From owner-freebsd-security@FreeBSD.ORG Mon Jan 18 14:12:28 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 754F9106568B for ; Mon, 18 Jan 2010 14:12:28 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 3967E8FC1B for ; Mon, 18 Jan 2010 14:12:27 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id C298F1FFC22; Mon, 18 Jan 2010 14:12:26 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id B7E078448A; Mon, 18 Jan 2010 15:12:24 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Phil Oleson References: <4B50FF48.2070801@nixil.net> Date: Mon, 18 Jan 2010 15:12:24 +0100 In-Reply-To: <4B50FF48.2070801@nixil.net> (Phil Oleson's message of "Fri, 15 Jan 2010 16:50:32 -0700") Message-ID: <86pr5733jr.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.0.95 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: sendmail 8.14.4 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Jan 2010 14:12:28 -0000 Phil Oleson writes: > [...] a customers PCI scan is reporting this as a problem. I know > many of these scans tend to do version string checks and don't > actually check if the problem is possible to exploit, [...] It's much, much worse: the vulnerability lists used in these tools are usually generated by blindly concatenating the contents of various online vulnerability databases, with little or no quality control. 
Pretty much anyone and his dog can issue an advisory - just write something plausible-sounding and post it on bugtraq, and it will end up in a database somewhere, and eventually trickle down to one or more vulnerability scanners, even if nobody can reproduce it, and before you know it somebody has to make a public statement like this: http://maycontaintracesofbolts.blogspot.com/2008/07/old-history.html although it won't do much good, because the people who write those scanners don't give a shit as long as they get their money and / or fame. It is MHO that most "security experts" associated with "the end of the Internet is nigh, film at 11" press reports are frauds and narcissistic media whores. Unfortunately, journalists don't understand the tech and are too clueless and / or pressed for time to seek confirmation or clarification from reliable sources, so you end up with hagiographies like this: http://www.seattlepi.com/local/373426_insecure04.html Google has ~10k hits for "+Kaminsky +saved +the +Internet". Food for thought. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Wed Jan 20 20:06:55 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 80EC71065670 for ; Wed, 20 Jan 2010 20:06:55 +0000 (UTC) (envelope-from bseklecki@collaborativefusion.com) Received: from mx00.pub.collaborativefusion.com (mx00.pub.collaborativefusion.com [206.210.89.199]) by mx1.freebsd.org (Postfix) with ESMTP id E1F078FC1D for ; Wed, 20 Jan 2010 20:06:54 +0000 (UTC) Received: from [192.168.2.161] (soundwave.ws.pitbpa0.priv.collaborativefusion.com [192.168.2.161]) (SSL: TLSv1/SSLv3,256bits,CAMELLIA256-SHA) by wingspan with esmtp; Wed, 20 Jan 2010 14:56:53 -0500 id 0003F407.000000004B576005.0001141A From: "Brian A. Seklecki" To: freebsd-security@freebsd.org Organization: Collaborative Fusion, Inc. 
Date: Wed, 20 Jan 2010 14:56:52 -0500 Message-Id: <1264017412.18129.38.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=_wingspan-70682-1264017413-0001-2" X-Mailer: Evolution 2.26.3 (2.26.3-1.fc11) X-Mailman-Approved-At: Thu, 21 Jan 2010 02:23:53 +0000 Subject: [Fwd: OpenSSL 1.0.0 beta5 release] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: bseklecki@collaborativefusion.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jan 2010 20:06:55 -0000 This is a MIME-formatted message. If you see this text it means that your E-mail software does not support MIME-formatted messages. --=_wingspan-70682-1264017413-0001-2 Content-Type: text/plain Content-Transfer-Encoding: quoted-printable All: Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as=20 well as with a provision/draft fix for CVE-2009-3555 MITM/Renegotiation Venerability. I suspect we wont have a patch out for RELENG_6_3 by the 31st? =20 But I'm willing to maintain one for another few months. ~BAS -------- Forwarded Message -------- From: OpenSSL Reply-to: openssl-users@openssl.org To: openssl-users@openssl.org, openssl-announce@openssl.org Subject: OpenSSL 1.0.0 beta5 release Date: Wed, 20 Jan 2010 19:19:16 +0100 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.0 Beta 5 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D [..snip...] Since the fourth beta, the following has happened: - Provisional TLS session renegotiation fix - Option to output hash using older algorithm in x509 utility - Compression session handling bug fix - Build system fixes. - Other bug fixes. Reports and patches should be sent to openssl-bugs@openssl.org. [..snip...] 
--=_wingspan-70682-1264017413-0001-2 Content-Type: application/pgp-signature; name="signature.asc" Content-Transfer-Encoding: 7bit Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iEYEABECAAYFAktXYAQACgkQCne6BNDQ+R+M7ACcDjvjWE3h2ey2L1pwoCIb9S/Q uT4Anjq57M5q333l0rqdATTw/piqR6ux =SzGM -----END PGP SIGNATURE----- --=_wingspan-70682-1264017413-0001-2-- From owner-freebsd-security@FreeBSD.ORG Wed Jan 20 20:25:46 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A002B1065670 for ; Wed, 20 Jan 2010 20:25:46 +0000 (UTC) (envelope-from lavalamp@spiritual-machines.org) Received: from mx04.pub.collaborativefusion.com (mx04.pub.collaborativefusion.com [206.210.72.84]) by mx1.freebsd.org (Postfix) with ESMTP id 6FDCB8FC1B for ; Wed, 20 Jan 2010 20:25:46 +0000 (UTC) Received: from [192.168.2.161] ([206.210.89.202]) by mx04.pub.collaborativefusion.com (StrongMail Enterprise 4.1.1.4(4.1.1.4-47689)); Wed, 20 Jan 2010 15:37:18 -0500 X-VirtualServerGroup: Default X-MailingID: 00000::00000::00000::00000::::25 X-SMHeaderMap: mid="X-MailingID" X-Destination-ID: freebsd-security@freebsd.org X-SMFBL: ZnJlZWJzZC1zZWN1cml0eUBmcmVlYnNkLm9yZw== From: "Brian A. 
Seklecki" To: freebsd-security@freebsd.org Content-Type: text/plain Date: Wed, 20 Jan 2010 15:10:38 -0500 Message-Id: <1264018238.18129.46.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com> Mime-Version: 1.0 X-Mailer: Evolution 2.26.3 (2.26.3-1.fc11) Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Thu, 21 Jan 2010 02:37:20 +0000 Subject: [Fwd: OpenSSL 1.0.0 beta5 release] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 20 Jan 2010 20:25:46 -0000 All: Per Daniele Sluijters's inquiry on the 15th,CVE-2009-4355, as well as with a provision/draft fix for CVE-2009-3555 MITM/Renegotiation Venerability. I suspect we wont have a patch out for RELENG_6_3 by the 31st? But I'm willing to maintain one for another few months. ~BAS -------- Forwarded Message -------- From: OpenSSL Reply-to: openssl-users@openssl.org To: openssl-users@openssl.org, openssl-announce@openssl.org Subject: OpenSSL 1.0.0 beta5 release Date: Wed, 20 Jan 2010 19:19:16 +0100 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenSSL version 1.0.0 Beta 5 ============================ [..snip...] Since the fourth beta, the following has happened: - Provisional TLS session renegotiation fix - Option to output hash using older algorithm in x509 utility - Compression session handling bug fix - Build system fixes. - Other bug fixes. Reports and patches should be sent to openssl-bugs@openssl.org. [..snip...] 
From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 08:17:41 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2F1681065693 for ; Fri, 22 Jan 2010 08:17:41 +0000 (UTC) (envelope-from kalin@el.net) Received: from mail.el.net (mail.el.net [74.1.12.120]) by mx1.freebsd.org (Postfix) with ESMTP id C07388FC33 for ; Fri, 22 Jan 2010 08:17:40 +0000 (UTC) Received: (qmail 27920 invoked by uid 1008); 22 Jan 2010 09:06:52 -0000 Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@24.193.246.51) by mail.el.net with ESMTPA; 22 Jan 2010 09:06:52 -0000 Message-ID: <4B5958E2.9010509@el.net> Date: Fri, 22 Jan 2010 02:50:58 -0500 From: kalin m User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Subject: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 08:17:41 -0000 hi all... doing testing with pf... how is it possible that if i have these rules below in pf.conf if i do: telnet that.host.org 25 i get: Trying xx.xx.xx.xx... Connected to that.host.org. Escape character is '^]'. ........... etc ....... pf.conf contetns: tcp_in = "{ www, https }" ftp_in = "{ ftp }" udp = "{ domain, ntp }" ping = "echoreq" set skip on lo scrub in antispoof for eth0 inet block in all pass out all keep state pass proto udp to any port $udp pass inet proto icmp all icmp-type $ping keep state pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state pass proto tcp to any port ssh thanks.... 
From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 09:04:24 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 94DB2106566C for ; Fri, 22 Jan 2010 09:04:24 +0000 (UTC) (envelope-from s4mmael@gmail.com) Received: from mail-fx0-f227.google.com (mail-fx0-f227.google.com [209.85.220.227]) by mx1.freebsd.org (Postfix) with ESMTP id 2BB448FC0A for ; Fri, 22 Jan 2010 09:04:23 +0000 (UTC) Received: by fxm27 with SMTP id 27so182212fxm.3 for ; Fri, 22 Jan 2010 01:04:23 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=xYVfACsZVm8QTQytzZW+QfY+vPtbBGGvaL0/yNzRMJM=; b=W1r4yeaf/MQ0s0tWxPMOPQD5bF0p5x2agDrAInjE0PBWd0MzHfsJBTyihJFZVQWisT MKDOdG4UHjjXV7LC1mdd5BnlhFpZc1t4cwbAGi/x7Xuvu1seVem6EsnjJD18ygdVJBxb hnpOFbZWNl3DhBaohB6zWslb0e9ze7siC7gts= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=rgXOld0e3DiHZo7xYZKeQ4xvPFU5tiTz8F5+G9FvIL+xROSiaaDD2LZhiF7JUVgh+j A9CiZVwShpsEWRCE9oCA93ixzU+PPrUCkxVKKNlVtHxRI+lzrH23gO+JsGoXQB+5o/q2 JYBlxU8vpNmzeLDFaCRrBgcEb4x93D/1I9zzE= MIME-Version: 1.0 Received: by 10.223.4.214 with SMTP id 22mr2586816fas.34.1264149171328; Fri, 22 Jan 2010 00:32:51 -0800 (PST) In-Reply-To: <4B5958E2.9010509@el.net> References: <4B5958E2.9010509@el.net> Date: Fri, 22 Jan 2010 11:32:51 +0300 Message-ID: <6e38aed81001220032p2f4948bftede7862e1d7c7cf7@mail.gmail.com> From: S4mmael To: kalin m Content-Type: text/plain; charset=ISO-8859-1 Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: 
List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 09:04:24 -0000 If I guess your idea right, you should specify direction like this: pass in proto udp to any port $udp "pass proto udp to any port $udp" passes traffic in any direction (ingoing and outgoing). 2010/1/22 kalin m : > > > hi all... > > doing testing with pf... > > how is it possible that if i have these rules below in pf.conf if i do: > telnet that.host.org 25 > > i get: > Trying xx.xx.xx.xx... > Connected to that.host.org. > Escape character is '^]'. > ........... etc ....... > > > pf.conf contetns: > > tcp_in = "{ www, https }" > ftp_in = "{ ftp }" > udp = "{ domain, ntp }" > ping = "echoreq" > > set skip on lo > scrub in > > antispoof for eth0 inet > > block in all > pass out all keep state > pass proto udp to any port $udp > pass inet proto icmp all icmp-type $ping keep state > pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state > pass proto tcp to any port ssh > > > > thanks.... > > > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 09:09:37 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4F2CB106571F for ; Fri, 22 Jan 2010 09:09:37 +0000 (UTC) (envelope-from patpro@patpro.net) Received: from rack.patpro.net (rack.patpro.net [193.30.227.216]) by mx1.freebsd.org (Postfix) with ESMTP id D26208FC1C for ; Fri, 22 Jan 2010 09:09:36 +0000 (UTC) Received: from localhost (localhost [127.0.0.1]) by rack.patpro.net (Postfix) with ESMTP id 066F7181; Fri, 22 Jan 2010 10:09:36 +0100 (CET) X-Virus-Scanned: amavisd-new at patpro.net Received: from amavis-at-patpro.net ([127.0.0.1]) by localhost (rack.patpro.net [127.0.0.1]) 
(amavisd-new, port 10024) with ESMTP id 6WfK4GJi97aG; Fri, 22 Jan 2010 10:09:33 +0100 (CET) Received: from [IPv6:::1] (localhost [127.0.0.1]) by rack.patpro.net (Postfix) with ESMTP; Fri, 22 Jan 2010 10:09:33 +0100 (CET) Message-Id: <04C950BC-79D6-40FF-81CA-75A10A817DE6@patpro.net> From: Patrick Proniewski To: kalin m In-Reply-To: <4B5958E2.9010509@el.net> Content-Type: multipart/signed; boundary=Apple-Mail-2-228846000; micalg=sha1; protocol="application/pkcs7-signature" Mime-Version: 1.0 (Apple Message framework v936) Date: Fri, 22 Jan 2010 10:09:30 +0100 References: <4B5958E2.9010509@el.net> X-Mailer: Apple Mail (2.936) X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 09:09:37 -0000 --Apple-Mail-2-228846000 Content-Type: text/plain; charset=US-ASCII; format=flowed; delsp=yes Content-Transfer-Encoding: 7bit On 22 janv. 10, at 08:50, kalin m wrote: > how is it possible that if i have these rules below in pf.conf if i > do: > telnet that.host.org 25 > > i get: > Trying xx.xx.xx.xx... > Connected to that.host.org. > Escape character is '^]'. > ........... etc ....... quite strange. What does `pfctl -s all` return? 
patpro --Apple-Mail-2-228846000-- From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 09:59:40 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 376851065692 for ; Fri, 22 Jan 2010 09:59:40 +0000 (UTC) (envelope-from lolo@agneau.org) Received: from bergerie.agneau.org (bergerie.agneau.org [88.173.248.15]) by mx1.freebsd.org (Postfix) with ESMTP id EDC1B8FC1A for ; Fri, 22 Jan 2010 09:59:39 +0000 (UTC) Received: by bergerie.agneau.org (Postfix, from userid 500) id 7E55073803; Fri, 22 Jan 2010 10:39:55 +0100 (CET) Date: Fri, 22 Jan 2010 10:39:55 +0100 From: Laurent Frigault To: kalin m Message-ID: <20100122093955.GA44733@obelix.bergerie.agneau.org> References: <4B5958E2.9010509@el.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <4B5958E2.9010509@el.net> X-Powered-By: UUCP User-Agent: Mutt/1.5.20 (2009-06-14) Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 09:59:40 -0000 On Fri, Jan 22, 2010 at 02:50:58AM -0500, kalin m wrote: > doing testing with pf... > > how is it possible that if i have these rules below in pf.conf if i do: > telnet that.host.org 25 > > i get: > Trying xx.xx.xx.xx... > Connected to that.host.org. > Escape character is '^]'. > ........... etc ....... > > > pf.conf contetns: ... > set skip on lo .... You are in a jail and/or that.host.org is a local ip routed via lo0 ? 
-- Laurent Frigault | From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 10:18:20 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DF21D1065676 for ; Fri, 22 Jan 2010 10:18:20 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (gate6.infracaninophile.co.uk [IPv6:2001:8b0:151:1::1]) by mx1.freebsd.org (Postfix) with ESMTP id 3C93A8FC16 for ; Fri, 22 Jan 2010 10:18:20 +0000 (UTC) Received: from happy-idiot-talk.infracaninophile.co.uk (localhost [IPv6:::1]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.4/8.14.3) with ESMTP id o0MAI9Jg005086; Fri, 22 Jan 2010 10:18:10 GMT (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: Sendmail DKIM Filter v2.8.3 smtp.infracaninophile.co.uk o0MAI9Jg005086 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infracaninophile.co.uk; s=201001-infracaninophile; t=1264155490; bh=twppwhr/MCRcfbJAlDWJunxRw213enOyI0qxMNc1Oq4=; h=Message-ID:Date:From:MIME-Version:To:CC:Subject:References: In-Reply-To:Content-Type:Cc:Content-Type:Date:From:In-Reply-To: Message-ID:Mime-Version:References:To; z=Message-ID:=20<4B597B5B.6030802@infracaninophile.co.uk>|Date:=20F ri,=2022=20Jan=202010=2010:18:03=20+0000|From:=20Matthew=20Seaman= 20|Organization:=20Infracaninophi le|User-Agent:=20Thunderbird=202.0.0.23=20(X11/20100114)|MIME-Vers ion:=201.0|To:=20kalin=20m=20|CC:=20freebsd-security @freebsd.org|Subject:=20Re:=20pf=20rules|References:=20<4B5958E2.9 010509@el.net>|In-Reply-To:=20<4B5958E2.9010509@el.net>|X-Enigmail -Version:=200.95.6|Content-Type:=20multipart/signed=3B=20micalg=3D pgp-sha256=3B=0D=0A=20protocol=3D"application/pgp-signature"=3B=0D =0A=20boundary=3D"------------enig90A062888294AAA1D5DD4010"; b=Pki7S61Fdt74zZ2YJbhn3SG4OxWqipK6yRPRoV5g7T3Wb6Up1rUL9TxKD6pVjQzJY ZnGbZMiiRfggfw/Gpz/iy3pWql0JexHHU7Lk+NyiMue7b4oknmQuyDm21miHTmACeM 
3Hqf4kxAQBPyfm3+E7elZe4tDzCNaiyL+B7PAtL0= X-Authentication-Warning: happy-idiot-talk.infracaninophile.co.uk: Host localhost [IPv6:::1] claimed to be happy-idiot-talk.infracaninophile.co.uk Message-ID: <4B597B5B.6030802@infracaninophile.co.uk> Date: Fri, 22 Jan 2010 10:18:03 +0000 From: Matthew Seaman Organization: Infracaninophile User-Agent: Thunderbird 2.0.0.23 (X11/20100114) MIME-Version: 1.0 To: kalin m References: <4B5958E2.9010509@el.net> In-Reply-To: <4B5958E2.9010509@el.net> X-Enigmail-Version: 0.95.6 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="------------enig90A062888294AAA1D5DD4010" X-Virus-Scanned: clamav-milter 0.95.3 at happy-idiot-talk.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.0 required=5.0 tests=AWL,BAYES_00,DKIM_SIGNED, DKIM_VERIFIED,NO_RELAYS,URIBL_BLACK autolearn=no version=3.2.5 X-Spam-Checker-Version: SpamAssassin 3.2.5 (2008-06-10) on happy-idiot-talk.infracaninophile.co.uk Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 10:18:20 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig90A062888294AAA1D5DD4010 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable kalin m wrote: >=20 >=20 > hi all... >=20 > doing testing with pf... >=20 > how is it possible that if i have these rules below in pf.conf if i do:= > telnet that.host.org 25 >=20 > i get: > Trying xx.xx.xx.xx... > Connected to that.host.org. > Escape character is '^]'. > ........... etc ....... 
>=20 >=20 > pf.conf contetns: >=20 > tcp_in =3D "{ www, https }" > ftp_in =3D "{ ftp }" > udp =3D "{ domain, ntp }" > ping =3D "echoreq" >=20 > set skip on lo > scrub in >=20 > antispoof for eth0 inet >=20 > block in all > pass out all keep state > pass proto udp to any port $udp > pass inet proto icmp all icmp-type $ping keep state > pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state > pass proto tcp to any port ssh Did your ruleset actually load into pf? If you run: # pfctl -nf pf.conf then any output indicates a problem with your pf.conf. Also, you can examine the loaded rule set by: # pfctl -sr This is generated from the pf.conf, but with all the list structures expanded into separate rules. You say: "antispoof for eth0 inet" -- this looks a bit dodgy to me: 'eth0' is a linuxism. There's no such network interface driver under FreeBSD, and you should probably replace that with the actual name of the interface out of the list returned by 'ifconfig -l' You don't rea= lly need the 'inet' bit either -- that will be added automatically, as well a= s matching 'inet6' rules if your system is IPv6 capable. Also, your=20 antispoof rules should come /after/ your generic 'block all' rule. Handy hint: it's good practice when writing pf.conf to define a macro with the interface name: $ext_if =3D "em0" and then use that macro liberally in your rules. Hmmm... I suppose pf is actually enabled on your system? You'ld need to put: pf_enable=3D"YES" pflog_enable=3D"YES" into /etc/rc.conf to have it start automatically, or if you want to start= things manually, do: # kldload pf # pfctl -e (but be careful with that if you aren't logged into the console, as you can lock yourself out) Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 
7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate Kent, CT11 9PW --------------enig90A062888294AAA1D5DD4010 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.14 (FreeBSD) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEAREIAAYFAktZe2EACgkQ8Mjk52CukIw/aACfSWoSKDZq4kowGkyeHucVJYJY qXMAoIE4cHa3VIbo8wHmrUlkzV+SOGoi =7QFW -----END PGP SIGNATURE----- --------------enig90A062888294AAA1D5DD4010-- From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 15:35:46 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 97F33106568F for ; Fri, 22 Jan 2010 15:35:46 +0000 (UTC) (envelope-from jmiller@securityfocus.com) Received: from outgoing2.securityfocus.com (outgoing.securityfocus.com [205.206.231.26]) by mx1.freebsd.org (Postfix) with ESMTP id 796CB8FC1B for ; Fri, 22 Jan 2010 15:35:46 +0000 (UTC) Received: from mail.securityfocus.com (mail.securityfocus.com [205.206.231.9]) by outgoing2.securityfocus.com (Postfix) with SMTP id AFBCF143A63 for ; Fri, 22 Jan 2010 08:35:45 -0700 (MST) Received: (qmail 24850 invoked by uid 533); 22 Jan 2010 15:35:45 -0000 Date: Fri, 22 Jan 2010 08:35:45 -0700 From: "Jason V. 
Miller" To: kalin m Message-ID: <20100122153545.GA23548@mail.securityfocus.com> References: <4B5958E2.9010509@el.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Description: Message Content-Disposition: inline In-Reply-To: <4B5958E2.9010509@el.net> User-Agent: Mutt/1.4.1i Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 15:35:46 -0000 Others have already given some good feedback (and asked some good questions), but: > pass out all keep state You're allowing out the initial TCP SYN, and creating a state entry for the connection here. You should be able to make outgoing connections anywhere with this rule. Once a state entry gets created, the state table will match on the traffic for the session, and the rules list won't have to be evaluated. J. -- Jason V. 
Miller From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 16:19:38 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id B7392106566C for ; Fri, 22 Jan 2010 16:19:38 +0000 (UTC) (envelope-from kalin@el.net) Received: from mail.el.net (mail.el.net [74.1.12.120]) by mx1.freebsd.org (Postfix) with ESMTP id 51AEB8FC08 for ; Fri, 22 Jan 2010 16:19:37 +0000 (UTC) Received: (qmail 82242 invoked by uid 1008); 22 Jan 2010 17:35:32 -0000 Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@24.193.246.51) by mail.el.net with ESMTPA; 22 Jan 2010 17:35:32 -0000 Message-ID: <4B59D019.7040409@el.net> Date: Fri, 22 Jan 2010 11:19:37 -0500 From: kalin m User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: S4mmael References: <4B5958E2.9010509@el.net> <6e38aed81001220032p2f4948bftede7862e1d7c7cf7@mail.gmail.com> In-Reply-To: <6e38aed81001220032p2f4948bftede7862e1d7c7cf7@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 16:19:38 -0000 not sure if that would affect smtp. would it? how so? S4mmael wrote: > If I guess your idea right, you should specify direction like this: > pass in proto udp to any port $udp > > "pass proto udp to any port $udp" passes traffic in any direction > (ingoing and outgoing). > > 2010/1/22 kalin m : > >> hi all... >> >> doing testing with pf... >> >> how is it possible that if i have these rules below in pf.conf if i do: >> telnet that.host.org 25 >> >> i get: >> Trying xx.xx.xx.xx... >> Connected to that.host.org. >> Escape character is '^]'. 
>> ........... etc ....... >> >> >> pf.conf contetns: >> >> tcp_in = "{ www, https }" >> ftp_in = "{ ftp }" >> udp = "{ domain, ntp }" >> ping = "echoreq" >> >> set skip on lo >> scrub in >> >> antispoof for eth0 inet >> >> block in all >> pass out all keep state >> pass proto udp to any port $udp >> pass inet proto icmp all icmp-type $ping keep state >> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state >> pass proto tcp to any port ssh >> >> >> >> thanks.... >> >> >> >> _______________________________________________ >> freebsd-security@freebsd.org mailing list >> http://lists.freebsd.org/mailman/listinfo/freebsd-security >> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >> >> From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 16:21:18 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5DF4A106566C for ; Fri, 22 Jan 2010 16:21:18 +0000 (UTC) (envelope-from kalin@el.net) Received: from mail.el.net (mail.el.net [74.1.12.120]) by mx1.freebsd.org (Postfix) with ESMTP id 9D6778FC24 for ; Fri, 22 Jan 2010 16:21:17 +0000 (UTC) Received: (qmail 82488 invoked by uid 1008); 22 Jan 2010 17:37:11 -0000 Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@24.193.246.51) by mail.el.net with ESMTPA; 22 Jan 2010 17:37:11 -0000 Message-ID: <4B59D07C.2020601@el.net> Date: Fri, 22 Jan 2010 11:21:16 -0500 From: kalin m User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812) MIME-Version: 1.0 To: =?ISO-8859-1?Q?R=E9mi_LAURENT?= References: <4B5958E2.9010509@el.net> In-Reply-To: Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 8bit X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: pf rules X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only 
posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Jan 2010 16:21:18 -0000 # pfctl -s rules scrub in all fragment reassemble block drop in on ! bge0 inet from xxx.xxx.xxx.xxx/28 to any block drop in inet from xxx.xxx.xxx.xxx to any block drop in all pass out all flags S/SA keep state pass out inet proto udp from any to any port 33433 >< 33626 keep state pass proto udp from any to any port = domain keep state pass proto udp from any to any port = ntp keep state pass inet proto icmp all icmp-type echoreq keep state pass in inet proto tcp from any to any port = http flags S/FSA synproxy state pass in inet proto tcp from any to any port = https flags S/FSA synproxy state pass proto tcp from any to any port = ssh flags S/SA keep state Rémi LAURENT wrote: > Hi, > > Maybe you can give us the result of a pfctl -s rules because i don't see > how you can have this connection. > >> hi all... >> >> doing testing with pf... >> >> how is it possible that if i have these rules below in pf.conf if i do: >> telnet that.host.org 25 >> >> i get: >> Trying xx.xx.xx.xx... >> Connected to that.host.org. >> Escape character is '^]'. >> ........... etc ....... >> >> >> pf.conf contetns: >> >> tcp_in = "{ www, https }" >> ftp_in = "{ ftp }" >> udp = "{ domain, ntp }" >> ping = "echoreq" >> >> set skip on lo >> scrub in >> >> antispoof for eth0 inet >> >> block in all >> pass out all keep state >> pass proto udp to any port $udp >> pass inet proto icmp all icmp-type $ping keep state >> pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state >> pass proto tcp to any port ssh >> >> >> >> thanks.... 
>>
>>
>>
>> _______________________________________________
>> freebsd-security@freebsd.org mailing list
>> http://lists.freebsd.org/mailman/listinfo/freebsd-security
>> To unsubscribe, send any mail to
>> "freebsd-security-unsubscribe@freebsd.org"
>>
>>
>
>
>

From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 16:22:52 2010
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id F274210656C0 for ; Fri, 22 Jan 2010 16:22:52 +0000 (UTC) (envelope-from kalin@el.net)
Received: from mail.el.net (mail.el.net [74.1.12.120]) by mx1.freebsd.org (Postfix) with ESMTP id 440518FC12 for ; Fri, 22 Jan 2010 16:22:52 +0000 (UTC)
Received: (qmail 82801 invoked by uid 1008); 22 Jan 2010 17:38:46 -0000
Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@24.193.246.51) by mail.el.net with ESMTPA; 22 Jan 2010 17:38:46 -0000
Message-ID: <4B59D0DB.20509@el.net>
Date: Fri, 22 Jan 2010 11:22:51 -0500
From: kalin m
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Patrick Proniewski
References: <4B5958E2.9010509@el.net> <04C950BC-79D6-40FF-81CA-75A10A817DE6@patpro.net>
In-Reply-To: <04C950BC-79D6-40FF-81CA-75A10A817DE6@patpro.net>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 22 Jan 2010 16:22:53 -0000

yea.. all shows a lot... which part would you like to see? i just sent the current rules out to the list...

Patrick Proniewski wrote:
> On 22 janv. 10, at 08:50, kalin m wrote:
>
>> how is it possible that if i have these rules below in pf.conf if i do:
>> telnet that.host.org 25
>>
>> i get:
>> Trying xx.xx.xx.xx...
>> Connected to that.host.org.
>> Escape character is '^]'.
>> ........... etc .......
>
>
> quite strange.
>
> What does `pfctl -s all` return?
>
> patpro

From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 16:23:21 2010
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5F0D210656C3 for ; Fri, 22 Jan 2010 16:23:21 +0000 (UTC) (envelope-from kalin@el.net)
Received: from mail.el.net (mail.el.net [74.1.12.120]) by mx1.freebsd.org (Postfix) with ESMTP id CE2FB8FC17 for ; Fri, 22 Jan 2010 16:23:20 +0000 (UTC)
Received: (qmail 82869 invoked by uid 1008); 22 Jan 2010 17:39:15 -0000
Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@24.193.246.51) by mail.el.net with ESMTPA; 22 Jan 2010 17:39:15 -0000
Message-ID: <4B59D0F7.7000206@el.net>
Date: Fri, 22 Jan 2010 11:23:19 -0500
From: kalin m
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: Laurent Frigault
References: <4B5958E2.9010509@el.net> <20100122093955.GA44733@obelix.bergerie.agneau.org>
In-Reply-To: <20100122093955.GA44733@obelix.bergerie.agneau.org>
Content-Type: text/plain; charset=ISO-8859-15; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 22 Jan 2010 16:23:21 -0000

Laurent Frigault wrote:
> On Fri, Jan 22, 2010 at 02:50:58AM -0500, kalin m wrote:
>
>> doing testing with pf...
>>
>> how is it possible that if i have these rules below in pf.conf if i do:
>> telnet that.host.org 25
>>
>> i get:
>> Trying xx.xx.xx.xx...
>> Connected to that.host.org.
>> Escape character is '^]'.
>> ........... etc .......
>>
>>
>> pf.conf contents:
>>
> ...
>
>> set skip on lo
>>
> ....
>
> You are in a jail and/or that.host.org is a local ip routed via lo0 ?
>
>
no jail...

From owner-freebsd-security@FreeBSD.ORG Fri Jan 22 18:23:47 2010
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1AFC7106566C for ; Fri, 22 Jan 2010 18:23:47 +0000 (UTC) (envelope-from kalin@el.net)
Received: from mail.el.net (mail.el.net [74.1.12.120]) by mx1.freebsd.org (Postfix) with ESMTP id BDDA68FC0C for ; Fri, 22 Jan 2010 18:23:46 +0000 (UTC)
Received: (qmail 97678 invoked by uid 1008); 22 Jan 2010 19:39:41 -0000
Received: from unknown (HELO kalins-macbook-pro.local) (kalin@el.net@74.1.12.115) by mail.el.net with ESMTPA; 22 Jan 2010 19:39:41 -0000
Message-ID: <4B59ED31.10304@el.net>
Date: Fri, 22 Jan 2010 13:23:45 -0500
From: kalin m
User-Agent: Thunderbird 2.0.0.23 (Macintosh/20090812)
MIME-Version: 1.0
To: "Jason V. Miller"
References: <4B5958E2.9010509@el.net> <20100122153545.GA23548@mail.securityfocus.com>
In-Reply-To: <20100122153545.GA23548@mail.securityfocus.com>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
X-Content-Filtered-By: Mailman/MimeDel 2.1.5
Cc: freebsd-security@freebsd.org
Subject: Re: pf rules
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Fri, 22 Jan 2010 18:23:47 -0000

thanks... i was under the impression that if you have everything blocked the initial syn request will be ignored.
it doesn't make sense otherwise....

Jason V. Miller wrote:
> Others have already given some good feedback (and asked some good
> questions), but:
>
>
>> pass out all keep state
>>
>
> You're allowing out the initial TCP SYN, and creating a state entry for the
> connection here. You should be able to make outgoing connections anywhere
> with this rule.
>
> Once a state entry gets created, the state table will match on the traffic
> for the session, and the rules list won't have to be evaluated.
>
> J.
>
>

From owner-freebsd-security@FreeBSD.ORG Sat Jan 23 11:04:45 2010
Return-Path:
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7BCA6106566C for ; Sat, 23 Jan 2010 11:04:45 +0000 (UTC) (envelope-from remko@elvandar.org)
Received: from mailgate.jr-hosting.nl (mailgate.jr-hosting.nl [78.46.126.30]) by mx1.freebsd.org (Postfix) with ESMTP id 3AB968FC16 for ; Sat, 23 Jan 2010 11:04:45 +0000 (UTC)
Received: from websrv01.jr-hosting.nl (websrv01 [78.47.69.233]) by mailgate.jr-hosting.nl (Postfix) with ESMTP id 69B211CC49; Sat, 23 Jan 2010 11:48:07 +0100 (CET)
Received: from a83-163-38-147.adsl.xs4all.nl ([83.163.38.147] helo=[10.0.2.66]) by websrv01.jr-hosting.nl with esmtpsa (TLSv1:AES128-SHA:128) (Exim 4.71 (FreeBSD)) (envelope-from ) id 1NYdXD-000Fli-A7; Sat, 23 Jan 2010 11:48:07 +0100
Mime-Version: 1.0 (Apple Message framework v1077)
Content-Type: text/plain; charset=us-ascii
From: Remko Lodder
In-Reply-To: <1264018238.18129.46.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
Date: Sat, 23 Jan 2010 11:48:06 +0100
Content-Transfer-Encoding: quoted-printable
Message-Id: <4887DC5C-CC18-4CCC-9484-FF5FE91024E0@elvandar.org>
References: <1264018238.18129.46.camel@soundwave.ws.pitbpa0.priv.collaborativefusion.com>
To: Brian A. Seklecki
X-Mailer: Apple Mail (2.1077)
Cc: freebsd-security@freebsd.org
Subject: Re: [Fwd: OpenSSL 1.0.0 beta5 release]
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: ,
X-List-Received-Date: Sat, 23 Jan 2010 11:04:45 -0000

Dear Brian,

I am not sure whether there was a reply yet, but we received the message in good order and had logged this on our agenda. Someone will have a look at this and take appropriate actions.

Best regards,
Remko

On Jan 20, 2010, at 9:10 PM, Brian A. Seklecki wrote:

> All:
>
> Per Daniele Sluijters's inquiry on the 15th, CVE-2009-4355, as
> well as with a provision/draft fix for CVE-2009-3555
> MITM/Renegotiation Vulnerability.
>
> I suspect we won't have a patch out for RELENG_6_3 by the 31st?
> But I'm willing to maintain one for another few months.
>
> ~BAS
>
> -------- Forwarded Message --------
> From: OpenSSL
> Reply-to: openssl-users@openssl.org
> To: openssl-users@openssl.org, openssl-announce@openssl.org
> Subject: OpenSSL 1.0.0 beta5 release
> Date: Wed, 20 Jan 2010 19:19:16 +0100
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> OpenSSL version 1.0.0 Beta 5
> ============================
>
> [..snip...]
>
> Since the fourth beta, the following has happened:
>
> - Provisional TLS session renegotiation fix
> - Option to output hash using older algorithm in x509 utility
> - Compression session handling bug fix
> - Build system fixes.
> - Other bug fixes.
>
> Reports and patches should be sent to openssl-bugs@openssl.org.
>
> [..snip...]
>
>

-- 
/"\   Best regards,             | remko@FreeBSD.org
\ /   Remko Lodder              | remko@EFnet
 X    http://www.evilcoder.org/ |
/ \   ASCII Ribbon Campaign     | Against HTML Mail and News
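A toy model of the pf(4) evaluation behind Jason Miller's answer in the "pf rules" thread above, added here as an example; it is not FreeBSD or pf code and was not posted by anyone in the thread. It encodes the original poster's pf.conf (macros expanded) as rule objects and walks the outbound SYN of `telnet that.host.org 25` and the returning SYN/ACK through pf's last-matching-rule-wins evaluation and its state table, which is where `block in all` stops mattering. The `firewall`/`that.host.org` endpoints, the ephemeral port 50123 and the two `block out ... port smtp` rules are constructed for illustration; the model also goes a step beyond the thread by showing where such a block rule has to sit (after `pass out all`, or marked `quick`) before it takes effect.

```python
"""Toy model of pf(4) evaluation for the 'pf rules' thread above.

Added example, not FreeBSD or pf code.  It models only what the thread
turns on: rule direction (in/out/either), last-matching-rule-wins order,
'quick', the implicit 'keep state' on pass rules, and the fact that a
packet matching an existing state never reaches the ruleset.  Host names,
ports and the two 'block smtp' rules are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                         # "pass" or "block"
    direction: Optional[str] = None     # "in", "out", or None for either
    proto: Optional[str] = None         # "tcp", "udp", "icmp", or None for any
    dports: Optional[Set[int]] = None   # destination ports; None for any
    quick: bool = False                 # stop evaluating on match
    keep_state: bool = True             # pf's default for pass rules
    text: str = ""                      # the pf.conf line, for the trace


@dataclass(frozen=True)
class Packet:
    direction: str                      # "in" or "out" relative to this host
    proto: str
    src: Tuple[str, int]
    dst: Tuple[str, int]


class PfModel:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def _state_key(pkt):
        # The state created by the outbound SYN must also match the SYN/ACK
        # coming back, so key on the unordered endpoint pair.
        return (pkt.proto, tuple(sorted((pkt.src, pkt.dst))))

    @staticmethod
    def _matches(rule, pkt):
        return ((rule.direction is None or rule.direction == pkt.direction)
                and (rule.proto is None or rule.proto == pkt.proto)
                and (rule.dports is None or pkt.dst[1] in rule.dports))

    def filter(self, pkt):
        """Return (verdict, reason) for one packet, updating the state table."""
        if self._state_key(pkt) in self.states:
            return "pass", "state table match; ruleset not evaluated"
        winner = None
        for rule in self.rules:             # last matching rule wins...
            if self._matches(rule, pkt):
                winner = rule
                if rule.quick:              # ...unless that rule is 'quick'
                    break
        if winner is None:
            return "pass", "no rule matched; pf's default is pass"
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._state_key(pkt))
        return winner.action, winner.text


# The original poster's pf.conf with its macros expanded.
OP_RULES = [
    Rule("block", "in", text="block in all"),
    Rule("pass", "out", text="pass out all keep state"),
    Rule("pass", None, "udp", {53, 123}, text="pass proto udp to any port $udp"),
    Rule("pass", None, "icmp", text="pass inet proto icmp all icmp-type $ping keep state"),
    Rule("pass", "in", "tcp", {80, 443},
         text="pass in inet proto tcp to any port $tcp_in flags S/SAF synproxy state"),
    Rule("pass", None, "tcp", {22}, text="pass proto tcp to any port ssh"),
]

# Two constructed ways of saying "no outbound SMTP from this host".
NO_SMTP = Rule("block", "out", "tcp", {25}, text="block out proto tcp to any port smtp")
NO_SMTP_QUICK = Rule("block", "out", "tcp", {25}, quick=True,
                     text="block out quick proto tcp to any port smtp")


def telnet_to_smtp(rules):
    """Verdicts for 'telnet that.host.org 25' run on the filtering host
    itself, as (outbound SYN, inbound SYN/ACK)."""
    pf = PfModel(rules)
    syn = Packet("out", "tcp", ("firewall", 50123), ("that.host.org", 25))
    synack = Packet("in", "tcp", ("that.host.org", 25), ("firewall", 50123))
    return pf.filter(syn), pf.filter(synack)


if __name__ == "__main__":
    variants = [
        ("original ruleset", OP_RULES),
        ("block smtp placed before 'pass out all'", [OP_RULES[0], NO_SMTP] + OP_RULES[1:]),
        ("block smtp quick before 'pass out all'", [OP_RULES[0], NO_SMTP_QUICK] + OP_RULES[1:]),
        ("block smtp placed after 'pass out all'", OP_RULES + [NO_SMTP]),
    ]
    for label, rules in variants:
        print(label)
        for name, (verdict, why) in zip(("SYN out", "SYN/ACK in"), telnet_to_smtp(rules)):
            print(f"  {name:<11}{verdict:<6}{why}")
```

Running it prints the four traces. With the original ruleset the outbound SYN is passed by `pass out all keep state` and the SYN/ACK never touches the ruleset, so `block in all` is irrelevant to the connection, which is exactly what the thread describes. A `block out ... port smtp` rule placed before `pass out all` is overridden by the later match and changes nothing; placing it after, or marking it `quick`, blocks the SYN, and with no state the SYN/ACK then falls to `block in all`.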