From: "mal content"
To: freebsd-security@freebsd.org
Date: Mon, 5 Jun 2006 14:14:24 +0100
Subject: PE disassembler for unix

Hello, I'm looking for a disassembler to examine a malicious Win32 binary
on FreeBSD. Does anybody have any favourites?

I see pedisassem in ports, but it looks to be broken and unmaintained (it
crashes with a floating point error, currently).

MC

From: Lutz Boehne
To: freebsd-security@freebsd.org
Date: Mon, 5 Jun 2006 15:32:46 +0200
Subject: Re: PE disassembler for unix

Hi,

> Hello, I'm looking for a disassembler to examine a malicious
> Win32 binary on FreeBSD. Does anybody have any favourites?

editors/hte (http://hte.sourceforge.net/) is fairly nice, disassembles ELF,
PE and some other binary formats.

Regards,
Lutz

From: Robert Watson
To: freebsd-security@FreeBSD.org
Date: Mon, 5 Jun 2006 17:02:30 +0100 (BST)
Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS (fwd)

FYI for those working with audit and intrusion detection on FreeBSD.
Robert N M Watson

---------- Forwarded message ----------
Date: Mon, 5 Jun 2006 17:01:04 +0100 (BST)
From: Robert Watson
To: current@FreeBSD.org
Cc: trustedbsd-audit@TrustedBSD.org
Subject: Heads up: OpenBSM 1.0a6, per-auditpipe preselection imported to CVS

This is a heads up to current@ users regarding two moderate sized sets of
changes that entered FreeBSD CVS today:

(1) I imported OpenBSM 1.0 alpha 6.
(2) I imported support for per-auditpipe preselection.

Detailed commit messages are below.

Robert N M Watson

---------- Forwarded message ----------
Date: Mon, 5 Jun 2006 10:52:14 +0000 (UTC)
From: Robert Watson
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/contrib/openbsm - Imported sources

rwatson 2006-06-05 10:52:14 UTC

FreeBSD src repository

src/contrib/openbsm - Imported sources
Update of /home/ncvs/src/contrib/openbsm
In directory repoman.freebsd.org:/tmp/cvs-serv59860

Log Message:
Vendor branch import of TrustedBSD OpenBSM 1.0 alpha 6:

- Use AU_TO_WRITE and AU_NO_TO_WRITE for the 'keep' argument to
  au_close(); previously we used hard-coded 0 and 1 values.
- Add man page for au_open(), au_write(), au_close(), and
  au_close_buffer().
- Support a more complete range of data types for the arbitrary data
  token: add AUR_CHAR (alias to AUR_BYTE), remove AUR_LONG, add AUR_INT32
  (alias to AUR_INT), add AUR_INT64.
- Add au_close_token(), which allows writing a single token_t to a memory
  buffer. Not likely to be used much by applications, but useful for
  writing test tools.
- Modify au_to_file() so that it accepts a timeval in user space, not
  just kernel -- this is not a Solaris BSM API so can be modified without
  causing compatibility issues.
- Define a new API, au_to_header32_tm(), which adds a struct timeval
  argument to the ordinary au_to_header32(), which is now implemented by
  wrapping au_to_header32_tm() and calling gettimeofday(). #ifndef KERNEL
  the APIs that invoke gettimeofday(), rather than having a variable
  definition. Don't try to retrieve time zone information using
  gettimeofday(), as it's not needed, and introduces possible failure
  modes.
- Don't perform byte order transformations on the addr/machine fields of
  the terminal ID that appears in the process32/subject32 tokens. These
  are assumed to be IP addresses, and as such, to be in network byte
  order.
- Universally, APIs now assume that IP addresses and ports are provided
  in network byte order. APIs now generally provide these types in
  network byte order when decoding.
- Beginnings of an OpenBSM test framework can now be found in
  openbsm/test. This code is not built or installed by default.
- auditd now assigns more appropriate syslog levels to its debugging and
  error information.
- Support for audit filters introduced: audit filters are dynamically
  loaded shared objects that run in the context of a new daemon,
  auditfilterd. The daemon reads from an audit pipe and feeds both BSM
  and parsed versions of records to shared objects using a module API.
  This will provide a framework for the writing of intrusion detection
  services.
- New utility API, audit_submit(), added to capture common elements of
  audit record submission for many applications.

Obtained from: TrustedBSD Project

Status:

Vendor Tag: TrustedBSD
Release Tags: OPENBSM_1_0_ALPHA_6

No conflicts created by this import

---------- Forwarded message ----------
Date: Mon, 5 Jun 2006 14:48:17 +0000 (UTC)
From: Robert Watson
To: src-committers@FreeBSD.org, cvs-src@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/sys/security/audit audit.c audit_bsm_klib.c
  audit_ioctl.h audit_pipe.c audit_private.h audit_worker.c

rwatson 2006-06-05 14:48:17 UTC

FreeBSD src repository

Modified files:
  sys/security/audit  audit.c audit_bsm_klib.c audit_ioctl.h
                      audit_pipe.c audit_private.h audit_worker.c

Log:
Introduce support for per-audit pipe preselection independent from the
global audit trail configuration. This allows applications consuming
audit trails to specify parameters for which audit records are of
interest, including selecting records not required by the global trail.
Allowing application interest specification without changing the global
configuration allows intrusion detection systems to run without
interfering with global auditing or each other (if multiple are present).
To implement this:

- Kernel audit records now carry a flag to indicate whether they have
  been selected by the global trail or by the audit pipe subsystem, set
  during record commit, so that this information is available after BSM
  conversion when delivering the BSM to the trail and audit pipes in the
  audit worker thread asynchronously. Preselection by either record
  target will cause the record to be kept.

- Similar changes to preselection when the audit record is created when
  the system call is entering: consult both the global trail and pipes.

- au_preselect() now accepts the class in order to avoid repeatedly
  looking up the mask for each preselection test.

- Define a series of ioctls that allow applications to specify whether
  they want to track the global trail, or program their own preselection
  parameters: they may specify their own flags and naflags masks, similar
  to the global masks of the same name, as well as a set of per-auid
  masks. They also set a per-pipe mode specifying whether they track the
  global trail, or use their own -- the door is left open for future
  additional modes. A new ioctl is defined to allow a user process to
  flush the current audit pipe queue, which can be used after
  reprogramming pre-selection to make sure that only records of interest
  are received in future reads.

- Audit pipe data structures are extended to hold the additional fields
  necessary to support preselection. By default, audit pipes track the
  global trail, so "praudit /dev/auditpipe" will track the global audit
  trail even though praudit doesn't program the audit pipe selection
  model.

- Comment about the complexities of potentially adding partial read
  support to audit pipes.

By using a set of ioctls, applications can select which records are of
interest, and toggle the preselection mode.

Obtained from: TrustedBSD Project

Revision  Changes    Path
1.15      +28 -16    src/sys/security/audit/audit.c
1.4       +3 -6      src/sys/security/audit/audit_bsm_klib.c
1.3       +32 -0     src/sys/security/audit/audit_ioctl.h
1.7       +393 -13   src/sys/security/audit/audit_pipe.c
1.9       +13 -3     src/sys/security/audit/audit_private.h
1.8       +49 -27    src/sys/security/audit/audit_worker.c
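
The preselection rules from the commit log above, as an added Python model (not the FreeBSD kernel code): a record is kept if the global trail or any audit pipe selects it, and a pipe either follows the trail or applies its own flags, naflags and per-auid masks. The class bit values, the names `Mask`, `Pipe` and `commit`, the single global trail mask, and the lookup order (per-auid mask first, then flags; naflags for records with no audit user ID) are assumptions of this model.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed audit class bits for this model (not the audit_class values).
CLASS_LOGIN = 0x1
CLASS_FILE_READ = 0x2
CLASS_EXEC = 0x4

NO_AUID = None  # models a non-attributable record (no audit user ID)


@dataclass(frozen=True)
class Mask:
    """Class bits to select on success and on failure."""
    success: int = 0
    failure: int = 0

    def selects(self, event_class: int, succeeded: bool) -> bool:
        wanted = self.success if succeeded else self.failure
        return bool(wanted & event_class)


@dataclass
class Pipe:
    """One audit pipe consumer with its own preselection state."""
    name: str
    local_mode: bool = False                       # default: track the trail
    flags: Mask = field(default_factory=Mask)      # attributable records
    naflags: Mask = field(default_factory=Mask)    # non-attributable records
    per_auid: Dict[int, Mask] = field(default_factory=dict)
    queue: List[str] = field(default_factory=list)

    def wants(self, auid: Optional[int], event_class: int,
              succeeded: bool, trail_selected: bool) -> bool:
        if not self.local_mode:
            return trail_selected          # mirror the global decision
        if auid is NO_AUID:
            mask = self.naflags
        else:
            mask = self.per_auid.get(auid, self.flags)
        return mask.selects(event_class, succeeded)

    def flush(self) -> int:
        """Drop queued records, e.g. after reprogramming preselection."""
        dropped = len(self.queue)
        self.queue.clear()
        return dropped


def commit(record, auid, event_class, succeeded, trail_mask, pipes):
    """Decide delivery for one record.

    Returns (kept, trail_selected, names of pipes that received it).
    The record is kept when either target selects it.
    """
    trail_selected = trail_mask.selects(event_class, succeeded)
    receivers = [p for p in pipes
                 if p.wants(auid, event_class, succeeded, trail_selected)]
    for pipe in receivers:
        pipe.queue.append(record)
    kept = trail_selected or bool(receivers)
    return kept, trail_selected, [p.name for p in receivers]


def demo():
    # Global trail only records logins.
    trail = Mask(success=CLASS_LOGIN, failure=CLASS_LOGIN)
    # A consumer that never programs the pipe follows the global trail.
    praudit = Pipe("praudit")
    # An IDS that programs its own selection without touching the trail.
    ids = Pipe(
        "ids",
        local_mode=True,
        flags=Mask(failure=CLASS_FILE_READ),
        naflags=Mask(success=CLASS_EXEC, failure=CLASS_EXEC),
        per_auid={1001: Mask(success=CLASS_EXEC, failure=CLASS_EXEC)},
    )
    pipes = [praudit, ids]
    # Constructed sample events: (label, record, auid, class, succeeded).
    events = [
        ("login_ok", "login ok uid=1000", 1000, CLASS_LOGIN, True),
        ("read_fail", "open failed uid=1000", 1000, CLASS_FILE_READ, False),
        ("exec_watched", "exec uid=1001", 1001, CLASS_EXEC, True),
        ("exec_other", "exec uid=1000", 1000, CLASS_EXEC, True),
        ("exec_daemon", "exec no auid", NO_AUID, CLASS_EXEC, True),
    ]
    results = {
        label: commit(rec, auid, cls, ok, trail, pipes)
        for label, rec, auid, cls, ok in events
    }
    return results, praudit, ids


if __name__ == "__main__":
    for label, outcome in demo()[0].items():
        print(label, outcome)
```
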

From: FreeBSD Security Officer
To: freebsd-security@freebsd.org, freebsd-stable@freebsd.org
Reply-To: security-officer@freebsd.org
Date: Mon, 05 Jun 2006 12:09:59 -0700
Subject: Security Officer-supported branches update

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated
to reflect recent EoL (end-of-life) events. The new list is below and
at .

FreeBSD 4.10 has `expired' and is no longer supported effective June 1,
2006. Also note that FreeBSD 5.3 and FreeBSD 5.4 will cease to be
supported at the end of October 2006, and FreeBSD 6.0 will cease to be
supported at the end of November 2006.

If you are running FreeBSD 4.x for x less than 11, it is strongly
recommended that you upgrade to FreeBSD 4.11 as soon as possible. If you
are running FreeBSD 5.3, FreeBSD 5.4, or FreeBSD 6.0, it is strongly
recommended that you make plans to upgrade to FreeBSD 5.5 or FreeBSD 6.1
in the next five months.

[Excerpt from http://www.freebsd.org/security/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for several
branches of FreeBSD development. These are the -STABLE Branches and the
Security Branches. (Advisories are not issued for the -CURRENT Branch.)

* There is usually only a single -STABLE branch, although during the
  transition from one major development line to another (such as from
  FreeBSD 5.x to 6.x), there is a time span in which there are two
  -STABLE branches. The -STABLE branch tags have names like RELENG_6.
  The corresponding builds have names like FreeBSD 6.1-STABLE.

* Each FreeBSD Release has an associated Security Branch. The Security
  Branch tags have names like RELENG_6_1. The corresponding builds have
  names like FreeBSD 6.1-RELEASE-p1.

Issues affecting the FreeBSD Ports Collection are covered in the FreeBSD
VuXML document.

Each branch is supported by the Security Officer for a limited time only,
and is designated as one of `Early adopter', `Normal', or `Extended'. The
designation is used as a guideline for determining the lifetime of the
branch as follows.

Early adopter
    Releases which are published from the -CURRENT branch will be
    supported by the Security Officer for a minimum of 6 months after
    the release.

Normal
    Releases which are published from a -STABLE branch will be supported
    by the Security Officer for a minimum of 12 months after the release.

Extended
    Selected releases will be supported by the Security Officer for a
    minimum of 24 months after the release.

The current designation and estimated lifetimes of the currently
supported branches are given below. The Estimated EoL (end-of-life)
column gives the earliest date on which that branch is likely to be
dropped. Please note that these dates may be extended into the future,
but only extenuating circumstances would lead to a branch's support being
dropped earlier than the date listed.

+-------------+--------------+----------+------------------+-------------------+
| Branch      | Release      | Type     | Release date     | Estimated EoL     |
+-------------+--------------+----------+------------------+-------------------+
| RELENG_4    | n/a          | n/a      | n/a              | January 31, 2007  |
| RELENG_4_11 | 4.11-RELEASE | Extended | January 25, 2005 | January 31, 2007  |
| RELENG_5    | n/a          | n/a      | n/a              | May 31, 2008      |
| RELENG_5_3  | 5.3-RELEASE  | Extended | November 6, 2004 | October 31, 2006  |
| RELENG_5_4  | 5.4-RELEASE  | Normal   | May 9, 2005      | October 31, 2006  |
| RELENG_5_5  | 5.5-RELEASE  | Extended | May 25, 2006     | May 31, 2008      |
| RELENG_6    | n/a          | n/a      | n/a              | May 31, 2008      |
| RELENG_6_0  | 6.0-RELEASE  | Normal   | November 4, 2005 | November 30, 2006 |
| RELENG_6_1  | 6.1-RELEASE  | Extended | May 9, 2006      | May 31, 2008      |
+-------------+--------------+----------+------------------+-------------------+

[End excerpt]

Colin Percival
FreeBSD Security Officer

From: "Sunil Sunder Raj"
To: freebsd-ipfw@freebsd.org
Cc: freebsd-security@freebsd.org
Date: Tue, 06 Jun 2006 13:06:55 +0000
Subject: Need help on ipfw IDS support.

Hi,

Is it possible to integrate SNORT with IPFW. I have an entire network
behind an IPFW BRIDGE. Just need IDS capability enabled for the network.
Just an hint is enough. Any other way I can achieve this in IPFW.

-Sunil Sunder Raj

From: BOfH
To: freebsd-security@freebsd.org
Date: Tue, 6 Jun 2006 09:28:11 -0500
Subject: Re: Need help on ipfw IDS support.

On 0, Sunil Sunder Raj scribed:
> Hi,
>
> Is it possible to integrate SNORT with IPFW. I have an entire
> network behind an IPFW BRIDGE. Just need IDS capability enabled for
> the network. Just an hint is enough. Any other way I can achieve
> this in IPFW.
>
> -Sunil Sunder Raj

Yes. Snort has a configure option to enable ipfw support in inline mode.

--
BoFH excuse #446:
Mailer-daemon is busy burning your message in hell

From: Nigel Houghton
To: freebsd-security@freebsd.org
Date: Tue, 6 Jun 2006 09:21:52 -0500
Subject: Re: Need help on ipfw IDS support.

On 0, Sunil Sunder Raj wrote:
> Hi,
>
> Is it possible to integrate SNORT with IPFW. I have an entire network
> behind an IPFW BRIDGE. Just need IDS capability enabled for the network.
> Just an hint is enough. Any other way I can achieve this in IPFW.
>
> -Sunil Sunder Raj

Yes, snort has a configure option to enable ipfw support.

--
Nigel
Darkness is not the absence of light. It is the presence of Vin Diesel.

From: Jeremie Le Hen
To: freebsd-current@FreeBSD.org, freebsd-security@FreeBSD.org
Date: Fri, 9 Jun 2006 11:57:51 +0200
1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20060526153422.GB25953@obiwan.tataz.chchile.org> User-Agent: Mutt/1.5.11 Cc: Subject: Re: [fbsd] Integrating ProPolice/SSP into FreeBSD X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 09 Jun 2006 09:57:33 -0000 Hi list, I haven't got much feedback so far. I would be glad if any people who have been using this patch told be if they have been faced with some problems. Thank you Regards, Jeremie On Fri, May 26, 2006 at 05:34:22PM +0200, Jeremie Le Hen wrote: > Hi, > > first sorry for cross-posting but I thought this patch might interest > -CURRENT users as well as people concerned by security. > > I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step > further than it has been realized so far. > > It is available here : > http://tataz.chchile.org/~tataz/FreeBSD/SSP/ > > Everything is explained on the web page, but I will repeat some > informations here. The patchset is splitted in two parts to ease the > review of the patch. The -propolice patch is only the original > ProPolice patch for GCC 3.4.4 applied on FreeBSD source tree. The > -freebsd patch contains the glue I have written to make things neat. > > The patch exists in both for CURRENT and RELENG_6. Both introduce a > new make.conf(5) (and src.conf(5)) knob to enable stack protection > on a per Makefile basis. It if of course possible to compile your > world with it. Please refer to the web page for more informations. > > The patch has been tested and works pretty well. My laptop and my > workstation at work are compiled with SSP : world, kernel and ports, > including X.org. > > I hope you will enjoy it. 
> Regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >

From owner-freebsd-security@FreeBSD.ORG Fri Jun 9 13:04:31 2006
Date: Fri, 9 Jun 2006 15:02:00 +0200
From: Pawel Jakub Dawidek
To: freebsd-security@FreeBSD.org
Subject: Data authentication for geli(8) committed to HEAD.

Hi.

geli(8) from FreeBSD-CURRENT is now able to perform data integrity
verification (data authentication) using one of the following algorithms:

- HMAC/MD5
- HMAC/SHA1
- HMAC/RIPEMD160
- HMAC/SHA256
- HMAC/SHA384
- HMAC/SHA512

One of the main design goals was to make it reliable and resistant to
power failures or system crashes. It was very important to commit both
data update and HMAC update as an atomic operation to the disk, so users
don't have to fight with false positives.

Even with data authentication enabled, geli(8) should still be fast - to
provide the reliability I'm talking about, no internal journal or other
complex mechanisms are used. It is still sector-to-sector encryption.

If someone is interested in the data layout itself, it is described in
the sys/geom/eli/g_eli_integrity.c file.

Before you use this feature, please read the "DATA AUTHENTICATION" section
in the geli(8) manual page, to learn against which kind of attacks geli(8)
can protect your data and against which it cannot.

While working on this, I improved the crypto(9) framework a bit and various
drivers. At this point, all crypto accelerators which we support should
work with geli(8) (ubsec(4), hifn(4), safe(4), padlock(4)), also with data
authentication functionality.

Enjoy!

The work was sponsored by Wheel LTD. [http://www.wheel.pl], creator of
authentication system - CERB - which allows to use mobile phone/device
in two-factor authentication process.

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
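Added illustration, not part of the original message and not geli(8) code: a toy Python model of per-sector HMAC authentication, showing which changes to a sector such a scheme detects and which it does not. The layout (a 32-byte HMAC/SHA256 tag plus 480 data bytes in each 512-byte sector), the sector number in the MAC input, atomic sector writes, all names and the key are assumptions; encryption is left out.

```python
import hashlib
import hmac

SECTOR = 512                  # physical sector size
TAG_LEN = 32                  # HMAC/SHA256 output size
PAYLOAD = SECTOR - TAG_LEN    # assumed layout: tag and data share one sector

class AuthDisk:
    """Toy authenticated disk: every physical sector holds tag || data."""
    def __init__(self, key: bytes, nsectors: int):
        self.key = key
        self.sectors = [bytes(SECTOR) for _ in range(nsectors)]

    def _tag(self, index: int, data: bytes) -> bytes:
        # Sector number is MAC input: a valid sector moved elsewhere fails.
        msg = index.to_bytes(8, "little") + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def write(self, index: int, data: bytes) -> None:
        if len(data) != PAYLOAD:
            raise ValueError("payload must be %d bytes" % PAYLOAD)
        # One sector-sized write carries both: a crash leaves old or new pair.
        self.sectors[index] = self._tag(index, data) + data

    def read(self, index: int) -> bytes:
        raw = self.sectors[index]
        tag, data = raw[:TAG_LEN], raw[TAG_LEN:]
        if not hmac.compare_digest(tag, self._tag(index, data)):
            raise OSError("sector %d failed integrity check" % index)
        return data

def verifies(disk: AuthDisk, index: int) -> bool:
    try:
        disk.read(index)
        return True
    except OSError:
        return False

def run_checks() -> dict:
    disk = AuthDisk(b"constructed-demo-key", 4)
    old, new = b"A" * PAYLOAD, b"B" * PAYLOAD
    disk.write(0, old)
    stale = disk.sectors[0]                  # raw image of the old version
    disk.write(0, new)
    disk.write(1, old)
    out = {"clean": verifies(disk, 0)}
    raw = disk.sectors[1]                    # flip one bit in the data area
    disk.sectors[1] = raw[:100] + bytes([raw[100] ^ 1]) + raw[101:]
    out["bit_flip"] = verifies(disk, 1)      # in-place change is caught
    disk.sectors[2] = disk.sectors[0]        # valid sector at a wrong offset
    out["relocated"] = verifies(disk, 2)     # caught via the sector number
    disk.sectors[0] = stale                  # put back an earlier valid image
    out["rollback"] = verifies(disk, 0) and disk.read(0) == old
    return out
```

In this model a rolled-back sector still verifies, because the tag covers only the sector number and its contents and keeps no record of which version is current.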
From owner-freebsd-security@FreeBSD.ORG Fri Jun 9 20:40:12 2006
Date: Fri, 09 Jun 2006 16:40:14 -0400
From: Chris
To: Jeremie Le Hen
Cc: freebsd-security@FreeBSD.org, freebsd-current@FreeBSD.org
Subject: Re: [fbsd] Integrating ProPolice/SSP into FreeBSD

Jeremie Le Hen wrote:
> Hi list,
>
> I haven't got much feedback so far. I would be glad if any people
> who have been using this patch told me if they have been faced with
> some problems.
>
> Thank you
> Regards,
> Jeremie
>
> On Fri, May 26, 2006 at 05:34:22PM +0200, Jeremie Le Hen wrote:
>
>> Hi,
>>
>> first sorry for cross-posting but I thought this patch might interest
>> -CURRENT users as well as people concerned by security.
>>
>> I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
>> further than it has been realized so far.
>>
>> It is available here :
>> http://tataz.chchile.org/~tataz/FreeBSD/SSP/
>>
>> Everything is explained on the web page, but I will repeat some
>> information here. The patchset is split in two parts to ease the
>> review of the patch. The -propolice patch is only the original
>> ProPolice patch for GCC 3.4.4 applied on FreeBSD source tree. The
>> -freebsd patch contains the glue I have written to make things neat.
>>
>> The patch exists for both CURRENT and RELENG_6. Both introduce a
>> new make.conf(5) (and src.conf(5)) knob to enable stack protection
>> on a per Makefile basis. It is of course possible to compile your
>> world with it. Please refer to the web page for more information.
>>
>> The patch has been tested and works pretty well. My laptop and my
>> workstation at work are compiled with SSP : world, kernel and ports,
>> including X.org.
>>
>> I hope you will enjoy it.
>> Regards,
>>

I'm using it successfully with the stack-gap and the random mmap
on 6.1-RELEASE. No problems at all really :) Except that I want a knob
for gcc to use the protection by default. We discussed this in another
email.

I'm also using nomad's 5.4 one on my 5.4-p14 with stack gap and random
mmap (slight modification was needed to get it working), which for me has
the desired default behaviour.

I hope to see this on 6.x too, keep up the good work.
- Chris

From owner-freebsd-security@FreeBSD.ORG Fri Jun 9 23:30:09 2006
Date: Sat, 10 Jun 2006 02:31:48 +0300
From: Giorgos Keramidas
To: Chris
Cc: freebsd-security@freebsd.org, freebsd-current@freebsd.org, Jeremie Le Hen
Subject: Re: [fbsd] Integrating ProPolice/SSP into FreeBSD

On 2006-06-09 16:40, Chris wrote:
>Jeremie Le Hen wrote:
>> On Fri, May 26, 2006 at 05:34:22PM +0200, Jeremie Le Hen wrote:
>>> Hi,
>>> first sorry for cross-posting but I thought this patch might interest
>>> -CURRENT users as well as people concerned by security.
>>>
>>> I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
>>> further than it has been realized so far.
>>>
>>> It is available here :
>>> http://tataz.chchile.org/~tataz/FreeBSD/SSP/
>>
>> Hi list,
>> I haven't got much feedback so far. I would be glad if any people
>> who have been using this patch told me if they have been faced with
>> some problems.
>[...]
> I'm using it successfully with the stack-gap and the random mmap
> on 6.1-RELEASE. No problems at all really :) Except that I want a knob
> for gcc to use the protection by default. We discussed this in another
> email.

You can always use `/etc/make.conf' to set it globally, right?
From owner-freebsd-security@FreeBSD.ORG Sat Jun 10 16:36:11 2006
Date: Sat, 10 Jun 2006 16:37:34 +0100
From: Hugo Silva
To: Jeremie Le Hen, freebsd-security@freebsd.org
Subject: Re: [fbsd] Integrating ProPolice/SSP into FreeBSD

Jeremie Le Hen wrote:
> Hi list,
>
> I haven't got much feedback so far. I would be glad if any people
> who have been using this patch told me if they have been faced with
> some problems.
>
> Thank you
> Regards,
> Jeremie
>
> On Fri, May 26, 2006 at 05:34:22PM +0200, Jeremie Le Hen wrote:
>
>> Hi,
>>
>> first sorry for cross-posting but I thought this patch might interest
>> -CURRENT users as well as people concerned by security.
>>
>> I wrote a patch that integrates ProPolice/SSP into FreeBSD, one step
>> further than it has been realized so far.
>>
>> It is available here :
>> http://tataz.chchile.org/~tataz/FreeBSD/SSP/
>>
>> Everything is explained on the web page, but I will repeat some
>> information here. The patchset is split in two parts to ease the
>> review of the patch. The -propolice patch is only the original
>> ProPolice patch for GCC 3.4.4 applied on FreeBSD source tree. The
>> -freebsd patch contains the glue I have written to make things neat.
>>
>> The patch exists for both CURRENT and RELENG_6. Both introduce a
>> new make.conf(5) (and src.conf(5)) knob to enable stack protection
>> on a per Makefile basis. It is of course possible to compile your
>> world with it. Please refer to the web page for more information.
>>
>> The patch has been tested and works pretty well. My laptop and my
>> workstation at work are compiled with SSP : world, kernel and ports,
>> including X.org.
>>
>> I hope you will enjoy it.
>> Regards,
>>

Been using this since you announced it here, no problems at all.

6.1-STABLE, kernel, ports, world built with SSP.

Best regards,

Hugo