From owner-freebsd-security Sun Apr 14 17:53:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 8DF0037B416 for ; Sun, 14 Apr 2002 17:53:38 -0700 (PDT)
Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id KAA22843; Mon, 15 Apr 2002 10:53:26 +1000 (EST)
From: Darren Reed
Message-Id: <200204150053.KAA22843@caligula.anu.edu.au>
Subject: Re: [Corrected message] This OpenBSD local root hole may affect some FreeBSD systems
To: list@rachinsky.de (Nicolas Rachinsky)
Date: Mon, 15 Apr 2002 10:53:25 +1000 (Australia/ACT)
Cc: security@FreeBSD.ORG
In-Reply-To: <20020411204516.GA51239@pc5.abc> from "Nicolas Rachinsky" at Apr 11, 2002 10:45:17 PM
X-Mailer: ELM [version 2.5 PL1]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

In some mail from Nicolas Rachinsky, sie said:
> > * Brett Glass [2002-04-11 14:12:01 -0600]:
> > [This is a corrected version of the previous message, which omitted
> > the word "isn't" near the beginning of the second paragraph.]
> >
> > The vulnerability described in the message below is a classic
> > "in-band signalling" problem that may give an unauthorized user
> > the ability to run an arbitrary command as root.
> >
> > Fortunately, the vulnerability isn't present in FreeBSD's daily, weekly,
> > and monthly maintenance scripts, because they use sendmail rather
> > than /bin/mail. Nonetheless, the same patch should be applied to
> > FreeBSD's /bin/mail due to the possibility that other privileged
> > utilities (or user-written scripts) might use /bin/mail instead of
> > sendmail to create e-mail messages.
>
> man mail says:
> -I Forces mail to run in interactive mode even when input is not a
> terminal. In particular, the `~' special character when sending
> mail is only active in interactive mode.

As I'm sure others have already pointed out: OpenBSD re-introduced this bug themselves in OpenBSD. It has been fixed everywhere else for some time.
Things like this little incident are good to take note of so when someone is saying: "but OpenBSD has better security" you can say: "Really? They seem to add as many security bugs by themselves as they fix" (or similar - you get the idea).

The general idea being for an O/S that prides itself on "security" and "code auditing", you'd think they'd know better than to reintroduce old security bugs.

In OpenSSH's lifetime, there have been 7 security bugs in it and only 4 in ssh.com's version. Another OpenSSH bug and that'll be twice as many as for ssh.com. All of those 7 have been introduced by the OpenSSH programmers.

Darren

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Apr 14 22:02:32 2002
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id DDAA237B405 for ; Sun, 14 Apr 2002 22:02:27 -0700 (PDT)
Received: from gw.netlecture.com (gw.netlecture.com [206.40.34.9]) by roble.com with ESMTP id g3F52R218407 for ; Sun, 14 Apr 2002 22:02:27 -0700 (PDT)
Date: Sun, 14 Apr 2002 22:02:27 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Affect of BSD mail/mailx bug in Solaris (was: Re: Corrected...
Message-ID: <20020414215552.L18292-100000@roble.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

"Charles M. Richmond" wrote:
> and the default root shell would have had to have been changed
> from 'sh' to 'csh'. Not to say that Sun shouldn't fix this.

The default root shell only affects interactive sessions. Solaris cron scripts, rc scripts, and scripts which do not specify a shell have always been run under /bin/sh. Pretty sure this is true for FreeBSD as well.

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon Apr 15 00:03:07 2002
Delivered-To: freebsd-security@freebsd.org
Received: from acaxp.physik.rwth-aachen.de (acaxp1.physik.rwth-aachen.de [137.226.32.200]) by hub.freebsd.org (Postfix) with ESMTP id 7375337B400 for ; Mon, 15 Apr 2002 00:03:03 -0700 (PDT)
Received: from gil.physik.rwth-aachen.de (gilberto.physik.rwth-aachen.de [137.226.46.168]) by acaxp.physik.rwth-aachen.de (8.8.8/8.8.8) with ESMTP id JAA09601 for ; Mon, 15 Apr 2002 09:03:01 +0200 (MET DST)
Received: (from kuku@localhost) by gil.physik.rwth-aachen.de (8.11.6/8.11.6) id g3F731k18347 for freebsd-security@freebsd.org; Mon, 15 Apr 2002 09:03:01 +0200 (CEST) (envelope-from kuku)
Date: Mon, 15 Apr 2002 09:03:01 +0200 (CEST)
From: Christoph Kukulies
Message-Id: <200204150703.g3F731k18347@gil.physik.rwth-aachen.de>
To: freebsd-security@freebsd.org
Subject: Limiting closed port RST response from 381 to 200 packets per second

My machine often shows these logs on the console when I enter the office in the morning. Sometimes the machine even got unresponsive and I had to reboot (though I'm not sure whether this is the cause or I have some hardware flakiness). It looks like the machine is being attacked. Is there a way to trap the attacker?

Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second
Apr 12 10:32:25 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 10:32:26 host /kernel: Limiting closed port RST response from 355 to 200 packets per second
Apr 12 10:32:28 host /kernel: Limiting closed port RST response from 379 to 200 packets per second
Apr 12 10:32:29 host /kernel: Limiting closed port RST response from 385 to 200 packets per second
Apr 12 10:32:30 host /kernel: Limiting closed port RST response from 385 to 200 packets per second
Apr 12 10:32:31 host /kernel: Limiting closed port RST response from 325 to 200 packets per second
Apr 12 14:12:17 host /kernel: Limiting closed port RST response from 336 to 200 packets per second
Apr 12 14:12:18 host /kernel: Limiting closed port RST response from 383 to 200 packets per second
Apr 12 14:12:20 host /kernel: Limiting closed port RST response from 355 to 200 packets per second
Apr 12 14:12:21 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:22 host /kernel: Limiting closed port RST response from 387 to 200 packets per second
Apr 12 14:12:24 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:25 host /kernel: Limiting closed port RST response from 380 to 200 packets per second
Apr 12 14:12:26 host /kernel: Limiting closed port RST response from 383 to 200 packets per second
Apr 12 14:12:27 host /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 12 14:12:29 host /kernel: Limiting closed port RST response from 385 to 200 packets per second
Apr 12 14:12:30 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:31 host /kernel: Limiting closed port RST response from 380 to 200 packets per second
Apr 12 14:12:33 host /kernel: Limiting closed port RST response from 383 to 200 packets per second
Apr 12 14:12:34 host /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 12 14:12:35 host /kernel: Limiting closed port RST response from 385 to 200 packets per second
Apr 12 14:12:36 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:38 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:39 host /kernel: Limiting closed port RST response from 386 to 200 packets per second
Apr 12 14:12:40 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:42 host /kernel: Limiting closed port RST response from 382 to 200 packets per second
Apr 12 14:12:43 host /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 12 14:12:44 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:45 host /kernel: Limiting closed port RST response from 379 to 200 packets per second
Apr 12 14:12:47 host /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 12 14:12:48 host /kernel: Limiting closed port RST response from 385 to 200 packets per second
Apr 12 14:12:49 host /kernel: Limiting closed port RST response from 383 to 200 packets per second
Apr 12 14:12:51 host /kernel: Limiting closed port RST response from 385 to 200 packets per second
Apr 12 14:12:52 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:12:53 host /kernel: Limiting closed port RST response from 380 to 200 packets per second
Apr 12 14:12:54 host /kernel: Limiting closed port RST response from 383 to 200 packets per second
Apr 12 14:12:56 host /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 12 14:12:57 host /kernel: Limiting closed port RST response from 231 to 200 packets per second
Apr 12 14:12:58 host /kernel: Limiting closed port RST response from 350 to 200 packets per second
Apr 12 14:13:00 host /kernel: Limiting closed port RST response from 352 to 200 packets per second
Apr 12 14:13:01 host /kernel: Limiting closed port RST response from 355 to 200 packets per second
Apr 12 14:13:02 host /kernel: Limiting closed port RST response from 384 to 200 packets per second
Apr 12 14:13:04 host /kernel: Limiting closed port RST response from 386 to 200 packets per second
Apr 12 14:13:05 host /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 12 14:13:06 host /kernel: Limiting closed port RST response from 298 to 200 packets per second

--
Chris Christoph P. U. Kukulies kukulies@rwth-aachen.de

From owner-freebsd-security Mon Apr 15 06:37:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 784AB37B400 for ; Mon, 15 Apr 2002 06:37:29 -0700 (PDT)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16x6jL-0003K5-00; Mon, 15 Apr 2002 15:41:15 +0200
From: Sheldon Hearn
To: Christoph Kukulies
Cc: freebsd-security@freebsd.org
Subject: Re: Limiting closed port RST response from 381 to 200 p
In-reply-to: Your message of "Mon, 15 Apr 2002 09:03:01 +0200." <200204150703.g3F731k18347@gil.physik.rwth-aachen.de>
Date: Mon, 15 Apr 2002 15:41:15 +0200
Message-ID: <12776.1018878075@axl.seasidesoftware.co.za>

On Mon, 15 Apr 2002 09:03:01 +0200, Christoph Kukulies wrote:
> It looks like the machine is being attacked. Is there a way to trap
> the attacker?
>
> Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second

Unlikely, as the source addresses are almost certainly forged.

I use the following RELENG_4-relative patch to allow syslog message coalescing, e.g.:

[time] fwadmin3 /kernel: Limiting icmp ping response to 200 packets per second
[time] fwadmin3 last message repeated 29 times
[time] fwadmin3 last message repeated 17 times

You lose the "severity at a glance" value of the messages this way, but I don't find them useful enough to warrant the mess in /var/log/messages.

Ciao,
Sheldon.

Index: ip_icmp.c
===================================================================
RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
retrieving revision 1.39.2.16
diff -u -d -r1.39.2.16 ip_icmp.c
--- ip_icmp.c 22 Mar 2002 16:54:18 -0000 1.39.2.16
+++ ip_icmp.c 15 Apr 2002 13:39:53 -0000
@@ -862,9 +862,8 @@ if ((unsigned int)dticks > hz) { if (lpackets[which] > icmplim) { - printf("%s from %d to %d packets per second\n", + printf("%s to %d packets per second\n", bandlimittype[which], - lpackets[which], icmplim ); }

From owner-freebsd-security Mon Apr 15 07:21:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from www.kpi.com.au (www.kpi.com.au [203.39.132.210]) by hub.freebsd.org (Postfix) with ESMTP id 0F30237B419 for ; Mon, 15 Apr 2002 07:21:38 -0700 (PDT)
Received: from kpi.com.au (localhost.kpi.com.au [127.0.0.1]) by www.kpi.com.au (8.9.3/8.9.3) with ESMTP id AAA67508; Tue, 16 Apr 2002 00:20:19 +1000 (EST) (envelope-from johnsa@kpi.com.au)
Message-ID: <3CBAE191.9010200@kpi.com.au>
Date: Tue, 16 Apr 2002 00:20:01 +1000
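Review bot: removing `lpackets[which]` from the printf throws away the only number that distinguishes a scanner pacing itself at a few hundred packets per second from a genuine flood; if the aim is only to let syslogd coalesce repeats, consider keeping the observed rate available behind a sysctl, or printing it once per burst rather than once per second. The hunk is otherwise consistent: the header counts (-862,9 +862,8) match two removed lines and one added line, and the surviving argument list `bandlimittype[which], icmplim` matches the two conversions left in the new format string.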
From: Andrew Johns
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-GB; rv:0.9.4) Gecko/20011128 Netscape6/6.2.1
X-Accept-Language: en-gb
MIME-Version: 1.0
To: Sheldon Hearn
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: Limiting closed port RST response from 381 to 200 p
References: <12776.1018878075@axl.seasidesoftware.co.za>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Sheldon Hearn wrote:
>
> You lose the "severity at a glance" value of the messages this way, but
> I don't find them useful enough to warrant the mess in
> /var/log/messages.
>
> Ciao,
> Sheldon.
>
> Index: ip_icmp.c
> ===================================================================
> RCS file: /home/ncvs/src/sys/netinet/ip_icmp.c,v
> retrieving revision 1.39.2.16
> diff -u -d -r1.39.2.16 ip_icmp.c
> --- ip_icmp.c 22 Mar 2002 16:54:18 -0000 1.39.2.16
> +++ ip_icmp.c 15 Apr 2002 13:39:53 -0000
> @@ -862,9 +862,8 @@ > > if ((unsigned int)dticks > hz) { > if (lpackets[which] > icmplim) { > - printf("%s from %d to %d packets per second\n", > + printf("%s to %d packets per second\n", > bandlimittype[which], > - lpackets[which], > icmplim > ); > }

Actually Sheldon I think that's a great idea - helps with syslog DoS somewhat as well. Anybody else care to contemplate making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)

AJ

From owner-freebsd-security Mon Apr 15 07:48:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id DCEC037B405 for ; Mon, 15 Apr 2002 07:48:51 -0700 (PDT)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16x7pf-0003ap-00; Mon, 15 Apr 2002 16:51:51 +0200
From: Sheldon Hearn
To: Andrew Johns
Cc: Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: Limiting closed port RST response from 381 to 200 p
In-reply-to: Your message of "Tue, 16 Apr 2002 00:20:01 +1000." <3CBAE191.9010200@kpi.com.au>
Date: Mon, 15 Apr 2002 16:51:51 +0200
Message-ID: <13814.1018882311@axl.seasidesoftware.co.za>

On Tue, 16 Apr 2002 00:20:01 +1000, Andrew Johns wrote:
> Actually Sheldon I think that's a great idea - helps with
> syslog DoS somewhat as well. Anybody else care to contemplate
> making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)

In CURRENT, logging is conditional on a sysctl value; the message format is unchanged from that of STABLE, but logging can be turned off completely if desired. This seems to keep most people happy.

I don't think my preference (always seeing the messages, but having syslog coalesce them) is representative of the majority of folks to whom this matters.

Ciao,
Sheldon.
From owner-freebsd-security Mon Apr 15 08:15:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from tomts5-srv.bellnexxia.net (tomts5.bellnexxia.net [209.226.175.25]) by hub.freebsd.org (Postfix) with ESMTP id 2C54537B416 for ; Mon, 15 Apr 2002 08:15:32 -0700 (PDT)
Received: from khan.anarcat.dyndns.org ([65.94.186.97]) by tomts5-srv.bellnexxia.net (InterMail vM.4.01.03.23 201-229-121-123-20010418) with ESMTP id <20020415151531.FJFP28421.tomts5-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Mon, 15 Apr 2002 11:15:31 -0400
Received: from lenny.anarcat.dyndns.org (lenny.anarcat.dyndns.org [192.168.0.4]) by khan.anarcat.dyndns.org (Postfix) with SMTP id 95B491AA7; Mon, 15 Apr 2002 11:15:26 -0400 (EDT)
Received: by lenny.anarcat.dyndns.org (sSMTP sendmail emulation); Mon, 15 Apr 2002 11:14:22 -0400
Date: Mon, 15 Apr 2002 11:14:22 -0400
From: The Anarcat
To: Sheldon Hearn
Cc: Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: General Rate-limiting in syslog(3) (was: Limiting closed port RST response from 381 to 200 p)
Message-ID: <20020415151422.GA302@lenny.anarcat.dyndns.org>
Mail-Followup-To: Sheldon Hearn, Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
References: <3CBAE191.9010200@kpi.com.au> <13814.1018882311@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="qDbXVdCdHGoSgWSk"
Content-Disposition: inline
In-Reply-To: <13814.1018882311@axl.seasidesoftware.co.za>
User-Agent: Mutt/1.3.27i

Branching off the topic here...

On Mon Apr 15, 2002 at 04:51:51PM +0200, Sheldon Hearn wrote:
>
> On Tue, 16 Apr 2002 00:20:01 +1000, Andrew Johns wrote:
>
> > Actually Sheldon I think that's a great idea - helps with
> > syslog DoS somewhat as well. Anybody else care to contemplate
> > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
>
> In CURRENT, logging is conditional on a sysctl value; the message
> format is unchanged from that of STABLE, but logging can be turned off
> completely if desired. This seems to keep most people happy.
>
> I don't think my preference (always seeing the messages, but having
> syslog coalesce them) is representative of the majority of folks to whom
> this matters.

Actually, what I would like would be a generic rate-limiting facility in syslog(3) itself. That would make DOS much harder.
In particular, I got this idea from Linux's ipchains (or another fw product, I don't remember which) which allows rule logging to be explicitly rate-limited. That, IMHO, is much better than our logamount facility, which is DOS-able easily, somehow. Just pour enough packets in and ipfw doesn't log anything anymore. If we rate-limit this, with logamount=0, we have much better control.

A.

--
From the age of uniformity, from the age of solitude, from the age of Big Brother, from the age of doublethink - greetings!

From owner-freebsd-security Mon Apr 15 08:21:37 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 6E1B437B404 for ; Mon, 15 Apr 2002 08:21:28 -0700 (PDT)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16x8LL-0003iD-00; Mon, 15 Apr 2002 17:24:35 +0200
From: Sheldon Hearn
To: The Anarcat
Cc: Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: General Rate-limiting in syslog(3) (was: Limiting closed port RST response from 381 to 200 p)
In-reply-to: Your message of "Mon, 15 Apr 2002 11:14:22 -0400." <20020415151422.GA302@lenny.anarcat.dyndns.org>
Date: Mon, 15 Apr 2002 17:24:35 +0200
Message-ID: <14272.1018884275@axl.seasidesoftware.co.za>

On Mon, 15 Apr 2002 11:14:22 -0400, The Anarcat wrote:
> Actually, what I would like would be a generic rate-limiting facility
> in syslog(3) itself. That would make DOS much harder.

There already is; that's what my patch relies on. It's just that syslog's rate-limiting relies on messages being identical.

Anything more complicated is probably going to involve a new API, which is probably more than what's required here.

Ciao,
Sheldon.
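Sheldon's two points above, that the kernel's limiter reports once per second and that syslog only folds messages which are byte-for-byte identical, in an added example that is not code from this thread or from FreeBSD. It is a simplified model of the band-limit window behind the "Limiting closed port RST response" message, with both message formats, followed by a syslogd-style coalescer; the limit (200), hz (100) and the burst of probe rates are constructed assumptions.

```c
/* Added example, not the FreeBSD kernel's or Sheldon's code: a simplified model
 * of the per-second band-limit check behind "Limiting closed port RST response
 * from N to 200 packets per second", plus a syslogd-style coalescer. Limit and
 * hz are assumed constants, the burst is constructed to resemble the posted log. */
#include <stdio.h>
#include <string.h>

#define MSG_LEN   96
#define MAX_LINES 64

struct bandlim {
    long window_start;   /* tick at which the current one-second window began */
    int  count;          /* responses accounted in the current window */
    int  limit;          /* responses allowed per second (icmplim in the kernel) */
    int  hz;             /* ticks per second */
};

/* Roll the window over once a second has elapsed. Returns the observed count
 * when the window that just closed exceeded the limit (a log line is due),
 * otherwise 0. */
static int bandlim_tick(struct bandlim *b, long now)
{
    int observed = 0;
    if (now - b->window_start >= b->hz) {
        if (b->count > b->limit)
            observed = b->count;
        b->window_start = now;
        b->count = 0;
    }
    return observed;
}

/* Account one response; returns 1 if it must be suppressed (over the limit). */
static int bandlim_packet(struct bandlim *b)
{
    return ++b->count > b->limit;
}

/* STABLE wording (carries the observed rate) versus the patched wording. */
static void format_msg(char *buf, int verbose, int observed, int limit)
{
    if (verbose)
        snprintf(buf, MSG_LEN, "Limiting closed port RST response from %d to %d packets per second", observed, limit);
    else
        snprintf(buf, MSG_LEN, "Limiting closed port RST response to %d packets per second", limit);
}

/* Constructed burst: closed-port probes arriving in each of five seconds. */
static const int BURST[] = { 336, 381, 355, 379, 385 };
#define BURST_LEN 5

/* Push the burst through the limiter, collecting the lines it would print.
 * Returns the line count; *suppressed receives the number of withheld RSTs. */
static int run_burst(int verbose, char out[][MSG_LEN], int *suppressed)
{
    struct bandlim b = { 0, 0, 200, 100 };   /* assumed icmplim=200, hz=100 */
    int n = 0, obs;
    *suppressed = 0;
    for (int s = 0; s < BURST_LEN; s++)
        for (int p = 0; p < BURST[s]; p++) {
            long now = (long)s * b.hz + (long)p * b.hz / BURST[s];
            if ((obs = bandlim_tick(&b, now)) && n < MAX_LINES)
                format_msg(out[n++], verbose, obs, b.limit);
            *suppressed += bandlim_packet(&b);
        }
    if ((obs = bandlim_tick(&b, (long)BURST_LEN * b.hz)) && n < MAX_LINES)
        format_msg(out[n++], verbose, obs, b.limit);   /* close the last window */
    return n;
}

/* Simplified syslogd behaviour: consecutive identical lines are folded into
 * "last message repeated N times". Returns the number of lines written. */
static int coalesce(char in[][MSG_LEN], int n, char out[][MSG_LEN])
{
    int written = 0, repeats = 0;
    for (int i = 0; i < n; i++) {
        if (i > 0 && strcmp(in[i], in[i - 1]) == 0) { repeats++; continue; }
        if (repeats)
            snprintf(out[written++], MSG_LEN, "last message repeated %d times", repeats);
        snprintf(out[written++], MSG_LEN, "%s", in[i]);
        repeats = 0;
    }
    if (repeats)
        snprintf(out[written++], MSG_LEN, "last message repeated %d times", repeats);
    return written;
}

/* Lines that end up in /var/log/messages for the burst, per message format:
 * the verbose format never repeats, so nothing is folded. */
int lines_logged(int verbose)
{
    char raw[MAX_LINES][MSG_LEN], folded[MAX_LINES * 2][MSG_LEN];
    int suppressed, n = run_burst(verbose, raw, &suppressed);
    return coalesce(raw, n, folded);
}

/* RST responses the limiter withheld over the whole burst. */
int responses_suppressed(void)
{
    char raw[MAX_LINES][MSG_LEN];
    int suppressed;
    run_burst(0, raw, &suppressed);
    return suppressed;
}
```

With the STABLE wording every second produces a distinct line (five lines for this burst); with the patched wording the same burst collapses to one line plus "last message repeated 4 times", while the limiter's behaviour (836 withheld responses here) is unchanged, which is exactly the trade Sheldon describes.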
From owner-freebsd-security Mon Apr 15 08:26:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from tomts13-srv.bellnexxia.net (tomts13.bellnexxia.net [209.226.175.34]) by hub.freebsd.org (Postfix) with ESMTP id 4E0C637B416 for ; Mon, 15 Apr 2002 08:25:43 -0700 (PDT)
Received: from khan.anarcat.dyndns.org ([65.94.186.97]) by tomts13-srv.bellnexxia.net (InterMail vM.4.01.03.23 201-229-121-123-20010418) with ESMTP id <20020415152541.FYLI4519.tomts13-srv.bellnexxia.net@khan.anarcat.dyndns.org>; Mon, 15 Apr 2002 11:25:41 -0400
Received: from lenny.anarcat.dyndns.org (lenny.anarcat.dyndns.org [192.168.0.4]) by khan.anarcat.dyndns.org (Postfix) with SMTP id 2C9E61A1F; Mon, 15 Apr 2002 11:25:39 -0400 (EDT)
Received: by lenny.anarcat.dyndns.org (sSMTP sendmail emulation); Mon, 15 Apr 2002 11:24:35 -0400
Date: Mon, 15 Apr 2002 11:24:35 -0400
From: The Anarcat
To: Sheldon Hearn
Cc: Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: General Rate-limiting in syslog(3) (was: Limiting closed port RST response from 381 to 200 p)
Message-ID: <20020415152435.GB302@lenny.anarcat.dyndns.org>
Mail-Followup-To: Sheldon Hearn, Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
References: <20020415151422.GA302@lenny.anarcat.dyndns.org> <14272.1018884275@axl.seasidesoftware.co.za>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="gj572EiMnwbLXET9"
Content-Disposition: inline
In-Reply-To: <14272.1018884275@axl.seasidesoftware.co.za>
User-Agent: Mutt/1.3.27i

On Mon Apr 15, 2002 at 05:24:35PM +0200, Sheldon Hearn wrote:
>
> On Mon, 15 Apr 2002 11:14:22 -0400, The Anarcat wrote:
>
> > Actually, what I would like would be a generic rate-limiting facility
> > in syslog(3) itself. That would make DOS much harder.
>
> There already is; that's what my patch relies on. It's just that
> syslog's rate-limiting relies on messages being identical.
>
> Anything more complicated is probably going to involve a new API, which
> is probably more than what's required here.

Yes, of course, you're right. I guess then that it doesn't belong to syslog(3). There is indeed an API and it does its job pretty well.

I think it therefore belongs to ipfw to do this kind of rate-limiting, and on a per-rule basis, it would be fantastic.

I guess I'll need to take another look at ipfw's source, again. :)

A.
--
The idea that Bill Gates has appeared like a knight in shining armour to lead all customers out of a mire of technological chaos neatly ignores the fact that it was he who, by peddling second-rate technology, led them into it in the first place. - Douglas Adams (1952-2001)

From owner-freebsd-security Mon Apr 15 08:35:45 2002
Delivered-To: freebsd-security@freebsd.org
Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 630DE37B419 for ; Mon, 15 Apr 2002 08:35:39 -0700 (PDT)
Received: from sheldonh (helo=axl.seasidesoftware.co.za) by axl.seasidesoftware.co.za with local-esmtp (Exim 3.33 #1) id 16x8Z5-0003lv-00; Mon, 15 Apr 2002 17:38:47 +0200
From: Sheldon Hearn
To: The Anarcat
Cc: Andrew Johns, Christoph Kukulies, freebsd-security@FreeBSD.ORG
Subject: Re: General Rate-limiting in syslog(3) (was: Limiting closed port RST response from 381 to 200 p)
In-reply-to: Your message of "Mon, 15 Apr 2002 11:24:35 -0400." <20020415152435.GB302@lenny.anarcat.dyndns.org>
Date: Mon, 15 Apr 2002 17:38:47 +0200
Message-ID: <14502.1018885127@axl.seasidesoftware.co.za>

On Mon, 15 Apr 2002 11:24:35 -0400, The Anarcat wrote:
> I think it therefore belongs to ipfw to do this kind of rate-limiting,
> and on a per-rule base, it would be fantastic.
>
> I guess I'll need to take another look at ipfw's source, again. :)

Well, the messages that this thread revolves around are generated by the kernel's ICMP code, not by IPFW. But if you were to take an interest in improving ipfw's logging, you might want to look at how IPFilter handles logging. In my opinion, IPFilter's logging system is a great step forward from IPFW's.

Each message I post on this thread feels more and more off-topic. I think this'll be my last. :-)

Ciao,
Sheldon.
From owner-freebsd-security Mon Apr 15 11:04:46 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id A736137B400 for ; Mon, 15 Apr 2002 11:04:41 -0700 (PDT)
Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g3FI4fn18100 for security@freebsd.org; Mon, 15 Apr 2002 11:04:41 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org)
Date: Mon, 15 Apr 2002 11:04:41 -0700 (PDT)
Message-Id: <200204151804.g3FI4fn18100@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security Mon Apr 15 12:28:27 2002
Delivered-To: freebsd-security@freebsd.org
Received: from patrocles.silby.com (d140.as14.nwbl0.wi.voyager.net [169.207.136.14]) by hub.freebsd.org (Postfix) with ESMTP id 2A85537B405 for ; Mon, 15 Apr 2002 12:28:21 -0700 (PDT)
Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.2/8.12.2) with ESMTP id g3G1S2Lx006591; Mon, 15 Apr 2002 20:28:02 -0500 (CDT) (envelope-from silby@silby.com)
Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.2/8.12.2/Submit) with ESMTP id g3G1RrKV006588; Mon, 15 Apr 2002 20:27:57 -0500 (CDT)
X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs
Date: Mon, 15 Apr 2002 20:27:53 -0500 (CDT)
From: Mike Silbersack
To: Andrew Johns
Cc: Sheldon Hearn, Christoph Kukulies,
Subject: Re: Limiting closed port RST response from 381 to 200 p
In-Reply-To: <3CBAE191.9010200@kpi.com.au>
Message-ID: <20020415201908.O5071-100000@patrocles.silby.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Tue, 16 Apr 2002, Andrew Johns wrote:
> Actually Sheldon I think that's a great idea - helps with
> syslog DoS somewhat as well. Anybody else care to contemplate
> making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
>
> AJ

As the messages are limited to once per second, it's not really a syslog DoS. Just an annoyance, as Sheldon mentions.

I think that seeing the rate is useful, although having a sysctl which allows one to switch over to the format Sheldon uses could be useful. I have considered MFCing the sysctl which disables the display of these messages and making off the default, given that many people seem to panic when seeing "limiting blah".

As the rate of incoming packets seems pretty steady, I'd wager that Christoph is being scanned by nmap or some similar tool. A true DoS would probably involve a much higher packet rate.
Mike "Silby" Silbersack

From owner-freebsd-security Mon Apr 15 17:03:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by hub.freebsd.org (Postfix) with ESMTP id 598D937B416 for ; Mon, 15 Apr 2002 17:03:47 -0700 (PDT)
Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 5CDA44AF3; Mon, 15 Apr 2002 19:03:46 -0500 (CDT)
Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g3G03Z501882; Mon, 15 Apr 2002 19:03:35 -0500 (CDT) (envelope-from hawkeyd)
Date: Mon, 15 Apr 2002 19:03:35 -0500 (CDT)
Message-Id: <200204160003.g3G03Z501882@sheol.localdomain>
Mime-Version: 1.0
X-Newsreader: knews 1.0b.1
Reply-To: hawkeyd@visi.com
Organization: if (!FIFO) if (!LIFO) break;
References: <13814.1018882311_axl.seasidesoftware.co.za@ns.sol.net>
In-Reply-To: <13814.1018882311_axl.seasidesoftware.co.za@ns.sol.net>
From: hawkeyd@visi.com (D J Hawkey Jr)
Subject: Re: Limiting closed port RST response from 381 to 200 p
X-Original-Newsgroups: sol.lists.freebsd.security
To: sheldonh@starjuice.net, freebsd-security@freebsd.org
Content-Type: text/plain; charset=us-ascii

In article <13814.1018882311_axl.seasidesoftware.co.za@ns.sol.net>, sheldonh@starjuice.net writes:
>
>
> On Tue, 16 Apr 2002 00:20:01 +1000, Andrew Johns wrote:
>
>> Actually Sheldon I think that's a great idea - helps with
>> syslog DoS somewhat as well. Anybody else care to contemplate
>> making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
>
> In CURRENT, logging is conditional on a sysctl value; the message
> format is unchanged from that of STABLE, but logging can be turned off
> completely if desired. This seems to keep most people happy.
>
> I don't think my preference (always seeing the messages, but having
> syslog coalesce them) is representative of the majority of folks to whom
> this matters.

Here's one that agrees with you, especially if I'm monitoring with root-tail; the coalescing is a welcomed feature as far as I'm concerned.

> Ciao,
> Sheldon.

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
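Mike Silbersack's reasoning two messages up (a rate that sits steadily just above the limit looks like a scanner pacing itself; a real flood would run far higher) turned into an added triage routine for the verbose message format. This is not code from the thread or from FreeBSD: the sample syslog lines are constructed to resemble Christoph's, and the 60-second burst gap and the rate thresholds in `classify` are assumptions chosen for illustration.

```c
/* Added example, not code from this thread or from FreeBSD: group the kernel's
 * "Limiting closed port RST response from N to M packets per second" lines into
 * bursts and look at how steady the observed rate is. Sample lines and the
 * classification thresholds are constructed assumptions. */
#include <stdio.h>
#include <string.h>

struct rec   { int secs, observed, limit; };              /* time of day in seconds */
struct burst { int start, end, count, min, max; long sum; };

/* Parse one kernel band-limit line as written by syslog; returns 1 on success. */
static int parse_line(const char *line, struct rec *r)
{
    char mon[4], host[32];
    int day, hh, mm, ss;
    if (sscanf(line, "%3s %d %d:%d:%d %31s /kernel: Limiting closed port RST "
                     "response from %d to %d packets per second",
               mon, &day, &hh, &mm, &ss, host, &r->observed, &r->limit) != 8)
        return 0;
    r->secs = hh * 3600 + mm * 60 + ss;
    return 1;
}

/* Group records into bursts: a gap of more than `gap` seconds starts a new one. */
static int group_bursts(const struct rec *r, int n, int gap, struct burst *out, int max)
{
    int nb = 0;
    for (int i = 0; i < n; i++) {
        if (nb == 0 || r[i].secs - out[nb - 1].end > gap) {
            if (nb == max)
                break;
            out[nb] = (struct burst){ r[i].secs, r[i].secs, 0, r[i].observed, r[i].observed, 0 };
            nb++;
        }
        struct burst *b = &out[nb - 1];
        b->end = r[i].secs;
        b->count++;
        b->sum += r[i].observed;
        if (r[i].observed < b->min) b->min = r[i].observed;
        if (r[i].observed > b->max) b->max = r[i].observed;
    }
    return nb;
}

/* Assumed rule of thumb: a rate that stays under ~3x the limit and varies by
 * less than the limit looks like a tool probing at a fixed pace; a mean far
 * above the limit looks like a flood. */
static const char *classify(const struct burst *b, int limit)
{
    double mean = (double)b->sum / b->count;
    if (b->max <= 3 * limit && b->max - b->min < limit)
        return "steady, scan-like";
    if (mean > 10 * limit)
        return "flood-like";
    return "mixed";
}

/* Constructed sample: two bursts shaped like the posted log, one unrelated
 * line that must be ignored, and a made-up flood burst for contrast. */
static const char *SAMPLE[] = {
    "Apr 12 10:32:24 host /kernel: Limiting closed port RST response from 336 to 200 packets per second",
    "Apr 12 10:32:25 host /kernel: Limiting closed port RST response from 381 to 200 packets per second",
    "Apr 12 10:32:28 host /kernel: Limiting closed port RST response from 379 to 200 packets per second",
    "Apr 12 11:00:00 host sshd[123]: Connection closed by 192.0.2.10",
    "Apr 12 14:12:17 host /kernel: Limiting closed port RST response from 336 to 200 packets per second",
    "Apr 12 14:12:57 host /kernel: Limiting closed port RST response from 231 to 200 packets per second",
    "Apr 12 14:13:06 host /kernel: Limiting closed port RST response from 298 to 200 packets per second",
    "Apr 12 16:00:00 host /kernel: Limiting closed port RST response from 5000 to 200 packets per second",
    "Apr 12 16:00:01 host /kernel: Limiting closed port RST response from 12000 to 200 packets per second",
};
#define SAMPLE_LEN 9
#define MAX_BURSTS 8

/* Parse SAMPLE and group it; returns the burst count, fills bursts and limit. */
static int analyze(struct burst *bursts, int *limit)
{
    struct rec recs[SAMPLE_LEN];
    int n = 0;
    *limit = 0;
    for (int i = 0; i < SAMPLE_LEN; i++)
        if (parse_line(SAMPLE[i], &recs[n])) {
            *limit = recs[n].limit;
            n++;
        }
    return group_bursts(recs, n, 60, bursts, MAX_BURSTS);
}

int burst_count(void)
{
    struct burst b[MAX_BURSTS];
    int limit;
    return analyze(b, &limit);
}

/* Classification of burst i, or "none" if there is no such burst. */
const char *burst_class(int i)
{
    struct burst b[MAX_BURSTS];
    int limit, n = analyze(b, &limit);
    return i < n ? classify(&b[i], limit) : "none";
}

int main(void)
{
    struct burst b[MAX_BURSTS];
    int limit, n = analyze(b, &limit);
    for (int i = 0; i < n; i++)
        printf("burst %d: %ds, %d messages, rate %d-%d (mean %.0f): %s\n", i,
               b[i].end - b[i].start + 1, b[i].count, b[i].min, b[i].max,
               (double)b[i].sum / b[i].count, classify(&b[i], limit));
    return 0;
}
```

The two bursts modelled on the posted log come out as steady and scan-like (the observed rate never strays far from 200), while the constructed 5000 to 12000 pps burst is flagged as flood-like; the unrelated sshd line is rejected by the parser rather than polluting a burst. Note that the routine needs the observed rate in the message, which is the information Sheldon's patch removes.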

From owner-freebsd-security Mon Apr 15 22:13:52 2002
Delivered-To: freebsd-security@freebsd.org
Received: from oddjob.trewitt.org (adsl-216-102-95-11.dsl.snfc21.pacbell.net [216.102.95.11]) by hub.freebsd.org (Postfix) with ESMTP id EEB0937B419; Mon, 15 Apr 2002 22:13:49 -0700 (PDT)
Received: from trewitt.org (g4.trewitt.org [10.0.0.4]) by oddjob.trewitt.org (8.11.3/8.11.3) with ESMTP id g3G5Dnm82053; Mon, 15 Apr 2002 22:13:49 -0700 (PDT) (envelope-from glenn@trewitt.org)
Message-ID: <3CBBB30D.2BB56B18@trewitt.org>
Date: Mon, 15 Apr 2002 22:13:48 -0700
From: Glenn Trewitt
Reply-To: glenn@trewitt.org
X-Mailer: Mozilla 4.79 (Macintosh; U; PPC)
X-Accept-Language: en,pdf
MIME-Version: 1.0
To: security@freebsd.org
Cc: obrien@freebsd.org
Subject: Have code: ftpd support for TLS/SSL
Content-Type: text/plain; charset=us-ascii; x-mac-type="54455854"; x-mac-creator="4D4F5353"
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I've ported and extended Tomas Svensson's NetBSD patches for ftpd that let it do "FTP using TLS", according to the Internet Draft "draft-murray-auth-ftp-ssl-05.txt". I've also extended it slightly to support "Implicit SSL", as well as "Explicit SSL" (the I-D spec). Most of the commercial FTP clients support both of these mechanisms, and there are several free clients that support them, as well.

I really need a way to grant non-shell users file transfer access, and this fits the bill, nicely.

I'd really like to get this into the code base. Is anyone interested in looking at the patch? Or should I just file a PR? I'd hate to have the PR sit around for a long time, because the patch is extensive enough that it could rot relatively quickly.

Thanks,
Glenn Trewitt

From owner-freebsd-security Mon Apr 15 23:11:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from sigbus.com (c-24-126-148-218.we.client2.attbi.com [24.126.148.218]) by hub.freebsd.org (Postfix) with ESMTP id 265D437B400 for ; Mon, 15 Apr 2002 23:11:50 -0700 (PDT)
Received: (from henrich@localhost) by sigbus.com (8.11.1/8.11.1) id g3G6Bko21663 for freebsd-security@freebsd.org; Mon, 15 Apr 2002 23:11:46 -0700 (PDT) (envelope-from henrich)
Date: Mon, 15 Apr 2002 23:11:46 -0700
From: Charles Henrich
To: freebsd-security@freebsd.org
Subject: IPFW/IPsec
Message-ID: <20020415231146.A21593@sigbus.com>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Operating-System: FreeBSD 4.2-RELEASE
X-PGP-Fingerprint: 1024/F7 FD C7 3A F5 6A 23 BF 76 C4 B8 C9 6E 41 A4 4F
X-GPG-Fingerprint: EA4C AB9B 0C38 17C0 AB3F 11DE 41F6 5883 41E7 4F49
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I'm trying to do something trivial here, but I just can't seem to figure out what's going on. I'm trying to build a gateway that only accepts ESP tunnel packets. When I enable firewall rules something like:

/sbin/ipfw add allow udp from any to any isakmp via xl0
/sbin/ipfw add allow esp from any to any via xl0
/sbin/ipfw add deny all from any to any via xl0
/sbin/ipfw add allow all from any to any

Communications fails. The thing is, I can't figure out why. I have xl0 internet addressed, and dc0 internal network addressed, with a gif0 tunnel setup for the ipsec tunneling.

Suggestions?

Thanks!

-Crh

Charles Henrich henrich@msu.edu http://www.sigbus.com:81/~henrich

From owner-freebsd-security Tue Apr 16 1: 5: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.tb.by (ns.tb.by [212.98.163.84]) by hub.freebsd.org (Postfix) with ESMTP id 16E1137B400 for ; Tue, 16 Apr 2002 01:04:59 -0700 (PDT)
Received: from franc ([10.20.1.109]) by ns.tb.by (8.11.3/8.11.3) with ESMTP id g3G8M8r75988; Tue, 16 Apr 2002 11:22:10 +0300 (EEST)
Date: Tue, 16 Apr 2002 10:58:53 +0300
From: Dmitry Shupilov
X-Mailer: The Bat! (v1.47 Halloween Edition) Personal
Reply-To: Dmitry Shupilov
X-Priority: 3 (Normal)
Message-ID: <192415279580.20020416105853@ns.tb.by>
To: Charles Henrich
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW/IPsec
In-reply-To: <20020415231146.A21593@sigbus.com>
References: <20020415231146.A21593@sigbus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Charles,

CH> I'm trying to do something trivial here, but I just can't seem to figure out
CH> what's going on. I'm trying to build a gateway that only accepts ESP tunnel
CH> packets. When I enable firewall rules something like:
CH> /sbin/ipfw add allow udp from any to any isakmp via xl0
CH> /sbin/ipfw add allow esp from any to any via xl0
CH> /sbin/ipfw add deny all from any to any via xl0
CH> /sbin/ipfw add allow all from any to any
CH> Communications fails. The thing is, I can't figure out why.

there is a GOLD ipfw rule:

/sbin/ipfw add 65000 deny log ip from any to any [via [xl0][dc0] - as you wish]
                          ^^^

you add this rule and look at your log file

Dmitry

From owner-freebsd-security Tue Apr 16 1: 8:29 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mta3-rme.xtra.co.nz (mta3-rme.xtra.co.nz [210.86.15.131]) by hub.freebsd.org (Postfix) with ESMTP id 2859337B400 for ; Tue, 16 Apr 2002 01:08:19 -0700 (PDT)
Received: from netxsecure.net ([210.55.121.51]) by mta3-rme.xtra.co.nz with ESMTP id <20020416080817.RWBY27009.mta3-rme.xtra.co.nz@netxsecure.net> for ; Tue, 16 Apr 2002 20:08:17 +1200
Message-ID: <3CBBDB83.88EDE744@netxsecure.net>
Date: Tue, 16 Apr 2002 20:06:27 +1200
From: "Michael A. Williams"
Reply-To: mike@netxsecure.net
X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Subject: Anti-Trojan kernel patches and paper for FreeBSD
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi,

A paper on Anti-Trojan and Trojan Detection for FreeBSD using digital signature testing within the kernel is available at:

http://www.trojanproof.org/sigexec.pdf

A reference implementation for FreeBSD 4.5 is available at:

http://www.trojanproof.org/sigexec-fbsd4.5r-0.2.tgz

Regards,

--
Michael A. Williams
Security Software Engineering and InfoSec Manager
NetXSecure NZ Limited, http://www.nxs.co.nz
Ph: +64.3.318.2973 Fax: +64.3.318.2975 Mob: +64.21.995.914

From owner-freebsd-security Tue Apr 16 5:47: 2 2002
Delivered-To: freebsd-security@freebsd.org
Received: from relay1.nce.smtp.psi.net (relay1.nce.smtp.psi.net [38.9.152.2]) by hub.freebsd.org (Postfix) with ESMTP id 4D04837B400 for ; Tue, 16 Apr 2002 05:46:59 -0700 (PDT)
Received: from vrinet.com ([192.104.81.10] helo=dc-hgh-nsv03.altarum.org) by relay1.nce.smtp.psi.net with esmtp (Exim 3.13 #3) id 16xSMM-0003L6-00 for freebsd-security@FreeBSD.ORG; Tue, 16 Apr 2002 08:46:58 -0400
Subject:
To: freebsd-security@FreeBSD.ORG
X-Mailer: Lotus Notes Release 5.0.8 June 18, 2001
Message-ID:
From: caren.shoemaker@altarum.org
Date: Tue, 16 Apr 2002 08:28:43 -0400
X-MIMETrack: Serialize by Router on DC-HGH-SMTP01/VRI(Release 5.0.8 |June 18, 2001) at 04/16/2002 08:46:39 AM
MIME-Version: 1.0
Content-type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

auth 6219ad89 unsubscribe freebsd-security caren.shoemaker@altarum.org

From owner-freebsd-security Tue Apr 16 9:27:18 2002
Delivered-To: freebsd-security@freebsd.org
Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 7B08137B400 for ; Tue, 16 Apr 2002 09:27:14 -0700 (PDT)
Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g3GGMT433979; Tue, 16 Apr 2002 11:22:30 -0500 (CDT) (envelope-from admin@crimelords.org)
Date: Tue, 16 Apr 2002 11:22:29 -0500 (CDT)
From: admin
To: Mike Silbersack
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Limiting closed port RST response from 381 to 200 p
In-Reply-To: <20020415201908.O5071-100000@patrocles.silby.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, 15 Apr 2002, Mike Silbersack wrote:

>
> On Tue, 16 Apr 2002, Andrew Johns wrote:
>
> > Actually Sheldon I think that's a great idea - helps with
> > syslog DoS somewhat as well. Anybody else care to contemplate
> > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
> >
> > AJ
>
> As the messages are limited to once per second, it's not really a syslog
> DoS. Just an annoyance, as Sheldon mentions. I think that seeing the
> rate is useful, although having a sysctl which allows one to switch over
> to the format Sheldon uses could be useful. I have considered MFCing the
> sysctl which disables the display of these messages and making off the
> default, given that many people seem to panic when seeing "limiting blah".
>
> As the rate of incoming packets seems pretty steady, I'd wager that
> Christoph is being scanned by nmap or some similar tool. A true DoS would
> probably involve a much higher packet rate.
>
> Mike "Silby" Silbersack

Higher rate like what I see on a few of my irc shell servers:

Limiting icmp unreach response from 5263 to 200 packets per second
Limiting icmp unreach response from 5202 to 200 packets per second
Limiting icmp unreach response from 5233 to 200 packets per second
Limiting icmp unreach response from 5216 to 200 packets per second
Limiting icmp unreach response from 5228 to 200 packets per second

This fills dmesg and messages constantly and the coalescing is a God-send when you have a few hours of DoS. I agree with having a sysctl to switch so that I can decide myself and also differentiate between scans and attacks

-emac

From owner-freebsd-security Tue Apr 16 10:21:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp1.ndsu.nodak.edu (smtp1.ndsu.NoDak.edu [134.129.111.146]) by hub.freebsd.org (Postfix) with ESMTP id B39A737B400 for ; Tue, 16 Apr 2002 10:21:15 -0700 (PDT)
Received: from scrappydoo (scrappydoo.cc.ndsu.NoDak.edu [134.129.71.91]) by smtp1.ndsu.nodak.edu (8.12.1/8.12.1) with SMTP id g3GHLFHZ006240 for ; Tue, 16 Apr 2002 12:21:15 -0500
Message-ID: <003001c1df21$c97d6e40$5b478186@scrappydoo>
From: "Help Desk"
To:
Subject:
Date: Mon, 8 Apr 2002 12:21:14 -0500
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

auth 0634c431 unsubscribe freebsd-security Help.Desk@ndsu.nodak.edu

From owner-freebsd-security Tue Apr 16 10:38: 1 2002
Delivered-To: freebsd-security@freebsd.org
Received: from www.descrypt.com (www.descrypt.com [24.97.31.162]) by hub.freebsd.org (Postfix) with SMTP id 8417C37B419 for ; Tue, 16 Apr 2002 10:37:55 -0700 (PDT)
Received: (qmail 3018 invoked from network); 16 Apr 2002 17:39:39 -0000
Received: from alb-66-66-193-225.nycap.rr.com (HELO dessie) (66.66.193.225) by emomusic.com with SMTP; 16 Apr 2002 17:39:39 -0000
Message-ID: <001601c1e56d$751aa140$e1c14242@dessie>
From: "Tal Ben-Eliezer"
To:
Subject: unsubscribe
Date: Tue, 16 Apr 2002 13:38:01 -0400
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0013_01C1E54B.EDDB3A80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

unsubscribe

From owner-freebsd-security Tue Apr 16 11:28: 0 2002
Delivered-To: freebsd-security@freebsd.org
Received: from I-Sphere.COM (shell.i-sphere.com [209.249.146.70]) by hub.freebsd.org (Postfix) with ESMTP id 2311E37B400 for ; Tue, 16 Apr 2002 11:27:48 -0700 (PDT)
Received: (from fasty@localhost) by I-Sphere.COM (8.11.6/8.11.6) id g3GITA959759; Tue, 16 Apr 2002 11:29:10 -0700 (PDT) (envelope-from fasty)
Date: Tue, 16 Apr 2002 11:29:10 -0700
From: faSty
To: admin
Cc: freebsd-security@freebsd.org
Subject: Re: Limiting closed port RST response from 381 to 200 p
Message-ID: <20020416112910.A59668@i-sphere.com>
References: <20020415201908.O5071-100000@patrocles.silby.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: ; from admin@crimelords.org on Tue, Apr 16, 2002 at 11:22:29AM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Just install snort with guardian. It helps stop the abusers attacking your server. Snort monitors the packets; when it detects a DoS it sends an alert to syslog, so guardian finds snort's alert in syslog and places a deny rule in the firewall for that hostname, with a certain timer to remove the deny rule. I received a lot of DoS pretty often. I was fed up, and putting in snort/guardian helped a lot.

-trev

On Tue, Apr 16, 2002 at 11:22:29AM -0500, admin wrote:
>
>
> On Mon, 15 Apr 2002, Mike Silbersack wrote:
>
> >
> > On Tue, 16 Apr 2002, Andrew Johns wrote:
> >
> > > Actually Sheldon I think that's a great idea - helps with
> > > syslog DoS somewhat as well. Anybody else care to contemplate
> > > making it either a default or sysctl (ICMP_BANDLIMIT_DOSLIMIT?)
> > >
> > > AJ
> >
> > As the messages are limited to once per second, it's not really a syslog
> > DoS. Just an annoyance, as Sheldon mentions. I think that seeing the
> > rate is useful, although having a sysctl which allows one to switch over
> > to the format Sheldon uses could be useful. I have considered MFCing the
> > sysctl which disables the display of these messages and making off the
> > default, given that many people seem to panic when seeing "limiting blah".
> >
> > As the rate of incoming packets seems pretty steady, I'd wager that
> > Christoph is being scanned by nmap or some similar tool. A true DoS would
> > probably involve a much higher packet rate.
> >
> > Mike "Silby" Silbersack
>
> Higher rate like what I see on a few of my irc shell servers:
> Limiting icmp unreach response from 5263 to 200 packets per second
> Limiting icmp unreach response from 5202 to 200 packets per second
> Limiting icmp unreach response from 5233 to 200 packets per second
> Limiting icmp unreach response from 5216 to 200 packets per second
> Limiting icmp unreach response from 5228 to 200 packets per second
>
> This fills dmesg and messages constantly and the coalescing is a God-send
> when you have a few hours of DoS. I agree with having a sysctl to switch
> so that I can decide myself and also differentiate between scans and attacks
>
> -emac

--
Heuristics are bug ridden by definition. If they didn't have bugs, then they'd be algorithms.
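
The coalescing that Sheldon prefers and the scan-versus-attack distinction emac asks for can both be done outside the kernel, on the syslog side. The script below is an added example for this thread; it is not code from any of the posters or from FreeBSD. It reads syslog lines of the form "Limiting <kind> response from N to M packets per second", folds each run of consecutive messages of the same kind into one summary line with the time span and the range of input rates, and tags a run as a flood when its peak reaches FLOOD_RATE. The sample log is constructed for the example in the format of the messages quoted in this thread; the 1000 packets/s threshold is an assumption, not a figure anyone in the thread gives, chosen so that the ~5200/s runs emac reports and the ~380/s runs in the subject line land on opposite sides of it.

```shell
#!/bin/sh
# Added example: coalesce and classify FreeBSD "Limiting ... response"
# kernel messages from syslog. Not code from this thread or from FreeBSD.

# Constructed sample syslog lines (not real logs), in the format of the
# messages quoted in the thread.
SAMPLE_LOG='Apr 16 11:20:01 shell /kernel: Limiting closed port RST response from 381 to 200 packets per second
Apr 16 11:20:02 shell /kernel: Limiting closed port RST response from 390 to 200 packets per second
Apr 16 11:20:03 shell /kernel: Limiting closed port RST response from 377 to 200 packets per second
Apr 16 11:22:10 shell /kernel: Limiting icmp unreach response from 5263 to 200 packets per second
Apr 16 11:22:11 shell /kernel: Limiting icmp unreach response from 5202 to 200 packets per second
Apr 16 11:22:12 shell /kernel: Limiting icmp unreach response from 5233 to 200 packets per second
Apr 16 11:22:13 shell /kernel: Limiting icmp unreach response from 5216 to 200 packets per second
Apr 16 11:22:14 shell /kernel: Limiting icmp unreach response from 5228 to 200 packets per second
Apr 16 11:30:00 shell /kernel: Limiting closed port RST response from 410 to 200 packets per second'

# Assumed threshold (input packets/s as printed by the kernel) at or above
# which a run is called a flood rather than a scan. Not from the thread.
FLOOD_RATE=${FLOOD_RATE:-1000}

# summarize_bandlimit: read syslog (or raw dmesg) lines on stdin and print
# one line per run of consecutive messages of the same kind:
#   <kind>: <n> msgs over <first>..<last>, rate <min>-<max>/s (limit <m>/s), <verdict>
summarize_bandlimit() {
    awk -v flood="$FLOOD_RATE" '
    function flush() {
        if (n == 0) return
        verdict = (max >= flood) ? "flood" : "scan/noise"
        printf "%s: %d msgs over %s..%s, rate %d-%d/s (limit %d/s), %s\n",
               kind, n, first, last, min, max, limit, verdict
        n = 0
    }
    /Limiting .* response from [0-9]+ to [0-9]+ packets per second/ {
        # kind is the text between "Limiting " and " response"
        s = $0; sub(/^.*Limiting /, "", s); sub(/ response.*$/, "", s)
        # "N to M packets per second": N is the offered rate, M the limit
        r = $0; sub(/^.* response from /, "", r); split(r, f, " ")
        rate = f[1] + 0; lim = f[3] + 0
        # syslog lines carry a time-of-day in field 3; raw dmesg lines do not
        ts = ($1 == "Limiting") ? "-" : $3
        if (n > 0 && s != kind) flush()
        if (n == 0) { kind = s; first = ts; min = rate; max = rate; limit = lim }
        last = ts; n++
        if (rate < min) min = rate
        if (rate > max) max = rate
        next
    }
    END { flush() }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | summarize_bandlimit
```

Run it over /var/log/messages (or dmesg output, where the time span shows as "-") to get one line per episode instead of one per second. Two runs of the same kind separated by a quiet period are still folded together because the script keys only on adjacency, not on time gaps; if that matters, split on a time difference as well.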

From owner-freebsd-security Tue Apr 16 14: 4: 8 2002
Delivered-To: freebsd-security@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id DCCEA37B405; Tue, 16 Apr 2002 14:03:49 -0700 (PDT)
Received: (from nectar@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g3GL3nq44377; Tue, 16 Apr 2002 14:03:49 -0700 (PDT) (envelope-from security-advisories@freebsd.org)
Date: Tue, 16 Apr 2002 14:03:49 -0700 (PDT)
Message-Id: <200204162103.g3GL3nq44377@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:20.syncache
Reply-To: security-advisories@freebsd.org
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:20                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          syncache/syncookies denial of service

Category:       core
Module:         net
Announced:      2002-04-16
Credits:        Alan Judge
                Dima Ruban
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4.4-STABLE after 2001-12-14 19:53:01 UTC
                FreeBSD 4.5-STABLE prior to the correction date
Corrected:      2002-02-20 16:48:49 UTC (RELENG_4)
                2002-02-21 16:38:39 UTC (RELENG_4_5, 4.5-RELEASE-p1)
FreeBSD only:   YES

I.   Background

The SYN cache ("syncache") and SYN cookie mechanism ("syncookie") are features of the TCP/IP stack intended to improve resistance to a class of denial of service attacks known as SYN floods.

II.  Problem Description

Two related problems with syncache were triggered when syncookies were implemented.

1) When a SYN was accepted via a syncookie, it used an uninitialized pointer to find the TCP options for the new socket. This pointer may be a null pointer, which will cause the machine to crash.

2) A syncache entry is created when a SYN arrives on a listen socket. If the application which created the listen socket was killed and restarted --- and therefore recreated the listen socket with a different inpcb --- an ACK (or duplicate SYN) which later arrived and matched the existing syncache entry would cause a reference to the old inpcb pointer. Depending on the pointer's contents, this might result in a system crash.

Because syncache/syncookies support was added prior to the release of FreeBSD 4.5-RELEASE, no other releases are affected.

III. Impact

Legitimate TCP/IP traffic may cause the machine to crash.

IV.  Workaround

The first issue described may be worked around by disabling syncookies using sysctl. Issue the following command as root:

# sysctl -w net.inet.tcp.syncookies=0

However, there is no workaround for the second issue.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE or the RELENG_4_5 security branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:20/syncache.patch.asc

This patch has been verified to apply to 4.5-RELEASE only.

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch

Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD ports collection.

Path                              Branch       Revision
- -------------------------------------------------------------------------
src/sys/conf/newvers.sh           RELENG_4_5   1.44.2.20.2.2
src/sys/netinet/tcp_syncache.c    RELENG_4     1.5.2.5
                                  RELENG_4_5   1.5.2.4.2.1
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBPLw9nVUuHi5z0oilAQFwpAP9EJludFfmQfMWU4supMdZ1K//qeqgtJVn
XrEX3TZjqOxRSnlzUUibbO2agnW7yCd8i2Qq0/3KyvMrcS4qSLmcvhQPsZxc26Bx
Xakz3uvCRIA0XlpJAd/HirsdPHQ94q0JMdnx6C1kW+EMQzM/0KKLpVNsdnFopy0m
mtPNSZRYgHk=
=9qwI
-----END PGP SIGNATURE-----

From owner-freebsd-security Tue Apr 16 15:24:10 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.speakeasy.net (mail17.speakeasy.net [216.254.0.217]) by hub.freebsd.org (Postfix) with ESMTP id 7BB1F37B400 for ; Tue, 16 Apr 2002 15:23:38 -0700 (PDT)
Received: (qmail 11451 invoked from network); 16 Apr 2002 22:23:38 -0000
Received: from unknown (HELO metbsd.priv.metrol.net) ([66.92.40.28]) (envelope-sender ) by mail17.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 16 Apr 2002 22:23:38 -0000
Content-Type: text/plain; charset="us-ascii"
From: "Michael W. Collette"
To: FreeBSD Mailing Lists
Subject: SSH Connection Time Problems
Date: Tue, 16 Apr 2002 15:23:37 -0700
X-Mailer: KMail [version 1.4]
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Message-Id: <200204161523.37293.metrol@metrol.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Recently I have had some problems with getting an SSH connection from my FreeBSD 4.5-Stable box to my web hosting company's servers, also running FreeBSD.
It takes over a minute to establish a connection, which is really mucking up the tunnelling of services I have going to them.

Initially I was thinking that something changed on the web host, as I was able to make http and pop3 connections to them without delay. Upon writing them about this they suggested that the problem was with network latency. Didn't make much sense to me, as latency shouldn't be protocol specific. Even still, I contacted my ISP about this.

The tech at my ISP didn't have any delay getting a connection to the web host. He then set me up with a shell account on a RedHat box they were running their hosting on. I was able to get an SSH connection directly to them without delay.

I'm running IPFW here, so I added a pass everything rule to cancel it out. No difference.

I have 2 IP addresses with this ISP, the other sitting on an NT box. I attempted an SSH connection to the web host with it using TeraTerm, and it worked perfectly. Only my FreeBSD box is experiencing the delay to that web host.

I also have FreeBSD sitting on a laptop here. It connects to the Internet through my desktop FreeBSD machine running NAT. From there, it too has a horrible delay in connecting. If I take and give it a static IP outside it is able to connect without delay.

After all that, not even sure exactly what to ask. Banging my head on this one for almost a week now.

I'm running the built in SSH with FreeBSD, and I've rebuilt world as of yesterday. It seems like an IPFW issue. I haven't made any major changes to my ruleset in months, other than toggling the "pass any" for testing. This problem may have coincided with a make world I did last week, but I honestly don't recall the time frame.

My IPFW logging isn't showing anything, and I'm not getting any other errors that I can see. Also, once I do get an SSH connection, the throughput is perfectly normal.

Sorry about the length of this post, but I've been trying so many different things to figure out what is going on that I thought I should document it a bit.

I'm considering doing a cvsup back to 4.5-Release to see if that helps. Wanted to inquire about opinions on this before doing so.

Later on,
--
"Outside of a dog, a book is man's best friend. Inside of a dog, it's too dark to read." - Groucho Marx

From owner-freebsd-security Tue Apr 16 15:32:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 0A4C537B400 for ; Tue, 16 Apr 2002 15:32:39 -0700 (PDT)
Received: by flood.ping.uio.no (Postfix, from userid 2602) id 7915A5309; Wed, 17 Apr 2002 00:32:37 +0200 (CEST)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Michael W. Collette"
Cc: FreeBSD Mailing Lists
Subject: Re: SSH Connection Time Problems
References: <200204161523.37293.metrol@metrol.net>
From: Dag-Erling Smorgrav
Date: 17 Apr 2002 00:32:36 +0200
In-Reply-To: <200204161523.37293.metrol@metrol.net>
Message-ID:
Lines: 22
User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.1
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

"Michael W. Collette" writes:
> Recently I have had some problems with getting an SSH connection from my
> FreeBSD 4.5-Stable box to my web hosting company's servers, also running
> FreeBSD. It takes over a minute to establish a connection, which is really
> mucking up the tunnelling of services I have going to them.
The most likely cause is a problem with the reverse DNS for the IP address you're coming from (either your IP address doesn't have a reverse DNS entry, or the web server is unable to look it up). Try this once you're logged in on the web server: /bin/sh -c 'host ${SSH_CLIENT%% *}' (mind the space before the star!) If your reverse DNS is working, this should print out a single line almost immediately; if it hangs for more than a few seconds, you have a DNS problem. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 16 15:33:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 1853D37B42A for ; Tue, 16 Apr 2002 15:33:19 -0700 (PDT) Received: (qmail 68979 invoked by uid 1000); 16 Apr 2002 22:33:18 -0000 Date: Tue, 16 Apr 2002 18:33:18 -0400 From: Chris Johnson To: "Michael W. Collette" Cc: FreeBSD Mailing Lists Subject: Re: SSH Connection Time Problems Message-ID: <20020416183318.A67626@palomine.net> References: <200204161523.37293.metrol@metrol.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="liOOAslEiF7prFVr" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200204161523.37293.metrol@metrol.net>; from metrol@metrol.net on Tue, Apr 16, 2002 at 03:23:37PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --liOOAslEiF7prFVr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. 
Collette wrote: > Recently I have had some problems with getting an SSH connection from my= =20 > FreeBSD 4.5-Stable box to my web hosting company's servers, also running= =20 > FreeBSD. It takes over a minute to establish a connection, which is real= ly=20 > mucking up the tunnelling of services I have going to them. That sounds an awful lot like a DNS lookup timing out. Does the reverse map= ping of the IP address you're trying to connect from work? What is the IP addres= s? Chris --liOOAslEiF7prFVr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8vKatyeUEMvtGLWERAjnLAJ4kc4aKYknSuAUOMsSi7WdTddi9CgCg+kFs /CUF+tjZc0Palqnt6fA5B+U= =+kKt -----END PGP SIGNATURE----- --liOOAslEiF7prFVr-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Apr 16 15:35:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailf.telia.com (mailf.telia.com [194.22.194.25]) by hub.freebsd.org (Postfix) with ESMTP id 4E68537B416 for ; Tue, 16 Apr 2002 15:35:03 -0700 (PDT) Received: from falcon.midgard.homeip.net (h53n2fls20o913.telia.com [212.181.163.53]) by mailf.telia.com (8.11.6/8.11.6) with SMTP id g3GMZ1Z01218 for ; Wed, 17 Apr 2002 00:35:01 +0200 (CEST) Received: (qmail 502 invoked by uid 1001); 16 Apr 2002 22:35:00 -0000 Date: Wed, 17 Apr 2002 00:35:00 +0200 From: Erik Trulsson To: "Michael W. Collette" Cc: FreeBSD Mailing Lists Subject: Re: SSH Connection Time Problems Message-ID: <20020416223500.GA465@student.uu.se> Mail-Followup-To: "Michael W. 
Collette" , FreeBSD Mailing Lists References: <200204161523.37293.metrol@metrol.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200204161523.37293.metrol@metrol.net> User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. Collette wrote: [This should probably have gone to -questions instead.] > Recently I have had some problems with getting an SSH connection from my > FreeBSD 4.5-Stable box to my web hosting company's servers, also running > FreeBSD. It takes over a minute to establish a connection, which is really > mucking up the tunnelling of services I have going to them. Two possibilities come to mind: DNS or ident > Initially I was thinking that something changed on the web host, as I was able > to make http and pop3 connections to them without delay. Upon writing them > about this they suggested that the problem with network latency. Didn't make > much sense to me, as latency shouldn't be protocol specific. Even still, I > contacted my ISP about this. Probably not DNS then. > > The tech at my ISP didn't have any delay getting a connection to the web host. > He then set me up with a shell account on a RedHat box they were running > their hosting on. I was able to get an SSH connection directly to them > without delay. > > I'm running IPFW here, so I added a pass everything rule to cancel it out. No > difference. Try adding the following rule to your IPFW rule set. ipfw add reset tcp from any to me 113 Normally when you try to connect with ssh, the ssh daemon at the other end tries to connect to port 113 (auth) on your machine to see who you are. If nothing is listening on that port it will eventually continue anyway. 
The 'reset' rule I gave above will immediately return a 'nobody listening
here' message to the other end instead of just dropping the packet and thus
forcing the other to wait for a timeout (which takes about a minute.)

--
Erik Trulsson
ertr1013@student.uu.se

From owner-freebsd-security Tue Apr 16 16:43:28 2002
Message-ID: <1019000456.3cbcb68886527@ulairi.csun.edu>
Date: Tue, 16 Apr 2002 16:40:56 +0700
From: ulairi@ulairi.org
To: "Michael W. Collette"
Cc: freebsd-security@FreeBSd.OrG
Subject: Re: SSH Connection Time Problems
References: <200204161523.37293.metrol@metrol.net>
In-Reply-To: <200204161523.37293.metrol@metrol.net>

Quoting "Michael W. Collette":

> Recently I have had some problems with getting an SSH connection from my
> could you run "ssh -vvv " and post the output?

Unfortunately, there will be no timestamps, so if you could comment the
output, it'd be great.

Another thing you may try doing (if you can) is use the remote machine to
spin up sshd in debug mode on a different port and connect to it, see the
output of both at the same time, might notice something out of place.
-ulairi@ulairi.org

From owner-freebsd-security Tue Apr 16 18: 9:32 2002
Date: Tue, 16 Apr 2002 18:09:03 -0700
From: Charles Henrich
To: Dmitry Shupilov
Cc: freebsd-security@freebsd.org
Subject: Re: IPFW/IPsec
Message-ID: <20020416180902.A31712@sigbus.com>
References: <20020415231146.A21593@sigbus.com> <192415279580.20020416105853@ns.tb.by>
In-Reply-To: <192415279580.20020416105853@ns.tb.by>; from root@ns.tb.by on Tue, Apr 16, 2002 at 10:58:53AM +0300

So if I allow ipencap packets through, the link works, but this leads me to
think that the packets aren't being encrypted. Shouldn't they be type esp?
-Crh

Charles Henrich  henrich@msu.edu  http://www.sigbus.com:81/~henrich

From owner-freebsd-security Tue Apr 16 18:45:36 2002
Date: Wed, 17 Apr 2002 04:43:47 +0300
From: Giorgos Keramidas
To: ulairi@ulairi.org
Cc: "Michael W. Collette", freebsd-security@FreeBSD.ORG
Subject: Re: SSH Connection Time Problems
Message-ID: <20020417014347.GB28850@hades.hell.gr>
References: <200204161523.37293.metrol@metrol.net> <1019000456.3cbcb68886527@ulairi.csun.edu>
In-Reply-To: <1019000456.3cbcb68886527@ulairi.csun.edu>

On 2002-04-16 16:40, ulairi@ulairi.org wrote:
> Quoting "Michael W. Collette":
> > Recently I have had some problems with getting an SSH connection
> > from my
> > could you run "ssh -vvv " and post the output?
> Unfortunately, there will be no timestamps, so if you could comment
> the output, it'd be great.
You can add timestamps with one second accuracy (I know it's not that
accurate, but for this type of test it will probably be OK), with something
like:

    % long running command | perl -ne 'print(time()." ".$_)'

Giorgos Keramidas                       FreeBSD Documentation Project
keramida@{freebsd.org,ceid.upatras.gr}  http://www.FreeBSD.org/docproj/

From owner-freebsd-security Tue Apr 16 20:18:36 2002
From: "William J. Borskey"
To: freebsd-security@freebsd.org
Subject: i need some help
Date: Tue, 16 Apr 2002 20:18:31 -0700

i am not sure if i am writing to the correct list or not, but here is my
question: i recently acquired a "Xerox Docuprint M750" printer, it supposedly
works. i have it connected to the usb port on my machine and i also have
compiled my kernel with support. when i do a `dmesg|grep Xerox` i get
"ulpt0: Xerox Xerox DocuPrint M750, rev 1.00/1.00, addr 2, iclass 7/1" for a
USB printer, but when i do a `lptest > /dev/ulpt0` i get "Devive busy." i
don't understand what the problem is.
-William Borskey

From owner-freebsd-security Tue Apr 16 21: 4:30 2002
From: Dag-Erling Smorgrav
To: "William J. Borskey"
Cc: freebsd-security@freebsd.org
Subject: Re: i need some help
Date: 17 Apr 2002 06:04:24 +0200

"William J. Borskey" writes:
> i am not sure if i am writing to the correct list

You aren't. This list is for security issues only.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Apr 16 21:50:17 2002
Date: Wed, 17 Apr 2002 06:55:32 +0200
From: Zahemszky Gábor
Subject: Re: SSH Connection Time Problems
In-reply-to: <200204161523.37293.metrol@metrol.net>
To: freebsd-security@freebsd.org
Message-id: <20020417045532.GA223@Picasso.Zahemszky.HU>
References: <200204161523.37293.metrol@metrol.net>

On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. Collette wrote:
> Recently I have had some problems with getting an SSH connection from my
> FreeBSD 4.5-Stable box to my web hosting company's servers, also running
> FreeBSD.
> It takes over a minute to establish a connection, which is really
> mucking up the tunnelling of services I have going to them.

What about it: somewhere in the past, the ssh client used to use protocol
version 1. Now it uses v2. Try ssh -1 . If it is a lot quicker, try to use a
bigger machine on the other end. I had the same problem with my little
gateway machine at home - it's an old 486. With v2, it's about a minute or
two to connect, with v1, only 2 or 3 seconds.

ZGabor < Gabor at Zahemszky dot HU >
--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;X=;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;X="$X $i";typeset +l i;};print "$X"

From owner-freebsd-security Tue Apr 16 22:10:14 2002
Date: Tue, 16 Apr 2002 22:09:44 -0700
From: Benjamin Krueger
To: Zahemszky Gábor
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Connection Time Problems
Message-ID: <20020416220944.R23267@rain.macguire.net>
References: <200204161523.37293.metrol@metrol.net> <20020417045532.GA223@Picasso.Zahemszky.HU>
In-Reply-To: <20020417045532.GA223@Picasso.Zahemszky.HU>
* Zahemszky Gábor (Gabor@Zahemszky.HU) [020416 21:50]:
> On Tue, Apr 16, 2002 at 03:23:37PM -0700, Michael W. Collette wrote:
> > Recently I have had some problems with getting an SSH connection from my
> > FreeBSD 4.5-Stable box to my web hosting company's servers, also running
> > FreeBSD. It takes over a minute to establish a connection, which is really
> > mucking up the tunnelling of services I have going to them.
>
> What about it: somewhere in past, ssh client used to use protocol version 1.
> Now, it uses v2. Try ssh -1 . If it is a lot quicker, try to
> use a bigger machine on the other end. I had the same problem with my little
> gateway machine at home - it's an old 486. With v2, it's about a minute or
> two to connect, with v1, only 2 or 3 seconds.
>
> ZGabor < Gabor at Zahemszky dot HU >

You may also want to use Blowfish as your primary cipher. Blowfish will be a
lot nicer to an older machine.

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Wed Apr 17 3:48:41 2002
From: "Mario Lobo"
Organization: American School of Recife - Brazil
To: freebsd-security@FreeBSD.org
Date: Wed, 17 Apr 2002 07:49:38 -0300
Subject: test, please erase
Message-ID: <3CBD290B.27910.4A0BB70@localhost>

test, please erase-

*** Mario Lobo (webmaster)
*** Dean of Computer Department
*** American School of Recife

From owner-freebsd-security Wed Apr 17 6:41:47 2002
From: Kenneth Smith
Message-ID: <46822.199.125.55.250.1019050618.squirrel@www.gcfn.org>
Date: Wed, 17 Apr 2002 09:36:58 -0400 (EDT)
Subject: Re: i need some help
To: wborskey@hotmail.com
Cc: freebsd-security@FreeBSD.ORG

William:

See the information below from freebsd.org.

ks

http://www.freebsd.org/support.html#mailing-list

Mailing lists are the primary support channel for FreeBSD users, with
numerous mailing lists covering different topic areas. When in doubt about
what list to post a question to, post to freebsd-questions@FreeBSD.ORG. You
can browse or search the mailing list archives at www.FreeBSD.org.

>Subject: Re: i need some help
>From: Dag-Erling Smorgrav
>Date: Wed, April 17, 2002 12:04 am
>To: "William J. Borskey"
>Cc: freebsd-security@FreeBSD.ORG
>
>>"William J. Borskey" writes:
>> i am not sure if i am writing to the correct list
>
>You aren't. This list is for security issues only.
>DES
>--
>Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Wed Apr 17 7:39: 6 2002
From: "Andrew A. Bely"
Subject: IPSec with Win2k: racoon problems
Date: Wed, 17 Apr 2002 18:41:52 +0400

Hi all!

I have a problem setting up IPSec between FreeBSD and Win2k boxes. All goes
well when the connection is initiated from the Win2k box. But when the
connection is initiated from the FreeBSD box, racoon simply dies after the
time specified by the "interval" parameter in the "timer" section of the
configuration file.

I can send the config file used and any additional info, if needed.

I'm not subscribed to this list(s), so please send me a copy of any
responses directly.

Thanks for the help.
Andrew Bely

From owner-freebsd-security Wed Apr 17 8: 0:44 2002
To: taurus@atalan.ru
Cc: freebsd-question@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: IPSec with Win2k: racoon problems
In-Reply-To: Your message of "Wed, 17 Apr 2002 18:41:52 +0400"
Message-Id: <20020418000134K.sakane@kame.net>
Date: Thu, 18 Apr 2002 00:01:34 +0900
From: Shoichi Sakane

> I have a problem setting up an IPSec between FreeBSD and Win2k boxes.
> All goes well when connection initiated from Win2k box. But, when the

There are some people on this mailing list who know some tips for
connecting with Win2k. They could help you.

> connection initiated from FreeBSD box, racoon simply dies after time
> specified by "interval" parameter in "timer" section of configuration file.
> I can send a config file used and any additional info, if needed.

Please run racoon with the -d option and take a log file when racoon dies.
The following command will help with this operation.

    # script debug.log racoon -dF

And send me the log directly. Thank you.
From owner-freebsd-security Wed Apr 17 12:24: 0 2002
Date: Wed, 17 Apr 2002 12:23:42 -0700 (PDT)
Message-Id: <200204171923.g3HJNga58899@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:21.tcpip                                      Security Advisory
                                                                FreeBSD, Inc.

Topic:          routing table memory leak

Category:       core
Module:         net
Announced:      2002-04-17
Credits:        Jayanth Vijayaraghavan
                Ruslan Ermilov
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-12-07 09:23:11 UTC and prior
                to the correction date
Corrected:      2002-03-22 16:54:19 UTC (RELENG_4)
                2002-04-15 17:12:08 UTC (RELENG_4_5)
FreeBSD only:   YES

I.   Background

The TCP/IP stack's routing table records information about how to reach
various destinations. The first time a TCP connection is established with
a particular host, a so-called "cloned route" entry for that host is
automatically derived from one of the predefined routes and added to the
table.
Each entry has a reference count that indicates how many existing
connections use that entry; when the reference count reaches zero, the
entry is removed from the table.

II.  Problem Description

A bug was introduced into ip_output() wherein the processing of an ICMP
echo reply message would cause a reference count on a routing table entry
to never be decremented. Thus, memory allocated for the routing table
entry was never deallocated.

III. Impact

This bug could be exploited to effect a remote denial of service attack.
An attacker could cause new routing table entries (for example, by taking
advantage of TCP's route cloning behavior) and then utilize this bug to
cause the route entry to never be deallocated. In this fashion, the target
system's memory can be exhausted.

IV.  Workaround

Use a packet filter (see ipf(8) or ipfw(8)) to deny ICMP echo messages.

V.   Solution

1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or the
RELENG_4_5 security branch dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[4.5-RELEASE, 4-STABLE between 2001-12-28 10:08:33 UTC and 2002-02-20 14:57:41 UTC]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Path                         Branch        Revision
- -------------------------------------------------------------------------
sys/netinet/ip_icmp.c        RELENG_4      1.39.2.16
                             RELENG_4_5    1.39.2.14.2.1
sys/netinet/ip_mroute.c      RELENG_4      1.56.2.4
                             RELENG_4_5    1.56.2.3.2.1
sys/netinet/ip_output.c      RELENG_4      1.99.2.29
                             RELENG_4_5    1.99.2.24.2.1
- -------------------------------------------------------------------------

From owner-freebsd-security Wed Apr 17 13: 8:46 2002
Message-Id: <200204172008.g3HK8Sx19717@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Wed, 17 Apr 2002 15:08:28 -0500
From: Martin McCormick

Does this advisory apply to systems that do not function as routers but
send and receive all their out-of-network traffic through a router?
If this is the lamest question that gets asked here, I am sorry, but I want
to make sure I am not missing some non-obvious function that this memory
leak involves. Thank you very much.

Martin McCormick

FreeBSD Security Advisories writes:
>Topic: routing table memory leak

From owner-freebsd-security Wed Apr 17 13:15:48 2002
Date: Wed, 17 Apr 2002 15:15:43 -0500
From: "Jacques A. Vidrine"
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020417201542.GA14047@madman.nectar.cc>
References: <200204172008.g3HK8Sx19717@dc.cis.okstate.edu>
In-Reply-To: <200204172008.g3HK8Sx19717@dc.cis.okstate.edu>

On Wed, Apr 17, 2002 at 03:08:28PM -0500, Martin McCormick wrote:
> Does this advisory apply to systems that do not function
> as routers

Yes. Hosts have routing tables, too.

> but send and receive all their out-of-network traffic
> through a router?
>
> If this is the lamest question that gets asked here, I am
> sorry, but I want to make sure I am not missing some non-obvious
> function that this memory leak involves. Thank you very much.

Better safe than sorry.

--
Jacques A. Vidrine                  http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Wed Apr 17 13:16:51 2002
From: Bjoern Engels
To: Martin McCormick, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Wed, 17 Apr 2002 22:16:16 +0200
References: <200204172008.g3HK8Sx19717@dc.cis.okstate.edu>
In-Reply-To: <200204172008.g3HK8Sx19717@dc.cis.okstate.edu>

On Wednesday, 17. April 2002 22:08, Martin McCormick wrote:
> Does this advisory apply to systems that do not function
> as routers but send and receive all their out-of-network traffic
> through a router?

It affects every system described in the announcement that can be pinged.
Bjoern
--
"The number of Unix installations has grown to ten, with more expected"
-- The Unix programmers handbook, 1972

From owner-freebsd-security Wed Apr 17 22: 3:48 2002
Message-Id: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org>
Date: Wed, 17 Apr 2002 23:03:22 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <200204171923.g3HJNga58899@freefall.freebsd.org>

At 01:23 PM 4/17/2002, FreeBSD Security Advisories wrote:

>V. Solution
>
>1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
>the RELENG_4_5 security branch dated after the respective correction
>dates.

On what server is 4.5-RELEASE-p3 located?
--Brett Glass

From owner-freebsd-security Wed Apr 17 22:11:49 2002
From: Christopher Schulte
To: Brett Glass, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 00:11:39 -0500
Message-Id: <5.1.0.14.0.20020418000849.02931cf8@pop3s.schulte.org>
In-Reply-To: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org>
References: <200204171923.g3HJNga58899@freefall.freebsd.org>
X-Mailer: QUALCOMM Windows Eudora Version 5.1

At 11:03 PM 4/17/2002 -0600, Brett Glass wrote:
>At 01:23 PM 4/17/2002, FreeBSD Security Advisories wrote:
>
>>V. Solution
>>
>>1) Upgrade your vulnerable system to 4.5-STABLE, 4.5-RELEASE-p3, or
>>the RELENG_4_5 security branch dated after the respective correction
>>dates.
>
>On what server is 4.5-RELEASE-p3 located?

You can synchronize your source tree and recompile. See:

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html

Direct any questions to freebsd-questions@freebsd.org, please.

>--Brett Glass

--
Christopher Schulte
http://www.schulte.org/
Do not un-munge my @nospam.schulte.org email address.
This address is valid.
From owner-freebsd-security Thu Apr 18 00:33:15 2002
From: SolarfluX
Reply-To: solarflux@ziplip.com
To: freebsd-security@freebsd.org
Subject: Upgrading default OpenSSL
Date: Thu, 18 Apr 2002 00:33:10 -0700 (PDT)
Message-ID: <4U15ED50ZL4WVM0UEE0W2AIAH5XZ51ZLAEX1P1UF@ziplip.com>
X-Mailer: ZipLip Sonoma v3.2

Hi,

I'd like to upgrade the default version of OpenSSL (0.9.6a) on 4.5-STABLE to the latest available in ports (0.9.6b). I upgraded the default OpenSSH to 3.1p using an entry in /etc/make.conf:

OPENSSH_OVERWRITE_BASE=YES

Can the same thing be done with OpenSSL (i.e. OPENSSL_OVERWRITE_BASE=YES), after commenting out the FORBIDDEN lines in the Makefile?

When will 0.9.6c (released Dec. 21, 2001) be incorporated?
TIA

From owner-freebsd-security Thu Apr 18 00:38:29 2002
From: Brani Stojakovic
To: security@freebsd.org
Date: Thu, 18 Apr 2002 09:38:14 +0200
Message-Id: <20020418093814.6210bec0.branix@uta.at>
X-Mailer: Sylpheed version 0.7.0 (GTK+ 1.2.10; i386--freebsd4.5)

unsubscribe

From owner-freebsd-security Thu Apr 18 00:48:33 2002
From: SolarfluX
Reply-To: solarflux@ziplip.com
To: freebsd-security@freebsd.org
Subject: Re: Upgrading default OpenSSL
Date: Thu, 18 Apr 2002 00:48:26 -0700 (PDT)
X-Mailer: ZipLip Sonoma v3.2

Normally, yes, that's what it is for, but not in this case. From /usr/ports/security/openssl/Makefile:

#FORBIDDEN= "OpenSSL is already in the base system"

-S

> -----Original Message-----
> From: Jeff Palmer [mailto:scorpio@drkshdw.org]
> Sent: Thursday, April 18, 2002, 12:39 AM
> To: solarflux@ziplip.com
> Subject: Re: Upgrading default OpenSSL
>
> Do you happen to know what the forbidden= is for?
> Typically it's due to a security related issue. It seems to me that you
> want the latest/greatest OpenSSL/OpenSSH for security purposes.. so I'd
> think this whole idea of commenting out the line, would be
> counter-productive..
>
>
> ----- Original Message -----
> From: "SolarfluX"
> To:
> Sent: Thursday, April 18, 2002 3:33 AM
> Subject: Upgrading default OpenSSL
>
>
> > Hi,
> >
> > I'd like to upgrade the default version of OpenSSL (0.9.6a) on 4.5-STABLE
> to the latest available in ports (0.9.6b). I upgraded the default OpenSSH
> to 3.1p using an entry in /etc/make.conf:
> >
> > OPENSSH_OVERWRITE_BASE=YES
> >
> > Can the same thing be done with OpenSSL (i.e. OPENSSL_OVERWRITE_BASE=YES),
> after commenting out the FORBIDDEN lines in the Makefile?
> >
> > When will 0.9.6c (released Dec. 21, 2001) be incorporated?
> >
> > TIA

From owner-freebsd-security Thu Apr 18 04:34:05 2002
From: "Iago Sineiro"
To: "FreeBSD Seguridad"
Subject: Problem applying patch SA-02:18
Date: Fri, 19 Apr 2002 13:33:32 +0200
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)

Hi.

I followed the instructions in FreeBSD SA-02:18, but when I try to apply the zlib patch I obtain this result:

prototipo# pwd
/usr/src
prototipo# patch -p < /tmp/zlib.patch
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: lib/libz/infblock.c
|===================================================================
|RCS file: /home/ncvs/src/lib/libz/infblock.c,v
|retrieving revision 1.2
|diff -u -r1.2 infblock.c
|--- lib/libz/infblock.c 30 Sep 2001 22:39:00 -0000 1.2
|+++ lib/libz/infblock.c 17 Feb 2002 15:19:53 -0000
--------------------------
File to patch:

What file do I have to patch? I applied the syncache patch (SA-02:20) and it didn't ask which file I wanted to patch. I tried to apply the FreeBSD-SA-02:13 (openssh) patch and it also asked for the file to patch.

Also, what is the difference between patch -p < /tmp/zlib.patch and patch < /tmp/zlib.patch?
I read the man page for patch but I didn't understand it very well.

Thanks.

Iago.

From owner-freebsd-security Thu Apr 18 05:02:22 2002
From: "Jacques A. Vidrine"
To: Iago Sineiro
Cc: FreeBSD Seguridad
Subject: Re: Problem applying patch SA-02:18
Date: Thu, 18 Apr 2002 07:02:13 -0500
Message-ID: <20020418120213.GC21732@madman.nectar.cc>
User-Agent: Mutt/1.3.28i

On Fri, Apr 19, 2002 at 01:33:32PM +0200, Iago Sineiro wrote:
> Hi.
>
> I followed the instructions in FreeBSD SA-02:18 but when I try to apply
> patch zlib I obtained this result:

[deletia]

It appears that you do not have a full source tree in /usr/src.

> Also what is the difference between patch -p < /tmp/zlib.patch and patch <
> /tmp/zlib.patch? I see the man page for patch but I didn't understand it
> very well.

The `-p' option is for stripping path name components from the path names in the patch. You might try .

--
Jacques A. Vidrine                        http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Apr 18 05:07:26 2002
From: Dmitry Pryanishnikov
Subject: Re: Problem applying patch SA-02:18
Date: Thu, 18 Apr 2002 15:05:55 +0300 (EEST)

Hello!

On Thu, 18 Apr 2002, Iago Sineiro wrote:
> I followed the instructions in FreeBSD SA-02:18 but when I try to apply
> patch zlib I obtained this result:
>
> prototipo# pwd
> /usr/src
> prototipo# patch -p < /tmp/zlib.patch
> Hmm... Looks like a unified diff to me...
> The text leading up to this was:
> --------------------------
> |Index: lib/libz/infblock.c
> |===================================================================
> |RCS file: /home/ncvs/src/lib/libz/infblock.c,v
> |retrieving revision 1.2
> |diff -u -r1.2 infblock.c
> |--- lib/libz/infblock.c 30 Sep 2001 22:39:00 -0000 1.2
> |+++ lib/libz/infblock.c 17 Feb 2002 15:19:53 -0000
> --------------------------
> File to patch:
>
> What file I have to patch?

It seems that you didn't install the sources for the libraries (/usr/src/lib); install them from the distribution. Again, *NOTE* that the fix for /sys/net/zlib.c is still broken: it will crash your kernel if you try to use kernel pppd with 'deflate' compression. Better fetch the new version of /sys/net/zlib.c from the CVS repository.

Sincerely, Dmitry

Atlantis ISP, System Administrator
e-mail: dmitry@atlantis.dp.ua
nic-hdl: LYNX-RIPE

From owner-freebsd-security Thu Apr 18 08:25:32 2002
From: DawidChrzan
To: freebsd-security@freebsd.org
Subject: Problem FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 17:25:35 +0200 (CEST)
Message-ID: <20020418171037.W2808-100000@legvan.pszczyna.net.pl>

Hi

I have a problem patching /usr/src with tcpip.patch.
I downloaded ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch

When I am applying the patch I get an error about the previously applied patch.

Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: sys/netinet/ip_icmp.c
|diff -u sys/netinet/ip_icmp.c:1.39.2.14 sys/netinet/ip_icmp.c:1.39.2.14.2.1
|--- sys/netinet/ip_icmp.c:1.39.2.14 Mon Jan 14 01:54:35 2002
|+++ sys/netinet/ip_icmp.c Mon Apr 15 12:12:05 2002
--------------------------
Patching file sys/netinet/ip_icmp.c using Plan A...
etc...

make depend goes ok, but during make I got an error:

cc -c -O -pipe -Wall -Wredundant-decls -Wnested-externs -Wstrict-prototypes -Wmissing-prototypes -Wpointer-arith -Winline -Wcast-qual -fformat-extensions -ansi -nostdinc -I- -I. -I../.. -I../../../include -I../../contrib/ipfilter -D_KERNEL -include opt_global.h -elf -mpreferred-stack-boundary=2 ../../netinet/ip_icmp.c
../../netinet/ip_icmp.c: In function `icmp_reflect':
../../netinet/ip_icmp.c:622: `ro' undeclared (first use in this function)
../../netinet/ip_icmp.c:622: (Each undeclared identifier is reported only once
../../netinet/ip_icmp.c:622: for each function it appears in.)
../../netinet/ip_icmp.c:622: `rt' undeclared (first use in this function)
*** Error code 1

I use (`uname -a`):
FreeBSD legvan.pszczyna.net.pl 4.4-RELEASE FreeBSD 4.4-RELEASE #3: Sat Feb 23 00:24:31 GMT 2002 root@legvan.pszczyna.net.pl:/usr/src/sys/compile/LEGVAN i386

Dawid Chrzan
Net/Sys Admin - pszczyna.net.pl
mailto:qba@pszczyna.net.pl

From owner-freebsd-security Thu Apr 18 08:53:48 2002
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.org
To: DawidChrzan
Cc: freebsd-security@FreeBSD.org
Subject: Re: Problem FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 08:53:40 -0700
Message-Id: <200204181553.g3IFreNo011846@intruder.bmah.org>
In-reply-to: <20020418171037.W2808-100000@legvan.pszczyna.net.pl>
References: <20020418171037.W2808-100000@legvan.pszczyna.net.pl>
X-Mailer: exmh version 2.5+ 20020416 with nmh-1.0.4

If memory serves me right, DawidChrzan wrote:

> I have a problem patching /usr/src with tcpip.patch.
> I downloaded ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:21/tcpip.patch
> When I am applying the patch I get an error about the previously applied patch.

[snip]

> I use (`uname -a`):
> FreeBSD legvan.pszczyna.net.pl 4.4-RELEASE FreeBSD 4.4-RELEASE #3: Sat Feb
> 23 00:24:31 GMT 2002 root@legvan.pszczyna.net.pl:/usr/src/sys/compile/LEGVAN
> i386

If you read the advisory carefully, you will see that it does not apply to 4.4-RELEASE. Problem solved. :-)

Bruce.

From owner-freebsd-security Thu Apr 18 09:10:50 2002
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
From: Brett Glass
To: Christopher Schulte, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 10:10:15 -0600
In-Reply-To: <5.1.0.14.0.20020418000849.02931cf8@pop3s.schulte.org>
References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2

At 11:11 PM 4/17/2002, Christopher Schulte wrote:

>You can synchronize your source tree and recompile. See:
>
>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html

Alas, this is not an acceptable solution.

I realize that many people use FreeBSD on non-mission-critical systems, or to tinker with, and can afford downtime. But we need to create and maintain production machines.

I hope that you can understand that doing a CVSup and then rebuilding the world every night (slowing the system to a crawl in the process and creating a system which might or might not be 100% stable) is not an acceptable solution. Nor is downloading a random snapshot. (Which one can't seem to do anyway these days; releng4.freebsd.org is refusing

What is needed is a known good "p3" (or "p-whatever") build that can be installed quickly with minimum downtime. Yet, despite the fact that people routinely refer to (for example) "4.5-RELEASE-p3", no such build seems to actually exist. For those of us who create and manage production servers, there should be.
--Brett Glass

From owner-freebsd-security Thu Apr 18 09:19:24 2002
From: David Wolfskill
To: brett@lariat.org, schulte+freebsd@nospam.schulte.org, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 09:18:58 -0700 (PDT)
Message-Id: <200204181618.g3IGIwkd029030@bunrab.catwhisker.org>
In-Reply-To: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>

>Date: Thu, 18 Apr 2002 10:10:15 -0600
>From: Brett Glass

>At 11:11 PM 4/17/2002, Christopher Schulte wrote:
>>You can synchronize your source tree and recompile. See:
>>http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html

>Alas, this is not an acceptable solution.

>I realize that many people use FreeBSD on non-mission-critical systems, or
>to tinker with, and can afford downtime. But we need to create and maintain
>production machines.

>I hope that you can understand that doing a CVSup and then rebuilding the
>world every night (slowing the system to a crawl in the process and
>creating a system which might or might not be 100% stable) is not an
>acceptable solution.
>Nor is downloading a random snapshot. (Which one
>can't seem to do anyway these days; releng4.freebsd.org is refusing

That is irrelevant and specious.

If you have systems that are that important to you -- and I do, even here at home -- then acquire a machine to do the builds, and then use some method other than "build in place" to install the result.

In some cases, that could be NFS (perhaps over a special network dedicated to such tasks); in others, it could be using such capabilities as provided by atacontrol to insert a drive with a system image while the target system remains up and running. In neither case is the target system required to do the builds (and consume the time and other resources necessary).

>What is needed is a known good "p3" (or "p-whatever") build that can be
>installed quickly with minimum downtime. Yet, despite the fact that
>people routinely refer to (for example) "4.5-RELEASE-p3", no such build
>seems to actually exist. For those of us who create and manage production
>servers, there should be.

Patches?

Thanks....

Cheers,
david (links to my resume at http://www.catwhisker.org/~david)
--
David H. Wolfskill                              david@catwhisker.org
Based on my experience as a computing professional, I consider the use of Microsoft products as components of computing systems to be just as advisable as using green wood to frame a house... and expect similar results.
From owner-freebsd-security Thu Apr 18 09:30:13 2002
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Brett Glass
Cc: Christopher Schulte, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 10:29:01 -0600
Message-ID: <15550.62541.903626.398637@caddis.yogotech.com>
In-Reply-To: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid

[ One more time, since Brett apparently doesn't 'get it'. ]

> >You can synchronize your source tree and recompile. See:
> >
> >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
>
> Alas, this is not an acceptable solution.
>
> I realize that many people use FreeBSD on non-mission-critical systems, or
> to tinker with, and can afford downtime.
> But we need to create and maintain
> production machines.
>
> I hope that you can understand that doing a CVSup and then rebuilding the
> world every night (slowing the system to a crawl in the process and
> creating a system which might or might not be 100% stable) is not an
> acceptable solution.

Who said anything about building it every night?

> Nor is downloading a random snapshot. (Which one can't seem to do
> anyway these days; releng4.freebsd.org is refusing

Who said anything about a 'random' snapshot? Pick the snapshot that has the fix applied (using the date), and build it.

And, for what it's worth, the code that you seem to claim is 'random' on the RELENG_4_X branch is *exactly* the same code you would be getting if you download the patch and apply it to your system, except that it's automated.

> What is needed is a known good "p3" (or "p-whatever") build that can be
> installed quickly with minimum downtime. Yet, despite the fact that
> people routinely refer to (for example) "4.5-RELEASE-p3", no such build
> seems to actually exist. For those of us who create and manage production
> servers, there should be.

There is. Download the 'random snapshot' using the RELENG_4_5 tag.

All I see from you is a lot of bitching about how the FreeBSD project didn't hold your hand tight enough and have a developer show up on your doorstep to install and verify every single version of FreeBSD you use.

This email is sent from someone who has a large number of machines in *production use*.
Nate

From owner-freebsd-security Thu Apr 18 09:42:38 2002
From: Tom Rhodes
To: Dmitry Pryanishnikov
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Problem applying patch SA-02:18
Date: Thu, 18 Apr 2002 12:50:03 -0400
Message-Id: <20020418125003.48788de3.darklogik@pittgoth.com>
X-Mailer: Sylpheed version 0.7.4 (GTK+ 1.2.10; i386-portbld-freebsd4.5)

On Thu, 18 Apr 2002 15:05:55 +0300 (EEST)
Dmitry Pryanishnikov wrote:

[Patch Snip]

> >
> > What file I have to patch?
>
> It seems that you didn't install sources for libraries
> (/usr/src/lib), install them from the distribution. Again, *NOTE*
> that fix for /sys/net/zlib.c still broken, it will crash your kernel
> if you'll try to use kernel pppd with 'deflate' compression. Better
> fetch new version of /sys/net/zlib.c from CVS repository.
>
> Sincerely, Dmitry
>
> Atlantis ISP, System Administrator
> e-mail: dmitry@atlantis.dp.ua
> nic-hdl: LYNX-RIPE
>

Have you done ``make cleandir'' after a previous build?
If you don't do this your libraries will be scattered and unordered; I can verify this with my last makeworld on STABLE ;)

Hope that helps also

--
Tom (Darklogik) Rhodes
www.FreeBSD.org -The Power To Serve
www.Pittgoth.com -Pittgoth Discussion Portal
trhodes@{Pittgoth.com, FreeBSD.org}
PGP key by www: http://www.pittgoth.com/~darklogik/darklogik.key

From owner-freebsd-security Thu Apr 18 10:43:00 2002
From: Brett Glass
To: David Wolfskill, schulte+freebsd@nospam.schulte.org, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 11:42:35 -0600
Message-Id: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
In-Reply-To: <200204181618.g3IGIwkd029030@bunrab.catwhisker.org>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.

At 10:18 AM 4/18/2002, David Wolfskill wrote:

>If you have systems that are that important to you -- and I do, even
>here at home -- then acquire a machine to do the builds, and then use
>some method other than "build in place" to install the result.
That's not sufficient to ensure that you didn't pick the wrong time to take a snapshot. Production machines must run a known good snapshot.

--Brett

From owner-freebsd-security Thu Apr 18 10:47:42 2002
From: David Wolfskill
To: brett@lariat.org, david@catwhisker.org, schulte+freebsd@nospam.schulte.org, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Date: Thu, 18 Apr 2002 10:47:13 -0700 (PDT)
Message-Id: <200204181747.g3IHlDiq029335@bunrab.catwhisker.org>
In-Reply-To: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>

>Date: Thu, 18 Apr 2002 11:42:35 -0600
>From: Brett Glass

>>If you have systems that are that important to you -- and I do, even
>>here at home -- then acquire a machine to do the builds, and then use
>>some method other than "build in place" to install the result.

>That's not sufficient to ensure that you didn't pick the wrong time
>to take a snapshot. Production machines must run a known good
>snapshot.

So build yourself a "snapshot" that suits you; test it according to the needs of *your* environment.
If you are unwilling/unable to do so,
arrange for someone else to do it for you. It's possible that someone
would volunteer to expend his or her time and other resources to do this
for you for free, out of gratitude for something, or some such thing;
more likely, the person would request some form of compensation.

This has been gone over before, and I'm not going to spam the -security
list further on the topic.

Cheers,
david (links to my resume at http://www.catwhisker.org/~david)
--
David H. Wolfskill david@catwhisker.org
Based on my experience as a computing professional, I consider the use of
Microsoft products as components of computing systems to be just as
advisable as using green wood to frame a house... and expect similar
results.

From owner-freebsd-security Thu Apr 18 10:49:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 7CB6937B404 for ; Thu, 18 Apr 2002 10:49:47 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA18011; Thu, 18 Apr 2002 11:49:31 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 11:49:24 -0600
To: nate@yogotech.com (Nate Williams)
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: Christopher Schulte , security@FreeBSD.ORG
In-Reply-To: <15550.62541.903626.398637@caddis.yogotech.com>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 10:29 AM 4/18/2002, Nate Williams wrote:

>Who said anything about building it every night?

Many people are suggesting that one CVSup every night.

>> Nor is downloading a random snapshot. (Which one can't seem to do
>> anyway these days; releng4.freebsd.org is refusing
>
>Who said anything about a 'random' snapshot. Pick the snapshot that has
>the fix applied (using the date), and build it.

How does one know that there isn't a system-crashing bug in some other
part of the tree for the same date? What's needed is not just the
snapshot that happened to be available that day (or today) but one
that's known to be reasonably stable. Remember, a snapshot of -STABLE
taken on a random day is not guaranteed even to boot!

>There is. Download the 'random snapshot' using the RELENG_4_5 tag.

>All I see from you is a lot of bitching about how the FreeBSD project
>didn't hold your hand tight enough

Not true at all. What administrators using FreeBSD need is not
"hand-holding" but a way to upgrade to a known good snapshot.
Not necessarily the absolute latest, but one with the needed
patches which others have seen to work.

>and have a developer show up on your
>doorstep to install and verify every single version of FreeBSD you use.

I'm a developer myself, and therefore understand the value of testing.
It should be possible to get a snapshot ("patch level N," or whatever)
which one knows that others have tried and have found to work. As an
administrator, you should want this too.

--Brett Glass

From owner-freebsd-security Thu Apr 18 10:51:40 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id B38D137B404 for ; Thu, 18 Apr 2002 10:51:32 -0700 (PDT)
Received: from caddis.yogotech.com (caddis.yogotech.com [206.127.123.130]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA27544; Thu, 18 Apr 2002 11:51:28 -0600 (MDT) (envelope-from nate@yogotech.com)
Received: (from nate@localhost) by caddis.yogotech.com (8.11.6/8.11.6) id g3IHpPa25838; Thu, 18 Apr 2002 11:51:25 -0600 (MDT) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15551.1949.581870.277391@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 11:51:25 -0600
To: Brett Glass
Cc: David Wolfskill , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)
[ Another 'clue-by-four' that Brett can ignore again ]

> >If you have systems that are that important to you -- and I do, even
> >here at home -- then acquire a machine to do the builds, and then use
> >some method other than "build in place" to install the result.
>
> That's not sufficient to ensure that you didn't pick the wrong time
> to take a snapshot. Production machines must run a known good
> snapshot.

Pray tell who is going to verify that a snapshot is both 'known and good'?

Simply applying security patches doesn't (necessarily) qualify as giving
you your requirement, so if you are truly concerned about your production
systems, you'll need to test *any* changes made to them either on the
system (and take the risk that it won't work), or set up a system like
David says and do your testing/verification process on a scratch system.

This ain't rocket science here....

Nate

From owner-freebsd-security Thu Apr 18 10:54:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 5112137B404 for ; Thu, 18 Apr 2002 10:54:44 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA18135; Thu, 18 Apr 2002 11:54:35 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418115015.021cc7d0@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 11:54:28 -0600
To: David Wolfskill , david@catwhisker.org, schulte+freebsd@nospam.schulte.org, security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <200204181747.g3IHlDiq029335@bunrab.catwhisker.org>
References: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 11:47 AM 4/18/2002, David Wolfskill wrote:

>So build yourself a "snapshot" that suits you; test it according to the
>needs of *your* environment. If you are unwilling/unable to do so,
>arrange for someone else to do it for you.

Neither is as effective as sharing information about the quality of
a snapshot among a large pool of administrators and testers. If this
is not done, the snapshot won't be tested under a sufficient variety
of conditions to flush out problems.

> It's possible that someone
>would volunteer to expend his or her time and other resources to do this
>for you for free, out of gratitude for something, or some such thing;

How about a group of volunteers who do it for their mutual benefit?
Sort of like some software projects I've heard of.... Gee, their
names seem to be escaping me at the moment.
;-)

--Brett

From owner-freebsd-security Thu Apr 18 10:56:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [216.150.202.147]) by hub.freebsd.org (Postfix) with SMTP id 4A2CB37B419 for ; Thu, 18 Apr 2002 10:56:47 -0700 (PDT)
Received: (qmail 30019 invoked by uid 1000); 18 Apr 2002 17:54:48 -0000
Date: Thu, 18 Apr 2002 13:54:48 -0400
From: Jamie Norwood
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418135448.A29869@mushhaven.net>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <15550.62541.903626.398637@caddis.yogotech.com> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5.1i
In-Reply-To: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>; from brett@lariat.org on Thu, Apr 18, 2002 at 11:49:24AM -0600

On Thu, Apr 18, 2002 at 11:49:24AM -0600, Brett Glass wrote:
>
> How does one know that there isn't a system-crashing bug in some other
> part of the tree for the same date? What's needed is not just the
> snapshot that happened to be available that day (or today) but one
> that's known to be reasonably stable. Remember, a snapshot of -STABLE
> taken on a random day is not guaranteed even to boot!

It sounds like you want releng_4_5. This is -RELEASE with security updates.
It is pretty unchanging, and never gets feature updates, so will always
be the same as -RELEASE, only more secure.

> >There is. Download the 'random snapshot' using the RELENG_4_5 tag.
> >All I see from you is a lot of bitching about how the FreeBSD project
> >didn't hold your hand tight enough
>
> Not true at all. What administrators using FreeBSD need is not
> "hand-holding" but a way to upgrade to a known good snapshot.
> Not necessarily the absolute latest, but one with the needed
> patches which others have seen to work.

This is RELENG_4_5. What are you looking for that it does not
provide? Administrators HAVE 'a way to upgrade to a known good snapshot.'

> >and have a developer show up on your
> >doorstep to install and verify every single version of FreeBSD you use.
>
> I'm a developer myself, and therefore understand the value of testing.
> It should be possible to get a snapshot ("patch level N," or whatever)
> which one knows that others have tried and have found to work. As an
> administrator, you should want this too.

We do. And we have it. I fail to see what you want that is not
already provided.
Jamie

> --Brett Glass

From owner-freebsd-security Thu Apr 18 10:59:43 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 4FAF137B400 for ; Thu, 18 Apr 2002 10:59:33 -0700 (PDT)
Received: from caddis.yogotech.com (caddis.yogotech.com [206.127.123.130]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id LAA27660; Thu, 18 Apr 2002 11:59:29 -0600 (MDT) (envelope-from nate@yogotech.com)
Received: (from nate@localhost) by caddis.yogotech.com (8.11.6/8.11.6) id g3IHxQM25915; Thu, 18 Apr 2002 11:59:26 -0600 (MDT) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15551.2430.223189.820500@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 11:59:26 -0600
To: Brett Glass
Cc: nate@yogotech.com (Nate Williams), Christopher Schulte , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)

> >Who said anything about building it every night?
>
> Many people are suggesting that one CVSup every night.

How is doing a CVSup and building a release related? You can build a
system every night and never do a build? You can do a build every night
and never do a CVSup?
They are completely unrelated operations.

> >> Nor is downloading a random snapshot. (Which one can't seem to do
> >> anyway these days; releng4.freebsd.org is refusing
> >
> >Who said anything about a 'random' snapshot. Pick the snapshot that has
> >the fix applied (using the date), and build it.
>
> How does one know that there isn't a system-crashing bug in some other
> part of the tree for the same date?

How do you know that the patch doesn't cause your system to crash,
because of the special circumstances in your setup that weren't seen
previously?

> What's needed is not just the snapshot that happened to be available
> that day (or today) but one that's known to be reasonably
> stable. Remember, a snapshot of -STABLE taken on a random day is not
> guaranteed even to boot!

Except, a snapshot of RELENG_4_[2345] *is* guaranteed to both boot, and
contain minimal changes (security only), in as much as you get *any*
guarantee from any vendor.

> >There is. Download the 'random snapshot' using the RELENG_4_5 tag.
> >All I see from you is a lot of bitching about how the FreeBSD project
> >didn't hold your hand tight enough
>
> Not true at all. What administrators using FreeBSD need is not
> "hand-holding" but a way to upgrade to a known good snapshot.

Many folks have provided you with ample ways to get a known/good
snapshot. You simply refuse to use them.

> Not necessarily the absolute latest, but one with the needed
> patches which others have seen to work.

See above. That *is*

> >and have a developer show up on your
> >doorstep to install and verify every single version of FreeBSD you use.
>
> I'm a developer myself, and therefore understand the value of testing.
> It should be possible to get a snapshot ("patch level N," or whatever)
> which one knows that others have tried and have found to work. As an
> administrator, you should want this too.
And I do on those systems, but apparently I have more of a clue than you
do, since I don't find it at all a problem to follow the advice given by
many people who've contributed to this thread (and similar threads
you've raised in the past.)

There are at least two active *branches* in FreeBSD, and a number of
semi-active branches.

Active:
- RELENG_4 (stable)
- HEAD (current)

Semi-active:
- RELENG_4_5 (security patches to FreeBSD4.5)
- RELENG_4_4 (security patches to FreeBSD4.5)
- RELENG_4_3 (security patches to FreeBSD4.5)

Less-active:
- RELENG_3
- RELENG_2

If you want a *completely* stable release without bad patches (to the
best of the ability of the developers), and you are running a system
based on FreeBSD 4.[345], then grab the RELENG_4_[345] branch, which is
the exact same code as the releases plus security patches.

This is all laid out in the security advisories, which apparently you
actually don't completely read.

Nate

From owner-freebsd-security Thu Apr 18 11: 0:47 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id E9B9E37B42A for ; Thu, 18 Apr 2002 11:00:23 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA18244; Thu, 18 Apr 2002 12:00:13 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 12:00:07 -0600
To: nate@yogotech.com (Nate Williams)
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: David Wolfskill , security@FreeBSD.ORG
In-Reply-To: <15551.1949.581870.277391@caddis.yogotech.com>
References: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 11:51 AM 4/18/2002, Nate Williams wrote:

>Pray tell who is going to verify that a snapshot is both 'known and good'?

That's not "known and good" -- it's "known TO BE good."

>Simply applying security patches doesn't (necessarily) qualify as giving
>you your requirement,

Not if the version being used has also been altered in other ways.

>This ain't rocket science here....

No, it's not. Other open source projects issue periodic "patch level N"
snapshots between releases. If a significant security event occurs,
FreeBSD should as well. Pick a snapshot after the fixes have gone in,
test it, and post it as the next patch level... one that's a relatively
safe bet for an admin to upgrade to.

In other words, you should be able to go to the download site and
actually find a build labeled FreeBSD 4.5-RELEASE-p3.
--Brett

From owner-freebsd-security Thu Apr 18 11: 0:49 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id CDD8937B400 for ; Thu, 18 Apr 2002 11:00:14 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 5CD474C; Thu, 18 Apr 2002 13:00:14 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.2/8.11.6) with ESMTP id g3II0E0G025102; Thu, 18 Apr 2002 13:00:14 -0500 (CDT) (envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost) by madman.nectar.cc (8.12.2/8.12.2/Submit) id g3II0BlS025101; Thu, 18 Apr 2002 13:00:11 -0500 (CDT)
Date: Thu, 18 Apr 2002 13:00:11 -0500
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: Nate Williams , Christopher Schulte , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418180011.GB24952@madman.nectar.cc>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/

On Thu, Apr 18, 2002 at 11:49:24AM -0600, Brett Glass wrote:
> How does one know that there isn't a system-crashing bug in some other
> part of the tree for the same date?
> What's needed is not just the
> snapshot that happened to be available that day (or today) but one
> that's known to be reasonably stable. Remember, a snapshot of -STABLE
> taken on a random day is not guaranteed even to boot!

I thought we were talking about the security branch. CVSup to RELENG_4_5
when an advisory comes out, and you are good to go.

That is what 4.5-RELEASE-p3 is, right now, by the way: RELENG_4_5 as of
the latest advisory.

> Not true at all. What administrators using FreeBSD need is not
> "hand-holding" but a way to upgrade to a known good snapshot.
> Not necessarily the absolute latest, but one with the needed
> patches which others have seen to work.

That is what RELENG_4_? is for.

> I'm a developer myself, and therefore understand the value of testing.
> It should be possible to get a snapshot ("patch level N," or whatever)
> which one knows that others have tried and have found to work. As an
> administrator, you should want this too.

There is. What's the problem?

--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Apr 18 11: 2:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ns.yogotech.com (ns.yogotech.com [206.127.123.66]) by hub.freebsd.org (Postfix) with ESMTP id 8812637B42B for ; Thu, 18 Apr 2002 11:02:40 -0700 (PDT)
Received: from caddis.yogotech.com (caddis.yogotech.com [206.127.123.130]) by ns.yogotech.com (8.9.3/8.9.3) with ESMTP id MAA27732; Thu, 18 Apr 2002 12:02:38 -0600 (MDT) (envelope-from nate@yogotech.com)
Received: (from nate@localhost) by caddis.yogotech.com (8.11.6/8.11.6) id g3II2b225974; Thu, 18 Apr 2002 12:02:37 -0600 (MDT) (envelope-from nate)
From: Nate Williams
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <15551.2621.764783.518524@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 12:02:37 -0600
To: Brett Glass
Cc: nate@yogotech.com (Nate Williams), David Wolfskill , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
References: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
X-Mailer: VM 6.96 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid
Reply-To: nate@yogotech.com (Nate Williams)

> >Pray tell who is going to verify that a snapshot is both 'known and good'?
>
> That's not "known and good" -- it's "known TO BE good."

Same thing. If it's good, and you have no way of getting the same
snapshot it doesn't help you.
> >Simply applying security patches doesn't (necessarily) qualify as giving
> >you your requirement,
>
> Not if the version being used has also been altered in other ways.

Sure it does. The security patch could break your running system,
because it may not have been tested in your exact configuration, on your
exact hardware.

> >This ain't rocket science here....
>
> No, it's not. Other open source projects issue periodic "patch level N"
> snapshots between releases.

As does FreeBSD, if you'd get your head out of your butt and use it.

Nate

From owner-freebsd-security Thu Apr 18 11: 3: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 401A437B405 for ; Thu, 18 Apr 2002 11:02:48 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 88E3B6A; Thu, 18 Apr 2002 13:02:47 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.2/8.11.6) with ESMTP id g3II2l0G025111; Thu, 18 Apr 2002 13:02:47 -0500 (CDT) (envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost) by madman.nectar.cc (8.12.2/8.12.2/Submit) id g3II2kOZ025110; Thu, 18 Apr 2002 13:02:46 -0500 (CDT)
Date: Thu, 18 Apr 2002 13:02:46 -0500
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: Nate Williams , David Wolfskill , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418180246.GC24952@madman.nectar.cc>
References: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/

On Thu, Apr 18, 2002 at 12:00:07PM -0600, Brett Glass wrote:
> No, it's not. Other open source projects issue periodic "patch level N"
> snapshots between releases. If a significant security event occurs,
> FreeBSD should as well.

Clearly you are not paying attention. Please stop wasting everyone's
time (again).

--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Apr 18 11: 6:50 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 4174B37B400 for ; Thu, 18 Apr 2002 11:06:41 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA18346; Thu, 18 Apr 2002 12:06:34 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 12:06:28 -0600
To: Jamie Norwood , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418135448.A29869@mushhaven.net>
References: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <15550.62541.903626.398637@caddis.yogotech.com> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 11:54 AM 4/18/2002, Jamie Norwood wrote:

>> Not true at all. What administrators using FreeBSD need is not
>> "hand-holding" but a way to upgrade to a known good snapshot.
>> Not necessarily the absolute latest, but one with the needed
>> patches which others have seen to work.
>
>This is RELENG_4_5. What are you looking for that it does not
>provide?

This is a CVS tag, not a build. Also, what you get when you
bring it in will change over time, so you can't easily answer
the question, "What patch level is this server running?"
What's needed is builds either from this or from -STABLE
(with testing to make sure nothing's broken) that one can
download and install without recompiling the world. With
numbers such that one can say, "This server is at -p3 and
a new security hole was found.... I'll upgrade to -p4 tonight."
Simple, convenient, and likely to work without fuss, so that
we can install the build and get back to more important things,
like developing code.
--Brett

From owner-freebsd-security Thu Apr 18 11: 9:54 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 32D5E37B400 for ; Thu, 18 Apr 2002 11:09:50 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA18397; Thu, 18 Apr 2002 12:09:38 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 12:09:32 -0600
To: nate@yogotech.com (Nate Williams)
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: nate@yogotech.com (Nate Williams), David Wolfskill , security@FreeBSD.ORG
In-Reply-To: <15551.2621.764783.518524@caddis.yogotech.com>
References: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

At 12:02 PM 4/18/2002, Nate Williams wrote:

>> No, it's not. Other open source projects issue periodic "patch level N"
>> snapshots between releases.
>
>As does FreeBSD, if you'd get your head out of your butt and use it.

No, it doesn't. It only offers a CVS tag, not a build. You do
understand the difference?
--Brett

From owner-freebsd-security Thu Apr 18 11:16: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from rhadamanth.submonkey.net (pc4-card4-0-cust162.cdf.cable.ntl.com [80.4.14.162]) by hub.freebsd.org (Postfix) with ESMTP id E669637B400 for ; Thu, 18 Apr 2002 11:16:02 -0700 (PDT)
Received: from setantae by rhadamanth.submonkey.net with local (Exim 3.35 #1) id 16yGRl-0001jW-00; Thu, 18 Apr 2002 19:15:53 +0100
Date: Thu, 18 Apr 2002 19:15:53 +0100
From: Ceri Davies
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418181553.GA6453@submonkey.net>
References: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <15550.62541.903626.398637@caddis.yogotech.com> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org> <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org>
User-Agent: Mutt/1.3.28i

On Thu, Apr 18, 2002 at 12:06:28PM -0600, Brett Glass wrote:
> At 11:54 AM 4/18/2002, Jamie Norwood wrote:
>
> >> Not true at all. What administrators using FreeBSD need is not
> >> "hand-holding" but a way to upgrade to a known good snapshot.
> >> Not necessarily the absolute latest, but one with the needed
> >> patches which others have seen to work.
> >
> >This is RELENG_4_5. What are you looking for that it does not
> >provide?
> > This is a CVS tag, not a build. Also, what you get when you > bring it in will change over time, so you can't easily answer > the question, "What patch level is this server running?" That's not a bad point. Any reason why newvers.sh can't be change to do this in RELENG_4 ? Ceri -- get the cool shoe shine To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 18 11:17:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from web14201.mail.yahoo.com (web14201.mail.yahoo.com [216.136.172.143]) by hub.freebsd.org (Postfix) with SMTP id 3E66E37B420 for ; Thu, 18 Apr 2002 11:17:45 -0700 (PDT) Message-ID: <20020418181744.45846.qmail@web14201.mail.yahoo.com> Received: from [152.163.190.1] by web14201.mail.yahoo.com via HTTP; Thu, 18 Apr 2002 11:17:44 PDT Date: Thu, 18 Apr 2002 11:17:44 -0700 (PDT) From: Jon Bergfeld Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip To: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org look, the existing process seems to work fine for everyone else, so if you want a new way to upgrade, develop it yourself. now stop trolling and let's move on. --- Brett Glass wrote: > At 11:54 AM 4/18/2002, Jamie Norwood wrote: > > >> Not true at all. What administrators using FreeBSD need is not > >> "hand-holding" but a way to upgrade to a known good snapshot. > >> Not necessarily the absolute latest, but one with the needed > >> patches which others have seen to work. > > > >This is RELENG_4_5. What are you looking for that it does not > >provide? > > This is a CVS tag, not a build. 
Also, what you get when you > bring it in will change over time, so you can't easily answer > the question, "What patch level is this server running?" > What's needed is builds either from this or from -STABLE > (with testing to make sure nothing's broken) that one can > download and install without recompiling the world. With > numbers such that one can say, "This server is at -p3 and > a new security hole was found.... I'll upgrade to -p4 tonight." > Simple, convenient, and likely to work without fuss, so that > we can install the build and get back to more important things, > like developing code. > > --Brett > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message __________________________________________________ Do You Yahoo!? Yahoo! Tax Center - online filing with TurboTax http://taxes.yahoo.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 18 11:22:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 5557D37B41B for ; Thu, 18 Apr 2002 11:22:25 -0700 (PDT) Received: by peitho.fxp.org (Postfix, from userid 1501) id A3D3F13667; Thu, 18 Apr 2002 14:22:18 -0400 (EDT) Date: Thu, 18 Apr 2002 14:22:18 -0400 From: Chris Faulhaber To: Brett Glass Cc: Nate Williams , David Wolfskill , security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <20020418182218.GA35672@peitho.fxp.org> References: <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; 
In-Reply-To: <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org>

On Thu, Apr 18, 2002 at 12:09:32PM -0600, Brett Glass wrote:
> At 12:02 PM 4/18/2002, Nate Williams wrote:
>
> >> No, it's not. Other open source projects issue periodic "patch level N"
> >> snapshots between releases.
> >
> >As does FreeBSD, if you'd get your head out of your butt and use it.
>
> No, it doesn't. It only offers a CVS tag, not a build. You do understand
> the difference?
>

ftp://snapshots.jp.freebsd.org/pub/FreeBSD/releases/i386/4.5-RELEASE-p3/

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Thu Apr 18 11:23:21 2002
From: Ceri Davies
To: security@FreeBSD.org
Date: Thu, 18 Apr 2002 19:22:46 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418182246.GA6731@submonkey.net>
In-Reply-To: <20020418181553.GA6453@submonkey.net>

On Thu, Apr 18, 2002 at 07:15:53PM +0100, Ceri Davies wrote:
> On Thu, Apr 18, 2002 at 12:06:28PM -0600, Brett Glass wrote:
> > At 11:54 AM 4/18/2002, Jamie Norwood wrote:
> >
> > >> Not true at all. What administrators using FreeBSD need is not
> > >> "hand-holding" but a way to upgrade to a known good snapshot.
> > >> Not necessarily the absolute latest, but one with the needed
> > >> patches which others have seen to work.
> > >
> > >This is RELENG_4_5. What are you looking for that it does not
> > >provide?
> >
> > This is a CVS tag, not a build. Also, what you get when you
> > bring it in will change over time, so you can't easily answer
> > the question, "What patch level is this server running?"
>
> That's not a bad point.
> Any reason why newvers.sh can't be changed to do this in RELENG_4 ?

I meant RELENG_4_[0-9].
Ceri

--
get the cool shoe shine

From owner-freebsd-security Thu Apr 18 11:25:54 2002
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Thu, 18 Apr 2002 11:25:22 -0700 (PDT)
Subject: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]
Message-Id: <200204181825.g3IIPM478984@freefall.freebsd.org>

=============================================================================
FreeBSD-SA-02:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          zlib double-free

Category:       core, ports
Module:         zlib
Announced:      2002-03-18
Credits:        Matthias Clasen
                Owen Taylor
Affects:        All released versions of FreeBSD
                FreeBSD 4.5-STABLE prior to the correction date
                Various ports using or including zlib
Corrected:      2002-02-24 23:12:48 UTC (RELENG_4)
                2002-02-24 23:22:57 UTC (RELENG_4_5)
                2002-02-24 23:23:58 UTC (RELENG_4_4)
                2002-02-24 23:24:46 UTC (RELENG_4_3)
CVE:            CAN-2002-0059
FreeBSD only:   NO

0.   Revision History

v1.0  2002-04-20  Initial release
v1.1  2002-04-25  Corrected ZFREE location in kernel patch
                  Corrected deflate window size check

I.   Background

zlib is a compression library used by numerous applications to provide
data compression/decompression routines.

II.  Problem Description

A programming error in zlib may cause segments of dynamically allocated
memory to be released more than once (double-freed). If an attacker is
able to pass a specially-crafted block of invalid compressed data to a
program that includes zlib, the program's attempt to decompress the
crafted data may cause the zlib routines to attempt to free memory
multiple times.

Unlike some implementations of malloc(3)/free(3), the malloc(3) and
free(3) routines used in FreeBSD (aka phkmalloc, written by Poul-Henning
Kamp) are not vulnerable to this type of bug. From the author:

  Most mallocs keep their housekeeping data right next to the allocated
  range. This gives rise to all sorts of unpleasant situations if
  programs stray outside the dotted line, free(3) things twice or
  free(3) modified pointers. phkmalloc(3) does not store housekeeping
  next to allocated data, and in particular it has code that detects and
  complains about exactly this kind of double free.

When attempting to double-free an area of memory, phkmalloc will issue a
warning:

  progname in free(): error: chunk is already free

and may call abort(3) if the malloc flag 'A' is used.

III. Impact

If an attacker is able to pass a specially-crafted block of invalid
compressed data to an application that utilizes zlib, the attempt to
decompress the data may cause incorrect operation of the application,
including possibly crashing the application. Also, the malloc
implementation will issue warnings and, if the `A' malloc option is
used, cause the application to abort(3).

In short, an attacker may cause a denial of service in applications
utilizing zlib.

IV.  Workaround

To prevent affected programs from aborting, remove the 'A' from the
malloc flags. To check which malloc flags are in use, issue the
following commands:

  # ls -l /etc/malloc.conf
  # echo $MALLOC_OPTIONS

A nonexistent /etc/malloc.conf or MALLOC_OPTIONS environment variable
means that no malloc flags are in use. See the malloc(3) man page for
more information.

V.   Solution

[FreeBSD 4.x base system]

1) Upgrade your vulnerable system to 4.5-STABLE or to one of the
RELENG_4_4 or RELENG_4_5 security branches dated after the respective
correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

For FreeBSD 4.x systems that have the previous zlib patch applied:

  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch
  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.corrected.patch.asc

For FreeBSD 4.x systems that do not have the previous zlib patch applied:

  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch
  # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:18/zlib.v1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

This patch has been verified to apply to all FreeBSD 4.x versions.

  # cd /usr/src
  # patch -p < /path/to/patch
  # cd lib/libz
  # make depend && make all install

Then rebuild and reinstall your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the system
with the new kernel for the changes to take effect.

[ports]

Various ports may statically link zlib or contain their own versions of
zlib that have not been corrected by updating the FreeBSD libz. Efforts
are underway to identify and correct these ports.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                        Branch        Revision
--------------------------------------------------
src/lib/libz/deflate.c      RELENG_4      1.5.2.1
                            RELENG_4_5    1.5.8.1
                            RELENG_4_4    1.5.6.1
                            RELENG_4_3    1.5.4.1
src/lib/libz/infblock.c     RELENG_4      1.1.1.4.6.1
                            RELENG_4_5    1.1.1.4.12.1
                            RELENG_4_4    1.1.1.4.10.1
                            RELENG_4_3    1.1.1.4.8.1
src/sys/net/zlib.c          RELENG_4      1.10.2.3
                            RELENG_4_5    1.10.8.2
                            RELENG_4_4    1.10.6.2
                            RELENG_4_3    1.10.4.2
--------------------------------------------------

VII. References

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2002-0059 to this issue.

From owner-freebsd-security Thu Apr 18 11:28:13 2002
From: Garance A Drosihn
To: Brett Glass
Cc: security@FreeBSD.ORG
Date: Thu, 18 Apr 2002 14:27:23 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org>

At 12:09 PM -0600 4/18/02, Brett Glass wrote:
>At 12:02 PM 4/18/2002, Nate Williams wrote:
>
> >> No, it's not. Other open source projects issue periodic
> >> "patch level N" snapshots between releases.
> >
> > As does FreeBSD, if you'd get your head out of your butt
> > and use it.
>
>No, it doesn't. It only offers a CVS tag, not a build. You do
>understand the difference?

It is a cvs branch, not just a random tag.

If you're saying you want a pre-built ISO which will do a
complete system install of a given security-patch, then the
answer is "we do not currently have the resources to do that".

--
Garance Alistair Drosehn            =   gad@eclipse.acs.rpi.edu
Senior Systems Programmer           or  gad@freebsd.org
Rensselaer Polytechnic Institute    or  drosih@rpi.edu

From owner-freebsd-security Thu Apr 18 11:38:13 2002
From: Chris BeHanna
To: FreeBSD Security
Date: Thu, 18 Apr 2002 14:28:25 -0400 (EDT)
Subject: Tested Snapshots
Message-ID: <20020418142656.D53965-100000@topperwein.dyndns.org>
In-Reply-To: <4.3.2.7.2.20020418115015.021cc7d0@nospam.lariat.org>

On Thu, 18 Apr 2002, Brett Glass wrote:
> At 11:47 AM 4/18/2002, David Wolfskill wrote:
>
> >So build yourself a "snapshot" that suits you; test it according to the
> >needs of *your* environment. If you are unwilling/unable to do so,
> >arrange for someone else to do it for you.
>
> Neither is as effective as sharing information about the quality
> of a snapshot among a large pool of administrators and testers.

Hmm...RELENG_4_5

Hmm...security@freebsd.org

Looks like your requirements have been met.

--
Chris BeHanna
http://www.pennasoft.com

From owner-freebsd-security Thu Apr 18 11:39:20 2002
From: Dawid Chrzan
To: freebsd-security@FreeBSD.org
Date: Thu, 18 Apr 2002 20:05:07 +0200 (CEST)
Subject: Re: Problem FreeBSD-SA-02:21.tcpip
Message-ID: <20020418200238.G813-100000@legvan.pszczyna.net.pl>
In-Reply-To: <200204181553.g3IFreNo011846@intruder.bmah.org>

On Thu, 18 Apr 2002, Bruce A. Mah wrote:
>
> If you read the advisory carefully, you will see that it does not apply
> to 4.4-RELEASE. Problem solved. :-)
>

Yhm.., yeap. You are right. My lack of carefulness.
Backups are being untarred now..

Dawid Chrzan
Net/Sys Admin - pszczyna.net.pl
mailto:qba@pszczyna.net.pl

From owner-freebsd-security Thu Apr 18 11:42:01 2002
From: Chris BeHanna
To: FreeBSD Security
Date: Thu, 18 Apr 2002 14:34:33 -0400 (EDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418143038.X53965-100000@topperwein.dyndns.org>
In-Reply-To: <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org>

On Thu, 18 Apr 2002, Brett Glass wrote:
> At 11:54 AM 4/18/2002, Jamie Norwood wrote:
>
> >> Not true at all. What administrators using FreeBSD need is not
> >> "hand-holding" but a way to upgrade to a known good snapshot.
> >> Not necessarily the absolute latest, but one with the needed
> >> patches which others have seen to work.
> >
> >This is RELENG_4_5. What are you looking for that it does not
> >provide?
>
> This is a CVS tag, not a build.
> Also, what you get when you
> bring it in will change over time, so you can't easily answer
> the question, "What patch level is this server running?"

uname -a

> What's needed is builds either from this or from -STABLE
> (with testing to make sure nothing's broken) that one can
> download and install without recompiling the world. With

With the number of custom kernels running out there, and the number of
different combinations of hardware out there, this is not feasible. The
best you could hope for is a page somewhere that has submissions from
people of "I'm running X here with Y kernel config with Z hardware
combination and it seems to be OK."

You might get a pre-built world somewhere with a GENERIC kernel that you
could download, but that's it. The snapshot server in Japan has binaries
that you can use to patch your system, but even it will not have any of
your local customizations.

> numbers such that one can say, "This server is at -p3 and
> a new security hole was found.... I'll upgrade to -p4 tonight."
> Simple, convenient, and likely to work without fuss, so that
> we can install the build and get back to more important things,
> like developing code.

That's exactly what RELENG_4_5 is for. If there's a hole in -p3, then
-p4 will have the fix for that hole, AND ONLY THAT FIX, in addition to
whatever was in -p3.
--
Chris BeHanna
http://www.pennasoft.com

From owner-freebsd-security Thu Apr 18 11:45:27 2002
From: "DiCioccio, Jason"
To: 'Jon Bergfeld', security@FreeBSD.ORG
Date: Thu, 18 Apr 2002 11:35:31 -0700
Subject: RE: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <657B20E93E93D4118F9700D0B73CE3EA02FFF538@goofy.epylon.lan>

Give me a break, he's not trolling, he's making a valid point. Perhaps
some of the current FTP mirrors could mirror the releng_4_[0-9] snapshots
currently on ftp://snapshots.jp.freebsd.org (as Chris Faulhaber posted).
The snapshots are being made nonetheless though, so it looks like this
might be the answer to his problem/question.

Cheers,
-JD-

-----Original Message-----
From: Jon Bergfeld [mailto:jbergfel@yahoo.com]
Sent: Thursday, April 18, 2002 11:18 AM
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Look, the existing process seems to work fine for everyone else, so if
you want a new way to upgrade, develop it yourself. Now stop trolling
and let's move on.

--- Brett Glass wrote:
> At 11:54 AM 4/18/2002, Jamie Norwood wrote:
>
> >> Not true at all. What administrators using FreeBSD need is not
> >> "hand-holding" but a way to upgrade to a known good snapshot.
> >> Not necessarily the absolute latest, but one with the needed
> >> patches which others have seen to work.
> >
> >This is RELENG_4_5. What are you looking for that it does not
> >provide?
>
> This is a CVS tag, not a build. Also, what you get when you
> bring it in will change over time, so you can't easily answer
> the question, "What patch level is this server running?"
> What's needed is builds either from this or from -STABLE
> (with testing to make sure nothing's broken) that one can
> download and install without recompiling the world. With
> numbers such that one can say, "This server is at -p3 and
> a new security hole was found.... I'll upgrade to -p4 tonight."
> Simple, convenient, and likely to work without fuss, so that
> we can install the build and get back to more important things,
> like developing code.
>
> --Brett

From owner-freebsd-security Thu Apr 18 11:47:01 2002
From: Bryan Fullerton
To: freebsd-security@freebsd.org
Date: Thu, 18 Apr 2002 14:43:17 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]
Message-Id: <25F0DB96-52FC-11D6-BD20-000393013B04@samurai.com>
In-Reply-To: <200204181825.g3IIPM478984@freefall.freebsd.org>

On Thursday, April 18, 2002, at 02:25 PM, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-02:18                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          zlib double-free
>
> Category:       core, ports
> Module:         zlib
> Announced:      2002-03-18

[snip]

> 0.
> Revision History
>
> v1.0  2002-04-20  Initial release
> v1.1  2002-04-25  Corrected ZFREE location in kernel patch
>                   Corrected deflate window size check

These dates are in the future - perhaps 2002-03-##?

Bryan

From owner-freebsd-security Thu Apr 18 11:53:29 2002
From: Ceri Davies
To: security@FreeBSD.org
Date: Thu, 18 Apr 2002 19:48:08 +0100
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418184808.GA7729@submonkey.net>
In-Reply-To: <20020418182246.GA6731@submonkey.net>

On Thu, Apr 18, 2002 at 07:22:46PM +0100, Ceri Davies wrote:
> On Thu, Apr 18, 2002 at 07:15:53PM +0100, Ceri Davies wrote:
> > On Thu, Apr 18, 2002 at 12:06:28PM -0600, Brett Glass wrote:
> > > At 11:54 AM 4/18/2002, Jamie Norwood wrote:
> > >
> > > >> Not true at all. What administrators using FreeBSD need is not
> > > >> "hand-holding" but a way to upgrade to a known good snapshot.
> > > >> Not necessarily the absolute latest, but one with the needed
> > > >> patches which others have seen to work.
> > > >
> > > >This is RELENG_4_5. What are you looking for that it does not
> > > >provide?
> > >
> > > This is a CVS tag, not a build. Also, what you get when you
> > > bring it in will change over time, so you can't easily answer
> > > the question, "What patch level is this server running?"
> >
> > That's not a bad point.
> > Any reason why newvers.sh can't be changed to do this in RELENG_4 ?
>
> I meant RELENG_4_[0-9].

And it already does get changed.

/me considers unsubscribing ... :)

Ceri

--
get the cool shoe shine

From owner-freebsd-security Thu Apr 18 11:55:29 2002
From: "Bruce A. Mah"
Reply-To: bmah@FreeBSD.ORG
To: Ceri Davies
Cc: security@FreeBSD.ORG
Date: Thu, 18 Apr 2002 11:48:15 -0700
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-Id: <200204181848.g3IImFIj016026@intruder.bmah.org>
In-reply-to: <20020418182246.GA6731@submonkey.net>

If memory serves me right, Ceri Davies wrote:
> > Any reason why newvers.sh can't be changed to do this in RELENG_4 ?
>
> I meant RELENG_4_[0-9].

The SO team *does* change it...go see the commits to
src/sys/conf/newvers.sh. The patch levels are annotated in src/UPDATING.

Bruce.
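Brett's question above, "What patch level is this server running?", can be answered mechanically from the release string newvers.sh bakes into the kernel (what `uname -r` prints). The POSIX sh script below is an added example, not code from Bruce or anyone else in this thread; the fix table values such as 4.5:3 are constructed samples and are not taken from any advisory.

```sh
#!/bin/sh
# Added example, not code from anyone in this thread. It reads the release
# string that newvers.sh bakes into the kernel (what `uname -r` reports) and
# compares it with the first patch level carrying a fix, per security branch.
# Assumes the RELENG_4_x naming scheme discussed above: <base>-RELEASE-p<N>,
# with patch levels increasing monotonically on each branch.

# patch_level RELEASE_STRING -> prints N for <base>-RELEASE-pN,
#   0 for a bare -RELEASE (no -pN suffix), -1 for anything else
#   (-STABLE, -CURRENT, -RC...: a moving branch has no patch level).
patch_level() {
    case "$1" in
        *-RELEASE-p[0-9]*) printf '%s\n' "${1##*-p}" ;;
        *-RELEASE)         printf '%s\n' 0 ;;
        *)                 printf '%s\n' -1 ;;
    esac
}

# base_release RELEASE_STRING -> prints the base release, e.g. 4.5
base_release() {
    printf '%s\n' "${1%%-*}"
}

# check_host RELEASE_STRING "BASE:P BASE:P ..." -> prints one word:
#   ok          at or past the fixed patch level for its branch
#   vulnerable  on a listed branch but below the fixed patch level
#   unknown     not a -RELEASE-pN string, so -pN says nothing (consult
#               src/UPDATING and the commits to newvers.sh instead)
#   unsupported base release not listed in the fix table
# The fix table is a constructed sample in the advisories' shape
# ("fixed in 4.5-RELEASE-p3" becomes the entry 4.5:3).
check_host() {
    rel=$1; table=$2
    base=$(base_release "$rel"); p=$(patch_level "$rel")
    if [ "$p" -lt 0 ]; then
        printf 'unknown\n'; return 0
    fi
    for entry in $table; do
        if [ "${entry%%:*}" = "$base" ]; then
            if [ "$p" -ge "${entry#*:}" ]; then
                printf 'ok\n'
            else
                printf 'vulnerable\n'
            fi
            return 0
        fi
    done
    printf 'unsupported\n'
}

# Stand-alone use against the running kernel, e.g.:
#   ./patchlevel.sh "4.5:3 4.4:2"      (table values are constructed samples)
if [ "$#" -eq 1 ]; then
    rel=$(uname -r)
    printf '%s: %s\n' "$rel" "$(check_host "$rel" "$1")"
fi
```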
From owner-freebsd-security Thu Apr 18 11:57:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hex.databits.net (hex.csh.rit.edu [129.21.60.134]) by hub.freebsd.org (Postfix) with SMTP id 2A11237BC46 for ; Thu, 18 Apr 2002 11:49:52 -0700 (PDT)
Received: (qmail 24439 invoked by uid 1001); 18 Apr 2002 18:37:57 -0000
Date: Thu, 18 Apr 2002 14:37:57 -0400
From: Pete Fritchman
To: Ceri Davies
Cc: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418143757.B21321@databits.net>
References: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <15550.62541.903626.398637@caddis.yogotech.com> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org> <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org> <20020418181553.GA6453@submonkey.net> <20020418182246.GA6731@submonkey.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020418182246.GA6731@submonkey.net>; from setantae@submonkey.net on Thu, Apr 18, 2002 at 07:22:46PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

++ 18/04/02 19:22 +0100 - Ceri Davies:
| > > >This is RELENG_4_5. What are you looking for that it does not
| > > >provide?
| > >
| > > This is a CVS tag, not a build. Also, what you get when you
| > > bring it in will change over time, so you can't easily answer
| > > the question, "What patch level is this server running?"
| >
| > That's not a bad point.
| > Any reason why newvers.sh can't be changed to do this in RELENG_4 ?
|
| I meant RELENG_4_[0-9].

It does. For example, here are the updates for RELENG_4_5:

http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/newvers.sh?f=u&only_with_tag=RELENG_4_5&logsort=date

We are now at 4.5-RELEASE-p3. Answering the "What patch level is this server running?" question is as simple as running 'uname -r'.

--pete

-- 
Pete Fritchman [petef@(databits.net|freebsd.org|csh.rit.edu)]
finger petef@databits.net for PGP key

From owner-freebsd-security Thu Apr 18 11:58:46 2002
Delivered-To: freebsd-security@freebsd.org
Received: from 12-234-22-238.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by hub.freebsd.org (Postfix) with ESMTP id 690DE37BD9E for ; Thu, 18 Apr 2002 11:54:30 -0700 (PDT)
Received: from Master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-22-238.client.attbi.com (8.12.2/8.12.2) with ESMTP id g3IIsHHt037232 for ; Thu, 18 Apr 2002 11:54:17 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from Master.gorean.org (zoot [127.0.0.1]) by Master.gorean.org (8.12.2/8.12.2) with ESMTP id g3IIsJLr009317 for ; Thu, 18 Apr 2002 11:54:19 -0700 (PDT) (envelope-from DougB@FreeBSD.org)
Received: from localhost (doug@localhost) by Master.gorean.org (8.12.2/8.12.2/Submit) with ESMTP id g3IIsJHX009314 for ; Thu, 18 Apr 2002 11:54:19 -0700 (PDT)
X-Authentication-Warning: Master.gorean.org: doug owned process doing -bs
Date: Thu, 18 Apr 2002 11:54:19 -0700 (PDT)
From: Doug Barton
X-X-Sender: doug@master.gorean.org
To: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To:
Message-ID: <20020418115258.F9140-100000@master.gorean.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Guys,

There is no way to end this discussion with Brett agreeing with you. A cursory examination of the mail archives will show that this is one of his favorite hobby horses. I would suggest not wasting any more time on it.

Doug

From owner-freebsd-security Thu Apr 18 12: 5:21 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ralf.artlogix.com (sense-mcglk-240.oz.net [216.39.168.240]) by hub.freebsd.org (Postfix) with ESMTP id 19F6137B448 for ; Thu, 18 Apr 2002 12:04:41 -0700 (PDT)
Received: by ralf.artlogix.com (Postfix, from userid 1000) id 5E4C71B9C9F; Thu, 18 Apr 2002 12:08:14 -0700 (PDT)
To: Brett Glass
Cc: Christopher Schulte , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
From: Ken McGlothlen
Date: 18 Apr 2002 12:08:14 -0700
In-Reply-To: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
Message-ID: <87r8lcakpt.fsf@ralf.artlogix.com>
Lines: 79
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass writes:

| Alas, this is not an acceptable solution.
|
| I realize that many people use FreeBSD on non-mission-critical systems, or to
| tinker with, and can afford downtime. But we need to create and maintain
| production machines.
|
| I hope that you can understand that doing a CVSup and then rebuilding the
| world every night (slowing the system to a crawl in the process and creating
| a system which might or might not be 100% stable) is not an acceptable
| solution.

Actually, it's not as bad as it might seem. I suspect what's got you upset is the thought of having to do a make buildworld on every machine. I can tell you how to avoid that.

What I've done in the past is to use NFS to export /usr from my fastest machine. Let's assume you want to keep a Class C network at 192.168.3.0 updated.

/etc/exports:

    /usr -alldirs -maproot=0:10 -network 192.168.3 -mask 255.255.255.0

Then, on the machines you want to keep updated, you'd mount /usr/src and /usr/obj from that build machine.

Now, on the fast box, type

    # cd /usr/src
    # make buildworld

Churn, churn, churn. None of your production machines are impacted; only the fast box handling the build.

I should also note that you may want to move *all* your kernel configuration files over to the fast box, into /sys/i386/conf (if you're running x86/Pentium/AMD boxes).

Once the build is done, pick a machine you want to update. Let's assume it's called wibble, and its kernel configuration file is called WIBBLE.

On the fast box, type

    # make buildkernel KERNCONF=WIBBLE

Once that's done, go to Wibble, shut down the services on it (what you want to do is essentially bring it down to single-user mode, but still keep NFS running), and type the following:

    # cd /usr/src
      (Remember, that's the directory that actually resides on the fast box)
    # make installworld
      (Which installs the new operating system.)
    # make installkernel KERNCONF=WIBBLE
      (Which installs the new kernel.)
    # reboot

You should be done at this point with wibble. Next machine, wobble. Go to the fastbox and type

    # make buildkernel KERNCONF=WOBBLE

and when that's done, go to wobble and type

    # cd /usr/src
    # make installworld
    # make installkernel KERNCONF=WOBBLE
    # reboot

and so on.
You'll find that's a LOT faster than rebuilding the entire OS from source on each and every machine.

Hope that helps. If you have any questions . . . well, you know where to write. :)

From owner-freebsd-security Thu Apr 18 12: 7:57 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ralf.artlogix.com (sense-mcglk-240.oz.net [216.39.168.240]) by hub.freebsd.org (Postfix) with ESMTP id 04C7937B497 for ; Thu, 18 Apr 2002 12:07:26 -0700 (PDT)
Received: by ralf.artlogix.com (Postfix, from userid 1000) id 44C251B9C9F; Thu, 18 Apr 2002 12:11:01 -0700 (PDT)
To: Brett Glass
Cc: Christopher Schulte , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
From: Ken McGlothlen
Date: 18 Apr 2002 12:11:00 -0700
In-Reply-To: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
Message-ID: <87n0w0akl7.fsf@ralf.artlogix.com>
Lines: 13
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass writes:

| I hope that you can understand that doing a CVSup and then rebuilding the
| world every night [...]

One thing I forgot to mention. A rebuild every night generally isn't necessary. Some of those security advisories might not apply to you. Some of them are things you might not consider a serious danger to your site given your userbase. It's nice not to be forced to update on every advisory that comes out.
But if something *does* affect you, having an efficient way to update all the systems isn't such a bad thing.

From owner-freebsd-security Thu Apr 18 12: 8:56 2002
Delivered-To: freebsd-security@freebsd.org
Received: from hotmail.com (f175.law14.hotmail.com [64.4.21.175]) by hub.freebsd.org (Postfix) with ESMTP id 1AAF337B42A for ; Thu, 18 Apr 2002 12:08:48 -0700 (PDT)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Thu, 18 Apr 2002 12:08:47 -0700
Received: from 209.124.233.26 by lw14fd.law14.hotmail.msn.com with HTTP; Thu, 18 Apr 2002 19:08:47 GMT
X-Originating-IP: [209.124.233.26]
From: "William J. Borskey"
To: security@freebsd.org
Subject: libparanoia
Date: Thu, 18 Apr 2002 12:08:47 -0700
Mime-Version: 1.0
Content-Type: text/plain; format=flowed
Message-ID:
X-OriginalArrivalTime: 18 Apr 2002 19:08:47.0965 (UTC) FILETIME=[77DC88D0:01C1E70C]
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I recently installed the port "libparanoia" for protection against buffer overruns. I installed it with functionality added to libc. My question is: do I just do a make buildworld; make installworld; to secure my system or what? I checked out the main website for it but I didn't find much help.
_________________________________________________________________
Send and receive Hotmail on your mobile device: http://mobile.msn.com

From owner-freebsd-security Thu Apr 18 12:21: 7 2002
Delivered-To: freebsd-security@freebsd.org
Received: from ralf.artlogix.com (sense-mcglk-240.oz.net [216.39.168.240]) by hub.freebsd.org (Postfix) with ESMTP id 3B5CB37B41C for ; Thu, 18 Apr 2002 12:20:57 -0700 (PDT)
Received: by ralf.artlogix.com (Postfix, from userid 1000) id 80DE81B9C9F; Thu, 18 Apr 2002 12:24:31 -0700 (PDT)
To: Brett Glass
Cc: nate@yogotech.com (Nate Williams), Christopher Schulte , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
From: Ken McGlothlen
Date: 18 Apr 2002 12:24:31 -0700
In-Reply-To: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
Message-ID: <87it6oajyo.fsf@ralf.artlogix.com>
Lines: 44
User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley)
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Brett Glass writes:

| Many people are suggesting that one CVSup every night.

Which isn't an onerous thing to do, provided you're only doing it on one reference machine. I suspect most people only do the cvsup on demand, or weekly, or monthly, or whatever else.

| How does one know that there isn't a system-crashing bug in some other part
| of the tree for the same date?

Well, that's certainly a possibility.
However, patches made to -STABLE are tested pretty well prior to inclusion (which is why it's called -STABLE). In -CURRENT, you're kind of on your own, but a production shop shouldn't be running -CURRENT.

Even well-funded organizations such as Microsoft can't possibly test all combinations of hardware; Microsoft has occasionally released system updates that have caused widespread problems. The same can conceivably happen with FreeBSD, or any other operating system, for that matter.

The absolute best way to head off potential problems is this:

* Have all your machines running absolutely identical hardware.
* Designate one machine to be the FreeBSD -STABLE source reference.
* CVSup that one daily, nightly, weekly, whatever you like.
* Designate another machine to be the test box.
* Before installing a new version of FreeBSD or any kernels on a production machine, test it on your test box until you're reasonably sure that it will work on the production machine.

Now, this gets kind of expensive, because you have to make hardware upgrades across the entire range of machines at once (say, if a part croaks and it turns out they don't make that model anymore). But it's the only sure-fire way.

A more reasonable approach is to be aware that changes to the -STABLE branch are properly and reasonably pretested, widely installed, and any potential problems will be squished as soon as humanly possible. Pay attention to and evaluate all the security advisories on an individual basis, and try to run the same build across all the machines.

I should point out that I've been running FreeBSD since . . . uh . . . 1994 or 1995, and I've *never* had -STABLE produce a non-running system. Ever. I've developed a lot of faith in the -STABLE tree, and in the people in charge of it.

You might want to relax a little.
:)

From owner-freebsd-security Thu Apr 18 13:18:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id DA1F737B405 for ; Thu, 18 Apr 2002 13:18:44 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA20382; Thu, 18 Apr 2002 14:18:28 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 14:18:14 -0600
To: Jon Bergfeld , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418181744.45846.qmail@web14201.mail.yahoo.com>
References: <4.3.2.7.2.20020418120036.021ceb30@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:17 PM 4/18/2002, Jon Bergfeld wrote:

>look, the existing process seems to work fine for everyone else

Actually, it doesn't. And it really hurts evangelism and new adopters of FreeBSD. For example, here's a rough transcript of a conversation I recently had with an admin who wanted to put up a FreeBSD server.

Prospective user: FreeBSD sounds neat. How do I install it?

Me: Well, it's really easy. You just put in the first install floppy, boot the system, insert the second floppy when asked, and away you go. You can get the release floppies at ftp://www.freebsd.org/.

Prospective user: But I've heard that there were some security holes and bugs discovered since then.
How do I install a version with those problems fixed?

[What I'd like to say: Oh, that's simple. In the same directory you'll see 4.5-RELEASE, 4.5-RELEASE-p1, 4.5-RELEASE-p2, et cetera. Just get the floppies for the most recent one, and it will have all the critical fixes.

What I'd like to hear the prospective user say: This is great! I'm glad that FreeBSD lives up to its reputation for being easy to install.]

What I have to say now: That's not so simple. First, you have to install the last full release, bugs and all. Then, you have to use CVSup...

Prospective user: What's that?

Me: Well, it updates your source tree to include the latest fixes.

Prospective user: Source tree? I'm not ready to play with the source; I'm not familiar with the system yet, and I don't know what this CVSup thing is.

Me: Unfortunately, there's no other way to do it. You have to get the latest source, using the tag RELENG_4_5, and then do a "make world."

Prospective user: What's a tag? How do I use it? And what's a "make world?" And how do you find out the name "RELENG_4_5" if you don't know it already?

Me: Do you have about half an hour? I can teach you the basics of CVSup....

Prospective user: Naah, never mind. This is more complicated than I thought, and it's a lot more complicated than installing Red Hat and installing the latest RPMs to fix the bugs. I just wanted to download a version of the OS that's secure, but I don't have time to learn about all this stuff you're talking about right this minute. I guess I'll stick with {Win2K/Linux}.

(End of dialogue)

As you can see from the above, FreeBSD doesn't have a simple answer to a simple, reasonable question: "How can I *just install* FreeBSD with all of the latest security fixes on a new machine, without walking off of a conceptual cliff?" We need to address this. Not only would it help newcomers; it would also help admins who just want to do a quick, no-hassle upgrade that includes the latest security fixes.
We should NOT say, "the heck with them if they're not willing to learn all sorts of developer stuff on the spot." That's pointless elitism. And we shouldn't make it unreasonably hard for admins to update... or they might not do it. And then, when their systems are broken into, FreeBSD's reputation as a secure OS suffers.

--Brett Glass

From owner-freebsd-security Thu Apr 18 13:30:16 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 67DBB37B417 for ; Thu, 18 Apr 2002 13:30:01 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA20546; Thu, 18 Apr 2002 14:29:43 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418141843.021d1540@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 14:29:37 -0600
To: Chris Faulhaber
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: Nate Williams , David Wolfskill , security@FreeBSD.ORG
In-Reply-To: <20020418182218.GA35672@peitho.fxp.org>
References: <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:22 PM 4/18/2002, Chris Faulhaber wrote:
>ftp://snapshots.jp.freebsd.org/pub/FreeBSD/releases/i386/4.5-RELEASE-p3/

I've looked at this. It looks like the right idea. But:

1) It's halfway around the world, in Japan. Downloads can be quite slow. Why isn't it on the main FreeBSD FTP server and mirrors?

2) It's not documented anywhere -- not even on the Web page at http://snapshots.jp.freebsd.org/.

3) Is it really a "p3" build? Or is it a snapshot of -STABLE? It looks as if at least part of it (maybe all of it) is rebuilt every day.

--Brett

From owner-freebsd-security Thu Apr 18 13:35: 4 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 76E0C37B405; Thu, 18 Apr 2002 13:34:58 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA20624; Thu, 18 Apr 2002 14:34:52 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418143231.021d6840@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 14:34:47 -0600
To: Doug Barton , security@FreeBSD.ORG
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418115258.F9140-100000@master.gorean.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 12:54 PM 4/18/2002, Doug Barton wrote:

>There is no way to end this discussion with Brett agreeing with
>you.

Not true.
About the only thing I am sure to disagree with is an assertion to the effect that the problem does not exist (it plagues lots of folks!) or that it does not need to be fixed.

>A cursory examination of the mail archives will show that this is one
>of his favorite hobby horses.

It's not a "favorite hobby horse" but rather a longstanding issue. Why not work to solve the problem?

--Brett

From owner-freebsd-security Thu Apr 18 13:42:28 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 3CB2437B417 for ; Thu, 18 Apr 2002 13:42:24 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA20767; Thu, 18 Apr 2002 14:42:10 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 14:42:06 -0600
To: Ken McGlothlen
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: Christopher Schulte , security@FreeBSD.ORG
In-Reply-To: <87r8lcakpt.fsf@ralf.artlogix.com>
References: <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:08 PM 4/18/2002, Ken McGlothlen wrote:

>Actually, it's not as bad as it might seem. I suspect what's got you upset is
>the thought of having to do a make buildworld on every machine. I can tell you
>how to avoid that....

[Snip]

Good tips here, assuming that you're willing to keep a build server around. But what if you're doing a fresh install at a customer site (with Internet feed), and want to get from floppies to a reasonably secure system without headaches?

Also, won't "make installworld" nuke some of the customization you've done to each machine? And what if you're running with SECURELEVEL=2 on your production servers?

--Brett

From owner-freebsd-security Thu Apr 18 13:51:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id D0C5437B417 for ; Thu, 18 Apr 2002 13:51:07 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA20902; Thu, 18 Apr 2002 14:50:55 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418144331.0222d830@nospam.lariat.org>
X-Sender: brett@nospam.lariat.org
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Thu, 18 Apr 2002 14:50:49 -0600
To: Ken McGlothlen
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: nate@yogotech.com (Nate Williams), Christopher Schulte , security@FreeBSD.ORG
In-Reply-To: <87it6oajyo.fsf@ralf.artlogix.com>
References: <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418114304.00dccf00@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 01:24 PM 4/18/2002, Ken McGlothlen wrote:

>Even well-funded organizations such as Microsoft can't possibly test all
>combinations of hardware;

True. And it's not reasonable to expect it. But it'd be wonderful if, say, a -p4 came out and you could watch the -STABLE list to see if anyone found a problem with it before installing it yourself.

If that Japanese -p3 build is either a snapshot of RELENG_4_5 or a snapshot of -STABLE that does not seem to be causing people trouble, it's an example of The Right Thing.... It should be duplicated on the various mirrors and it should be the preferred version to download.
--Brett

From owner-freebsd-security Thu Apr 18 14:12:11 2002
Delivered-To: freebsd-security@freebsd.org
Received: from squall.waterspout.com (squall.waterspout.com [208.13.56.12]) by hub.freebsd.org (Postfix) with ESMTP id BEA1F37B41B for ; Thu, 18 Apr 2002 14:11:59 -0700 (PDT)
Received: by squall.waterspout.com (Postfix, from userid 1050) id E5BC79B19; Thu, 18 Apr 2002 16:11:53 -0500 (EST)
Date: Thu, 18 Apr 2002 16:11:53 -0500
From: Will Andrews
To: Brett Glass
Cc: Chris Faulhaber , Nate Williams , David Wolfskill , security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418211153.GP89460@squall.waterspout.com>
Mail-Followup-To: Brett Glass , Chris Faulhaber , Nate Williams , David Wolfskill , security@FreeBSD.ORG
References: <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418115527.021d9f00@nospam.lariat.org> <4.3.2.7.2.20020418120815.021c6580@nospam.lariat.org> <4.3.2.7.2.20020418141843.021d1540@nospam.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20020418141843.021d1540@nospam.lariat.org>
User-Agent: Mutt/1.3.26i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Apr 18, 2002 at 02:29:37PM -0600, Brett Glass wrote:
> I've looked at this. It looks like the right idea. But:
>
> 1) It's halfway around the world, in Japan. Downloads can be quite
> slow. Why isn't it on the main FreeBSD FTP server and mirrors?

It's not any farther from midwestern USA.
I get 160ms pings from both ftp.freebsd.org and snapshots.jp.freebsd.org, and similar download rates (~105KB/s). But it would be nice to see on mirrors.

> 3) Is it really a "p3" build? Or is it a snapshot of -STABLE? It looks
> as if at least part of it (maybe all of it) is rebuilt every day.

Just because it's rebuilt every day doesn't mean it's not a p3 build. It's possible to build things more than once.

Regards,
-- 
wca

From owner-freebsd-security Thu Apr 18 14:14:20 2002
Delivered-To: freebsd-security@freebsd.org
Received: from roble.com (mx0.roble.com [206.40.34.14]) by hub.freebsd.org (Postfix) with ESMTP id F09D337B405 for ; Thu, 18 Apr 2002 14:14:08 -0700 (PDT)
Received: from gw.netlecture.com (gw.netlecture.com [206.40.34.9]) by roble.com with ESMTP id g3ILE8A47786 for ; Thu, 18 Apr 2002 14:14:08 -0700 (PDT)
Date: Thu, 18 Apr 2002 14:14:08 -0700 (PDT)
From: Roger Marquis
To: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To:
Message-ID: <20020418134015.D47205-100000@roble.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Jon Bergfeld wrote:
> look, the existing process seems to work fine for everyone else, so if
> you want a new way to upgrade, develop it yourself.

Actually the existing process does not work fine for everyone, neither Brett, myself, nor many other sysadmins of mission-critical production systems. If you would suppress the dirt-mouthed language and stop shooting the messenger this might be more evident.

Different sites have different levels of risk tolerance. CVSup is not the right tool for applying minimal deltas of fully tested code to mission-critical servers.
I've migrated several FreeBSD servers to Solaris over the years for exactly this reason. Solaris' patch and package subsystems are considerably better designed (i.e, anal) and the patches are far more thoroughly tested than you'll find in FreeBSD. This is a core difference between much free and commercial software and it doesn't appear likely to change any time soon (especially given the responses to Brett's wholly accurate observations). The development-oriented readers of -security, good as their coding skills are (and they are the best), simply don't have the admin or management experience necessary to understand a risk-analysis with this level of distinction much less the time or inclination to write the necessary code or implement supporting procedures. FreeBSD is the finest OS for many, many applications. It's not, however, the best at minimizing the risk of applying patches. Trying not to be critical, just noting the facts as I see them, -- Roger Marquis Roble Systems Consulting http://www.roble.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 18 14:24:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from post2.inre.asu.edu (post2.inre.asu.edu [129.219.110.73]) by hub.freebsd.org (Postfix) with ESMTP id E6CC337B400 for ; Thu, 18 Apr 2002 14:24:04 -0700 (PDT) Received: from conversion.post2.inre.asu.edu by asu.edu (PMDF V6.1 #40111) id <0GUS00F018RYJI@asu.edu> for security@freebsd.org; Thu, 18 Apr 2002 14:23:58 -0700 (MST) Received: from smtp.asu.edu (smtp.asu.edu [129.219.110.107]) by asu.edu (PMDF V6.1 #40111) with ESMTP id <0GUS00DLE8RYBJ@asu.edu> for security@freebsd.org; Thu, 18 Apr 2002 14:23:58 -0700 (MST) Received: from moroni.pp.asu.edu (moroni.pp.asu.edu [129.219.120.183]) by smtp.asu.edu (8.11.0/8.11.0/asu_smtp_relay,nullclient,tcp_wrapped) with ESMTP id g3ILNwB14969 for ; Thu, 18 Apr 2002 14:23:58 -0700 (MST) Date: Thu, 18 Apr 2002 
From: David Bear
Date: Thu, 18 Apr 2002 14:23:58 -0700 (MST)
To: security@freebsd.org
Subject: light from heat! yeah!! Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

On Thu, 18 Apr 2002, Ken McGlothlen wrote:

> Brett Glass writes:
> | I realize that many people use FreeBSD on non-mission-critical systems, or to
> | tinker with, and can afford downtime.  But we need to create and maintain
> | production machines.
> the thought of having to do a make buildworld on every machine.  I can tell you
> how to avoid that.

THANK YOU.  Here's a suggestion that helps.  Seems like the topic for a new
HOWTO -- Keeping security updates across large numbers of production servers ---

I'm very new to FreeBSD -- I chose FreeBSD because there was not a distro du
jour like in the linux world.  Keeping security patching tractable should be of
great interest to the security group.

>
> What I've done in the past is to use NFS to export /usr from my fastest
> machine.  Let's assume you want to keep a Class C network at 192.168.3.0
> updated.
>
> /etc/exports:
>
> /usr -alldirs -maproot=0:10 -network 192.168.3 -mask 255.255.255.0
>
> Then, on the machines you want to keep updated, you'd mount /usr/src and
> /usr/obj from that build machine.
>
> Now, on the fast box, type
>
> # cd /usr/src
> # make buildworld
>
> Churn, churn, churn.  None of your production machines are impacted; only the
> fast box handling the build.
>
> I should also note that you may want to move *all* your kernel configuration
> files over to the fast box, into /sys/i386/conf (if you're running x86/Pentium/
> AMD boxes).
>
> Once the build is done, pick a machine you want to update.
> Let's assume it's
> called wibble, and its kernel configuration file is called WIBBLE.
>
> On the fast box, type
>
> # make buildkernel KERNCONF=WIBBLE
>
> Once that's done, go to Wibble, shut down the services on it (what you want to
> do is essentially bring it down to single-user mode, but still keep NFS
> running), and type the following:
>
> # cd /usr/src
>     (Remember, that's the directory that actually resides on the
>     fast box)
> # make installworld
>     (Which installs the new operating system.)
> # make installkernel KERNCONF=WIBBLE
>     (Which installs the new kernel.)
> # reboot
>
> You should be done at this point with wibble.  Next machine, wobble.  Go to the
> fastbox and type
>
> # make buildkernel KERNCONF=WOBBLE
>
> and when that's done, go to wobble and type
>
> # cd /usr/src
> # make installworld
> # make installkernel KERNCONF=WOBBLE
> # reboot
>
> and so on.
>
> You'll find that's a LOT faster than rebuilding the entire OS from source on
> each and every machine.
>

-- 
David Bear
College of Public Programs/ASU
480-965-8257
 ...the way is like water, going where nobody wants it to go
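The build-box procedure quoted above (buildworld once on the fast box, then per host: buildkernel on the fast box, installworld and installkernel on the host from the NFS-mounted /usr/src, reboot) is easy to drive from a script. What follows is an added example, not code from the post or from the FreeBSD project. It uses hypothetical names (build box fastbox, hosts wibble and wobble, root reachable over ssh on all of them) and the post's convention that a host's kernel config is its name upper-cased. It adds two checks a practitioner would want before touching a production host: that kern.securelevel is 0 or below, because installworld has to clear the schg flag on files such as /kernel and /sbin/init before replacing them and the kernel refuses that at securelevel 1 or higher (the SECURELEVEL=2 question raised later in this thread); and that the host's /usr/src really is the export from the build box rather than a stale local tree. Separately, note that the post's exports line, with -maproot=0:10 and -network/-mask, grants every host on that /24 root-mapped access to the build box's /usr; listing the client hosts explicitly narrows that.

```shell
#!/bin/sh
# update-from-buildbox.sh -- drive the build-box/NFS update for a list of hosts.
# Added example, not from the post.  Assumptions (hypothetical names): the build
# box is "fastbox"; every host mounts fastbox:/usr/src and fastbox:/usr/obj at
# /usr/src and /usr/obj; root on the hosts and on fastbox is reachable over ssh;
# a host's kernel config is its name upper-cased (wibble -> WIBBLE); and
# "make buildworld" has already been run once on fastbox, by hand.
set -e

BUILD_HOST=${BUILD_HOST:-fastbox}
SRC=/usr/src

# wibble -> WIBBLE
kernconf_for() {
    printf '%s\n' "$1" | tr '[:lower:]' '[:upper:]'
}

# $1: the value of `sysctl -n kern.securelevel` on the target.  installworld
# has to clear the schg flag on files such as /kernel and /sbin/init before it
# can overwrite them, and the kernel will not allow chflags noschg at
# securelevel 1 or higher, so the install must happen at securelevel 0 or -1.
securelevel_ok() {
    [ "$1" -le 0 ]
}

# $1: the line of `mount` output for /usr/src on the target, e.g.
#   fastbox:/usr/src on /usr/src (nfs, read-only)
# Guards against running installworld from a stale local copy of the tree
# (or from somebody else's export) instead of the build box's.
src_is_nfs_from_build_host() {
    case "$1" in
        "$BUILD_HOST:$SRC on $SRC (nfs"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the commands for one host, one per line, in the post's order:
# buildkernel on the build box, then installworld + installkernel on the host,
# then reboot.  A pure function, so the plan can be reviewed before it runs.
plan_for_host() {
    kc=$(kernconf_for "$1")
    printf '%s\n' \
        "ssh root@$BUILD_HOST 'cd $SRC && make buildkernel KERNCONF=$kc'" \
        "ssh root@$1 'cd $SRC && make installworld && make installkernel KERNCONF=$kc'" \
        "ssh root@$1 'shutdown -r now'"
}

# Run the checks, then the plan, for one host.  Stops at the first failure.
update_host() {
    host=$1
    sl=$(ssh "root@$host" sysctl -n kern.securelevel)
    if ! securelevel_ok "$sl"; then
        echo "$host: kern.securelevel=$sl; bring it down to single-user first" >&2
        return 1
    fi
    m=$(ssh "root@$host" mount | grep " on $SRC (") || m=
    if ! src_is_nfs_from_build_host "$m"; then
        echo "$host: $SRC is not the NFS export from $BUILD_HOST: ${m:-not mounted}" >&2
        return 1
    fi
    plan_for_host "$host" | while IFS= read -r cmd; do
        echo "+ $cmd"
        sh -c "$cmd"
    done
}

# Usage: sh update-from-buildbox.sh wibble wobble ...
for h in "$@"; do
    update_host "$h"
done
```

Each command is echoed before it runs, so a first dry check is to call plan_for_host for one host and read the three lines it prints; the securelevel and mount checks run on the target before any of them.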

From: "Jeff Palmer"
Date: Thu, 18 Apr 2002 18:10:30 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

It's not the FreeBSD community's fault if you don't have a non-critical
machine to test a cvsup, before going "live" in a production environment.
Most respectable companies with mission critical servers would do so.

It's also not our fault if cvsup is "not an acceptable solution" in your
circumstances.  It works for the rest of the world.

Get off your high horse, and mock up a server, cvsup test it, and then
upgrade your production servers.  If this is still unacceptable, please feel
free to code up your own patches, apply them, and quit bitching on the
mailing lists?

Jeff

----- Original Message -----
From: "Brett Glass"
To: "Christopher Schulte" ;
Sent: Thursday, April 18, 2002 12:10 PM
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

> At 11:11 PM 4/17/2002, Christopher Schulte wrote:
>
> >You can synchronize your source tree and recompile.  See:
> >
> >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
>
> Alas, this is not an acceptable solution.
>
> I realize that many people use FreeBSD on non-mission-critical systems, or
> to tinker with, and can afford downtime.  But we need to create and maintain
> production machines.
>
> I hope that you can understand that doing a CVSup and then rebuilding the
> world every night (slowing the system to a crawl in the process and
> creating a system which might or might not be 100% stable) is not an
> acceptable solution.  Nor is downloading a random snapshot.  (Which one
> can't seem to do anyway these days; releng4.freebsd.org is refusing
>
> What is needed is a known good "p3" (or "p-whatever") build that can be
> installed quickly with minimum downtime.  Yet, despite the fact that
> people routinely refer to (for example) "4.5-RELEASE-p3", no such build
> seems to actually exist.  For those of us who create and manage production
> servers, there should be.
>
> --Brett Glass


From: Steve Francis
Date: Thu, 18 Apr 2002 15:08:39 -0700
To: Brett Glass
Cc: Jon Bergfeld, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

I'd just like to second this.

I've managed unix systems for quite a few years, all solaris and AIX until
recently when I started moving one production class of servers over to
FreeBSD (performance is a lot better for this function.)

My biggest confusion in moving to FreeBSD was the CVSup process, and how to
get a currently patched stable image.  (Not that it is that difficult, but
it is not intuitive, and there was no page in the FreeBSD handbook saying
"To ensure your system has the current patchset, and the most stable code
as of this date, do this...  If you don't trust the latest stable code, you
can get patchlevel Y by doing this...")

Also, it is, in my opinion, unfortunate that I can install a system from
the CDs without putting the source to everything on the box, but to go to
the -releng current patch set, I do need to first get the sources for all
on the system.

My .02c

Brett Glass wrote:

> At 12:17 PM 4/18/2002, Jon Bergfeld wrote:
>
> > look, the existing process seems to work fine for everyone else
>
> Actually, it doesn't.  And it really hurts evangelism and new
> adopters of FreeBSD.
>
> <snip>
>
> As you can see from the above, FreeBSD doesn't have a simple answer
> to a simple, reasonable question: "How can I *just install* FreeBSD
> with all of the latest security fixes on a new machine, without
> walking off of a conceptual cliff?"
>
> We need to address this.
> Not only would it help newcomers; it would
> also help admins who just want to do a quick, no-hassle upgrade that
> includes the latest security fixes.  We should NOT say, "the heck with
> them if they're not willing to learn all sorts of developer stuff on
> the spot."  That's pointless elitism.  And we shouldn't make it
> unreasonably hard for admins to update... or they might not do it.
> And then, when their systems are broken into, FreeBSD's reputation
> as a secure OS suffers.
>
> --Brett Glass


From: Ken McGlothlen
Date: 18 Apr 2002 15:32:42 -0700
To: Brett Glass
Cc: Christopher Schulte, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Brett Glass writes:

| Good tips here, assuming that you're willing to keep a build server around.
| But what if you're doing a fresh install at a customer site (with Internet
| feed), and want to get from floppies to a reasonably secure system without
| headaches?

I'd probably burn it onto a CD myself based on the latest -STABLE I was
willing to support.

| Also, won't "make installworld" nuke some of the customization you've done to
| each machine?

I try my hardest not to customize anything in /usr/src.  If you do that, you're
on your own, bud.

| And what if you're running with SECURELEVEL=2 on your production servers?

You'll have to run with a lower SECURELEVEL to install it.  But then, you'd
have to anyway.

C'mon, Brett, these last two objections are really stretching things.  Are
you looking for a solution, or are you just whinging?


From: Ken McGlothlen
Date: 18 Apr 2002 15:33:54 -0700
To: Brett Glass
Cc: nate@yogotech.com (Nate Williams), Christopher Schulte, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Brett Glass writes:

| True.  And it's not reasonable to expect it.
| But it'd be wonderful if, say, a
| -p4 came out and you could watch the -STABLE list to see if anyone found a
| problem with it before installing it yourself.

I do.  I watch -questions and -security, generally for a day or two.  But I've
never seen any problem with -STABLE.  Ports are a different matter.


From: Ken McGlothlen
Date: 18 Apr 2002 15:41:40 -0700
To: Roger Marquis
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Roger Marquis writes:

| Solaris' patch and package subsystems are considerably better designed (i.e.,
| anal) and the patches are far more thoroughly tested than you'll find in
| FreeBSD.

Of course.  Sun has much, much more control over the hardware.  I don't know
that they're particularly better designed (things might have changed in the
last three years since I've been off Solaris, though), but they're certainly
better tested on the sort of hardware it's likely to run on.  But even it's not
perfect.
I remember a SunOS patch some years ago that had the community up in arms.  Sun
was pretty embarrassed about that.

| This is a core difference between much free and commercial software and it
| doesn't appear likely to change any time soon (especially given the responses
| to Brett's wholly accurate observations).

Well, if you are willing to contribute monetarily, I'm sure someone in the
FreeBSD camp would be willing to write a better one.  After all, you don't seem
very hesitant to contribute to Sun; perhaps if FreeBSD got some of your budget,
some of the tools most important to you would move up on the priority chain.

| The development-oriented readers of -security, good as their coding skills
| are (and they are the best), simply don't have the admin or management
| experience necessary to understand a risk-analysis with this level of
| distinction much less the time or inclination to write the necessary code or
| implement supporting procedures.

I completely disagree with this, save one item: it's a matter of time.  The
effort is largely volunteer in nature.  Many of us have been admins or coders
for years (nearly fifteen years Unix administration for me), and we're aware of
the problems and shortcomings of the open-source movement.  Believe me, there
are definitely things I'd like to see improved as well---but *I* don't have the
time to code it, either.  If someone were willing to pay me to swot up package-
and release-management code, I'd consider it.

If you're not comfortable with contributing to FreeBSD development on that
level, or its shortcomings are too great, you're probably better off with
Solaris.

From: Benjamin Krueger
Date: Thu, 18 Apr 2002 15:43:38 -0700
To: Jeff Palmer
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

> ----- Original Message -----
> From: "Brett Glass"
> To: "Christopher Schulte" ;
> Sent: Thursday, April 18, 2002 12:10 PM
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
>
> > At 11:11 PM 4/17/2002, Christopher Schulte wrote:
> >
> > >You can synchronize your source tree and recompile.  See:
> > >
> > >http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
> >
> > Alas, this is not an acceptable solution.
> >
> > I realize that many people use FreeBSD on non-mission-critical systems, or
> > to tinker with, and can afford downtime.  But we need to create and maintain
> > production machines.
> >
> > I hope that you can understand that doing a CVSup and then rebuilding the
> > world every night (slowing the system to a crawl in the process and
> > creating a system which might or might not be 100% stable) is not an
> > acceptable solution.  Nor is downloading a random snapshot.  (Which one
> > can't seem to do anyway these days; releng4.freebsd.org is refusing
> >
> > What is needed is a known good "p3" (or "p-whatever") build that can be
> > installed quickly with minimum downtime.  Yet, despite the fact that
> > people routinely refer to (for example) "4.5-RELEASE-p3", no such build
> > seems to actually exist.  For those of us who create and manage production
> > servers, there should be.
> >
> > --Brett Glass

* Jeff Palmer (scorpio@drkshdw.org) [020418 15:08]:
> It's not the FreeBSD community's fault if you don't have a non-critical
> machine to test a cvsup, before going "live" in a production environment.
> Most respectable companies with mission critical servers would do so.
>
> It's also not our fault if cvsup is "not an acceptable solution" in your
> circumstances.  It works for the rest of the world.
>
> Get off your high horse, and mock up a server, cvsup test it, and then
> upgrade your production servers.  If this is still unacceptable, please feel
> free to code up your own patches, apply them, and quit bitching on the
> mailing lists?
>
> Jeff

There seems to be a lot of animosity among people, rather than constructive
discussion of the issue that has been raised.  This can't be too productive.
Sometimes an improvement suggestion is just an improvement suggestion, and not
an accusation or hostile criticism.  I think everyone here wants to see The
Project improve and benefit us all.
Like it or not, Brett has raised a concern which is entirely valid and echoed
by many system administrators. ( I have a feeling the number is not small )

FreeBSD currently does not enable easy maintenance between critical release
points for large server environments.  Using cvsup to maintain source builds
for environments like these ( say 400 servers or more ) is not only
unacceptable without an on staff developer and release engineer, it is
infeasible.

For those of you who would be quick to note that "Corporations with 400
servers should be able to afford a developer and release engineer" please
note that 400 NT, Solaris, AIX, or HP-UX servers can be maintained by a small
team of administrators, and do not require these extra resources.  If you can
still convince them to go with FreeBSD despite the extra salaries and
resources instead of the ease ( and insurance ) of buying a support contract
from the vendor, I commend you.  Marketing is not my gig.

Nobody expects a new system to replace the current and trustworthy cvsup
method.  By the same token, nobody expects The Project to support every
possible hardware/software configuration out there.  On the flip side, FreeBSD
is not like NetBSD or Linux in that we don't support 40 architectures, and a
few household appliances.  Currently, we have 2 major architectures spanning 3
processors.  Intel and AMD processors on the PC, and Alpha.  Sparc and IA64 may
be considerations in the future.  For now, any patches or builds of this
nature could very well be limited to 3 supported base architectures.
Typically, we have maybe 2 or 3 critical releases of this nature per month.
That comes to 3 builds three times a month, not a considerable strain, for
the benefit of releasing patches that folks will use.

I should like to note that this kind of system would be an excellent
opportunity for a FreeBSD support company to pick up some slack that perhaps
The Project doesn't have the resources to cover.
It could potentially be a valuable service for customers and users alike.

-- 
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
 - Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18


From: "Karsten W. Rohrbach"
Date: Fri, 19 Apr 2002 01:03:03 +0200
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Brett Glass(brett@lariat.org)@2002.04.18 14:34:47 +0000:
> >A cursory examination of the mail archives will show that this is one
> >of his favorite hobby horses.
>
> It's not a "favorite hobby horse" but rather a longstanding issue.
> Why not work to solve the problem?

if it is of major importance to you, please contact the jp.freebsd.org
people, talk about the open issues (docs, distribution,...) and then set
up a public ftp mirror that holds snapshots of RELENG_4_WHATEVER.

if you want to do it yourself, creating iso images and a properly set up
ftp-area for network installs read the docs listed at
http://www.freebsd.org/releng/index.html#docs

you just have to set up some midrange pc hardware that pulls the CVS
archive and runs a script around "make release".
this _is_ a lot of work, sure, and i stopped delivering my (past
employer's) customers custom -stable releases on iso (for obvious
reasons).  if you got more than let's say 50 boxes running the same
release with a site-specific standard setup, it makes sense to invest
the time.

go ahead and try building a release.

regards,
/k

-- 
> Obscenity is the crutch of inarticulate motherfuckers.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


From: "Karsten W. Rohrbach"
Date: Fri, 19 Apr 2002 01:09:53 +0200
To: Brett Glass
Cc: Nate Williams, Christopher Schulte, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Brett Glass(brett@lariat.org)@2002.04.18 11:49:24 +0000:
> How does one know that there isn't a system-crashing bug in some other
> part of the tree for the same date?  What's needed is not just the
> snapshot that happened to be available that day (or today) but one
> that's known to be reasonably stable.  Remember, a snapshot of -STABLE
> taken on a random day is not guaranteed even to boot!
if you need an os with "system-crashing bugs" and "not guaranteed even to
boot" (at least after a severe crash), you might want to check out windows
XP ;-)  i heard there are "random snapshots" of driver binaries and
libraries available for download at its manufacturer's web site, too.
word of mouth even told me that someone "certified professional" may be
called to fix your always b0rked systems after receiving moderate amounts
of $$$. :->

sorry, couldn't resist.

/k

-- 
> Open Minds. Open Sources. Open Future.
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x


From: "Karsten W. Rohrbach"
Date: Fri, 19 Apr 2002 01:43:51 +0200
To: Benjamin Krueger
Cc: Jeff Palmer, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Rohrbach" , Benjamin Krueger , Jeff Palmer , freebsd-security@freebsd.org References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <012901c1e725$da237e90$0286a8c0@jeffrey> <20020418154338.D23267@rain.macguire.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="L/bWm/e7/ricERqM" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020418154338.D23267@rain.macguire.net>; from benjamin@macguire.net on Thu, Apr 18, 2002 at 03:43:38PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --L/bWm/e7/ricERqM Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Benjamin Krueger(benjamin@macguire.net)@2002.04.18 15:43:38 +0000: > Like it or not, Brett has raised a concern which is entirely valid and ec= hoed > by many system administrators. ( I have a feeling the number is not small= ) but you are missing the point that _administrators_ have the option (and the knowledge) to upgrade from source, using a builder system, just like most freebsd admins with larger installations do. > FreeBSD currently does not enable easy maintainance between critical rele= ase > points for large server environments. 
Using cvsup to maintain source buil= ds > for environments like these ( say 400 servers or more ) is not only=20 > unacceptable without an on staff developer and release engineer, it is=20 > infeasible.=20 take your favourite spreadsheet and create a TCO estimate of administration and maintenance of - freebsd 4.x - linux (your "favourite" distro) - win32 including the points - system setup - first time installation of services - customer education (for them to be able to use the system) - maintaining system stability (sec updates, subsystem upgrades) and all that in an automatic or semi-automatic manner with maint contracts running 1 or 2 years. at my previous employer we had 1000+ customer boxes out there, some with maintenance contracts, and freebsd turned out to be the most performant, most stable and cheapest solution. i would be delighted to see the numbers you get under the bottom line for TCO of the three platforms. > For those of you who would be quick to note that "Corporations with 400= =20 > servers should be able to afford a developer and release engineer" please= =20 > note that 400 NT, Solaris, AIX, or HP-UX servers can be maintained by a s= mall=20 ^^^^^^ ^= ^^^^ > team of administrators, and do not require these extra resources. If you = can=20 ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^ so, money is not a resource at your site? freebsd is an os, _freely available_, running on _darn cheap_ hardware. your comparison lacks a bit of realism here, at least from the european point of view of the software/hardware prices of the vendors mentioned above. btw, i'd also like to have some of the stuff you smoke over there ;-) > still convince them to go with FreeBSD despite the extra salaries and > resources instead of the ease ( and insurance ) of buying a support contr= act > from the vendor, I commend you. Marketing is not my gig. >=20 > Nobody expects a new system to replace the current and trustworthy cvsup > method. 
By the same token, nobody expects The Project to support every > possible hardware/software configuration out there. On the flip side, Fre= eBSD > is not like NetBSD or Linux in that we don't support 40 architectures, an= d a > few household appliances.=20 nevertheless, release engineering for RELENG_4_X (X!=3D5) turned out to be pretty perfect for an opensource os, from my point of view. > Currently, we have 2 major architectures spanning 3 processors. Intel and= =20 > AMD processors on the PC, and Alpha. Sparc and IA64 may be considerations= in=20 > the future. For now, any patches or builds of this nature could very well= be=20 > limited to 3 supported base architectures. Typically, we have maybe 2 or 3 > critical releases of this nature per month. That comes to 3 builds three > times a month, not a considerable strain, for the benefit of releasing=20 > patches that folks will use. >=20 > I should like to note that this kind of system would be an excellent > opportunity for a FreeBSD support company to pick up some slack that perh= aps > The Project doesn't have the resources to cover. It could potentially be a > valuable service for customers and users alike. i agree partly. from my experience in the freebsd community there are quite some folks who _do_ release builds for internal use at their site. it would rather be a coordination effort to get one or more publicly available update releases available out there, if their employers would spend the resources on doing this. regards, /k --=20 > UNiX *IS* user friendly. It's just selective about who it's friends are. KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.n= et/ GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 B= F46 My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ Please do not remove my address from To: and Cc: fields in mailing lists. 
1= 0x --L/bWm/e7/ricERqM Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE8v1o3M0BPTilkv0YRAkU3AKCpxnKRnte3UjZqm175TfGA/v1lkACcDE98 Oq6dhNWKw6e97+2M8G7AaFc= =jocT -----END PGP SIGNATURE----- --L/bWm/e7/ricERqM-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Apr 18 17:16:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from rain.macguire.net (sense-sea-MegaSub-1-125.oz.net [216.39.144.125]) by hub.freebsd.org (Postfix) with ESMTP id 58C8737B400 for ; Thu, 18 Apr 2002 17:16:22 -0700 (PDT) Received: (from roo@localhost) by rain.macguire.net (8.11.6/8.11.6) id g3J0EsV38779; Thu, 18 Apr 2002 17:14:54 -0700 (PDT) (envelope-from roo) Date: Thu, 18 Apr 2002 17:14:54 -0700 From: Benjamin Krueger To: "Karsten W. Rohrbach" , Benjamin Krueger , Jeff Palmer , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <20020418171454.E23267@rain.macguire.net> References: <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <012901c1e725$da237e90$0286a8c0@jeffrey> <20020418154338.D23267@rain.macguire.net> <20020419014351.M60925@mail.webmonster.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020419014351.M60925@mail.webmonster.de>; from karsten@rohrbach.de on Fri, Apr 19, 2002 at 01:43:51AM +0200 X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Karsten W. 
Rohrbach (karsten@rohrbach.de) [020418 16:43]: > Benjamin Krueger(benjamin@macguire.net)@2002.04.18 15:43:38 +0000: > > Like it or not, Brett has raised a concern which is entirely valid and echoed > > by many system administrators. ( I have a feeling the number is not small ) > > but you are missing the point that _administrators_ have the option (and > the knowledge) to upgrade from source, using a builder system, just like > most freebsd admins with larger installations do. Indeed they do. Doing this for 1000 individual servers, even when scripted, is an incredible task, and not very feasible. > > FreeBSD currently does not enable easy maintainance between critical release > > points for large server environments. Using cvsup to maintain source builds > > for environments like these ( say 400 servers or more ) is not only > > unacceptable without an on staff developer and release engineer, it is > > infeasible. > > at my previous employer we had 1000+ customer boxes out there, some with > maintenance contracts, and freebsd turned out to be the most performant, > most stable and cheapest solution. i would be delighted to see the > numbers you get under the bottom line for TCO of the three platforms. I'm not sure why you're bringing up TCO here. A change like this would help reduce your TCO. How many hours did you spend every update with those 1000 servers? How much does it cost per hour for your company to employ you? What kind of profitable work would you have been doing if you only had to apply patches instead of building? How much will it cost them if you fubar and a customer goes down? > > For those of you who would be quick to note that "Corporations with 400 > > servers should be able to afford a developer and release engineer" please > > note that 400 NT, Solaris, AIX, or HP-UX servers can be maintained by a small > ^^^^^^ ^^^^^ > > team of administrators, and do not require these extra resources. 
If you can > ^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^ > so, money is not a resource at your site? freebsd is an os, _freely > available_, running on _darn cheap_ hardware. your comparison lacks a > bit of realism here, at least from the european point of view of the > software/hardware prices of the vendors mentioned above. > btw, i'd also like to have some of the stuff you smoke over there ;-) Lets be realistic here. Corporations don't like unsure things. They spend money on good hardware and support contracts because they have gaurantees and somebody to hold accountable. You're going to have an easier time getting them to be flexible on this point if there are patches for critical releases that system administrators can use, rather than having to maintain an internal build infrastructure. ("You want us to replace vendor support contracts and SLAs with an internal build team that we have to pay for ourselves? Who do we hold accountable when the internal build breaks and 500 servers go tits up?") Yes, FreeBSD does run on darn cheap hardware, and it runs well. That being said, I would never run a large operation on cheap hardware. I will find a reliable hardware manufacturer with quality parts who doesn't balk when I need to order 100 spare hotswap scsi drives or RMA 324 dead power supply fans that came out of a bad production run by tomorrow morning. Reliability costs money, and the operating system is just a part of that reliability. To be frank, I don't think most shops spend most of their server budget on software. Yes, NT licenses cost money. Build engineer salaries cost money too. I still believe the bulk of IT budgets goes towards purchasing reliable hardware. I don't recommend that folks use FreeBSD because its free. I recommend they use it because its one of the most capable systems out there. > > Nobody expects a new system to replace the current and trustworthy cvsup > > method. 
By the same token, nobody expects The Project to support every > > possible hardware/software configuration out there. On the flip side, FreeBSD > > is not like NetBSD or Linux in that we don't support 40 architectures, and a > > few household appliances. > > nevertheless, release engineering for RELENG_4_X (X!=5) turned out to be > pretty perfect for an opensource os, from my point of view. Nothing is perfect. Ever. It definately went smoothly though. > > Currently, we have 2 major architectures spanning 3 processors. Intel and > > AMD processors on the PC, and Alpha. Sparc and IA64 may be considerations in > > the future. For now, any patches or builds of this nature could very well be > > limited to 3 supported base architectures. Typically, we have maybe 2 or 3 > > critical releases of this nature per month. That comes to 3 builds three > > times a month, not a considerable strain, for the benefit of releasing > > patches that folks will use. > > > > I should like to note that this kind of system would be an excellent > > opportunity for a FreeBSD support company to pick up some slack that perhaps > > The Project doesn't have the resources to cover. It could potentially be a > > valuable service for customers and users alike. > > i agree partly. from my experience in the freebsd community there are > quite some folks who _do_ release builds for internal use at their site. > it would rather be a coordination effort to get one or more publicly > available update releases available out there, if their employers would > spend the resources on doing this. Quite a few shops do have the luxery of being able to maintain and release internal builds. Quite a few more do not. Either way, its still a good opportunity for someone who can. =) > regards, > /k -- Benjamin Krueger "Life is far too important a thing ever to talk seriously about." 
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Thu Apr 18 17:22:05 2002
Date: Fri, 19 Apr 2002 03:21:34 +0300
From: Giorgos Keramidas
To: Brett Glass
Cc: David Wolfskill , schulte+freebsd@nospam.schulte.org, security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020419002134.GA11682@hades.hell.gr>
In-Reply-To: <4.3.2.7.2.20020418114128.02156980@nospam.lariat.org>

On 2002-04-18 11:42, Brett Glass wrote:
> At 10:18 AM 4/18/2002, David Wolfskill wrote:
>
> >If you have systems that are that important to you -- and I do, even
> >here at home -- then acquire a machine to do the builds, and then use
> >some method other than "build in place" to install the result.
>
> That's not sufficient to ensure that you didn't pick the wrong time
> to take a snapshot. Production machines must run a known good
> snapshot.

Err, whatever happened to the old practice of building the snapshot on
sufficiently `identical' machines and testing it there before
deploying[0] it for production use?

[0] I hate me already for using this word :)

- Giorgos

From owner-freebsd-security Thu Apr 18 17:46:13 2002
Message-ID: <3CBF6974.7DF88F5A@tt.kubota.co.jp>
Date: Fri, 19 Apr 2002 09:48:52 +0900
From: Munehiro Matsuda
Reply-To: haro@kubota.co.jp
Organization: e-Collaboration Group, Kubota Graphics Technology Inc.
To: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]
References: <200204181825.g3IIPMb78993@freefall.freebsd.org>

Hi All,

FreeBSD Security Advisories wrote:
> =============================================================================
> FreeBSD-SA-02:18                                           Security Advisory
>                                                                 FreeBSD, Inc.
>
> Topic:          zlib double-free
>
> Category:       core, ports
> Module:         zlib
> Announced:      2002-03-18
>
> 0.   Revision History
>
> v1.0  2002-04-20  Initial release
> v1.1  2002-04-25  Corrected ZFREE location in kernel patch
>                   Corrected deflate window size check

The revision dates seem to be very weird.
Is FreeBSD advancing ahead of time? :-)

Thanks,
Haro

=-----------------------------------------------------------------------
 _ _           Munehiro (haro) Matsuda
-|- /_\ |_|_|  Kubota Graphics Technology Inc.
/|\ |_| |_|_|  2-8-8 Shinjuku, Shinjuku-ku Tokyo 160-0022, Japan
               Tel: +81-3-3225-0931  Fax: +81-3-3225-0749
               Email: haro@kubota.co.jp

From owner-freebsd-security Thu Apr 18 17:50:11 2002
Date: Thu, 18 Apr 2002 20:48:04 -0400
From: Jamie Norwood
To: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:18.zlib [REVISED]
Message-ID: <20020418204804.A35910@mushhaven.net>
In-Reply-To: <3CBF6974.7DF88F5A@tt.kubota.co.jp>; from haro@tt.kubota.co.jp on Fri, Apr 19, 2002 at 09:48:52AM +0900

On Fri, Apr 19, 2002 at 09:48:52AM +0900, Munehiro Matsuda wrote:
> >
> > v1.0  2002-04-20  Initial release
> > v1.1  2002-04-25  Corrected ZFREE location in kernel patch
> >                   Corrected deflate window size check
>
> The revision dates seem to be very weird.
> Is FreeBSD advancing ahead of time? :-)

We are finally being warned ahead of time that there is a change coming,
like we've been begging for.
*duck and run like hell*

Jamie

> Thanks,
> Haro

From owner-freebsd-security Thu Apr 18 18:03:46 2002
Message-ID: <15551.27877.743534.149538@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 19:03:33 -0600
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Benjamin Krueger
Cc: Jeff Palmer , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418154338.D23267@rain.macguire.net>

> FreeBSD currently does not enable easy maintenance between critical release
> points for large server environments. Using cvsup to maintain source builds
> for environments like these ( say 400 servers or more ) is not only
> unacceptable without an on staff developer and release engineer, it is
> infeasible.
>
> For those of you who would be quick to note that "Corporations with
> 400 servers should be able to afford a developer and release engineer"
> please note that 400 NT, Solaris, AIX, or HP-UX servers can be
> maintained by a small team of administrators, and do not require these
> extra resources.

So, for 400 NT, Solaris, AIX, or HP-UX servers you allow a small team,
and for FreeBSD you don't even allow a single engineer? Seems kind of a
double standard.

And as a long-time administrator, I disagree that FreeBSD is more
difficult to maintain releases across systems. I've done Ultrix, SunOS,
Solaris, FreeBSD, and (ack!) Linux, and I find that FreeBSD is second to
Solaris, but barely so.

However, Solaris doesn't even provide anything remotely close to what
Brett is asking, and they're getting paid a lot more for the OS than
FreeBSD is getting paid.

Nate

From owner-freebsd-security Thu Apr 18 18:07:59 2002
Date: Thu, 18 Apr 2002 18:07:54 -0700 (PDT)
From: Doug Barton
To: Brett Glass
Cc: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020418143231.021d6840@nospam.lariat.org>
Message-ID: <20020418180158.D8772-100000@zoot.corp.yahoo.com>

[ Foolishly disregarding my own advice.... ]

On Thu, 18 Apr 2002, Brett Glass wrote:

> At 12:54 PM 4/18/2002, Doug Barton wrote:
>
> >There is no way to end this discussion with Brett agreeing with
> >you.
>
> Not true. About the only thing I am sure to disagree with is an
> assertion to the effect that the problem does not exist (it
> plagues lots of folks!) or that it does not need to be fixed.

I think everyone agrees that you have problems Brett. No argument
there. :) The question is, whether or not this problem of
between-release upgrades is ever going to be solved to your
satisfaction.
> >A cursory examination of the mail archives will show that this is one
> >of his favorite hobby horses.
>
> It's not a "favorite hobby horse" but rather a longstanding issue.
> Why not work to solve the problem?

The typical FreeBSD answer is, "Since YOU think it's a problem, why
don't YOU work to solve it?" However, since to my knowledge your record
of never actually contributing a line of code to the project remains
unblemished, I know you don't like that answer very much.

I also think that the new RELENG_N_N idea is a good one, and it may do
your heart good to know that I took your point about not being able to
easily ascertain how many patches have been applied to a particular
point in that branch up with the release engineers just now. I agree
that it's valid, and should be easy to fix with newvers.sh, if it's not
already fixed (I haven't been following developments on that stuff too
closely).

As for other magical solutions to your (upgrade) problems...

--
"We have known freedom's price. We have shown freedom's power.
And in this great conflict, ... we will see freedom's victory."
- George W. Bush, President of the United States
State of the Union, January 28, 2002

Do YOU Yahoo!?
From owner-freebsd-security Thu Apr 18 18:10:49 2002
Date: Thu, 18 Apr 2002 18:08:46 -0700
From: Benjamin Krueger
To: Nate Williams
Cc: Benjamin Krueger , Jeff Palmer , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418180846.F23267@rain.macguire.net>
In-Reply-To: <15551.27877.743534.149538@caddis.yogotech.com>; from nate@yogotech.com on Thu, Apr 18, 2002 at 07:03:33PM -0600

* Nate Williams (nate@yogotech.com) [020418 18:03]:
> > FreeBSD currently does not enable easy maintenance between critical release
> > points for large server environments. Using cvsup to maintain source builds
> > for environments like these ( say 400 servers or more ) is not only
> > unacceptable without an on staff developer and release engineer, it is
> > infeasible.
> >
> > For those of you who would be quick to note that "Corporations with
> > 400 servers should be able to afford a developer and release engineer"
> > please note that 400 NT, Solaris, AIX, or HP-UX servers can be
> > maintained by a small team of administrators, and do not require these
> > extra resources.
>
> So, for 400 NT, Solaris, AIX, or HP-UX servers you allow a small team,
> and for FreeBSD you don't even allow a single engineer? Seems kind of a
> double standard.
>
> And as a long-time administrator, I disagree that FreeBSD is more
> difficult to maintain releases across systems. I've done Ultrix, SunOS,
> Solaris, FreeBSD, and (ack!) Linux, and I find that FreeBSD is second to
> Solaris, but barely so.
>
> However, Solaris doesn't even provide anything remotely close to what
> Brett is asking, and they're getting paid a lot more for the OS than
> FreeBSD is getting paid.
>
> Nate

I think you misunderstood. I meant you don't need release engineers for
any of the above, only FreeBSD. FreeBSD might be great, but it doesn't
admin itself yet. ;) Consider 4 sysadmins, and 2 release engineers for
FreeBSD, as opposed to just 4 sysadmins for NT / Solaris / AIX / HP-UX.

--
Benjamin Krueger
"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Thu Apr 18 18:13:07 2002
Message-ID: <15551.28438.662471.593081@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 19:12:54 -0600
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Benjamin Krueger
Cc: Nate Williams , Jeff Palmer , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418180846.F23267@rain.macguire.net>
> > > FreeBSD currently does not enable easy maintenance between critical release
> > > points for large server environments. Using cvsup to maintain source builds
> > > for environments like these ( say 400 servers or more ) is not only
> > > unacceptable without an on staff developer and release engineer, it is
> > > infeasible.
> > >
> > > For those of you who would be quick to note that "Corporations with
> > > 400 servers should be able to afford a developer and release engineer"
> > > please note that 400 NT, Solaris, AIX, or HP-UX servers can be
> > > maintained by a small team of administrators, and do not require these
> > > extra resources.
> >
> > So, for 400 NT, Solaris, AIX, or HP-UX servers you allow a small team,
> > and for FreeBSD you don't even allow a single engineer? Seems kind of a
> > double standard.
> >
> > And as a long-time administrator, I disagree that FreeBSD is more
> > difficult to maintain releases across systems. I've done Ultrix, SunOS,
> > Solaris, FreeBSD, and (ack!) Linux, and I find that FreeBSD is second to
> > Solaris, but barely so.
> >
> > However, Solaris doesn't even provide anything remotely close to what
> > Brett is asking, and they're getting paid a lot more for the OS than
> > FreeBSD is getting paid.
> >
> > Nate
>
> I think you misunderstood. I meant you don't need release engineers for
> any of the above, only FreeBSD. FreeBSD might be great, but it doesn't admin
> itself yet. ;) Consider 4 sysadmins, and 2 release engineers for FreeBSD, as
> opposed to just 4 sysadmins for NT / Solaris / AIX / HP-UX.

Call it what you like, but I consider preparing/testing a release for
our configuration part of the 'sysadmin' job. Certainly the IS staff at
my company does hardware/software verification as part of their job, on
*all* platforms (including Win98/NT/Win2K/WinME/XP, along with all of
the *nix variants).

If it makes you feel better, use the title 'release engineer', but the
staff of 4 people should be more than adequate to do all of the tasks
necessary to support your installations, regardless of whether FreeBSD
is used or not.

Nate

From owner-freebsd-security Thu Apr 18 18:17:14 2002
Message-ID: <15551.28671.448890.421578@caddis.yogotech.com>
Date: Thu, 18 Apr 2002 19:16:47 -0600
From: Nate Williams
Reply-To: nate@yogotech.com (Nate Williams)
To: Benjamin Krueger
Cc: "Karsten W. Rohrbach" , Jeff Palmer , freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020418171454.E23267@rain.macguire.net>

> > > Like it or not, Brett has raised a concern which is entirely valid and echoed
> > > by many system administrators. ( I have a feeling the number is not small )
> >
> > but you are missing the point that _administrators_ have the option (and
> > the knowledge) to upgrade from source, using a builder system, just like
> > most freebsd admins with larger installations do.
>
> Indeed they do. Doing this for 1000 individual servers, even when
> scripted, is an incredible task, and not very feasible.

Doing *anything* to 1000 individual servers running ANY OS is an
incredible task, regardless of what is being done. Why is FreeBSD being
singled out here?

> Quite a few shops do have the luxury of being able to maintain and release
> internal builds. Quite a few more do not. Either way, it's still a good
> opportunity for someone who can. =)

Any shop that has a significant # of servers that I've worked with takes
the time to do internal builds using a standard set of hardware.
Otherwise, you spend more time chasing your tail than in solving
problems. (Again, this issue is orthogonal to the issue of which
hardware/software is being used).
Nate

From owner-freebsd-security Thu Apr 18 18:23:46 2002
From: Benjamin Krueger
Date: Thu, 18 Apr 2002 18:21:45 -0700
To: Nate Williams
Cc: Benjamin Krueger, Jeff Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418182145.G23267@rain.macguire.net>
In-Reply-To: <15551.28438.662471.593081@caddis.yogotech.com>
X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc

* Nate Williams (nate@yogotech.com) [020418 18:12]:
> > > > FreeBSD currently does not enable easy maintenance between critical release
> > > > points for large server environments. Using cvsup to maintain source builds
> > > > for environments like these ( say 400 servers or more ) is not only
> > > > unacceptable without an on staff developer and release engineer, it is
> > > > infeasible.
> > > >
> > > > For those of you who would be quick to note that "Corporations with
> > > > 400 servers should be able to afford a developer and release engineer"
> > > > please note that 400 NT, Solaris, AIX, or HP-UX servers can be
> > > > maintained by a small team of administrators, and do not require these
> > > > extra resources.
> > >
> > > So, for 400 NT, Solaris, AIX, or HP-UX servers you allow a small team,
> > > and for FreeBSD you don't even allow a single engineer? Seems kind of a
> > > double standard.
> > >
> > > And as a long-time administrator, I disagree that FreeBSD is more
> > > difficult to maintain releases across systems. I've done Ultrix, SunOS,
> > > Solaris, FreeBSD, and (ack!) Linux, and I find that FreeBSD is second to
> > > Solaris, but barely so.
> > >
> > > However, Solaris doesn't even provide anything remotely close to what
> > > Brett is asking, and they're getting paid a lot more for the OS than FreeBSD
> > > is getting paid.
> > >
> > > Nate
> >
> > I think you misunderstood. I meant you don't need release engineers for
> > any of the above, only FreeBSD. FreeBSD might be great, but it doesn't admin
> > itself yet. ;) Consider 4 sysadmins, and 2 release engineers for FreeBSD, as
> > opposed to just 4 sysadmins for NT / Solaris / AIX / HP-UX.
>
> Call it what you like, but I consider preparing/testing a release for
> our configuration part of the 'sysadmin' job. Certainly the IS staff at
> my company does hardware/software verification as part of their job, on
> *all* platforms (including Win98/NT/Win2K/WinME/XP, along with all of
> the *nix variants).
>
> If it makes you feel better, use the title 'release engineer', but the
> staff of 4 people should be more than adequate to do all of the tasks
> necessary to support your installations, regardless of whether FreeBSD
> is used or not.
>
> Nate

That is very convenient, but I wouldn't call it realistic. We're talking
about more than just verification here. We're talking about building and
testing an entire OS from source, and then distributing it among a large
number of machines. While I'm sure most sysadmins would like to fancy
themselves superpeople (I would!), most of us aren't. ;)

The point here is that release engineering is very much a larger task than
using release patches. With a large server farm, you are going to have lots
of reasons to have folks solely dedicated to just this task.

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Thu Apr 18 18:24:46 2002
From: Larry Vaden
Date: Thu, 18 Apr 2002 20:24:37 -0500
To: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-Id: <5.1.0.14.2.20020418201450.05b44d80@incoming.texoma.net>
In-Reply-To: <15551.27877.743534.149538@caddis.yogotech.com>

At 08:03 PM 4/18/2002, Nate Williams wrote:
>However, Solaris doesn't even provide anything remotely close to what
>Brett is asking, and they're getting paid a lot more for the OS than FreeBSD
>is getting paid.

Perhaps there is reason for the FreeBSD project to *consider* providing the
requested enhanced service(s) in return for a subscription fee from those
who would benefit.

It might [outsell | generate more revenue than] T-Shirts or Daemons,
perhaps even make evangelism easier, perhaps even increase market share.

OTOH, perhaps a free T-Shirt should come with each subscription. Make mine
an XX-L, please `[8-))

rgds/ldv
7 year licensee of BSD/OS, now using FreeBSD

From owner-freebsd-security Thu Apr 18 18:26:47 2002
From: Benjamin Krueger
Date: Thu, 18 Apr 2002 18:24:42 -0700
To: Nate Williams
Cc: Benjamin Krueger, "Karsten W. Rohrbach", Jeff Palmer, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418182442.H23267@rain.macguire.net>
In-Reply-To: <15551.28671.448890.421578@caddis.yogotech.com>
X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc

* Nate Williams (nate@yogotech.com) [020418 18:16]:
> > > > Like it or not, Brett has raised a concern which is entirely valid and echoed
> > > > by many system administrators. ( I have a feeling the number is not small )
> > >
> > > but you are missing the point that _administrators_ have the option (and
> > > the knowledge) to upgrade from source, using a builder system, just like
> > > most freebsd admins with larger installations do.
> >
> > Indeed they do. Doing this for 1000 individual servers, even when
> > scripted, is an incredible task, and not very feasible.
>
> Doing *anything* to 1000 individual servers running ANY OS is an
> incredible task, regardless of what is being done. Why is FreeBSD
> being singled out here?

Because keeping an internal build mechanism is far more complex and costly
than keeping a set of scripts that push out patches.
> > Quite a few shops do have the luxury of being able to maintain and release
> > internal builds. Quite a few more do not. Either way, it's still a good
> > opportunity for someone who can. =)
>
> Any shop that has a significant # of servers that I've worked with takes
> the time to do internal builds using a standard set of hardware.
> Otherwise, you spend more time chasing your tail than in solving
> problems. (Again, this issue is orthogonal to the issue of which
> hardware/software is being used).

Again, verification is not quite the task that building an OS is.

> Nate

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Thu Apr 18 18:49:47 2002
From: hawkeyd@visi.com (D J Hawkey Jr)
Date: Thu, 18 Apr 2002 20:49:24 -0500 (CDT)
To: brett@lariat.org, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-Id: <200204190149.g3J1nOb01496@sheol.localdomain>
In-Reply-To: <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net>
Reply-To: hawkeyd@visi.com
Organization: if (!FIFO) if (!LIFO) break;
X-Newsreader: knews 1.0b.1
X-Original-Newsgroups: sol.lists.freebsd.security

In article <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net>,
brett@lariat.org writes:
> At 12:22 PM 4/18/2002, Chris Faulhaber wrote:
>
>>ftp://snapshots.jp.freebsd.org/pub/FreeBSD/releases/i386/4.5-RELEASE-p3/
>
> I've looked at this. It looks like the right idea. But:
>
> 1) It's halfway around the world, in Japan. Downloads can be quite
> slow. Why isn't it on the main FreeBSD FTP server and mirrors?
>
> 2) It's not documented anywhere -- not even on the Web page at
> http://snapshots.jp.freebsd.org/.
>
> 3) Is it really a "p3" build? Or is it a snapshot of -STABLE? It looks
> as if at least part of it (maybe all of it) is rebuilt every day.

OK, I believe it was mentioned already, but was rather glossed over:

For any one "snapshot", be it a major.minor-RELEASE, or -RELEASE-pN,
have you - or anyone - any idea just how many snapshots would be required?

Some systems are IDE/ATAPI, others are SCSI, some are both, and some are
RAID. You want a snapshot kernel supporting all that, if yours is just
an internet gateway? What're the possible permutations of supported DASD?

What are the possible permutations of NICs?

What of optimizations for particular CPUs?

So, how many kernels should be "snapshot"d? And who's to make that call?

My point is, if it isn't already obvious, that this path will garner
nothing but disappointment to some group of people somewhere. There's no
way FreeBSD - or any OS that runs on "ubiquitous" or "off the shelf"
hardware - can make everyone happy. I daresay it'd actually satisfy but a
small number of users, of which you may or may not be included. Even
"snapshot"d GENERIC kernels wouldn't cut it, methinks (it wouldn't for me,
anyway).

---

I've tried to use Red Hat's RPMs for updates/upgrades, and it was more
hassle to keep that straight than to simply replace the OS altogether (and
I have to wonder if a majority of Linux sysadmins haven't come to the same
conclusion and practice?). Those were on "generic" systems, too; I shudder
to think what would break were they custom (in the FreeBSD sense). RPMs are
not the panacea they're purported to be; many's the time they've broken
more than they've fixed.

---

I have used NFS as a method of distributing builds from a "master" box, and
it is a viable solution, indeed. Clean, too, from the standpoint of
support. And the price of the "master" box? What, $600 or $700?

For the record: I cvsup'd from -RELEASE-p2 to -p3, rebuilt the world, and
kernel, while doing all my day-to-day business, with only occasional and
brief hesitations in response times. It took about 2-1/2 hours. The system
was off-line for all of about ten minutes for the installation. This on a
700MHz Celeron. The overhead on other servers NFS-connected to it would be
that last ten minutes or so.

As to your "what if" about customer's systems? The build process is a great
time for an extended lunch to mull over other issues with that client.
Someone can page you on the off-chance it breaks, though that's never
happened to me.

---

And to a comment of yours that stuck in my mind: You can cvsup every night
if you want, but that doesn't necessarily mean a build every night.

> --Brett

Brett, FreeBSD's methodologies may not be the most convenient for you or
others that agree with you, but you've got to admit, it is comprehensive,
and pretty much bullet-proof, if not idiot-proof.

Just my more-than-two-cents' worth,
Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Thu Apr 18 19:13:07 2002
From: Brett Glass
Date: Thu, 18 Apr 2002 20:12:47 -0600
To: hawkeyd@visi.com, freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-Id: <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org>
In-Reply-To: <200204190149.g3J1nOb01496@sheol.localdomain>
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.

At 07:49 PM 4/18/2002, D J Hawkey Jr wrote:

>OK, I believe it was mentioned already, but was rather glossed over:
>
>For any one "snapshot", be it a major.minor-RELEASE, or -RELEASE-pN,
>have you - or anyone - any idea just how many snapshots would be required?

One.

>Some systems are IDE/ATAPI, others are SCSI, some are both, and some are
>RAID. You want a snapshot kernel supporting all that, if yours is just
>an internet gateway? What're the possible permutations of supported DASD?

I'm afraid I don't understand. What are you talking about?

>What are the possible permutations of NICs?
>
>What of optimizations for particular CPUs?
>
>So, how many kernels should be "snapshot"d? And who's to make that call?

You obviously misunderstand what we've been referring to when we use
the word "snapshot." A "snapshot," in this context, is a build of FreeBSD
from a particular day's sources.

--Brett

From owner-freebsd-security Thu Apr 18 19:24:56 2002
From: D J Hawkey Jr
Date: Thu, 18 Apr 2002 21:24:45 -0500
To: Brett Glass
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418212445.A1577@sheol.localdomain>
In-Reply-To: <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org>
Reply-To: hawkeyd@visi.com

On Apr 18, at 08:12 PM, Brett Glass wrote:
>
> At 07:49 PM 4/18/2002, D J Hawkey Jr wrote:
>
> >OK, I believe it was mentioned already, but was rather glossed over:
> >
> >For any one "snapshot", be it a major.minor-RELEASE, or -RELEASE-pN,
> >have you - or anyone - any idea just how many snapshots would be required?
>
> One.
>
> >Some systems are IDE/ATAPI, others are SCSI, some are both, and some are
> >RAID. You want a snapshot kernel supporting all that, if yours is just
> >an internet gateway? What're the possible permutations of supported DASD?
>
> I'm afraid I don't understand. What are you talking about?
>
> >What are the possible permutations of NICs?
> >
> >What of optimizations for particular CPUs?
> >
> >So, how many kernels should be "snapshot"d? And who's to make that call?
>
> You obviously misunderstand what we've been referring to when we use
> the word "snapshot." A "snapshot," in this context, is a build of FreeBSD
> from a particular day's sources.

No, I think I do understand. Would not that "snapshot" include the kernel?
If so, what would you like that kernel to be configured as when the snapshot
is taken? Do you think it'd be the same requirements as that of the majority
of others? Even a large minority? How about a small majority?

The kernel notwithstanding, what about CPU capabilities? What if the OS was
built with code that uses SSE, but your CPU doesn't support SSE? This
pro'lly isn't a reality [right now], but you get my drift, don't you?

Would you really want an OS built for the lowest common denominator as the
one you install on your production servers, much less your desktop?

> --Brett

Dave

--
D. J. Hawkey Jr.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Thu Apr 18 19:26:58 2002
From: Jason Stone
Date: Thu, 18 Apr 2002 19:25:20 -0700 (PDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418191804.I50980-100000@walter>
In-Reply-To: <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org>

> >For any one "snapshot", be it a major.minor-RELEASE, or -RELEASE-pN,
> >have you - or anyone - any idea just how many snapshots would be required?
>
> One.
>
> >Some systems are IDE/ATAPI, others are SCSI, some are both, and some are
> >RAID. You want a snapshot kernel supporting all that, if yours is just
> >an internet gateway? What're the possible permutations of supported DASD?
>
> I'm afraid I don't understand. What are you talking about?

I think that the implication is that no one ever uses a "snapshot" because
everyone always compiles their own custom kernel, because GENERIC is never
appropriate for a production system. Whether or not you agree is for you
to decide.

Can this discussion stop taking place on this list?
While you may or may not agree that this aspect of release engineering
needs fixing, I hope that you will agree that this is only tangentially a
security issue, and that cluttering a list which people count on to be
mostly brief clarifications of important and immediate security issues is
undesirable.

Maybe take it to -hackers? Or create a new -relng list?

-Jason

-----------------------------------------------------------------------
I worry about my child and the Internet all the time, even though she's
too young to have logged on yet. Here's what I worry about. I worry that
10 or 15 years from now, she will come to me and say "Daddy, where were
you when they took freedom of the press away from the Internet?"
-- Mike Godwin

From owner-freebsd-security Thu Apr 18 19:47:22 2002
From: Brett Glass
Date: Thu, 18 Apr 2002 20:30:56 -0600
To: Ken McGlothlen
Cc: security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-Id: <4.3.2.7.2.20020418202335.0229b540@nospam.lariat.org>
In-Reply-To: <878z7k4oz9.fsf@ralf.artlogix.com>
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.

At 04:32 PM 4/18/2002, Ken McGlothlen wrote:

>C'mon, Brett, these last two objections are really stretching things.

I don't think so. They're real pitfalls for administrators.

As I've mentioned in other messages, what I think we need is the
equivalent of the Japanese FreeBSD X.Y-RELEASE-pZ builds, on the main FTP
server and on the mirrors, ready for installation both by new users and by
admins looking to do a sure, safe upgrade. Having a local build server is
a nice idea, especially if you're a large shop, but doesn't get newcomers
a safe version to install (important; if they're hacked they'll sour on
FreeBSD) or give an admin a build to which she can just upgrade quickly and
know that the latest holes are closed.

--Brett

From owner-freebsd-security Thu Apr 18 19:47:23 2002
From: Brett Glass
Date: Thu, 18 Apr 2002 20:33:12 -0600
To: hawkeyd@visi.com
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-Id: <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org>
In-Reply-To: <20020418212445.A1577@sheol.localdomain>
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.

At 08:24 PM 4/18/2002, D J Hawkey Jr wrote:

>> You obviously misunderstand what we've been referring to when we use
>> the word "snapshot." A "snapshot," in this context, is a build of FreeBSD
>> from a particular day's sources.
>
>No, I think I do understand. Would not that "snapshot" include the kernel?
>If so, what would you like that kernel to be configured as when the snapshot
>is taken?

GENERIC.

>Would you really want an OS built for the lowest common denominator as the
>one you install on your production servers, much less your desktop?

Sure, to start with. And then I customize it. If my kernel config files are
preserved through the update, I can do that very quickly.

--Brett

From owner-freebsd-security Thu Apr 18 20:06:51 2002
From: D J Hawkey Jr
Date: Thu, 18 Apr 2002 22:06:42 -0500
To: Brett Glass
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020418220642.A1647@sheol.localdomain>
In-Reply-To: <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org>
Reply-To: hawkeyd@visi.com

This'll be my last post in this thread, as Jason has a valid point in his
reply; this discussion doesn't really belong in this list.

On Apr 18, at 08:33 PM, Brett Glass wrote:
>
> At 08:24 PM 4/18/2002, D J Hawkey Jr wrote:
>
> >> You obviously misunderstand what we've been referring to when we use
> >> the word "snapshot." A "snapshot," in this context, is a build of FreeBSD
> >> from a particular day's sources.
> >
> >No, I think I do understand. Would not that "snapshot" include the kernel?
> >If so, what would you like that kernel to be configured as when the snapshot
> >is taken?
>
> GENERIC.

Wouldn't cut it for some of the boxes I am or have been responsible for.
It'd boot and run, mostly, but it wouldn't "communicate".

> >Would you really want an OS built for the lowest common denominator as the
> >one you install on your production servers, much less your desktop?
>
> Sure, to start with. And then I customize it. If my kernel config files are
> preserved through the update, I can do that very quickly.

Excepting servers that can't connect to a "master box" via NFS (as has been
detailed), you can't possibly build and install a kernel inside of the ten
to twenty (max?) minutes of downtime to install an already-built kernel from
that NFS server "master". Even were it so, you'd end up with a tuned kernel
running against its lowest common denominator OS; that's acceptable to you?
Not for me, nope.

In my mind, it boils down to this: If you value FreeBSD enough to employ it,
is it such a stretch to have a "master" on the network to accommodate
FreeBSD's update/upgrade methodologies? My "master" just happens to be my
workstation; no additional costs incurred.

In closing, it seems to me you've got to consider the entire population
more, and your own conveniences a little less. Completely unfashionable
since, oh, the middle 80's or so, but it's the coda to much, isn't it?

> --Brett

Dave

--
D. J. Hawkey Jr.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Thu Apr 18 20:20:44 2002
Delivered-To: freebsd-security@freebsd.org
Received: from lariat.org (lariat.org [12.23.109.2]) by hub.freebsd.org (Postfix) with ESMTP id 4BFAD37B42A for ; Thu, 18 Apr 2002 20:20:23 -0700 (PDT)
Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [12.23.109.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA26436; Thu, 18 Apr 2002 21:20:15 -0600 (MDT)
X-message-flag: Warning! Use of Microsoft Outlook may make your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20020418211757.022614d0@nospam.lariat.org> X-Sender: brett@nospam.lariat.org X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 18 Apr 2002 21:20:08 -0600 To: hawkeyd@visi.com From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Cc: freebsd-security@freebsd.org In-Reply-To: <20020418220642.A1647@sheol.localdomain> References: <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org> <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org> <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net> <20020418182218.GA35672_peitho.fxp.org@ns.sol.net> <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net> <200204190149.g3J1nOb01496@sheol.localdomain> <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org> <20020418212445.A1577@sheol.localdomain> <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:06 PM 4/18/2002, D J Hawkey Jr wrote: >> GENERIC. > >Wouldn't cut it for some of the boxes I am or have been responsible for. >It'd boot and run, mostly, but it wouldn't "communicate". And at that point you'd quickly rebuild the kernel. >Excepting servers that can't connect to a "master box" via NFS (as has been >detailed), you can't possibly build and install a kernel inside of the ten >to twenty (max?) minutes of downtime to install an already-built kernel from >that NFS server "master". If you've got that many to do, it *is* better to create a build server. >Even were it so, you'd end up with a tuned kernel running against it's >lowest common denominator OS; that's acceptable to you? Again, you're not making sense. It wouldn't be the "lowest common denominator OS;" it'd be THE latest version of the OS. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 0:39:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from ralf.artlogix.com (sense-mcglk-240.oz.net [216.39.168.240]) by hub.freebsd.org (Postfix) with ESMTP id 7406A37B41A for ; Fri, 19 Apr 2002 00:39:38 -0700 (PDT) Received: by ralf.artlogix.com (Postfix, from userid 1000) id B37281B9C9F; Fri, 19 Apr 2002 00:43:17 -0700 (PDT) To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip References: <4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020417230144.032ad390@nospam.lariat.org> <200204171923.g3HJNga58899@freefall.freebsd.org> <4.3.2.7.2.20020418095356.024354c0@nospam.lariat.org> <4.3.2.7.2.20020418143615.021a8460@nospam.lariat.org> <4.3.2.7.2.20020418202335.0229b540@nospam.lariat.org> From: Ken McGlothlen Date: 19 Apr 2002 00:43:17 -0700 In-Reply-To: <4.3.2.7.2.20020418202335.0229b540@nospam.lariat.org> Message-ID: <87ads016cq.fsf@ralf.artlogix.com> Lines: 101 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass writes: | I don't think so. They're real pitfalls for administrators. No, they're not. Most administrators don't modify stuff in /usr/src, and if they do, most of them understand that they're on their own when they do this. And if you want to modify the operating system (i.e., upgrade), you've got to drop SECURELEVEL, in the classic can't-have-your-cake-and-eat-it-too dilemma. I'm going to treat those as specious whines, and go back to the basic problem. 
You want to be able to roll out security patches, as I understand it, without doing buildworld/installworld/buildkernel/installkernel. Yes? Y'know, even Solaris didn't have this until the last few years. I admit it: in doing autoupdating, FreeBSD is a little behind the commercial curve. Which isn't surprising, given its lack of funding. Okay, so if I were administrating 1000 FreeBSD machines, and having to keep them up to date, how would I do it? I guess what I'd do is keep a reference machine around for starters. No matter what, I'd want a reference machine tracking -STABLE, so that if I was hit with a DoS attack that was already fixed in the sources, I would at least have access to the source code. The next thing I'd have to ask is how important it was that they were *all* running the same operating system. If it was critical to the mission, what I'd probably do is set up a rolling update system. I wouldn't use very many kernel configuration files; instead of individualizing them too much, I'd probably name them MAIL, WEB, or after whatever function they were fulfilling. Do the buildworld and the first kernel, and roll it out to, say, ten vanguard boxes by executing a command from the reference machine to tell the vanguard boxes (I can think of several ways to do this off the top of my head) to go to single-user mode and start the installworld and installkernel. When they reboot, they let the next batch know (say, 50 machines) that it's time for them to update. The vanguard machines would then serve as the second wave's reference machines (five apiece), which would then do the installworld, and then refer to the reference box for installkernel. And so on, until all the machines were updated within the day. Rolling blackouts, as it were, but wouldn't cut services entirely. Of course, I'd have to put it together myself. And if it was sufficiently clean and well-written, I might share it with the community. Might even become a nice general-usage tool. 
Of course, to me, that's sort of what sysadmins *do*. I don't see this as a weakness of the operating system per se; it's just that there's no tool that's going to help me run my particular shop quite as effectively as I'd like, because I'm the guy who knows what the requirements are for the shop, and I know how everything's put together. For example, on a server farm like the one I've been talking about, you might not even want to bother taking things down to single-user mode. Sure, it's safer that way, but when I know I'm the only user on a system, the only one with a password, I might want to take a shortcut. Again, test it on the reference box first, but if I felt it was safe enough. . . . On the other hand, if everything absolutely, positively had to be done NOW, with as little impact as possible, I'd have redundant boxes all over the place, doing distributed functions, so taking down a bunch of them would slow things down, but not make services completely unavailable. It goes without saying that downtime should be announced in advance. Take a different BSD operating system: Mac OS X. The System Update tool is quite nice. But the system still has to get bounced once in a while, and you still have to go from box to box updating the system. Last I checked, that was true of Solaris, too. I guess I look at it like this: There's an inherent tradeoff between flexibility and convenience, and another one between work and spending. I like the flexibility, and I like saving money, so I use FreeBSD. If convenience and not having as much work to do is more valuable to you, then Solaris or something like it is probably a better solution. I admit that FreeBSD (or Linux, or OpenBSD or NetBSD or HP/UX or AIX or whatever) isn't for everybody. Each shop's requirements has a hand in tipping the balance towards what OS is a preferable solution. If security and source auditing is your number one concern, then use OpenBSD, for heaven's sakes. 
If you want your operating system manufacturer to keep your systems updated for you conveniently and easily, then use Solaris or something like that. If you have a boss with a penguin fetish, then Linux may be what you want. No OS is going to be the end-all and be-all of the entire population. I think the FreeBSD core team knows that. I'm an agnostic on the issue of which is "best"---I just have a strong preference for FreeBSD, because of my *own* requirements. There are things I'd like to change about FreeBSD, and when I have the time, I might try to help change those things, or when I win the lottery, I might pay someone to help change those things. But I accept the limitations of a volunteer project: they don't have the manpower or monetary resources to do what Sun or Microsoft or IBM does. The FreeBSD core team is *dwarfed* by the number of paid full-time Solaris team developers, and I'm not even going to go *into* how many people Microsoft or IBM has banging away on their respective OSes on respectable salaries. FreeBSD might not be for your shop. It's okay. We can take it. But whinging that it's not Solaris is only going to wear at the hardworking and competent volunteers that have made FreeBSD as excellent as it is. The cardinal rule is, don't fix it if it ain't broke, but closely following *that* rule is this one: If you think it is, fix it. Do something to contribute---after all, none of us are getting paid to work on FreeBSD (with a very few notable exceptions, and nobody full-time to my knowledge). 
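As an added example (not code from the thread, Ken, or the FreeBSD project), here is a small POSIX sh planner for the cascading rollout Ken sketches: one reference box, a vanguard that installs straight from it, and each finished box then serving installworld to a fixed number of boxes in the next wave, with installkernel always taken from the reference box. It generalises the post's 10-then-50 figures to any number of waves; the inventory, role names, vanguard size and boxes-per-server are constructed assumptions.

```shell
#!/bin/sh
# Offline rollout planner for a staged ("rolling") world/kernel update.
# Added example; host names and roles below are constructed, not real hosts.

# Constructed inventory, one "host role" pair per line. The role doubles as
# the kernel config name (MAIL, WEB, ...), as the post suggests.
HOSTS='ref0 reference
mail01 MAIL
mail02 MAIL
web01 WEB
web02 WEB
web03 WEB
web04 WEB
web05 WEB
web06 WEB
web07 WEB'

VANGUARD_SIZE=2   # boxes updated first, directly from the reference box
PER_SERVER=3      # boxes each finished box serves in the following wave

# reference_host: the box that builds world and kernels (assumed unique).
reference_host() {
    printf '%s\n' "$HOSTS" | awk '$2 == "reference" { print $1; exit }'
}

# plan_rollout prints one line per non-reference host:
#   host kernconf wave installworld_source
# Wave 1 is the vanguard (installworld from the reference box); every later
# wave is served round-robin, PER_SERVER apiece, by the previous wave.
plan_rollout() {
    printf '%s\n' "$HOSTS" | awk -v vsize="$VANGUARD_SIZE" -v per="$PER_SERVER" '
        $2 == "reference" { ref = $1; next }
        NF == 2           { n++; host[n] = $1; role[n] = $2 }
        END {
            if (ref == "") { print "no reference host in inventory" > "/dev/stderr"; exit 1 }
            nv = (n < vsize) ? n : vsize
            for (i = 1; i <= nv; i++)
                printf "%s %s 1 %s\n", host[i], role[i], ref
            wave = 1; start = 1; size = nv; i = nv + 1
            while (i <= n) {
                wave++
                prev_start = start; prev_size = size
                start = i; size = 0
                # each previous-wave box takes up to "per" boxes of this wave
                for (j = 0; j < prev_size * per && i <= n; j++) {
                    printf "%s %s %d %s\n", host[i], role[i], wave, host[prev_start + int(j / per)]
                    i++; size++
                }
            }
        }'
}

# serving_host HOST: which box HOST pulls installworld from.
serving_host() {
    plan_rollout | awk -v h="$1" '$1 == h { print $4 }'
}

# wave_of HOST: the wave HOST is scheduled in.
wave_of() {
    plan_rollout | awk -v h="$1" '$1 == h { print $3 }'
}

# plan_size: number of boxes scheduled (every non-reference host).
plan_size() {
    plan_rollout | awk 'END { print NR }'
}

# steps_for HOST: the order of operations for one box, in the sequence the
# post describes: single-user, installworld from its server, installkernel
# (with its role's KERNCONF) from the reference box, reboot.
steps_for() {
    src=$(serving_host "$1")
    kc=$(plan_rollout | awk -v h="$1" '$1 == h { print $2 }')
    printf '%s: single-user; installworld from %s; installkernel KERNCONF=%s from %s; reboot\n' \
        "$1" "$src" "$kc" "$(reference_host)"
}

plan_rollout
```

Running the script prints the schedule; `steps_for web07` shows that a third-wave box takes world from a second-wave box but its kernel from the reference machine.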
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 0:43:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from ralf.artlogix.com (sense-mcglk-240.oz.net [216.39.168.240]) by hub.freebsd.org (Postfix) with ESMTP id 4F7DD37B41A for ; Fri, 19 Apr 2002 00:43:08 -0700 (PDT) Received: by ralf.artlogix.com (Postfix, from userid 1000) id 896351B9C9F; Fri, 19 Apr 2002 00:46:47 -0700 (PDT) To: Brett Glass Cc: hawkeyd@visi.com, freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip References: <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org> <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net> <20020418182218.GA35672_peitho.fxp.org@ns.sol.net> <4.3.2.7.2.20020418141843.021d1540_nospam.lariat.org@ns.sol.net> <200204190149.g3J1nOb01496@sheol.localdomain> <4.3.2.7.2.20020418200936.023fedd0@nospam.lariat.org> <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org> From: Ken McGlothlen Date: 19 Apr 2002 00:46:47 -0700 In-Reply-To: <4.3.2.7.2.20020418203122.0218e970@nospam.lariat.org> Message-ID: <87sn5syvtk.fsf@ralf.artlogix.com> Lines: 9 User-Agent: Gnus/5.0808 (Gnus v5.8.8) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass writes: | Sure, to start with. And then I customize it. If my kernel config files are | preserved through the update, I can do that very quickly. Kernel config files have been preserved through the update since FreeBSD 3.x. They're in /sys/i386/conf. GENERIC gets stomped on, as does LINT, but everything else is preserved. And if you're feeling paranoid about it (which I tend to be), there's always the floppy drive or some other backup mechanism. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 4: 2:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mirage.nlink.com.br (mirage.nlink.com.br [200.249.195.3]) by hub.freebsd.org (Postfix) with SMTP id D0FE837B41D for ; Fri, 19 Apr 2002 04:02:30 -0700 (PDT) Received: (qmail 35363 invoked from network); 19 Apr 2002 11:02:26 -0000 Received: from ear.nlink.com.br (HELO ear.com.br) (200.249.196.67) by mirage.nlink.com.br with SMTP; 19 Apr 2002 11:02:26 -0000 Received: from EARMDPA01/SpoolDir by ear.com.br (Mercury 1.48); 19 Apr 02 08:05:54 GMT-3 Received: from SpoolDir by EARMDPA01 (Mercury 1.48); 19 Apr 02 08:04:44 GMT-3 From: "Mario Lobo" Organization: American School of Recife - Brazil To: security@FreeBSD.ORG Date: Fri, 19 Apr 2002 08:04:01 -0300 MIME-Version: 1.0 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Reply-To: mlobo@ear.com.br Message-ID: <3CBFCF67.3119.3C78042@localhost> In-reply-to: <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org> References: <20020418181744.45846.qmail@web14201.mail.yahoo.com> X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: Quoted-printable Content-description: Mail message body Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I=B4ve been following this thread since it started and this is the DEFINIT= E exposition of the problem that Brett has been trying to show since the beginning. To anyone that that thinks there is not really an issue here, t= he last paragraph applies. Brett, you next step (if there is any next step) is to use apples and oran= ges!! Mario Lobo > Acutally, it doesn't. And it really hurts evangelism and new > adopters of FreeBSD. 
> > For example, here's a rough transcript of a conversation I recently > had with an admin who wanted to put up a FreeBSD server. > > Prospective user: FreeBSD sounds neat. How do I install it? > > Me: Well, it's really easy. You just put in the first install floppy, > boot the system, insert the second floppy when asked, and away you > go. You can get the release floppies at ftp://www.freebsd.org/. > > Prospective user: But I've heard that there were some security holes > and bugs discovered since then. How do I install a version with those > problems fixed? > > [What I'd like to say: Oh, that's simple. In the same directory > you'll see 4.5-RELEASE, 4.5-RELEASE-p1, 4.5-RELEASE-p2, et > cetera. Just get the floppies for the most recent one, and it > will have all the critical fixes. > > What I'd like to hear the prospective user say: This is great! > I'm glad that FreeBSD lives up to its reputation for being > easy to install.] > > What I have to say now: That's not so simple. First, you have > to install the last ful release, bugs and all. Then, you have > to use CVSup... > > Prospective user: What's that? > > Me: Well, it updates your source tree to include the latest fixes. > > Prospective user: Source tree? I'm not ready to play with the > source; I'm not familiar with the system yet, and I don't know > what this CVSup thing is. > > Me: Unfortunately, there's no other way to do it. You have to > get the latest source, using the tag RELENG_4_5, and then > do a "make world." > > Prospective user: What's a tag? How do I use it? And what's a > "make world?" And how do you find out the name "RELENG_4_5" > if you don't know it already? > > Me: Do you have about half an hour? I can teach you the basics > of CVSup.... > > Prospective user: Naah, never mind. This is more complicated than > I thought, and it's a lot more complicated than installing > Red Hat and installing the latest RPMs to fix the bugs. 
I just > wanted to download a version of the OS that's secure, but I > don't have time to learn about all this stuff you're talking > about right this minute. I guess I'll stick with {Win2K/Linux}. > > (End of dialogue) > > As you can see from the above, FreeBSD doesn't have a simple answer > to a simple, reasonable question: "How can I *just install* FreeBSD > with all of the latest security fixes on a new machine, without > walking off of a conceptual cliff?" > > We need to address this. Not only would it help newcomers; it would > also help admins who just want to do a quick, no-hassle upgrade that > includes the latest security fixes. We should NOT say, "the heck with > them if they're not willing to learn all sorts of developer stuff on > the spot." That's pointless elitism. And we shouldn't make it > unreasonably hard for admins to update... or they might not do it. > And then, when their systems are broken into, FreeBSD's reputation > as a secure OS suffers. > > --Brett Glass > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 5: 9:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from figg.isecure.com.au (ns2.isecure.com.au [202.125.4.72]) by hub.freebsd.org (Postfix) with ESMTP id E623F37B416 for ; Fri, 19 Apr 2002 05:08:57 -0700 (PDT) Received: from iron.isentry.net.au (iron.isecure.com.au [202.125.4.94] (may be forged)) by figg.isecure.com.au (8.11.3/8.11.3) with ESMTP id g3JC8uL01268 for ; Fri, 19 Apr 2002 22:08:56 +1000 Received: (from smap@localhost) by iron.isentry.net.au (8.11.2/8.10.2) id g3JC8tw14047 for ; Fri, 19 Apr 2002 22:08:55 +1000 (EST) X-Authentication-Warning: iron.isentry.net.au: smap set sender to using -f Received: from nodnsquery(10.11.3.10) by iron via smap (V5.5) id xma014039; Fri, 19 Apr 02 22:08:49 +1000 Received: from vmail.aipo.gov.au (localhost [127.0.0.1]) by gibbons.isecure.com.au (8.11.3/8.10.2) with ESMTP id 
g3JC8nT25492 for ; Fri, 19 Apr 2002 22:08:49 +1000 Received: from stan.aipo.gov.au (wf-105.aipo.gov.au [192.168.1.105]) by vmail.aipo.gov.au (8.11.6/8.11.6) with ESMTP id g3JC8li25983 for ; Fri, 19 Apr 2002 22:08:48 +1000 (EST) (envelope-from anwsmh@IPAustralia.Gov.AU) Received: (from anwsmh@localhost) by stan.aipo.gov.au (8.11.6/8.11.6) id g3JC8mk00435 for security@FreeBSD.ORG; Fri, 19 Apr 2002 22:08:48 +1000 (EST) (envelope-from anwsmh@IPAustralia.Gov.AU) X-Authentication-Warning: stan.aipo.gov.au: anwsmh set sender to anwsmh@IPAustralia.Gov.AU using -f Date: Fri, 19 Apr 2002 22:08:48 +1000 From: Stanley Hopcroft To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <20020419220844.D190@IPAustralia.Gov.AU> References: <20020418181744.45846.qmail@web14201.mail.yahoo.com> <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org> <3CBFCF67.3119.3C78042@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3CBFCF67.3119.3C78042@localhost>; from Mlobo@ear.com.br on Fri, Apr 19, 2002 at 08:04:01AM -0300 Content-Transfer-Encoding: quoted-printable X-MIME-Autoconverted: from 8bit to quoted-printable by gibbons.isecure.com.au id g3JC8nT25492 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dear Ladies and Gentlemen, I am writing to say that this has been an admirable thread and sum up by saying that it's unlikely the FreeBSD upgrade system is likely to satisfy the characters depicted below. However, they may be better off with other operating systems. Is this argument really anything more than OS Y does X better ? 
Granted that the upgrade system could be improved, I think that this is an opportunity for others to step forward, since the projects resources probably don't give it the priority the plaintiffs think it needs. I think the project delivers well in areas such as=20 . stability . applications . device support . performance . security These are more important to me than the upgrade path (which meets my relatively low tech needs). Surely not many are as impressed by upgradability - pain in anyones language - as features. BTW, it seems to me that the skills required to safely upgrade any OS are not coding skills and are unlikely to be found among casual computer users. I am neither coder nor sys admin, yet the use of CVS and friends, once I bit the bullet, wasn't all that daunting. Would it be as hard as learning UML, J2EE, writing a parser ? I don't think so. On Fri, Apr 19, 2002 at 08:04:01AM -0300, Mario Lobo wrote: > I=B4ve been following this thread since it started and this is the DEFI= NITE=20 > exposition of the problem that Brett has been trying to show since the=20 > beginning. To anyone that that thinks there is not really an issue here= , the=20 > last paragraph applies. >=20 > Brett, you next step (if there is any next step) is to use apples and o= ranges!! >=20 > Mario Lobo >=20 > >=20 > > We need to address this. Not only would it help newcomers; it would > > also help admins who just want to do a quick, no-hassle upgrade that > > includes the latest security fixes. We should NOT say, "the heck with= =20 > > them if they're not willing to learn all sorts of developer stuff on=20 > > the spot." That's pointless elitism. And we shouldn't make it > > unreasonably hard for admins to update... or they might not do it. > > And then, when their systems are broken into, FreeBSD's reputation=20 > > as a secure OS suffers. Thank you, Yours sincerely. 
--=20 ------------------------------------------------------------------------ Stanley Hopcroft Network Specialist ------------------------------------------------------------------------ '...No man is an island, entire of itself; every man is a piece of the continent, a part of the main. If a clod be washed away by the sea, Europe is the less, as well as if a promontory were, as well as if a manor of thy friend's or of thine own were. Any man's death diminishes me, because I am involved in mankind; and therefore never send to know for whom the bell tolls; it tolls for thee...' from Meditation 17, J Donne. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 7:37:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailhost.unt.edu (mailhost.unt.edu [129.120.209.40]) by hub.freebsd.org (Postfix) with ESMTP id 421DB37B419 for ; Fri, 19 Apr 2002 07:37:08 -0700 (PDT) Received: from unt.edu (slink.unt.edu [129.120.32.80]) by mailhost.unt.edu (8.11.4/8.11.4) with ESMTP id g3JEawR24298 for ; Fri, 19 Apr 2002 09:36:58 -0500 (CDT) Message-ID: <3CC02BB3.1030209@unt.edu> Date: Fri, 19 Apr 2002 09:37:39 -0500 From: Curry Searle Reply-To: searle@unt.edu User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.9) Gecko/20020311 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Older releases? 
was Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip References: <20020418181744.45846.qmail@web14201.mail.yahoo.com> <4.3.2.7.2.20020418135706.02192c60@nospam.lariat.org> <3CBFCF67.3119.3C78042@localhost> <20020419220844.D190@IPAustralia.Gov.AU> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The patch described in the advisory talks about 4.5-RELEASE. I'm running two systems on 4.3-RELEASE-p28; I am guessing they are vulnerable. If so, what steps do I follow to patch the system? Upgrading is not an option since the fxp (QLogic fibre-channel HAB) driver is very flaky since 4.4 and above. The patches seem to make relavent changes; I just want to be sure. Thanks! -- ____________________________________________________ Curry Searle | Postmaster searle@unt.edu | Unix Hosts www.cas.unt.edu/~searle | Xiotech Support College of Arts & Sciences | Win32 Desktop & Server Computer Support Services | Network HW & Protocols To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 7:54:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (f225.law11.hotmail.com [64.4.17.225]) by hub.freebsd.org (Postfix) with ESMTP id 2D2CA37B416 for ; Fri, 19 Apr 2002 07:54:53 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Fri, 19 Apr 2002 07:54:52 -0700 Received: from 152.163.190.1 by lw11fd.law11.hotmail.msn.com with HTTP; Fri, 19 Apr 2002 14:54:52 GMT X-Originating-IP: [152.163.190.1] From: "_ _" To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Date: Fri, 19 Apr 2002 14:54:52 +0000 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: 
X-OriginalArrivalTime: 19 Apr 2002 14:54:52.0923 (UTC) FILETIME=[297B5CB0:01C1E7B2] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org brett glass writes: >Sure, to start with. And then I customize it. If my kernel config >files are preserved through the update, I can do that very quickly. i thought you were trying to avoid rebuilding the kernel??? if your gonna build the kernel, just build world also! and use a dedicated build server like other's have suggested. he's aboviously changing his questions every other post just to get people on this list riled up(mission accomplished.) as other people have noted, he does this frequently, so let's just stop this thread and get back to security. please! _________________________________________________________________ Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 7:59:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by hub.freebsd.org (Postfix) with ESMTP id 7EA4137B404; Fri, 19 Apr 2002 07:59:16 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id A74375005; Fri, 19 Apr 2002 09:59:15 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g3JExEh08010; Fri, 19 Apr 2002 09:59:14 -0500 (CDT) (envelope-from hawkeyd) Date: Fri, 19 Apr 2002 09:59:14 -0500 (CDT) Message-Id: <200204191459.g3JExEh08010@sheol.localdomain> Mime-Version: 1.0 X-Newsreader: knews 1.0b.1 Reply-To: hawkeyd@visi.com Organization: if (!FIFO) if (!LIFO) break; References: <20020419220844.D190_IPAustralia.Gov.AU@ns.sol.net> 
<3CC02BB3.1030209_unt.edu@ns.sol.net> In-Reply-To: <3CC02BB3.1030209_unt.edu@ns.sol.net> From: hawkeyd@visi.com (D J Hawkey Jr) Subject: Re: Older releases? was Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip X-Original-Newsgroups: sol.lists.freebsd.security To: searle@unt.edu, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Terribly sorry for this cross-post, but it seems relevant, if not appropriate, this time. In article <3CC02BB3.1030209_unt.edu@ns.sol.net>, searle@unt.edu writes: > The patch described in the advisory talks about 4.5-RELEASE. > I'm running two systems on 4.3-RELEASE-p28; I am guessing they are > vulnerable. If so, what steps do I follow to patch the system? > > Upgrading is not an option since the fxp (QLogic fibre-channel HAB) > driver is very flaky since 4.4 and above. > > The patches seem to make relavent changes; I just want to be sure. I was going to ask the same thing today, to try to provide backported patches. I assume you're writing of source patches, not binary patches? Let's stay in contact with one another on this. If 4.4 and earlier are vulnerable and patchable (that is, no make world required), I'll create patchfiles and make them available. It may take me a day or two, though. Developers: Userland is affected here - /usr/lib/libz. Would a "make && make install" (sic) in /usr/src/lib/libz before building the kernel suffice for a solid upgrade? > Thanks! Ditto, Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Apr 19 8: 8:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id D83B437B41B for ; Fri, 19 Apr 2002 08:08:48 -0700 (PDT) Received: (qmail 79258 invoked by uid 1000); 19 Apr 2002 15:09:09 -0000 Date: Fri, 19 Apr 2002 17:09:09 +0200 From: "Karsten W. Rohrbach" To: Doug Barton Cc: Brett Glass , security@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip Message-ID: <20020419170909.F78386@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Doug Barton , Brett Glass , security@FreeBSD.org References: <4.3.2.7.2.20020418143231.021d6840@nospam.lariat.org> <20020418180158.D8772-100000@zoot.corp.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="s5/bjXLgkIwAv6Hi" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020418180158.D8772-100000@zoot.corp.yahoo.com>; from DougB@FreeBSD.org on Thu, Apr 18, 2002 at 06:07:54PM -0700 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer X-Work-URL: http://www.ngenn.net/ X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany X-Work-Phone: +49-6081-682-304 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --s5/bjXLgkIwAv6Hi Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Doug Barton(DougB@FreeBSD.org)@2002.04.18 18:07:54 +0000: > The typical FreeBSD answer is, "Since YOU think it's a problem, > why don't YOU work to solve it?" 
> However, since to my knowledge your
> record of never actually contributing a line of code to the project
> remains unblemished, I know you don't like that answer very much.

doug, the "lines of code" argument does not apply to people supplying ideas, or experience from operations. take me for example, i am not much of a c coder, so i see it as a contribution to the world _not_ to put my sources out, them being pretty crappy and likely to screw up things badly. OTOH, i answer questions on the mailing lists and contribute my ideas to the community, all originating from my work experience with freebsd and other systems, you get the point.

> I also think that the new RELENG_N_N idea is a good one, and it
> may do your heart good to know that I took your point about not being able
> to easily ascertain how many patches have been applied to a particular
> point in that branch up with the release engineers just now. I agree that
> it's valid, and should be easy to fix with newvers.sh, if it's not already
> fixed (I haven't been following developments on that stuff too closely).

how about including the tag of the last applied patches' corresponding security advisory for the RELENG_4_? what i did in my internal releases was including a date tag relating to a local changelog (including cvsup dates, local changes, and so on). this additionally gives a compile-time independent timestamp for the release.

or, how about the "official" patch naming? "4.5-STABLE-p3" and the like?

just a few ideas...

regards,
/k

--
> "Afghanistan proved that expensive precision weapons save innocent lives,
> and we need more of them." -- George W.
> Bush, 2002 State of the Union Address

KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Fri Apr 19 08:29:41 2002
Message-Id: <4.3.2.7.2.20020419090903.023f0590@nospam.lariat.org>
Date: Fri, 19 Apr 2002 09:29:13 -0600
To: Doug Barton
From: Brett Glass
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Cc: security@FreeBSD.org
In-Reply-To: <20020418180158.D8772-100000@zoot.corp.yahoo.com>

At 07:07 PM 4/18/2002, Doug Barton wrote:

> I think everyone agrees that you have problems Brett.

Being insulting doesn't further the discussion.

>> It's not a "favorite hobby horse" but rather a longstanding issue.
>> Why not work to solve the problem?
>
> The typical FreeBSD answer is, "Since YOU think it's a problem,
> why don't YOU work to solve it?"

I am -- by putting up with invectives such as the ones you've hurled at me in recent messages. Putting up a specific build on the FTP server and mirrors is not something I can physically do, but I can demonstrate the need and the benefits that will come from it. As with the "High" security option in the current FreeBSD install (which I was also flamed for suggesting on the lists. It's amazing how any new idea, good or bad, is answered with flames by some people).

> However, since to my knowledge your
> record of never actually contributing a line of code to the project
> remains unblemished,

I've actually had code in FreeBSD since 1995 or so. Mostly small stuff, and all contributed through others because I'm not a committer. But some of it is important.... Such as the recent changes to syslogd that allow automatic monitoring. (These were featured in my paper at the first Usenix BSDCon.)
> I also think that the new RELENG_N_N idea

I see; it's "the" new RELENG_N_N idea, not mine. Can't give me credit for anything, can you? ;-)

> is a good one, and it
> may do your heart good to know that I took your point about not being able
> to easily ascertain how many patches have been applied to a particular
> point in that branch up with the release engineers just now. I agree that
> it's valid, and should be easy to fix with newvers.sh, if it's not already
> fixed (I haven't been following developments on that stuff too closely).

It's a start. But we also need to make the security branch the one that new users get, by default, when they visit the FreeBSD Web site, get floppy images, and download via the Net. It would also be exceedingly useful to post -- prominently -- a patch that upgrades buyers of the last release on CD to the same build, and to display a message at the end of sysinstall directing users to the page where it's located. This way, every new install will be as secure as we currently know how to make it. This is not only good publicity; if you believe (as I do) that it's unethical to knowingly give someone an insecure version to install when a secure one is readily available, it's just good ethics. Other benefits, such as giving admins a version to which they can upgrade quickly, would also arise from this. It's a total win.
--Brett

From owner-freebsd-security Fri Apr 19 08:48:02 2002
Date: Fri, 19 Apr 2002 10:47:54 -0500
From: "Jacques A. Vidrine"
To: Curry Searle
Cc: freebsd-security@freebsd.org
Subject: Re: Older releases? was Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020419154754.GF31829@madman.nectar.cc>
In-Reply-To: <3CC02BB3.1030209@unt.edu>

On Fri, Apr 19, 2002 at 09:37:39AM -0500, Curry Searle wrote:

> The patch described in the advisory talks about 4.5-RELEASE.
> I'm running two systems on 4.3-RELEASE-p28; I am guessing they are
> vulnerable.
> If so, what steps do I follow to patch the system?

For this PARTICULAR advisory, the bug was introduced after 4.4-RELEASE, so there is no need for you to patch your system.

The answer for other issues in general is: You are officially on your own. The releases which are currently supported by the Security Officer are 4.4 and 4.5 (as always, the current release and the previous release).

> Upgrading is not an option since the fxp (QLogic fibre-channel HAB)
> driver is very flaky since 4.4 and above.

The `fxp' driver is not the `QLogic fibre-channel HAB' driver.

> The patches seem to make relevant changes; I just want to be sure.

You may certainly back port patches to 4.3. Maybe someone here will be generous and backport the fix, test it, and post it to the list.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Fri Apr 19 08:58:55 2002
Date: Fri, 19 Apr 2002 10:58:49 -0500
From: "Jacques A.
Vidrine"
To: Brett Glass
Cc: Doug Barton, security@FreeBSD.org
Subject: Brett rant #31459654
Message-ID: <20020419155849.GG31829@madman.nectar.cc>
In-Reply-To: <4.3.2.7.2.20020419090903.023f0590@nospam.lariat.org>

[Please change the Subject line; it has been long since the specific advisory was the topic of this thread.]

On Fri, Apr 19, 2002 at 09:29:13AM -0600, Brett Glass wrote:

> > I also think that the new RELENG_N_N idea
>
> I see; it's "the" new RELENG_N_N idea, not mine. Can't give me
> credit for anything, can you? ;-)

It is not new and it is not yours. We have been updating newvers.sh on the security branches for 8 months now (since 4.3-RELEASE-p12).

> But we also need to make the security branch the one that
> new users get, by default, when they visit the FreeBSD Web site, get
> floppy images, and download via the Net.

Finally, a reasonable suggestion. It has come up many times, but the issue is always the same: resources. Do you have some to contribute?

> It would also be exceedingly
> useful to post -- prominently -- a patch that upgrades buyers of the
> last release on CD to the same build, and to display a message at the end
> of sysinstall directing users to the page where it's located.

We have had experimental binary patches for some time now, and we're not ready quite yet to stop calling them `experimental'. When we do, you can be sure that we will announce it.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se

From owner-freebsd-security Fri Apr 19 09:02:40 2002
Date: Fri, 19 Apr 2002 11:02:31 -0500
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
Cc: searle@unt.edu, freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: Older releases? was Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020419160231.GI31829@madman.nectar.cc>
In-Reply-To: <200204191459.g3JExEh08010@sheol.localdomain>

On Fri, Apr 19, 2002 at 09:59:14AM -0500, D J Hawkey Jr wrote:

> Developers: Userland is affected here - /usr/lib/libz.
> Would a
> "make && make install" (sic) in /usr/src/lib/libz before building the
> kernel suffice for a solid upgrade?

No, the src/lib/libz is --- as you note --- for userland. It is not used by the kernel. Note that the patch includes updates to the kernel source as well.

Also note that `savecore' statically links libz, so it must be recompiled and reinstalled also. I don't believe there are any other programs in the base system that statically link libz.

Cheers,
--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Fri Apr 19 11:45:44 2002
Date: Fri, 19 Apr 2002 11:45:28 -0700 (PDT)
From: Doug Barton
To: "Karsten W.
Rohrbach"
Cc: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <20020419170909.F78386@mail.webmonster.de>
Message-ID: <20020419114336.E11273-100000@master.gorean.org>

On Fri, 19 Apr 2002, Karsten W. Rohrbach wrote:

> Doug Barton(DougB@FreeBSD.org)@2002.04.18 18:07:54 +0000:
> > The typical FreeBSD answer is, "Since YOU think it's a problem,
> > why don't YOU work to solve it?" However, since to my knowledge your
> > record of never actually contributing a line of code to the project
> > remains unblemished, I know you don't like that answer very much.
>
> doug, the "lines of code" argument does not apply to people supplying
> ideas, or experience from operations. take me for example, i am not much
> of a c coder, so i see it as a contribution to the world _not_ to put
> my sources out, them being pretty crappy and likely to screw up things
> badly. OTOH, i answer questions on the mailing lists and contribute my
> ideas to the community, all originating from my work experience with
> freebsd and other systems, you get the point.

Oh, I agree completely. The problem is, at the end of the day, this is a volunteer organization. If no one volunteers to make your idea a reality, you're pretty well stuck in do it yourself mode.... unless your idea of fun is to sit around and wait for the topic to come up and make a nuisance of yourself over and over again.

--
"We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory." - George W. Bush, President of the United States, State of the Union, January 28, 2002

Do YOU Yahoo!?
From owner-freebsd-security Fri Apr 19 11:48:20 2002
Date: Fri, 19 Apr 2002 11:48:15 -0700 (PDT)
From: Doug Barton
Reply-To: dev-null@FreeBSD.org
To: Brett Glass
Cc: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-Reply-To: <4.3.2.7.2.20020419090903.023f0590@nospam.lariat.org>
Message-ID: <20020419114532.P11273-100000@master.gorean.org>

On Fri, 19 Apr 2002, Brett Glass wrote:

> At 07:07 PM 4/18/2002, Doug Barton wrote:
>
> > I think everyone agrees that you have problems Brett.
>
> Being insulting doesn't further the discussion.

I was trying to inject a little humor into the situation.... thus the smiley which you seem to have deleted.
> >> It's not a "favorite hobby horse" but rather a longstanding issue.
> >> Why not work to solve the problem?
> >
> > The typical FreeBSD answer is, "Since YOU think it's a problem,
> > why don't YOU work to solve it?"
>
> I am -- by putting up with invectives such as the ones you've
> hurled at me in recent messages.

Ok, now I'm going to be insulting. You have officially sunk to a new low. "They're being mean to me, therefore I'm contributing to the project!"

(I knew I should not have contributed to this thread...)

--
"We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory." - George W. Bush, President of the United States, State of the Union, January 28, 2002

Do YOU Yahoo!?

From owner-freebsd-security Fri Apr 19 12:09:03 2002
Date: Fri, 19 Apr 2002 12:08:25 -0700
From: Greg Fortune
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
In-reply-to: <4.3.2.7.2.20020418202335.0229b540@nospam.lariat.org>
To: Brett Glass, Ken McGlothlen
Cc: security@freebsd.org
Message-id: <5.1.0.14.2.20020419101925.00ab2200@postoffice.pacbell.net>
At 08:30 PM 4/18/2002 -0600, Brett Glass wrote:

> Having a local build server is a nice idea, especially if you're
> a large shop, but doesn't get newcomers a safe version to install
> (important; if they're hacked they'll sour on FreeBSD) or give
> an admin a build to which she can just upgrade quickly and know
> that the latest holes are closed.
>
> --Brett

Brett,

I've been watching this thread quietly, as I am a "newcomer" to FreeBSD. However, your intimation that we'll run for the hills like children at the first sign of difficulty offends me.

First, anyone connected to the net who ever thinks that their box is ever "safe" needs a reality check. Pretty good assumption for a newcomer, eh? I came to FreeBSD because of its security and groups like this. If my site gets hacked, I'm not going to "sour" on FreeBSD, I'm going to take advantage of this group and all the other wonderful resources available to this community and figure out what I need to learn to do better.

Just because we're new to FreeBSD doesn't mean we're sheep. We all know where the sheep graze. Nobody ever told me that FreeBSD was easy. Nobody ever told me it was secure "out of the box". What I heard was that if I was willing to learn how to do it, FreeBSD has the potential to be one of the most powerful and secure operating systems out there.
I never thought that all the work was going to be done for me, or that the process would be easy of end. If technology was easy, sysadmins would get paid minimum wage and have to wear polyester uniforms and funny little hats.

Anyone who runs from an OS due to their own inability to learn how to properly configure/maintain it can go run Windows and contribute to Microsoft's ongoing track record for security and stability.

You sound like you know exactly what you want. Why not put it together? Hey, if you build it, it'll be done exactly the way you want it done, won't it? Don't let this opportunity pass you up! Here's your chance to have a piece of FreeBSD work perfectly for you! I'd code it, but my skills aren't up to snuff (yet) and I don't figure that any of these kind people should have to bear the burden of holding my hand. So I send my money to O'Reilly and I spend my time learning how to do new things. One of these days I will contribute to this body of work, but not until I've got the chops (I'd like to fix bugs, not introduce them ;-) ).

If you aren't careful, one of these days you'll be griping about the update mechanism I wrote, because I won't code it the way you want, I'll code it the way I want.

Life is wonderful when you just deal with what IS. I read this list to learn how to use the tools I currently have to do the best job I can, not to watch theory wars via email. If you don't like things the way they are, step up to the plate and do something about it. Otherwise, we all heard what you said, so please remain in the audience and take your seat.

Personally, my hat's off to the fine folks who post the security notices, analyze the bugs, write the code, debug the code, and maintain the source tree, all for a FREE OS! Without the people who actually do all the work that you're complaining about, you'd have to do all that work yourself (or "sour" on FreeBSD, as you put it). Try applying THAT across 1000 servers sometime.

-Greg

P.S.
If you really must respond to this, please email me directly. No need to clutter the group with more witty banter or high drama.

Greg Fortune
Megaton Technologies
megatontech@pacbell.net
------------------------------------------
"Those who say it can't be done should
get out of the way of those who are doing it."

From owner-freebsd-security Fri Apr 19 13:14:34 2002
Date: Fri, 19 Apr 2002 22:14:45 +0200
From: "Karsten W. Rohrbach"
To: Doug Barton
Cc: security@FreeBSD.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020419221445.B84400@mail.webmonster.de>
In-Reply-To: <20020419114336.E11273-100000@master.gorean.org>

Doug Barton(DougB@FreeBSD.org)@2002.04.19 11:45:28 +0000:

[...]
> > doug, the "lines of code" argument does not apply to people supplying
> > ideas, or experience from operations. take me for example, i am not much
> > of a c coder, so i see it as a contribution to the world _not_ to put
> > my sources out, them being pretty crappy and likely to screw up things
> > badly. OTOH, i answer questions on the mailing lists and contribute my
> > ideas to the community, all originating from my work experience with
> > freebsd and other systems, you get the point.
>
> Oh, I agree completely. The problem is, at the end of the day,
> this is a volunteer organization. If no one volunteers to make your idea a
> reality, you're pretty well stuck in do it yourself mode.... unless your
> idea of fun is to sit around and wait for the topic to come up and make a
> nuisance of yourself over and over again.

i just wanted to point out that not everyone in the community is a coder demigod, but a lot of people come up with good ideas. you're perfectly right with that statement above, because code simply doesn't write itself.

and, yes, in my spare time i am currently experiencing quite a steep learning curve in understanding netbsd's/freebsd's make system, and emacs, and some more minor fundamental things that have to do with "hard" code. i did my cs studies in darmstadt, quite some 10 years ago, and i do try very hard to acquire the knowledge to be able to play with the build system, as a first step. the code i write for stuff i need, on a daily basis, is mostly in python, just as a sidenote, so you hopefully understand my deficiencies in reading and writing C code or makefiles.

as it comes to committing code to the project, you already read my statement, on how i see my C proficiencies. i once made an apache module to drive netscape 3.x remote configuration and isp service registration. this was the only compiled language project in _years_ (and i was glad when it ran in production and we were finished with it).
another small tool is /usr/ports/sysutils/timelimit, by peter pentchev, where i hacked some docs and contributed some ideas, but i must admit that in this little program, my language knowledge increased quite a bit, but not sufficiently to modify os or userland code, or create new programs (in C).

i guess the comparison of your perspective as a proficient (i hope that's the right word) C coder to mine as a systems administrator is like you would sit down, read the handbook and translate it to a language you do not speak (for example thai), chapter by chapter. it's simply a steep learning curve keeping a lot of folks from being a guru, but that's not really a bad thing.

when it comes to personal experience to share with the community - i mean system administration questions, operations knowledge, etc. - you know that i always shared and will share that openly. i also provide a complete cvsup server in .de (which is not listed at the moment, btw.) because i think that this is one way to give something back to the community.

> Do YOU Yahoo!?

no, i google ;-)

regards,
/k
--
> Tragedy is when I cut my finger. Comedy is when you walk into an open
> sewer and die. --Mel Brooks
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
From: Roger Marquis
To: security@FreeBSD.ORG
Date: Fri, 19 Apr 2002 14:18:14 -0700 (PDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

Greg Fortune wrote:

>First, anyone connected to the net who ever thinks that their box is ever
>"safe" needs a reality check.

Please try to keep the invective down. This thread has not been about subjective measures of safety. All agree that applying large amounts of new code cannot be as safe as applying specific patches with a minimum of new code.

>Pretty good assumption for a newcomer, eh?

You're joking (and forgot the smiley) I hope.

>Just because we're new to FreeBSD doesn't mean we're sheep. We all know
>where the sheep graze. Nobody ever told me that FreeBSD was easy. Nobody
>ever told me it was secure "out of the box".
If you have something to say about CVSup or the current method of applying patches or labeling releases then do contribute. Until then we can all do without diatribes like Greg's.

There certainly are many ways to improve FreeBSD and we should not require the submission of code or money in exchange for the privilege of pointing them out. If I knew how to get a better patch system implemented into FreeBSD I would.

What this thread makes clear, however, is that it's not about submitting improvements, it's about legacy methodology. The current majority of -security subscribers seem to be happy with CVSup and buildworld and unhappy with the prospect of learning anything different. As a result we're stuck with the status quo. That and the resultant small market share which forces most of us to use and support other operating systems in order to earn a living.

If you want a better FreeBSD just copy Solaris' patch system wholesale. There's no need to reinvent the wheel. The real problem, however, is cultural. Exactly how do you submit a new patch system over the objections of legacy developers?
--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From: Doug Barton
To: "Karsten W. Rohrbach"
Cc: security@FreeBSD.org
Date: Fri, 19 Apr 2002 15:07:02 -0700 (PDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

On Fri, 19 Apr 2002, Karsten W. Rohrbach wrote:

> i just wanted to point out that not everyone in the community is a coder
> demigod, but a lot of people come up with good ideas. you're perfectly
> right with that statement above, because code simply doesn't write
> itself.

Personally, I fall cleanly into the non "coder demigod" camp. I'm functional in C, but I doubt that I'll ever attain the heights that many in the project have. But that never stopped me from contributing.
I contributed what skills I do have for a long time before I got a commit bit. Nowadays, I maintain some ports, clean up PR stuff when I can, twiddle /etc... submit mostly aesthetic 3 line patches to things I care about... basically, a lot of the piddly stuff that has to happen in order to keep things functional. I also keep threatening to write some documentation, but never seem to find the time.

My point is that whatever your level of experience, you CAN contribute to the project if you want to. Even if your only contribution is ideas for improvements that are based on your level of experience, because we need that too. I long ago forgot what it was like to be a new FreeBSD user, even though I still focus on interface design because it's something I have some skill/interest in.

What you(pl.) CAN'T do, is sit on the sidelines and lob grenades in periodically about how the project is not responsive to your needs. Both because that's not how things work, and because it's not true. We DO have a response. The response is, do it yourself and quit whining about it. :)

> and, yes, in my spare time i am currently experiencing quite a steep
> learning curve in understanding netbsd's/freebsd's make system, and
> emacs,

Eeekk.. stop learning emacs asap, before it corrupts your brain. :)

> > Do YOU Yahoo!?
>
> no, i google ;-)

That's cool, they are one of our partners. :)

--
"We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory."
- George W. Bush, President of the United States
State of the Union, January 28, 2002

Do YOU Yahoo!?
From: Brett Glass
To: Doug Barton, "Karsten W. Rohrbach"
Cc: security@FreeBSD.ORG
Date: Fri, 19 Apr 2002 16:12:33 -0600
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

At 04:07 PM 4/19/2002, Doug Barton wrote:

>I long ago forgot what it was like to be a new
>FreeBSD user,

This is part of the problem here. We should care a lot about newcomers' experience, and respect the fact that no matter how bright they are they cannot learn everything at once. Expecting a new user to master CVSup is unreasonable.
--Brett

From: "Peter C. Lai"
To: Greg Fortune
Cc: Brett Glass, Ken McGlothlen, security@freebsd.org
Date: Fri, 19 Apr 2002 18:22:44 -0400
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

On Fri, Apr 19, 2002 at 12:08:25PM -0700, Greg Fortune wrote:
> At 08:30 PM 4/18/2002 -0600, Brett Glass wrote:
>
> >Having a local build server is a nice idea, especially if you're
> >a large shop, but doesn't get newcomers a safe version to install
> >(important; if they're hacked they'll sour on FreeBSD) or give
> >an admin a build to
> >which she can just upgrade quickly and know
> >that the latest holes are closed.
> >
> >--Brett
>
> Brett,
>
> I've been watching this thread quietly, as I am a "newcomer" to FreeBSD.
> However your intimation that we'll run for the hills like children at the
> first sign of difficulty offends me.
>
> First, anyone connected to the net who ever thinks that their box is ever
> "safe" needs a reality check. Pretty good assumption for a newcomer, eh? I
> came to FreeBSD because of its security and groups like this. If my site
> gets hacked, I'm not going to "sour" on FreeBSD, I'm going to take
> advantage of this group and all the other wonderful resources available to
> this community and figure out what I need to learn to do better.
>
> Just because we're new to FreeBSD doesn't mean we're sheep. We all know
> where the sheep graze. Nobody ever told me that FreeBSD was easy. Nobody
> ever told me it was secure "out of the box". What I heard was that if I was
> willing to learn how to do it, FreeBSD has the potential to be one of the
> most powerful and secure operating systems out there. I never thought that
> all the work was going to be done for me, or that the process would be easy
> of end. If technology was easy, sysadmins would get paid minimum wage and
> have to wear polyester uniforms and funny little hats.
>

It has been said (by various people, mostly those from the latter computing age of PDP, VAX, and S/390) that a good sysadmin is one that should be able to script (or otherwise automate/routin-ize) themselves out of a job. Administration is just that. Read: management from the desk, planning, communications, finding people and tasking them to deploy or implement. Sysadmin-ship historically was maintaining system components that could not maintain themselves. This included loading software from tape, backing up to tape, providing user-requested features and fixing failures. With modern systems, the OS is but one very small part of the whole equation.
It is supposed to provide a user-computer interface to load and run programs. It ought to be as automated and easy to implement as possible, with high reliability and security. There really is no reason why UNIX or FreeBSD should be harder to deploy or implement than WinNT or Solaris. A "solution", being the buzzword of these days, is exactly what it should mean. You are supposed to tell your boss "we need this functionality, this vendor supplies something with that. It costs this much compared to this other thing, and the implementation time is 1 day". Unless you are truly masochistic, I'm pretty sure you don't want to spend your nights trying to learn the nuances of an OS that you picked because you lost an OS flamewar with your favorite security mailing list ;) In effect, the old saying "Unix is user friendly, it's just picky about its users" should really ring less and less true as we develop more advanced versions of it.

> Anyone who runs from an OS due to their own inability to learn how to
> properly configure/maintain it can go run Windows and contribute to
> Microsoft's ongoing track record for security and stability.
>

It isn't running away. see above :) At a company, you don't *learn* how to properly configure an OS, you do it. Years ago, I used to work at a place where the motivational poster was "This is not a University". Companies who hire administrators expect that their people know what's going on and have enough knowledge to run the systems. I suppose if someone wants to migrate software platforms they should be educated to some extent about the target platform, but how do we use this as a FreeBSD selling point instead of hindering potential users from beginning to use FreeBSD? (see comment below) If it's going to take additional human resources to implement FreeBSD over some other OS, with the same sort of stability and reliability, then maybe it's not such a good idea.
Sysadmins have better things to do than maintain build servers and worry if the next patch breaks the OS. They should be figuring out improvements in efficiency, user training, uptime, infrastructure growth and assessing the needs of users or clients.

> You sound like you know exactly what you want. Why not put it together?
> Hey, if you build it, it'll be done exactly the way you want it done, won't
> it? Don't let this opportunity pass you up! Here's your chance to have a
> piece of FreeBSD work perfectly for you! I'd code it, but my skills aren't
> up to snuff (yet) and I don't figure that any of these kind people should
> have to bear the burden of holding my hand. So I send my money to O'Reilly
> and I spend my time learning how to do new things. One of these days I will
> contribute to this body of work, but not until I've got the chops (I'd like
> to fix bugs, not introduce them ;-) ).
>
> If you aren't careful, one of these days you'll be griping about the update
> mechanism I wrote, because I won't code it the way you want, I'll code it
> the way I want.
>
> Life is wonderful when you just deal with what IS. I read this list to
> learn how to use the tools I currently have to do the best job I can, not
> to watch theory wars via email. If you don't like things the way they are,
> step up to the plate and do something about it. Otherwise, we all heard
> what you said, so please remain in the audience and take your seat.
>
> Personally, my hat's off to the fine folks who post the security
> notices, analyze the bugs, write the code, debug the code, and maintain
> the source tree, all for a FREE OS! Without the people who actually do all
> the work that you're complaining about, you'd have to do all that work
> yourself (or "sour" on FreeBSD, as you put it). Try applying THAT across
> 1000 servers sometime.
But then again, the objective of FreeBSD advocacy is to say that we provide a suitable replacement enterprise level OS in a production environment on mission critical systems. The main argument would favor an improved binary patch system with minimal downtime and maximum stability. If more people are expected to adopt open source operating systems, then Brett's point is that a successful binary patch system is also an important marketing feature.

Normally, with commercial vendors, the sysadmin will consult those technicians to result in a working solution to a patch. That's the price of a support contract. You are walked through the upgrade process, and if something breaks, the vendor is responsible for fixing it. (I'm talking about large implementations here, such as our S/390 support contracts. Downtime of over an hour is unacceptable, so the protocols for microcode updates have been written by IBM for our customized systems, and in the case they failed to foresee an event, they have a tech on hand. Similarly, I've never seen any particularly involved AIX patch because we needed to reinstall all the core binaries for an update - we just install the binaries on the patch CD, and half the time don't even need to reboot.)

With open source, mailing lists such as these are typically your main source of support. However, utilities facilitating easy system upgrades such as a reliable binary patch system would again be beneficial not only to existing users, but also to potential users. As a sidenote, linux operators commonly exclaim why I have to spend hours compiling all of my core software, and then take down the system to patch a system when all they do to fix vulns is to download the latest rpm or deb. Similarly, microsofties download the latest SP (even though it's usually 5 months later :) and reboot.

>
> -Greg
>
> P.S. If you really must respond to this, please email me directly. No need
> to clutter the group with more witty banter or high drama.
>
> Greg Fortune
> Megaton Technologies
> megatontech@pacbell.net
> ------------------------------------------
> "Those who say it can't be done should
> get out of the way of those who are doing it."

--
Peter C. Lai
University of Connecticut
Dept. of Residential Life | Programmer
Dept. of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/
860.427.4542 (Room) 860.486.1899 (Lab) 203.206.3784 (Cellphone)

From: Markus Hallström
To: freebsd-security@freebsd.org
Date: Sat, 20 Apr 2002 00:43:33 +0200
Subject: new openSSH hole?

This just showed up on vuln-dev

On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
>
>
> The bug affects servers offering Kerberos TGT
> and/or AFS Token passing. The vulnerability can lead
> to a root compromise.
>
> more : mantra.freeweb.hu
>
> Marcell Fodor
>

on http://mantra.freeweb.hu I get the following information

18.04.2002 security bug report:

OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow. The bug affects servers offering Kerberos TGT and/or AFS Token passing. The vulnerability can lead to a root compromise.

bug details:

radix.c GETSTRING macro in radix_to_creds function may cause buffer overflow.

affected buffers:
  creds->service
  creds->instance
  creds->realm
  creds->pinst

user can exploit the vulnerability by sending malformed request for:
  1. pass Kerberos IV TGT
  2. pass AFS Token

For security considerations the CREDENTIALS structure is erased at the end of the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at the first look, since the user supplied code is cleared. Well, it's all there! Check the temp[] buffer in radix_to_creds() function. This is the place where the server decoded the ticket. It should be considered in further versions to clear the temp buffer prior to returning from the radix_to_creds function.

Is this known? Should I worry?

--
/Markus

-------------------------------------------------
This mail sent through IMP: http://horde.org/imp/

From: "Karsten W. Rohrbach"
To: Brett Glass
Cc: Doug Barton, security@FreeBSD.ORG
Date: Sat, 20 Apr 2002 02:26:30 +0200
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Brett Glass(brett@lariat.org)@2002.04.19 16:12:33 +0000:
> At 04:07 PM 4/19/2002, Doug Barton wrote:
>
> >I long ago forgot what it was like to be a new
> >FreeBSD user,
>
> This is part of the problem here. We should care a lot about
> newcomers' experience, and respect the fact that no matter
> how bright they are they cannot learn everything at once.
> Expecting a new user to master CVSup is unreasonable.

brett,

i'm sorry, but reading this thread made me think about the days when i started using freebsd and set up my first server. after being left alone at a root user prompt "# " i learned how to configure the stuff in /etc, that docs are in /usr/share/doc, how to install packages, and then how to cvsup (for building up to date versions out of the ports tree).
in my personal opinion, i find the RPM or binary-only distribution mechanism very dangerous for users, because it is mainly the microsoft approach to hide software complexity behind an interface the user has to trust. i personally do not trust binary package systems (although i am forced to use them sometimes), nor do i blindly trust the ports tree. yes, i mean i _read_ the make files and view the output of the make process before installing a port the first time on one box. then i make a package out of it. that's all personal preference, yes.

IMVHO, what would be a good thing[tm] for the source dist (/usr/src) is a Changelog file, containing the history of major fixes/enhancements to the currently installed sources. it would be very easy to write a little wrapper that saves /usr/src/Changelog (or maybe even a whole hierarchy of subsystem Changelogs) to a backup and then diffs out the changes after the update completed. this gives at least some overview about what has changed and where to look for potential breakage. it would be very good, if some of the committers could comment on that.

regards,
/k
--
> It's not that perl programmers are idiots, it's that the language rewards
> idiotic behavior in a way that no other language or tool has ever done.
> --Erik Naggum
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists.
From: Peter Leftwich
To: "Karsten W. Rohrbach"
Cc: Brett Glass, Doug Barton, FreeBSD Security LIST
Date: Fri, 19 Apr 2002 20:50:16 -0400 (EDT)
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

On Sat, 20 Apr 2002, Karsten W. Rohrbach wrote:
> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip

{My lord! Is this thread still alive?!
The security@freebsd.org list is for legitimate, authoritative notices only, is it not...}

> Brett Glass(brett@lariat.org)@2002.04.19 16:12:33 +0000:
> > At 04:07 PM 4/19/2002, Doug Barton wrote:
> > >I long ago forgot what it was like to be a new FreeBSD user,

questions@freebsd.org

> > This is part of the problem here. We should care a lot about newcomers' experience, and respect the fact that no matter how bright they are they cannot learn everything at once. Expecting a new user to master CVSup is unreasonable.

Hi Karsten. The FreeBSD (and most *nix OS folk) community *does* care tons about newcomers. It's the newcomers that make demands, snap judgments, and ask endless questions without RTFM or RTFMOTT (... once told to) that are disliked and as such scolded, often somewhat harshly but -- well, you gadda make an example. :)

Besides, nobody expects anyone to "master" any command (cvsup for example). That is unreasonable and everyone would agree; are you confusing goals with inferences? For example, Jane J. wishes to master (or mistress) the grep command, so she posts to a list "How do I use grep?" Someone replies "man grep" and Jane J. gets all fussy because this cold-hearted posting person is somehow impeding her from becoming "Grep Expert of the Planet." *lol*

> brett, i'm sorry, but reading this thread made me think about the days when i started using freebsd and set up my first server. after being left alone at a root user prompt "# " i learned how to configure the stuff in /etc, that docs are in /usr/share/doc, how to install packages, and then how to cvsup (for building up to date versions out of the ports tree).

I always log in as root - The thinking is... rm doesn't scare me one bit! :)

> in my personal opinion, i find the RPM or binary-only distribution mechanism very dangerous for users, because it is mainly the microsoft approach to hide software complexity behind an interface the user has to trust.
> i personally do not trust binary package systems (although i am forced to use them sometimes), nor do i blindly trust the ports tree. yes, i mean i _read_ the make files and view the output of the make process before installing a port the first time on one box. then i make a package out of it. that's all personal preference, yes.

Don't know practically nuttin about RPM, but if you are concerned about security and customizable control of pkg_add, remember the following: You can *always* just ftp the package (a tarball, or somecommandhere_3.1.1.tgz) to your box, gunzip and untar the contents... edit them in your favorite editor and then "make" or "make clean" or "make install" manually (you can tell beyond a certain point in this sentence I know not about what I speak)!

> IMVHO, what would be a good thing[tm] for the source dist (/usr/src) is a Changelog file, containing the history of major fixes/enhancements to the currently installed sources. it would be very easy to write a little wrapper that saves /usr/src/Changelog (or maybe even a whole hierarchy of subsystem Changelogs) to a backup and then diffs out the changes after the update completed. this gives at least some overview about what has changed and where to look for potential breakage. it would be very good, if some of the committers could comment on that.
> regards,
> /k

No comment. (Uninformed.)

> > It's not that perl programmers are idiots, it's that the language rewards idiotic behavior in a way that no other language or tool has ever done. --Erik Naggum

What does this Chief Wiggum, er, Erik Naggum know about PERL anyways?! _P_erl _E_eez _R_eallllly _L_ovable. :)

By the way your quote brought to the forward hanging, thin branch of thought on the tip of my cortical cortex in the pink matter left of the grey matter, or something, this:

It's not that MACOS USERS are idiots, it's that the OS rewards idiotic behavior in a way that no other OS or SOFTWARE [ever has].
--Peter Leftwich

(For the record, I think very highly of Apple *hardware*, it's the OS that makes me feel very claustrophobic, and it's the software that, well, the software that is nowhere to be found except in scant quantities across the globe! *grins* So hurry up and write a FreeBSD for the G4 architecture!)

> KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
> http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
> GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
> My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
> Please do not remove my address from To: and Cc: fields in mailing lists. 10x

Hope this has been as fun for y'all as it hath fer me.

-- 
Peter Leftwich
President & Founder
Video2Video Services
Box 13692, La Jolla, CA, 92039 USA
+1-413-403-9555

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Apr 19 18:14:53 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id A5BDA37B433 for ; Fri, 19 Apr 2002 18:14:39 -0700 (PDT)
Received: (qmail 90356 invoked by uid 1000); 20 Apr 2002 01:14:59 -0000
Date: Sat, 20 Apr 2002 03:14:59 +0200
From: "Karsten W. Rohrbach"
To: Peter Leftwich
Cc: FreeBSD Security LIST
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
Message-ID: <20020420031459.A88998@mail.webmonster.de>
Mail-Followup-To: "Karsten W. Rohrbach" , Peter Leftwich , FreeBSD Security LIST
References: <20020420022630.C88054@mail.webmonster.de> <20020419203037.S39174-100000@earl-grey.cloud9.net>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="UugvWAfsgieZRqgk"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <20020419203037.S39174-100000@earl-grey.cloud9.net>; from Hostmaster@Video2Video.Com on Fri, Apr 19, 2002 at 08:50:16PM -0400
X-Arbitrary-Number-Of-The-Day: 42
X-URL: http://www.webmonster.de/
X-Disclaimer: My opinions do not necessarily represent those of my employer
X-Work-URL: http://www.ngenn.net/
X-Work-Address: nGENn GmbH, Schloss Kransberg, D-61250 Usingen-Kransberg, Germany
X-Work-Phone: +49-6081-682-304
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

Peter Leftwich(Hostmaster@Video2Video.Com)@2002.04.19 20:50:16 +0000:
> On Sat, 20 Apr 2002, Karsten W. Rohrbach wrote:
[...]
> > Brett Glass(brett@lariat.org)@2002.04.19 16:12:33 +0000:
> > > At 04:07 PM 4/19/2002, Doug Barton wrote:
> > > >I long ago forgot what it was like to be a new FreeBSD user,
> 
> questions@freebsd.org
> 
> > > This is part of the problem here. We should care a lot about newcomers' experience, and respect the fact that no matter how bright they are they cannot learn everything at once. Expecting a new user to master CVSup is unreasonable.
> 
> Hi Karsten. The FreeBSD (and most *nix OS folk) community *does* care tons

you are quote-quoting brett here ;-) i /do/ know that _especially_ the freebsd folks /do/ care.

> > brett, i'm sorry, but reading this thread made me think about the
> > days when i started using freebsd and set up my first server. after
> > being left alone at a root user prompt "# " i learned how to
> > configure the stuff in /etc, that docs are in /usr/share/doc, how to
> > install packages, and then how to cvsup (for building up to date
> > versions out of the ports tree).
> 
> I always log in as root - The thinking is... rm doesn't scare me one bit! :)

sensing some amount of irony here, yes a new user logs in as root, because he got a "blank" system, with (hopefully) limited userland. it doesn't matter how many times you tell him "no do not log in as root", he will understand it when he has executed his first more complex shell command containing "rm" ;-)

> > in my personal opinion, i find the RPM or binary-only distribution
> > mechanism very dangerous for users, because it is mainly the
> > microsoft approach to hide software complexity behind an interface
> > the user has to trust. i personally do not trust binary package
> > systems (although i am forced to use them sometimes), nor do i
> > blindly trust the ports tree. yes, i mean i _read_ the make files
> > and view the output of the make process before installing a port the
> > first time on one box. then i make a package out of it. that's all
> > personal preference, yes.
> 
> Don't know practically nuttin about RPM, but if you are concerned about
> security and customizable control of pkg_add, remember the following: You
> can *always* just ftp the package (a tarball, or somecommandhere_3.1.1.tgz)
> to your box, gunzip and untar the contents... edit them in your favorite
> editor and then "make" or "make clean" or "make install" manually (you can
> tell beyond a certain point in this sentence I know not about what I speak)!

yes, i know. but after the "USA_RESIDENT=no vs. kerberos lib linkage in packages" issue, i rather roll my own, thanks.

> Hope this has been as fun for y'all as it hath fer me.

your mua does terrible things to line breaks. please check and fix ;-)

regards,
/k
-- 
> Fools ignore complexity. Pragmatists suffer it. Some can avoid it.
> Geniuses remove it.
> --Perlis's Programming Proverb #58, SIGPLAN Notices, Sept. 1982
KR433/KR11-RIPE -- WebMonster Community Founder -- nGENn GmbH Senior Techie
http://www.webmonster.de/ -- ftp://ftp.webmonster.de/ -- http://www.ngenn.net/
GnuPG 0x2964BF46 2001-03-15 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46
My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/
Please do not remove my address from To: and Cc: fields in mailing lists. 10x

From owner-freebsd-security Fri Apr 19 18:44:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from smtp-in.sc5.paypal.com (smtp-in.sc5.paypal.com [216.136.155.8]) by hub.freebsd.org (Postfix) with ESMTP id A5AB737B400 for ; Fri, 19 Apr 2002 18:44:08 -0700 (PDT)
Received: from xchange2.pa1.paypal.com (xchange2.pa1.paypal.com [10.1.1.37]) by smtp-in.sc5.paypal.com (8.11.6/8.11.6) with ESMTP id g3K1i8c01962 for ; Fri, 19 Apr 2002 18:44:08 -0700
Received: from stinky.pa1.paypal.com ([10.1.2.6]) by xchange2.pa1.paypal.com with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2655.55) id JA43LSXS; Fri, 19 Apr 2002 18:44:30 -0700
Received: from paypal.com (localhost [127.0.0.1]) by stinky.pa1.paypal.com (Postfix) with ESMTP id 011D32050; Fri, 19 Apr 2002 15:24:19 -0700 (PDT)
Message-ID: <3CC09913.4010605@paypal.com>
Date: Fri, 19 Apr 2002 15:24:19 -0700
From: Brian Nelson
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:0.9.9) Gecko/20020327
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Brett Glass
Cc: security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:21.tcpip
References: <4.3.2.7.2.20020419161047.0360e970@nospam.lariat.org>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

Brett Glass wrote:
> At 04:07 PM 4/19/2002, Doug Barton wrote:
> 
>>I long ago forgot what it was like to be a new
>>FreeBSD user,
> 
> This is part of the problem here. We should care a lot about
> newcomers' experience, and respect the fact that no matter
> how bright they are they cannot learn everything at once.
> Expecting a new user to master CVSup is unreasonable.
> 
> --Brett
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

Let's apply this logic to other places in our lives....

Licenses for people with an inability to learn to drive should be easier. Perhaps the DMV should start distributing chauffeurs for those unable to learn to drive? This, of course, will be a free service.

People who do not know how to run their own businesses should be given a staff, salary, idea, and business process, all for free. (!)

If you don't know how to do dentistry (gosh, that's tougher than CVSup!), there should be an easy, free, "do it at home for free(!)" kit. You simply plug this free device into your mouth and whammo, no dental woes.

'Expecting a new user to master CVSup is unreasonable.' -- sounds like you're volunteering to engineer a solution. Go do it and stfu. Until then, I am adding a to/from/body filter that if it includes your name, it goes right to the trash. When I see the "Super n00b FreeBSD Install by Brett Glass", this filter will be removed.
From owner-freebsd-security Sat Apr 20 9: 5:35 2002
Delivered-To: freebsd-security@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 27DB937B405 for ; Sat, 20 Apr 2002 09:05:30 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 8409036; Sat, 20 Apr 2002 11:05:29 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.2/8.11.6) with ESMTP id g3KG5TVw028063; Sat, 20 Apr 2002 11:05:29 -0500 (CDT) (envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost) by madman.nectar.cc (8.12.2/8.12.2/Submit) id g3KG5SqE028062; Sat, 20 Apr 2002 11:05:28 -0500 (CDT)
Date: Sat, 20 Apr 2002 11:05:28 -0500
From: "Jacques A. Vidrine"
To: Markus Hallström
Cc: freebsd-security@freebsd.org
Subject: Does not affect FreeBSD (was Re: new openSSH hole?)
Message-ID: <20020420160528.GJ27108@madman.nectar.cc>
Mail-Followup-To: "Jacques A. Vidrine" , Markus Hallström , freebsd-security@freebsd.org
References: <1019256213.3cc09d9554210@mail.freebsd.se>
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <1019256213.3cc09d9554210@mail.freebsd.se>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: 
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe: 
List-Unsubscribe: 
X-Loop: FreeBSD.org

FreeBSD is not affected. This code is only built in environments which support AFS. Neither the OpenSSH in the base system nor in the ports collection can be built with AFS unless (a) you have AFS from somewhere, and (b) you manually hack the configuration to enable AFS.

Cheers,
-- 
Jacques A. Vidrine <http://www.nectar.cc/>
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

On Sat, Apr 20, 2002 at 12:43:33AM +0200, Markus Hallström wrote:
> This just showed up on vuln-dev
> 
> On Fri, 2002-04-19 at 15:48, Marcell Fodor wrote:
> > 
> > The bug affects servers offering Kerberos TGT
> > and/or AFS Token passing. The vulnerability can lead
> > to a root compromise.
> > 
> > more : mantra.freeweb.hu
> > 
> > Marcell Fodor
> 
> on http://mantra.freeweb.hu I get the following information
> 
> 18.04.2002
> security bug report:
> 
> OpenSSH 2.2.0 - 3.1.0 server contains a locally exploitable buffer overflow.
> The bug affects servers offering Kerberos TGT and/or AFS Token passing.
> The vulnerability can lead to a root compromise.
> 
> bug details:
> 
> radix.c
> GETSTRING macro in radix_to_creds function may cause buffer overflow.
> affected buffers:
> 
> creds->service
> creds->instance
> creds->realm
> creds->pinst
> 
> user can exploit the vulnerability by sending malformed request for:
> 
> 1. pass Kerberos IV TGT
> 2. pass AFS Token
> 
> For security considerations the CREDENTIALS structure is erased at the end of
> the auth_krb4_tgt function (auth_krb4.c). This makes code injection impossible at
> the first look, since the user supplied code is cleared.
> Well, it's all there! Check the temp[] buffer in radix_to_creds() function. This is
> the place where the server decoded the ticket.
> 
> It should be considered in further versions to clear the temp buffer prior to
> returning from the radix_to_creds function.
> 
> Is this known? should I worry?
> -- 
> /Markus
> 
> -------------------------------------------------
> This mail sent through IMP: http://horde.org/imp/
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
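The report quoted above names the general defect (a string-copy macro filling fixed-size fields from peer-supplied data, with the decoded ticket left behind in a scratch buffer) and the two remedies that follow from it: bound every copy by the destination's capacity, and clear the scratch buffer on every return path. The following C is an added illustration of those two remedies written for this archive; it is not OpenSSH's radix.c, not the GETSTRING macro, and not code from anyone in the thread. FIELD_LEN, struct creds, struct cursor, get_cstring and decode_creds are hypothetical names, the field width is an assumption, and the inputs in the check functions are constructed; only the field names service, instance and realm come from the report.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIELD_LEN 40   /* hypothetical field width; the real layout is not on the page */

/* Decoded fields. Names follow the report; the sizes are an assumption. */
struct creds {
    char service[FIELD_LEN];
    char instance[FIELD_LEN];
    char realm[FIELD_LEN];
};

/* Read cursor over an untrusted byte buffer. */
struct cursor { const unsigned char *data; size_t len; size_t pos; };

/* Zero memory through a volatile pointer so the compiler cannot drop the
 * stores as dead writes to a buffer that is about to go out of scope. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Copy one NUL-terminated string from the cursor into dst[cap].
 * Returns 0 on success. Returns -1 when the input ends before a NUL or no
 * NUL appears within cap bytes; dst is then an empty string and the cursor
 * is not advanced, so the caller never sees a partial, unterminated field. */
static int get_cstring(struct cursor *c, char *dst, size_t cap)
{
    size_t i;
    for (i = 0; i < cap; i++) {
        if (c->pos + i >= c->len) {
            dst[0] = '\0';
            return -1;              /* input exhausted mid-field */
        }
        dst[i] = (char)c->data[c->pos + i];
        if (dst[i] == '\0') {
            c->pos += i + 1;        /* consume the terminator as well */
            return 0;
        }
    }
    dst[0] = '\0';
    return -1;                      /* field longer than the destination */
}

/* Decode three fields from a peer-controlled buffer. The working copy
 * (temp[], as in the report) is scrubbed on every exit path, and on failure
 * the half-filled output is scrubbed too, so peer-supplied bytes do not
 * linger in either buffer after the call. */
int decode_creds(const unsigned char *buf, size_t len, struct creds *out)
{
    char temp[sizeof(struct creds)];
    struct cursor c = { (const unsigned char *)temp, len, 0 };
    int rc = -1;

    memset(out, 0, sizeof *out);
    if (len > sizeof temp)          /* longer than all fields combined */
        goto done;
    memcpy(temp, buf, len);
    if (get_cstring(&c, out->service, sizeof out->service) != 0 ||
        get_cstring(&c, out->instance, sizeof out->instance) != 0 ||
        get_cstring(&c, out->realm, sizeof out->realm) != 0)
        goto done;
    rc = 0;
done:
    scrub(temp, sizeof temp);
    if (rc != 0)
        scrub(out, sizeof *out);
    return rc;
}

/* Constructed inputs: each check returns 1 when the decoder behaves as documented. */
int check_wellformed(void)
{
    static const unsigned char in[] = "host\0" "server1\0" "EXAMPLE.ORG\0";
    struct creds cr;
    return decode_creds(in, sizeof in - 1, &cr) == 0 &&
           strcmp(cr.service, "host") == 0 &&
           strcmp(cr.instance, "server1") == 0 &&
           strcmp(cr.realm, "EXAMPLE.ORG") == 0;
}

int check_overlong(void)          /* 64 bytes, no terminator anywhere */
{
    unsigned char in[64];
    struct creds cr;
    memset(in, 'A', sizeof in);
    return decode_creds(in, sizeof in, &cr) == -1 && cr.service[0] == '\0';
}

int check_truncated(void)         /* second field is cut off before its NUL */
{
    static const unsigned char in[] = "host\0" "ser";
    struct creds cr;
    return decode_creds(in, sizeof in - 1, &cr) == -1 && cr.service[0] == '\0';
}

int main(void)
{
    printf("wellformed=%d overlong=%d truncated=%d\n",
           check_wellformed(), check_overlong(), check_truncated());
    return 0;
}
```

The point of the two failure checks is that an overlong or truncated field is rejected before any byte is written past a destination, and that the rejection path scrubs both the scratch copy and the partially filled output, which is the behaviour the report asks for in its last paragraph. A review of real decoding code can be driven by the same three questions: is every copy bounded by the destination size, is a missing terminator treated as an error rather than read past, and is the scratch buffer cleared on every return.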