From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 10:14:52 2003
From: "Mike Loiterman"
Reply-To: mike@ascendency.net
To: freebsd-security@freebsd.org
Date: Fri, 28 Mar 2003 05:01:13 -0600
Message-ID: <020801c2f519$62e27130$0301a8c0@mike>
Subject: RE: Bindshell rootkit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OK... did some checking. I forgot to mention that I killed syslogd dead. Not just a -HUP but an actual kill and restart. I did this several times. I was trying to get something else to work.

Anyway, I killed it again this morning and restarted. The "infected" message went away immediately.

Could this have been the problem?
- ------------------------------
Mike Loiterman
grantADLER Medical Corporation
Ph: 630-302-4944
Fax: 773-868-0071
PGP Key 0xD1B9D18E

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: This message has been digitally signed by Mike Loiterman

iQA/AwUBPoQreGjZbUnRudGOEQKlKQCg3A7qjZeuOR8xRy1Y2mwhPXo1wSkAnji1
/ZHe/l+5pciz+K01oFG0hxwo
=+qca
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 10:14:55 2003
From: "Mike Loiterman"
Reply-To: mike@ascendency.net
To: freebsd-security@freebsd.org
Date: Fri, 28 Mar 2003 04:41:32 -0600
Message-ID: <020301c2f516$9ab16d80$0301a8c0@mike>
Subject: Bindshell rootkit

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I was just running chkrootkit on my system and it is reporting bindshell as infected on port 114.

Other than that message, my system is clean. Tripwire doesn't detect any changes and nothing else (daily run or security report) gave any unusual errors.

The chkrootkit README says that running PORTSENTRY or klaxon will give a false positive, but I'm running neither. I suspect something else (legitimate) is running. How can I determine for sure? Is my system really compromised?
- ------------------------------
Mike Loiterman
grantADLER Medical Corporation
Ph: 630-302-4944
Fax: 773-868-0071
PGP Key 0xD1B9D18E

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0
Comment: This message has been digitally signed by Mike Loiterman

iQA/AwUBPoQm22jZbUnRudGOEQLH5gCg9qMRGxjNIDLKcxInyKMESZPf03IAn1hK
Mds09fVPu9eDz6fVQ+WQ6wkN
=Bx9q
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 11:06:37 2003
Date: Sun, 30 Mar 2003 11:06:30 -0800
From: Erick Mechler
To: Mike Loiterman
cc: freebsd-security@freebsd.org
Message-ID: <20030330190630.GB651@techometer.net>
In-Reply-To: <020801c2f519$62e27130$0301a8c0@mike>
Subject: Re: Bindshell rootkit

:: Anyway, I killed it again this morning and restarted. The infect
:: message went away immediately.
::
:: Could this have been the problem?

Could have been, but there's no way to be sure now. When you had the chance, 'lsof -i tcp:114' would have told you what process was bound to TCP/114.

Cheers - Erick

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 11:12:53 2003
Message-Id: <200303301912.h2UJCq5b096227@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Date: Sun, 30 Mar 2003 13:12:52 -0600
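What Erick's reply asks for, as an added example that is not part of any message in this thread: a small sh script that answers "which process owns this port" from sockstat(1) output (the FreeBSD-native equivalent of the lsof invocation above) and can be rerun against the live system. chkrootkit's bindshell test only looks for a listener on one of a fixed list of port numbers (114 among them, as the original question shows), so the useful check is to map the port to a PID and command while the socket is still open. The sockstat output below is constructed for the demonstration; the PIDs and the tcp/114 listener are invented.

```sh
#!/bin/sh
# Added example (not from the thread): resolve a chkrootkit "bindshell"
# hit on a port number to the process that owns the socket. The sample
# output is constructed to look like `sockstat -4 -l` on FreeBSD; the
# PIDs and the tcp/114 listener are invented for the demonstration.

SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       312   4  tcp4   *:22                  *:*
root     syslogd    201   5  udp4   *:514                 *:*
nobody   unknown    4421  3  tcp4   *:114                 *:*'

# listeners_on_port PORT [PROTO]
# Reads sockstat(1)-style output on stdin and prints "user command pid"
# for every socket of PROTO (default tcp) whose local address ends in
# :PORT. The anchored match keeps :114 from also matching :1140 or :9114.
listeners_on_port() {
    port=$1
    proto=${2:-tcp}
    awk -v proto="$proto" -v pat=":$port\$" \
        '$5 ~ ("^" proto) && $6 ~ pat { print $1, $2, $3 }'
}

# live_listeners PORT
# The same query against the running system: sockstat where it exists
# (FreeBSD), otherwise the lsof form suggested in the thread.
live_listeners() {
    if command -v sockstat >/dev/null 2>&1; then
        sockstat -4 -l | listeners_on_port "$1"
    elif command -v lsof >/dev/null 2>&1; then
        lsof -nP -iTCP:"$1" -sTCP:LISTEN
    else
        echo "neither sockstat nor lsof found" >&2
        return 2
    fi
}

# Demonstration on the constructed sample: PID 4421 owns tcp/114, while
# syslogd in this sample holds only udp/514. Note the protocol argument:
# a udp listener is not reported unless you ask for udp.
printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on_port 114
printf '%s\n' "$SAMPLE_SOCKSTAT" | listeners_on_port 514 udp
```

Run `live_listeners 114` as root while chkrootkit is still complaining, and record the command and PID before killing anything. Both chkrootkit and sockstat read the same kernel socket list, so agreement between them says nothing about a kernel-level rootkit; it only tells you which userland process the kernel admits owns the port, which is exactly what was missing once syslogd had been restarted.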
From: Martin McCormick
Subject: Re: How did I Break ssh?

This is Martin McCormick again. I haven't yet fixed my problem with ssh not being able to write in my home directory, but I am hot on the trail. I have another question, but first I will tell all of you what I found out so anybody else who wants to try the same thing will know what to expect.

As I originally said, I started out with a minimal installation of FreeBSD and then extracted a tar ball made from the root drive of another system to fill out the installation. My problem of not being able to get ssh to write new host keys into ~/.ssh/known_hosts was obviously a permission problem, but what could it be?

I finally found that the symbolic link between /home and /usr/home on the two cloned systems had the mode of 755 or rwxr-xr-x. Any link one normally makes has these permissions with the default umask controlling exactly what one gets. The man page for chmod says that the -H option lets you change the link's permissions, but I could never get it to work. The bits seem to stay the same no matter what. I discovered that I could delete the link, set my umask to 0 and remake it and I did get the right permissions, which for the /home link are 777. This did not fix the problem, but I think there is probably another link I haven't noticed yet that is set wrong.

What I found out is that the extraction process did not restore any of the links whose bits were all 1's. On one FreeBSD system, I have over 700 rwxrwxrwx links. On the cloned system I am trying to fix, I found only 5 and those were ones I had manually reset.
My question is whether there is an easier way to set the bits on a link than deleting it, setting the umask to 0 and remaking it, of course, hoping that I don't botch the new link. :-)

chmod -H 777 existing_link

has no effect. Is there a proper way to do the tar extraction that faithfully preserves all the permissions? This is a mess, but at least I know what is most likely wrong now.

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 13:21:07 2003
Date: Sun, 30 Mar 2003 13:21:04 -0800 (PST)
Message-Id: <200303302121.h2ULL47f023145@freefall.freebsd.org>
From: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:07.sendmail                                   Security Advisory
                                                          The FreeBSD Project

Topic:          a second sendmail header parsing buffer overflow

Category:       contrib
Module:         contrib_sendmail
Announced:      2003-03-30
Credits:        Michal Zalewski
Affects:        All releases prior to 4.8-RELEASE and 5.0-RELEASE-p7
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-03-29 19:34:13 UTC (RELENG_4)
                2003-03-29 21:58:11 UTC (RELENG_5_0)
                2003-03-29 21:58:05 UTC (RELENG_4_7)
                2003-03-29 21:57:58 UTC (RELENG_4_6)
                2003-03-29 21:57:52 UTC (RELENG_4_5)
                2003-03-29 21:57:45 UTC (RELENG_4_4)
                2003-03-29 21:57:36 UTC (RELENG_4_3)
                2003-03-29 20:09:48 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mail routing facility, as the default Mail Transfer Agent (MTA).

II.  Problem Description

A buffer overflow that may occur during header parsing was identified. The overflow is possible due to a programming error involving type conversions in the C programming language.

NOTE WELL: This issue is distinct from the issue described in `FreeBSD-SA-03:04.sendmail', although the impact is very similar.

III. Impact

A remote attacker could create a specially crafted message that may cause sendmail to execute arbitrary code with the privileges of the user running sendmail, typically root.
The malicious message might be handled (and the vulnerability triggered) by the initial sendmail MTA, by any relaying sendmail MTA, or by the delivering sendmail process.

Exploiting this defect is particularly difficult, but is believed to be possible.

The defect in the ident routines is not believed to be exploitable.

IV.  Workaround

There is no workaround, other than not using sendmail.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 4.8-RELEASE; or to the RELENG_5_0, RELENG_4_7, or RELENG_4_6 security branch dated after the correction date (5.0-RELEASE-p7, 4.7-RELEASE-p10, or 4.6.2-RELEASE-p13, respectively).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.0, 4.7, and 4.6 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install

c) Restart sendmail. Execute the following command as root.

# /bin/sh /etc/rc.sendmail restart

3) For i386 systems only, a patched sendmail binary is available. Select the correct binary based on your FreeBSD version and whether or not you want STARTTLS support. If you want STARTTLS support, you must have the crypto distribution installed.

a) Download the relevant binary from the location below, and verify the detached PGP signature using your PGP utility.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.6-i386-nocrypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-4.7-i386-nocrypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-crypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-crypto.bin.gz.asc
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-nocrypto.bin.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:07/sendmail-5.0-i386-nocrypto.bin.gz.asc

b) Install the binary. Execute the following commands as root. Note that these examples utilize the FreeBSD 4.7 crypto binary. Substitute BINARYGZ with the name of the file which you downloaded in step (a).

# BINARYGZ=/path/to/sendmail-4.7-i386-crypto.bin.gz
# gunzip ${BINARYGZ}
# install -s -o root -g smmsp -m 2555 ${BINARYGZ%.gz} /usr/libexec/sendmail/sendmail

c) Restart sendmail. Execute the following command as root.

# /bin/sh /etc/rc.sendmail restart

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/sendmail/FREEBSD-upgrade                           1.1.2.16
  src/contrib/sendmail/RELEASE_NOTES                         1.1.1.3.2.15
  src/contrib/sendmail/cf/README                             1.1.1.3.2.15
  src/contrib/sendmail/cf/cf/submit.cf                        1.1.1.1.2.8
  src/contrib/sendmail/cf/m4/cfhead.m4                            1.3.6.8
  src/contrib/sendmail/cf/m4/proto.m4                        1.1.1.4.2.13
  src/contrib/sendmail/cf/m4/version.m4                      1.1.1.3.2.15
  src/contrib/sendmail/cf/mailer/usenet.m4                    1.1.1.2.6.3
  src/contrib/sendmail/contrib/buildvirtuser                  1.1.1.1.2.5
  src/contrib/sendmail/doc/op/op.me                          1.1.1.3.2.15
  src/contrib/sendmail/editmap/editmap.8                      1.1.1.1.2.2
  src/contrib/sendmail/include/sm/bdb.h                       1.1.1.1.2.2
  src/contrib/sendmail/include/sm/conf.h                      1.1.1.1.2.7
  src/contrib/sendmail/libmilter/docs/api.html                1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/design.html             1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/index.html              1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/installation.html       1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/other.html              1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/overview.html           1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/sample.html             1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/smfi_addheader.html     1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/smfi_addrcpt.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_chgheader.html     1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/smfi_delrcpt.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_getpriv.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_getsymval.html     1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/smfi_main.html          1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_register.html      1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_replacebody.html   1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_setbacklog.html    1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_setconn.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_setpriv.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/smfi_setreply.html      1.1.1.1.2.4
  src/contrib/sendmail/libmilter/docs/smfi_settimeout.html    1.1.1.1.2.3
  src/contrib/sendmail/libmilter/docs/xxfi_abort.html         1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_body.html          1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_close.html         1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_connect.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_envfrom.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_envrcpt.html       1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_eoh.html           1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_eom.html           1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_header.html        1.1.1.1.2.2
  src/contrib/sendmail/libmilter/docs/xxfi_helo.html          1.1.1.1.2.2
  src/contrib/sendmail/libsm/clock.c                          1.1.1.1.2.5
  src/contrib/sendmail/libsm/config.c                         1.1.1.1.2.3
  src/contrib/sendmail/mail.local/mail.local.c                   1.6.6.14
  src/contrib/sendmail/src/README                            1.1.1.3.2.14
  src/contrib/sendmail/src/collect.c                         1.1.1.4.2.12
  src/contrib/sendmail/src/conf.c                                1.5.2.14
  src/contrib/sendmail/src/deliver.c                         1.1.1.3.2.14
  src/contrib/sendmail/src/headers.c                             1.4.2.10
  src/contrib/sendmail/src/main.c                            1.1.1.3.2.15
  src/contrib/sendmail/src/milter.c                          1.1.1.1.2.16
  src/contrib/sendmail/src/parseaddr.c                       1.1.1.2.6.13
  src/contrib/sendmail/src/queue.c                           1.1.1.3.2.14
  src/contrib/sendmail/src/readcf.c                          1.1.1.4.2.14
  src/contrib/sendmail/src/sendmail.h                        1.1.1.4.2.15
  src/contrib/sendmail/src/sm_resolve.c                       1.1.1.1.2.3
  src/contrib/sendmail/src/srvrsmtp.c                        1.1.1.2.6.14
  src/contrib/sendmail/src/tls.c                              1.1.1.1.2.5
  src/contrib/sendmail/src/usersmtp.c                        1.1.1.3.2.12
  src/contrib/sendmail/src/version.c                         1.1.1.3.2.15
RELENG_5_0
  src/UPDATING                                                 1.229.2.13
  src/contrib/sendmail/src/conf.c                                1.18.2.1
  src/contrib/sendmail/src/parseaddr.c                       1.1.1.14.2.2
  src/contrib/sendmail/src/version.c                         1.1.1.16.2.1
  src/sys/conf/newvers.sh                                        1.48.2.8
RELENG_4_7
  src/UPDATING                                              1.73.2.74.2.13
  src/contrib/sendmail/src/conf.c                            1.5.2.11.2.1
  src/contrib/sendmail/src/parseaddr.c                   1.1.1.2.6.10.2.2
  src/contrib/sendmail/src/version.c                     1.1.1.3.2.12.2.1
  src/sys/conf/newvers.sh                                   1.44.2.26.2.12
RELENG_4_6
  src/UPDATING                                              1.73.2.68.2.41
  src/contrib/sendmail/src/conf.c                             1.5.2.8.2.1
  src/contrib/sendmail/src/parseaddr.c                    1.1.1.2.6.8.2.2
  src/contrib/sendmail/src/version.c                      1.1.1.3.2.9.2.1
  src/sys/conf/newvers.sh                                   1.44.2.23.2.30
RELENG_4_5
  src/UPDATING                                              1.73.2.50.2.43
  src/contrib/sendmail/src/conf.c                             1.5.2.6.4.1
  src/contrib/sendmail/src/parseaddr.c                    1.1.1.2.6.6.4.2
  src/contrib/sendmail/src/version.c                      1.1.1.3.2.7.4.1
  src/sys/conf/newvers.sh                                   1.44.2.20.2.27
RELENG_4_4
  src/UPDATING                                              1.73.2.43.2.43
  src/contrib/sendmail/src/conf.c                             1.5.2.6.2.1
  src/contrib/sendmail/src/parseaddr.c                    1.1.1.2.6.6.2.2
  src/contrib/sendmail/src/version.c                      1.1.1.3.2.7.2.1
  src/sys/conf/newvers.sh                                   1.44.2.17.2.34
RELENG_4_3
  src/UPDATING                                              1.73.2.28.2.31
  src/contrib/sendmail/src/conf.c                             1.5.2.4.2.1
  src/contrib/sendmail/src/parseaddr.c                    1.1.1.2.6.4.2.2
  src/contrib/sendmail/src/version.c                      1.1.1.3.2.4.2.1
  src/sys/conf/newvers.sh                                   1.44.2.14.2.21
RELENG_3
  src/contrib/sendmail/src/conf.c                                 1.3.2.3
  src/contrib/sendmail/src/parseaddr.c                        1.1.1.2.2.2
  src/contrib/sendmail/src/version.c                          1.1.1.2.2.2
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+h18lFdaIBMps37IRAg7lAJ9hJLEHlLsXV9Nq20Yw3E3470ZqdQCfX1Sv
BBClV+coK1zwzq/zWcfejME=
=eDvb
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 14:58:55 2003
Date: Sun, 30 Mar 2003 16:58:54 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20030330225854.GA35069@madman.celabo.org>
In-Reply-To: <200303302121.h2ULL47f023145@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail

On Sun, Mar 30, 2003 at 01:21:04PM -0800, FreeBSD Security Advisories wrote:
> The defect in the ident routines is not believed to be exploitable.

Oops, please ignore this sentence, Good Folks. It was obviously left in after the cut-n-paste from FreeBSD-SA-03:04.sendmail, and does not apply to this advisory. A later revision of the advisory will remove it.

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 17:03:38 2003
Date: Mon, 31 Mar 2003 11:03:25 +1000
To: Michael Richards
From: Christopher Smith
In-Reply-To: <3E82386C.000003.20487@ns.interchange.ca>
Message-Id: <93920598-6314-11D7-A85A-000502F96668@its.uq.edu.au>
cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?

On Thursday, March 27, 2003, at 09:31 AM, Michael Richards wrote:

> The problem here is really 2 pronged:
> 1) I need some means of realising that the firewall just died and
> transparently switching over to the backup or load balancing the two
> so if one dies the other takes up the slack.

This is really easy. Set up some sort of dedicated link between them (serial, UTP on its own port, wireless - we use UTP). Use some sort of heartbeat script to detect when the other machine (and/or its interfaces) is up or down. When the other machine goes down, have the backup box reconfigure its interfaces appropriately.

All our scripts basically do is sit there banging away with a ping and if the other machine doesn't respond, it takes over the other machine's IPs. We have a few redundant setups like this, and they can switch merrily between each machine and only lose one or two ping packets.

The catch is...

> 2) I need a means of syncing the state info so existing connections
> won't be torn down if they end up going through the other firewall.

This is really hard. Our firewalls are ipfilter based. ipfs(8) allows state tables to be saved and restored. However, there are some major problems:

1. While ipfs is saving the state tables, the state table is locked for writing *and reading*. This effectively means your router stops routing for as long as it takes to save the state table (and even with only a modest number of states - 4000 or so - it takes a good second or two on a dual 1GHz P3).

2. The saved state table doesn't always reload correctly on the other machine (it often causes kernel panics when it reloads, or leaves the state table in such a way that no new states can be added), thus largely defeating the purpose of having a redundant firewall.

3. When ipfs reloads the state table it completely overwrites any existing state table. So, your failover machine can't be doing any other firewalling or routing.

4. Any new states created since the last time the state table was saved will not be duplicated when it is reloaded.

I spent months fiddling around with periodically saving the state table, copying it to another machine and reloading it to get a kludgy form of stateful failover working but couldn't get it to work reliably. Since I don't have the programming skills or knowledge to modify IPFilter to do it "properly" I am waiting for someone else to do so.

Darren is apparently working on state table syncing with IPFilter 4.0. This should (at the very least) allow machines to be set up in a hot-spare style arrangement with all states added to the table on one machine also added on the other (via a dedicated link). So the initial method of just reconfiguring the interfaces on the fly should work fine. Bear in mind, however, this has been in the works for at least a year. Ideally it will allow selective addition and removal of state table entries and the ability to sync state tables between multiple machines.

I imagine there are people working on pf (OpenBSD) trying to do this sort of thing as well. I have no idea if the people working on ipfw are trying to implement such a system.

If I had to make a prediction, I'd say the OpenBSD guys will get there first with pf. If they do, they'll really have a killer app in the firewalling market.

> Sounds like a solution people would normally pay an obscene amount of
> money for but I'd be surprised if there isn't a way to do this. Maybe
> something with routing could do the balancing...

Yes, stateful failover does cost obscene amounts of money (AU$50k + for a Cisco solution - and that's with a discount). The only real problem involved is synchronising the state tables between machines.

-- 
+- Christopher Smith, Systems Administrator ------------------------------+
| Server & Security Group, Information Technology Services                |
| The University of Queensland, Brisbane, Australia, 4072                 |
+- Ph +61 7 3365 4046 | email csmith@its.uq.edu.au | Fax +61 7 3365 4065 -+

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 18:29:56 2003
Date: Sun, 30 Mar 2003 21:29:51 -0500 (EST)
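The heartbeat-and-takeover half of Christopher's setup, as an added example that is not his script: an sh loop that pings the peer over the dedicated link, takes over the shared addresses after a run of missed heartbeats, and gives them back as soon as the peer answers again. The interface name and all addresses are hypothetical (192.0.2.0/24 is a documentation range), and ifconfig and ping are spelled the FreeBSD way. It makes no attempt at the state-table half; as the message explains, ipfs(8) cannot do that safely, so connections that were flowing through the failed box are lost and only new ones survive the switch.

```sh
#!/bin/sh
# Added example (not from the thread): heartbeat-driven IP takeover between
# two firewalls over a dedicated link. Every address and interface below is
# an assumption for the demonstration; override them in the environment.

PEER_HB=${PEER_HB:-10.255.255.2}            # peer's address on the heartbeat link
SHARED_IF=${SHARED_IF:-fxp0}                # interface carrying the shared addresses
SHARED_IPS=${SHARED_IPS:-"192.0.2.1 192.0.2.2"}
MISS_LIMIT=${MISS_LIMIT:-3}                 # consecutive lost pings before takeover
INTERVAL=${INTERVAL:-1}                     # seconds between heartbeats

# next_misses PREV ALIVE: any answer resets the counter, silence counts up.
next_misses() {
    if [ "$2" = 1 ]; then echo 0; else echo $(($1 + 1)); fi
}

# next_state STATE MISSES
# standby -> active only after MISS_LIMIT consecutive misses, so one lost
# packet cannot flap the addresses; active -> standby as soon as the peer
# answers again, which keeps the window in which both boxes hold the
# addresses down to about one heartbeat interval.
next_state() {
    case "$1" in
        active) [ "$2" -eq 0 ] && echo standby || echo active ;;
        *)      [ "$2" -ge "$MISS_LIMIT" ] && echo active || echo standby ;;
    esac
}

# FreeBSD ifconfig spelling: "alias" adds a secondary address, "-alias"
# removes it. A host-sized netmask keeps the alias off the interface's
# primary subnet route.
take_over() {
    for ip in $SHARED_IPS; do
        ifconfig "$SHARED_IF" alias "$ip" netmask 255.255.255.255
    done
    logger -t failover "took over $SHARED_IPS on $SHARED_IF"
}

release() {
    for ip in $SHARED_IPS; do
        ifconfig "$SHARED_IF" -alias "$ip"
    done
    logger -t failover "released $SHARED_IPS"
}

# peer_alive: one echo request with a one-second deadline over the heartbeat
# link. FreeBSD ping(8) spells the deadline -t; GNU ping uses -w instead.
peer_alive() {
    ping -c 1 -t 1 "$PEER_HB" >/dev/null 2>&1 && echo 1 || echo 0
}

main_loop() {
    state=standby; misses=0
    while :; do
        misses=$(next_misses "$misses" "$(peer_alive)")
        new=$(next_state "$state" "$misses")
        if [ "$new" != "$state" ]; then
            case "$new" in active) take_over ;; standby) release ;; esac
            state=$new
        fi
        sleep "$INTERVAL"
    done
}

# Only loop when invoked as `sh failover.sh run`, so the decision functions
# can be sourced and exercised without touching any interface.
if [ "${1:-}" = run ]; then
    main_loop
fi
```

Run it as `sh failover.sh run` on both boxes. The obvious failure mode is the heartbeat link itself: if it dies while both machines are healthy, both go active and fight over the addresses, so before trusting this the ping should travel two independent paths, or the heartbeat should carry more than a bare ICMP echo.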
From: Matt Piechota
To: Martin McCormick
cc: freebsd-security@freebsd.org
In-Reply-To: <200303301912.h2UJCq5b096227@dc.cis.okstate.edu>
Message-ID: <20030330212752.W27978@cithaeron.argolis.org>
Subject: Re: How did I Break ssh?

On Sun, 30 Mar 2003, Martin McCormick wrote:

> Is there a proper way to do the tar extraction that
> faithfully preserves all the permissions? This is a mess, but at
> least I know what is most likely wrong now.

For doing OS type stuff, you should probably use dump(8). It handles things like hard-linked files and such better.

-- 
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Sun Mar 30 18:40:21 2003
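For Martin's two questions and Matt's answer, as an added example that is not from either message: on FreeBSD the chmod(1) flag that changes a symlink's own mode is -h, not -H (-H only controls whether links named on the command line are followed under -R), so `chmod -h 777 /home` does what deleting and remaking the link did. The sh script below then does the check a cloned system deserves whichever way it was copied: it lists mode, owner and group of every entry under both trees and diffs the listings, so a tar extraction that dropped link modes shows up as a list of paths instead of a mystery. It uses only ls(1) and find(1) so it behaves the same on FreeBSD and Linux; the paths in it are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread): verify that a clone of a system
# carries the same mode, owner and group on every entry as the original,
# and fix link modes in bulk with chmod -h where the platform supports it.

# entry_attrs ROOT
# Prints "mode owner group relative-path" for everything under ROOT, sorted
# by path. ls -ld is used rather than stat(1) because stat's flags differ
# between FreeBSD and GNU; -d without -L reports a symlink itself, which is
# the case Martin hit. set -f stops ls output being glob-expanded by set --.
entry_attrs() {
    root=$1
    ( set -f
      cd "$root" && find . -print | sort | while IFS= read -r p; do
          set -- $(ls -ld "$p")
          printf '%s %s %s %s\n' "$1" "$3" "$4" "$p"
      done )
}

# mode_diff ORIG CLONE
# Emits diff(1) output for entries whose attributes differ or that exist on
# one side only. Exit status 0 when the trees match, 1 when they differ.
mode_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    entry_attrs "$1" > "$a"
    entry_attrs "$2" > "$b"
    diff "$a" "$b"
    rc=$?
    rm -f "$a" "$b"
    return $rc
}

# fix_link_modes ROOT MODE
# FreeBSD chmod -h changes the mode of the link itself; -H only affects how
# -R treats links named on the command line, which is why `chmod -H 777
# link` did nothing. Linux symlinks always read 777 and cannot be changed,
# so on Linux the find matches nothing and nothing is run.
fix_link_modes() {
    find "$1" -type l ! -perm "$2" -exec chmod -h "$2" {} \;
}

# Demonstration (hypothetical paths): compare a live root against a clone
# mounted on /mnt, and list every symlink under /mnt whose mode is not 777.
# mode_diff / /mnt
# find /mnt -type l ! -perm 0777
```

To make the clone in the first place, extract with `tar -xpf` so tar is asked explicitly to restore modes and ownership, or take Matt's route with `dump -0af - / | (cd /mnt && restore -rf -)`. Either way, run `mode_diff / /mnt` afterwards before trusting the copy; a clean diff is a much stronger statement than "ssh works again".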
From: Darren Reed
Message-Id: <200303310240.h2V2eGYX017225@caligula.anu.edu.au>
To: csmith@its.uq.edu.au (Christopher Smith)
Date: Mon, 31 Mar 2003 12:40:16 +1000 (Australia/ACT)
In-Reply-To: <93920598-6314-11D7-A85A-000502F96668@its.uq.edu.au> from "Christopher Smith" at Mar 31, 2003 11:03:25 AM
cc: freebsd-security@freebsd.org
cc: Michael Richards
Subject: Re: Multiple Firewalls with ipfilter?

In some mail from Christopher Smith, sie said:
>
> If I had to make a prediction, I'd say the OpenBSD guys will get there
> first with pf. If they do, they'll really have a killer app in the
> firewalling market.

Well, in that case, they'd better already have done it, otherwise they won't be first. There may be one or two old versions of ipfilter 4.0 code around that don't have the relevant files deleted.

My reluctance in making the code public is rather simple...

(a) if you *really* need redundancy then you're prepared to pay for it;
(b) it would be quite nice if ipfilter could somehow support its author;
(c) I'm generally not all that interested in trying to actively devalue the potential of value-add things like this.

As someone who works in software engineering for a "profession", it is sometimes hard to justify providing software for free that goes beyond the basic requirements. Note that if I was in some other industry or still a student, I might have a different philosophy. It's bad enough that we have the spectre of "cheap labour" looming overhead... but I'm digressing into a political rant on the nature of the industry now.

Cheers,
Darren

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 03:34:27 2003
From: "Tovarisch Drug"
To: freebsd-security@freebsd.org
Mime-Version: 1.0
X-Mailer: mPOP Web-Mail 2.19
X-Originating-IP: unknown via proxy [194.85.25.186]
Date: Mon, 31 Mar 2003 15:35:08 +0400
Content-Type: text/plain; charset=koi8-r
Content-Transfer-Encoding: 8bit
X-Mailman-Approved-At: Mon, 31 Mar 2003 03:56:10 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
Reply-To: Tovarisch Drug
X-List-Received-Date: Mon, 31 Mar 2003 11:34:29 -0000

Hello!

After cvsup'ing the system on 22.03 (after SA-03:06), rebuilding and restarting, "telnet 25 localhost" output the following (cut):

220 host.domain.ru ESMTP Sendmail 8.12.7/8.12.7;...

After applying SA-03:07's patch the output has changed to (cut):

220 host.domain.ru ESMTP Sendmail 8.12.6p2/8.12.7;...

Installing the binary has the same result.

Does a version downgrade take place? Or did I miss something?

Thanks in advance,
Illia Baidakov.

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 05:42:23 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE59F37B401 for ; Mon, 31 Mar 2003 05:42:23 -0800 (PST)
Received: from hub.org (hub.org [64.117.224.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B3F343F93 for ; Mon, 31 Mar 2003 05:42:23 -0800 (PST) (envelope-from excalibur@hub.org)
Received: from morpheus (u173n221.eastlink.ca [24.224.173.221]) by hub.org (Postfix) with ESMTP id AF1101038D41; Mon, 31 Mar 2003 09:42:16 -0400 (AST)
From: Chris Bowlby
To: Jez Hancock
In-Reply-To: <20030329191251.GB80087@users.munk.nu>
References: <5.2.0.9.0.20030329110305.009fd8e0@mail.hub.org> <20030329191251.GB80087@users.munk.nu>
Content-Type: text/plain
Organization: Hub.Org Networking Services
Message-Id: <1049117995.9816.7.camel@morpheus>
Mime-Version: 1.0
X-Mailer: Ximian Evolution 1.2.2
Date: 31 Mar 2003 09:39:56 -0400
Content-Transfer-Encoding: 7bit
cc: security@freebsd.org
Subject: Re: Documentation people needed. FreeBSD/Security clue beneficial.
Reply-To: excalibur@hub.org
X-List-Received-Date: Mon, 31 Mar 2003 13:42:27 -0000

On Sat, 2003-03-29 at 15:12, Jez Hancock wrote:
> Perhaps it would be an idea to become familiar with the docproj package
> and the format they use for their documentation if you haven't done
> so already.
>

I will definitely familiarize myself with docproj. I want to maintain the doc standards as much as possible, and at the same time provide a clean interface to work on those docs.

> I had a quick read through the requirements for documentation submitted to
> freebsd.org doc team a while ago (after installing /usr/ports/textproc/docproj/)
> and as I remember they have a selection of SGML templates that they use to
> build their books. It might save a lot of time later if you could have all
> documents on your server in SGML so you can later mark them up how you want,
> depending on the media used.

Sounds cool..

> What do you plan on developing the user interface in by the way?

Most of the site is based on PHP, and the user interaction capabilities are already there. All I should need to do is extend what I currently have to allow doc writers a simple interface to update the content of those docs, probably storing the docs behind the scenes in a database and then regenerating the docs on the fly or once nightly, etc. It depends on how manipulable the docs need to be (going on the assumption of very easy to manipulate right now)..

> Who would comprise the core security doc team? I suppose this is a question
> for Jacques Vidrine as security officer(?).

What I will do is provide access for the voted member (chair person? - or Jacques Vidrine) with the means to "elevate" an active account to the security group, thus allowing that team member to begin contributing to the project. He/She will also have the option to elevate them to core group member so that they too will have voting rights on who gets elevated, but the chair-rep has the veto capabilities, etc.. The access system I've already built into extremefreebsd.org already has this capability from an admin standpoint; I just need to modify it slightly to allow core members to also have some of these privileges...

-- 
Chris Bowlby
Hub.Org Networking Services

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 07:19:06 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEF7437B401 for ; Mon, 31 Mar 2003 07:19:06 -0800 (PST)
Received: from dc.cis.okstate.edu (dc.cis.okstate.edu [139.78.100.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 66C2843F93 for ; Mon, 31 Mar 2003 07:19:06 -0800 (PST) (envelope-from martin@dc.cis.okstate.edu)
Received: from dc.cis.okstate.edu (localhost.cis.okstate.edu [127.0.0.1]) by dc.cis.okstate.edu (8.12.6/8.12.6) with ESMTP id h2VFJ55b068082 for ; Mon, 31 Mar 2003 09:19:05 -0600 (CST) (envelope-from martin@dc.cis.okstate.edu)
Message-Id: <200303311519.h2VFJ55b068082@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Date: Mon, 31 Mar 2003 09:19:05 -0600
From: Martin McCormick
Subject: Re: How did I Break ssh? Solved.
X-List-Received-Date: Mon, 31 Mar 2003 15:19:08 -0000

The problem is solved. Sometimes, I have asked questions on this list that later turned out to be a case of not reading the manual and I felt properly embarrassed, etc. Here is what it was, and all should pay attention if you aspire to use a tar extraction to build or rebuild a system.

I thought of what it might do to /dev, but since the systems all use the same architecture and are all FreeBSD 4.7, I figured that the extraction would essentially be writing the same data back to /dev so it shouldn't matter. That is wrong. Apparently, /dev/random no longer works after it is overwritten although it can appear to. As soon as I did a MAKEDEV std, ssh came to life and is now working as it should.

Someone asked me if I had /dev/random, which I did, but that got me to thinking, which led me to remake all the standard devices.

As far as I know, ssh was the only thing that did not work because of this problem. I would suspect that any cryptographic software or anything else that uses random numbers is affected. The behavior of the system just screamed permissions, but that wasn't it. Other software may fail oddly in other ways.
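Martin's fix above (rebuild /dev with MAKEDEV rather than trust the nodes a tar extraction wrote over it) and Matt's earlier advice suggest two checks worth scripting before a restored system goes back into service. The following is an added example, not code from the list or from FreeBSD: a POSIX sh restore helper that extracts an archive with permissions preserved but leaves ./dev alone, and a check that a named random device is still a character-special node handing out fresh data. It assumes a tar that understands --exclude (GNU tar and bsdtar do); the archive and device paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the list thread. Helpers for restoring a root
# filesystem from a tar archive without clobbering /dev, plus a check that
# the random device still behaves like one afterwards.

# restore_skipping_dev ARCHIVE DESTDIR
# Extracts ARCHIVE into DESTDIR, preserving permissions (-p), but skips
# everything under ./dev. Device nodes are then rebuilt with the system's
# own tool (MAKEDEV std on FreeBSD 4.x) instead of being copied from the
# archive. Assumes a tar that understands --exclude (GNU tar, bsdtar).
restore_skipping_dev() {
    archive="$1"
    dest="$2"
    mkdir -p "$dest" || return 1
    tar -xpf "$archive" -C "$dest" --exclude='./dev/*'
}

# check_random_dev PATH
# Returns 0 only if PATH is a character-special node whose two successive
# 16-byte reads are non-empty and differ. A regular file that an archive
# dropped into /dev, a stale node, /dev/null and /dev/zero all fail.
check_random_dev() {
    dev="$1"
    if [ ! -c "$dev" ]; then
        echo "$dev: not a character device" >&2
        return 1
    fi
    first=$(dd if="$dev" bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    second=$(dd if="$dev" bs=16 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    if [ -z "$first" ] || [ "$first" = "$second" ]; then
        echo "$dev: reads are empty or repeat" >&2
        return 1
    fi
    return 0
}

# Usage: sh restore-check.sh /dev/random [/dev/urandom ...]
# Every device named on the command line is checked; a non-zero status
# means /dev should be rebuilt before anything cryptographic is started.
rc=0
for d in "$@"; do
    if check_random_dev "$d"; then
        echo "$d: ok"
    else
        rc=1
    fi
done
```

Run it as `sh restore-check.sh /dev/random` after the extraction and before starting sshd; on FreeBSD 4.x a failing check means run MAKEDEV std in /dev and check again. /dev/null and /dev/zero fail the read test on purpose, so only a node that actually behaves like an entropy source passes.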
From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 08:35:03 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79D6B37B404 for ; Mon, 31 Mar 2003 08:35:03 -0800 (PST)
Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18F0D43FAF for ; Mon, 31 Mar 2003 08:35:00 -0800 (PST) (envelope-from munk@users.munk.nu)
Received: from users.munk.nu (munk@localhost [127.0.0.1]) by users.munk.nu (8.12.9/8.12.8) with ESMTP id h2VGZZ88030684 for ; Mon, 31 Mar 2003 17:35:35 +0100 (BST) (envelope-from munk@users.munk.nu)
Received: (from munk@localhost) by users.munk.nu (8.12.9/8.12.8/Submit) id h2VGZXjw030683 for freebsd-security@freebsd.org; Mon, 31 Mar 2003 17:35:33 +0100 (BST)
Date: Mon, 31 Mar 2003 17:35:33 +0100
From: Jez Hancock
To: freebsd-security@freebsd.org
Message-ID: <20030331163533.GA30523@users.munk.nu>
Mail-Followup-To: freebsd-security@freebsd.org
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
X-List-Received-Date: Mon, 31 Mar 2003 16:35:06 -0000

I noticed this too, is this correct?

=================================================================== RCS file: /home/ncvs/src/contrib/sendmail/src/version.c,v retrieving revision 1.1.1.3.2.12 retrieving revision 1.1.1.3.2.12.2.1 diff -c -r1.1.1.3.2.12 -r1.1.1.3.2.12.2.1 *** contrib/sendmail/src/version.c 3 Sep 2002 01:50:20 -0000 1.1.1.3.2.12 --- contrib/sendmail/src/version.c 29 Mar 2003 20:13:05 -0000 1.1.1.3.2.12.2.1 *************** *** 15,18 **** SM_RCSID("@(#)$Id: version.c,v 8.104.2.5 2002/08/24 16:27:21 ca Exp $") ! char Version[] = "8.12.6"; --- 15,18 ---- SM_RCSID("@(#)$Id: version.c,v 8.104.2.5 2002/08/24 16:27:21 ca Exp $") ! char Version[] = "8.12.6p2";

On Mon, Mar 31, 2003 at 03:35:08PM +0400, Tovarisch Drug wrote:
> Hello!
> After cvsup'ing the system on 22.03 (after SA-03:06), rebuilding and restarting, "telnet 25 localhost" output the following (cut):
> 220 host.domain.ru ESMTP Sendmail 8.12.7/8.12.7;...
>
> After applying SA-03:07's patch the output has changed to (cut):
> 220 host.domain.ru ESMTP Sendmail 8.12.6p2/8.12.7;...
> Installing the binary has the same result.
>
> Does a version downgrade take place?
> Or did I miss something?
>
> Thanks in advance,
> Illia Baidakov.
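Review bot: the version.c hunk changes nothing but the Version string, from "8.12.6" to "8.12.6p2", which is not part of the security fix and leaves a host that reported 8.12.7 before patching advertising a lower version afterwards (the downgrade the quoted mail asks about); drop contrib/sendmail/src/version.c from the advisory patch, or regenerate that hunk against the release actually shipped, so the fix applies without touching the banner. Since patch(1) will apply this one-line replacement cleanly even when the existing string differs, a successful patch run is no evidence that the intended base version was present.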
From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 08:41:34 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AC9D137B401 for ; Mon, 31 Mar 2003 08:41:34 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id E56A543FAF for ; Mon, 31 Mar 2003 08:41:33 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id 678BCA3 for ; Mon, 31 Mar 2003 10:41:33 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id B781A78C66; Mon, 31 Mar 2003 10:41:32 -0600 (CST)
Date: Mon, 31 Mar 2003 10:41:32 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@freebsd.org
Message-ID: <20030331164132.GA39868@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org
References: <20030331163533.GA30523@users.munk.nu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20030331163533.GA30523@users.munk.nu>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
X-List-Received-Date: Mon, 31 Mar 2003 16:41:38 -0000

On Mon, Mar 31, 2003 at 05:35:33PM +0100, Jez Hancock wrote:
> I noticed this too, is this correct?

No, it is stupid. :-) I should not have included version.c in the patch file. There will likely be a new patch uploaded without it. Oddly enough this patch will succeed even if the version string doesn't match ... that's partly why I missed it.

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 09:18:20 2003
Del
ivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 253C837B401 for ; Mon, 31 Mar 2003 09:18:20 -0800 (PST)
Received: from imap.drweb.ru (blag3.drweb.ru [62.16.103.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1837C43FB1 for ; Mon, 31 Mar 2003 09:18:19 -0800 (PST) (envelope-from nikolaj@drweb.ru)
Received: from drweb.ru (ppp171.leivo.ru [194.105.199.171]) by imap.drweb.ru (Postfix) with ESMTP id D59912F8F1 for ; Mon, 31 Mar 2003 21:18:14 +0400 (MSD)
Message-ID: <3E887850.7010100@drweb.ru>
Date: Mon, 31 Mar 2003 21:18:08 +0400
From: "Nikolaj I. Potanin"
Organization: ID Antivirus Lab (SalD Ltd)
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.3b) Gecko/20030210
X-Accept-Language: ru, en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Subject: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 17:18:21 -0000

What does this bizarre msgid mean?

maillog:
Mar 31 19:31:15 cu sm-mta[5352]: h2VFVEGS005352: from=, size=1737, class=0, nrcpts=1, msgid=
proto=ESMTP, daemon=MTA, relay=wg.pu.ru [193.124.85.219]

Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C688337B401 for ; Mon, 31 Mar 2003 09:23:30 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBB0643FAF for ; Mon, 31 Mar 2003 09:23:29 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA27568; Mon, 31 Mar 2003 10:23:06 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030331102232.0327fa90@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 31 Mar 2003 10:23:02 -0700
To: "Nikolaj I. Potanin" , freebsd-security@freebsd.org
From: Brett Glass
In-Reply-To: <3E887850.7010100@drweb.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 17:23:31 -0000

At 10:18 AM 3/31/2003, Nikolaj I. Potanin wrote:

>What does this bizarre msgid mean?

It means that someone's trying to exploit a buffer overrun vulnerability.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 09:36:34 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5884737B401 for ; Mon, 31 Mar 2003 09:36:34 -0800 (PST)
Received: from mx2.drweb.ru (blag1.drweb.ru [62.16.103.221]) by mx1.FreeBSD.org (Postfix) with ESMTP id B97A643F3F for ; Mon, 31 Mar 2003 09:36:33 -0800 (PST) (envelope-from nikolaj@drweb.ru)
Received: from ppp171.leivo.ru (ppp171.leivo.ru [194.105.199.171]) by mx2.drweb.ru (Postfix) with ESMTP id 3ED4AAC64; Mon, 31 Mar 2003 21:36:30 +0400 (MSD)
Date: Mon, 31 Mar 2003 21:36:23 +0400
From: "Nikolaj I. Potanin"
X-Mailer: The Bat! (v1.61) Business
Organization: ID Anti-Virus Lab (SalD Ltd)
X-Priority: 3 (Normal)
Message-ID: <329073853.20030331213623@drweb.ru>
To: David Wolfskill
In-Reply-To: <200303311727.h2VHRLkN007598@bunrab.catwhisker.org>
References: <200303311727.h2VHRLkN007598@bunrab.catwhisker.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
cc: freebsd-security@freebsd.org
Subject: Re[2]: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 17:36:35 -0000

>>Mar 31 19:31:15 cu sm-mta[5352]: h2VFVEGS005352: from=,
>>size=1737, class=0, nrcpts=1,
>>msgid=
>>proto=ESMTP, daemon=MTA, relay=wg.pu.ru [193.124.85.219]

> I don't know if it "means" anything, but a message that an SMTP client
> tried to deliver to my SMTP server would be rejected, because it didn't
> have an '@' in it.

Anyway, the newly updated sendmail _did_ deliver this message; is there any means to make it reject such mail (i.e. containing an illegal msgid)?

-- 
Nikolaj I. Potanin, SA http://www.drweb.ru
ID Anti-Virus Lab (SalD Ltd) nikolaj@drweb.ru
St. Petersburg, Russia ph.: +7-812-3888624

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 10:56:35 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD6A337B401 for ; Mon, 31 Mar 2003 10:56:35 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1653C43FAF for ; Mon, 31 Mar 2003 10:56:35 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id 7507666; Mon, 31 Mar 2003 12:56:34 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id C180278C66; Mon, 31 Mar 2003 12:56:33 -0600 (CST)
Date: Mon, 31 Mar 2003 12:56:33 -0600
From: "Jacques A. Vidrine"
To: "Nikolaj I. Potanin"
Message-ID: <20030331185633.GA40453@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , "Nikolaj I. Potanin" , freebsd-security@freebsd.org
References: <3E887850.7010100@drweb.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=unknown-8bit
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <3E887850.7010100@drweb.ru>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
cc: freebsd-security@freebsd.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 18:56:41 -0000

On Mon, Mar 31, 2003 at 09:18:08PM +0400, Nikolaj I. Potanin wrote:
> What does this bizarre msgid mean?
>
> maillog:
> Mar 31 19:31:15 cu sm-mta[5352]: h2VFVEGS005352: from=,
> size=1737, class=0, nrcpts=1,
> msgid=
> proto=ESMTP, daemon=MTA, relay=wg.pu.ru [193.124.85.219]

It was a long Message-ID which sendmail truncated to 100 characters when printing the log message, i.e. printf(... msgid=%.100s ...).

It's kind of interesting, because it is base64 encoded data which begins with the string `PCDFEB09':

0000 50 43 44 46 45 42 30 39 00 01 00 02 00 00 00 00 |PCDFEB09........|
0010 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 |................|
0020 00 7e 9e 05 6b 64 a1 3c 4d ae e2 93 ff 42 93 c3 |.~..kd¡
0030 20 c2 80 00 00 10 00 00 00 8f ec db e0 8b 1b ba | Â........ìÛà..º|
0040 4f ad 60 43 d5 17 d5 5f |O­`CÕ.Õ_|

Google'ing for that string turns up a lot of hits, which seem to be Microsoft TNEF attachments. *shrug* Perhaps it is a sneaky way of sending some data out-of-band :-) or maybe it is just a buggy application. Too bad you don't have the entire message.

I don't think it is anything to worry about, really.

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 10:56:47 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D849A37B417 for ; Mon, 31 Mar 2003 10:56:47 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2D0C143F75 for ; Mon, 31 Mar 2003 10:56:47 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id B98B36C; Mon, 31 Mar 2003 12:56:46 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id 4C63B78C68; Mon, 31 Mar 2003 12:56:46 -0600 (CST)
Date: Mon, 31 Mar 2003 12:56:46 -0600
From: "Jacques A. Vidrine"
To: Brett Glass
Message-ID: <20030331185646.GB40453@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , Brett Glass , "Nikolaj I. Potanin" , freebsd-security@freebsd.org
References: <3E887850.7010100@drweb.ru> <4.3.2.7.2.20030331102232.0327fa90@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20030331102232.0327fa90@localhost>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
cc: freebsd-security@freebsd.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 18:56:49 -0000

On Mon, Mar 31, 2003 at 10:23:02AM -0700, Brett Glass wrote:
> At 10:18 AM 3/31/2003, Nikolaj I. Potanin wrote:
>
> >What does this bizarre msgid mean?
>
> It means that someone's trying to exploit a buffer overrun
> vulnerability.

No, I don't think so.

-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 10:57:53 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E98E637B401 for ; Mon, 31 Mar 2003 10:57:53 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2642C43FBD for ; Mon, 31 Mar 2003 10:57:53 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id B73D666; Mon, 31 Mar 2003 12:57:52 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id 42C2478C66; Mon, 31 Mar 2003 12:57:52 -0600 (CST)
Date: Mon, 31 Mar 2003 12:57:52 -0600
From: "Jacques A. Vidrine"
To: "Nikolaj I. Potanin"
Message-ID: <20030331185752.GC40453@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , "Nikolaj I. Potanin" , David Wolfskill , freebsd-security@freebsd.org
References: <200303311727.h2VHRLkN007598@bunrab.catwhisker.org> <329073853.20030331213623@drweb.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <329073853.20030331213623@drweb.ru>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
cc: freebsd-security@freebsd.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 18:57:55 -0000

On Mon, Mar 31, 2003 at 09:36:23PM +0400, Nikolaj I. Potanin wrote:
> >>Mar 31 19:31:15 cu sm-mta[5352]: h2VFVEGS005352: from=,
> >>size=1737, class=0, nrcpts=1,
> >>msgid=
> >>proto=ESMTP, daemon=MTA, relay=wg.pu.ru [193.124.85.219]
>
> > I don't know if it "means" anything, but a message that an SMTP client
> > tried to deliver to my SMTP server would be rejected, because it didn't
> > have an '@' in it.
>
> Anyway, the newly updated sendmail _did_ deliver this message; is there
> any means to make it reject such mail (i.e. containing an illegal
> msgid)?

The Message-ID was not necessarily illegal. It was truncated by sendmail's log output, so you don't know what the complete Message-ID was.

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 11:27:12 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3265737B404; Mon, 31 Mar 2003 11:27:11 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F152C43FB1; Mon, 31 Mar 2003 11:27:07 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA29284; Mon, 31 Mar 2003 12:27:02 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030331122450.031ace50@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 31 Mar 2003 12:26:56 -0700
To: "Jacques A. Vidrine"
From: Brett Glass
In-Reply-To: <20030331185646.GB40453@madman.celabo.org>
References: <4.3.2.7.2.20030331102232.0327fa90@localhost> <3E887850.7010100@drweb.ru> <4.3.2.7.2.20030331102232.0327fa90@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: freebsd-security@FreeBSD.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 19:27:13 -0000

At 11:56 AM 3/31/2003, Jacques A. Vidrine wrote:

>> It means that someone's trying to exploit a buffer overrun
>> vulnerability.
>
>No, I don't think so.

You have a right to disagree, of course. However, some MUAs HAVE been reported to have buffer overflow vulnerabilities that can be exploited via an excessively long message ID header. I have installed a filter that shortens them to prevent Outlook users from being nailed by this bug.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 11:30:11 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA89B37B401; Mon, 31 Mar 2003 11:30:11 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3FD2043FBF; Mon, 31 Mar 2003 11:30:10 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA29329; Mon, 31 Mar 2003 12:30:06 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030331122909.031ac940@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 31 Mar 2003 12:29:59 -0700
To: "Jacques A. Vidrine"
From: Brett Glass
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: freebsd-security@FreeBSD.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 19:30:12 -0000

Oh, and elm apparently has a buffer overflow in Message-ID header handling too. See

http://www.linuxsecurity.com/advisories/redhat_advisory-1497.html

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 11:34:02 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D8B9237B404; Mon, 31 Mar 2003 11:34:01 -0800 (PST)
Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB20E43FDF; Mon, 31 Mar 2003 11:34:00 -0800 (PST) (envelope-from mike@sentex.net)
Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h2VJXxCm015498; Mon, 31 Mar 2003 14:34:00 -0500 (EST) (envelope-from mike@sentex.net)
Message-Id: <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca>
X-Sender: mdtpop@marble.sentex.ca (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Mon, 31 Mar 2003 14:39:49 -0500
To: "Jacques A. Vidrine"
From: Mike Tancsa
In-Reply-To: <20030331185633.GA40453@madman.celabo.org>
References: <3E887850.7010100@drweb.ru> <3E887850.7010100@drweb.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"; format=flowed
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: By Sentex Communications (lava/20020517)
cc: freebsd-security@freebsd.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 19:34:04 -0000

At 12:56 PM 31/03/2003 -0600, Jacques A. Vidrine wrote:
>It's kind of interesting, because it is base64 encoded data which
>begins with the string `PCDFEB09':
>
>0000 50 43 44 46 45 42 30 39 00 01 00 02 00 00 00 00 |PCDFEB09........|
>0010 00 00 00 00 00 00 00 00 00 18 00 00 00 00 00 00 |................|
>0020 00 7e 9e 05 6b 64 a1 3c 4d ae e2 93 ff 42 93 c3 |.~..kd¡
>0030 20 c2 80 00 00 10 00 00 00 8f ec db e0 8b 1b ba | Â........ìÛà..º|
>0040 4f ad 60 43 d5 17 d5 5f |O­`CÕ.Õ_|
>
>Google'ing for that string turns up a lot of hits, which seem to be
>Microsoft TNEF attachments. *shrug* Perhaps it is a sneaky way of
>sending some data out-of-band :-)

Actually, will not some MS email clients (e.g. lookOUT) honor attachments that begin in the headers? I recall a discussion similar to this on email AV scanner lists... Because MS would decode an attachment crammed in the subject line, this could be a way to bypass email scanners and cram viruses in the subject... Combined with the fact that there are many unpatched email clients out there, this would be a nice way to spread an email worm. Perhaps the MS client would try and decode an attachment in the messageID?

---Mike

>or maybe it is just a buggy
>application. Too bad you don't have the entire message.
>
>I don't think it is anything to worry about, really.
>
>Cheers,
>--
>Jacques A. Vidrine http://www.celabo.org/
>NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
>jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 11:02:53 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FE1337B40D for ; Mon, 31 Mar 2003 11:02:53 -0800 (PST)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 57A3244001 for ; Mon, 31 Mar 2003 11:02:12 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h2VJ2CUp008828 for ; Mon, 31 Mar 2003 11:02:12 -0800 (PST) (envelope-from owner-bugmaster@freebsd.org)
Received: (from peter@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h2VJ2C40008822 for security@freebsd.org; Mon, 31 Mar 2003 11:02:12 -0800 (PST)
Date: Mon, 31 Mar 2003 11:02:12 -0800 (PST)
Message-Id: <200303311902.h2VJ2C40008822@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f
From: FreeBSD bugmaster
To: security@FreeBSD.org
X-Mailman-Approved-At: Mon, 31 Mar 2003 11:52:09 -0800
Subject: Current problem reports assigned to you
X-List-Received-Date: Mon, 31 Mar 2003 19:02:54 -0000

Current FreeBSD problem reports

No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 08:49:05 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 984CD37B414 for ; Mon, 31 Mar 2003 08:49:05 -0800 (PST)
Received: from star.sstec.com (adsl-216-102-148-67.dsl.lsan03.pacbell.net [216.102.148.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id DBDAC43F85 for ; Mon, 31 Mar 2003 08:49:04 -0800 (PST) (envelope-from fbsd1@sstec.com)
Received: from comm.sstec.com (comm.sstec.com [192.168.74.10]) by star.sstec.com (8.12.6p2/8.12.6) with ESMTP id h2VGn2Ab003924 for ; Mon, 31 Mar 2003 08:49:02 -0800 (PST) (envelope-from fbsd1@sstec.com)
Message-Id: <5.1.0.14.2.20030331084447.0228ce70@mail.sstec.com>
X-Sender: (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.1
Date: Mon, 31 Mar 2003 08:47:25 -0700
To: freebsd-security@freebsd.org
From: John Long
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
X-Mailman-Approved-At: Mon, 31 Mar 2003 11:53:00 -0800
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
X-List-Received-Date: Mon, 31 Mar 2003 16:49:07 -0000

after cvsup and rebuild last night on
FreeBSD 4.7-RELEASE-p10 #10: Sun Mar 30 14:45:09 PST 2003

I get:
(8.12.6p2/8.12.6)

what's up with that? proper or not?

John

At 04:35 AM 3/31/2003, Tovarisch Drug wrote:
>Hello!
>cvsup'ing system 22.03 after SA-03:06 after rebuilding and restarting,
>"telnet 25 localhost" output the following (cut):
>220 host.domain.ru ESMTP Sendmail 8.12.7/8.12.7;...
>
>after applying SA-03:07's patch the one's output has changed to (cut):
>220 host.domain.ru ESMTP Sendmail 8.12.6p2/8.12.7;...
>installing the binary has the same result.
>
>Does version's downgrade take place?
>Or I missed anything out?
>
>Thanks in advance,
>Illia Baidakov.
>_______________________________________________
>freebsd-security@freebsd.org mailing list
>http://lists.freebsd.org/mailman/listinfo/freebsd-security
>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 12:04:48 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AE8DA37B401 for ; Mon, 31 Mar 2003 12:04:48 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAD6B43F85 for ; Mon, 31 Mar 2003 12:04:47 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id 2C5AD66; Mon, 31 Mar 2003 14:04:47 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id 567AC78C66; Mon, 31 Mar 2003 14:04:46 -0600 (CST)
Date: Mon, 31 Mar 2003 14:04:46 -0600
From: "Jacques A. Vidrine"
To: Brett Glass
Message-ID: <20030331200446.GA41695@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , Brett Glass , "Nikolaj I. Potanin" , freebsd-security@FreeBSD.org
References: <4.3.2.7.2.20030331122909.031ac940@localhost> <4.3.2.7.2.20030331102232.0327fa90@localhost> <3E887850.7010100@drweb.ru> <4.3.2.7.2.20030331102232.0327fa90@localhost> <4.3.2.7.2.20030331122450.031ace50@localhost>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <4.3.2.7.2.20030331122909.031ac940@localhost> <4.3.2.7.2.20030331122450.031ace50@localhost>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
cc: freebsd-security@FreeBSD.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 20:04:50 -0000

On Mon, Mar 31, 2003 at 12:26:56PM -0700, Brett Glass wrote:
> >No, I don't think so.
>
> You have a right to disagree, of course. However, some MUAs
> HAVE been reported to have buffer overflow vulnerabilities
> that can be exploited via an excessively long message ID
> header. I have installed a filter that shortens them to
> prevent Outlook users from being nailed by this bug.

On Mon, Mar 31, 2003 at 12:29:59PM -0700, Brett Glass wrote:
> Oh, and elm apparently has a buffer overflow in Message-ID header
> handling too. See
>
> http://www.linuxsecurity.com/advisories/redhat_advisory-1497.html

Read my post about the type of data that was in the Message-ID. It
doesn't /look/ like an overflow --- I did not recognize the data as
executable code `as is', nor once it was decoded. Thus, I do not
believe that it is a particular attempt at causing a buffer overflow
in a MTA or MUA.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 12:06:10 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEC6D37B401 for ; Mon, 31 Mar 2003 12:06:10 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4401143F93 for ; Mon, 31 Mar 2003 12:06:10 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id D289166; Mon, 31 Mar 2003 14:06:09 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id 60E4A78C66; Mon, 31 Mar 2003 14:06:09 -0600 (CST)
Date: Mon, 31 Mar 2003 14:06:09 -0600
From: "Jacques A. Vidrine"
To: Mike Tancsa
Message-ID: <20030331200609.GB41695@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , Mike Tancsa , freebsd-security@freebsd.org
References: <3E887850.7010100@drweb.ru> <3E887850.7010100@drweb.ru> <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
cc: freebsd-security@freebsd.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 20:06:12 -0000

On Mon, Mar 31, 2003 at 02:39:49PM -0500, Mike Tancsa wrote:
> Actually, will not some MS email clients (e.g. lookOUT) honor attachments
> that begin in the headers ? I recall a discussion similar to this on email
> AV scanner lists... Because MS would decode an attachment crammed in the
> subject line, this could be a way to bypass email scanners and cram viruses
> in the subject... Combined with the fact that there are many unpatched
> email clients out there, this would be a nice way to spread an email worm.
>
> Perhaps the MS client would try and decode an attachment in the messageID ?

That would explain why someone was sending such a Message-ID header,
and I guess I would not be surprised that some Microsoft MUA would do
something bone-headed like that.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 12:08:18 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6767137B401 for ; Mon, 31 Mar 2003 12:08:18 -0800 (PST)
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFA2043F85 for ; Mon, 31 Mar 2003 12:08:17 -0800 (PST) (envelope-from nectar@celabo.org)
Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.nectar.cc (Postfix) with ESMTP id 3B6E666; Mon, 31 Mar 2003 14:08:17 -0600 (CST)
Received: by madman.celabo.org (Postfix, from userid 1001) id 9155978C66; Mon, 31 Mar 2003 14:08:16 -0600 (CST)
Date: Mon, 31 Mar 2003 14:08:16 -0600
From: "Jacques A. Vidrine"
To: John Long
Message-ID: <20030331200816.GC41695@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine" , John Long , freebsd-security@freebsd.org
References: <5.1.0.14.2.20030331084447.0228ce70@mail.sstec.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <5.1.0.14.2.20030331084447.0228ce70@mail.sstec.com>
X-Url: http://www.celabo.org/
User-Agent: Mutt/1.5.3i-ja.1
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
X-List-Received-Date: Mon, 31 Mar 2003 20:08:19 -0000

On Mon, Mar 31, 2003 at 08:47:25AM -0700, John Long wrote:
> after cvsup and rebuild last night on
> FreeBSD 4.7-RELEASE-p10 #10: Sun Mar 30 14:45:09 PST 2003
>
> I get:
> (8.12.6p2/8.12.6)
>
> whats up with that? proper or not?

Proper. The first version is the binary, the second is the config file.

--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 15:20:33 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E0CFD37B401; Mon, 31 Mar 2003 15:20:33 -0800 (PST)
Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id EAB6543FBD; Mon, 31 Mar 2003 15:20:32 -0800 (PST) (envelope-from brett@lariat.org)
Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id QAA02347; Mon, 31 Mar 2003 16:20:18 -0700 (MST)
X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms.
Message-Id: <4.3.2.7.2.20030331161241.0411cb00@localhost>
X-Sender: brett@localhost
X-Mailer: QUALCOMM Windows Eudora Version 4.3.2
Date: Mon, 31 Mar 2003 16:20:14 -0700
To: Mike Tancsa , "Jacques A. Vidrine"
From: Brett Glass
In-Reply-To: <5.2.0.9.0.20030331143557.07ea0858@marble.sentex.ca>
References: <20030331185633.GA40453@madman.celabo.org> <3E887850.7010100@drweb.ru> <3E887850.7010100@drweb.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
cc: freebsd-security@freebsd.org
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 23:20:35 -0000

At 12:39 PM 3/31/2003, Mike Tancsa wrote:
>Actually, will not some MS email clients (e.g. lookOUT) honor attachments that begin in the headers?

I haven't heard of this, but it's certainly possible. Many MTAs
automatically strip TNEF attachments from the body of the message, but
they may miss them if they're in a header. The TNEF signature string
could be misdirection, too.

--Brett

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 12:45:52 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A253937B401 for ; Mon, 31 Mar 2003 12:45:52 -0800 (PST)
Received: from koibito.iisc.com (koibito.iisc.com [198.5.5.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id EF52E43FB1 for ; Mon, 31 Mar 2003 12:45:51 -0800 (PST) (envelope-from cmr@koibito.iisc.com)
Received: from koibito.iisc.com (LOCALHOST [127.0.0.1] (may be forged)) by koibito.iisc.com (8.12.9/8.12.8) with ESMTP id h2VKjoVj008179 for ; Mon, 31 Mar 2003 15:45:50 -0500 (EST)
Message-Id: <200303312045.h2VKjoVj008179@koibito.iisc.com>
To: freebsd-security@freebsd.org
In-Reply-To: Your message of "Mon, 31 Mar 2003 12:56:33 CST." <20030331185633.GA40453@madman.celabo.org>
Date: Mon, 31 Mar 2003 15:45:50 -0500
From: "Charles M. Richmond"
X-Mailman-Approved-At: Mon, 31 Mar 2003 17:55:23 -0800
Subject: Re: what was that?
X-List-Received-Date: Mon, 31 Mar 2003 20:45:54 -0000

So I did a grep for msg IDs similar to the one that is being discussed
and I got the following 3 examples. There is some humour perhaps in the
fact that 2 are from the bugtraq mailing list. :) All 3 are from
microsoft outlook and both of the bugtraq samples are from the same
individual. I would like to see some analysis of this. The chance that
generated msg IDs could correspond so closely is about 1/googleplex so
we can assume some mechanism. Are these systems in fact infected with a
virus and is embedded base64 in the MSG ID a viral vector?

07-Mar-00:01/mail.log:Mar 7 18:10:19 koibito sendmail[3110]: h27NAIVK003110: from=, size=11569, class=-60, nrcpts=1, msgid=
, size=3175, class=-60, nrcpts=1, msgid=
, size=4002, class=0, nrcpts=1, msgid=

...
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook, Build 10.0.4024
Message-ID:

...
X-Mailer: Microsoft Outlook, Build 10.0.4024
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID:

...
X-Mailer: Microsoft Outlook, Build 10.0.4510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 19:43:11 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8872E37B401 for ; Mon, 31 Mar 2003 19:43:11 -0800 (PST)
Received: from franky.speednet.com.au (franky.speednet.com.au [203.57.65.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 511C543FA3 for ; Mon, 31 Mar 2003 19:43:10 -0800 (PST) (envelope-from andyf@speednet.com.au)
Received: from hewey.af.speednet.com.au (hewey.af.speednet.com.au [203.38.96.242])h313h8in054966 for ; Tue, 1 Apr 2003 13:43:08 +1000 (EST) (envelope-from andyf@speednet.com.au)
Received: from hewey.af.speednet.com.au (hewey.af.speednet.com.au [172.22.2.17])h313h70A013036 for ; Tue, 1 Apr 2003 13:43:07 +1000 (EST) (envelope-from andyf@speednet.com.au)
Date: Tue, 1 Apr 2003 13:43:06 +1000 (EST)
From: Andy Farkas
X-X-Sender: andyf@hewey.af.speednet.com.au
To: security@FreeBSD.ORG
Message-ID: <20030401133947.L96386-100000@hewey.af.speednet.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: rfc3514 - Security Flag in the IPv4 Header
X-List-Received-Date: Tue, 01 Apr 2003 03:43:11 -0000

Any chance of this being implemented in fbsd? Could be useful ;-)

ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

--

 :{ andyf@speednet.com.au

        Andy Farkas
    System Administrator
   Speednet Communications
 http://www.speednet.com.au/

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 20:06:55 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B1C537B401 for ; Mon, 31 Mar 2003 20:06:55 -0800 (PST)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id CECD343FAF for ; Mon, 31 Mar 2003 20:06:54 -0800 (PST) (envelope-from silby@silby.com)
Received: (qmail 37362 invoked from network); 1 Apr 2003 04:06:54 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 1 Apr 2003 04:06:54 -0000
X-pair-Authenticated: 209.68.2.70
Date: Mon, 31 Mar 2003 22:03:21 -0600 (CST)
From: Mike Silbersack
To: Andy Farkas
In-Reply-To: <20030401133947.L96386-100000@hewey.af.speednet.com.au>
Message-ID: <20030331220228.H1612@odysseus.silby.com>
References: <20030401133947.L96386-100000@hewey.af.speednet.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: security@FreeBSD.ORG
Subject: Re: rfc3514 - Security Flag in the IPv4 Header
X-List-Received-Date: Tue, 01 Apr 2003 04:06:55 -0000

On Tue, 1 Apr 2003, Andy Farkas wrote:

> Any chance of this being implemented in fbsd? Could be useful ;-)
>
> ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt
>
> --
>
>  :{ andyf@speednet.com.au
>
>         Andy Farkas

Really lame jokes are off-topic for this list, I think.

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Mon Mar 31 21:43:50 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DD75B37B401 for ; Mon, 31 Mar 2003 21:43:50 -0800 (PST)
Received: from mx2.drweb.ru (blag1.drweb.ru [62.16.103.221]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1125543FBF for ; Mon, 31 Mar 2003 21:43:50 -0800 (PST) (envelope-from nikolaj@drweb.ru)
Received: from ppp158.leivo.ru (ppp158.leivo.ru [194.105.199.158]) by mx2.drweb.ru (Postfix) with ESMTP id 52946AC62 for ; Tue, 1 Apr 2003 09:43:47 +0400 (MSD)
Date: Tue, 1 Apr 2003 09:43:39 +0400
From: "Nikolaj I. Potanin"
X-Mailer: The Bat! (v1.61) Business
Organization: ID Anti-Virus Lab (SalD Ltd)
X-Priority: 3 (Normal)
Message-ID: <149571566.20030401094339@drweb.ru>
To: freebsd-security@freebsd.org
In-Reply-To: <20030331220228.H1612@odysseus.silby.com>
References: <20030401133947.L96386-100000@hewey.af.speednet.com.au> <20030331220228.H1612@odysseus.silby.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: Re[2]: rfc3514 - Security Flag in the IPv4 Header
X-List-Received-Date: Tue, 01 Apr 2003 05:43:51 -0000

>> Any chance of this being implemented in fbsd? Could be useful ;-)
>>
>> ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

> Really lame jokes are off-topic for this list, I think.

Are they off-topic on the 1st of April also? :)

--
Nikolaj I. Potanin, SA          http://www.drweb.ru
ID Anti-Virus Lab (SalD Ltd)    nikolaj@drweb.ru
St. Petersburg, Russia          ph.: +7-812-3888624

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 01:07:09 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A2C5637B401 for ; Tue, 1 Apr 2003 01:07:09 -0800 (PST)
Received: from tyrex.indenial.com (h00036d1cf43b.ne.client2.attbi.com [24.128.149.99]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2480543F75 for ; Tue, 1 Apr 2003 01:07:06 -0800 (PST) (envelope-from 1nd3n14l@indenial.com)
Received: from godzilla.indenial.com (godzilla.indenial.com [10.0.2.111]) by tyrex.indenial.com (8.12.9/8.12.9) with ESMTP id h31975t0064540 for ; Tue, 1 Apr 2003 04:07:05 -0500 (EST) (envelope-from 1nd3n14l@indenial.com)
Received: from godzilla.indenial.com (localhost [127.0.0.1]) by godzilla.indenial.com (8.12.9/8.12.9) with ESMTP id h31975BH097096 for ; Tue, 1 Apr 2003 04:07:05 -0500 (EST) (envelope-from 1nd3n14l@indenial.com)
Received: from localhost (1nd3n14l@localhost)h31974cG097093 for ; Tue, 1 Apr 2003 04:07:05 -0500 (EST)
X-Authentication-Warning: godzilla.indenial.com: 1nd3n14l owned process doing -bs
Date: Tue, 1 Apr 2003 04:07:04 -0500 (EST)
From: David A Bestor <1nd3n14l@indenial.com>
To: freebsd-security@freebsd.org
In-Reply-To: <200303302121.h2ULL47f023145@freefall.freebsd.org>
Message-ID: <20030401034814.X97058@godzilla.indenial.com>
References: <200303302121.h2ULL47f023145@freefall.freebsd.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
X-List-Received-Date: Tue, 01 Apr 2003 09:07:09 -0000

On Sun, 30 Mar 2003, FreeBSD Security Advisories wrote:

> =============================================================================
> FreeBSD-SA-03:07.sendmail                                   Security Advisory
>                                                             The FreeBSD Project
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libsm
> # make obj && make depend && make
> # cd /usr/src/lib/libsmutil
> # make obj && make depend && make
> # cd /usr/src/usr.sbin/sendmail
> # make obj && make depend && make && make install
>

I think the advisory should also include the following:
# cd /usr/src/share/sendmail
# make install

I run a custom hostname.mc in /etc/mail. Which I don't think is too
extreme. If I do the following:
cd /etc/mail
make

I then compare hostname.cf to sendmail.cf and it does not get
built with updated information. This is because I still have the
old m4 files in /usr/share/sendmail/cf unless I do the additional make
install from above.

Thanks,
David

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 01:32:27 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CBE9C37B401 for ; Tue, 1 Apr 2003 01:32:27 -0800 (PST)
Received: from sasami.jurai.net (sasami.jurai.net [66.92.160.223]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1B03143FD7 for ; Tue, 1 Apr 2003 01:32:27 -0800 (PST) (envelope-from winter@jurai.net)
Received: from sasami.jurai.net (sasami.jurai.net [66.92.160.223]) by sasami.jurai.net (8.12.9/8.12.9) with ESMTP id h319WQEF044119; Tue, 1 Apr 2003 04:32:26 -0500 (EST) (envelope-from winter@jurai.net)
Date: Tue, 1 Apr 2003 04:32:26 -0500 (EST)
From: "Matthew N. Dodd"
To: Andy Farkas
In-Reply-To: <20030401133947.L96386-100000@hewey.af.speednet.com.au>
Message-ID: <20030401043154.D1365@sasami.jurai.net>
References: <20030401133947.L96386-100000@hewey.af.speednet.com.au>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: security@freebsd.org
Subject: Re: rfc3514 - Security Flag in the IPv4 Header
X-List-Received-Date: Tue, 01 Apr 2003 09:32:28 -0000

On Tue, 1 Apr 2003, Andy Farkas wrote:

> Any chance of this being implemented in fbsd? Could be useful ;-)
>
> ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt

This is implemented in -CURRENT

A patch for -STABLE is available here:

ftp://ftp.jurai.net/users/winter/patches/rfc3514-stable.patch

--
| Matthew N. Dodd              | '78 Datsun 280Z     | '75 Volvo 164E  | FreeBSD/NetBSD |
| winter@jurai.net             | 2 x '84 Volvo 245DL | ix86,sparc,pmax |
| http://www.jurai.net/~winter | For Great Justice!  | ISO8802.5 4ever |

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 02:45:10 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5798637B401 for ; Tue, 1 Apr 2003 02:45:10 -0800 (PST)
Received: from tyrex.indenial.com (h00036d1cf43b.ne.client2.attbi.com [24.128.149.99]) by mx1.FreeBSD.org (Postfix) with ESMTP id 783A743FA3 for ; Tue, 1 Apr 2003 02:45:09 -0800 (PST) (envelope-from 1nd3n14l@indenial.com)
Received: from godzilla.indenial.com (godzilla.indenial.com [10.0.2.111]) by tyrex.indenial.com (8.12.9/8.12.9) with ESMTP id h31Aj8t0065722 for ; Tue, 1 Apr 2003 05:45:08 -0500 (EST) (envelope-from 1nd3n14l@indenial.com)
Received: from godzilla.indenial.com (localhost [127.0.0.1]) by godzilla.indenial.com (8.12.9/8.12.9) with ESMTP id h31Aj8BH097327 for ; Tue, 1 Apr 2003 05:45:08 -0500 (EST) (envelope-from 1nd3n14l@indenial.com)
Received: from localhost (1nd3n14l@localhost)h31Aj8wu097324 for ; Tue, 1 Apr 2003 05:45:08 -0500 (EST)
X-Authentication-Warning: godzilla.indenial.com: 1nd3n14l owned process doing -bs
Date: Tue, 1 Apr 2003 05:45:08 -0500 (EST)
From: David A Bestor <1nd3n14l@indenial.com>
To: freebsd-security@freebsd.org
In-Reply-To: <20030401034814.X97058@godzilla.indenial.com>
Message-ID: <20030401053831.K97268@godzilla.indenial.com>
References: <200303302121.h2ULL47f023145@freefall.freebsd.org> <20030401034814.X97058@godzilla.indenial.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:07.sendmail
X-List-Received-Date: Tue, 01 Apr 2003 10:45:10 -0000

On Tue, 1 Apr 2003, David A Bestor wrote:

> I think the advisory should also include the following:
> # cd /usr/src/share/sendmail
> # make install
>
> I run a custom hostname.mc in /etc/mail. Which I don't think is too
> extreme. If I do the following:
> cd /etc/mail
> make
>
> I then compare hostname.cf to sendmail.cf and it does not get
> built with updated information. This is because I still have the
> old m4 files in /usr/share/sendmail/cf unless I do the additional make
> install from above.
>
> Thanks,
> David

Nevermind. I see the error in my ways. I'm tracking stable on that
machine, and I was using the advisory commands just to rebuild the
sendmail on it. Sorry for the wasted bandwidth.

Thanks,
David

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 05:10:10 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A1C8037B401 for ; Tue, 1 Apr 2003 05:10:10 -0800 (PST)
Received: from mail.online.ie (mail.online.ie [213.159.130.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9D1EE43F85 for ; Tue, 1 Apr 2003 05:10:09 -0800 (PST) (envelope-from bofh@online.ie)
Received: from greebo.eirteic.com (news.eirteic.com [62.17.159.133]) by mail.online.ie (Postfix) with ESMTP id CF717B05E for ; Tue, 1 Apr 2003 14:10:07 +0100 (IST)
From: Sascha Luck
To: freebsd-security@freebsd.org
Date: Tue, 1 Apr 2003 14:09:14 +0100
User-Agent: KMail/1.5
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: clearsigned data
Content-Disposition: inline
Message-Id: <200304011409.25515.bofh@online.ie>
Subject: Jails and multihoming
X-List-Received-Date: Tue, 01 Apr 2003 13:10:10 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

are there any plans to allow FreeBSD jails to bind to more than one IP
address?

My scenario (virtual hosting):

3 front-end hosts with 2 interfaces each, one on the public network, the
other on a private subnet.
1 back-end host, providing NFS mounts for the front-ends.

This scenario is not uncommon in ISP environments, usually with a big
Netapp Filer in the backend...

I'd like to be able to bind each jail to both public and private IPs, so
the frontend hosts can mount filesystems off the backend.

Cheers,
s.

- --
It strikes me that cats are like soft-tipped ammo, they're small when they
enter your life, cause all kinds of havoc while they're in it, and then
leave a gaping hole in your heart when they pass out of it.
- --William Jennings in a.f.h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+iY+E51unZWdvDMoRAjYLAJ4wMTgd7+178x8aPH5VQsR/UJuPzgCeIV74
NUuKInvB7OAN8hpjrisx0og=
=OXMN
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 05:19:03 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4343E37B401 for ; Tue, 1 Apr 2003 05:19:03 -0800 (PST)
Received: from mx0.gmx.net (mx0.gmx.net [213.165.64.100]) by mx1.FreeBSD.org (Postfix) with SMTP id 3EF0F43FAF for ; Tue, 1 Apr 2003 05:19:02 -0800 (PST) (envelope-from haribeau@gmx.de)
Received: (qmail 11011 invoked by uid 0); 1 Apr 2003 13:19:01 -0000
Date: Tue, 1 Apr 2003 15:19:00 +0200 (MEST)
From: Clemens Hermann
To: Sascha Luck
MIME-Version: 1.0
References: <200304011409.25515.bofh@online.ie>
X-Priority: 3 (Normal)
X-Authenticated-Sender: #0000301651@gmx.net
X-Authenticated-IP: [217.228.230.108]
Message-ID: <5639.1049203140@www34.gmx.net>
X-Mailer: WWW-Mail 1.6 (Global Message Exchange)
X-Flags: 0001
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
cc: freebsd-security@freebsd.org
Subject: Re: Jails and multihoming
X-List-Received-Date: Tue, 01 Apr 2003 13:19:03 -0000

Hi Sascha,

> are there any plans to allow FreeBSD jails to bind to more than one IP
> address?

http://garage.freebsd.pl/mijail.tbz
http://garage.freebsd.pl/mijail.README

hth

/ch

--
+++ GMX - Mail, Messaging & more http://www.gmx.net +++
Say cheese! Online photo gallery with GMX, no homepage of your own needed!

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 07:04:33 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE21137B401 for ; Tue, 1 Apr 2003 07:04:33 -0800 (PST)
Received: from mail.online.ie (mail.online.ie [213.159.130.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB11443FBD for ; Tue, 1 Apr 2003 07:04:32 -0800 (PST) (envelope-from bofh@online.ie)
Received: from greebo.eirteic.com (news.eirteic.com [62.17.159.133]) by mail.online.ie (Postfix) with ESMTP id 85DB77052 for ; Tue, 1 Apr 2003 16:04:29 +0100 (IST)
From: Sascha Luck
To: freebsd-security@freebsd.org
Date: Tue, 1 Apr 2003 16:03:37 +0100
User-Agent: KMail/1.5
References: <200304011409.25515.bofh@online.ie> <5639.1049203140@www34.gmx.net>
In-Reply-To: <5639.1049203140@www34.gmx.net>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
Content-Description: clearsigned data
Content-Disposition: inline
Message-Id: <200304011603.45365.bofh@online.ie>
Subject: Re: Jails and multihoming
X-List-Received-Date: Tue, 01 Apr 2003 15:04:34 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Thus spake Clemens Hermann on Tuesday 01 April 2003 14:19:
> Hi Sascha,
>
> > are there any plans to allow FreeBSD jails to bind to more than one
> > IP address?
>
> http://garage.freebsd.pl/mijail.tbz
> http://garage.freebsd.pl/mijail.README

Thanks very much, I'll give that a try. It looks like it's only a
proof-of-concept, but is this patch going to be committed into the
mainstream source?

Cheers,
s.

- --
It strikes me that cats are like soft-tipped ammo, they're small when they
enter your life, cause all kinds of havoc while they're in it, and then
leave a gaping hole in your heart when they pass out of it.
- --William Jennings in a.f.h
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+iapP51unZWdvDMoRAoUrAKCVbIic/DbL9SORTlEop/VFqO3JWgCcDRGa
va35KIC2qej9vrF+6F9gpik=
=PX+H
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 08:42:46 2003
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3751737B401 for ; Tue, 1 Apr 2003 08:42:46 -0800 (PST)
Received: from smtp-29.ig.com.br (smtp-29.ig.com.br [200.226.132.157]) by mx1.FreeBSD.org (Postfix) with SMTP id CA31743F75 for ; Tue, 1 Apr 2003 08:42:44 -0800 (PST) (envelope-from agressor@ig.com.br)
Received: (qmail 2475 invoked from network); 1 Apr 2003 16:42:48 -0000
Received: from 222.156.226.200.in-addr.arpa.ig.com.br (HELO pegasus.example.net) (200.226.156.222) by smtp-29.ig.com.br with SMTP; 1 Apr 2003 16:42:48 -0000
Content-Type: text/plain; charset="iso-8859-1"
From: Agressor Chamaeleon To: security@FreeBSD.org Date: Tue, 1 Apr 2003 13:38:11 -0300 User-Agent: KMail/1.4.3 MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200304011338.11645.agressor@ig.com.br> Subject: kadmind patch error X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Apr 2003 16:42:46 -0000 Hello all, I have a problem using the kadmind patch. # cd /usr/src/kerberos5/libexec/k5admind # make depend && make all install ... /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/lib/hdb/hdb.h:41: hdb_asn1.h: No such file or directory In file included from /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadm_conn.c:34: /usr/src/kerberos5/libexec/k5admind/../../../crypto/heimdal/kadmin/kadmin_locl.h:93: hdb_err.h: No such file or directory mkdep: compile failed *** Error code 1 Stop in /usr/src/kerberos5/libexec/k5admind. Exit 1 => hdb_asn1.h and hdb_err.h do not exist on my 4.7 Release system. Can somebody help me? 
Thanks -- Renato Tambellini -=-=-=-=-=-=-=-=-=-=-=-=-=-=- Unix Systems Administrator Bauru, São Paulo From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 14:42:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A2BA37B401 for ; Tue, 1 Apr 2003 14:42:00 -0800 (PST) Received: from smtp800.mail.sc5.yahoo.com (smtp800.mail.sc5.yahoo.com [66.163.168.179]) by mx1.FreeBSD.org (Postfix) with SMTP id 0AB4543FA3 for ; Tue, 1 Apr 2003 14:41:58 -0800 (PST) (envelope-from fscked@pacbell.net) Received: from adsl-64-171-190-45.dsl.snfc21.pacbell.net (HELO pacbell.net) (fscked@pacbell.net@64.171.190.45 with plain) by smtp-sbc-v1.mail.vip.sc5.yahoo.com with SMTP; 1 Apr 2003 22:41:57 -0000 Message-ID: <3E8A159E.382DC088@pacbell.net> Date: Tue, 01 Apr 2003 14:41:34 -0800 From: richard childers / kg6hac X-Mailer: Mozilla 4.8 [en] (WinNT; U) X-Accept-Language: en MIME-Version: 1.0 To: andyf@speednet.com.au Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit cc: security@FreeBSD.ORG Subject: re: rfc3514 - Security Flag in the IPv4 Header X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Apr 2003 22:42:00 -0000 Any chance this is an April Fool's joke? Inquiring minds see a real snakepit involved in applications setting and honoring a bit that conveys dishonorable intentions. /-: -- richard Date: Tue, 1 Apr 2003 13:43:06 +1000 (EST) 
From: Andy Farkas Subject: rfc3514 - Security Flag in the IPv4 Header To: security@FreeBSD.ORG Message-ID: <20030401133947.L96386-100000@hewey.af.speednet.com.au> Content-Type: TEXT/PLAIN; charset=US-ASCII Any chance of this being implemented in fbsd? Could be useful ;-) ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt -- :{ andyf@speednet.com.au Andy Farkas System Administrator Speednet Communications http://www.speednet.com.au/ From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 08:12:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 85D7937B401 for ; Tue, 1 Apr 2003 08:12:41 -0800 (PST) Received: from comp.chem.msu.su (comp-ext.chem.msu.su [158.250.32.157]) by mx1.FreeBSD.org (Postfix) with ESMTP id B820C43F93 for ; Tue, 1 Apr 2003 08:12:36 -0800 (PST) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.12.3p2/8.12.3) with ESMTP id h31GBhhE021080 for ; Tue, 1 Apr 2003 20:12:25 +0400 (MSD) (envelope-from yar@comp.chem.msu.su) Received: (from yar@localhost) by comp.chem.msu.su (8.12.3p2/8.12.3/Submit) id h31GBhSE021075 for security@freebsd.org; Tue, 1 Apr 2003 20:11:43 +0400 (MSD) (envelope-from yar) Date: Tue, 1 Apr 2003 20:11:43 +0400 
From: Yar Tikhiy To: security@freebsd.org Message-ID: <20030401161142.GA19845@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.3i X-Mailman-Approved-At: Tue, 01 Apr 2003 19:16:48 -0800 Subject: LOG_AUTHPRIV and the default syslog.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 01 Apr 2003 16:12:41 -0000 Hello, Some time ago I wrote PR conf/48170, which discussed the following problem: Syslog messages of facility LOG_AUTHPRIV and priority LOG_NOTICE (or higher) are sent by default to the world-readable log file /var/log/messages. That seems unacceptable since the facility LOG_AUTHPRIV is for hiding sensitive log messages inside a protected file, e.g., /var/log/auth.log. For example, login(1) and ftpd(8) send messages about invalid login attempts to LOG_AUTHPRIV|LOG_NOTICE, which makes sense because: a) a username attempted may happen to be a password typed at a wrong prompt; b) an invalid login attempt is a thing to notice, so LOG_NOTICE is justified. The following patch was proposed: Index: syslog.conf =================================================================== RCS file: /home/ncvs/src/etc/syslog.conf,v retrieving revision 1.23 diff -u -r1.23 syslog.conf --- syslog.conf 21 Sep 2002 12:07:35 -0000 1.23 +++ syslog.conf 11 Feb 2003 11:39:55 -0000 
@@ -6,7 +6,7 @@ # may want to use only tabs as field separators here. # Consult the syslog.conf(5) manpage. *.err;kern.debug;auth.notice;mail.crit /dev/console -*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages +*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err /var/log/messages security.* /var/log/security auth.info;authpriv.info /var/log/auth.log mail.info /var/log/maillog =================================================================== Since my PR has received no feedback, I'd like to discuss the above problem here before committing my patch. Have I overlooked any complications? -- Yar From owner-freebsd-security@FreeBSD.ORG Tue Apr 1 22:15:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AF5437B401 for ; Tue, 1 Apr 2003 22:15:17 -0800 (PST) Received: from mail2.qmul.ac.uk (mail2.qmul.ac.uk [138.37.6.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 486D143F3F for ; Tue, 1 Apr 2003 22:15:16 -0800 (PST) (envelope-from d.m.pick@qmul.ac.uk) Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by mail2.qmul.ac.uk with esmtp (Exim 4.14) id 190bWV-0007K6-Kf; Wed, 02 Apr 2003 07:14:59 +0100 Received: from localhost ([127.0.0.1] helo=xi.css.qmw.ac.uk) by xi.css.qmw.ac.uk with esmtp (Exim 3.34 #1) id 190bWV-0009rF-00; Wed, 02 Apr 2003 07:14:59 +0100 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: richard childers / kg6hac In-reply-to: Your message of "Tue, 01 Apr 2003 14:41:34 -0800." <3E8A159E.382DC088@pacbell.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 02 Apr 2003 07:14:59 +0100 
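Review bot: the hunk only keeps LOG_AUTHPRIV out of /var/log/messages; the console line just above the changed one, "*.err;kern.debug;auth.notice;mail.crit /dev/console", still matches authpriv at err and above through "*.err", so an authpriv message at that priority continues to reach the console. If the PR's goal is to confine LOG_AUTHPRIV to the protected file, give that selector the same treatment ("*.err;authpriv.none;kern.debug;auth.notice;mail.crit /dev/console"), and state in the commit message that the change assumes /var/log/auth.log is created non-world-readable, since the whole fix rests on that.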
From: David Pick Message-Id: X-Sender-Host-Address: 138.37.8.11 X-Mailman-Approved-At: Tue, 01 Apr 2003 22:18:03 -0800 cc: security@FreeBSD.ORG Subject: Re: rfc3514 - Security Flag in the IPv4 Header X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2003 06:15:17 -0000 > Any chance this is an April Fool's joke? The idea is sound and brilliant in concept. > Inquiring minds see a real snakepit involved in applications > setting and honoring a bit that conveys dishonorable > intentions. /-: I think it's unfortunate that someone as well respected as Stephen Bellovin should fall prey to an obvious trap. One might very well think that it really doesn't matter which way a bit gets set (or, to put it another way, whether a zero or one value indicates "Evil"). Taken in isolation this is true; however, as with all "upwards compatible" changes to the Internet protocols, we have to take into account the previous situation. Pre-RFC3514 packets will have this bit set to a value of zero and this includes packets with evil intent. Since we know that *most* packets on the Internet at the moment are of evil intent we should assume this fact and insist that packets should have this bit set to one to positively assure us that the packet is *known* to have pure and unsullied motives. After all, in the security world it is recognised that a "default deny" policy is much stronger than a "default accept" policy. 
-- David Pick From owner-freebsd-security@FreeBSD.ORG Wed Apr 2 04:48:49 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9C3237B401; Wed, 2 Apr 2003 04:48:49 -0800 (PST) Received: from smtp1.sentex.ca (smtp1.sentex.ca [199.212.134.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id CAF2043F93; Wed, 2 Apr 2003 04:48:48 -0800 (PST) (envelope-from mike@sentex.net) Received: from house.sentex.net (cage.simianscience.com [64.7.134.1]) by smtp1.sentex.ca (8.12.9/8.12.6) with ESMTP id h32Cmku3085228; Wed, 2 Apr 2003 07:48:47 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030402074159.0741a088@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Wed, 02 Apr 2003 07:46:51 -0500 To: Yar Tikhiy From: Mike Tancsa In-Reply-To: <20030401161142.GA19845@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed cc: security@freebsd.org Subject: Re: LOG_AUTHPRIV and the default syslog.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2003 12:48:50 -0000 I like the change and I don't think it would adversely affect any sites. ---Mike At 08:11 PM 4/1/2003 +0400, Yar Tikhiy wrote: >The following patch was proposed: > >Index: syslog.conf >=================================================================== >RCS file: /home/ncvs/src/etc/syslog.conf,v >retrieving revision 1.23 >diff -u -r1.23 syslog.conf >--- syslog.conf 21 Sep 2002 12:07:35 -0000 1.23 >+++ syslog.conf 11 Feb 2003 11:39:55 -0000 
>@@ -6,7 +6,7 @@ > # may want to use only tabs as field separators here. > # Consult the syslog.conf(5) manpage. > *.err;kern.debug;auth.notice;mail.crit /dev/console >-*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages >+*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err >/var/log/messages > security.* /var/log/security > auth.info;authpriv.info /var/log/auth.log > mail.info /var/log/maillog >=================================================================== > >Since my PR has received no feedback, I'd like to discuss the above >problem here before committing my patch. Have I overlooked any >complications? > >-- >Yar >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Wed Apr 2 05:02:47 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69EF437B482; Wed, 2 Apr 2003 05:02:47 -0800 (PST) Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F1B343FA3; Wed, 2 Apr 2003 05:02:46 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id A830B4C45; Wed, 2 Apr 2003 07:02:45 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id h32D2i708610; Wed, 2 Apr 2003 07:02:44 -0600 (CST) (envelope-from hawkeyd) Date: Wed, 2 Apr 2003 07:02:44 -0600 
From: D J Hawkey Jr To: Mike Tancsa Message-ID: <20030402070244.A8569@sheol.localdomain> References: <20030401161142.GA19845@comp.chem.msu.su> <5.2.0.9.0.20030402074159.0741a088@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <5.2.0.9.0.20030402074159.0741a088@192.168.0.12>; from mike@sentex.net on Wed, Apr 02, 2003 at 07:46:51AM -0500 cc: Yar Tikhiy cc: security@freebsd.org Subject: Re: LOG_AUTHPRIV and the default syslog.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2003 13:02:48 -0000 > At 08:11 PM 4/1/2003 +0400, Yar Tikhiy wrote: > >The following patch was proposed: > > > >Index: syslog.conf > >=================================================================== > >RCS file: /home/ncvs/src/etc/syslog.conf,v > >retrieving revision 1.23 > >diff -u -r1.23 syslog.conf > >--- syslog.conf 21 Sep 2002 12:07:35 -0000 1.23 > >+++ syslog.conf 11 Feb 2003 11:39:55 -0000 
> >@@ -6,7 +6,7 @@ > > # may want to use only tabs as field separators here. > > # Consult the syslog.conf(5) manpage. > > *.err;kern.debug;auth.notice;mail.crit /dev/console > >-*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages > >+*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err > >/var/log/messages > > security.* /var/log/security > > auth.info;authpriv.info /var/log/auth.log > > mail.info /var/log/maillog > >=================================================================== > > > >Since my PR has received no feedback, I'd like to discuss the above > >problem here before committing my patch. Have I overlooked any > >complications? On Apr 02, at 07:46 AM, Mike Tancsa top-posted: > > I like the change and I don't think it would adversely affect any sites. > > ---Mike FWIW, long ago, I set one of mine up as: *.err;authpriv.none /dev/console *.notice;auth.info;kern.debug;security.none;local0.none;authpriv.none /var/log/messages security.*;local0.*;authpriv.* /var/log/security I must have been thinking the same thing Yar does WRT authpriv and /var/log/messages. Note that I also added local0, for ipmon(8); is it too late to consider this hack as well as Yar's? Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. 
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Apr 2 05:48:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B737037B401; Wed, 2 Apr 2003 05:47:59 -0800 (PST) Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0646643FCB; Wed, 2 Apr 2003 05:47:59 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id 374954C6F; Wed, 2 Apr 2003 07:47:58 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id h32DlvV08830; Wed, 2 Apr 2003 07:47:57 -0600 (CST) (envelope-from hawkeyd) Date: Wed, 2 Apr 2003 07:47:57 -0600 
From: D J Hawkey Jr To: Yar Tikhiy Message-ID: <20030402074757.A8776@sheol.localdomain> References: <20030401161142.GA19845@comp.chem.msu.su> <5.2.0.9.0.20030402074159.0741a088@192.168.0.12> <20030402070244.A8569@sheol.localdomain> <20030402133625.GA81907@comp.chem.msu.su> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030402133625.GA81907@comp.chem.msu.su>; from yar@freebsd.org on Wed, Apr 02, 2003 at 05:36:25PM +0400 cc: security@freebsd.org Subject: Re: LOG_AUTHPRIV and the default syslog.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2003 13:48:00 -0000 On Apr 02, at 05:36 PM, Yar Tikhiy wrote: > > On Wed, Apr 02, 2003 at 07:02:44AM -0600, D J Hawkey Jr wrote: > > > > FWIW, long ago, I set one of mine up as: > > > > *.err;authpriv.none /dev/console > > *.notice;auth.info;kern.debug;security.none;local0.none;authpriv.none /var/log/messages > > security.*;local0.*;authpriv.* /var/log/security > > > > I must have been thinking the same thing Yar does WRT authpriv and > > /var/log/messages. > > > > Note that I also added local0, for ipmon(8); is it too late to > > consider this hack as well as Yar's? > > Today's style is to send messages from packet filters to > /var/log/security, and from authenticating functions to /var/log/auth.log. No disagreement. This is what I do with local0, and it's just my own preference to "depreciate" auth.log (which I don't advocate as policy). > Additionally I think it would be poor style to use local0 in the > default syslog.conf since local* should be left for site-specific > purposes. I agree completely, but... 
> Therefore I'd suggest changing src/sbin/ipmon/Makefile > so that it will add ``-DLOGFAC=LOG_SECURITY'' to CFLAGS, and syncing > ipmon.8; so ipmon(8) would behave consistently with the rest of the > system. ...I didn't know about that define! I try to leave /usr/src alone, but if a committer did this, I'd be all for it. I hereby revoke my request. > Yar Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Apr 2 05:36:33 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D340F37B401 for ; Wed, 2 Apr 2003 05:36:33 -0800 (PST) Received: from comp.chem.msu.su (comp-ext.chem.msu.su [158.250.32.157]) by mx1.FreeBSD.org (Postfix) with ESMTP id A8BBD43F75 for ; Wed, 2 Apr 2003 05:36:31 -0800 (PST) (envelope-from yar@comp.chem.msu.su) Received: from comp.chem.msu.su (localhost [127.0.0.1]) by comp.chem.msu.su (8.12.3p2/8.12.3) with ESMTP id h32DaRhE082772; Wed, 2 Apr 2003 17:36:27 +0400 (MSD) (envelope-from yar@comp.chem.msu.su) Received: (from yar@localhost) by comp.chem.msu.su (8.12.3p2/8.12.3/Submit) id h32DaQAG082771; Wed, 2 Apr 2003 17:36:26 +0400 (MSD) (envelope-from yar) Date: Wed, 2 Apr 2003 17:36:25 +0400 
From: Yar Tikhiy To: D J Hawkey Jr Message-ID: <20030402133625.GA81907@comp.chem.msu.su> References: <20030401161142.GA19845@comp.chem.msu.su> <5.2.0.9.0.20030402074159.0741a088@192.168.0.12> <20030402070244.A8569@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030402070244.A8569@sheol.localdomain> User-Agent: Mutt/1.5.3i X-Mailman-Approved-At: Wed, 02 Apr 2003 09:55:54 -0800 cc: security@freebsd.org Subject: Re: LOG_AUTHPRIV and the default syslog.conf X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 02 Apr 2003 13:36:34 -0000 On Wed, Apr 02, 2003 at 07:02:44AM -0600, D J Hawkey Jr wrote: > > FWIW, long ago, I set one of mine up as: > > *.err;authpriv.none /dev/console > *.notice;auth.info;kern.debug;security.none;local0.none;authpriv.none /var/log/messages > security.*;local0.*;authpriv.* /var/log/security > > I must have been thinking the same thing Yar does WRT authpriv and > /var/log/messages. > > Note that I also added local0, for ipmon(8); is it too late to > consider this hack as well as Yar's? Today's style is to send messages from packet filters to /var/log/security, and from authenticating functions to /var/log/auth.log. Additionally I think it would be poor style to use local0 in the default syslog.conf since local* should be left for site-specific purposes. Therefore I'd suggest changing src/sbin/ipmon/Makefile so that it will add ``-DLOGFAC=LOG_SECURITY'' to CFLAGS, and syncing ipmon.8; so ipmon(8) would behave consistently with the rest of the system. 
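To see concretely what the selector lines in this thread do, the following is an added example (not from the thread, and not FreeBSD's syslogd) that models the BSD syslog.conf selector rules in Python and routes a message through Yar's /var/log/messages line before and after "authpriv.none", and through Dave's site configuration. The configuration strings are copied from the messages above; the facility and priority names are the standard syslog ones. The "=" and "!" priority-comparison prefixes and the program/host blocks that FreeBSD's syslog.conf also accepts are deliberately left out of the model.

```python
"""Where does a syslog message land?  A small evaluator for the selector
syntax of a BSD-style syslog.conf, written to check the routing change
discussed in this thread.  It is an illustration, not syslogd itself.

Modelled: ';'-separated facility.level pairs, the '*' wildcard for both
facility and level, and '.none'.  Not modelled: the '=' / '!' comparison
prefixes and '!prog' / '+host' blocks of FreeBSD's syslog.conf(5).
"""

# Standard syslog priorities, lowest to highest.
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit",
              "alert", "emerg"]

# Copied from the thread: the default file before the patch (console,
# messages, security, auth.log and maillog lines).
CONF_BEFORE = """\
*.err;kern.debug;auth.notice;mail.crit          /dev/console
*.notice;kern.debug;lpr.info;mail.crit;news.err /var/log/messages
security.*                                      /var/log/security
auth.info;authpriv.info                         /var/log/auth.log
mail.info                                       /var/log/maillog
"""

# The same file with Yar's one-line change applied.
CONF_AFTER = CONF_BEFORE.replace(
    "*.notice;kern.debug", "*.notice;authpriv.none;kern.debug")

# Dave's site configuration, also copied from the thread.
CONF_SITE = """\
*.err;authpriv.none                                                     /dev/console
*.notice;auth.info;kern.debug;security.none;local0.none;authpriv.none  /var/log/messages
security.*;local0.*;authpriv.*                                          /var/log/security
"""


def parse_conf(text):
    """Return [(specs, target)], where specs is [(facility, level), ...]
    in the order written.  Blank lines and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        specs = []
        for item in selector.split(";"):
            facility, level = item.split(".", 1)
            if level not in PRIORITIES and level not in ("none", "*"):
                raise ValueError("unknown priority %r in %r" % (level, raw))
            specs.append((facility, level))
        rules.append((specs, target.strip()))
    return rules


def selector_matches(specs, facility, priority):
    """BSD syslogd semantics: the pairs are applied left to right and the
    last one naming this facility (or '*') sets its threshold; 'none'
    removes the facility again.  A message matches when its priority is
    at or above the threshold that is left standing."""
    threshold = None                    # None: facility not selected
    for fac, level in specs:
        if fac != "*" and fac != facility:
            continue
        if level == "none":
            threshold = None
        elif level == "*":
            threshold = "debug"         # '*' as a level means everything
        else:
            threshold = level
    if threshold is None:
        return False
    return PRIORITIES.index(priority) >= PRIORITIES.index(threshold)


def route(conf_text, facility, priority):
    """List the targets a facility.priority message is written to, in
    configuration order."""
    return [target for specs, target in parse_conf(conf_text)
            if selector_matches(specs, facility, priority)]


if __name__ == "__main__":
    # A failed login is logged at authpriv.notice by login(1) and ftpd(8).
    for label, conf in (("before", CONF_BEFORE), ("after", CONF_AFTER),
                        ("site", CONF_SITE)):
        print("%-6s authpriv.notice -> %s" % (label, route(conf, "authpriv", "notice")))
```

Running it shows the point of the patch: before the change an authpriv.notice message is written to both /var/log/messages and /var/log/auth.log, afterwards only to /var/log/auth.log. It also shows what the patch does not cover: an authpriv message at err or above still matches the unchanged "*.err" console line, which is exactly the case Dave's "*.err;authpriv.none /dev/console" line handles.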
-- Yar From owner-freebsd-security@FreeBSD.ORG Wed Apr 2 22:49:34 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B68837B401 for ; Wed, 2 Apr 2003 22:49:34 -0800 (PST) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id E2B5F43F85 for ; Wed, 2 Apr 2003 22:49:33 -0800 (PST) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id CF77615227; Wed, 2 Apr 2003 22:49:30 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id CC72915226 for ; Wed, 2 Apr 2003 22:49:30 -0800 (PST) Date: Wed, 2 Apr 2003 22:49:30 -0800 (PST) From: Mike Hoskins To: security@FreeBSD.ORG In-Reply-To: Message-ID: <20030402224630.V7394@fubar.adept.org> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: rfc3514 - Security Flag in the IPv4 Header X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2003 06:49:34 -0000 On Wed, 2 Apr 2003, David Pick wrote: > > Any chance this is an April Fool's joke? Yes. > The idea is sound and brilliant in concept. It was a joke. :) > > Inquiring minds see a real snakepit involved in applications > > setting and honoring a bit that conveys dishonorable > > intentions. /-: Exactly, as if people wouldn't 'fiddle' with the bit. > I think it's unfortunate that someone as well respected as > Stephen Bellovin should fall prey to an obvious trap. One He didn't. :) Funny, this got sucked into *BSD and Linux CVS repositories, and discussed on a number of mailing lists. >From bmanning@karoshi.com Wed Apr 2 22:45:56 2003 Date: Tue, 1 Apr 2003 09:40:26 -0800 (PST) 
From: bmanning@karoshi.com To: nanog@nanog.org Subject: Re: RFC3514 > Well, you weren't taking it seriously, I hope. lol > -Jack Subject: cvs commit: src/sbin/ping ping.8 ping.c src/share/man/man4 inet.4 ip.4 src/sys/netinet in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h src/usr.bin/netstat inet.c Date: Tue, 1 Apr 2003 00:21:44 -0800 (PST) To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org mdodd 2003/04/01 00:21:44 PST FreeBSD src repository Modified files: sbin/ping ping.8 ping.c share/man/man4 inet.4 ip.4 sys/netinet in.h in_pcb.h ip.h ip_input.c ip_output.c ip_var.h usr.bin/netstat inet.c Log: Implement support for RFC 3514 (The Security Flag in the IPv4 Header). (See: ftp://ftp.rfc-editor.org/in-notes/rfc3514.txt) This fulfills the host requirements for userland support by way of the setsockopt() IP_EVIL_INTENT message. There are three sysctl tunables provided to govern system behavior. net.inet.ip.rfc3514: Enables support for rfc3514. As this is an Informational RFC and support is not yet widespread this option is disabled by default. net.inet.ip.hear_no_evil If set the host will discard all received evil packets. net.inet.ip.speak_no_evil If set the host will discard all transmitted evil packets. The IP statistics counter 'ips_evil' (available via 'netstat') provides information on the number of 'evil' packets received. For reference, the '-E' option to 'ping' has been provided to demonstrate and test the implementation. Revision Changes Path 1.47 +4 -2 src/sbin/ping/ping.8 1.92 +13 -1 src/sbin/ping/ping.c 1.21 +11 -0 src/share/man/man4/inet.4 1.29 +9 -0 src/share/man/man4/ip.4 1.75 +2 -0 src/sys/netinet/in.h 1.59 +1 -0 src/sys/netinet/in_pcb.h 1.22 +1 -0 src/sys/netinet/ip.h 1.232 +14 -0 src/sys/netinet/ip_input.c 1.181 +28 -1 src/sys/netinet/ip_output.c 1.72 +1 -0 src/sys/netinet/ip_var.h 1.57 +1 -0 src/usr.bin/netstat/inet.c ----- End forwarded message: -mrh -- 
From: "Spam Catcher" To: spam-catcher@adept.org Don't send email to the address listed here or you will be added to a blacklist! It is a TRAP for address harvesters. From owner-freebsd-security@FreeBSD.ORG Thu Apr 3 04:20:13 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DE2E37B401 for ; Thu, 3 Apr 2003 04:20:13 -0800 (PST) Received: from smtp1.cmg.com (smtp1.cmg.com [195.109.155.100]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1263A43F3F for ; Thu, 3 Apr 2003 04:20:12 -0800 (PST) (envelope-from bob.kars@logicacmg.com) Received: from bnl-amv-mr01.bnl.group.cmg.com (bnl-amv-mr01.bnl.group.cmg.com [10.16.59.80]) by smtp1.cmg.com (8.12.3/8.12.3) with ESMTP id h33CKAOl004158 for ; Thu, 3 Apr 2003 14:20:10 +0200 (CEST) (envelope-from bob.kars@logicacmg.com) Received: from nl-amv-route01.cmg.nl ([10.16.127.107]) by bnl-amv-mr01.bnl.group.cmg.com with Microsoft SMTPSVC(5.0.2195.5329); Thu, 3 Apr 2003 14:20:05 +0200 Received: by NL-AMV-ROUTE01 with Internet Mail Service (5.5.2653.19) id ; Thu, 3 Apr 2003 14:20:05 +0200 Message-ID: <50640C246150D611BB7300104BB3F93965DE09@NL-AMV-MAIL03> From: Bob Kars To: "'freebsd-security@freebsd.org'" Date: Thu, 3 Apr 2003 14:20:03 +0200 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: text/plain; charset="iso-8859-1" X-OriginalArrivalTime: 03 Apr 2003 12:20:05.0765 (UTC) FILETIME=[5C124350:01C2F9DB] X-Virus-Scanned: CMG - by AMaViS / NAI Virus Scan Subject: RE: Welcome to the "freebsd-security" mailing list X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2003 12:20:13 -0000 -----Original Message----- 
From: freebsd-security-request@freebsd.org [mailto:freebsd-security-request@freebsd.org] Sent: Thursday 3 April 2003 14:10 To: bob.kars@logicacmg.com Subject: Welcome to the "freebsd-security" mailing list Welcome to the freebsd-security@freebsd.org mailing list! To post to this list, send your email to: freebsd-security@freebsd.org General information about the mailing list is at: http://lists.freebsd.org/mailman/listinfo/freebsd-security If you ever want to unsubscribe or change your options (eg, switch to or from digest mode, change your password, etc.), visit your subscription page at: http://lists.freebsd.org/mailman/options/freebsd-security/bob.kars%40logicacmg.com You can also make such adjustments via email by sending a message to: freebsd-security-request@freebsd.org with the word `help' in the subject or body (don't include the quotes), and you will get back a message with instructions. You must know your password to change your options (including changing the password, itself) or to unsubscribe. It is: Normally, Mailman will remind you of your freebsd.org mailing list passwords once every month, although you can disable this if you prefer. This reminder will also include instructions on how to unsubscribe or change your account options. There is also a button on your options page that will email your current password to you. 
From owner-freebsd-security@FreeBSD.ORG Thu Apr 3 11:56:38 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 346D837B401 for ; Thu, 3 Apr 2003 11:56:38 -0800 (PST) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC6F943FA3 for ; Thu, 3 Apr 2003 11:56:37 -0800 (PST) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 0684B1522C; Thu, 3 Apr 2003 11:56:32 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 05A9915227 for ; Thu, 3 Apr 2003 11:56:32 -0800 (PST) Date: Thu, 3 Apr 2003 11:56:32 -0800 (PST) From: Mike Hoskins To: security@FreeBSD.ORG In-Reply-To: Message-ID: <20030403115249.O44357@fubar.adept.org> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: rfc3514 - Security Flag in the IPv4 Header X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 03 Apr 2003 19:56:38 -0000 On Wed, 2 Apr 2003, Julian Elischer wrote: > > > I think it's unfortunate that someone as well respected as > > > Stephen Bellovin should fall prey to an obvious trap. One > > He didn't. :) Funny, this got sucked into *BSD and Linux CVS > > repositories, and discussed on a number of mailing lists. > But only in the context of a joke.. > especially the joke commit to FreeBSD.. Right, I got that much. That's why I thought it was funny... While I think it was funny, I also saw some earnest "Is this real?" posts to a few lists I was subscribed to, so I'm just over eager to respond with "It's just a joke!" ;) -mrh -- 