From owner-freebsd-security Sun Jan 12 21:51:14 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B639B37B401 for ; Sun, 12 Jan 2003 21:51:10 -0800 (PST)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id C23ED43F3F for ; Sun, 12 Jan 2003 21:51:09 -0800 (PST) (envelope-from njyoder@gummibears.nu)
Received: (qmail 78767 invoked from network); 13 Jan 2003 05:51:08 -0000
Received: from roc-24-59-189-237.rochester.rr.com (HELO catbert) (24.59.189.237) by relay.pair.com with SMTP; 13 Jan 2003 05:51:08 -0000
X-pair-Authenticated: 24.59.189.237
Date: Mon, 13 Jan 2003 00:51:07 -0500
From: "Nathan J. Yoder"
X-Mailer: The Bat! (v1.61) Educational
Reply-To: "Nathan J. Yoder"
X-Priority: 3 (Normal)
Message-ID: <6121584208.20030113005107@gummibears.nu>
To: freebsd-security@FreeBSD.org
Subject: digital signatures for downloads
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

I'd like to suggest that the downloads for FreeBSD systems (whether directly through *.FreeBSD.org or not) should be digitally signed. By digital signature I don't simply mean a bare MD5 hash, as that could have been changed in transit. Most importantly, this would include cvs files transferred via cvsup (FreeBSD source and ports), pre-compiled binary packages and security patches. While the FreeBSD security advisories are signed, they don't include secure hashes of the patches, rather they just provide an insecure FTP link. This leaves it wide open for a MITM attack (in the case of FTP this is relatively easy if you can sniff traffic and the person uses active mode).
Realistically it would probably be very difficult to insert a source trojan into most of the patches considering their small size (at least to anyone who actually checked them), but it is definitely needed for other types of downloads like cvsup. By launching a MITM attack on a cvsup connection an attacker can choose to modify/add/delete the source to any file in the tree, which is unlikely to be detected by most users. This can be done to insert a trojan anywhere in the source. This applies to both the FreeBSD source and ports collection. Yes, the ports collection does include MD5 hashes, but someone capable of a MITM attack can change the hash to that of the evil trojaned version.

Lastly we have pre-compiled binaries. These can either be flat out replaced with a trojaned version or do some kind of real time code injection into the binary.

Anyway, the solution to all this is relatively simple as stated above: digitally sign all the stuff with specially designated FreeBSD keys that are automagically verified without the user having to do anything (this would be done by _default_ with the capability to disable). For patches and pre-compiled binaries a simple front-end script can be used to download the file, verify it, then pass on the full-fledged file to continue processing it. Perhaps a clever person could hide the signature inside of the aout/ELF binary itself (like authenticode *gag*), but that might add needless complication.

With cvsup this may be possible with a hack on the client side. This would involve digitally signing all source files, then using a special naming scheme to create a digital signature file that corresponds to a given file (i.e. happy.c.sig would correspond to happy.c). The hack comes in by modifying the cvsup client to automatically verify the signatures for files automagically. Or I suppose the make system could be made to verify signatures upon the making of files.
Now of course the problem here is that there are a lot of files to sign, so this may be worked around by signing multiple files in the same signature (like signing a giant conglomerate file).

Now keep in mind all this may have already been compensated for and I'm just smoking crack, but I just want to make sure something is done either way. I'd be willing to help implement the changes to FreeBSD to make this signature stuff happen if I can get some supporters.

I have a cat on my head, weeeeeeee....

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 13 6:40:59 2003
Date: Mon, 13 Jan 2003 15:40:51 +0100
From: "Ronan LE NOZACH"
To: "Andriy Gapon"
Cc: freebsd-security@FreeBSD.ORG
Subject: RE : IPsec in tunnel mode between Windows 2000 and FreeBSD
Message-ID: <0690CF9CCB18EE4EB57E4E26A0CEC7BB0EF21E@cis2ks01.cis-consultants>
Thread-Topic: IPsec in tunnel mode between Windows 2000 and FreeBSD

Thank you for this information Andriy, I did some other tests and it works fine now. I found out my problem was that the phase II life duration expected by Windows was 300 sec and the lifetime proposal sent by racoon was 30 sec!

Ronan Le Nozach
CIS Consultants
Paris France

-------- Original message --------
From: Andriy Gapon [mailto:agapon@excite.com]
Date: Thu 09/01/2003 20:10
To: Ronan LE NOZACH
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: IPsec in tunnel mode between Windows 2000 and FreeBSD

Ronan,

I have here a well-functioning IPSec tunnel between a Win2K leaf-node host and a FreeBSD router to the Internet. There are quite a few tutorials on this topic on the www; the most important trick for tunnel mode (vs. transport mode) is to have two separate policies on Win2K - for incoming and outgoing packets (i.e. the "mirror" option should not be used). The racoon log may provide more hints; you should be able to find a message where it complains.

--
Andriy Gapon

Broadcast Message from wnpdev21 (pts/tg) Wed Jan 8 09:12:47... replacing the jar - krishna 3931

------------------------------------------------------------------
This e-mail and any attachments contain confidential information belonging to CIS Consultants and are intended solely for the addressees. Any unauthorized disclosure, use, dissemination or copying (either whole or partial) of this e-mail, or any information it contains, is prohibited. E-mails are susceptible to alteration. Neither CIS Consultants shall be liable for the message if altered or falsified.
------------------------------------------------------------------

From owner-freebsd-security Mon Jan 13 6:54: 6 2003
Date: Mon, 13 Jan 2003 16:53:52 +0200
From: "Liran Siglat"
To: freebsd-security@FreeBSD.org
Subject: Compiling tripwire in FreeBSD
Thread-Topic: Compiling tripwire in FreeBSD

Hi,

I'm trying to compile ("gmake debug") tripwire-2.3.1-2 on FreeBSD 4.3 with no success. I've downloaded tripwire from the FreeBSD site.
I have uncommented the following line in the main Makefile: `SYSPRE = i386-unknown-freebsd`

The error I receive is:

In file included from ../stlport/stdexcept:33,
                 from ../stlport/stl/_ios_base.h:22,
                 from ../stlport/stl/_streambuf.h:21,
                 from ../stlport/streambuf:31,
                 from ../stlport/stl/_stream_iterator.h:47,
                 from ../stlport/iterator:39,
                 from ../stlport/istream:35,
                 from ../stlport/stl/_complex.h:52,
                 from ../stlport/complex:37,
                 from complex.cpp:21:
../stlport/exception:46: ../include/exception: No such file or directory
In file included from ../stlport/stl/_alloc.h:68,
                 from ../stlport/stdexcept:41,
                 from ../stlport/stl/_ios_base.h:22,
                 from ../stlport/stl/_streambuf.h:21,
                 from ../stlport/streambuf:31,
                 from ../stlport/stl/_stream_iterator.h:47,
                 from ../stlport/iterator:39,
                 from ../stlport/istream:35,
                 from ../stlport/stl/_complex.h:52,
                 from ../stlport/complex:37,
                 from complex.cpp:21:
../stlport/new:47: ../include/new: No such file or directory
In file included from ../stlport/stl/_locale.h:26,
                 from ../stlport/stl/_ios_base.h:25,
                 from ../stlport/stl/_streambuf.h:21,
                 from ../stlport/streambuf:31,
                 from ../stlport/stl/_stream_iterator.h:47,
                 from ../stlport/iterator:39,
                 from ../stlport/istream:35,
                 from ../stlport/stl/_complex.h:52,
                 from ../stlport/complex:37,
                 from complex.cpp:21:
../stlport/typeinfo:27: ../include/typeinfo: No such file or directory
gmake[4]: *** [obj/GCC/Release/complex.o] Error 1

Has anyone had any success with compiling tripwire - Any help would be appreciated.

Thanks,
Liran.
From owner-freebsd-security Mon Jan 13 6:55: 6 2003
Date: Mon, 13 Jan 2003 08:53:30 -0600
From: "Jacques A. Vidrine"
To: "Nathan J. Yoder"
Cc: freebsd-security@FreeBSD.org
Subject: Re: digital signatures for downloads
Message-ID: <20030113145330.GA78337@madman.nectar.cc>
References: <6121584208.20030113005107@gummibears.nu>
In-Reply-To: <6121584208.20030113005107@gummibears.nu>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.1i-ja.1

On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> While the FreeBSD security advisories are signed, they
> don't include secure hashes of the patches, rather they just provide
> an insecure FTP link.

Patches are also signed. For example, from the latest advisory:

``
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
''

The `.asc' file is the detached signature.

But I agree that packages, et cetera should also be signed. Many of the tools are already there, but we have processes to work on.

Cheers,
--
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Jan 13 7:41:15 2003
Date: Mon, 13 Jan 2003 10:52:08 -0500
From: Anthony Schneider
To: "Jacques A. Vidrine"
Cc: "Nathan J. Yoder", freebsd-security@FreeBSD.ORG
Subject: Re: digital signatures for downloads
Message-ID: <20030113155208.GA20328@x-anthony.com>
References: <6121584208.20030113005107@gummibears.nu> <20030113145330.GA78337@madman.nectar.cc>
In-Reply-To: <20030113145330.GA78337@madman.nectar.cc>
User-Agent: Mutt/1.4i

I think his point might be that there is only a link provided, and not the hash itself, in the advisory. Of course, it's a signature and not just an md5 hash, so I don't see it as a big problem.
-Anthony.

On Mon, Jan 13, 2003 at 08:53:30AM -0600, Jacques A. Vidrine wrote:
> On Mon, Jan 13, 2003 at 12:51:07AM -0500, Nathan J. Yoder wrote:
> > While the FreeBSD security advisories are signed, they
> > don't include secure hashes of the patches, rather they just provide
> > an insecure FTP link.
>
> Patches are also signed. For example, from the latest advisory:
>
> ``
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch.asc
> ''
>
> The `.asc' file is the detached signature.
>
> But I agree that packages, et cetera should also be signed.
> Many of the tools are already there, but we have processes to work on.
>
> Cheers,
> --
> Jacques A. Vidrine   http://www.celabo.org/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jan 13 7:48:10 2003
Date: Mon, 13 Jan 2003 17:47:15 +0200
From: Peter Pentchev
To: Liran Siglat
Cc: freebsd-security@FreeBSD.org
Subject: Re: Compiling tripwire in FreeBSD
Message-ID: <20030113154715.GE372@straylight.oblivion.bg>
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"
User-Agent: Mutt/1.5.3i

On Mon, Jan 13, 2003 at 04:53:52PM +0200, Liran Siglat wrote:
> Hi,
>
> I'm trying to compile ("gmake debug") tripwire-2.3.1-2 on FreeBSD 4.3 with no success.
> I've downloaded tripwire from the FreeBSD site.
>
> I have uncommented the following line in the main Makefile: `SYSPRE = i386-unknown-freebsd`

Any reason you are not using the security/tripwire port?
G'luck,
Peter

--
Peter Pentchev   roam@ringlet.net   roam@FreeBSD.org
PGP key:         http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint  FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
Thit sentence is not self-referential because "thit" is not a word.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+It+D7Ri2jRYZRVMRAg2nAJ0Q2GiSz8BNkXorHRO+VV6eLae7lwCgkh/o
wD95zTO8xinDkajHF/0x1Vg=
=srqy
-----END PGP SIGNATURE-----

From owner-freebsd-security Mon Jan 13 8:50:49 2003
Date: Mon, 13 Jan 2003 11:50:32 -0500
From: "Nathan J. Yoder"
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.org
Subject: Re: digital signatures for downloads
Message-ID: <183161149721.20030113115032@gummibears.nu>
In-Reply-To: <20030113145330.GA78337@madman.nectar.cc>
References: <6121584208.20030113005107@gummibears.nu> <20030113145330.GA78337@madman.nectar.cc>

Monday, January 13, 2003, 9:53:30 AM, Jacques A. Vidrine wrote:
> Patches are also signed. For example, from the latest advisory:

Right, my mistake. Anyway, someone pointed out to me that this discussion had been done 2 years ago and gave me this link: http://razor.bindview.com/publish/papers/os-patch.html . There is a section on FreeBSD in the middle. I'm reading up further on SFSRO: http://www.fs.net/sfs/@new-york.lcs.mit.edu,u83s4uk49nt8rmp4uwmt2exvz6d3cavh/pub/sfswww/

With this new information I'll see what I can do to help.
From owner-freebsd-security Mon Jan 13 8:59:44 2003
Date: Mon, 13 Jan 2003 08:59:39 -0800
From: David Schultz
To: "Nathan J. Yoder"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: digital signatures for downloads
Message-ID: <20030113165939.GA7457@HAL9000.homeunix.com>
References: <6121584208.20030113005107@gummibears.nu>
In-Reply-To: <6121584208.20030113005107@gummibears.nu>

Thus spake Nathan J. Yoder :
> I'd like to suggest that the downloads for FreeBSD systems
> (whether directly through *.FreeBSD.org or not) should be digitally
> signed. By digital signature I don't simply mean a bare MD5 hash, as
> that could have been changed in transit. Most importantly, this would
> include cvs files transferred via cvsup (FreeBSD source and ports),
> pre-compiled binary packages and security patches.

That's a good idea, but it's rather hard to implement. Signing every CVS revision would not only be computationally expensive, but it would make it impossible to do the signing ``offline'' in a secure environment. That has negative implications for the security of the security officer's private key. Signing a CVS snapshot for every release, on the other hand, is more reasonable. It wouldn't be seamlessly integrated into CVS, and it would be inefficient on the client end, but it could at least be automated (e.g. integrated into 'make update'.)

> While the FreeBSD security advisories are signed, they
> don't include secure hashes of the patches, rather they just provide
> an insecure FTP link. This leaves it wide open for a MITM attack (in
> the case of FTP this is relatively easy if you can sniff traffic and
> the person uses active mode).

No, a MITM attack isn't possible if you verify the signatures. If someone hijacks your FTP connection while you download the patch and detached PGP signature and sends you a trojan horse instead, you will find that the signature on the modified patch was not made by the FreeBSD security officer.
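The step Jacques and David describe, fetching the patch together with its detached .asc signature and checking the signature against the Security Officer's key before the patch is used, is exactly the "front-end script" Nathan asked for. The script below is an added example written for this archive; it is not code from the thread and not a FreeBSD tool. It assumes fetch(1) and gpg(1) are on the PATH and that KEYRING points at a keyring holding only the trusted signing key (the path given is a placeholder). Because the keyring is the trust decision, a tampered patch, a tampered .asc, or a signature from any other key all end the same way: the download is deleted and nothing is handed to patch(1).

```shell
#!/bin/sh
# Added example: fetch a patch and its detached PGP signature, verify the
# signature against a keyring that holds only the trusted signing key, and
# only then hand the file on. Not code from the thread or from FreeBSD.
# Assumptions: fetch(1) and gpg(1) are installed; KEYRING is a placeholder
# path that you would point at a keyring containing the Security Officer key.

KEYRING="${KEYRING:-/path/to/freebsd-security-officer.gpg}"  # placeholder
GPG="${GPG:-gpg}"        # overridable so the logic can be exercised without gpg
FETCH="${FETCH:-fetch}"  # overridable so the logic can be exercised offline

# Name of the detached signature that belongs to a file or URL: X -> X.asc
sigfile() {
    printf '%s.asc\n' "$1"
}

# Succeeds only if SIG is a good detached signature over FILE made by a key
# in KEYRING. --trust-model always: the keyring contents are the trust decision,
# so no web-of-trust state on this machine can widen what is accepted.
verify_detached() {
    file=$1
    sig=$2
    "$GPG" --no-default-keyring --keyring "$KEYRING" --trust-model always \
        --verify "$sig" "$file" >/dev/null 2>&1
}

# Download URL and URL.asc into DIR. On success print the verified path so a
# caller can pass it to patch(1); on any failure delete what was downloaded so
# an unverified file never lingers where someone might apply it by hand.
fetch_verified() {
    url=$1
    dir=$2
    name=$(basename "$url")
    file="$dir/$name"
    sig="$dir/$(sigfile "$name")"

    "$FETCH" -o "$file" "$url" || return 1
    if ! "$FETCH" -o "$sig" "$(sigfile "$url")"; then
        rm -f "$file"
        return 1
    fi
    if verify_detached "$file" "$sig"; then
        printf '%s\n' "$file"
        return 0
    fi
    echo "signature check FAILED for $name; discarding download" >&2
    rm -f "$file" "$sig"
    return 1
}

# Usage (the advisory's own URL from this thread, /tmp as the download dir):
#   p=$(fetch_verified ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:44/filedesc.patch /tmp) \
#       && patch -p0 < "$p"
```

The important property is that the file is only ever named on stdout after verification succeeded, so a pipeline built on `$(fetch_verified ...)` cannot apply an unverified patch by accident; a failed check leaves nothing behind in the download directory.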
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jan 14 2: 8:54 2003 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3EF2A37B401 for ; Tue, 14 Jan 2003 02:08:47 -0800 (PST) Received: from one.mteege.de (one.mteege.de [81.2.131.61]) by mx1.FreeBSD.org (Postfix) with SMTP id 4A8DB43F18 for ; Tue, 14 Jan 2003 02:08:45 -0800 (PST) (envelope-from matthias@mteege.de) Received: (qmail 56597 invoked by uid 66); 11 Jan 2003 12:25:33 -0000 Received: (qmail 41561 invoked from network); 11 Jan 2003 12:23:35 -0000 Received: from gic.mteege.de (HELO mteege.de) (192.168.153.10) by 0 with SMTP; 11 Jan 2003 12:23:35 -0000 Received: (qmail 34125 invoked by uid 1001); 11 Jan 2003 12:23:35 -0000 Date: Sat, 11 Jan 2003 13:23:34 +0100 From: Matthias Teege To: freebsd-security@freebsd.org Subject: ESP input: no key association found for spi Message-ID: <20030111122334.GB33642@gic.mteege.de> Mail-Followup-To: Matthias Teege , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Moin, i connected a OpenBSD/isakmpd and a FreeBSD/racoon router together with IPSec and the tunnel is up know. 
But on the FreeBSD side I get the following messages: Jan 11 13:05:01 bullet /kernel: IPv4 ESP input: no key association found for spi 15572638 Jan 11 13:06:41 bullet /kernel: IPv4 ESP input: no key association found for spi 175788114 Jan 11 13:08:21 bullet /kernel: IPv4 ESP input: no key association found for spi 242915680 Jan 11 13:12:31 bullet /kernel: IPv4 ESP input: no key association found for spi 180762712 Jan 11 13:13:46 bullet /kernel: IPv4 ESP input: no key association found for spi 263880410 Was does this mean? On the FreeBSD side I use the following setup #!/bin/sh setkey -FP setkey -F setkey -c << EOF spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.9.9-192.168.9.11; spdadd 0.0.0.0/0 192.168.0.0/24 any -P out ipsec esp/tunnel/192.168.9.11-192.168.9.9; bullet# setkey -DP 192.168.0.0/24[any] 0.0.0.0/0[any] any in ipsec esp/tunnel/192.168.9.9-192.168.9.11/default spid=73 seq=1 pid=95831 refcnt=1 0.0.0.0/0[any] 192.168.0.0/24[any] any out ipsec esp/tunnel/192.168.9.11-192.168.9.9/default spid=74 seq=0 pid=95831 refcnt=1 bullet# raccon.conf # $KAME: racoon.conf.in,v 1.18 2001/08/16 06:33:40 itojun Exp $ # "path" must be placed before it should be used. # You can overwrite which you defined, but it should not use due to confusing. path include "/usr/local/etc/racoon" ; #include "remote.conf" ; # search this file for pre_shared_key with various ID key. path pre_shared_key "/usr/local/etc/racoon/psk.txt" ; # racoon will look for certificate file in the directory, # if the certificate/certificate request payload is received. path certificate "/usr/local/etc/cert" ; # "log" specifies logging level. It is followed by either "notify", "debug" # or "debug2". #log debug; # "padding" defines some parameter of padding. You should not touch these. padding { maximum_length 20; # maximum padding length. randomize off; # enable randomize length. strict_check off; # enable strict check. exclusive_tail off; # extract last one octet. 
} # if no listen directive is specified, racoon will listen to all # available interface addresses. listen { #isakmp ::1 [7000]; #isakmp 202.249.11.124 [500]; isakmp 192.168.9.11 [500]; #admin [7002]; # administrative's port by kmpstat. strict_address; # required all addresses must be bound. } # Specification of default various timer. timer { # These value can be changed per remote node. counter 5; # maximum trying count to send. interval 20 sec; # maximum interval to resend. persend 1; # the number of packets per a send. # timer for waiting to complete each phase. phase1 30 sec; phase2 15 sec; } remote 192.168.9.9 { exchange_mode main,aggressive; #exchange_mode aggressive,main; #exchange_mode main; doi ipsec_doi; situation identity_only; my_identifier address 192.168.9.11; peers_identifier address 192.168.9.9; #my_identifier user_fqdn "sakane@kame.net"; #peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; #lifetime time 1 min; # sec,min,hour lifetime time 60 min; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } remote anonymous { exchange_mode main,aggressive; #exchange_mode aggressive,main; #exchange_mode main; doi ipsec_doi; situation identity_only; #my_identifier address; my_identifier user_fqdn "sakane@kame.net"; peers_identifier user_fqdn "sakane@kame.net"; #certificate_type x509 "mycert" "mypriv"; nonce_size 16; #lifetime time 1 min; # sec,min,hour lifetime time 60 min; # sec,min,hour initial_contact on; support_mip6 on; proposal_check obey; # obey, strict or claim proposal { encryption_algorithm 3des; hash_algorithm sha1; authentication_method pre_shared_key ; dh_group 2 ; } } remote ::1 [8000] { #exchange_mode main,aggressive; exchange_mode aggressive,main; doi ipsec_doi; situation identity_only; my_identifier user_fqdn "sakane@kame.net"; 
    peers_identifier user_fqdn "sakane@kame.net";
    #certificate_type x509 "mycert" "mypriv";
    nonce_size 16;
    lifetime time 1 min;   # sec,min,hour
    proposal {
        encryption_algorithm 3des;
        hash_algorithm sha1;
        authentication_method pre_shared_key ;
        dh_group 2 ;
    }
}

sainfo anonymous {
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

sainfo address 192.168.9.11 any address 192.168.9.9 any {
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm 3des ;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate ;
}

sainfo address 203.178.141.209 any address 203.178.141.218 any {
    pfs_group 1;
    lifetime time 30 sec;
    encryption_algorithm des ;
    authentication_algorithm hmac_md5;
    compression_algorithm deflate ;
}

sainfo address ::1 icmp6 address ::1 icmp6 {
    pfs_group 1;
    lifetime time 60 sec;
    encryption_algorithm 3des, cast128, blowfish 448, des ;
    authentication_algorithm hmac_sha1, hmac_md5 ;
    compression_algorithm deflate ;
}

Thanks for any hint

See you
Matthias
--
Matthias Teege -- matthias@mteege.de -- http://www.mteege.de
make world not war
PGP key on request

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jan 15 6:13:25 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E70D37B401 for ; Wed, 15 Jan 2003 06:13:20 -0800 (PST)
Received: from relay1.ntu-kpi.kiev.ua (www.ntu-kpi.kiev.ua [212.111.192.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id D77D543E4A for ; Wed, 15 Jan 2003 06:13:14 -0800 (PST) (envelope-from nikolay@asu.ntu-kpi.kiev.ua)
Received: by relay1.ntu-kpi.kiev.ua (Postfix, from userid 426) id 86DD919C19; Wed, 15 Jan 2003 16:13:03 +0200 (EET)
Received: from onyx.asu.ntu-kpi.kiev.ua (eth0.onyx.asu.ntu-kpi.kiev.ua [10.18.16.2]) by relay1.ntu-kpi.kiev.ua (Postfix) with ESMTP id 51CCB19C17 for ; Wed, 15 Jan 2003 16:13:02 +0200 (EET)
Received: from drweb by onyx.asu.ntu-kpi.kiev.ua with drweb-scanned (Exim 4.10) id 18YoHu-000IFc-00 for freebsd-security@FreeBSD.org; Wed, 15 Jan 2003 16:13:02 +0200
Received: from nikolay by onyx.asu.ntu-kpi.kiev.ua with local (Exim 4.10) id 18YoHt-000IFW-00 for freebsd-security@FreeBSD.org; Wed, 15 Jan 2003 16:13:01 +0200
Date: Wed, 15 Jan 2003 16:13:01 +0200
From: "Nikolay Y. Orlyuk"
To: freebsd-security@FreeBSD.org
Subject: Fw: [freebsd] Re: Compiling tripwire in FreeBSD
Message-ID: <20030115141301.GA69577@asu.ntu-kpi.kiev.ua>
Mail-Followup-To: freebsd-security@FreeBSD.org
Mime-Version: 1.0
Content-Type: message/rfc822
Content-Disposition: inline
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Return-path:
Envelope-to: nikolay@asu.ntu-kpi.kiev.ua
Delivery-date: Tue, 14 Jan 2003 14:16:54 +0200
Received: from drweb by onyx.asu.ntu-kpi.kiev.ua with drweb-scanned (Exim 4.10) id 18YPzy-0007Qv-00 for nikolay@asu.ntu-kpi.kiev.ua; Tue, 14 Jan 2003 14:16:54 +0200
Received: from www.ntu-kpi.kiev.ua ([10.2.1.8] helo=relay1.ntu-kpi.kiev.ua) by onyx.asu.ntu-kpi.kiev.ua with esmtp (Exim 4.10) id 18YPzy-0007Qp-00 for nikolay@asu.ntu-kpi.kiev.ua; Tue, 14 Jan 2003 14:16:54 +0200
Received: by relay1.ntu-kpi.kiev.ua (Postfix, from userid 426) id 2F16519C3B; Tue, 14 Jan 2003 14:16:54 +0200 (EET)
Received: from postfix.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by relay1.ntu-kpi.kiev.ua (Postfix) with ESMTP id AC0C019CEC for ; Tue, 14 Jan 2003 14:16:09 +0200 (EET)
Received: by postfix.osdn.org.ua (Postfix:listserv) id 656331A6A0; Tue, 14 Jan 2003 14:15:50 +0200 (EET)
Received: by postfix.osdn.org.ua (Postfix:listserv, from userid 54) id 28ABB1A68D; Tue, 14 Jan 2003 14:15:49 +0200 (EET)
Received: from kurush.osdn.org.ua (majordom@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.6/8.12.6) with ESMTP id h0ECFmGY096008; Tue, 14 Jan 2003 14:15:48 +0200 (EET) (envelope-from majordom@kurush.osdn.org.ua)
Received: (from majordom@localhost) by kurush.osdn.org.ua (8.12.6/8.12.6/Submit) id h0ECFmEO096007; Tue, 14 Jan 2003 14:15:48 +0200 (EET)
Received: from relay1.ntu-kpi.kiev.ua (www.ntu-kpi.kiev.ua [212.111.192.161]) by kurush.osdn.org.ua (8.12.6/8.12.6) with ESMTP id h0ECFaGY096001 for ; Tue, 14 Jan 2003 14:15:46 +0200 (EET) (envelope-from nikolay@asu.ntu-kpi.kiev.ua)
Received: by relay1.ntu-kpi.kiev.ua (Postfix, from userid 426) id 0CE5B19BB0; Tue, 14 Jan 2003 14:15:29 +0200 (EET)
Received: from onyx.asu.ntu-kpi.kiev.ua (eth0.onyx.asu.ntu-kpi.kiev.ua [10.18.16.2]) by relay1.ntu-kpi.kiev.ua (Postfix) with ESMTP id 586C919BA6 for ; Tue, 14 Jan 2003 14:15:27 +0200 (EET)
Received: from drweb by onyx.asu.ntu-kpi.kiev.ua with drweb-scanned (Exim 4.10) id 18YPyZ-0007Pz-00 for freebsd@FreeBSDDiary.org.ua; Tue, 14 Jan 2003 14:15:27 +0200
Received: from nikolay by onyx.asu.ntu-kpi.kiev.ua with local (Exim 4.10) id 18YPyY-0007Pt-00 for freebsd@FreeBSDDiary.org.ua; Tue, 14 Jan 2003 14:15:26 +0200
Date: Tue, 14 Jan 2003 14:15:26 +0200
From: "Nikolay Y. Orlyuk"
To: freebsd@FreeBSDDiary.org.ua
Subject: [freebsd] Re: Compiling tripwire in FreeBSD
Message-ID: <20030114121526.GD25101@asu.ntu-kpi.kiev.ua>
Reply-To: freebsd@FreeBSDDiary.org.ua
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
In-Reply-To:
User-Agent: Mutt/1.5.1i
Sender: owner-freebsd@osdn.org.ua
Precedence: bulk
List-Post:
List-ID:
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:

On Mon, Jan 13, 2003 at 04:53:52PM +0200, Liran Siglat wrote:
> Hi,
Hi
>
> I'm trying to compile ("gmake debug") tripwire-2.3.1-2 on FreeBSD 4.3 with no success.
> I've downloaded tripwire from the FreeBSD site.
>
> I have uncommented the following line in the main Makefile: `SYSPRE = i386-unknown-freebsd`
This can be set with the help of autoconf; it treats your system and writes it in canonical format. If you run config.guess it will print this string.
>
> The error I receive is:
>
> In file included from ../stlport/stdexcept:33,
>                  from ../stlport/stl/_ios_base.h:22,
>                  from ../stlport/stl/_streambuf.h:21,
>                  from ../stlport/streambuf:31,
>                  from ../stlport/stl/_stream_iterator.h:47,
>                  from ../stlport/iterator:39,
>                  from ../stlport/istream:35,
>                  from ../stlport/stl/_complex.h:52,
>                  from ../stlport/complex:37,
>                  from complex.cpp:21:
*> ../stlport/exception:46: ../include/exception: No such file or directory
> In file included from ../stlport/stl/_alloc.h:68,
>                  from ../stlport/stdexcept:41,
>                  from ../stlport/stl/_ios_base.h:22,
>                  from ../stlport/stl/_streambuf.h:21,
>                  from ../stlport/streambuf:31,
>                  from ../stlport/stl/_stream_iterator.h:47,
>                  from ../stlport/iterator:39,
>                  from ../stlport/istream:35,
>                  from ../stlport/stl/_complex.h:52,
>                  from ../stlport/complex:37,
>                  from complex.cpp:21:
*> ../stlport/new:47: ../include/new: No such file or directory
> In file included from ../stlport/stl/_locale.h:26,
>                  from ../stlport/stl/_ios_base.h:25,
>                  from ../stlport/stl/_streambuf.h:21,
>                  from ../stlport/streambuf:31,
>                  from ../stlport/stl/_stream_iterator.h:47,
>                  from ../stlport/iterator:39,
>                  from ../stlport/istream:35,
>                  from ../stlport/stl/_complex.h:52,
>                  from ../stlport/complex:37,
>                  from complex.cpp:21:
*> ../stlport/typeinfo:27: ../include/typeinfo: No such file or directory
> gmake[4]: *** [obj/GCC/Release/complex.o] Error 1
>
I think you must locate these files (which are marked "No such file"), and if they have the same prefix (a directory relative to which they can be found, including with dots moving), that prefix must be included as -Iprefix in the flags for gcc, cpp, and other things which work like preprocessors and process the #include directive.
>
> Has anyone had any success with compiling tripwire - Any help would be appreciated.
I don't know what tripwire is.

P.S. If they are absent, then it will be reasonable to find out why it wants them.

> P.S. Sorry I missed last time to other maillist

--
With best wishes
Nikolay
mail: nikolay@asu.ntu-kpi.kiev.ua

===================================================================
freebsd mailing list.
To Unsubscribe: send mail to majordomo@freebsddiary.org.ua
with "unsubscribe freebsd" in the body of the message

From owner-freebsd-security Wed Jan 15 15:14:33 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0EB337B401 for ; Wed, 15 Jan 2003 15:14:31 -0800 (PST)
Received: from internet.simplifiedtechnology.com (internet.simplifiedtechnology.com [168.103.109.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 10E4643F1E for ; Wed, 15 Jan 2003 15:14:31 -0800 (PST) (envelope-from GregoryC@stcinc.com)
Received: from stcinc.com ([10.1.1.2]) by internet.simplifiedtechnology.com (8.10.2/8.10.2) with ESMTP id h0FNJQ999340; Wed, 15 Jan 2003 15:19:30 -0800 (PST)
Message-ID: <3E25EC21.CF412BEA@stcinc.com>
Date: Wed, 15 Jan 2003 15:17:53 -0800
From: Gregory Carvalho
Organization: Simplified Technology Company
X-Mailer: Mozilla 4.51 [en] (X11; I; FreeBSD 3.2-RELEASE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: Matthias Teege
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ESP input: no key association found for spi
References: <20030111122334.GB33642@gic.mteege.de>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

The error indicates to me that the SPI contains no valid SPD entry for the SADB entry.
While all your sample numbers match, I'll change them to create the error (I just changed the first occurrence of 192.168.9.11 to 192.168.9.12):

spdadd 192.168.0.0/24 0.0.0.0/0 any -P in ipsec esp/tunnel/192.168.9.9-192.168.9.12;

bullet# setkey -DP
192.168.0.0/24[any] 0.0.0.0/0[any] any
        in ipsec
        esp/tunnel/192.168.9.9-192.168.9.11/default
        spid=73 seq=1 pid=95831
        refcnt=1

I hope this helps you find the answer.

-GCC

From owner-freebsd-security Fri Jan 17 8:52:59 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7078A37B401; Fri, 17 Jan 2003 08:52:54 -0800 (PST)
Received: from mail.online.ie (mail.online.ie [213.159.130.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2DE8843EB2; Fri, 17 Jan 2003 08:52:53 -0800 (PST) (envelope-from relyod@cooperationireland.org)
Received: from cooperationireland.org (unknown [217.67.143.158]) by mail.online.ie (Postfix) with ESMTP id 00F887046; Fri, 17 Jan 2003 16:52:46 +0000 (GMT)
Received: from IT3 (it3 [199.107.2.144]) by cooperationireland.org (8.11.1/8.11.1) with SMTP id h0HGqhX03948; Fri, 17 Jan 2003 16:52:44 GMT (envelope-from relyod@cooperationireland.org)
Message-Id: <3.0.5.32.20030117165243.00ba6ca0@199.107.2.1>
X-Sender: relyod@199.107.2.1
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (32)
Date: Fri, 17 Jan 2003 16:52:43 +0000
To: questions@freebsd.org, security@freebsd.org
From: Mike Doyle
Subject: Help needed configuring racoon
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Hi,

I think I need a little help configuring a VPN using FreeBSD and racoon.
At the moment I have got as far as compiling an IPSec enabled kernel, and running racoon. When I try to ping a machine on the other end of the tunnel, racoon fails to negotiate key exchange. On debug level 1, the message in the log file is:

> ERROR: pfkey.c:1604:pk_recvacquire(): failed to get sainfo.

For any experts out there, I would be happy to send copies of any relevant log files and/or config files. However, given that these are the two firewalls protecting my LANs, I don't want to post configuration info to a public forum.

PS: I'm not subscribed to questions, but I do check the web-archives so please email me directly if you're prepared to help.

<>< ============================================================= ><>
Michael Doyle                    email: relyod@cooperationireland.org
Network Administrator            personal email: relyod@indigo.ie
Co-operation Ireland             http://www.cooperationireland.org/
Phone: +353-1-661 0588           Fax: +353-1-661 8456
*********************************************************************
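The diagnosis Gregory gives above (an SPD tunnel endpoint that no SA in the SADB matches, the typo 192.168.9.12 against an SA ending at 192.168.9.11) is easy to check mechanically rather than by eye. The following is an added example for this thread, not code from the list, from KAME or from FreeBSD: it parses the output of `setkey -DP` in the layout Gregory pastes and the output of `setkey -D` in the layout I remember from KAME (the SAD layout, with `esp mode=tunnel spi=...` on an indented line under a `src dst` header, is an assumption), and reports every `ipsec` policy whose endpoint pair, protocol and mode have no SA. The names `Policy`, `SA`, `parse_spd`, `parse_sad`, `host_of`, `unmatched_policies` and `report` are my own, and both sample outputs are constructed to reproduce Gregory's mismatch.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed `setkey -DP` output (KAME layout). The inbound policy (spid=73)
# carries the deliberately wrong tunnel endpoint 192.168.9.12 from the thread.
SAMPLE_SPD = """\
0.0.0.0/0[any] 192.168.0.0/24[any] any
\tin ipsec
\tesp/tunnel/192.168.9.9-192.168.9.12/default
\tspid=73 seq=1 pid=95831
\trefcnt=1
192.168.0.0/24[any] 0.0.0.0/0[any] any
\tout ipsec
\tesp/tunnel/192.168.9.11-192.168.9.9/default
\tspid=74 seq=0 pid=95831
\trefcnt=1
"""

# Constructed `setkey -D` output (key material lines omitted; layout assumed):
# one mature SA each way, with 192.168.9.11 as the local tunnel endpoint.
SAMPLE_SAD = """\
192.168.9.9 192.168.9.11
\tesp mode=tunnel spi=305419896(0x12345678) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
192.168.9.11 192.168.9.9
\tesp mode=tunnel spi=2271560481(0x87654321) reqid=0(0x00000000)
\tseq=0x00000000 replay=4 flags=0x00000000 state=mature
"""

@dataclass(frozen=True)
class Policy:
    src: str                  # selector addresses as printed, e.g. 10.0.0.0/24[any]
    dst: str
    direction: str            # in / out / fwd
    action: str               # ipsec / discard / none
    proto: Optional[str]      # esp / ah / ipcomp
    mode: Optional[str]       # tunnel / transport
    tun_src: Optional[str]    # outer tunnel endpoints, None in transport mode
    tun_dst: Optional[str]
    spid: Optional[int]

@dataclass(frozen=True)
class SA:
    src: str
    dst: str
    proto: str
    mode: str
    spi: int

SEL_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s*$")
DIR_RE = re.compile(r"^\s+(in|out|fwd)\s+(ipsec|discard|none)\s*$")
TUN_RE = re.compile(r"^\s+(esp|ah|ipcomp)/(tunnel|transport)/(?:([^-/]+)-([^/]+))?/(\w+)")
SPID_RE = re.compile(r"^\s+spid=(\d+)")
SAHDR_RE = re.compile(r"^(\S+)\s+(\S+)\s*$")
SALINE_RE = re.compile(r"^\s+(esp|ah|ipcomp)\s+mode=(\w+)\s+spi=(\d+)\(")

def parse_spd(text: str) -> List[Policy]:
    """Parse `setkey -DP`: each unindented selector line starts a policy."""
    policies: List[Policy] = []
    cur: Optional[dict] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            if cur is not None:
                policies.append(Policy(**cur))
            m = SEL_RE.match(line)
            cur = dict(src=m.group(1), dst=m.group(2), direction="", action="",
                       proto=None, mode=None, tun_src=None, tun_dst=None,
                       spid=None) if m else None
            continue
        if cur is None:
            continue
        if (m := DIR_RE.match(line)):
            cur["direction"], cur["action"] = m.group(1), m.group(2)
        elif (m := TUN_RE.match(line)):
            cur["proto"], cur["mode"] = m.group(1), m.group(2)
            cur["tun_src"], cur["tun_dst"] = m.group(3), m.group(4)
        elif (m := SPID_RE.match(line)):
            cur["spid"] = int(m.group(1))
    if cur is not None:
        policies.append(Policy(**cur))
    return policies

def parse_sad(text: str) -> List[SA]:
    """Parse `setkey -D`: an unindented `src dst` line, then one line per SA."""
    sas: List[SA] = []
    src = dst = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            m = SAHDR_RE.match(line)
            src, dst = (m.group(1), m.group(2)) if m else (None, None)
            continue
        m = SALINE_RE.match(line)
        if m and src is not None:
            sas.append(SA(src, dst, m.group(1), m.group(2), int(m.group(3))))
    return sas

def host_of(selector: str) -> str:
    """Strip the /prefix and [port] decorations from a policy selector."""
    return re.sub(r"(/\d+)?(\[[^\]]*\])?$", "", selector)

def unmatched_policies(policies: List[Policy], sas: List[SA]) -> List[Tuple[Policy, str]]:
    """Every `ipsec` policy the SAD cannot serve, each with a reason.

    A tunnel-mode policy needs an SA whose (src, dst, proto, mode) equal its
    tunnel spec; a transport-mode policy is keyed on the selector hosts.
    """
    exact = {(s.src, s.dst, s.proto, s.mode) for s in sas}
    pairs = {(s.src, s.dst) for s in sas}
    bad: List[Tuple[Policy, str]] = []
    for p in policies:
        if p.action != "ipsec" or p.proto is None:
            continue
        if p.mode == "tunnel":
            src, dst = p.tun_src, p.tun_dst
        else:
            src, dst = host_of(p.src), host_of(p.dst)
        if (src, dst, p.proto, p.mode) in exact:
            continue
        if (src, dst) in pairs:
            bad.append((p, f"SA for {src} -> {dst} exists but not as {p.proto}/{p.mode}"))
        else:
            bad.append((p, f"no SA at all for {src} -> {dst}"))
    return bad

def report(spd_text: str, sad_text: str) -> List[str]:
    """One line per policy that `setkey -D` cannot satisfy; empty when all match."""
    return [f"spid={p.spid} {p.direction} {p.src} -> {p.dst}: {why}"
            for p, why in unmatched_policies(parse_spd(spd_text), parse_sad(sad_text))]
```

On a live FreeBSD host the intended call is `report()` on the captured text of `setkey -DP` and `setkey -D`; on the constructed samples it returns the single line `spid=73 in 0.0.0.0/0[any] -> 192.168.0.0/24[any]: no SA at all for 192.168.9.9 -> 192.168.9.12`, and an empty list once the endpoint is corrected to 192.168.9.11. The two reasons are kept apart on purpose: "no SA at all" points at a typo in the endpoint (Gregory's case), while "exists but not as esp/tunnel" points at a protocol or mode disagreement between `spdadd` and the negotiated SA.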