From owner-freebsd-security@FreeBSD.ORG Sun Aug 5 12:58:56 2007
Date: Sun, 5 Aug 2007 14:58:54 +0200
From: "Simon L. Nielsen"
To: Josh Paetzel
Cc: freebsd-security@freebsd.org, John Freeman
Subject: Re: Fw: FreeBSD Security Advisory FreeBSD-SA-07:07.bind

On 2007.08.05 07:41:44 -0500, Josh Paetzel wrote:
> Simon L. Nielsen wrote:
>
> > RELENG_6 was already fixed 2007-07-25 08:23:08 UTC by dougb, so the
> > patch wasn't tested against RELENG_6 at all but only against the
> > release / security branches. Most of the time the released patches
> > will work against the stable branches, but not always.
>
> This is sort of an unusual situation isn't it, where RELENG_6 is fixed
> prior to the SA being released?

Not really unusual although many advisories have all branches fixed at
the same time. The same happened for FreeBSD-SA-07:02.bind and
FreeBSD-SA-07:03.ipv6, though it was only two days between RELENG_X and
advisory in those cases.

In this case the time between RELENG_X fix and advisory was a bit
longer since dougb was very fast in getting HEAD/RELENG_[56] fixed and
we couldn't get it all ready the week the BIND vulnerability was
announced.

> If so it might have been useful for
> the SA to say something about affecting STABLE before xxxx-xx-xx where
> xxxx-xx-xx is the date that the fix was committed.

It actually already does since it's part of the normal advisory header
information:

[Quoting FreeBSD-SA-07:07.bind]
Corrected:      2007-07-25 08:23:08 UTC (RELENG_6, 6.2-STABLE)
                2007-08-01 20:44:58 UTC (RELENG_6_2, 6.2-RELEASE-p7)
                2007-08-01 20:45:49 UTC (RELENG_6_1, 6.1-RELEASE-p19)
                2007-07-25 08:24:40 UTC (RELENG_5, 5.5-STABLE)
                2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)

--
Simon L. Nielsen
FreeBSD Security Team

From owner-freebsd-security@FreeBSD.ORG Sun Aug 5 13:09:43 2007
Date: Sun, 5 Aug 2007 07:41:44 -0500
From: Josh Paetzel
To: "Simon L. Nielsen"
Cc: freebsd-security@freebsd.org, John Freeman
Subject: Re: Fw: FreeBSD Security Advisory FreeBSD-SA-07:07.bind

Simon L. Nielsen wrote:
> On 2007.08.02 14:21:07 +0400, John Freeman wrote:
> >
> >> John Freeman wrote:
> >>
> >>> Same problem on AMD64 build. I'm too lazy to attach full text, this
> >>> system doesn't use bind and jail.
> >>
> >> What branch are you tracking?
> >
> > After today's cvsup all ok, it solved? Wasn't compile only after patch
> > included in SA.
>
> RELENG_6 was already fixed 2007-07-25 08:23:08 UTC by dougb, so the
> patch wasn't tested against RELENG_6 at all but only against the
> release / security branches. Most of the time the released patches
> will work against the stable branches, but not always.
>
> --
> Simon L. Nielsen
> FreeBSD Security Team

This is sort of an unusual situation isn't it, where RELENG_6 is fixed
prior to the SA being released? If so it might have been useful for
the SA to say something about affecting STABLE before xxxx-xx-xx where
xxxx-xx-xx is the date that the fix was committed.

--
Thanks,

Josh Paetzel

From owner-freebsd-security@FreeBSD.ORG Sun Aug 5 13:58:05 2007
From: "Remko Lodder"
To: freebsd-security@freebsd.org
Date: Sun, 05 Aug 2007 15:57:53 +0200
Subject: Re: [tt #17465] [Comment] FreeBSD Security Advisory FreeBSD-SA-07:06.tcpdump

WebaZilla - Support [kv] wrote:
> Bezruk wrote:
>> This is a comment. It is not sent to the Requestor(s):
>>
>> On Thu Aug 02 18:39:00 2007, kv wrote:
>>> If you're near a computer, please take a look: I brought dhcpd down
>>> on duty, and it refuses to come back up at all. The logs are completely
>>> silent; I suspect it is because of some security issues on this server.
>>>
>> So what happened?
>
> a logic error
>
>
>

So, this is an English text, what was above?

--
Kind regards,
Remko Lodder               ** remko@elvandar.org
FreeBSD                    ** remko@FreeBSD.org

/* Quis custodiet ipsos custodes */

From owner-freebsd-security@FreeBSD.ORG Mon Aug 6 21:23:05 2007
Date: Tue, 7 Aug 2007 00:59:44 +0400 (MSD)
From: "RiNet Security Dept."
To: Remko Lodder
Cc: freebsd-security@freebsd.org
Subject: Re: [tt #17465] [Comment] FreeBSD Security Advisory FreeBSD-SA-07:06.tcpdump

On Sun, 5 Aug 2007, Remko Lodder wrote:

RL> >>> If you're near a computer, please take a look: I brought dhcpd down
RL> >>> on duty, and it refuses to come back up at all. The logs are completely
RL> >>> silent; I suspect it is because of some security issues on this server.
RL> >>>
RL> >> So what happened?
RL> >
RL> > a logic error
RL> >
RL> >
RL> >
RL>
RL> So, this is an English text, what was above?

I suppose it was Russian sysadmins' talk unexpectedly CC:d to -stable.

Quick'n'dirty translation:

- dhcpd has been stopped, but can't start again. Was it a security issue?
  Nothing is in the logs.
- what was wrong?
- logical error

Sincerely,
D.Marck                                     [DM5020, MCK-RIPE, DM3-RIPN]
[ FreeBSD committer:                                 marck@FreeBSD.org ]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------

From owner-freebsd-security@FreeBSD.ORG Fri Aug 10 12:20:01 2007
Date: Fri, 10 Aug 2007 14:01:22 +0200
From: Pawel Jakub Dawidek
To: stef@memberwebs.com
Cc: freebsd-security@freebsd.org, Pieter de Boer
Subject: Re: kern.chroot_allow_open_directories

On Thu, Jul 19, 2007 at 08:34:29PM +0000, Stef Walter wrote:
> Pieter de Boer wrote:
> >> Is this sysctl meant to prevent breaking out of a chroot? Or am I
> >> missing the point of 'kern.chroot_allow_open_directories'?
> >>
> > If the sysctl was set to 0 at the moment chroot() was called, then the
> > chroot() would have failed if the calling process had open directories
> > (that's what the sysctl is meant to do, if I'm understanding the source
> > right). If directories weren't open, the chroot() would work, but the
> > process would obviously not be able to open directories outside the
> > chroot after that, even if you'd set the sysctl to 1.
> >
> > As I see it, there's no problem here, but could be wrong; chroot() is
> > tricky afaik..
>
> Yes, it sure is.
>
> However if a root process inside the chroot jail reset that sysctl,
> after which it seems it could perform the usual break out thingy:
>
> http://www.bpfh.net/simes/computing/chroot-break.html
>
> I guess what I was wondering, is if FreeBSD is in fact immune to this
> attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Superuser running inside chroot(2) has many ways to escape. You basically
gain no additional security in chrooting a process that will continue to
operate with privileges. You should either chroot and drop privileges or
use jail(2).

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
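
The "chroot and drop privileges" sequence recommended in the last message, as an added example that is not part of the original thread: it shows the order of the calls and a check that root cannot be regained afterwards. The function name `confine`, its error codes, the directory `/var/empty` and uid/gid 65534 are assumptions made for illustration.

```c
/* Added example, not from the thread: chroot, then irrevocably drop root. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#endif
#include <sys/types.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical error codes: one per step, so a failure is attributable. */
enum { CONFINE_OK = 0, CONFINE_EARG = -1, CONFINE_ECHDIR = -2,
       CONFINE_ECHROOT = -3, CONFINE_EGROUPS = -4, CONFINE_EGID = -5,
       CONFINE_EUID = -6, CONFINE_ESTILLROOT = -7 };

/*
 * Confine the calling process to `dir`, then switch to an unprivileged
 * uid/gid. Call as root, after closing directory descriptors opened
 * outside `dir` (which kern.chroot_allow_open_directories=0 refuses).
 */
int confine(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)      /* "dropping" to root confines nothing */
        return CONFINE_EARG;
    if (chdir(dir) != 0)           /* enter the new root first ... */
        return CONFINE_ECHDIR;
    if (chroot(".") != 0)          /* ... so the cwd is never outside it */
        return CONFINE_ECHROOT;
    if (chdir("/") != 0)
        return CONFINE_ECHDIR;
    /* Groups and gid can only be changed while still root: uid goes last. */
    if (setgroups(1, &gid) != 0)
        return CONFINE_EGROUPS;
    if (setgid(gid) != 0)
        return CONFINE_EGID;
    if (setuid(uid) != 0)
        return CONFINE_EUID;
    /* The drop must be permanent: regaining uid 0 has to fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return CONFINE_ESTILLROOT;
    return CONFINE_OK;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: /var/empty and uid/gid 65534 are assumptions. */
    int rc = confine(argc > 1 ? argv[1] : "/var/empty", 65534, 65534);
    printf("confine: %d\n", rc);
    return rc == CONFINE_OK ? 0 : 1;
}
```

A non-zero return means the process is not confined as intended and should exit rather than continue serving.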