From owner-freebsd-security-notifications Wed Feb 7 11:29: 5 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id AD74837B401; Wed, 7 Feb 2001 11:28:33 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f17JSXp03541; Wed, 7 Feb 2001 11:28:33 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 7 Feb 2001 11:28:33 -0800 (PST)
Message-Id: <200102071928.f17JSXp03541@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:10.bind [REVISED]
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:10                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          bind remote denial of service [REVISED]

Category:       core, ports
Module:         bind
Announced:      2001-01-23
Revised:        2001-02-07
Credits:        Fabio Pietrosanti
Affects:        FreeBSD 3.x prior to the correction date.
                Ports collection prior to the correction date.
Corrected:      2000-11-27 (FreeBSD 3.5-STABLE)
                2001-01-05 (Ports collection)
Vendor status:  Updated version released
FreeBSD only:   NO

0.   Revision History

v1.0  2001-01-23  Initial release
v1.1  2001-02-07  Rerelease to note the far more serious problems described in SA-01:18

I.   Background

bind is an implementation of the Domain Name System (DNS) protocols.

II.  Problem Description

NOTE: It has come to our attention that there are a great deal more users downloading this advisory than the recently released SA-01:18, which also deals with the bind software. The latter advisory details a far more serious vulnerability, which affects all releases of FreeBSD, and it is recommended that all DNS administrators read advisory SA-01:18 immediately.

A vulnerability exists with the bind nameserver dealing with compressed zone transfers. Due to a problem with the compressed zone transfer (ZXFR) implementation, if named is configured for zone transfers and recursive resolving, it will crash after a ZXFR for the authoritative zone and a query of a remote hostname. Since named is not configured under a watchdog process which will automatically restart it after a failure, this will lead to the denial of DNS service on the server.

All versions of FreeBSD 3.x prior to the correction date including 3.5.1-RELEASE are vulnerable to this problem. In addition, the bind8 port in the ports collection is also vulnerable. FreeBSD 4.x is not affected since it contains versions of BIND 8.2.3.

III. Impact

Malicious remote users can cause the named daemon to crash, if it is configured to allow zone transfers and recursive queries.

IV.  Workaround

A partial workaround can be implemented by disallowing zone transfers except from trusted hosts. Note that if the trusted hosts are compromised or contain malicious users, name servers with this bug will be vulnerable to the denial of service attack.

V.   Solution

[Base system]

Upgrade your vulnerable FreeBSD system to 3.5.1-STABLE after the correction date.

[Ports collection]

If you have chosen to install BIND from the ports collection and are using it instead of the version in the base system, perform one of the following steps:

1) Upgrade your entire ports collection and rebuild the bind8 port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.2p7.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.2p7.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the bind8 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Wed Feb 7 11:33:19 2001
Date: Wed, 7 Feb 2001 11:32:41 -0800 (PST)
Message-Id: <200102071932.f17JWfV04151@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:08.ipfw [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:08                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ipfw/ip6fw allows bypassing of 'established' keyword [REVISED]

Category:       core
Module:         kernel
Announced:      2001-01-23
Revised:        2001-02-07
Credits:        Aragon Gouveia
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases),
                FreeBSD 3.5-STABLE and 4.2-STABLE prior to the correction date.
Corrected:      2001-01-09 (FreeBSD 4.2-STABLE)
                Patch regression existed between 2001-02-01 and 2001-02-03
                2001-01-12 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-23  Initial release
v1.1  2001-02-07  Note accidental reversion of changes in 4.2-STABLE

I.   Background

ipfw is a system facility which allows IP packet filtering, redirecting, and traffic accounting. ip6fw is the corresponding utility for IPv6 networks, included in FreeBSD 4.0 and above. It is based on an old version of ipfw and does not contain as many features.

II.  Problem Description

Due to overloading of the TCP reserved flags field, ipfw and ip6fw incorrectly treat all TCP packets with the ECE flag set as being part of an established TCP connection, which will therefore match a corresponding ipfw rule containing the 'established' qualifier, even if the packet is not part of an established connection.

The ECE flag is not believed to be in common use on the Internet at present, but is part of an experimental extension to TCP for congestion notification. At least one other major operating system will emit TCP packets with the ECE flag set under certain operating conditions.

Only systems which have enabled ipfw or ip6fw and use a ruleset containing TCP rules which make use of the 'established' qualifier, such as "allow tcp from any to any established", are vulnerable. The exact impact of the vulnerability on such systems is undetermined and depends on the exact ruleset in use.

All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable, but it was corrected prior to the (future) release of FreeBSD 4.3.

Unfortunately, the security fix was accidentally reverted during a merge of ipfw changes from FreeBSD 5.0-CURRENT. The regression existed between the following dates:

Problem introduced: Thu, 1 Feb 2001 12:25:10 -0800 (PST)
Problem fixed:      Sat, 3 Feb 2001 21:49:00 -0800 (PST)

The affected revision was CVS revision 1.131.2.13 of /usr/src/sys/netinet/ip_fw.c and the corrected revision is 1.131.2.14. Note that revisions prior to 1.131.2.11 are vulnerable to the problem described in this advisory. Version 1.131.2.11, and prior versions patched using the original patch distributed with the advisory are not vulnerable to the problem.
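
The flag overloading described above, modelled in user-space C. This is an added example, not part of the advisory and not the kernel's ip_fw.c; the struct and function names, the placement of the internal 'established' marker on bit 0x40, and the modelling of the regression as an ignored qualifier are assumptions. It counts how many of the 256 possible TCP flag bytes each matcher misjudges against the rule that 'established' matches packets with RST or ACK set.

```c
/* Added example: user-space model of the 'established' matching defect
 * described in FreeBSD-SA-01:08. This is not the kernel's ip_fw.c; the
 * struct, macro and function names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

/* TCP header flag bits used below, as carried in the packet. */
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40   /* ECN-Echo, taken from the formerly reserved bits */

/* Assumption of this model: the rule byte that lists "flags that must be
 * set" also carries the internal 'established' marker, on bit 0x40. */
#define RULE_ESTAB_MARK 0x40

struct rule {
    uint8_t must_set;    /* TCP flags the packet must carry */
    uint8_t must_clear;  /* TCP flags the packet must not carry */
    int     established; /* separate qualifier, used by the corrected form */
};

/* Generic flag comparison shared by all three matchers. */
static int flags_ok(const struct rule *r, uint8_t th_flags)
{
    if ((th_flags & r->must_set) != r->must_set)
        return 0;
    return (th_flags & r->must_clear) == 0;
}

/* Overloaded form: the marker and the packet's flags share one byte. */
static int match_overloaded(const struct rule *r, uint8_t th_flags)
{
    if ((r->must_set & RULE_ESTAB_MARK) && (th_flags & (TH_RST | TH_ACK)))
        return 1;
    /* No RST/ACK: the marker bit is now compared against the packet's own
     * 0x40 bit, so a packet carrying ECE satisfies the rule. */
    return flags_ok(r, th_flags);
}

/* Corrected form: 'established' is tested on its own, before the flags. */
static int match_separate(const struct rule *r, uint8_t th_flags)
{
    if (r->established && !(th_flags & (TH_RST | TH_ACK)))
        return 0;
    return flags_ok(r, th_flags);
}

/* Regression, modelled as the qualifier never being consulted (assumption;
 * the advisory only states the effect). */
static int match_regressed(const struct rule *r, uint8_t th_flags)
{
    return flags_ok(r, th_flags);
}

/* "allow tcp from any to any established" under each model. */
int established_overloaded(uint8_t th_flags)
{
    struct rule r = { RULE_ESTAB_MARK, 0, 0 };
    return match_overloaded(&r, th_flags);
}

int established_separate(uint8_t th_flags)
{
    struct rule r = { 0, 0, 1 };
    return match_separate(&r, th_flags);
}

int established_regressed(uint8_t th_flags)
{
    struct rule r = { 0, 0, 1 };
    return match_regressed(&r, th_flags);
}

/* Regression check: 'established' must match exactly the packets that have
 * RST or ACK set. Returns how many of the 256 flag bytes are misjudged. */
int spec_violations(int (*matcher)(uint8_t))
{
    int bad = 0;
    for (int f = 0; f < 256; f++) {
        int want = (f & (TH_RST | TH_ACK)) != 0;
        if (matcher((uint8_t)f) != want)
            bad++;
    }
    return bad;
}

int main(void)
{
    printf("misjudged flag bytes: overloaded=%d separate=%d regressed=%d\n",
           spec_violations(established_overloaded),
           spec_violations(established_separate),
           spec_violations(established_regressed));
    return 0;
}
```

Sweeping every flag byte, rather than a handful of expected combinations, is what exposes both the ECE case and a later loss of the qualifier.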
To verify the CVS revision of your ip_fw.c file, perform the following command:

mollari# ident /usr/src/sys/netinet/ip_fw.c
/usr/src/sys/netinet/ip_fw.c:
     $FreeBSD: src/sys/netinet/ip_fw.c,v 1.131.2.14 2001/02/04 05:48:59 rwatson Exp $

If you have revision 1.131.2.13, download the "regression" patch described in section V below.

III. Impact

Remote attackers who construct TCP packets with the ECE flag set may bypass certain ipfw rules, allowing them to potentially circumvent the firewall.

The regression described above is actually a more serious vulnerability: instead of only allowing packets with the ECE flag set, typically requiring special tools, all TCP packets regardless of flags would be passed by the ipfw rule.

IV.  Workaround

Because the vulnerability only affects 'established' rules and ECE-flagged TCP packets, this vulnerability can be removed by adjusting the system's rulesets. In general, it is possible to express most 'established' rules in terms of a general TCP rule (with no TCP flag qualifications) and a 'setup' rule, but this may require some restructuring and renumbering of the ruleset.

V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE, or 4.2-STABLE after the correction date.

2) Patch your present system by downloading the relevant patch from the below location:

[FreeBSD 4.x - patch for regression introduced on 2001-02-01]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.2-regression.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.2-regression.patch.asc

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-4.x.patch.asc

[FreeBSD 3.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:08/ipfw-3.x.patch.asc

Verify the detached PGP signature using your PGP utility.

Execute the following commands as root:

# cd /usr/src
# patch -p < /path/to/patch
# cp /usr/src/sys/netinet/tcp.h /usr/src/sys/netinet/ip_fw.h /usr/include/netinet/
# cd /usr/src/sbin/ipfw
# make depend && make all install
# cd /usr/src/sys/modules/ipfw
# make depend && make all install

For 4.x systems, perform the following additional steps:

# cp /usr/src/sys/netinet6/ip6_fw.h /usr/include/netinet6/
# cd /usr/src/sbin/ip6fw
# make depend && make all install
# cd /usr/src/sys/modules/ip6fw
# make depend && make all install

NOTE: The ip6fw patches have not yet been tested but are believed to be correct. The ip6fw software is not currently maintained and may be removed in a future release.

If the system is using the ipfw or ip6fw kernel modules (see kldstat(8)), the module may be unloaded and the corrected module loaded into the kernel using kldload(8)/kldunload(8). This will require that the firewall rules be reloaded, usually by executing the /etc/rc.firewall script. Because the loading of the ipfw or ip6fw module will result in the system denying all packets by default, this should only be attempted when accessing the system via console or by careful use of a command such as:

# kldload ipfw && sh /etc/rc.firewall

which performs both operations sequentially.

Otherwise, if the system has ipfw or ip6fw compiled into the kernel, the kernel will also have to be recompiled and installed, and the system will have to be rebooted for the changes to take effect.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Feb 7 11:35:34 2001
Date: Wed, 7 Feb 2001 11:34:55 -0800 (PST)
Message-Id: <200102071934.f17JYtL04378@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-01:11                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          inetd ident server allows remote users to partially read arbitrary wheel-accessible files [REVISED]

Category:       core
Module:         inetd
Announced:      2001-01-29
Revised:        2001-02-07
Credits:        dynamo
Affects:        FreeBSD 3.x (all releases)
                FreeBSD 4.x (all releases)
Corrected:      2000-11-25 (FreeBSD 4.2-STABLE)
                2001-01-26 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-29  Initial release
v1.1  2001-01-29  Correctly credit original problem reporter
v1.2  2001-02-07  Include more details about vulnerability, correct patch instructions

I.   Background

The inetd ident server is an implementation of the RFC1413 identification server which returns the local username of the user connecting to a remote service.

II.  Problem Description

During internal auditing, the internal ident server in inetd was found to incorrectly set group privileges according to the user. Due to ident using root's group permissions, users may read the first 16 (excluding initial whitespace) bytes of wheel-accessible files. This is only true if the internal ident service is run using the '-f' flag.

An additional problem with the '-f' flag is that under certain circumstances the child inetd process can be made to block, potentially allowing a resource starvation condition on the server.

All released versions of FreeBSD prior to the correction date including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

III. Impact

Users can read the first 16 bytes of wheel-accessible files.

To determine which may be potentially read, execute the following command as root:

# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default. If you have not enabled the ident portion of inetd, you are not vulnerable.

IV.  Workaround

Disable the internal ident server, if enabled: comment out all lines beginning with "auth" and which contain the '-f' option to the auth service in /etc/inetd.conf, then restart inetd by sending it a SIGHUP:

# killall -HUP inetd

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the correction date.

To patch your present system: download the relevant patch from the below location, and execute the following commands as root:

[FreeBSD 4.2 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/inetd
# make depend && make all install
# killall -HUP inetd

[FreeBSD 3.5.1 base system]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/inetd
# make depend && make all install
# killall -HUP inetd

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Feb 7 11:39:42 2001
Date: Wed, 7 Feb 2001 11:39:13 -0800 (PST)
Message-Id: <200102071939.f17JdDS04961@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:19.ja-xklock

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:19                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ja-xklock port contains a local root compromise

Category:       ports
Module:         ja-xklock
Announced:      2001-02-07
Credits:        Found during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      See below.
Vendor status:  N/A
FreeBSD only:   No

I.   Background

The ja-xklock is a localized xlock clone, which locks an X display.

II.  Problem Description

The ja-xklock port, versions 2.7.1 and earlier, contains an exploitable buffer overflow. Because the xklock program is also setuid root, unprivileged local users may gain root privileges on the local system.

Because the ja-xklock port is unmaintained and due to the software's age, this vulnerability has not yet been corrected. Additionally, the ja-xklock port is scheduled for removal from the ports system if it has not been audited and fixed within one month of discovery. In the event the ja-xklock port is corrected, this advisory will be rereleased with updated information.

The ja-xklock port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may gain root privileges on the local system.

If you have not chosen to install the ja-xklock port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the ja-xklock port/package, if you have installed it.

V.   Solution

It is suggested that an alternative, such as xlock or xlockmore, is used instead of the ja-xklock port.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Feb 7 11:42:45 2001
Date: Wed, 7 Feb 2001 11:42:07 -0800 (PST)
Message-Id: <200102071942.f17Jg7N05262@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:20.mars_nwe

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:20                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          mars_nwe contains potential remote root compromise

Category:       ports
Module:         mars_nwe
Announced:      2001-02-07
Credits:        Przemyslaw Frasunek
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-30
Vendor status:  Vendor notified
FreeBSD only:   NO

I.   Background

mars_nwe is a Novell Netware server emulator.

II.  Problem Description

The mars_nwe port, versions prior to 0.99.b19_1, contains a remote format string vulnerability. Because of this vulnerability, a malicious remote user sending specially-crafted packets may be able to execute arbitrary code on the local system, potentially gaining root access.

The mars_nwe port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Malicious remote users may cause arbitrary code to be executed on the local system, potentially gaining root access.

If you have not chosen to install the mars_nwe port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the mars_nwe port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mars_nwe port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/mars_nwe-0.99.b19_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/net/mars_nwe-0.99.b19_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.
3) Download a new port skeleton for the mars_nwe port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Feb 7 11:45:36 2001
Date: Wed, 7 Feb 2001 11:44:59 -0800 (PST)
Message-Id: <200102071944.f17Jixq05555@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:21.ja-elvis

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:21                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          ja-elvis and ko-helvis ports contain a local root compromise

Category:       ports
Module:         ja-elvis/ko-helvis
Announced:      2001-02-07
Credits:        Found during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-28
Vendor status:  Vendor notified
FreeBSD only:   No

I.   Background

The ja-elvis and ko-helvis ports are localized versions of elvis, a vi editor clone.

II.  Problem Description

The ja-elvis and ko-helvis ports, versions prior to ja-elvis-1.8.4_1 and ko-helvis-1.8h2_1, contain an exploitable buffer overflow in the elvrec utility. Because elvrec is setuid root, unprivileged local users may gain root privileges on the local system.

The ja-elvis and ko-helvis ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may gain root privileges on the local system.

If you have not chosen to install the ja-elvis or ko-helvis ports/packages, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the ja-elvis or ko-helvis port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the ja-elvis or ko-helvis port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]

[ja-elvis]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/japanese/ja-elvis-1.8.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/japanese/ja-elvis-1.8.4_1.tgz

[ko-helvis]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/korean/ko-helvis-1.8h2_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/korean/ko-helvis-1.8h2_1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) Download a new port skeleton for the ja-elvis or ko-helvis port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications Wed Feb 7 12:38:40 2001
Date: Wed, 7 Feb 2001 12:38:11 -0800 (PST)
Message-Id: <200102072038.f17KcB513558@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:22.dc20ctrl

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:22                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          dc20ctrl port contains a locally exploitable buffer overflow yielding gid dialer

Category:       ports
Module:         dc20ctrl
Announced:      2001-02-07
Credits:        Found during internal auditing
Affects:        Ports collection prior to the correction date.
Corrected:      2001-02-07
Vendor status:  Vendor notified
FreeBSD only:   No

I.   Background

dc20ctrl is a program to control Kodak DC20 digital cameras.

II.  Problem Description

The dc20ctrl port, versions prior to 0.4_1, contains a locally exploitable buffer overflow. Because the dc20ctrl program is also setgid dialer, unprivileged local users may gain gid dialer on the local system. This may allow the users to gain unauthorized access to the serial port devices.

The dc20ctrl port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may gain increased privileges on the local system including potentially unauthorized access to the serial port devices.

If you have not chosen to install the dc20ctrl port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the dc20ctrl port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the dc20ctrl port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/graphics/dc20ctrl-0.4_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/graphics/dc20ctrl-0.4_1.tgz

NOTE: it may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the dc20ctrl from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoGyClUuHi5z0oilAQFzvgP/fhW32mvqDBlqUodUFjjWYmRaLJmaU3Wi
zNm5C/eb36jA9auvmZv9lE4UOlkPng1Kvhg8z0cSvWzhEUNk9IAdklvGsGXhvN/I
rjJHdVG6qSFmmsfSrlQwwfNqbhivPITM7Iv2xH0WPLoaStvMnFFmm4bERPJ/4hAq
8O9ZKoRXqyA=
=J8Ao
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Thu Feb 8 12:15:28 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from smtp.interlog.com (bretweir.total.net [154.11.89.176]) by hub.freebsd.org (Postfix) with SMTP id 9AE8837B6E4 for ; Thu, 8 Feb 2001 12:15:07 -0800 (PST)
Received: (qmail 24220 invoked from network); 8 Feb 2001 20:15:04 -0000
Received: from unknown (HELO vws3.interlog.com) (207.34.202.29) by bretweir.total.net with SMTP; 8 Feb 2001 20:15:04 -0000
Received: by vws3.interlog.com (8.9.0/8.9.0) id PAA29895; Thu, 8 Feb 2001 15:15:04 -0500 (EST)
Date: Thu, 8 Feb 2001 15:15:04 -0500 (EST)
Message-Id: <200102082015.PAA29895@vws3.interlog.com>
To: freebsd-security-notifications@freebsd.org
From: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:INSERT_NUMBER_HERE
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:INSERT_NUMBER_HERE                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          FreeBSD on record to set most advisory releases for year 2001

Category:       All
Announced:      2001-02-07
Credits:        sil@loopback.antioffline.com http://www.antioffline.com
Vendor status:  Developers sleeping right now
FreeBSD only:   Yes

I.   Background

FreeBSD is the most robust chopperating sysdumb in the world and we mean it. Our TCP stack will kick your TCP stacks hynee. Currently we are releasing an advisory every 1.95 days which means we are bound to surpass Microsoft.

II.  Problem Description

We normally do not assess security when creating the ports distribution often allowing anyone to build any program we decide to run in the ports directory. Recently we have noticed that we can no longer fool users into thinking because we provide checksumming for the programs, that they will be secure.
Unlike other operating systems and the developers of them who audit their ports, we feel it is not our problem if someone accesses your system because we're too lazy to do things right the first time.

III. Impact

Obviously anyone can end up controlling your machine or worse.

IV.  Workaround

We will not be mentioning the ultra secure OpenBSD operating system since we feel it is not our problem and does not help to promote a better OS than our own.

V.   Solution

One of the following:

1) Rub a magic lamp and wait for the security genie to fix it.

2) Download NSA Linux so you too can have miniscule backdoors in it which you won't see.

3) Pray to the hacker god Kevin Mitnick for assistance.

4) Install a more secure O(penBSD)S

NOTE: FreeBSD developers are now red faced

VI.  Shouts

Hard Lee Strange Mike Hunt Ivana Swallows Mike Hock Dick Famous Kathie Lee Gifford

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Fri Feb 9 13:26:42 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 3B38037B699; Fri, 9 Feb 2001 13:26:13 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: Reminder notice about FreeBSD Security Advisories
Message-Id: <20010209212613.3B38037B699@hub.freebsd.org>
Date: Fri, 9 Feb 2001 13:26:13 -0800 (PST)
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

This is a reminder notice that all FreeBSD Security Advisories are signed with the PGP key of the security officer, available from the following location:

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/public_key.asc

A copy of the public key containing more signatures may be retrieved from the http://keys.pgp.com key server.

The PGP signature should be verified on all FreeBSD Security Advisories prior to trusting their contents -- recent events have reminded the community that e-mail may be trivially spoofed, and this is in fact the precise reason the security officer signs all official advisories. Advisories with missing or invalid signatures must be assumed to be written by third parties, and therefore unofficial and unsanctioned by the FreeBSD Project.

While the recent examples of spoofed advisories were childish and easily seen to be counterfeits, the originator has done the service of reinforcing the point that signature verification is necessary. Consider the example of a spoofed advisory which appears to be fully legitimate and describes an abstruse and difficult to understand "security vulnerability", and which contains instructions which subtly weaken or compromise the security of machines upon which the instructions are carried out.

At this time, GnuPG is the PGP software recommended by the security officer for use on FreeBSD. This and other PGP software are also included in the FreeBSD ports collection and available commercially.

Most modern mail software allows PGP signature verification to be done automatically at the time the message is displayed. Consult the documentation for your mail and PGP software to find out how to configure it to automatically verify signatures in e-mail.

A sample configuration file for the mutt mail reader to allow automatic signature verification (suitable for addition to the user's ~/.muttrc file) is available from:

http://www.freebsd.org/~kris/muttrc-gpg

This relies on the availability of the gnupg software (/usr/ports/security/gnupg).

Note that the security-officer PGP key uses the IDEA algorithm for encrypted (as opposed to signed) messages you may wish to send to us, which is not included in gnupg by default. IDEA is covered by a patent, but the licensing terms permit use for non-commercial purposes.
To install IDEA support, perform the following steps as root:

# cd /usr/ports/security/gnupg-idea
# make all install clean MAKE_IDEA=yes

IDEA support is not required to verify signatures made by the security officer.

Kris Kennaway
FreeBSD Security Officer

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOoRf/lUuHi5z0oilAQFSegQAkkzFwV/1uGv0W6CJmsNWExCrSZlGBk7p
NixT7iXXa3CF0IllKadoTPr735IO3yKUsg/ujgWU0tpwnSLh6A9C8QqAkBBO2BJQ
y/rLA9qFuz+a3sbrtBVSV7GSzQm7ebzyVpef/ThMfM69C5bnmnhlPWdB6qNbYQAj
2c7MKMGIHuQ=
=Ud07
-----END PGP SIGNATURE-----

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message
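
One way to apply the reminder notice above to mail saved from this list, as an added example that is not part of the original notice or of FreeBSD's own tooling: it sorts a message into unsigned, invalid, signed by another key, or signed by the expected key, using gpg's --status-fd output. TRUSTED_FPR is a placeholder, the function names are hypothetical, and gpg is assumed to be on PATH with the security officer key already imported.

```python
import re
import subprocess
import sys

# Placeholder, not a real fingerprint: use the security officer key's
# fingerprint after checking it through a channel other than e-mail.
TRUSTED_FPR = "0" * 40

# One clearsigned block: header line, signed text, armored signature.
CLEARSIGNED = re.compile(
    r"-----BEGIN PGP SIGNED MESSAGE-----\r?\n.*?"
    r"-----BEGIN PGP SIGNATURE-----\r?\n.*?-----END PGP SIGNATURE-----",
    re.DOTALL)

# Constructed sample: an "advisory" that carries no signature at all.
SAMPLE_UNSIGNED = "Subject: FreeBSD Security Advisory\n\nTopic: example\n"
# Constructed sample: clearsign framing around a placeholder signature body.
SAMPLE_SIGNED = ("-----BEGIN PGP SIGNED MESSAGE-----\n\nTopic: example\n"
                 "-----BEGIN PGP SIGNATURE-----\n\nCONSTRUCTED\n"
                 "-----END PGP SIGNATURE-----\n")

def gpg_status(block):
    """Verify one clearsigned block with gpg; return its --status-fd lines."""
    proc = subprocess.run(["gpg", "--batch", "--status-fd", "1", "--verify"],
                          input=block.encode(), stdout=subprocess.PIPE,
                          stderr=subprocess.DEVNULL)
    return proc.stdout.decode(errors="replace")

def classify(mail, trusted_fpr=TRUSTED_FPR, status_fn=gpg_status):
    """Return 'unsigned', 'invalid', 'other-key' or 'official' for one mail."""
    match = CLEARSIGNED.search(mail)
    if match is None:
        return "unsigned"  # nothing to verify: assume a third party wrote it
    # Only the text inside the matched block is covered by the signature.
    rows = [line.split() for line in status_fn(match.group(0)).splitlines()]
    tags = {r[1]: r for r in rows if len(r) > 2 and r[0] == "[GNUPG:]"}
    # GOODSIG is missing for bad signatures and for expired or revoked keys
    # (gpg reports BADSIG, EXPKEYSIG or REVKEYSIG instead).
    if "GOODSIG" not in tags or "VALIDSIG" not in tags:
        return "invalid"
    # VALIDSIG carries the signing key fingerprint, then (last) the primary's.
    valid = tags["VALIDSIG"]
    fprs = {valid[2].upper(), valid[-1].upper()}
    return "official" if trusted_fpr.upper() in fprs else "other-key"

if __name__ == "__main__":
    # With a file argument, check that mail; otherwise the unsigned sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_UNSIGNED
    print(classify(text))
```

Text before or after the armored block, mail headers included, is not covered by the signature, so only the block itself should be read as the advisory.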