From owner-freebsd-announce Mon Oct  8 14: 8:15 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id D2F9237B40D;
        Mon, 8 Oct 2001 14:08:02 -0700 (PDT)
Received: (from kris@localhost)
        by freefall.freebsd.org (8.11.4/8.11.4) id f98L82293106;
        Mon, 8 Oct 2001 14:08:02 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 8 Oct 2001 14:08:02 -0700 (PDT)
Message-Id: <200110082108.f98L82293106@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:61.squid
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:61                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Squid in accelerator-only mode ignores ACLs

Category:       ports
Modules:        squid22, squid23, squid24
Announced:      2001-10-08
Credits:        Paul Nasrat
Affects:        Ports collection prior to the correction date.
Corrected:      2001-07-29 12:29:00 (squid23)
                2001-08-28 16:48:35 2001 UTC (squid24)
FreeBSD only:   NO

I.   Background

The Squid Internet Object Cache is a web proxy/cache.

II.  Problem Description

If squid is configured in acceleration-only mode (http_accel_host is set,
but http_accel_with_proxy is off), then as a result of a bug, access
control lists (ACLs) are ignored.

III. Impact

A remote attacker may use the squid server in order to issue requests to
hosts that are otherwise inaccessible.  Because the squid server processes
these requests as HTTP requests, the attacker cannot send or retrieve
arbitrary data.  However, the attacker could use squid's response to
determine if a particular port is open on a victim host.  Therefore, the
squid server may be used to conduct a port scan.

IV.  Workaround

1) Do not run squid in acceleration-only mode.

2) Deinstall the squid port/package if you have it installed.

V.   Solution

The port squid-2.3_1 and later 2.3 versions, and the port squid-2.4_5 and
later 2.4 versions include fixes for this vulnerability.  The squid-2.3 and
squid-2.2 ports have been deprecated and removed from the ports collection,
and users are advised to upgrade to squid-2.4 as soon as possible.

1) Upgrade your entire ports collection and rebuild the squid port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/squid-2.3_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/squid-2.4_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.3_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/squid-2.4_5.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the procmail port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.  The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD ports collection.

Affected port   Path                                    Revision
- -------------------------------------------------------------------------
squid22         *NOT CORRECTED*
squid23         ports/www/squid23/Makefile              1.78
                ports/www/squid23/distinfo              1.57
squid24         ports/www/squid24/Makefile              1.84
                ports/www/squid24/distinfo              1.61
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO8IVHVUuHi5z0oilAQGK1AP+MZ+Drf7VzdO1O0nr4SIIS8/FGmLYsIha
WsjWUBpmIeQk/c8jjLDMu32yIRoZNSu3F1Alc4XieDznAE8ZjburLMHY9RrQHOOY
WKuBcjjgSpmeB84MVIT0nCOtlI6+cmk7gLflxNYwUY1QKkIff5KrhTRqByJnICW3
+g0WZtpdinE=
=js2W
-----END PGP SIGNATURE-----

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Mon Oct  8 14:10:17 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
        by hub.freebsd.org (Postfix) with ESMTP id 6F16237B414;
        Mon, 8 Oct 2001 14:08:40 -0700 (PDT)
Received: (from kris@localhost)
        by freefall.freebsd.org (8.11.4/8.11.4) id f98L8ec93282;
        Mon, 8 Oct 2001 14:08:40 -0700 (PDT)
        (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 8 Oct 2001 14:08:40 -0700 (PDT)
Message-Id: <200110082108.f98L8ec93282@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:62.uucp
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:62                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          UUCP allows local root exploit

Category:       core
Module:         uucp
Announced:      2001-10-08
Credits:        zen-parse@gmx.net
Affects:        All released versions of FreeBSD 4.x prior to 4.4.
                FreeBSD 4.3-STABLE prior to the correction date.
Corrected:      2001-09-10 20:22:57 UTC (FreeBSD 4.3-STABLE)
                2001-09-10 22:30:28 UTC (RELENG_4_3)
FreeBSD only:   NO

I.   Background

Taylor UUCP is an implementation of the Unix-to-Unix Copy Protocol, a
protocol sometimes used for mail delivery on systems where permanent IP
connectivity to the internet is not available.

II.  Problem Description

The UUCP suite of utilities allows a user-specified configuration file to
be given on the command-line.  This configuration file is incorrectly
processed by the setuid uucp and/or setgid dialer UUCP utilities while
running as the uucp user and/or dialer group, and allows unprivileged local
users to execute arbitrary commands as the uucp user and/or dialer group.

Since the uucp user owns most of the UUCP binaries (this is required for
UUCP to be able to write to its spool directory during normal operation, by
virtue of being setuid) the attacker can replace these binaries with
trojaned versions which execute arbitrary commands as the user which runs
them.  The uustat binary is run as root by default during the daily
maintenance scripts.

All versions of FreeBSD 4.x prior to the correction date including
4.3-RELEASE are vulnerable to this problem, but it was corrected prior to
the release of FreeBSD 4.4-RELEASE.

III. Impact

Unprivileged local users can overwrite the uustat binary, which is executed
as root by the daily system maintenance scripts.  This allows them to
execute arbitrary commands as root the next time the daily maintenance
scripts are run.

IV.  Workaround

One or more of the following:

1) Set the noschg flag on all binaries owned by the uucp user:

# chflags schg /usr/bin/cu /usr/bin/uucp /usr/bin/uuname \
        /usr/bin/uustat /usr/bin/uux /usr/bin/tip /usr/libexec/uucp/uucico \
        /usr/libexec/uucp/uuxqt

2) Remove the above binaries from the system, if UUCP is not in use.

3) Disable the daily UUCP maintenance tasks by adding the following lines
to /etc/periodic.conf:

# 340.uucp
daily_uuclean_enable="NO"                       # Run uuclean.daily

# 410.status-uucp
daily_status_uucp_enable="NO"                   # Check uucp status

# 300.uucp
weekly_uucp_enable="NO"                         # Clean uucp weekly

V.   Solution

We recommend that UUCP be removed entirely from systems containing
untrusted users: to remove UUCP, refer to the directions in section IV
above.  Compiling the UUCP binaries when rebuilding the FreeBSD system can
be prevented by adding the following line to /etc/make.conf:

NOUUCP=true

1) Upgrade your vulnerable FreeBSD system to 4.4-RELEASE, 4.4-STABLE or
the RELENG_4_3 security branch dated after the respective correction dates.

2) To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.3]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:62/uucp.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src
# patch -p < /path/to/patch
# make depend && make all install

3) FreeBSD 4.3-RELEASE systems:

An experimental upgrade package is available for users who wish to provide
testing and feedback on the binary upgrade process.  This package may be
installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on
systems for which source patching is not practical or convenient.  If you
use the upgrade package, feedback (positive or negative) to
security-officer@FreeBSD.org is requested so we can improve the process for
future advisories.

During the installation procedure, backup copies are made of the files
which are replaced by the package.  These backup copies will be reinstalled
if the package is removed, reverting the system to a pre-patched state.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:62/security-patch-uucp-01.62.tgz.asc

Verify the detached PGP signature using your PGP utility.

# pkg_add security-patch-uucp-01.62.tgz

VI.  Correction details

The following is the $FreeBSD$ revision number of the file that was
corrected for the supported branches of FreeBSD.  The $FreeBSD$ revision
number of the installed source can be examined using the ident(1) command.
The patch provided above does not cause these revision numbers to be
updated.

[FreeBSD 4.3-STABLE]
Revision        Path

[RELENG_4_3]
Revision        Path
1.8.4.1         src/gnu/libexec/uucp/cu/Makefile
1.6.4.1         src/gnu/libexec/uucp/uucp/Makefile
1.5.4.1         src/gnu/libexec/uucp/uuname/Makefile
1.5.4.1         src/gnu/libexec/uucp/uustat/Makefile
1.6.4.1         src/gnu/libexec/uucp/uux/Makefile
1.10.8.1        src/usr.bin/tip/tip/Makefile
1.3.2.2.2.1     src/etc/periodic/daily/410.status-uucp

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBO8IU0FUuHi5z0oilAQFE4gP/dqLwzjAk3M5fhtfsENFy0OAlzQA70SG3
IJibpH19KdjcQX53CrLI/wI34JXqCVfiGpw2kLSysL6yfbBI+3Z2YUxPRaxrtoGF
9R4ZcCuuLuE14pCmAtWnLEdXFHVRThJzsLzk2xEZkhYU5hufW3+IqfIMcMNayQbf
BSI5/zAjPG4=
=TBLy
-----END PGP SIGNATURE-----

From owner-freebsd-announce Thu Oct 11 16:10:44 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from vnode.vmunix.com (vnode.vmunix.com [209.112.4.20])
        by hub.freebsd.org (Postfix) with ESMTP id 4AAA437B40A;
        Thu, 11 Oct 2001 13:21:17 -0700 (PDT)
Received: by vnode.vmunix.com (Postfix, from userid 1005)
        id E644D13; Thu, 11 Oct 2001 16:21:15 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1])
        by vnode.vmunix.com (Postfix) with ESMTP id D373A49A16;
        Thu, 11 Oct 2001 16:21:15 -0400 (EDT)
Date: Thu, 11 Oct 2001 16:21:15 -0400 (EDT)
From: Chris Coleman
To: announce@freebsd.org
Subject: FreeBSD CD Subscriptions
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As many of you are already aware, Wind River has indicated that they are
no longer interested in producing FreeBSD CD sets.  To quote them from a
slashdot interview, "Future FreeBSD releases will probably not be produced
or distributed by Wind River."

In answer to this, Daemon News is taking on the responsibility of
producing, supporting, and promoting FreeBSD.  Starting with the release of
FreeBSD 4.5 we will be producing the official 4 CD sets made from the
official FreeBSD project ISOs.  We will work to put FreeBSD boxed sets in
stores and into the hands of our international distributors.

Daemon News is fully committed to the BSD community and has been for three
years.  We have plans to put the revenue from FreeBSD CD sales back into
the FreeBSD project much the same way that Walnut Creek did, by paying
developers to code and promoting FreeBSD at trade shows.
We already have a booth and plans to be at several major conferences.

We are also providing a subscription service to FreeBSD CD sets much like
Walnut Creek did.  If you are a current subscriber of a WC/BSDi/WRS FreeBSD
subscription, you will need to transfer it to Daemon News.  (We have no
affiliation with Wind River.)  Wind River has announced that subscriptions
for FreeBSD 4.4 are being shipped out, so you will need to order a "Next
Release" subscription from Daemon News to receive FreeBSD 4.5 when it comes
out.

You can order current and next release subscriptions here:

http://mall.daemonnews.org/?page=shop/flypage&product_id=1020

The number of subscriptions we receive will directly affect how much we are
able to devote to the FreeBSD project.  So join Daemon News in our
commitment to BSD and transfer your subscription.

Chris Coleman
Editor in Chief
Daemon News
E-Zine          http://www.daemonnews.org
Print Magazine  http://magazine.daemonnews.org
Open Packages   http://www.openpackages.org
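The two advisories in this digest (FreeBSD-SA-01:61 on squid's accelerator-only mode and FreeBSD-SA-01:62 on the UUCP workaround) each describe a condition an administrator can check for on the host. The script below is an added example written for this archive; it is not part of either advisory and not FreeBSD project code. It parses a squid.conf to tell whether squid would run in accelerator-only mode (http_accel_host set and http_accel_with_proxy not "on", the directive names being the squid 2.x ones the advisory quotes), lists uucp-owned files that still lack the schg flag from "ls -lo" output, and confirms that periodic.conf disables the three UUCP tasks from workaround 3). The "ls -lo" column layout (mode, links, owner, group, flags, size, date, name, with "-" in the flags column when no flags are set) is an assumption about FreeBSD's ls; all sample inputs are constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not part of either FreeBSD advisory: defender-side checks
# for the conditions SA-01:61 and SA-01:62 describe.
# Assumptions: squid 2.x directive names (http_accel_host,
# http_accel_with_proxy); FreeBSD "ls -lo" column layout
# (mode links owner group flags size month day time name) with "-" in the
# flags column when no flags are set; periodic.conf uses NAME="VALUE" lines.
# All sample inputs below are constructed.

# --- SA-01:61: is squid.conf in accelerator-only mode? -------------------

# Print the last effective value of directive $2 in squid.conf $1.
squid_directive() {
    sed -e 's/#.*//' "$1" | awk -v d="$2" '$1 == d { v = $2 } END { print v }'
}

# Exit 0 when http_accel_host is set and http_accel_with_proxy is not "on":
# the configuration in which the unfixed squid ports ignored their ACLs.
squid_accel_only_mode() {
    host=$(squid_directive "$1" http_accel_host)
    with_proxy=$(squid_directive "$1" http_accel_with_proxy)
    [ -n "$host" ] && [ "$with_proxy" != "on" ]
}

# --- SA-01:62: is the UUCP workaround in place? --------------------------

# Read "ls -lo" lines on stdin; print every uucp-owned path whose flag
# column lacks schg, i.e. a binary the uucp user could still overwrite.
uucp_files_missing_schg() {
    awk '$3 == "uucp" && $5 !~ /schg/ { print $NF }'
}

# Exit 0 when periodic.conf $1 sets all three UUCP task knobs to NO.
periodic_uucp_disabled() {
    for var in daily_uuclean_enable daily_status_uucp_enable weekly_uucp_enable; do
        val=$(sed -e 's/#.*//' "$1" |
              awk -F= -v n="$var" '$1 == n { x = $2; gsub(/[" \t]/, "", x) } END { print x }')
        [ "$val" = NO ] || return 1
    done
    return 0
}

# --- Constructed sample inputs -------------------------------------------
SQUID_ACCEL=$(mktemp); SQUID_PROXY=$(mktemp); PERIODIC=$(mktemp)
trap 'rm -f "$SQUID_ACCEL" "$SQUID_PROXY" "$PERIODIC"' EXIT

cat > "$SQUID_ACCEL" <<'EOF'
# constructed: reverse proxy in front of an internal web server
http_port 80
http_accel_host www.internal.example
http_accel_port 80
http_accel_with_proxy off
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
EOF

cat > "$SQUID_PROXY" <<'EOF'
# constructed: ordinary forward proxy, no acceleration
http_port 3128
acl localnet src 10.0.0.0/8
http_access allow localnet
http_access deny all
EOF

cat > "$PERIODIC" <<'EOF'
# constructed /etc/periodic.conf after applying workaround 3)
daily_uuclean_enable="NO"       # Run uuclean.daily
daily_status_uucp_enable="NO"   # Check uucp status
weekly_uucp_enable="NO"         # Clean uucp weekly
EOF

# constructed "ls -lo" output: uustat has schg, uux and uucico do not,
# tip is root-owned and therefore out of scope
LS_LO='-r-sr-xr-x  1 uucp  wheel  schg   98304 Apr 20  2001 /usr/bin/uustat
-r-sr-xr-x  1 uucp  wheel  -      86016 Apr 20  2001 /usr/bin/uux
-r-sr-xr-x  1 uucp  wheel  -     131072 Apr 20  2001 /usr/libexec/uucp/uucico
-r-xr-xr-x  1 root  wheel  -      12288 Apr 20  2001 /usr/bin/tip'

report() {
    for f in "$SQUID_ACCEL" "$SQUID_PROXY"; do
        if squid_accel_only_mode "$f"; then
            echo "$f: accelerator-only mode (ACLs ignored by unfixed squid ports)"
        else
            echo "$f: not accelerator-only"
        fi
    done
    echo "uucp-owned files still lacking schg:"
    printf '%s\n' "$LS_LO" | uucp_files_missing_schg
    if periodic_uucp_disabled "$PERIODIC"; then
        echo "periodic UUCP tasks: disabled"
    else
        echo "periodic UUCP tasks: still enabled"
    fi
}
report
```

On a FreeBSD host the same functions run against the real files: `squid_accel_only_mode /usr/local/etc/squid/squid.conf`, `ls -lo /usr/bin/cu /usr/bin/uucp /usr/bin/uuname /usr/bin/uustat /usr/bin/uux /usr/libexec/uucp/uucico /usr/libexec/uucp/uuxqt | uucp_files_missing_schg`, and `periodic_uucp_disabled /etc/periodic.conf`. A positive squid result only means the configuration is the one the advisory warns about; whether the installed port carries the fix is decided by the port revisions in section VI of SA-01:61.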