From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 00:59:42 2003
Date: Sun, 6 Apr 2003 12:59:31 +0400
From: "Nikolaj I. Potanin"
Organization: ID Anti-Virus Lab (SalD Ltd)
Message-ID: <1010024029.20030406125931@drweb.ru>
To: freebsd-security@freebsd.org
Subject: Fixed MIME Content-Type header field

Hello All,

What could mean the following in maillog:

Apr 5 23:17:40 drweb sm-mta[87118]: h35JHb15087090: Fixed MIME Content-Type header field (possible attack)

Is it something to worry about?

--
Nikolaj I. Potanin, SA
http://www.drweb.ru
ID Anti-Virus Lab (SalD Ltd)
nikolaj@drweb.ru
St. Petersburg, Russia
ph.: +7-812-3888624

From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 14:31:34 2003
Message-Id: <200304062128.h36LSZ4j028263@grimreaper.grondar.org>
To: security@freebsd.org
From: markm@freebsd.org
Date: Sun, 06 Apr 2003 22:28:35 +0100
Sender: mark@grondar.org
Subject: Administrativia: Documentation project slightly on hold (sorry!)

Hello security folks

I (not so) recently asked for volunteers to the security documentation
project. I got a delightfully large number of volunteers! Thank you!

Right now I have some personal (medical) issues to deal with, and I'll
be out of town for the next 2 weeks. When I get back, we can move ahead
at top speed.

The project will have 3 parts.

FAQ: This will cover any kind of basic security question. The intent is
that the FAQ's should be the nitty-gritty quick-but-not-so-obvious
tidbits that will make a sysadmin's life easier in a collection. They
should be the kind of thing that could be done as tip-of-the-day
by something like fortune(6).

HOWTOs: These would be longer documents where (perhaps) step-by-step
setups are described. Eg, I want to write one where a FreeBSD
Cluster-type NIS/Kerberos5 setup is described in a foolproof way.

HANDBOOK: The handbook is in serious need of updating. For this list,
only the security parts are of relevance. Folks can get on with it
right away.

Discussing the FAQ is specifically on-topic for this list (as long as
it is focussed!). PLEASE PLEASE keep the technical focus. I don't want
this list to degenerate into questions@ noise again.

The others should be considered carefully, but (eg) if someone wrote a
HOWTO and posted it here for review, it would be on-topic as long as
it was a _security_ HOWTO.

Markup issues are off-topic and irrelevant to this list. The choice of
actual markup will be chosen later, but you can't go far wrong if you
use DocBook or DocBook/XML. Whatever you use for your document, be
prepared to modify the markup, so the safest may be plain ole ASCII.

PS: When I get back, I'll also look at the issue of an open
security-questions@ list.
M
--
Mark Murray
iumop ap!sdn w,I idlaH

From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 14:39:42 2003
Date: Sun, 6 Apr 2003 17:39:35 -0400
From: Bill Vermillion
To: freebsd-security@freebsd.org
Message-ID: <20030406213935.GC4780@wjv.com>
In-Reply-To: <20030406190041.E0B4437B404@hub.freebsd.org>
Organization: W.J.Vermillion / Orlando - Winter Park
Subject: Re: Fixed MIME content header field

Wise men talk because they have something to say, however on
Sun, Apr 06, 2003 at 12:00, freebsd-security-request@freebsd.org
just had to say something so we heard:

> Today's Topics:
>
>    1. Fixed MIME Content-Type header field (Nikolaj I. Potanin)
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sun, 6 Apr 2003 12:59:31 +0400
> From: "Nikolaj I. Potanin"
> Subject: Fixed MIME Content-Type header field
> To: freebsd-security@freebsd.org

> Hello All,

> What could mean the following in maillog:

> Apr 5 23:17:40 drweb sm-mta[87118]: h35JHb15087090: Fixed MIME
> Content-Type header field (possible attack)

> Is it something to worry about?

That's part of the new Sendmail if I'm not mistaken. You can see
the info in the RELEASE notes for sendmail 8.12.9. That was one
of the main fixes after the bug announcement about 10 days ago.

Bill

> End of freebsd-security Digest, Vol 2, Issue 6
> **********************************************

--
Bill Vermillion - bv @ wjv . com

From owner-freebsd-security@FreeBSD.ORG Sun Apr 6 16:08:28 2003
Date: Mon, 7 Apr 2003 02:07:55 +0300
From: Giorgos Keramidas
To: markm@freebsd.org
cc: freebsd-security@freebsd.org
Message-ID: <20030406230755.GA15229@gothmog.gr>
In-Reply-To: <200304062128.h36LSZ4j028263@grimreaper.grondar.org>
Subject: Re: Administrativia: Documentation project slightly on hold (sorry!)

On 2003-04-06 22:28, markm@freebsd.org wrote:
> Hello security folks
> I (not so) recently asked for volunteers to the security documentation
> project. I got a delightfully large number of volunteers! Thank you!
> [...]
> Right now I have some personal (medical) issues to deal with,

Sorry to hear about this. My wishes for all to turn out well!

> The project will have 3 parts.
> HANDBOOK: The handbook is in serious need of updating. For this list,
> only the security parts are of relevance.

I've been meaning to sit down and rewrite the "firewalls" section of
handbook/security/ for a while now, mostly to rearrange stuff and add
new sections that describe ipfilter firewalls. If this seems like a
part of what you wanted, let me know and I'll come back in a couple of
days with some proof of concept stuff.
- Giorgos

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 03:49:51 2003
Message-Id: <5.1.1.6.0.20030407123758.00a6de48@device.dyndns.org>
Date: Mon, 07 Apr 2003 12:45:50 +0200
To: freebsd-security@freebsd.org
From: "Guy P."
In-Reply-To: <20030406230755.GA15229@gothmog.gr>
Subject: IPv6 error in log

Hi,

Can anybody point me to some resource that would explain to me what
this line in /var/log/messages means:

Apr 6 23:51:05 device /kernel: in6_purgeaddr: failed to remove a route to the p2p destination: fe80:0008::02e0:7dff:fe88:41e1 on tun0, errno=65

I don't have a clue about ipv6, and nothing on the box that message
comes from should use it afaik. Note that this happened at the time
that computer was doing its daily ADSL reconnection.

System on this box: FreeBSD 4.8-RC (STABLE) built on Mon Mar 31.

Never seen that kind of message before. Should I worry about it?
I suppose I should remove ipv6 support from kernel as I don't need it.
Was there any kind of security issue related to ipv6 released yet?

Thanks for your attention, and forgive my poor English :]

--
Guy

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 06:16:46 2003
Message-Id: <5.2.0.9.0.20030407092210.06702ff8@marble.sentex.ca>
Date: Mon, 07 Apr 2003 09:23:03 -0400
To: security@FreeBSD.org
From: Mike Tancsa
Subject: Fwd: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote root compromise

FYI

>Date: Mon, 7 Apr 2003 07:44:58 +0000 (UTC)
>From: Erik Parker
>To: vulnwatch@vulnwatch.org
>Subject: [VulnWatch] [DDI-1013] Buffer Overflow in Samba allows remote
>root compromise
>
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>
>|------------------------------------------------------------------------------|
> Digital Defense Inc. Security Advisory
> DDI-1013 labs@digitaldefense.net
> http://www.digitaldefense.net/
>|------------------------------------------------------------------------------|
>
>Synopsis          : Buffer Overflow in Samba allows remote root compromise
>Package           : Samba, Samba-TNG
>Type              : Remote Root Compromise
>Issue date        : 04-07-2003
>Versions Affected : < Samba 2.2.8a, <= Samba 2.0.10, < Samba-TNG 0.3.2
>Not Affected      : Samba 3.0 Alpha Versions, CVS Versions of Samba-TNG
>CVE Id            : CAN-2003-0201
>
>|------------------------------------------------------------------------------|
>
>
>o Product description:
> Samba is an Open Source/Free Software suite that provides seamless file
> and print services to SMB/CIFS clients. Samba-TNG was originally a fork
> off of the Samba source tree, and aims at being a substitute for a
> Windows NT domain controller.
>
>
>o Problem description:
> An anonymous user can gain remote root access due to a buffer overflow
> caused by a StrnCpy() into a char array (fname) using a non-constant
> length (namelen).
>
> StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */
>
> In the call_trans2open function in trans2.c, the Samba StrnCpy function
> copies pname into fname using namelen. The variable namelen is assigned
> the value of strlen(pname)+1, which causes the overflow.
>
> The variable 'fname' is a _typedef_ pstring, which is a char with a size
> of 1024. If pname is greater than 1024, you can overwrite almost anything
> you want past the 1024th byte that fits inside of sizeof(pname), or the
> value returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(),
> which should be around 2000 bytes.
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CAN-2003-0201 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org), which standardizes names for
> security problems.
>
>
>o Testing Environment:
> Tested against source compiles and binary packages of Samba from version
> 2.2.5 to 2.2.8 on the following x86 platforms:
>
> Redhat Linux 7.1, 7.3, 8.0
> Gentoo Linux 1.4-rc3
> SuSe Linux 7.3
> FreeBSD 4.6, 4.8, 5.0
> Solaris 9
>
>
>o Solutions and Workarounds:
> Upgrading to the latest version of Samba or Samba-TNG is the recommended
> solution to this vulnerability. Samba version 2.2.8a, and Samba-TNG
> version 0.3.2 are not vulnerable. There will be no new releases for the
> 2.0 line of Samba code. The only fix for Samba 2.0 is to apply the
> patches that Samba is providing.
>
> A workaround in the current source code for this specific vulnerability
> would be to modify the StrnCpy line found at line 250 in smbd/trans2.c
> in the Samba 2.2.8 source code:
>
> -StrnCpy(fname,pname,namelen);
> +StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));
>
> As a result of this vulnerability being identified at least three others
> have also been found by the Samba team after reviewing similar usages in
> the source tree. One is a static overflow and the other two are heap
> overflows. Applying the fix above will only protect against the specific
> problem identified in this advisory. To fully protect yourself, you must
> apply the patches from Samba, or upgrade to 2.2.8a.
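Review bot: In the + line, MIN(namelen, sizeof(fname)-1) silently truncates an over-long name and lets call_trans2open carry on with the shortened string; I would prefer that a request whose namelen does not fit in fname be rejected with an error rather than opened under a different (cut-off) name. The bound is also only correct while fname is the 1024-byte pstring array itself: if fname is ever passed in as a pointer, sizeof(fname) becomes the pointer size, so a short comment or sizeof(pstring) would make that assumption explicit. As the surrounding text says, this clamps one call only, and the other StrnCpy calls that take a caller-derived length need the same check.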
>
> Samba is available for download from: http://www.samba.org/
> Samba-TNG is available for download from: http://www.samba-tng.org/
>
>
>o Exploit:
> An exploit named trans2root.pl has been posted on the Digital Defense,
> Inc. website. A quick udp based scanner named nmbping.pl has also been
> posted to assist you in identifying Samba servers on your network. Both
> are available for download from the following URL:
>
> http://www.digitaldefense.net/labs/securitytools.html
>
> This exploit works against all distributions listed in the testing
> environment section. Usage is as follows:
>
> trans2root.pl -t -H -h
>
> This exploit should work against all x86 Linux, Solaris, and FreeBSD
> hosts running the 2.2.x branch of Samba. Hosts with a non-executable
> stack are not vulnerable to this particular exploit. The exploit will
> cause the target host to connect back to the host running the exploit
> and spawn a root shell on the defined port (default is 1981).
>
> The scanner is very easy to use, and should detect and identify Samba and
> Windows SMB services. Usage is as follows:
>
> nmbping.pl
>
>
>o Forced Release:
> This vulnerability is being actively exploited in the wild. Digital
> Defense, Inc. discovered this bug by analyzing a packet capture of an
> attack against a host running Samba 2.2.8. The attack captured was
> performed on April 1st, 2003. Samba users are urged to check their Samba
> servers for signs of compromise. Samba and Digital Defense, Inc. decided
> to release their advisories before all vendors had a chance to update
> their packages due to this vulnerability being actively exploited.
>
>
>o Revision History:
> 04-07-2003 Initial public release
>
> Latest revision available at:
> http://www.digitaldefense.net/labs/advisories.html
>
>
>o Vendor Contact Information:
> 04-03-2003 security@samba.org notified
> 04-03-2003 elrond@samba-tng.org notified.
> 04-03-2003 Samba Team responds via telephone, acknowledges vulnerability
> 04-03-2003 Elrond of Samba-TNG responds and acknowledges vulnerability
> 04-04-2003 Samba Team notifies vendorsec mailing list
> 04-07-2003 Initial public release
>
>o Thanks to:
> Elrond of Samba-TNG, The Samba Security Team, and everyone on the
> Digital Defense Inc., SECOPS team.
>
>-----BEGIN PGP SIGNATURE-----
>
>iD8DBQE+kT/5jB+XO4ZKjSARAsJpAJsH05MqOIqauWrK1kKOAkwmCsXorgCeK92r
>eDEmOgRY4z7Y0b7HecHyf+A=
>=Af+n
>-----END PGP SIGNATURE-----

--------------------------------------------------------------------
Mike Tancsa,                        tel +1 519 651 3400
Sentex Communications,              mike@sentex.net
Providing Internet since 1994       www.sentex.net
Cambridge, Ontario Canada           www.sentex.net/mike

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 07:24:24 2003
From: "Rubén Torres"
To: freebsd-security@freebsd.org
Date: Mon, 07 Apr 2003 09:24:23 -0500
Subject: C2 configuration requierements for freeBSD

Regards to everyone,

I'm trying to make freeBSD compliant with C2 (orange book C2).
Is there any guide for freeBSD made for this purpose or similar?

Thanks to all of you,

Rubén

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 08:51:42 2003
Date: Mon, 7 Apr 2003 11:51:38 -0400
From: "Michael W . Lucas"
To: markm@freebsd.org
cc: security@freebsd.org
Message-ID: <20030407115138.A74991@blackhelicopters.org>
In-Reply-To: <200304062128.h36LSZ4j028263@grimreaper.grondar.org>; from markm@freebsd.org on Sun, Apr 06, 2003 at 10:28:35PM +0100
Subject: Re: Administrativia: Documentation project slightly on hold (sorry!)

On Sun, Apr 06, 2003 at 10:28:35PM +0100, markm@freebsd.org wrote:
> The project will have 3 parts.
>
> FAQ: This will cover any kind of basic security question. The intent is
> that the FAQ's should be the nitty-gritty quick-but-not-so-obvious
> tidbits that will make a sysadmin's life easier in a collection. They
> should be the kind of thing that could be done as tip-of-the-day
> by something like fortune(6).

First off, hope your health improves!

Second, glad to see this going.

Third, we have a "Security" section in the existing FAQ. Please do
not divide FAQs among different FAQs; either add to the existing FAQ,
or take the security questions from the current FAQ and incorporate
them into your new FAQ.

==ml

--
Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
http://www.BlackHelicopters.org/~mwlucas/
Absolute BSD: http://www.AbsoluteBSD.com/

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 11:02:32 2003
Date: Mon, 7 Apr 2003 11:02:29 -0700 (PDT)
Message-Id: <200304071802.h37I2TC6045487@freefall.freebsd.org>
From: FreeBSD bugmaster
To: security@FreeBSD.org
Subject: Current problem reports assigned to you

Current FreeBSD problem reports
No matches to your query

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 06:41:34 2003
Date: Mon, 7 Apr 2003 06:41:32 -0700 (PDT)
Message-Id: <200304071341.h37DfWqV004874@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: security-advisories@freebsd.org
Subject: FreeBSD Security Notice FreeBSD-SN-03:01

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SN-03:01                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issue in samba ports
Announced:      2003-04-07

I. Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications. See
for more information about the FreeBSD Ports Collection.

II. Ports

+------------------------------------------------------------------------+
Port name:      net/samba
Affected:       versions < samba-2.2.8_2, samba-2.2.8a
Status:         Fixed
Two vulnerabilities recently:
  (1) Sebastian Krahmer of the SuSE Security Team identified
  vulnerabilities that could lead to arbitrary code execution as root,
  as well as a race condition that could allow overwriting of system
  files. (This vulnerability was previously fixed in Samba 2.2.8.)

  (2) Digital Defense, Inc. reports: ``This vulnerability, if
  exploited correctly, leads to an anonymous user gaining root access
  on a Samba serving system. All versions of Samba up to and
  including Samba 2.2.8 are vulnerable.
  Alpha versions of Samba 3.0 and above are *NOT* vulnerable.''
+------------------------------------------------------------------------+
Port name:      net/samba-tng
Affected:       all versions
Status:         Not fixed
Some or all of the vulnerabilities affecting Samba may also affect
Samba-TNG. No confirmation or official patches are available at the
time of this security notice.
+------------------------------------------------------------------------+

III. Upgrading Ports/Packages

To upgrade a fixed port/package, perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
  /usr/ports/devel/portcheckout
  /usr/ports/misc/porteasy
  /usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[FreeBSD 4.x, i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

[FreeBSD 5.x, i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/All/

Packages are not automatically generated for other architectures at
this time.

Note that new, official packages may not be available on all mirrors
immediately.
In the interim, Security Officer-generated packages (and detached digital signatures) are available for the i386 architecture at:

[FreeBSD 4.x, i386]
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-stable/samba-2.2.8_2.tgz
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-4-stable/samba-2.2.8_2.tgz.asc

[FreeBSD 5.x]
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-current/samba-2.2.8_2.tbz
ftp://ftp2.FreeBSD.org/pub/FreeBSD/security-officer/ports/i386/packages-5-current/samba-2.2.8_2.tbz.asc
+------------------------------------------------------------------------+

FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory.

Feedback on Security Notices is welcome at .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+kX+vFdaIBMps37IRAtkmAJ4ruhx4WQLeSPSPgfmzrVW4uYvVJACfRxem
4q3eO8IxTujzRR2QwH4eyK4=
=/4KW
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 11:20:30 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5CC0737B401 for ; Mon, 7 Apr 2003 11:20:30 -0700 (PDT)
Received: from hotmail.com (oe67.law11.hotmail.com [64.4.16.202]) by mx1.FreeBSD.org (Postfix) with ESMTP id DC39443F3F for ; Mon, 7 Apr 2003 11:20:29 -0700 (PDT) (envelope-from parisstc@hotmail.com)
Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Mon, 7 Apr 2003 11:20:27 -0700
Received: from 213.16.158.10 by oe67.law11.hotmail.com with DAV; Mon, 07 Apr 2003 18:20:27 +0000
X-Originating-IP: [213.16.158.10]
X-Originating-Email: [parisstc@hotmail.com]
From: "Paris Stefas"
To: =?iso-8859-7?Q?Rub=E9n_Torres?=
References:
Date: Mon, 7 Apr 2003 21:20:20 +0300
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-7"
Content-Transfer-Encoding: 8bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1106
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106
Message-ID:
X-OriginalArrivalTime: 07 Apr 2003 18:20:27.0764 (UTC) FILETIME=[5D707B40:01C2FD32]
cc: freebsd-security@freebsd.org
Subject: Re: C2 configuration requierements for freeBSD
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 07 Apr 2003 18:20:30 -0000

Hi,

take a look at http://www.trustedbsd.org
you'll probably find some things there that might help you

Paris Stefas

----- Original Message -----
From: "Rubén Torres"
To:
Sent: Monday, April 07, 2003 17:24
Subject: C2 configuration requierements for freeBSD

> Regards to everyone,
>
> I'm trying to make freeBSD compliant with C2 (orange book C2).
> Is there any guide for freeBSD made for this purpose or similar?
>
> Thanks to all of you,
>
> Rubén
>
> _________________________________________________________________
> MSN 8 helps eliminate e-mail viruses. Get 2 months FREE*.
> http://join.msn.com/?page=features/virus
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Mon Apr 7 12:02:51 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D89B37B401 for ; Mon, 7 Apr 2003 12:02:51 -0700 (PDT)
Received: from ms-smtp-01.nyroc.rr.com (ms-smtp-01.nyroc.rr.com [24.92.226.148]) by mx1.FreeBSD.org (Postfix) with ESMTP id 49A1043FBF for ; Mon, 7 Apr 2003 12:02:50 -0700 (PDT) (envelope-from njyoder@gummibears.nu)
Received: from chesire (roc-66-66-19-79.rochester.rr.com [66.66.19.79]) h37J2ipL028622 for ; Mon, 7 Apr 2003 15:02:44 -0400 (EDT)
Resent-Date: Mon, 7 Apr 2003 15:02:44 -0400 (EDT)
Resent-Message-Id: <200304071902.h37J2ipL028622@ms-smtp-01.nyroc.rr.com>
Date: Mon, 7 Apr 2003 15:02:42 -0400
From: "Nathan J. Yoder"
X-Mailer: The Bat! (v1.62i) Educational
X-Priority: 3 (Normal)
Message-ID: <11345416793.20030407150242@gummibears.nu>
To: freebsd-security@freebsd.org
Resent-From: "Nathan J. Yoder"
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: timing related vunlerability that reveals whether files exist without regard to permissions
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: "Nathan J. Yoder"
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 07 Apr 2003 19:02:51 -0000

There was a recent post to BugTraq (April 2nd) detailing a multi-platform vulnerability. An archived copy of this posting can be found at http://www.securityfocus.com/archive/1/317425.

This vulnerability is a timing based attack on system calls that can be used to reveal whether or not a file exists without regard to permissions. The attack works based off the fact that using the open() system call to test whether a file exists will return significantly faster if the file doesn't exist (about 4 times faster in my testing).

This vulnerability in itself does not present a serious security risk, however as outlined by the BugTraq post it can be used in conjunction with another attack. Even worse, the idea that such a timing related vulnerability exists and that it wasn't accounted for at all suggests that many other system calls and aspects of various OSes (not just FreeBSD) may be vulnerable to more serious timing related vulnerabilities.

Call me paranoid, but in lieu of this, the ssl timing attack (ability to derive the private key), the recent qpopper one (ability to test to see if users exist), my daemon-sense is tingling, telling me that there is going to be a huge flood of timing attacks over the next few years.

One of the problems is that compensating for this is not easy because there is no generic solution short of adding intentional delays (like with Matt Blaze's? quantization library), which gives you a fixed performance penalty.

TESTING DETAILS

I ran the following commands on a FreeBSD 4.7-RELEASE computer using the exploit provided in the BugTraq posting. Provided below are 3 trial runs of the program. Note the time discrepancy between trying to open an existing and non-existent file.

NOTE: I needed to remove the O_SYNC flag from the "int flags" line (it doesn't seem to exist on 4.7-R) and I needed to include the header file in the exploit to make it work.

[njyoder@topcat ~/temp]$ uname -a
FreeBSD topcat.mine.nu 4.7-RELEASE-p6 FreeBSD 4.7-RELEASE-p6 #21: Sat Mar 1 06:07:58 EST 2003 njyoder@topcat.mine.nu:/usr/obj/usr/src/sys/TOPCAT i386

[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d--------- 2 njyoder users 512 Apr 5 17:29 unreachable/
[+] Timing open() on unreachable/iexist
[+] Successful: 83 usecs, got m
[+] Timing open() on unreachable/non-existant
[+] Failure: 22 usecs, got m
[+] Using 35 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
[+] /root/.bashrc doesn't exist (29 usecs), got m
[+] /root/non-existant doesn't exist (21 usecs), got m
[+] cleaning up

[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d--------- 2 njyoder users 512 Apr 5 17:30 unreachable/
[+] Timing open() on unreachable/iexist
[+] Successful: 86 usecs, got m
[+] Timing open() on unreachable/non-existant
[+] Failure: 23 usecs, got m
[+] Using 36 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
[+] /root/.bashrc doesn't exist (28 usecs), got m
[+] /root/non-existant doesn't exist (22 usecs), got m
[+] cleaning up

[njyoder@topcat ~/temp]$ ./evil
[+] creating unreachable
[+] creating unreachable/iexist
[+] chmod 0'ing unreachable
[+] d--------- 2 njyoder users 512 Apr 5 17:30 unreachable/
[+] Timing open() on unreachable/iexist
[+] Successful: 84 usecs, got m
[+] Timing open() on unreachable/non-existant
[+] Failure: 22 usecs, got m
[+] Using 35 as our cutoff.
[+] testing /root/.bashrc and /root/non-existant
[+] /root/.bashrc doesn't exist (27 usecs), got m
[+] /root/non-existant doesn't exist (20 usecs), got m
[+] cleaning up

------------------------------------------------
Nathan J. Yoder
http://www.gummibears.nu/
http://www.gummibears.nu/files/njyoder_pgp.key
------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 03:21:37 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B1D537B401 for ; Tue, 8 Apr 2003 03:21:37 -0700 (PDT)
Received: from smtp2.home.se (smtp2.home.se [195.66.35.201]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4619D43F3F for ; Tue, 8 Apr 2003 03:21:36 -0700 (PDT) (envelope-from sopppp@home.se)
Received: from sopppp@home.se [130.243.70.136] by home.se with NetMail ModWeb Module; Tue, 08 Apr 2003 12:21:08 +0200
From: "Martin Larsson"
To: freebsd-security@freebsd.org
Date: Tue, 08 Apr 2003 12:21:08 +0200
X-Mailer: NetMail ModWeb Module
X-Sender: sopppp@home.se
MIME-Version: 1.0
Message-ID: <1049797268.4be09680sopppp@home.se>
Content-Type: text/plain; charset="ISO-8859-1"
Content-Transfer-Encoding: quoted-printable
Subject: fstack protector
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Apr 2003 10:21:37 -0000

hi is there any way to build 4.8 release with this fstack protection?
or at least some ports is there any good info on this? the only page i found was that ibm page but it seemed outdated.
//martin

From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 05:12:06 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DC60D37B405; Tue, 8 Apr 2003 05:12:06 -0700 (PDT)
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD79E43F75; Tue, 8 Apr 2003 05:12:05 -0700 (PDT) (envelope-from security-advisories@freebsd.org)
Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h38CC5Up050417; Tue, 8 Apr 2003 05:12:05 -0700 (PDT) (envelope-from security-advisories@freebsd.org)
Received: (from nectar@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h38CC5pm050416; Tue, 8 Apr 2003 05:12:05 -0700 (PDT)
Date: Tue, 8 Apr 2003 05:12:05 -0700 (PDT)
Message-Id: <200304081212.h38CC5pm050416@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Precedence: bulk
Subject: FreeBSD Security Notice FreeBSD-SN-03:02
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Reply-To: security-advisories@freebsd.org
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Apr 2003 12:12:07 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SN-03:02                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issue in SETI@home client
Announced:      2003-04-08

I.   Introduction

A port in the FreeBSD Ports Collection is affected by a security issue. Summary information is given below with references and affected versions. All versions given refer to the FreeBSD port/package version numbers. The listed vulnerabilities are not specific to FreeBSD unless otherwise noted.

This port is not installed by default, nor is it ``part of FreeBSD'' as such. The FreeBSD Ports Collection contains thousands of third-party applications in a ready-to-install format. FreeBSD makes no claim about the security of these third-party applications. See for more information about the FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      astro/setiathome
Affected:       All versions
Status:         Not fixed
Excerpt from Berend-Jan Wever a.k.a. SkyLined's advisory:
``There is a bufferoverflow in the server responds handler. Sending an overly large string followed by a newline ('\n') character to the client will trigger this overflow. This has been tested with various versions of the client. All versions are presumed to have this flaw in some form.''

Example exploits for FreeBSD and other systems exist. A new version of SETI@home for FreeBSD is not available at the time of this security notice.
+------------------------------------------------------------------------+

FreeBSD Security Notices are communications from the Security Officer intended to inform the user community about potential security issues, such as bugs in the third-party applications found in the Ports Collection, which will not be addressed in a FreeBSD Security Advisory.

Feedback on Security Notices is welcome at .
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE+kruuFdaIBMps37IRAksIAKCXua4QQz3P3Y4qysYW8/ftjQhozQCfVnNw
PZAo0yzuFpYydTgYrodW+4Q=
=DQki
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 08:56:06 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A939537B401 for ; Tue, 8 Apr 2003 08:56:06 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id E50AD43FB1 for ; Tue, 8 Apr 2003 08:56:05 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 37377 invoked from network); 8 Apr 2003 15:56:04 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 8 Apr 2003 15:56:04 -0000
X-pair-Authenticated: 209.68.2.70
Date: Tue, 8 Apr 2003 10:52:17 -0500 (CDT)
From: Mike Silbersack
To: Martin Larsson
In-Reply-To: <1049797268.4be09680sopppp@home.se>
Message-ID: <20030408105014.G91225@odysseus.silby.com>
References: <1049797268.4be09680sopppp@home.se>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: fstack protector
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Apr 2003 15:56:06 -0000

On Tue, 8 Apr 2003, Martin Larsson wrote:

> hi is there any way to build 4.8 release with this fstack protection?
> or at least some ports is there any good info on this? the only page i found was that ibm page but it seemed outdated.
>
> //martin
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list

The instructions shouldn't need much updating, things haven't changed all that much. Take a stab at it, post instructions once you have it working.
:)

(When I last tried it on a 4.7 box, it did require a bit of tweaking to the patch, but it wasn't too major. The big issue was to not repeatedly apply the patch, as patch is dumb, and it kept appending the newly added stack protector patch file to itself each time. That confused me greatly at the time.)

Mike "Silby" Silbersack

From owner-freebsd-security@FreeBSD.ORG Tue Apr 8 10:42:02 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0C0A37B41C for ; Tue, 8 Apr 2003 10:42:01 -0700 (PDT)
Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 91F2943F3F for ; Tue, 8 Apr 2003 10:41:58 -0700 (PDT) (envelope-from munk@users.munk.nu)
Received: from users.munk.nu (munk@localhost [127.0.0.1]) by users.munk.nu (8.12.9/8.12.8) with ESMTP id h38HhP3U019496 for ; Tue, 8 Apr 2003 18:43:25 +0100 (BST) (envelope-from munk@users.munk.nu)
Received: (from munk@localhost) by users.munk.nu (8.12.9/8.12.8/Submit) id h38HhPkq019495 for security@freebsd.org; Tue, 8 Apr 2003 18:43:25 +0100 (BST)
Date: Tue, 8 Apr 2003 18:43:24 +0100
From: Jez Hancock
To: FreeBSD Security List
Message-ID: <20030408174324.GB18965@users.munk.nu>
Mail-Followup-To: FreeBSD Security List
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="0F1p//8PRICkK4MW"
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
User-Agent: Mutt/1.4.1i
Subject: [labs@idefense.com: iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Tue, 08 Apr 2003 17:42:02 -0000

--0F1p//8PRICkK4MW
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

FYI

--0F1p//8PRICkK4MW
Content-Type: message/rfc822
Content-Disposition: inline
Content-Transfer-Encoding: 8bit

Received: from outgoing.securityfocus.com (outgoing2.securityfocus.com [205.206.231.26]) by users.munk.nu (8.12.9/8.12.8) with ESMTP id h38HAF3U018956 for ; Tue, 8 Apr 2003 18:10:15 +0100 (BST) (envelope-from bugtraq-return-9111-munk=munk.nu@securityfocus.com)
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19]) by outgoing.securityfocus.com (Postfix) with QMQP id 11C158F2C0; Tue, 8 Apr 2003 10:59:26 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id:
List-Post:
List-Help:
List-Unsubscribe:
List-Subscribe:
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 8970 invoked from network); 8 Apr 2003 16:42:15 -0000
From: "iDEFENSE Labs"
To: bugtraq@securityfocus.com
Date: Tue, 8 Apr 2003 12:44:39 -0400
Subject: iDEFENSE Security Advisory 04.08.03: Denial of Service in Apache HTTP Server 2.x
Reply-To: labs@idefense.com
Message-ID: <3E92C437.22201.645BF98@localhost>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

iDEFENSE Security Advisory 04.08.03:
http://www.idefense.com/advisory/04.08.03.txt
Denial of Service in Apache HTTP Server 2.x
April 8, 2003

I. BACKGROUND

The Apache Software Foundation's HTTP Server Project is an effort to develop and maintain an open-source web server for modern operating systems including Unix and Microsoft Corp.'s Windows. More information is available at http://httpd.apache.org/ .

II. DESCRIPTION

Remote exploitation of a memory leak in the Apache HTTP Server causes the daemon to over utilize system resources on an affected system. The problem is HTTP Server's handling of large chunks of consecutive linefeed characters. The web server allocates an eighty-byte buffer for each linefeed character without specifying an upper limit for allocation. Consequently, an attacker can remotely exhaust system resources by generating many requests containing these characters.

III. ANALYSIS

While this type of attack is most effective in an intranet setting, remote exploitation over the Internet, while bandwidth intensive, is feasible. Remote exploitation could consume system resources on a targeted system and, in turn, render the Apache HTTP daemon unavailable.

iDEFENSE has performed research using proof of concept exploit code to demonstrate the impact of this vulnerability. A successful exploitation scenario requires between two and seven megabytes of traffic exchange.

IV. DETECTION

Both the Windows and Unix implementations of Apache HTTP Server 2.0.44 are vulnerable; all 2.x versions up to and including 2.0.44 are most likely vulnerable as well.

V. VENDOR FIX/RESPONSE

Apache HTTP Server 2.0.45, which fixes this vulnerability, can be downloaded at http://httpd.apache.org/download.cgi . This release introduces a limit of 100 blank lines accepted before an HTTP connection is discarded.

VI. CVE INFORMATION

The Mitre Corp.'s Common Vulnerabilities and Exposures (CVE) Project has assigned the identification number CAN-2003-0132 to this issue.

VII. DISCLOSURE TIMELINE

01/23/2003 Issue disclosed to iDEFENSE
03/06/2003 security@apache.org contacted
03/06/2003 Response from Lars Eilebrecht
03/11/2003 Status request from iDEFENSE
03/13/2003 Response received from Mark J Cox
03/23/2003 Response received from Brian Pane
03/25/2003 iDEFENSE clients notified
04/08/2003 Coordinated Public Disclosure

Get paid for security research
http://www.idefense.com/contributor.html

Subscribe to iDEFENSE Advisories:
send email to listserv@idefense.com, subject line: "subscribe"

About iDEFENSE:

iDEFENSE is a global security intelligence company that proactively monitors sources throughout the world — from technical vulnerabilities and hacker profiling to the global spread of viruses and other malicious code. Our security intelligence services provide decision-makers, frontline security professionals and network administrators with timely access to actionable intelligence and decision support on cyber-related threats. For more information, visit http://www.idefense.com .

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPpL7k/rkky7kqW5PEQKSEQCfbqX0EJWYTE1oqFUwpBqGWiFI5esAoMZI
P/F2T7UtpHxj1aaJqnJzSyFa
=1dI8
-----END PGP SIGNATURE-----

--0F1p//8PRICkK4MW--

From owner-freebsd-security@FreeBSD.ORG Wed Apr 9 12:28:44 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D15C737B401 for ; Wed, 9 Apr 2003 12:28:44 -0700 (PDT)
Received: from mail.be.ubizen.com (batty.be.ubizen.com [212.113.70.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAB9343FAF for ; Wed, 9 Apr 2003 12:28:43 -0700 (PDT) (envelope-from niels.heinen@ubizen.com)
Received: (from local) by mail.be.ubizen.com id h39JSfEU010513 for ; Wed, 9 Apr 2003 21:28:41 +0200
Received: from UNKNOWN(10.0.0.108), claiming to be "amaya.be.ubizen.com" via SMTP by batty.netvision.be, id smtpd10500aaa; Wed Apr 9 19:28:29 2003
Received: (qmail 26153 invoked from network); 9 Apr 2003 19:28:29 -0000
Received: from unknown (HELO ubi) (10.0.0.10) by amaya.be.ubizen.com with SMTP; 9 Apr 2003 19:28:29 -0000
Received: from ubizen.com (demandred.be.ubizen.com [212.113.70.130]) <0HD3001NVCRGXK@ubi.be.ubizen.com>; Wed, 09 Apr 2003 21:28:29 +0200 (MET DST)
Date: Wed, 09 Apr 2003 21:28:10 +0200
From: Niels Heinen
To: Mike Silbersack
Message-id: <3E94744A.1030102@ubizen.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii; format=flowed
Content-transfer-encoding: 7BIT
X-Accept-Language: en-us, en
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.1) Gecko/20030104
References: <1049797268.4be09680sopppp@home.se> <20030408105014.G91225@odysseus.silby.com>
X-Sanitizer: Out
cc: freebsd-security@freebsd.org
Subject: Re: fstack protector
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 09 Apr 2003 19:28:45 -0000

FYI,

They just released the patch for 4.8:
http://www.trl.ibm.com/projects/security/ssp/buildfreebsd.html

Cheers,

Niels

Mike Silbersack wrote:
> On Tue, 8 Apr 2003, Martin Larsson wrote:
>
>
>>hi is there any way to build 4.8 release with this fstack protection?
>>or at least some ports is there any good info on this? the only page i found was that ibm page but it seemed outdated.
>>
>>//martin
>>
>>_______________________________________________
>>freebsd-security@freebsd.org mailing list
>
>
> The instructions shouldn't need much updating, things haven't changed all
> that much. Take a stab at it, post instructions once you have it working.
> :)
>
> (When I last tried it on a 4.7 box, it did require a bit of tweaking to
> the patch, but it wasn't too major. The big issue was to not repeatedly
> apply the patch, as patch is dumb, and it kept appending the newly added
> stack protector patch file to itself each time. That confused me greatly
> at the time.)
>
> Mike "Silby" Silbersack
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Thu Apr 10 23:18:19 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B83237B401 for ; Thu, 10 Apr 2003 23:18:19 -0700 (PDT)
Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by mx1.FreeBSD.org (Postfix) with ESMTP id C523143F93 for ; Thu, 10 Apr 2003 23:18:18 -0700 (PDT) (envelope-from cfaber@fpsn.net)
Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated bits=0) by mail.fpsn.net (8.12.9/8.12.9) with ESMTP id h3B6I5aM005780 for ; Fri, 11 Apr 2003 00:18:11 -0600 (MDT)
Message-ID: <3E965DF7.EA582C4A@fpsn.net>
Date: Fri, 11 Apr 2003 00:17:27 -0600
From: Colin Faber
Organization: fpsn.net, Inc.
X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-security@freebsd.org
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Filter-Engine: scanmail (Ruckus scanmail) 1.0-Alpha (ab 1.52)
X-Filter-Url: http://www.fpsn.net/ruckus
X-Spam: No
X-Pass: ce6123eac61f19c08e1030e2e56e9f6c
Subject: (OT) functional?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 11 Apr 2003 06:18:19 -0000

Hi folks,

sorry for the posting but I haven't received a message from this list in almost a week and was wondering if my account was not working correctly.

--
Colin Faber
(303) 859-1491
fpsn.net, Inc.

* Black holes are where God divided by zero. *

From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 02:30:28 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C025D37B401 for ; Fri, 11 Apr 2003 02:30:28 -0700 (PDT)
Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C38443F3F for ; Fri, 11 Apr 2003 02:30:27 -0700 (PDT) (envelope-from munk@users.munk.nu)
Received: from users.munk.nu (munk@localhost [127.0.0.1]) by users.munk.nu (8.12.9/8.12.8) with ESMTP id h3B9VuJ0012789; Fri, 11 Apr 2003 10:31:56 +0100 (BST) (envelope-from munk@users.munk.nu)
Received: (from munk@localhost) by users.munk.nu (8.12.9/8.12.8/Submit) id h3B9VtM1012788; Fri, 11 Apr 2003 10:31:55 +0100 (BST)
Date: Fri, 11 Apr 2003 10:31:55 +0100
From: Jez Hancock
To: freebsd-security@freebsd.org
Message-ID: <20030411093155.GB12323@users.munk.nu>
Mail-Followup-To: freebsd-security@freebsd.org, Colin Faber
References: <3E965DF7.EA582C4A@fpsn.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <3E965DF7.EA582C4A@fpsn.net>
User-Agent: Mutt/1.4.1i
Subject: Re: (OT) functional?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 11 Apr 2003 09:30:29 -0000

On Fri, Apr 11, 2003 at 12:17:27AM -0600, Colin Faber wrote:
> Hi folks,
>
> sorry for the posting but I haven't received a message from this list
> in almost a week and was wondering if my account was not working
> correctly.
It's better to check on one of the online archives to see if any recent activity has occurred rather than spam the whole list :)

http://marc.theaimsgroup.com/?l=freebsd-security&r=1&b=200304&w=2

For example shows a reliable account of the mails received for the current week.

Best Regards,
Jez

From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 11:28:19 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8485A37B401 for ; Fri, 11 Apr 2003 11:28:19 -0700 (PDT)
Received: from perrin.int.nxad.com (internal.ext.nxad.com [69.1.70.251]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2DDC943FBD for ; Fri, 11 Apr 2003 11:28:19 -0700 (PDT) (envelope-from sean@perrin.int.nxad.com)
Received: by perrin.int.nxad.com (Postfix, from userid 1001) id 8E6F72106B; Fri, 11 Apr 2003 11:27:58 -0700 (PDT)
Date: Fri, 11 Apr 2003 11:27:58 -0700
From: Sean Chittenden
To: security@freebsd.org
Message-ID: <20030411182758.GN79923@perrin.int.nxad.com>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="m0XfRaZG5aslkcJX"
Content-Disposition: inline
User-Agent: Mutt/1.4i
X-PGP-Key: finger seanc@FreeBSD.org
X-PGP-Fingerprint: 3849 3760 1AFE 7B17 11A0 83A6 DD99 E31F BC84 B341
X-Web-Homepage: http://sean.chittenden.org/
Subject: How often should an encrypted session be rekeyed?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 11 Apr 2003 18:28:19 -0000

--m0XfRaZG5aslkcJX
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Using OpenSSL, is there a preferred/recommended rate of rekeying an encrypted stream of data? Does OpenSSL handle this for developers behind the scenes? Does it even need to be rekeyed? Thanks in advance. -sc

--
Sean Chittenden

--m0XfRaZG5aslkcJX
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Comment: Sean Chittenden

iD8DBQE+lwkt3ZnjH7yEs0ERArm8AJ44SFuUkjanHyM6UdPiGJ3gBeTlhgCgzRaa
zjJGyx0moCAes5+zC6TFtUg=
=FKvS
-----END PGP SIGNATURE-----

--m0XfRaZG5aslkcJX--

From owner-freebsd-security@FreeBSD.ORG Fri Apr 11 22:01:51 2003
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FD9E37B401 for ; Fri, 11 Apr 2003 22:01:51 -0700 (PDT)
Received: from relay.pair.com (relay.pair.com [209.68.1.20]) by mx1.FreeBSD.org (Postfix) with SMTP id BB01E43FBF for ; Fri, 11 Apr 2003 22:01:50 -0700 (PDT) (envelope-from silby@silby.com)
Received: (qmail 95982 invoked from network); 12 Apr 2003 05:01:50 -0000
Received: from niwun.pair.com (HELO localhost) (209.68.2.70) by relay.pair.com with SMTP; 12 Apr 2003 05:01:50 -0000
X-pair-Authenticated: 209.68.2.70
Date: Fri, 11 Apr 2003 11:58:02 -0500 (CDT)
From: Mike Silbersack
To: Martin Blapp
In-Reply-To: <20030411111302.G4749@cvs.imp.ch>
Message-ID: <20030411115522.I6045@odysseus.silby.com>
References: <20030411111302.G4749@cvs.imp.ch>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
cc: freebsd-security@freebsd.org
Subject: Re: fstack protector
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 12 Apr 2003 05:01:51 -0000

On Fri, 11 Apr 2003, Martin Blapp wrote:

> Can't we add this to the gcc in the base_system for CURRENT ?
>
> It seems that OpenBSD 3.3 will contain this too as they
> mention.
>
> Martin
>
> Martin Blapp,

That'd work, except that then be dependent on the patch continuing to work during every gcc upgrade.

One possible solution would be to have a gcc-ssp port which would build a SSP version of the base system's compiler, and call it gcc-ssp or something. Then we could make certain ports depend on using it, perhaps.

The _real_ solution is for the gcc guys to integrate it into gcc 3.3, but I'm not sure how that could be made to happen.

Mike "Silby" Silbersack
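
Added example, not part of any message in this archive and not the BugTraq exploit: Nathan J. Yoder's message above names intentional delays as the only generic answer to timing leaks, so this C code pads a lookup that a service performs on a client's behalf to a whole number of quanta, using the 83 usec and 22 usec timings from his test runs. The names pad_to_quantum and quantized_open_check and the quantum values are assumptions made for the illustration; this is not the interface of the quantization library he mentions, and it does not change how long a direct open() call takes for a local user.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* clock_gettime(), nanosleep() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>
#include <unistd.h>

#define NS_PER_SEC 1000000000ULL

/* Monotonic clock in nanoseconds, unaffected by wall-clock adjustments. */
static uint64_t now_ns(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * NS_PER_SEC + (uint64_t)ts.tv_nsec;
}

/* Round an elapsed time up to a whole number of quanta (at least one). */
uint64_t pad_to_quantum(uint64_t elapsed, uint64_t quantum)
{
    uint64_t n = (elapsed + quantum - 1) / quantum;
    return (n == 0 ? 1 : n) * quantum;
}

/* Sleep for at least ns nanoseconds, resuming after signal interruptions. */
static void sleep_ns(uint64_t ns)
{
    struct timespec req, rem;
    req.tv_sec = (time_t)(ns / NS_PER_SEC);
    req.tv_nsec = (long)(ns % NS_PER_SEC);
    while (nanosleep(&req, &rem) == -1 && errno == EINTR)
        req = rem;
}

/*
 * Hypothetical service-side helper: try to open path, then hold the reply
 * until the next quantum boundary so the caller sees the same duration
 * whether the open succeeded or failed.
 * Returns 0 if the file could be opened, -1 otherwise; *total_ns receives
 * the duration the caller would observe.
 */
int quantized_open_check(const char *path, uint64_t quantum_ns,
                         uint64_t *total_ns)
{
    uint64_t start = now_ns();
    int fd = open(path, O_RDONLY);
    int result = (fd >= 0) ? 0 : -1;
    if (fd >= 0)
        close(fd);

    /* Deadline is the first quantum boundary at or after the real work. */
    uint64_t deadline = start + pad_to_quantum(now_ns() - start, quantum_ns);
    uint64_t now = now_ns();
    if (now < deadline)
        sleep_ns(deadline - now);

    if (total_ns)
        *total_ns = now_ns() - start;
    return result;
}

int main(void)
{
    /* Timings reported in the message: 83 usec (exists), 22 usec (missing). */
    const uint64_t hit = 83000, miss = 22000;
    printf("quantum 100 usec: hit=%llu ns miss=%llu ns\n",
           (unsigned long long)pad_to_quantum(hit, 100000),
           (unsigned long long)pad_to_quantum(miss, 100000));
    printf("quantum  35 usec: hit=%llu ns miss=%llu ns\n",
           (unsigned long long)pad_to_quantum(hit, 35000),
           (unsigned long long)pad_to_quantum(miss, 35000));

    uint64_t seen = 0;
    int rc = quantized_open_check("/constructed/missing/path", 2000000, &seen);
    printf("rc=%d, caller-visible time %llu ns\n", rc, (unsigned long long)seen);
    return 0;
}
```

A quantum smaller than the slowest path (35 usec against 83 usec here) still leaks the answer through the number of quanta, so the quantum has to exceed the worst case, which is the fixed performance penalty the message describes.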
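
Added example, not Apache's code: the connection-level check described in section V of the iDEFENSE advisory forwarded above, counting blank lines ahead of the request line across read chunks and discarding the connection once more than 100 have arrived. The struct, the function names and the choice to count CRLF and bare LF alike are assumptions; the 80-byte and 100-line figures are the advisory's.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_BLANK_LINES 100u  /* limit the advisory reports for 2.0.45 */
#define BYTES_PER_LF    80u   /* per-linefeed allocation the advisory reports */

enum feed_result { NEED_MORE, REQUEST_STARTED, DISCARD };

/* Per-connection state kept between reads (hypothetical layout). */
struct preamble {
    unsigned blank_lines;  /* blank lines seen so far on this connection */
    int pending_cr;        /* previous chunk ended in CR; LF may follow */
};

/*
 * Consume blank lines at the front of a connection's input.
 * *consumed receives the number of bytes of buf that were blank-line
 * terminators. Returns REQUEST_STARTED when the byte at *consumed begins
 * the request line, NEED_MORE when buf held only blank lines, and DISCARD
 * when the blank-line limit is exceeded.
 */
enum feed_result preamble_feed(struct preamble *p, const char *buf,
                               size_t len, size_t *consumed)
{
    size_t i = 0;
    while (i < len) {
        size_t eol;                      /* length of the terminator at i */
        if (p->pending_cr) {
            p->pending_cr = 0;
            if (buf[i] != '\n') {        /* lone CR: not a blank line */
                *consumed = i;
                return REQUEST_STARTED;
            }
            eol = 1;
        } else if (buf[i] == '\n') {
            eol = 1;
        } else if (buf[i] == '\r') {
            if (i + 1 == len) {          /* CRLF split across two reads */
                p->pending_cr = 1;
                i++;
                break;
            }
            if (buf[i + 1] != '\n') {
                *consumed = i;
                return REQUEST_STARTED;
            }
            eol = 2;
        } else {
            *consumed = i;
            return REQUEST_STARTED;
        }
        if (++p->blank_lines > MAX_BLANK_LINES) {
            *consumed = i;
            return DISCARD;              /* 101st blank line: drop the peer */
        }
        i += eol;
    }
    *consumed = i;
    return NEED_MORE;
}

/* Bytes held for n linefeeds when nothing caps the count, per the advisory. */
unsigned long unbounded_cost(unsigned long linefeeds)
{
    return linefeeds * BYTES_PER_LF;
}

int main(void)
{
    struct preamble p = {0, 0};
    char flood[4096];                    /* constructed input: linefeeds only */
    size_t used = 0;

    memset(flood, '\n', sizeof flood);
    enum feed_result r = preamble_feed(&p, flood, sizeof flood, &used);
    printf("result=%d after %zu bytes, %u blank lines counted\n",
           (int)r, used, p.blank_lines);
    printf("uncapped: 2000000 linefeeds -> %lu bytes held\n",
           unbounded_cost(2000000UL));
    return 0;
}
```

With the advisory's figures each one-byte linefeed costs eighty bytes on the server, so the cap turns an allocation that grows with the traffic into one bounded per connection.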