From: Egoitz Aurrekoetxea Aurre
Date: Mon, 14 Feb 2011 11:36:25 +0100
To: freebsd-security@freebsd.org
Subject: Re: Recent full disclosure post - Local DOS

Hi all,

I have seen the patch has been applied in releng_7_4, releng_8_2, stable, head... but not in releng_8_1 or releng_8_0... Is it planned to be applied to these branches too?

Thanks a lot.
Bye!

On 03/02/2011, at 17:19, Egoitz Aurrekoetxea Aurre wrote:

> Hi all,
>
> So then, does this just crash in current? Else... is it known which kernel NIC drivers cause this? I have attempted to crash an 8.1-release on a VMware Fusion virtual machine without success...
>
> Thanks a lot!,
> Bye!
>
>
> On 31/01/2011, at 23:40, Lawrence Stewart wrote:
>
>> On 01/29/11 11:30, Christian Peron wrote:
>>> On Fri, Jan 28, 2011 at 02:27:18PM -0500, John Baldwin wrote:
>>> [..]
>>>> ===================================================================
>>>> --- tcp_usrreq.c (revision 218018)
>>>> +++ tcp_usrreq.c (working copy)
>>>> @@ -1330,7 +1330,8 @@ tcp_ctloutput(struct socket *so, struct sockopt *s
>>>>  			tp->t_flags |= TF_NOPUSH;
>>>>  		else {
>>>>  			tp->t_flags &= ~TF_NOPUSH;
>>>> -			error = tcp_output(tp);
>>>> +			if (TCPS_HAVEESTABLISHED(tp->t_state))
>>>> +				error = tcp_output(tp);
>>>>  		}
>>>>  		INP_WUNLOCK(inp);
>>>>  		break;
>>>
>>> I was thinking of correcting it the same way. I might even do something
>>> like:
>>>
>>> else {
>>>     if (tp->t_flags & TF_NOPUSH) {
>>>         tp->t_flags &= ~TF_NOPUSH;
>>>         if (TCPS_HAVEESTABLISHED(tp->t_state))
>>>             error = tcp_output(tp);
>>>     }
>>> }
>>>
>>> By default, this mask is not set, so un-setting it and calling tcp_output()
>>> if it was not already set seems wasteful.
>>
>> Apologies for tuning in late, but FWIW I concur and think the above
>> patch is appropriate.
>>
>> Cheers,
>> Lawrence
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
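Review bot: the new TCPS_HAVEESTABLISHED() guard in front of "error = tcp_output(tp);" in the TCP_NOPUSH branch of tcp_ctloutput() carries no comment saying why it is needed; add a one-line note that tcp_output() must not be driven from setsockopt() on a socket that has not reached the established state, so that a later cleanup does not drop the check. The narrower form Christian Peron posts in the thread, which clears TF_NOPUSH and calls tcp_output() only when the flag was actually set, is the better shape for the same hunk: clearing an option that was never set should not trigger an output attempt at all, and the error variable then keeps its prior value on that path.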
From: Eric_vanGyzen@McAfee.com
Date: Wed, 16 Feb 2011 08:07:00 -0600
To: freebsd-security@freebsd.org
Subject: BIND 9.7.3 -- TCP DoS in SO_ACCEPTFILTER

The release notes for BIND 9.7.3 contain this:

* A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled allows for a TCP DoS attack. Until there is a kernel fix, ISC is disabling SO_ACCEPTFILTER support in BIND. [RT #22589]

The CHANGES file also says:

2996. [security] Temporarily disable SO_ACCEPTFILTER support. [RT #22589]

Can anyone tell me more? What releases are affected? Is a kernel patch in the works?
Thanks in advance,

Eric

From: Doug Barton
Date: Wed, 16 Feb 2011 12:57:57 -0800
To: freebsd-security@freebsd.org
Cc: Eric_vanGyzen@McAfee.com
Subject: Re: BIND 9.7.3 -- TCP DoS in SO_ACCEPTFILTER

On 02/16/2011 06:07, Eric_vanGyzen@McAfee.com wrote:
| The release notes for BIND 9.7.3 contain this:
|
| * A bug in NetBSD and FreeBSD kernels with SO_ACCEPTFILTER enabled
| allows for a TCP DoS attack. Until there is a kernel fix, ISC is
| disabling SO_ACCEPTFILTER support in BIND. [RT #22589]
|
| The CHANGES file also says:
|
| 2996. [security] Temporarily disable SO_ACCEPTFILTER support.
| [RT #22589]
|
| Can anyone tell me more? What releases are affected? Is a kernel patch in the works?

The SO_ACCEPTFILTER feature is off by default for DNS in FreeBSD, so if you have not enabled it specifically, you're all set. :) If you have it enabled my suggestion is that you disable it.

That said, the details of the issue are in the capable hands of the security officer team, so I will defer to them for further comment at the appropriate time. Meanwhile, you can safely deduce from the fact that we have not been blaring the trumpets from the rooftops about this issue that it is a fairly minor one.
hope this helps,

Doug

-- 
	Nothin' ever doesn't change, but nothin' changes much.
			-- OK Go

	Breadth of IT experience, and depth of knowledge in the DNS.
	Yours for the right price.  :)  http://SupersetSolutions.com/

From: gahn
Date: Fri, 18 Feb 2011 12:17:28 -0800 (PST)
To: freebsd security
Subject: nessus would not compile under 8.1

hi gurus:

tried to install nessus and it would not compile:

===>  Configuring for nessus-libraries-2.2.9_1
********************************************************
*                    W a r n i n g                     *
*                                                      *
*  Nessus needs Berkeley Packet Filter (bpf).          *
*  To use nessus, your kernel must be rebuilt with bpf,*
*  and make bpf devices on /dev directory.             *
*                                                      *
*  Be sure to build as many bpf devices as you need.   *
*  For more info on this read files/README.BPF         *
********************************************************
*** Error code 1

Stop in /usr/ports/security/nessus-libraries.
*** Error code 1

Stop in /usr/ports/security/nessus-libnasl.
*** Error code 1

my bpf is enabled in kernel:

user@host:/usr/ports/security/nessus:$ ls -al /dev/bpf*
crw-------  1 root  wheel    0,  24 Feb 18 12:36 /dev/bpf
lrwxr-xr-x  1 root  wheel          3 Feb 18 12:36 /dev/bpf0 -> bpf

and i could not find this README.BPF:

user@host:/usr/ports/security/nessus:$ more files/README.BPF
files/README.BPF: No such file or directory

my tcpdump and tshark work fine so it should not be a bpf issue.

any ideas?

thanks