From: Mike Tancsa
To: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 10:16:09 -0500
Subject: perms of /dev/uhid0

I wrote a small app that monitors a Back-UPS ES500 UPS via the uhid0
interface. I want to run the daemon with as little privs as possible.

gastest# ls -l /dev/uhid0
crw-rw---- 1 root operator 122, 0 Nov 12 05:26 /dev/uhid0
gastest#

Is it safe to chmod o+r /dev/uhid0 ? Or is there a better way to drop
privs of the daemon yet still be able to read from the device ?

All I am doing is

    char *devname = "/dev/uhid0";

    fd = open( devname, O_RDONLY );
    if( fd < 0 ) {
        perror( "open" );
        return -1;
    }

    do {
        count = read( fd, buff, sizeof( buff ) );
        ....

rest of the program

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From: Matt Piechota
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 10:28:31 -0500 (EST)
Subject: Re: perms of /dev/uhid0

On Wed, 26 Nov 2003, Mike Tancsa wrote:

> gastest# ls -l /dev/uhid0
> crw-rw---- 1 root operator 122, 0 Nov 12 05:26 /dev/uhid0
> gastest#
>
> Is it safe to chmod o+r /dev/uhid0 ? Or is there a better way to drop
> privs of the daemon yet still be able to read from the device ?

Maybe I'm a bit off, but: wouldn't it be okay to 'chgrp upsmon /dev/uhid0'
in usbd.conf, and make a upsmon user and group to run the daemon under?

-- 
Matt Piechota

From: Mike Tancsa
To: Matt Piechota
Cc: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 10:53:20 -0500
Subject: Re: perms of /dev/uhid0

At 10:28 AM 26/11/2003, Matt Piechota wrote:
>On Wed, 26 Nov 2003, Mike Tancsa wrote:
>
> > gastest# ls -l /dev/uhid0
> > crw-rw---- 1 root operator 122, 0 Nov 12 05:26 /dev/uhid0
> > gastest#
> >
> > Is it safe to chmod o+r /dev/uhid0 ? Or is there a better way to drop
> > privs of the daemon yet still be able to read from the device ?
>
>Maybe I'm a bit off, but: wouldn't it be okay to 'chgrp upsmon /dev/uhid0'
>in usbd.conf, and make a upsmon user and group to run the daemon under?

I know for our setup, there is nothing else that would need to talk to this
device so I could do something like that. Not sure of the implications if
someone unplugged the UPS and put their own device into the port. The
physical server is in a locked box, but the UPS is not. So if they somehow
managed to blow up the daemon by overflowing a buffer, it would be nice
that it's a non-root user. However, I do not try and read more than
sizeof(buffer) so I don't see any obvious ways...

         ---Mike

From: Matt Piechota
To: Mike Tancsa
Cc: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 11:36:08 -0500 (EST)
Subject: Re: perms of /dev/uhid0

On Wed, 26 Nov 2003, Mike Tancsa wrote:

> I know for our setup, there is nothing else that would need to talk to this
> device so I could do something like that. Not sure of the implications if
> someone unplugged the UPS and put their own device into the port. The
> physical server is in a locked box, but the UPS is not. So if they somehow
> managed to blow up the daemon by overflowing a buffer, it would be nice
> that it's a non-root user. However, I do not try and read more than
> sizeof(buffer) so I don't see any obvious ways...

Looking at /etc/usbd.conf, it appears that you can specify what USB Manuf
and Device ID the UPS is, so it'd only chgrp stuff when the device was the
UPS. I suppose that wouldn't stop someone who changed their device IDs to
match the UPS, but that seems like a minimal risk.

-- 
Matt Piechota

From: Mike Tancsa
To: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 11:42:27 -0500
Subject: Re: perms of /dev/uhid0

Actually, I was reminded off list that I can drop privs after I open the
device.

eg

    fd = open( devname, O_RDONLY );
    if( fd < 0 ) {
        perror( "open" );
        return -1;
    }

    /* when we get a SigUSR spit out to syslog the current battery level */
    signal(SIGUSR1, handleSignal);

    if (!(pwent = getpwnam("nobody"))) {
        fprintf(stderr, "There must be a user called nobody for this program to work!");
        exit(1);
    } else if (setuid(pwent->pw_uid) == -1) {
        perror("Can't drop privileges");
        exit(1);
    }

Thanks to all who responded!

         ---Mike

At 10:53 AM 26/11/2003, Mike Tancsa wrote:
>At 10:28 AM 26/11/2003, Matt Piechota wrote:
>>On Wed, 26 Nov 2003, Mike Tancsa wrote:
>>
>> > gastest# ls -l /dev/uhid0
>> > crw-rw---- 1 root operator 122, 0 Nov 12 05:26 /dev/uhid0
>> > gastest#
>> >
>> > Is it safe to chmod o+r /dev/uhid0 ? Or is there a better way to drop
>> > privs of the daemon yet still be able to read from the device ?
>>
>>Maybe I'm a bit off, but: wouldn't it be okay to 'chgrp upsmon /dev/uhid0'
>>in usbd.conf, and make a upsmon user and group to run the daemon under?
>
>I know for our setup, there is nothing else that would need to talk to
>this device so I could do something like that. Not sure of the
>implications if someone unplugged the UPS and put their own device into
>the port. The physical server is in a locked box, but the UPS is not. So
>if they somehow managed to blow up the daemon by overflowing a buffer, it
>would be nice that it's a non-root user. However, I do not try and read
>more than sizeof(buffer) so I don't see any obvious ways...
>
>         ---Mike
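
The open-then-drop sequence from the message above, written out in full as an added example (not part of the original post). It goes one step further than the posted snippet: it also gives up root's group IDs with setgroups() and setgid() before setuid(), and it checks that root cannot be regained. The names open_then_drop, drop_to and the ERR_* codes are hypothetical; the device path and the nobody account are the ones used in the thread.

```c
/* Added example: open a root-only device, then drop privileges for good. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose setgroups(); no effect on FreeBSD */
#endif
#include <sys/types.h>
#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical error codes for this example. */
enum { ERR_OPEN = -1, ERR_USER = -2, ERR_DROP = -3 };

/*
 * Permanently switch to uid/gid. Order matters: the supplementary groups
 * and the gid must be changed while the process is still root, because
 * after setuid() it no longer has the right to change them.
 */
static int drop_to(uid_t uid, gid_t gid)
{
    /* Without this, root's supplementary groups would survive setuid(). */
    if (geteuid() == 0 && setgroups(1, &gid) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify the drop is irreversible: regaining root must fail. */
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0))
        return -1;
    return 0;
}

/*
 * Open `path` read-only with the caller's (root) credentials, then become
 * `user`. Returns the open descriptor, or a negative ERR_* code.
 * The descriptor keeps working after the drop because file permissions
 * are checked at open() time, not on each read().
 */
int open_then_drop(const char *path, const char *user)
{
    struct passwd *pw;
    int fd = open(path, O_RDONLY);

    if (fd < 0)
        return ERR_OPEN;
    if ((pw = getpwnam(user)) == NULL) {
        close(fd);
        return ERR_USER;
    }
    if (drop_to(pw->pw_uid, pw->pw_gid) == -1) {
        close(fd);
        return ERR_DROP;
    }
    return fd;
}

int main(void)
{
    unsigned char buff[64];
    ssize_t count;
    int fd = open_then_drop("/dev/uhid0", "nobody");

    if (fd < 0) {
        fprintf(stderr, "startup failed (code %d)\n", fd);
        return 1;
    }
    /* From here on the device is untrusted input: never read past buff. */
    while ((count = read(fd, buff, sizeof(buff))) > 0)
        printf("report: %zd bytes\n", count);
    close(fd);
    return count < 0;
}
```

With this layout the device node can stay at its default root:operator mode 0660; only the already-open descriptor crosses the privilege boundary.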

From: Mike Tancsa
To: Matt Piechota
Cc: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 11:43:19 -0500
Subject: Re: perms of /dev/uhid0

At 11:36 AM 26/11/2003, Matt Piechota wrote:
>Looking at /etc/usbd.conf,

Sorry, I should have been more clear that this is a home grown program and
not usbmon.

         ---Mike

From: "Jacques A. Vidrine"
To: freebsd-security@freebsd.org
Date: Wed, 26 Nov 2003 19:11:30 -0600
Subject: HEADS-UP: BIND denial-of-service vulnerability

Hello Everyone,

ISC has released new versions of BIND 8 which address a remotely
exploitable denial-of-service vulnerability that may allow an
attacker to perform `negative cache poisoning'--- convincing a name
server that certain RRs do not exist (even though they may). I do
not know of any workaround at this time.

I have committed fixes to the RELENG_5_1 and RELENG_4_9 security
branches. Due to personal obligations this evening [*], I will likely
not update RELENG_4_8 and RELENG_4_7 until sometime tomorrow. Likewise,
the advisory will follow tomorrow. However, you can find patches at the
following URLs:

[FreeBSD -CURRENT, -STABLE, 4.9]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch.asc

[FreeBSD 5.1, 4.8]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch.asc

[FreeBSD 4.7, 4.6, 4.5, 4.4]
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch.asc

(If you don't find them at ftp.freebsd.org, try ftp2.freebsd.org.)

I expect Doug Barton will upgrade BIND 8 in -STABLE and -CURRENT
tonight or tomorrow.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME      FreeBSD UNIX       Heimdal
nectar@celabo.org jvidrine@verio.net nectar@freebsd.org nectar@kth.se

[*] Happy Thanksgiving to those celebrating it, by the way!

----- Forwarded message from Jacques Vidrine -----

Date: Wed, 26 Nov 2003 16:54:53 -0800 (PST)
From: Jacques Vidrine
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src UPDATING src/sys/conf newvers.sh src/contrib/bind Version src/contrib/bind/bin/named ns_resp.c
Message-Id: <200311270054.hAR0srnr052777@repoman.freebsd.org>

nectar      2003/11/26 16:54:53 PST

  FreeBSD src repository

  Modified files:          (Branch: RELENG_5_1)
    .                      UPDATING
    sys/conf               newvers.sh
    contrib/bind           Version
    contrib/bind/bin/named ns_resp.c
  Log:
  Correct a remote denial-of-service attack in named(8).

  Revision       Changes    Path
  1.251.2.13     +3 -0      src/UPDATING
  1.1.1.11.2.1   +1 -1      src/contrib/bind/Version
  1.1.1.11.2.1   +9 -3      src/contrib/bind/bin/named/ns_resp.c
  1.50.2.13      +1 -1      src/sys/conf/newvers.sh

----- End forwarded message -----

----- Forwarded message from Jacques Vidrine -----

Date: Wed, 26 Nov 2003 16:56:06 -0800 (PST)
From: Jacques Vidrine
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src UPDATING src/sys/conf newvers.sh src/contrib/bind Version src/contrib/bind/bin/named ns_resp.c
Message-Id: <200311270056.hAR0u62k052941@repoman.freebsd.org>

nectar      2003/11/26 16:56:06 PST

  FreeBSD src repository

  Modified files:          (Branch: RELENG_4_9)
    .                      UPDATING
    sys/conf               newvers.sh
    contrib/bind           Version
    contrib/bind/bin/named ns_resp.c
  Log:
  Correct a remote denial-of-service attack in named(8).

  Revision           Changes    Path
  1.73.2.89.2.2      +12 -0     src/UPDATING
  1.1.1.3.2.9.2.1    +1 -1      src/contrib/bind/Version
  1.1.1.2.2.10.2.1   +9 -3      src/contrib/bind/bin/named/ns_resp.c
  1.44.2.32.2.2      +1 -1      src/sys/conf/newvers.sh

----- End forwarded message -----

From: Дейтер Александр Валериевич
Date: Fri, 28 Nov 2003 14:56:27 +0300
Subject: Kerberized applications in FreeBSD 5.x

In FreeBSD 5.x only telnet/telnetd works 'out of box' with kerberos.
Why do ftp/ftpd, ssh/sshd and cvs not support kerberos?

Thanks!

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Date: Fri, 28 Nov 2003 14:48:49 -0800 (PST)
Subject: FreeBSD Security Advisory FreeBSD-SA-03:19.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:19.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          bind8 negative cache poison attack

Category:       contrib
Module:         contrib_bind
Announced:      2003-11-28
Credits:        Internet Software Consortium
Affects:        FreeBSD versions through 4.9-RELEASE and 5.1-RELEASE
                4-STABLE prior to the correction date
Corrected:      2003-11-28 22:13:47 UTC (RELENG_4, 4.9-STABLE)
                2003-11-27 00:54:53 UTC (RELENG_5_1, 5.1-RELEASE-p11)
                2003-11-27 16:54:01 UTC (RELENG_5_0, 5.0-RELEASE-p19)
                2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1)
                2003-11-27 16:34:22 UTC (RELENG_4_8, 4.8-RELEASE-p14)
                2003-11-27 16:35:06 UTC (RELENG_4_7, 4.7-RELEASE-p24)
                2003-11-27 16:37:00 UTC (RELENG_4_6, 4.6.2-RELEASE-p27)
                2003-11-27 16:38:36 UTC (RELENG_4_5, 4.5-RELEASE-p37)
                2003-11-27 16:40:03 UTC (RELENG_4_4, 4.4-RELEASE-p47)
CVE Name:       CAN-2003-0914
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 8 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server.

II.  Problem Description

A programming error in BIND 8 named can result in a DNS message being
incorrectly cached as a negative response.

III. Impact

An attacker may arrange for malicious DNS messages to be delivered
to a target name server, and cause that name server to cache a
negative response for some target domain name. The name server would
thereafter respond negatively to legitimate queries for that domain
name, resulting in a denial-of-service for applications that require
DNS. Almost all Internet applications require DNS, such as the Web,
email, and chat networks.

IV.  Workaround

No workaround is known.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.9-STABLE; or to the RELENG_5_1,
RELENG_4_9, RELENG_4_8, or RELENG_4_7 security branch dated after the
correction date.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.9 and -STABLE systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-836.patch.asc

[FreeBSD 4.8 and 5.1 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-834.patch.asc

[FreeBSD 4.4, 4.5, 4.6, 4.7, and 5.0 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:19/bind-833.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbind
# make obj && make depend && make
# cd /usr/src/lib/libisc
# make obj && make depend && make
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make obj && make depend && make && make install

After upgrading or patching your system, you must restart named.
Execute the following command as root:

# ndc restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                 Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/bind/CHANGES                             1.1.1.7.2.11
  src/contrib/bind/README                              1.1.1.7.2.9
  src/contrib/bind/Version                             1.1.1.3.2.10
  src/contrib/bind/bin/named-xfer/named-xfer.c         1.3.2.8
  src/contrib/bind/bin/named/Makefile                  1.3.2.6
  src/contrib/bind/bin/named/ns_init.c                 1.1.1.2.2.6
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.11
  src/contrib/bind/bin/nslookup/commands.l             1.4.2.5
  src/contrib/bind/bin/nslookup/debug.c                1.3.2.6
  src/contrib/bind/bin/nslookup/getinfo.c              1.3.2.9
  src/contrib/bind/bin/nslookup/main.c                 1.3.2.7
  src/contrib/bind/doc/man/dig.1                       1.3.2.4
  src/contrib/bind/doc/man/host.1                      1.3.2.5
  src/contrib/bind/doc/man/nslookup.8                  1.2.2.5
  src/contrib/bind/port/freebsd/include/port_after.h   1.6.2.9
  src/contrib/bind/port/freebsd/include/port_before.h  1.1.1.2.2.6
RELENG_5_1
  src/UPDATING                                         1.251.2.13
  src/sys/conf/newvers.sh                              1.50.2.13
  src/contrib/bind/Version                             1.1.1.11.2.1
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.11.2.1
RELENG_5_0
  src/UPDATING                                         1.229.2.25
  src/sys/conf/newvers.sh                              1.48.2.20
  src/contrib/bind/Version                             1.1.1.10.2.1
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.10.2.1
RELENG_4_9
  src/UPDATING                                         1.73.2.89.2.2
  src/sys/conf/newvers.sh                              1.44.2.32.2.2
  src/contrib/bind/Version                             1.1.1.3.2.9.2.1
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.10.2.1
RELENG_4_8
  src/UPDATING                                         1.73.2.80.2.16
  src/sys/conf/newvers.sh                              1.44.2.29.2.15
  src/contrib/bind/Version                             1.1.1.3.2.8.2.1
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.9.2.1
RELENG_4_7
  src/UPDATING                                         1.73.2.74.2.27
  src/sys/conf/newvers.sh                              1.44.2.26.2.26
  src/contrib/bind/Version                             1.1.1.3.2.7.2.1
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.7.2.2
RELENG_4_6
  src/UPDATING                                         1.73.2.68.2.56
  src/sys/conf/newvers.sh                              1.44.2.23.2.44
  src/contrib/bind/Version                             1.1.1.3.2.6.2.2
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.6.2.3
RELENG_4_5
  src/UPDATING                                         1.73.2.50.2.54
  src/sys/conf/newvers.sh                              1.44.2.20.2.38
  src/contrib/bind/Version                             1.1.1.3.2.4.4.2
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.4.4.3
RELENG_4_4
  src/UPDATING                                         1.73.2.43.2.55
  src/sys/conf/newvers.sh                              1.44.2.17.2.46
  src/contrib/bind/Version                             1.1.1.3.2.4.2.2
  src/contrib/bind/bin/named/ns_resp.c                 1.1.1.2.2.4.2.3
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/x8/PFdaIBMps37IRAsl8AJ9zgqn4QmO08d9zj9de8/uGKIQBNgCfeHKC
tM9nSOzoCrM+O+TpNn6ewt4=
=PJi2
-----END PGP SIGNATURE-----