From owner-freebsd-security Sun Mar 23 20:25:21 2003
Date: Sun, 23 Mar 2003 22:25:17 -0600
From: Josh Paetzel
To: Mark Murray
Cc: security@freebsd.org
Subject: Re: Documentation people needed. FreeBSD/Security clue beneficial.
Message-ID: <20030324042517.GA716@ns1.webwarrior.net>

On Sun, Mar 23, 2003 at 12:18:41AM -0600, Michael Ray wrote:
> On Thu, 20 Mar 2003 20:24:56 +0000, you wrote:
>
> >Hi all
> >
> >In the past, a heartening number of you offered up help in getting
> >security-related documentation going. Some of you submitted stuff,
> >and I asked some to hold off for a while until I could organise
> >things.
> >
> >Now is the time.
> >
> >Please reply to this mail if you are (still) interested in this job.
> >I'm looking for a _small_ team, not an individual. :-)
> >
> >M
>
> I am willing to contribute to this. Is there an outline of what we
> would want to accomplish, etc?
>
> Mike
> --
> http://www.cotse.net
> Privacy Services
> E-Mail, Remailers, Proxy, Usenet, Web-Hosting, and more.
> Full server side control over your e-mail. Your mail, your rules.

I'm interested at the very least. More info on what it all entails would be nice.

Josh

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Mar 24 03:09:46 2003
Date: Mon, 24 Mar 2003 12:09:09 +0100
From: Stijn Hoop
To: Michael Nottebrock
Cc: budsz, FreeBSD-Security
Subject: Re: About *.asc
Message-ID: <20030324110909.GH67203@pcwin002.win.tue.nl>
In-Reply-To: <200303211429.09017.michaelnottebrock@gmx.net>

On Fri, Mar 21, 2003 at 02:29:08PM +0100, Michael Nottebrock wrote:
> On Friday 21 March 2003 09:20, Stijn Hoop wrote:
> > To tell gpg that you trust that this is the key used by the FreeBSD
> > officer:
> >
> > $ gpg --edit-key security-officer@freebsd.org
> >
> > enter 'trust' and then e.g. '4'.
>
> Not quite. What you've just told gpg there is that you trust the owner of the
> key to have an excellent understanding of key signing, and that his signature
> on a key would be as good as your own.

OK, I didn't know that (evidently).

> The basic expression of trust in pgp is signing / locally signing a key.

So you're saying that I should (at least locally) sign all keys that I
*know* belong to a person?

In other words, since it's obviously impractical to have everyone sign
the FreeBSD security officer's key, I should locally sign it to signify
*my* trust in the fact that that key really belongs to the officer?

I'm just trying to make sure I understand here. Thanks for the clarification.

--Stijn

--
In the force if Yoda's so strong, construct a sentence with words in
the proper order then why can't he?

From owner-freebsd-security Mon Mar 24 04:09:01 2003
Date: Mon, 24 Mar 2003 14:07:02 +0200
From: Peter Pentchev
To: Stijn Hoop
Cc: Michael Nottebrock, budsz, FreeBSD-Security
Subject: Re: About *.asc
Message-ID: <20030324120702.GC615@straylight.oblivion.bg>
In-Reply-To: <20030324110909.GH67203@pcwin002.win.tue.nl>

On Mon, Mar 24, 2003 at 12:09:09PM +0100, Stijn Hoop wrote:
> On Fri, Mar 21, 2003 at 02:29:08PM +0100, Michael Nottebrock wrote:
> > On Friday 21 March 2003 09:20, Stijn Hoop wrote:
> > > To tell gpg that you trust that this is the key used by the FreeBSD
> > > officer:
> > >
> > > $ gpg --edit-key security-officer@freebsd.org
> > >
> > > enter 'trust' and then e.g. '4'.
> >
> > Not quite. What you've just told gpg there is that you trust the owner of the
> > key to have an excellent understanding of key signing, and that his signature
> > on a key would be as good as your own.
>
> OK, I didn't know that (evidently).
>
> > The basic expression of trust in pgp is signing / locally signing a key.
>
> So you're saying that I should (at least locally) sign all keys that I
> *know* belong to a person?
>
> In other words, since it's obviously impractical to have everyone sign
> the FreeBSD security officer's key, I should locally sign it to signify
> *my* trust in the fact that that key really belongs to the officer?
>
> I'm just trying to make sure I understand here. Thanks for the clarification.

Basically, yes, but not *all* keys. The basis of PGP's web of trust is
that you sign only a couple of keys that you know belong to people, and
then your PGP software recognizes both those keys *and* keys signed by
those keys, several levels deep, as deep as you configure it.

In fact, you probably need to both sign a key and place your trust on it.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@sbnd.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I've heard that this sentence is a rumor.
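As an added example (mine, not code from this thread or from GnuPG), here is a small Python model of the validity rule Michael and Peter describe: `trust` in `gpg --edit-key` sets owner trust, which only matters once a key is already valid, while signing or locally signing is the certification that makes a key valid in the first place. The key names ("me", "friend0", "release-engineer") are constructed, and the thresholds mirror GnuPG's documented classic-model defaults (completes-needed 1, marginals-needed 3, max-cert-depth 5).

```python
"""Toy model of the GnuPG web of trust (constructed example, not GnuPG code).
Two separate inputs decide whether a key is *valid* (believed to belong to
its owner): certifications (who signed which key, via sign-key/lsign-key)
and owner trust (how far you trust a key's owner to certify *other* keys,
which is what `trust` inside `gpg --edit-key` sets). Thresholds mirror
GnuPG's classic defaults: one fully trusted signer or three marginally
trusted signers validate a key, followed up to max-cert-depth levels."""
from dataclasses import dataclass, field

ULTIMATE, FULL, MARGINAL = "ultimate", "full", "marginal"


@dataclass
class Keyring:
    sigs: dict = field(default_factory=dict)        # key -> set of signer keys
    ownertrust: dict = field(default_factory=dict)  # key -> trust level
    completes_needed: int = 1
    marginals_needed: int = 3
    max_cert_depth: int = 5

    def sign(self, signer, key):
        """Record a certification. A local signature (lsign) counts the same
        for our own validity computation; it just is never exported."""
        self.sigs.setdefault(key, set()).add(signer)

    def set_trust(self, key, level):
        """Owner trust only matters once `key` itself is valid."""
        self.ownertrust[key] = level

    def valid_keys(self):
        """Return {key: depth} for every key the model considers valid,
        walking outward from ultimately trusted (our own) keys."""
        valid = {k: 0 for k, t in self.ownertrust.items() if t == ULTIMATE}
        for depth in range(1, self.max_cert_depth + 1):
            found = {}
            for key, signers in self.sigs.items():
                if key in valid:
                    continue
                full = sum(1 for s in signers if s in valid
                           and self.ownertrust.get(s) in (ULTIMATE, FULL))
                marg = sum(1 for s in signers if s in valid
                           and self.ownertrust.get(s) == MARGINAL)
                if full >= self.completes_needed or marg >= self.marginals_needed:
                    found[key] = depth
            if not found:
                break
            valid.update(found)
        return valid

    def is_valid(self, key):
        return key in self.valid_keys()


SO = "security-officer@freebsd.org"  # stands in for the real SO key


def trust_only():
    """Stijn's first attempt: import the SO key and set trust to 4 (full)
    without signing it. Nothing certifies the key, so it stays invalid."""
    kr = Keyring()
    kr.set_trust("me", ULTIMATE)
    kr.set_trust(SO, FULL)
    return kr.is_valid(SO)


def lsign_only():
    """Signing alone (gpg --lsign-key) validates the SO key, but with no
    owner trust a constructed key that only the SO key signed stays invalid."""
    kr = Keyring()
    kr.set_trust("me", ULTIMATE)
    kr.sign("me", SO)
    kr.sign(SO, "release-engineer")
    return kr.is_valid(SO), kr.is_valid("release-engineer")


def lsign_and_trust():
    """Peter's 'both sign and trust': now the SO key is valid *and* keys it
    certified are accepted too."""
    kr = Keyring()
    kr.set_trust("me", ULTIMATE)
    kr.sign("me", SO)                # lsign
    kr.set_trust(SO, FULL)           # trust -> 4
    kr.sign(SO, "release-engineer")
    return kr.is_valid(SO), kr.is_valid("release-engineer")


def marginal_path(n_signers):
    """Several levels deep: I sign n keys I know and trust them marginally;
    together they certify the SO key. Three marginals suffice, two do not."""
    kr = Keyring()
    kr.set_trust("me", ULTIMATE)
    for i in range(n_signers):
        friend = f"friend{i}"
        kr.sign("me", friend)
        kr.set_trust(friend, MARGINAL)
        kr.sign(friend, SO)
    return kr.is_valid(SO)
```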
From owner-freebsd-security Mon Mar 24 07:14:14 2003
Date: Mon, 24 Mar 2003 09:14:10 -0600
From: "Jacques A. Vidrine"
To: twig les
Cc: freebsd-security@freebsd.org
Subject: Re: another TCPDump update question
Message-ID: <20030324151410.GE94153@madman.celabo.org>
In-Reply-To: <20030311231326.82217.qmail@web10107.mail.yahoo.com>

On Tue, Mar 11, 2003 at 03:13:26PM -0800, twig les wrote:
> The reason this ties into freebsd-security and not -questions is
> I'm still waiting for official word on a patch/upgrade procedure
> from the team. Am I being impatient here or did I miss
> something? I checked back over security-notifications and saw
> nothing.

You didn't miss anything. There won't be a security advisory for this
issue.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Mar 24 07:30:27 2003
Date: Mon, 24 Mar 2003 09:30:21 -0600
From: D J Hawkey Jr
To: "Jacques A. Vidrine"
Cc: twig les, freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question
Message-ID: <20030324093021.A8296@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: <20030324151410.GE94153@madman.celabo.org>

On Mar 24, at 09:14 AM, Jacques A. Vidrine wrote:
>
> On Tue, Mar 11, 2003 at 03:13:26PM -0800, twig les wrote:
> > The reason this ties into freebsd-security and not -questions is
> > I'm still waiting for official word on a patch/upgrade procedure
> > from the team. Am I being impatient here or did I miss
> > something? I checked back over security-notifications and saw
> > nothing.
>
> You didn't miss anything. There won't be a security advisory for this
> issue.

No?

Without insulting anyone, may I ask why not? tcpdump is included in the
base/standard OS, after all, and so is libpcap, which appears to be related.

IIRC, there have been SAs for DOS vulnerabilities before. What or where
is the line for what is or is not eligible for a SA?

> Cheers,
> Jacques A. Vidrine http://www.celabo.org/

Thanks,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Mon Mar 24 08:00:38 2003
Date: Mon, 24 Mar 2003 10:00:20 -0600
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
Cc: twig les, freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question
Message-ID: <20030324160020.GA1911@madman.celabo.org>
In-Reply-To: <20030324093021.A8296@sheol.localdomain>

On Mon, Mar 24, 2003 at 09:30:21AM -0600, D J Hawkey Jr wrote:
> On Mar 24, at 09:14 AM, Jacques A. Vidrine wrote:
> > You didn't miss anything. There won't be a security advisory for this
> > issue.
>
> No?
>
> Without insulting anyone, may I ask why not? tcpdump is included in the
> base/standard OS, after all, and so is libpcap, which appears to be related.
>
> IIRC, there have been SAs for DOS vulnerabilities before. What or where
> is the line for what is or is not eligible for a SA?

Well, there are no hard-n-fast rules. It's a judgement call. We
generally limit SAs to those issues that we deem `important', so as
not to devalue them. (cf. The Boy Who Cried Wolf)

You're right: there have been SAs for remote DoSs before. In this
case, both the circumstances that could lead to this remote DoS, and
especially the impact of the bug are so minimal as to not be worth
updating your system.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Mar 24 09:02:29 2003
Date: Mon, 24 Mar 2003 11:02:22 -0600
From: D J Hawkey Jr
To: "Jacques A. Vidrine"
Cc: twig les, freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question (going slightly off-topic)
Message-ID: <20030324110222.A8625@sheol.localdomain>
Reply-To: hawkeyd@visi.com
In-Reply-To: <20030324160020.GA1911@madman.celabo.org>

On Mar 24, at 10:00 AM, Jacques A. Vidrine wrote:
>
> On Mon, Mar 24, 2003 at 09:30:21AM -0600, D J Hawkey Jr wrote:
> > On Mar 24, at 09:14 AM, Jacques A. Vidrine wrote:
> > > You didn't miss anything. There won't be a security advisory for this
> > > issue.
> >
> > No?
> >
> > Without insulting anyone, may I ask why not? tcpdump is included in the
> > base/standard OS, after all, and so is libpcap, which appears to be related.
> >
> > IIRC, there have been SAs for DOS vulnerabilities before. What or where
> > is the line for what is or is not eligible for a SA?
>
> Well, there are no hard-n-fast rules. It's a judgement call. We
> generally limit SAs to those issues that we deem `important', so as
> not to devalue them. (cf. The Boy Who Cried Wolf)

I can appreciate this, yes. Might it not be worth a SN, though?

> You're right: there have been SAs for remote DoSs before. In this
> case, both the circumstances that could lead to this remote DoS, and
> especially the impact of the bug are so minimal as to not be worth
> updating your system.

I'll defer to your judgement on this; I don't know how easy this hole
is to exploit. But if you'll indulge me, I'm thinking of a larger picture
that this might illustrate:

www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump.
They don't say a vulnerability was in libpcap, but if so, a quick scan
of userland shows that pppd is linked to libpcap. By inference, I would
think kernel-mode PPP falls in line with this, too. Now, there's a
rather big "if" here, but if true, would this then qualify as worthy
of a SA? As an aside, isn't BPF also tied to libpcap?

I guess what my bigger concern is, is how much should a diligent SysAdmin
have to scan external entities to be up on vulnerabilities of utilities
that are part of the base/standard OS? My gut feeling is, "None, The
Project should inform the user base.", but that may be too high a bar
for what is essentially a for-free product.

If my feeling is wrong, then I have to wonder if these utilities that
are not "truly BSD" shouldn't be in the ports collection, and removed
from the base?

Having said all this, I do in fact applaud you and your team for what
you do provide, considering it's all done gratis.

> Cheers,
> Jacques A. Vidrine http://www.celabo.org/

Thanks for listening,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Mon Mar 24 10:20:19 2003
Date: Mon, 24 Mar 2003 12:19:44 -0600
From: "Jacques A. Vidrine"
To: Stijn Hoop
Cc: Michael Nottebrock, budsz, FreeBSD-Security
Subject: Re: About *.asc
Message-ID: <20030324181944.GG1911@madman.celabo.org>
In-Reply-To: <20030324110909.GH67203@pcwin002.win.tue.nl>

On Mon, Mar 24, 2003 at 12:09:09PM +0100, Stijn Hoop wrote:
> So you're saying that I should (at least locally) sign all keys that I
> *know* belong to a person?

Yes. If you *know* it belongs to whoever, which you can only know if
you got the fingerprint from them in person.

> In other words, since it's obviously impractical to have everyone sign
> the FreeBSD security officer's key, I should locally sign it to signify
> *my* trust in the fact that that key really belongs to the officer?

Right. You want to _locally_ sign it, because you are not prepared to
certify to everyone else in the world that you *know* it is the
security officer key.

> I'm just trying to make sure I understand here. Thanks for the clarification.

By the way, you may find fun, and it may help you figure out what
keys you'd need to import to produce a real trust path to the SO key.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Mar 24 10:44:36 2003
Date: Mon, 24 Mar 2003 12:44:28 -0600
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
Cc: twig les, freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question (going slightly off-topic)
Message-ID: <20030324184428.GH1911@madman.celabo.org>
In-Reply-To: <20030324110222.A8625@sheol.localdomain>

On Mon, Mar 24, 2003 at 11:02:22AM -0600, D J Hawkey Jr wrote:
> On Mar 24, at 10:00 AM, Jacques A. Vidrine wrote:
> > Well, there are no hard-n-fast rules. It's a judgement call. We
> > generally limit SAs to those issues that we deem `important', so as
> > not to devalue them. (cf. The Boy Who Cried Wolf)
>
> I can appreciate this, yes. Might it not be worth a SN, though?

Perhaps so. We (so-team) need to get back in the habit of issuing SNs.

> > You're right: there have been SAs for remote DoSs before. In this
> > case, both the circumstances that could lead to this remote DoS, and
> > especially the impact of the bug are so minimal as to not be worth
> > updating your system.
>
> I'll defer to your judgement on this; I don't know how easy this hole
> is to exploit. But if you'll indulge me, I'm thinking of a larger picture
> that this might illustrate:

OK, I'll indulge you :-) I don't want to say, ``just trust us'' --- we
make mistakes. However, we did already do this same sort of analysis.

> www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump.
> They don't say a vulnerability was in libpcap, but if so, a quick scan
> of userland shows that pppd is linked to libpcap. By inference, I would
> think kernel-mode PPP falls in line with this, too. Now, there's a
> rather big "if" here, but if true, would this then qualify as worthy
> of a SA? As an aside, isn't BPF also tied to libpcap?

The `if' is indeed big. The assumptions in the above paragraph
don't hold:
(1) The vulnerability was in a tcpdump printer, not libpcap.
(2) While pppd does indeed use libpcap to implement packet filtering,
kernel-mode PPP most certainly does not.
(3) libpcap's live-capture mode is implemented on top of bpf, not the
other way 'round.

> I guess what my bigger concern is, is how much should a diligent SysAdmin
> have to scan external entities to be up on vulnerabilities of utilities
> that are part of the base/standard OS? My gut feeling is, "None, The
> Project should inform the user base.", but that may be too high a bar
> for what is essentially a for-free product.

Well, that is a goal, actually. I will freely admit that we are falling
short of that goal in the ports area right now, but I do not expect
that to be a permanent situation.

But as for this issue ... I honestly do not think it is important to
any FreeBSD user. The only possible exception might be someone
deploying tcpdump or tcpdump code fragments as part of an intrusion
detection system (seems unlikely).

Remember guys, we're talking about a command-line utility going into
an infinite loop. No crashes. No code execution. No nothing, it
just sits there printing to stdout.

> If my feeling is wrong, then
> I have to wonder if these utilities that are not "truly BSD" shouldn't
> be in the ports collection, and removed from the base?

Your feeling may be wrong in only one way: you seem to be assuming
that the tcpdump issue did not get treatment. We got early
notification, we looked at the bug, we looked at the fix, we analyzed
the impact, and we decided that it was not an issue. It got fixed in
-CURRENT, it got fixed in -STABLE (and for 4.8-RELEASE), but we do not
believe that a security advisory was needed nor that it was a fix that
should be incorporated into the security branches. i.e. the issue got
handled with as much thoroughness as any issue that affects the base
system does.

You probably don't realize that there are many judgement calls such as
this one that must be made every month. We invest a lot of time in
each.

> Having said all this, I do in fact applaud you and your team for what
> you do provide, considering it's all done gratis.

Thanks! We do appreciate feedback about what should and should not be
considered for security advisories and the security branches. We rely
on that feedback to make future decisions. In this case, I still think
the right decision was made.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Mar 24 11:19:16 2003
Date: Mon, 24 Mar 2003 13:19:07 -0600
From: D J Hawkey Jr
To: "Jacques A. Vidrine"
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: another TCPDump update question (going slightly off-topic)
Reply-To: hawkeyd@visi.com

On Mar 24, at 12:44 PM, Jacques A. Vidrine wrote:
>
> On Mon, Mar 24, 2003 at 11:02:22AM -0600, D J Hawkey Jr wrote:
> >
> > www.tcpdump.org shows a new libpcap "to go with" the updated tcpdump.
> > They don't say a vulnerability was in libpcap, but if so, a quick scan
> > of userland shows that pppd is linked to libpcap. By inference, I would
> > think kernel-mode PPP falls in line with this, too. Now, there's a
> > rather big "if" here, but if true, would this then qualify as worthy
> > of a SA? As an aside, isn't BPF also tied to libpcap?
>
> The `if' is indeed big. The assumptions in the above paragraph
> don't hold:
> (1) The vulnerability was in a tcpdump printer, not libpcap.
> (2) While pppd does indeed use libpcap to implement packet filtering,
> kernel-mode PPP most certainly does not.
> (3) libpcap's live-capture mode is implemented on top of bpf, not the
> other way 'round.

I stand corrected. Thanks.

> But as for this issue ... I honestly do not think it is important to
> any FreeBSD user. The only possible exception might be someone
> deploying tcpdump or tcpdump code fragments as part of an intrusion
> detection system (seems unlikely).
>
> Remember guys, we're talking about a command-line utility going into
> an infinite loop. No crashes. No code execution. No nothing, it
> just sits there printing to stdout.

OK, I picked a bad example to illustrate my "bigger concern", as this
issue isn't a security issue. My bad.

> > If my feeling is wrong...
>
> Your feeling may be wrong in only one way: you seem to be assuming
> that the tcpdump issue did not get treatment...
>
> i.e. the issue got handled with as much thoroughness as any issue that
> affects the base system does...

Oh, no, no... I didn't mean to imply that you blithely dismissed the
vulnerability out of hand. I know you're better than that.

Thanks again. I'll go away now.

Dave
--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Mon Mar 24 14:19:01 2003
Subject: Re: Documentation people needed. FreeBSD/Security clue beneficial.
From: Chris Bowlby
Reply-To: excalibur@hub.org
To: Nicholas Esborn
Cc: Mark Murray, security@FreeBSD.ORG
Organization: Hub.Org Networking Services
Date: 21 Mar 2003 15:22:46 -0400

On Fri, 2003-03-21 at 14:45, Nicholas Esborn wrote:

If no location has yet been given for it, I'd be willing to offer space
on my extremefreebsd.org site. It's still in the works, so it's easy to
add new areas to it; it's also offline at the moment as I'm upgrading
databases to 7.3, which should be done by tomorrow, so please have a look
then if you want to.

> Hello,
>
> I'd be happy to contribute. Are there existing specific needs at the
> moment?
>
> -nick
>
> On Thu, Mar 20, 2003 at 08:24:56PM +0000, Mark Murray wrote:
> > Hi all
> >
> > In the past, a heartening number of you offered up help in getting
> > security-related documentation going. Some of you submitted stuff,
> > and I asked some to hold off for a while until I could organise
> > things.
> >
> > Now is the time.
> >
> > Please reply to this mail if you are (still) interested in this job.
> > I'm looking for a _small_ team, not an individual. :-)
> >
> > M
> > --
> > Mark Murray
> > iumop ap!sdn w,I idlaH

--
Chris Bowlby
Hub.Org Networking Services

From owner-freebsd-security Tue Mar 25 10:09:02 2003
Date: Tue, 25 Mar 2003 19:09:01 +0100
From: GiZmen
To: freebsd-security@FreeBSD.ORG
Subject: portsentry vs snort

Hi everyone,

Can anybody write something about these two IDS?
I don't know which one is better for FreeBSD 5.0.
I've read something about these programs and I don't know which to choose
on my FreeBSD box.
I heard that Snort is the recommended software for FBSD; is that true?

Thanks for any suggestions.

--
Best Regards:
  GiZmen

From owner-freebsd-security Tue Mar 25 10:23:34 2003
Date: Tue, 25 Mar 2003 13:23:23 -0500 (EST)
From: "Nigel Houghton"
Reply-To: nigel.houghton@sourcefire.com
To: GiZmen
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: portsentry vs snort

Apples and oranges :)

In brief:

Portsentry listens for connections on various ports and can respond to
portscanning attempts.

Snort is a lightweight IDS that you can use to detect miscreant behaviour
directed at your network.

Both will generate logs for your perusal.

-------------------------------------------------------------
Nigel Houghton   Security Engineer   Sourcefire Inc.

I believe you said:
:Hi everyone,
:
:Can anybody write something about these two IDS?
:I don't know which one is better for FreeBSD 5.0.
:I've read something about these programs and I don't know which to choose
:on my FreeBSD box.
:I heard that Snort is the recommended software for FBSD; is that true?
:
:Thanks for any suggestions.
:
:--
:Best Regards:
:  GiZmen

From owner-freebsd-security Tue Mar 25 11:01:34 2003
Date: Tue, 25 Mar 2003 20:01:31 +0100
From: GiZmen
To: freebsd-security@FreeBSD.ORG
Subject: Re: your mail

> > > Apples and oranges :)
> > >
> > > In brief:
> > >
> > > Portsentry listens for connections on various ports and can respond to
> > > portscanning attempts.
> > >
> > > Snort is a lightweight IDS that you can use to detect miscreant behaviour
> > > directed at your network.
> > >
> > > Both will generate logs for your perusal.
> ---end quoted text---

Hmm, thanks. So is it good to have both of these programs on my box?

Can you tell me what other programs you recommend to improve the security
of my box? Maybe you know some articles about that.

thx
--
Best Regards:
  GiZmen

From owner-freebsd-security Tue Mar 25 11:18:36 2003
Date: Tue, 25 Mar 2003 14:18:24 -0500 (EST)
From: "Nigel Houghton"
Reply-To: nigel.houghton@sourcefire.com
To: GiZmen
Cc: "freebsd-security@FreeBSD.ORG"
Subject: Re: your mail

First URL is getting old, but is still pretty valid with useful links on
the bottom:

http://people.freebsd.org/~jkb/howto.html

The best place to start with Snort:

http://www.snort.org/docs/

I don't see a real need for portsentry if you are using Snort. Kris
mentioned Snort reacting to portscans in his mail; you need to look at
enabling flexresponse if you want to do that. There are *many* add-ons
available for Snort, check out the Snort web site for details.

You might want to enable ipfw (or some firewall of your choice) and employ
the judicious use of rules. Use Snort to monitor the network. The thing
is, it really all depends on your setup: do you use a single host or do
you have a small home network, do you serve up web sites or run a mail
server, do you require remote access to your hosts or local only? All
these things (and many others) have an impact on what you should be
looking at to secure your environment.

My advice would be to think about what you want to achieve, write down
everything you want to do and explore solutions. Google is your friend.

I believe you said:
:> ---end quoted text---
:
: Hmm, thanks. So is it good to have both of these programs on my box?
:
: Can you tell me what other programs you recommend to improve the security
: of my box? Maybe you know some articles about that.
:
: thx
:
: --
: Best Regards:
:   GiZmen

From owner-freebsd-security Tue Mar 25 11:46:21 2003
Date: Tue, 25 Mar 2003 13:46:14 -0600
From: D J Hawkey Jr
To: nigel.houghton@sourcefire.com
Cc: GiZmen, "freebsd-security@FreeBSD.ORG"
Subject: Re: your mail
Reply-To: hawkeyd@visi.com

On Mar 25, at 02:18 PM, Nigel Houghton wrote:
>
> You might want to enable ipfw (or some firewall of your choice) and employ
> the judicious use of rules. Use Snort to monitor the network. The thing
> is, it really all depends on your setup, do you use a single host or do
> you have a small home network, do you serve up web sites or run a mail
> server, do you require remote access to your hosts or local only? All
> these things (and many others) have an impact on what you should be
> looking at to secure your environment.

"Might want to enable [a firewall]..." ?!

IMHO, you _must_ employ a firewall! The 'net is not the friendly, trusted,
and scholastic environment it once was. Even Microsquish(tm) put one in
XP Home Edition; if _they_ think it must be done, well... ;-,

I filter outgoing packets too, and I know others that do as well, but
maybe we're just over-zealous.

You might want to look at Tripwire. It's not necessarily "light-weight",
but it's good.

Mail filters are a must now, if you ask me. Spam accounts for the majority
of incoming mail anymore in an unfiltered environment.

Don't use NFS or Samba on a public interface. That just begs for trouble.
Ditto FTP and telnet. Use SSH, and keep the allowable hosts lists short
and trustable.

> My advice would be to think about what you want to achieve, write down
> everything you want to do and explore solutions. Google is your friend.

Yes, planning is everything. "Measure twice, and cut once."

Think about a DMZ if you're going to advertise public web, mail, etc.,
servers.

These opinions are not of my employers', as I currently don't have one.

Dave
--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security Tue Mar 25 12:55:58 2003
Date: Tue, 25 Mar 2003 12:55:52 -0800 (PST)
From: ". ."
Subject: Ident in a jailed environment (continued)
To: freebsd-stable@freebsd.org
Cc: freebsd-security@freebsd.org

Sorry for the cross-post. I have seen this issue in both lists and just
want to make sure it gets through to the proper people. I have sent this
request to the -stable list before; I'm just reopening the issue:

Hey. Ident under -stable doesn't work correctly. This has been discussed
before and is fixed in 5.0, but I'm not sure if I want to use 5.0 on a
production server. I applied a patch that was made by Robert Watson that
was submitted in 2001 for 4.3 (I believe). It applies but still doesn't
work. I have pasted the patch below. Does anyone have any other
suggestions or a hack to get ident to work inside a 4.7 jail?

I have also patched tcp6_subr.c and udp_subr.c. I am just wanting to get
ident working, which is IPv4 TCP port 113. I've applied all the patches I
could find (this one) and still nothing. The u_cansee code is no longer
in 4.x so I can't put that in. I have tried built-in auth, ident2,
oidentd. None of them return correctly.

Any ideas?

Thanks,
Kevin Bockman

Index: tcp_subr.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/tcp_subr.c,v retrieving revision 1.73.2.22 diff -u -r1.73.2.22 tcp_subr.c --- tcp_subr.c 22 Aug 2001 00:59:12 -0000 1.73.2.22 +++ tcp_subr.c 7 Dec 2001 16:56:23 -0000
@@ -910,7 +910,7 @@ struct inpcb *inp; int error, s; - error = suser(req->p); + error = suser_xxx(NULL, req->p, PRISON_ROOT); if (error) return (error); error = SYSCTL_IN(req, addrs, sizeof(addrs));

From owner-freebsd-security@FreeBSD.ORG Tue Mar 25 18:00:13 2003
Date: Wed, 26 Mar 2003 00:00:09 -0200
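Review bot: the hunk relaxes this sysctl handler's privilege check from suser(req->p) to suser_xxx(NULL, req->p, PRISON_ROOT), so root inside a jail now gets past it, but nothing in the visible lines narrows the lookup that follows SYSCTL_IN(req, addrs, sizeof(addrs)) to that jail's own addresses; the patch should either show that scoping in the same hunk or its description should state why host-wide results are acceptable for a jailed caller. Separately, the hunk is against tcp_subr.c revision 1.73.2.22 from 2001 and the poster reports it applies on 4.7 yet ident still fails, which suggests this permission check is not what blocks the query; confirming that identd's lookup actually reaches this handler, and which call returns the error, would be more useful than repeating the same substitution in tcp6_subr.c and udp_subr.c.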
From: trabunix
To: freebsd-security
Subject: Cryptography Library for C/C++

I need to use a cryptography library extension for C/C++ and I'd like to
know if anyone can tell me which one in the ports collection is better (the
most complete and "easy" to use).
Is there any way to use MIRACL on FreeBSD (and how)?

From owner-freebsd-security@FreeBSD.ORG Tue Mar 25 20:45:01 2003
From: Chris BeHanna
Organization: Western Pennsylvania Pizza Disposal Unit
To: security@freebsd.org
Date: Tue, 25 Mar 2003 23:45:15 -0500
Subject: Re: Cryptography Library for C/C++

On Tuesday 25 March 2003 09:00 pm, trabunix wrote:
> I need to use a cryptography library extension for C/C++ and I'd like to
> know if anyone can tell me which one in the ports collection is better (the most
> complete and "easy" to use). Is there any way to use MIRACL on FreeBSD (and
> how)?

Have you looked at /usr/ports/security/cryptopp (Crypto++)?

--
Chris BeHanna
Software Engineer                      (Remove "bogus" before responding.)
behanna@bogus.zbzoom.net
Turning coffee into software since 1990.
From owner-freebsd-security@FreeBSD.ORG Tue Mar 25 22:11:53 2003
Date: Tue, 25 Mar 2003 22:11:46 -0800 (PST)
From: "Jeremy C. Reed"
To: freebsd-security@FREEBSD.ORG
Subject: what actually uses xdr_mem.c?

In regards to FreeBSD-SA-03:05.xdr, does anyone know which static binaries
or tools under /bin or /sbin actually use that problem code?

The recent XDR fix changes the xdrmem_getlong_aligned(),
xdrmem_putlong_aligned(), xdrmem_getlong_unaligned(),
xdrmem_putlong_unaligned(), xdrmem_getbytes(), and/or xdrmem_putbytes()
functions, but it is difficult to know what uses these (going backwards
manually).

For example, a simple MD5 (of binaries before and after) shows many
changes that are probably irrelevant. It is hard to tell if any static
tools even use those changes; maybe mount_nfs and umount. And maybe
/usr/lib/librpcsvc*.

Is XDR only used for RPC-related tools? (Or is it used as a generic
portable binary data format used with all of libc?)

With some other libc security issues (such as with the resolver), you can
easily know which tools use that code.

The various XDR-related advisories are vague and don't really mention what
can be affected by this issue. (For last summer's xdr issue, it was
suggested (for Solaris) that the Desktop Management Interface service
daemon and Calendar Manager service daemon be disabled.)

Jeremy C. Reed
http://bsd.reedmedia.net/

p.s. I provide binary updates for customers, and for most issues I don't
want to provide binaries that are not affected.
From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 02:21:03 2003
Date: Wed, 26 Mar 2003 11:20:57 +0100
From: Simon Barner
To: "Jeremy C. Reed"
Cc: freebsd-security@FREEBSD.ORG
Subject: Re: what actually uses xdr_mem.c?

Hi Jeremy,

> The recent XDR fixes the xdrmem_getlong_aligned(),
> xdrmem_putlong_aligned(), xdrmem_getlong_unaligned(),
> xdrmem_putlong_unaligned(), xdrmem_getbytes(), and/or xdrmem_putbytes()
> functions, but it is difficult to know what uses these (going backwards
> manually).
>
> For example, a simple MD5 (of binaries before and after) shows many
> changes that are probably irrelevant. It is hard to tell if any static
> tools even use those changes; maybe mount_nfs and umount. And maybe
> /usr/lib/librpcsvc*.

I would not rely on the binaries to find out which programs make use of
the above functions. That's one of the advantages of an open source OS ;-)

Something like

  cd /usr/src
  grep -rl 'xdrmem_getlong_aligned' *

will print all the files that contain the string 'xdrmem_getlong_aligned'.
Based on the path names of those files, you will be able to find out which
programs use the xdr* functions.
HTH, Simon --zCKi3GIZzVBPywwA Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+gX8JCkn+/eutqCoRAqIuAJ4j44ly1m7bZ/HLzZT7N2guqldT7gCgsHTg DpQs7uF/X4L7aJZBVebirkc= =kuPP -----END PGP SIGNATURE----- --zCKi3GIZzVBPywwA-- From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 04:10:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4771037B404 for ; Wed, 26 Mar 2003 04:10:44 -0800 (PST) Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7C05A43F3F for ; Wed, 26 Mar 2003 04:10:43 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id 94AB849DC; Wed, 26 Mar 2003 06:10:42 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2QCAfe17149; Wed, 26 Mar 2003 06:10:41 -0600 (CST) (envelope-from hawkeyd) Date: Wed, 26 Mar 2003 06:10:41 -0600 
From: D J Hawkey Jr To: Simon Barner , "Jeremy C. Reed" Message-ID: <20030326061041.A17052@sheol.localdomain> References: <20030326102057.GC657@zi025.glhnet.mhn.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030326102057.GC657@zi025.glhnet.mhn.de>; from barner@in.tum.de on Wed, Mar 26, 2003 at 11:20:57AM +0100 X-Spam-Status: No, hits=-31.8 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, RCVD_IN_UNCONFIRMED_DSBL,REFERENCES,REPLY_WITH_QUOTES, USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: security at FreeBSD Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 12:10:45 -0000 On Mar 26, at 11:20 AM, Simon Barner wrote: > > Hi Jeremy, > > > The recent XDR fixes the xdrmem_getlong_aligned(), > > xdrmem_putlong_aligned(), xdrmem_getlong_unaligned(), > > xdrmem_putlong_unaligned(), xdrmem_getbytes(), and/or xdrmem_putbytes() > > functions, but it is difficult to know what uses these (going backwards > > manually). > > I would not rely on the binaries to find out, which programs make use of the > above functions. That's one of the advantages of an open source os ;-) > > Something like > > cd /usr/src > grep -rl 'xdrmem_getlong_aligned' * > > will print all the files that contain the string 'xdrmem_getlong_aligned'. Based > on the path name of those file, you will be able to find out which programs use > the xdr* functions. Actually, I _would_ check the binaries. Scanning /usr/src doesn't cover anything installed via the ports collection (/usr/ports), from other sources, or "home-grown" software. 
A week or so ago, I posted a command that scans the binaries:

    find $DIR -type f \
    |xargs readelf -a 2>/dev/null \
    |awk '/^File:/ { name = $2; printed = 0; } \
          /XDR|xdr/ { if (!printed) { print name; printed = 1; } }' \
    |xargs ldd 2>/dev/null

If it reports a pathed file without listing any shared libraries, then it is statically-linked.

I can't say this is the definitive answer, but it worked in a controlled environment (i.e., known binaries), as well as a live system. You can break down its components to see what each pipe does.

> HTH,
> Simon

HTH too,

Dave

-- 
______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 05:01:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6493537B404 for ; Wed, 26 Mar 2003 05:01:01 -0800 (PST) Received: from mailout.informatik.tu-muenchen.de (mailout.informatik.tu-muenchen.de [131.159.0.5]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6F09243F75 for ; Wed, 26 Mar 2003 05:01:00 -0800 (PST) (envelope-from barner@in.tum.de) Received: from mailrelay1.informatik.tu-muenchen.de (mailrelay1.informatik.tu-muenchen.de [131.159.254.5]) by mailout.informatik.tu-muenchen.de (Postfix) with ESMTP id 9044B6271; Wed, 26 Mar 2003 14:00:59 +0100 (MET) Received: from mail.informatik.tu-muenchen.de (mail.informatik.tu-muenchen.de [131.159.0.26]) by mailrelay1.informatik.tu-muenchen.de (Postfix) with ESMTP id 801977944; Wed, 26 Mar 2003 14:00:59 +0100 (MET) Received: from zi025.glhnet.mhn.de (unknown [129.187.19.157]) by mail.informatik.tu-muenchen.de (Postfix) with ESMTP id 58B426CB10; Wed, 26 Mar 2003 14:00:59 +0100 (MET) Received: by zi025.glhnet.mhn.de (Postfix, from userid 1000) id 57AF536D38; Wed, 26 Mar 2003 14:00:57 +0100 (CET) Date: Wed, 26 Mar 2003 14:00:56 +0100
From: Simon Barner To: D J Hawkey Jr Message-ID: <20030326130056.GD657@zi025.glhnet.mhn.de> References: <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="ylS2wUBXLOxYXZFQ" Content-Disposition: inline In-Reply-To: <20030326061041.A17052@sheol.localdomain> User-Agent: Mutt/1.5.4i X-Spam-Status: No, hits=-31.9 required=5.0 tests=AWL,IN_REP_TO,PGP_SIGNATURE_2,QUOTED_EMAIL_TEXT,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: "Jeremy C. Reed" cc: security at FreeBSD Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 13:01:02 -0000 --ylS2wUBXLOxYXZFQ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline > Actually, I _would_ check the binaries. Scanning /usr/src doesn't cover > anything installed via the ports collection (/usr/ports), from other > sources, or "home-grown" software. I didn't think of non-base-system software, you are right. From that point of view, you are certainly right. As far as I understood your script, it scans the output of "readelf -a", and prints that file name if and only if this output contains "XDR" or "xdr". 
Will this work if the binary is stripped (sorry in case I just overlooked something stupid :-) Regards, Simon --ylS2wUBXLOxYXZFQ Content-Type: application/pgp-signature; name="signature.asc" Content-Description: Digital signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE+gaSICkn+/eutqCoRAp+WAJ4k3xFkk7mv6fl+RuK10BUZ9Ps9mACgqatu L+wA59UtnSzyY218KBhal2Y= =V2zG -----END PGP SIGNATURE----- --ylS2wUBXLOxYXZFQ-- From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 05:16:42 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1D9837B404 for ; Wed, 26 Mar 2003 05:16:41 -0800 (PST) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30A7D43F3F for ; Wed, 26 Mar 2003 05:16:39 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id 729CD4D5B; Wed, 26 Mar 2003 07:16:38 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2QDGbB17481; Wed, 26 Mar 2003 07:16:37 -0600 (CST) (envelope-from hawkeyd) Date: Wed, 26 Mar 2003 07:16:37 -0600 
From: D J Hawkey Jr To: Simon Barner Message-ID: <20030326071637.A17385@sheol.localdomain> References: <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> <20030326130056.GD657@zi025.glhnet.mhn.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030326130056.GD657@zi025.glhnet.mhn.de>; from barner@in.tum.de on Wed, Mar 26, 2003 at 02:00:56PM +0100 X-Spam-Status: No, hits=-30.2 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,RCVD_IN_UNCONFIRMED_DSBL, REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: "Jeremy C. Reed" cc: security at FreeBSD Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 13:16:43 -0000 On Mar 26, at 02:00 PM, Simon Barner wrote: > > As far as I understood your script, it scans the output of "readelf -a", and > prints that file name if and only if this output contains "XDR" or "xdr". Will > this work if the binary is stripped (sorry in case I just overlooked something > stupid :-) Yes, it does. AFAIK, all base (and port?) software is [by default] stripped on installation, and the environment I tested that command with had stripped binaries. That isn't "stupid"; it took me a little while to work up that command (I didn't even know about readelf(1) until someone mentioned it to me). I'm no ELF expert - I'm no anything expert - but it appears that the ELF format itself contains these "labels". > Regards, > Simon Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. 
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 05:47:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AFB9137B404 for ; Wed, 26 Mar 2003 05:47:09 -0800 (PST) Received: from postfix.arnes.si (kanin.arnes.si [193.2.1.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6769A43F75 for ; Wed, 26 Mar 2003 05:47:08 -0800 (PST) (envelope-from uros.juvan@arnes.si) Received: from rzenik.arnes.si (rzenik.arnes.si [193.2.1.232]) by postfix.arnes.si (Postfix) with ESMTP id 43332A9E29 for ; Wed, 26 Mar 2003 14:47:07 +0100 (MET) Received: from arnes.si (grad.arnes.si [193.2.1.211]) by rzenik.arnes.si (Postfix) with ESMTP id AB94742B4B for ; Wed, 26 Mar 2003 14:47:06 +0100 (MET) Message-ID: <3E81AF6C.3060705@arnes.si> Date: Wed, 26 Mar 2003 14:47:24 +0100 
From: Uros Juvan User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3) Gecko/20030312 X-Accept-Language: en-us, en, sl MIME-Version: 1.0 Cc: security at FreeBSD References: <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> <20030326130056.GD657@zi025.glhnet.mhn.de> <20030326071637.A17385@sheol.localdomain> In-Reply-To: <20030326071637.A17385@sheol.localdomain> X-Enigmail-Version: 0.73.1.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Spam-Status: No, hits=-28.6 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,MISSING_HEADERS,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_MOZILLA_UA autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 13:47:12 -0000

Idea is cool, but it just won't work on statically linked files; you can test this with:

    # readelf -a /bin/ls

for example :(

I don't think there is a 100% way of telling whether a statically linked file is linked against the vulnerable xdr_mem.o, especially because obviously the rcsid string is undefined in the source file. Except of course searching for the machine bytes composing the vulnerable code :)

Regards,
Uros Juvan

D J Hawkey Jr wrote:
> On Mar 26, at 02:00 PM, Simon Barner wrote:
>
>> As far as I understood your script, it scans the output of "readelf -a", and
>> prints that file name if and only if this output contains "XDR" or "xdr". Will
>> this work if the binary is stripped (sorry in case I just overlooked something
>> stupid :-)
>
> Yes, it does. AFAIK, all base (and port?) software is [by default] stripped
> on installation, and the environment I tested that command with had stripped
> binaries.
>
> That isn't "stupid"; it took me a little while to work up that command
> (I didn't even know about readelf(1) until someone mentioned it to me).
> I'm no ELF expert - I'm no anything expert - but it appears that the ELF
> format itself contains these "labels".
>
>> Regards,
>> Simon
>
> Dave

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 06:02:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA3DA37B404 for ; Wed, 26 Mar 2003 06:02:05 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id EDCDA43F93 for ; Wed, 26 Mar 2003 06:02:04 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 5DA6851; Wed, 26 Mar 2003 08:02:04 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 3A0AC78C43; Wed, 26 Mar 2003 08:02:04 -0600 (CST) Date: Wed, 26 Mar 2003 08:02:04 -0600
From: "Jacques A. Vidrine" To: "Jeremy C. Reed" Message-ID: <20030326140204.GC33671@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , "Jeremy C. Reed" , freebsd-security@FREEBSD.ORG References: Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.3i-ja.1 X-Spam-Status: No, hits=-31.8 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: freebsd-security@FREEBSD.ORG Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 14:02:06 -0000 On Tue, Mar 25, 2003 at 10:11:46PM -0800, Jeremy C. Reed wrote: > In regards to FreeBSD-SA-03:05.xdr, does anyone know which static binaries > or tools under /bin or /sbin actually use that problem code? > > The recent XDR fixes the xdrmem_getlong_aligned(), > xdrmem_putlong_aligned(), xdrmem_getlong_unaligned(), > xdrmem_putlong_unaligned(), xdrmem_getbytes(), and/or xdrmem_putbytes() > functions, but it is difficult to know what uses these (going backwards > manually). You'll never find it starting with those :-) Rather, look for uses of xdrmem_create. [...] > Is the XDR only used for RPC related tools? (Or is it is used as a generic > portable binary data format used with all libc?) Well, not _only_ for RPC, but certainly RPC is the big consumer. Almost any RPC application will also be using an xdrmem stream. Depending upon the data types marshalled through the stream, one of the affected routines may be called. Other applications could also use XDR directly, such as to serialize data for storage. 
I don't think this is very common.

> With some other libc security issues (such as with resolver), you can
> easily know which tools use that code.
>
> The various XDR-related advisories are vague and don't really mention what
> can be affected by this issue.
>
> (For last summer's xdr issue, it was suggested (for Solaris) that the
> Desktop Management Interface service daemon and Calendar Manager service
> daemon be disabled.)
>
> Jeremy C. Reed
> http://bsd.reedmedia.net/
>
> p.s. I provide binary updates for customers; and for most issues I don't
> want to provide binaries that are not affected.

Have a look at Colin Percival's binary updates stuff. He believes he has overcome these issues.

Also, one can pull out the `relevant' ELF sections, and compare those for a pretty good picture. You could use objcopy. I've used libelf to do the same.

Cheers,
-- 
Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 06:10:25 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C215837B405 for ; Wed, 26 Mar 2003 06:10:25 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0E56943F85 for ; Wed, 26 Mar 2003 06:10:25 -0800 (PST) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 81BF19A; Wed, 26 Mar 2003 08:10:24 -0600 (CST) Received: by madman.celabo.org (Postfix, from userid 1001) id 6C68D78C43; Wed, 26 Mar 2003 08:10:24 -0600 (CST) Date: Wed, 26 Mar 2003 08:10:24 -0600
From: "Jacques A. Vidrine" To: D J Hawkey Jr Message-ID: <20030326141024.GD33671@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , D J Hawkey Jr , Simon Barner , "Jeremy C. Reed" , security at FreeBSD References: <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030326061041.A17052@sheol.localdomain> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.3i-ja.1 X-Spam-Status: No, hits=-31.9 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, REFERENCES,REPLY_WITH_QUOTES,USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: "Jeremy C. Reed" cc: security at FreeBSD Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 14:10:26 -0000 On Wed, Mar 26, 2003 at 06:10:41AM -0600, D J Hawkey Jr wrote: > Actually, I _would_ check the binaries. Scanning /usr/src doesn't cover > anything installed via the ports collection (/usr/ports), from other > sources, or "home-grown" software. > > A week or so ago, I posted a command that scans the binaries: > > find $DIR -type f \ > |xargs readelf -a 2>/dev/null \ > |awk '/^File:/ { name = $2; printed = 0; } \ > /XDR|xdr/ { if (!printed) { print name; printed = 1; } }' \ > |xargs ldd 2>/dev/null > > If it reports a pathed file without listing any shared libraries, then > it is statically-linked. > > I can't say this is the definitive answer, but it worked in a controlled > environment (i.e., known binaries), as well as a live system. You can > break down it's components to see what each pipe does. 
This approach won't work for static binaries (which is what the poster was inquiring about). It also will fail you in this case. Since (most) affected binaries do not call xdrmem_* directly, those names will not appear in the binaries' symbol tables. (Although related names might, which may or may not be enough for you to go on.) Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 06:15:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A88437B404 for ; Wed, 26 Mar 2003 06:15:39 -0800 (PST) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7B2FC43F75 for ; Wed, 26 Mar 2003 06:15:38 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id DA29E4C82; Wed, 26 Mar 2003 08:15:37 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2QEFbc17852; Wed, 26 Mar 2003 08:15:37 -0600 (CST) (envelope-from hawkeyd) Date: Wed, 26 Mar 2003 08:15:37 -0600 
From: D J Hawkey Jr To: Uros Juvan Message-ID: <20030326081537.C17610@sheol.localdomain> References: <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> <20030326130056.GD657@zi025.glhnet.mhn.de> <20030326071637.A17385@sheol.localdomain> <3E81AF6C.3060705@arnes.si> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3E81AF6C.3060705@arnes.si>; from uros.juvan@arnes.si on Wed, Mar 26, 2003 at 02:47:24PM +0100 X-Spam-Status: No, hits=-31.0 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, RCVD_IN_UNCONFIRMED_DSBL,REFERENCES,REPLY_WITH_QUOTES, USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: security at FreeBSD Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 14:15:40 -0000 On Mar 26, at 02:47 PM, Uros Juvan wrote: > > Idea is cool, but it just won't work on staticaly linked files, you can > test this with: > > # readelf -a /bin/ls Oh, man! It seems as though my command requires that a statically-linked binary has "relocation sections" (whatever they are), at the very least. > I don't think there is 100% way of telling whether staticaly linked file > is linked against vulnerable xdr_mem.o, especially because obviously > rcsid string is undefined in source file. > Exept of course searching for machine bytes composing vulnerable code :) It appears that you're correct. Bummer for me, as I've put out that command a couple of times now. I _hate_ looking stupid in public, especially when I think I've done something really smart. :-( > Regards, > Uros Juvan Thanks for hitting me with the Clue Stick. 
I'll shut up now. Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 06:38:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7F0D437B404; Wed, 26 Mar 2003 06:38:17 -0800 (PST) Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 84F4243F3F; Wed, 26 Mar 2003 06:38:16 -0800 (PST) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id 9F0E24F9E; Wed, 26 Mar 2003 08:38:15 -0600 (CST) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id h2QEcFW18008; Wed, 26 Mar 2003 08:38:15 -0600 (CST) (envelope-from hawkeyd) Date: Wed, 26 Mar 2003 08:38:14 -0600 
From: D J Hawkey Jr To: "Jacques A. Vidrine" , Simon Barner , "Jeremy C. Reed" , security at FreeBSD Message-ID: <20030326083814.E17610@sheol.localdomain> References: <20030326102057.GC657@zi025.glhnet.mhn.de> <20030326061041.A17052@sheol.localdomain> <20030326141024.GD33671@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030326141024.GD33671@madman.celabo.org>; from nectar@FreeBSD.org on Wed, Mar 26, 2003 at 08:10:24AM -0600 X-Spam-Status: No, hits=-31.3 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, RCVD_IN_UNCONFIRMED_DSBL,REFERENCES,REPLY_WITH_QUOTES, USER_AGENT_MUTT autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Subject: Re: what actually uses xdr_mem.c? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 14:38:18 -0000 On Mar 26, at 08:10 AM, Jacques A. Vidrine wrote: > > On Wed, Mar 26, 2003 at 06:10:41AM -0600, D J Hawkey Jr wrote: > > > > find $DIR -type f \ > > |xargs readelf -a 2>/dev/null \ > > |awk '/^File:/ { name = $2; printed = 0; } \ > > /XDR|xdr/ { if (!printed) { print name; printed = 1; } }' \ > > |xargs ldd 2>/dev/null > > > > If it reports a pathed file without listing any shared libraries, then > > it is statically-linked. > > This approach won't work for static binaries (which is what the poster > was inquiring about). So someone else has proven to me. > It also will fail you in this case. Since (most) affected binaries do > not call xdrmem_* directly, those names will not appear in the > binaries' symbol tables. (Although related names might, which may or > may not be enough for you to go on.) 
As I replied to him, thanks for hitting me with the Clue Stick. Are my posts _really_ making it to freebsd-security? The archive web page shows nothing at all for today, majordomo says I'm not subscribed anymore, yet I'm getting replies from folk I haven't sent to directly. If not, I suppose I'll have to re-post my replies? Maybe after trying to re-subscribe? stumblemumblegrumble Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. / __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:03:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C1AE737B404 for ; Wed, 26 Mar 2003 13:03:19 -0800 (PST) Received: from mail.interchange.ca (ns.interchange.ca [216.126.79.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA2AC43F75 for ; Wed, 26 Mar 2003 13:03:18 -0800 (PST) (envelope-from michael@fastmail.ca) Received: by mail.interchange.ca (Fastmailer, from userid 555) id 5DFA9864312; Wed, 26 Mar 2003 15:57:19 -0500 (EST) Received: from 24.114.6.105 by www.fastmail.ca with HTTP; Wed, 26 Mar 2003 20:57:18 +0000 (UTC) MIME-Version: 1.0 Message-Id: <3E82142E.000017.64676@ns.interchange.ca> Content-Type: Multipart/Mixed; boundary="------------Boundary-00=_IJJD2I4YA1UMYJ0CCJD0" To: freebsd-security@freebsd.org Date: Wed, 26 Mar 2003 15:57:18 -0500 (EST) 
From: "Michael Richards" X-Fastmail-IP: [24.114.6.105] X-Spam-Status: No, hits=0.0 required=5.0 tests=none version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Subject: Multiple Firewalls with ipfilter? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 21:03:20 -0000 --------------Boundary-00=_IJJD2I4YA1UMYJ0CCJD0 Content-Type: Text/Plain Content-Transfer-Encoding: 7bit We're supposed to provide redundant firewall service. I'm wondering if anyone has ever tried to do this and if it's realistic. Basically 2 firewall machines hooked up so if one fails the other will transparently step in. I've googled it to death without much luck. The security issue here lies in that the 2 firewalls can't talk to each other. So if I'm keeping state on a connection then the second firewall has to know about that connection otherwise it will close if that firewall dies. Any ideas? 
-Michael _________________________________________________________________ http://fastmail.ca/ - Fast Secure Web Email for Canadians --------------Boundary-00=_IJJD2I4YA1UMYJ0CCJD0-- From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:30:55 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E653D37B405 for ; Wed, 26 Mar 2003 13:30:55 -0800 (PST) Received: from gigatrex.com (graceland.gigatrex.com [209.10.113.211]) by mx1.FreeBSD.org (Postfix) with SMTP id 67B0043F3F for ; Wed, 26 Mar 2003 13:30:50 -0800 (PST) (envelope-from piechota@argolis.org) Received: (qmail 6713 invoked from network); 26 Mar 2003 21:35:00 -0000 Received: from unknown (HELO cithaeron.argolis.org) (138.88.83.93) by graceland.gigatrex.com with SMTP; 26 Mar 2003 21:35:00 -0000 Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.8/8.12.7) with ESMTP id h2QLUmxN009251; Wed, 26 Mar 2003 16:30:48 -0500 (EST) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost)h2QLUm53009248; Wed, 26 Mar 2003 16:30:48 -0500 (EST) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Wed, 26 Mar 2003 16:30:48 -0500 (EST) 
From: Matt Piechota To: Michael Richards In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca> Message-ID: <20030326161559.P9110@cithaeron.argolis.org> References: <3E82142E.000017.64676@ns.interchange.ca> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Status: No, hits=-26.1 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, RCVD_IN_OSIRUSOFT_COM,REFERENCES,REPLY_WITH_QUOTES, X_AUTH_WARNING autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: freebsd-security@freebsd.org Subject: Re: Multiple Firewalls with ipfilter? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 21:30:59 -0000 On Wed, 26 Mar 2003, Michael Richards wrote: > We're supposed to provide redundant firewall service. I'm wondering > if anyone has ever tried to do this and if it's realistic. Basically > 2 firewall machines hooked up so if one fails the other will > transparently step in. I've googled it to death without much luck. > > The security issue here lies in that the 2 firewalls can't talk to > each other. So if I'm keeping state on a connection then the second > firewall has to know about that connection otherwise it will close if > that firewall dies. Caveat: I haven't tried any of this, and there may be a canned solution I don't know about. If I were doing this, I'd do a serial connection between the two boxes (I assume they're in the same room). If you're just looking for failover (and not load balancing), you could designate one to be the master, and whenever it adds or deletes a dynamic rule, it prints it out to the serial port. The slave machine watches the serial port and adds rules when it sees them come over. 
That'll basically work, although you really need to do some sort of
handshaking, heart beat, and sync (so when the master comes back, it can
read in the new rules the slave created while it was minding the shop).

I suspect matching 'expect' scripts tied to the serial lines could get the
job done. Something like switch on:

RULEADD - ipfw add $rest_of_line
RULEDEL - this'll be a little tougher since you'll have to match the rule
          to the number (unless you always add the rule with the number
          from the master)
RULEDMP - ipfw list
HRTBEAT - actually, you don't really need this, but it's nice to keep
          status.

Just an idea.

--
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:37:25 2003
Date: Wed, 26 Mar 2003 16:37:21 -0500
From: Eric L Howard
To: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030326213721.GB524@outreachnetworks.com>
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>

At a certain time, now past [Wed, Mar 26, 2003 at 03:57:18PM -0500],
Michael Richards spake thusly:

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.
[admin@zechariah ports]# make search key=freevrrpd
Port:   freevrrpd-0.8.4_1
Path:   /usr/ports/net/freevrrpd
Info:   This a VRRP RFC2338 Compliant implementation under FreeBSD
Maint:  spe@bsdfr.org
Index:  net
B-deps:
R-deps:

http://redundancy.redundancy.org/fbsd_lb.html

Though I've used VRRP quite a bit, I have not used the freevrrpd
implementation.

~elh

--
Eric L. Howard   e l h @ o u t r e a c h n e t w o r k s . c o m
www.OutreachNetworks.com   313.297.9900
JabberID: elh@jabber.org   Advocate of the Theocratic Rule

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 08:18:07 2003
Date: Wed, 26 Mar 2003 08:18:02 -0800 (PST)
From: "Jeremy C. Reed"
To: "Jacques A. Vidrine"
Cc: freebsd-security@FREEBSD.ORG
Subject: Re: what actually uses xdr_mem.c?
In-Reply-To: <20030326140204.GC33671@madman.celabo.org>

On Wed, 26 Mar 2003, Jacques A. Vidrine wrote:

> It also will fail you in this case. Since (most) affected binaries do
> not call xdrmem_* directly, those names will not appear in the
> binaries' symbol tables. (Although related names might, which may or
> may not be enough for you to go on.)

That is why I was wondering if anyone knew what actually uses the
functions that had security issues :)

On Wed, 26 Mar 2003, Jacques A. Vidrine wrote:

> > The recent XDR fixes the xdrmem_getlong_aligned(),
> > xdrmem_putlong_aligned(), xdrmem_getlong_unaligned(),
> > xdrmem_putlong_unaligned(), xdrmem_getbytes(), and/or xdrmem_putbytes()
> > functions, but it is difficult to know what uses these (going backwards
> > manually).
>
> You'll never find it starting with those :-) Rather, look for uses of
> xdrmem_create.

I understand. (I already couldn't find any of those functions used by
anything else other than xdrmem_create.) That is my point: it is hard to
tell what uses what.

> Well, not _only_ for RPC, but certainly RPC is the big consumer.
> Almost any RPC application will also be using an xdrmem stream.
> Depending upon the data types marshalled through the stream, one of
> the affected routines may be called.
>
> Other applications could also use XDR directly, such as to serialize
> data for storage. I don't think this is very common.

Thanks for the explanation. (Now to figure out what is actually affected.)

> Have a look at Colin Percival's binary updates stuff. He believes he
> has overcome these issues.

I will look at it closer. (But I was told off-list that it didn't.
Nevertheless, it would be nice to find a way to automate this.)

> Also, one can pull out the `relevant' ELF sections, and compare those
> for a pretty good picture. You could use objcopy. I've used libelf
> to do the same.

Thanks for the ideas. I will give these a try. I see libelf is a library
for manipulating ELF -- is there a tool that uses it (like Solaris pvs(1))?

Jeremy C. Reed
http://bsd.reedmedia.net/

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:18:55 2003
Date: Wed, 26 Mar 2003 13:18:48 -0800 (PST)
From: randall ehren
To: Michael Richards
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

http://www.isber.ucsb.edu/~randall/firewall/redundant/

i have this setup in use at work, it's an automatic failover but does not
keep existing connections, so things like SSH sessions would be dropped.

-randall

--
:// randall s.
ehren :// voice 805.893.5632 :// systems administrator
:// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 15:35:00 2003
Message-Id: <3E82386C.000003.20487@ns.interchange.ca>
To: elliot@cs.montana.edu
Date: Wed, 26 Mar 2003 18:31:56 -0500 (EST)
From: "Michael Richards"
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?

The problem here is really 2 pronged:

1) I need some means of realising that the firewall just died and
   transparently switching over to the backup or load balancing the two
   so if one dies the other takes up the slack.

2) I need a means of syncing the state info so existing connections
   won't be torn down if they end up going through the other firewall.

Sounds like a solution people would normally pay an obscene amount of
money for but I'd be surprised if there isn't a way to do this. Maybe
something with routing could do the balancing...

-Michael

>> -SNIP
>> The security issue here lies in that the 2 firewalls can't talk
>> to each other. So if I'm keeping state on a connection then the
>> second firewall has to know about that connection otherwise it
>> will close if that firewall dies.
>>
> what do you mean, can't talk to each other?
> /usr/src/ports/net/freevrrpd/ might help you a little, but not
> state awareness

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 15:45:17 2003
Date: Wed, 26 Mar 2003 23:45:14 +0000
From: Ben Hughes
To: freebsd-security@freebsd.org
Cc: Michael Richards
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030326234514.GA33356@uk.easynet.net>
In-Reply-To: <3E82386C.000003.20487@ns.interchange.ca>

On Wed, Mar 26, 2003 at 06:31:56PM -0500, Michael Richards wrote:

> 2) I need a means of syncing the state info so existing connections
> won't be torn down if they end up going through the other firewall.

I've often thought about using /sbin/ipfs over a serial cable/link, or a
modified version therein.. No idea if it's doable, but it's a really
rather pleasant idea (:

--
Ben Hughes, | False sense of Security Dept.
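Matt's serial-link sketch earlier in this thread (the master prints RULEADD/RULEDEL/RULEDMP/HRTBEAT lines, the slave replays them into ipfw, a heartbeat drives failover), written out as an added example in Python; it is not code from the list, and the number-first RULEADD payload, the 5-second heartbeat timeout and the dry-run list of ipfw argv vectors are assumptions. It accepts only that fixed vocabulary and never hands a received line to a shell, and it syncs rules only, not the connection state that Ben and Michael are after.

```python
"""Slave side of the RULEADD/RULEDEL/RULEDMP/HRTBEAT line protocol that Matt
sketches in this thread.  Added example, not code from the list: the exact
line format, the number-first RULEADD payload, the heartbeat timeout and the
dry-run command list are all assumptions."""
import re
import shlex
from dataclasses import dataclass, field

# One protocol line per serial line: <TAG> [payload].  Only this fixed
# vocabulary is accepted; line noise or a half-received line is dropped and
# logged, never handed to a shell.
LINE_RE = re.compile(r"^(RULEADD|RULEDEL|RULEDMP|HRTBEAT)(?:\s+(.*))?$")


@dataclass
class SlaveState:
    rules: dict = field(default_factory=dict)     # rule number -> rule text
    commands: list = field(default_factory=list)  # ipfw argv lists (dry run)
    rejected: list = field(default_factory=list)  # lines that were dropped
    last_heartbeat: float = -1.0                  # time of the last HRTBEAT


def _reject(state, line):
    state.rejected.append(line)
    return "reject"


def handle_line(state, line, now):
    """Apply one line received from the master; return the action taken."""
    m = LINE_RE.match(line.strip())
    if not m:
        return _reject(state, line)
    tag, payload = m.group(1), (m.group(2) or "")
    if tag == "HRTBEAT":
        state.last_heartbeat = now
        return "heartbeat"
    if tag == "RULEDMP":
        state.commands.append(["ipfw", "list"])   # master wants our rule set
        return "dump"
    if tag == "RULEADD":
        # Assumption: the master always sends its own rule number first, so a
        # later RULEDEL can name the number instead of re-matching the text.
        number, _, rule = payload.partition(" ")
        if not number.isdigit() or not rule.strip():
            return _reject(state, line)
        try:
            words = shlex.split(rule)
        except ValueError:                        # unbalanced quotes: garbage
            return _reject(state, line)
        state.rules[int(number)] = " ".join(words)
        state.commands.append(["ipfw", "add", number] + words)
        return "add"
    # RULEDEL: payload is either the rule number or the exact rule text.
    if payload.isdigit():
        number = int(payload)
    else:
        wanted = " ".join(payload.split())
        matches = [n for n, r in state.rules.items() if r == wanted]
        if len(matches) != 1:                     # unknown or ambiguous text
            return _reject(state, line)
        number = matches[0]
    if number not in state.rules:
        return _reject(state, line)
    del state.rules[number]
    state.commands.append(["ipfw", "delete", str(number)])
    return "del"


def master_alive(state, now, timeout=5.0):
    """Failover trigger: presume the master dead once HRTBEATs stop."""
    return state.last_heartbeat >= 0 and (now - state.last_heartbeat) < timeout


def replay(lines, step=1.0):
    """Feed lines as if one arrived every `step` seconds, starting at t=0."""
    state = SlaveState()
    actions = [handle_line(state, line, i * step) for i, line in enumerate(lines)]
    return state, actions


# Constructed feed, as the master might print it to the serial port.
SAMPLE_FEED = [
    "HRTBEAT",
    "RULEADD 1000 allow tcp from 10.1.1.5 to 10.2.2.9 22 keep-state",
    "RULEADD 1001 allow udp from 10.1.1.5 to 10.2.2.53 53 keep-state",
    "RULEDEL 1000",
    "RULEDEL allow udp from 10.1.1.5 to 10.2.2.53 53 keep-state",
    "RULEDMP",
    "\x00\x00?ULEADD 1002 allow ip from any to any",  # serial line noise
    "HRTBEAT",
]

if __name__ == "__main__":
    st, acts = replay(SAMPLE_FEED)
    for cmd in st.commands:
        print(" ".join(cmd))
    print("rejected:", st.rejected)
    print("master alive at t=9s:", master_alive(st, 9.0))
```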
From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 18:25:58 2003
Message-Id: <5.0.2.1.1.20030327021835.01e005c8@popserver.sfu.ca>
Date: Thu, 27 Mar 2003 02:25:53 +0000
To: "Jeremy C. Reed", "Jacques A. Vidrine"
From: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: what actually uses xdr_mem.c?
References: <20030326140204.GC33671@madman.celabo.org>

At 08:18 26/03/2003 -0800, Jeremy C. Reed wrote:
>On Wed, 26 Mar 2003, Jacques A. Vidrine wrote:
> > Have a look at Colin Percival's binary updates stuff. He believes he
> > has overcome these issues.
>
>I will look at it closer. (But I was told off-list that it didn't.
>Nevertheless, it would be nice to find a way to automate this.)

To clarify: I'm not sure if my code worked properly here. It certainly
hasn't missed any files, but it might have introduced false positives --
I was surprised by the number of files it identified as having changed.
I'm currently looking at this in more detail to determine if in fact
these are false positives.

Colin Percival

PS. Can I convince anyone to look at ports/50202?
From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 21:22:14 2003
Date: Thu, 27 Mar 2003 16:22:05 +1100 (EST)
From: Bruce Evans
To: Uros Juvan
Cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030327160638.J1404@gamplex.bde.org>
In-Reply-To: <3E81AF6C.3060705@arnes.si>

On Wed, 26 Mar 2003, Uros Juvan wrote:

> Idea is cool, but it just won't work on statically linked files, you can
> test this with:
>
> # readelf -a /bin/ls
>
> for example :(
>
> I don't think there is 100% way of telling whether statically linked file
> is linked against vulnerable xdr_mem.o, especially because obviously
> rcsid string is undefined in source file.

This isn't so obvious:

%%%
Script started on Thu Mar 27 16:07:33 2003
ttyp0:bde@besplex:/tmp> strings -a /bin/ls | grep xdr_mem
$FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
ttyp0:bde@besplex:/tmp> exit

Script done on Thu Mar 27 16:07:44 2003
%%%

(strings -a shows a few other interesting strings and lots of bloat.)

xdr_mem.c has always had some sort of id string, but putting the string
in the object file was broken for many years by putting the rcsid in
the LIBC_SCCS section and then renaming LIBC_SCCS to LIBC_RCS in the
Makefile without adjusting any source files that had ids. This was fixed
relatively recently in -current but is still broken in RELENG_4.
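Bruce's `strings -a /bin/ls | grep xdr_mem` check, as an added example in Python that is not from the thread: it pulls $FreeBSD$ id strings out of a byte blob and reports the revision, treating a missing id as unknown rather than clean, since stripped binaries and RELENG_4 objects carry none. The sample blob is constructed inline (the clnt_tcp.c id in it is made up), and the revision carrying the fix is a placeholder parameter because the thread does not name it.

```python
"""Find RCS id strings embedded in a (statically linked) binary, the way
`strings -a /bin/ls | grep xdr_mem` does above.  Added example, not code
from the thread; the sample binary below is constructed inline."""
import re

# Shape of the id Bruce's transcript shows:
# $FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
ID_RE = re.compile(
    rb"\$FreeBSD: (?P<path>[^\s,]+),v (?P<rev>[0-9.]+) "
    rb"(?P<date>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (?P<who>\S+) Exp \$"
)


def printable_strings(data, minlen=4):
    """Rough strings(1) -a: every run of >= minlen printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % minlen
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def find_ids(data):
    """Map source path -> CVS revision for each $FreeBSD$ id in the blob."""
    return {m.group("path").decode(): m.group("rev").decode()
            for m in ID_RE.finditer(data)}


def check_object(data, source):
    """('present', rev) if `source` left its id in the binary, otherwise
    ('unknown', None).  Unknown is not clean: a stripped binary, or one
    built from a tree where the id was never emitted (RELENG_4 libc, per
    Bruce), contains no id either way."""
    ids = find_ids(data)
    if source in ids:
        return ("present", ids[source])
    return ("unknown", None)


def _rev_tuple(rev):
    return tuple(int(part) for part in rev.split("."))


def verdict(data, source, fixed_rev):
    """Compare the embedded revision with the one carrying the fix.
    fixed_rev is a placeholder argument: the thread does not name it, and a
    branch revision (e.g. 1.11.2.x) must be compared with that branch's own
    fixed revision, not with the -current one."""
    status, rev = check_object(data, source)
    if status != "present":
        return "unknown"
    return "at-or-after-fix" if _rev_tuple(rev) >= _rev_tuple(fixed_rev) else "before-fix"


# Constructed stand-in for a static binary: a few opcode-like bytes around
# two id strings.  The xdr_mem.c id is the one from Bruce's transcript; the
# clnt_tcp.c id is made up for this example.
SAMPLE_STATIC_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"\x55\x48\x89\xe5\xc3"
    + b"$FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $\x00"
    + b"\x90\x90\xcc"
    + b"$FreeBSD: src/lib/libc/rpc/clnt_tcp.c,v 0.0 2000/01/01 00:00:00 nobody Exp $\x00"
    + b"\xff\x00"
)

if __name__ == "__main__":
    for s in printable_strings(SAMPLE_STATIC_BINARY):
        if "xdr_mem" in s:
            print(s)
    print(verdict(SAMPLE_STATIC_BINARY, "src/lib/libc/xdr/xdr_mem.c", "1.11"))
```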
Bruce

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 21:45:06 2003
Date: Wed, 26 Mar 2003 23:45:04 -0600
From: D J Hawkey Jr
To: Bruce Evans
Cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030326234503.A21679@sheol.localdomain>
In-Reply-To: <20030327160638.J1404@gamplex.bde.org>

On Mar 27, at 04:22 PM, Bruce Evans wrote:
>
> On Wed, 26 Mar 2003, Uros Juvan wrote:
>
> > Idea is cool, but it just won't work on statically linked files, you can
> > test this with:
> >
> > # readelf -a /bin/ls
> >
> > for example :(
> >
> > I don't think there is 100% way of telling whether statically linked file
> > is linked against vulnerable xdr_mem.o, especially because obviously
> > rcsid string is undefined in source file.
>
> This isn't so obvious:
>
> %%%
> Script started on Thu Mar 27 16:07:33 2003
> ttyp0:bde@besplex:/tmp> strings -a /bin/ls | grep xdr_mem
> $FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
> ttyp0:bde@besplex:/tmp> exit
>
> Script done on Thu Mar 27 16:07:44 2003
> %%%
>
> (strings -a shows a few other interesting strings and lots of bloat.)
>
> xdr_mem.c has always had some sort of id string, but putting the string
> in the object file was broken for many years by putting the rcsid in
> the LIBC_SCCS section and then renaming LIBC_SCCS to LIBC_RCS in the
> Makefile without adjusting any source files that had ids. This was fixed
> relatively recently in -current but is still broken in RELENG_4.

OK, I now have to take this a little off-topic, and ask the following:

Given that it's improbable, if not nearly impossible, to discover what
statically-linked binaries may be involved with any vulnerability, isn't
it reasonable to ask if the benefits of statically-linked binaries aren't
outweighed by the [security] drawbacks?

Granted, a "no static binaries" policy wouldn't cover things outside of
any given distribution, but at that point, the vendor is absolved.

> Bruce

Should this move on over to freebsd-hackers@ ?

Dave

--
D. J. HAWKEY JR.   hawkeyd@visi.com   http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 22:58:00 2003
Date: Thu, 27 Mar 2003 17:57:52 +1100
From: Peter Jeremy
To: D J Hawkey Jr
Cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030327065752.GA18940@cirb503493.alcatel.com.au>
In-Reply-To: <20030326234503.A21679@sheol.localdomain>

On Wed, Mar 26, 2003 at 11:45:04PM -0600, D J Hawkey Jr wrote:
>Given that it's improbable, if not nearly impossible, to discover what
>statically-linked binaries may be involved with any vulnerability, isn't
>it reasonable to ask if the benefits of statically-linked binaries aren't
>outweighed by the [security] drawbacks?

This particular bikeshed has been discussed to death several times. I
suggest you peruse the archives rather than re-opening it.
Peter

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 23:01:24 2003
Date: Thu, 27 Mar 2003 18:01:11 +1100 (EST)
From: Bruce Evans
To: D J Hawkey Jr
Cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030327174923.P1825@gamplex.bde.org>
In-Reply-To: <20030326234503.A21679@sheol.localdomain>

On Wed, 26 Mar 2003, D J Hawkey Jr wrote:

> On Mar 27, at 04:22 PM, Bruce Evans wrote:
> >
> > On Wed, 26 Mar 2003, Uros Juvan wrote:
> >
> > > Idea is cool, but it just won't work on statically linked files, you can
> > > test this with:
> > >
> > > # readelf -a /bin/ls
> > >
> > > for example :(
> > ...
> > This isn't so obvious:
> >
> > %%%
> > Script started on Thu Mar 27 16:07:33 2003
> > ttyp0:bde@besplex:/tmp> strings -a /bin/ls | grep xdr_mem
> > $FreeBSD: src/lib/libc/xdr/xdr_mem.c,v 1.11 2002/03/22 21:53:26 obrien Exp $
> > ttyp0:bde@besplex:/tmp> exit
> >
> > Script done on Thu Mar 27 16:07:44 2003
> > %%%
> > ...
>
> OK, I now have to take this a little off-topic, and ask the following:
>
> Given that it's improbable, if not nearly impossible, to discover what
> statically-linked binaries may be involved with any vulnerability, isn't

This isn't given. It is very easy to see xdr_mem.c in static binaries
in -current (see above).
If there were no id string, then it is still easy to see what is in static
binaries if you don't strip them. I install them stripped but keep the
originals in /usr/obj.

> it reasonable to ask if the benefits of statically-linked binaries aren't
> outweighed by the [security] drawbacks?

The only security drawbacks with statically-linked binaries are that you
can't fix security bugs for multiple programs by installing 1 new library.
This is also a security drawforward - installing 1 new library with a
security bug gives security bugs in multiple programs.

Bruce

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 23:29:47 2003
Message-Id: <5.0.2.1.1.20030327055355.029c1478@popserver.sfu.ca>
Date: Thu, 27 Mar 2003 07:29:42 +0000
To: "Jeremy C. Reed", "Jacques A. Vidrine"
From: Colin Percival
Cc: freebsd-security@freebsd.org
Subject: Re: what actually uses xdr_mem.c?
In-Reply-To: <5.0.2.1.1.20030327021835.01e005c8@popserver.sfu.ca>
References: <20030326140204.GC33671@madman.celabo.org>

At 02:25 27/03/2003 +0000, I wrote:
> To clarify: I'm not sure if my code worked properly here. It certainly
> hasn't missed any files, but it might have introduced false positives --
> I was surprised by the number of files it identified as having
> changed. I'm currently looking at this in more detail to determine if in
> fact these are false positives.

And the answer is, they're not false positives.
libc/xdr/xdr_mem is used by libc/rpc/clnt_tcp, which is used by
libc/yp/yplib, and that is included in:

/bin/csh /bin/date /bin/ls /bin/mv /bin/pax /bin/ps /bin/rcp /bin/rm
/bin/sh /bin/tcsh /bin/unlink
/sbin/atm /sbin/dhclient /sbin/dump /sbin/fastboot /sbin/fasthalt
/sbin/fsck /sbin/fsdb /sbin/halt /sbin/ifconfig /sbin/init /sbin/ip6fw
/sbin/ipf /sbin/ipfstat /sbin/ipfw /sbin/ipmon /sbin/ipnat /sbin/mknod
/sbin/mount /sbin/mount_msdos /sbin/mount_nfs /sbin/mount_ntfs
/sbin/mount_nwfs /sbin/mount_portal /sbin/mountd /sbin/natd /sbin/nfsd
/sbin/nos-tun /sbin/ping /sbin/ping6 /sbin/quotacheck /sbin/rdump
/sbin/reboot /sbin/restore /sbin/route /sbin/routed /sbin/rrestore
/sbin/rtquery /sbin/shutdown /sbin/umount /sbin/vinum
/usr/bin/tar
/usr/lib/libc.a /usr/lib/libc.so.4 /usr/lib/libc_p.a /usr/lib/libc_pic.a
/usr/lib/libc_r.a /usr/lib/libc_r.so.4 /usr/lib/libc_r_p.a
/usr/libexec/elf/gdb

Of course, in most (all?) of these cases it would be impossible to exploit
the xdr bug, but all those files contain the modified code.

Colin Percival

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 01:17:03 2003
Message-ID: <3E82BF70.25089.A1C525A@localhost>
From: "Roger "
To: freebsd-security@freebsd.org
Date: Thu, 27 Mar 2003 09:08:00 -0000
Subject: Re: Multiple Firewalls with ipfilter?
In-reply-to: <20030326161559.P9110@cithaeron.argolis.org>
References: <3E82142E.000017.64676@ns.interchange.ca>

You would have to fake up the MAC addresses on the Ethernet ports
(otherwise the ARP tables will be wrong), and sync the TCP/IP stack's
state for it to work. That would need more than a serial port to sync.

Roger.

Date sent: Wed, 26 Mar 2003 16:30:48 -0500 (EST)
From: Matt Piechota
To: Michael Richards
Copies to: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?

> On Wed, 26 Mar 2003, Michael Richards wrote:
>
> > We're supposed to provide redundant firewall service. I'm wondering
> > if anyone has ever tried to do this and if it's realistic. Basically
> > 2 firewall machines hooked up so if one fails the other will
> > transparently step in. I've googled it to death without much luck.
> >
> > The security issue here lies in that the 2 firewalls can't talk to
> > each other. So if I'm keeping state on a connection then the second
> > firewall has to know about that connection otherwise it will close if
> > that firewall dies.
>
> Caveat: I haven't tried any of this, and there may be a canned solution I
> don't know about.
>
> If I were doing this, I'd do a serial connection between the two boxes (I
> assume they're in the same room). If you're just looking for failover
> (and not load balancing), you could designate one to be the master, and
> whenever it adds or deletes a dynamic rule, it prints it out to the serial
> port. The slave machine watches the serial port and adds rules when it
> sees them come over.
>
> That'll basically work, although you really need to do some sort of
> handshaking, heart beat, and sync (so when the master comes back, it can
> read in the new rules the slave created while it was minding the shop).
From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 03:24:36 2003
Date: Thu, 27 Mar 2003 12:39:45 +0200
From: Giorgos Keramidas
To: Michael Richards
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030327103945.GA8208@gothmog.gr>
References: <3E82386C.000003.20487@ns.interchange.ca>
In-Reply-To: <3E82386C.000003.20487@ns.interchange.ca>

On 2003-03-26 18:31, Michael Richards wrote:
> The problem here is really 2 pronged:
> 1) I need some means of realising that the firewall just died and
> transparently switching over to the backup or load balancing the two
> so if one dies the other takes up the slack.
>
> 2) I need a means of syncing the state info so existing connections
> won't be torn down if they end up going through the other firewall.

Hmmm, you could probably do some ingenious stuff with ipfs and a shared
disk partition, where the 'active' firewall saves its state periodically.
When this falls over, the code that handles the switch to the 'backup'
machine could reload the state from the shared disk :)

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 03:29:07 2003
Date: Thu, 27 Mar 2003 05:29:06 -0600
From: "Jacques A. Vidrine"
To: "Jeremy C. Reed"
Cc: freebsd-security@FREEBSD.ORG
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030327112906.GC98283@madman.celabo.org>
References: <20030326140204.GC33671@madman.celabo.org>

On Wed, Mar 26, 2003 at 08:18:02AM -0800, Jeremy C. Reed wrote:
> Thanks for the ideas. I will give these a try. I see libelf is a library
> for manipulating ELF -- is there a tool that uses it (like Solaris
> pvs(1))?

Not that I'm aware. I wrote a quick-n-dirty python wrapper and used it to
pull out the following sections for comparison:

    significant_sections = [
        '.ctors',
        '.data',
        '.dtors',
        '.fini',
        '.init',
        '.rodata',
        '.text',
    ]

That seemed to be sufficient.

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
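The comparison Jacques describes (build the tree twice, once without and once with the fix, then compare the listed sections of every binary to find the statically linked programs that carry the modified code, as Colin did for xdr_mem) can be done with a small pure-Python ELF section reader. The block below is an added example written for this archive; it is not Jacques's wrapper and does not use libelf. It parses little-endian ELF32 and ELF64 section tables directly, hashes only the sections from his list, and reports which binaries differ. The `build_elf` function and the two sample "trees" are constructed test fixtures standing in for the two `make release' output directories; the paths reuse names from Colin's list but their contents are invented.

```python
import hashlib
import struct

# The sections Jacques compared between the two builds (quoted from his message).
SIGNIFICANT_SECTIONS = ['.ctors', '.data', '.dtors', '.fini', '.init', '.rodata', '.text']

SHT_NOBITS = 8  # section takes no file space (.bss): nothing to hash
_ELF_FORMATS = {  # EI_CLASS -> (ELF header format, section header format), little-endian
    1: ('<16sHHIIIIIHHHHHH', '<IIIIIIIIII'),   # ELFCLASS32 (FreeBSD 4.x on i386)
    2: ('<16sHHIQQQIHHHHHH', '<IIQQQQIIQQ'),   # ELFCLASS64
}


def elf_sections(image):
    """Map section name -> raw bytes for a little-endian ELF32/ELF64 image."""
    if image[:4] != b'\x7fELF':
        raise ValueError('not an ELF image')
    if image[5] != 1:
        raise ValueError('big-endian ELF is not handled in this example')
    ehdr_fmt, shdr_fmt = _ELF_FORMATS[image[4]]
    ehdr = struct.unpack_from(ehdr_fmt, image, 0)
    shoff, shentsize, shnum, shstrndx = ehdr[6], ehdr[11], ehdr[12], ehdr[13]
    shdrs = [struct.unpack_from(shdr_fmt, image, shoff + i * shentsize) for i in range(shnum)]
    # section header fields: name, type, flags, addr, offset, size, link, info, align, entsize
    strhdr = shdrs[shstrndx]
    strtab = image[strhdr[4]:strhdr[4] + strhdr[5]]
    sections = {}
    for sh in shdrs:
        name = strtab[sh[0]:strtab.index(b'\0', sh[0])].decode('ascii')
        sections[name] = b'' if sh[1] == SHT_NOBITS else image[sh[4]:sh[4] + sh[5]]
    return sections


def section_digests(image, names=SIGNIFICANT_SECTIONS):
    """SHA-256 of each significant section present in the image."""
    secs = elf_sections(image)
    return {n: hashlib.sha256(secs[n]).hexdigest() for n in names if n in secs}


def changed_sections(before, after, names=SIGNIFICANT_SECTIONS):
    """Significant sections whose content differs between two builds of one binary."""
    a, b = section_digests(before, names), section_digests(after, names)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def affected_binaries(before_tree, after_tree):
    """Given {path: image} for both release trees, the paths that carry modified code."""
    return sorted(p for p in before_tree
                  if p in after_tree and changed_sections(before_tree[p], after_tree[p]))


def build_elf(sections, elfclass=1):
    """Construct a minimal ELF image holding the given {name: bytes} sections.
    Test fixture only: real input is the binaries from the two release trees."""
    ehdr_fmt, shdr_fmt = _ELF_FORMATS[elfclass]
    ehsize, shentsize = struct.calcsize(ehdr_fmt), struct.calcsize(shdr_fmt)
    names = [''] + list(sections) + ['.shstrtab']
    strtab, name_off = b'', {}
    for n in names:
        name_off[n] = len(strtab)
        strtab += n.encode('ascii') + b'\0'
    bodies = dict(sections)
    bodies['.shstrtab'] = strtab
    blob, offsets = b'', {}
    for n in names[1:]:                       # section bodies follow the ELF header
        offsets[n] = ehsize + len(blob)
        blob += bodies[n]
    shoff = ehsize + len(blob)                # section header table comes last
    table = struct.pack(shdr_fmt, *([0] * 10))   # mandatory null section header
    for n in names[1:]:
        sh_type = 3 if n == '.shstrtab' else 1    # SHT_STRTAB / SHT_PROGBITS
        table += struct.pack(shdr_fmt, name_off[n], sh_type, 0, 0,
                             offsets[n], len(bodies[n]), 0, 0, 1, 0)
    ident = b'\x7fELF' + bytes([elfclass, 1, 1]) + bytes(9)
    ehdr = struct.pack(ehdr_fmt, ident, 2, 0, 1, 0, 0, shoff, 0,
                       ehsize, 0, 0, shentsize, len(names), len(names) - 1)
    return ehdr + blob + table


# Constructed sample trees: tar has the patched routine linked in, date does not.
# A changed .comment (build stamp) is deliberately ignored by the section list.
BEFORE_TREE = {
    '/usr/bin/tar': build_elf({'.text': b'\x55\x89\xe5\xc3xdrmem_getlong v1',
                               '.rodata': b'XDR\0', '.comment': b'built Mon'}),
    '/bin/date': build_elf({'.text': b'\x31\xc0\xc3', '.comment': b'built Mon'}),
}
AFTER_TREE = {
    '/usr/bin/tar': build_elf({'.text': b'\x55\x89\xe5\xc3xdrmem_getlong v2',
                               '.rodata': b'XDR\0', '.comment': b'built Tue'}),
    '/bin/date': build_elf({'.text': b'\x31\xc0\xc3', '.comment': b'built Tue'}),
}

if __name__ == '__main__':
    for path in affected_binaries(BEFORE_TREE, AFTER_TREE):
        print(path, changed_sections(BEFORE_TREE[path], AFTER_TREE[path]))
```

Restricting the comparison to the code and data sections is what keeps the build-stamp noise out: every binary's `.comment` differs between the two builds, but only `/usr/bin/tar` differs in `.text`. On a real pair of release trees the dictionaries would be filled by walking both directories and reading each file.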
nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 03:46:18 2003
Date: Thu, 27 Mar 2003 05:46:16 -0600
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
Cc: security at FreeBSD
Subject: Re: what actually uses xdr_mem.c?
Message-ID: <20030327114616.GE98283@madman.celabo.org>
References: <20030326061041.A17052@sheol.localdomain> <20030326071637.A17385@sheol.localdomain> <3E81AF6C.3060705@arnes.si> <20030327160638.J1404@gamplex.bde.org> <20030326234503.A21679@sheol.localdomain>
In-Reply-To: <20030326234503.A21679@sheol.localdomain>

On Wed, Mar 26, 2003 at 11:45:04PM -0600, D J Hawkey Jr wrote:
> OK, I now have to take this a little off-topic, and ask the following:
>
> Given that it's improbable, if not nearly impossible, to discover what
> statically-linked binaries may be involved with any vulnerability, isn't
> it reasonable to ask if the benefits of statically-linked binaries aren't
> outweighed by the [security] drawbacks?
>
> Granted, a "no static binaries" policy wouldn't cover things outside of
> any given distribution, but at that point, the vendor is absolved.

IMHO making security updates for a completely-dynamically-linked system
would be easier. However, it's not a panacea and there are reasons one
might still want static binaries.

This is not a given:

> Given that it's improbable, if not nearly impossible, to discover
> what statically-linked binaries may be involved with any
> vulnerability,

The way to determine it is to run `make release' without the fix, then
`make release' with the fix, and intelligently compare the results. It
is hard, not `nearly impossible'.

> Should this move on over to freebsd-hackers@ ?

I think it should stop here :-) We don't need another static-vs-dynamic
thread right now (e.g. yet another one finally finished on freebsd-arch
yesterday).

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 06:10:15 2003
From: Etienne Ledoux
To: Michael Richards
Cc: freebsd-security@freebsd.org
Date: 27 Mar 2003 16:08:23 +0200
Subject: Re: Multiple Firewalls with ipfilter?
Message-Id: <1048774105.27599.15.camel@madcow>
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
References: <3E82142E.000017.64676@ns.interchange.ca>

I guess this idea isn't as good but it worked for me. I used ipf (ipfw or
anything else should work too) with freevrrpd. Both master and slave
firewalls are exactly the same, except that my second firewall had two
extra rules right at the top:

    # Allow all established connections
    pass in quick proto tcp all flags A/SA keep state keep frags
    pass out quick proto tcp all flags A/SA keep state keep frags
    #pass in quick proto udp all keep state keep frags
    #pass out quick proto udp all keep state keep frags

This automatically created the state entries for established connections
as soon as the other firewall goes down. But I guess most people won't
like having those rules in their rulebase.

e.

On Wed, 2003-03-26 at 22:57, Michael Richards wrote:
> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.
>
> Any ideas?
>
> -Michael

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 06:55:41 2003
Date: Thu, 27 Mar 2003 15:55:25 +0100
From: Markus Boelter
To: Giorgos Keramidas, freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030327145525.GF24413@mitternachtsstun.de>
References: <3E82386C.000003.20487@ns.interchange.ca> <20030327103945.GA8208@gothmog.gr>
In-Reply-To: <20030327103945.GA8208@gothmog.gr>

Hi!

On Thu, Mar 27, 2003 at 12:39:45PM +0200, Giorgos Keramidas wrote:
> Hmmm, you could probably do some ingenious stuff with ipfs and a
> shared disk partition, where the 'active' firewall save its state
> periodically. When this falls over, the code that handles the switch
> to the 'backup' machine could reload the state from the shared disk :)

Hm - and if the disk fails, you don't have redundancy :))

cu!
Markus
-- 
please don't send me any html-messages!
pgp-fingerprint: 0FFC 3A33 8B54 DDB9 0F3D BFD5 CFB1 6038 FB0E 1D5B
pgp-public-key: http://www.mitternachtsstun.de/gpg-key.markus.txt

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 08:21:50 2003
Date: Thu, 27 Mar 2003 18:21:37 +0200
From: Giorgos Keramidas
To: Markus Boelter
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030327162137.GA16141@gothmog.gr>
References: <3E82386C.000003.20487@ns.interchange.ca> <20030327103945.GA8208@gothmog.gr> <20030327145525.GF24413@mitternachtsstun.de>
In-Reply-To: <20030327145525.GF24413@mitternachtsstun.de>

On 2003-03-27 15:55, Markus Boelter wrote:
> On Thu, Mar 27, 2003 at 12:39:45PM +0200, Giorgos Keramidas wrote:
>> Hmmm, you could probably do some ingenious stuff with ipfs and a
>> shared disk partition, where the 'active' firewall save its state
>> periodically. When this falls over, the code that handles the switch
>> to the 'backup' machine could reload the state from the shared disk :)
>
> Hm - and if the disk fails, you don't have redundancy :))

Erm, it quickly gets ugly, but you can always save state in a disk that
is local to any of the two machines, i.e. one that is shared over the
network from some other place where you can guarantee redundancy using
other means.

Anyway, I'm not a high-availability expert, so I should shut up now :)

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 08:41:24 2003
Message-ID: <3E8329B1.23977.BBB6042@localhost>
From: "Roger "
To: freebsd-security@freebsd.org
Date: Thu, 27 Mar 2003 16:41:21 -0000
Subject: Re: Multiple Firewalls with ipfilter?
References: <20030327145525.GF24413@mitternachtsstun.de>
In-reply-to: <20030327162137.GA16141@gothmog.gr>

Forget the ipfw state, the ARP and TCP layers are bigger problems if you
want to keep existing connections alive.

MAC layer:-
If your 'primary' box fails then unless you fake the MAC addresses on
the interfaces, the nearby IP routers won't have the IP->MAC routing
tables set up for 2 minutes (ARP will cache it for 20 seconds, but if
your packets keep retrying then only after 2 minutes will it eventually
force an ARP request over the wire). Even if you fake the MAC addresses
then you'll have to send a packet out from both interfaces so that the
Ethernet switches know that the location of the MAC address has changed,
otherwise you still wouldn't get the packets.

TCP:-
Unless you mirror the entire internal state of the connection you'll
have problems: what happens when one end of the connection asks your
'secondary' box to repeat a packet which got lost en route from the
'primary' box? What about sequence numbers?

You could use a non-stateful firewall and avoid all the firewall state
problems (OK, you get another set of problems instead), but if you want
the existing connections to survive the handover, you've got several
other (more complex) layers to worry about!

Roger.

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 11:04:56 2003
Date: Fri, 28 Mar 2003 06:04:45 +1100
From: Peter Jeremy
To: Etienne Ledoux
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
Message-ID: <20030327190445.GC11307@cirb503493.alcatel.com.au>
References: <3E82142E.000017.64676@ns.interchange.ca> <1048774105.27599.15.camel@madcow>
In-Reply-To: <1048774105.27599.15.camel@madcow>

On Thu, Mar 27, 2003 at 04:08:23PM +0200, Etienne Ledoux wrote:
> Both master and slave firewalls are exactly the same except for my
> second firewall had to extra rules right at the top:
>
> # Allow all established connections
> pass in quick proto tcp all flags A/SA keep state keep frags
> pass out quick proto tcp all flags A/SA keep state keep frags
> #pass in quick proto udp all keep state keep frags
> #pass out quick proto udp all keep state keep frags

This means you've lost all the benefits of stateful packet filtering
(and the above is a fairly big security hole since you're allowing any
connection spoofing attempts to succeed). This also doesn't address NAT
state tables - which is critical for me.
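The trade-off Peter points out can be made concrete with a small model of the three options discussed in this thread: Etienne's `flags A/SA keep state` rules on the backup, a plain stateful backup with no state transfer, and a backup that has received the primary's state table (the effect Giorgos's ipfs-and-shared-disk idea aims at). The block below is an added example written for this archive, not ipf code and not from any poster. It models only TCP 5-tuple state with a constructed policy (inbound SYNs to port 22 open state; everything else needs a matching entry); the hosts and ports are constructed, and it deliberately leaves out the NAT tables Peter mentions and the ARP/MAC issues Roger raises.

```python
from dataclasses import dataclass

# Constructed addresses for the scenario (not from the thread).
CLIENT, SERVER, STRANGER = '192.0.2.10', '10.0.0.5', '203.0.113.9'


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters as ipf prints them: S, A, P, F, ...


class TcpFilter:
    """Toy model of an ipf-style stateful TCP filter in front of SERVER.

    Baseline policy (constructed): an inbound SYN to SERVER:22 creates a state
    entry; afterwards a packet passes only if it matches an entry in either
    direction.  With established_by_flags=True the filter also applies the two
    extra rules from Etienne's message ('flags A/SA keep state'): a packet with
    ACK set and SYN clear passes and creates state, even though this box never
    saw a handshake for it.
    """

    def __init__(self, established_by_flags=False):
        self.state = set()          # (client, cport, server, sport) tuples
        self.established_by_flags = established_by_flags

    @staticmethod
    def _keys(pkt):
        # both orientations of the 4-tuple, so replies match the same entry
        return {(pkt.src, pkt.sport, pkt.dst, pkt.dport),
                (pkt.dst, pkt.dport, pkt.src, pkt.sport)}

    def filter(self, pkt):
        if self._keys(pkt) & self.state:
            return 'pass'
        if self.established_by_flags and 'A' in pkt.flags and 'S' not in pkt.flags:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return 'pass'
        if pkt.flags == 'S' and pkt.dst == SERVER and pkt.dport == 22:
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return 'pass'
        return 'block'


def failover_scenario(mode):
    """mode: 'ack_rule' (Etienne's rules on the backup), 'none' (plain stateful
    backup) or 'synced' (backup loaded the primary's state table, as ipfs plus
    a shared disk would do).  Returns what the backup does after the primary dies."""
    primary = TcpFilter()
    backup = TcpFilter(established_by_flags=(mode == 'ack_rule'))
    handshake = [Packet(CLIENT, 40000, SERVER, 22, 'S'),
                 Packet(SERVER, 22, CLIENT, 40000, 'SA'),
                 Packet(CLIENT, 40000, SERVER, 22, 'A')]
    assert all(primary.filter(p) == 'pass' for p in handshake)
    if mode == 'synced':
        backup.state = set(primary.state)
    # The primary dies.  The next packet of the live session, and an unrelated
    # ACK-only packet from a host that never completed a handshake, both arrive
    # at the backup.
    live = Packet(CLIENT, 40000, SERVER, 22, 'AP')
    stray = Packet(STRANGER, 5555, SERVER, 22, 'A')
    return {'session_survives': backup.filter(live) == 'pass',
            'unsolicited_ack_passes': backup.filter(stray) == 'pass'}


if __name__ == '__main__':
    for mode in ('ack_rule', 'none', 'synced'):
        print(mode, failover_scenario(mode))
```

Only the synced backup gets both properties at once: the existing session keeps working and the unsolicited ACK is still blocked. The A/SA rules keep the session but also pass (and create state for) the stray packet, which is the hole Peter describes; a plain stateful backup blocks the stray packet but drops the session, which is the loss randall reports with his VRRP-only setup.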
Peter

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 19:48:49 2003
Message-Id: <200303280348.h2S3mm5b017428@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Date: Thu, 27 Mar 2003 21:48:48 -0600
From: Martin McCormick
Subject: How did I Break ssh?

Every attempt to connect to anything from a new FreeBSD system results in
a "host key verification failed." ssh 127.0.0.1 even fails this way.

I started with a new FreeBSD 4.7 installation and un-tarred the contents
of another 4.7 system to essentially clone this one. My tar ball
purposefully did not have the /etc/ssh directory in it so as to not
overwrite any of the files in the new installation, so I ended up with
all the proper key files like I should.

I can successfully connect to the system from remote hosts so sshd is
working. I even regenerated my own host key with ssh-keygen -tdsa and
that worked.

Is there anywhere else besides my directory and /etc/ssh I should look to
see what got clobbered? It worked fine before I unpacked the tar ball.

I even deliberately deleted all the host keys in /etc/ssh and made it
regenerate new ones. Other than the expected effect of causing the remote
systems to complain about the host identity changing, nothing else
happened.

Martin McCormick WB5AGZ Stillwater, OK
OSU Center for Computing and Information Services Network Operations Group

From owner-freebsd-security@FreeBSD.ORG Thu Mar 27 19:53:00 2003
Date: Thu, 27 Mar 2003 21:53:00 -0600
From: Juli Mallett
To: Martin McCormick
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: How did I Break ssh?
Message-ID: <20030327215300.A92121@FreeBSD.org>
References: <200303280348.h2S3mm5b017428@dc.cis.okstate.edu>
In-Reply-To: <200303280348.h2S3mm5b017428@dc.cis.okstate.edu>; from martin@dc.cis.okstate.edu on Thu, Mar 27, 2003 at 09:48:48PM -0600

* From: Martin McCormick [ Date: 2003-03-27 ] [ Subject: How did I Break ssh? ]
> Every attempt to connect to anything from a new FreeBSD
> system results in a "host key verification failed."
>
> ssh 127.0.0.1 even fails this way.

Update your .ssh/ directories in their knowledge of this host, to not
assume the old key.
-- 
juli mallett. email: jmallett@freebsd.org; aim: bsdflata; efnet: juli;

From owner-freebsd-security@FreeBSD.ORG Wed Mar 26 13:18:55 2003
Date: Wed, 26 Mar 2003 13:18:48 -0800 (PST)
From: randall ehren
To: Michael Richards
Cc: freebsd-security@freebsd.org
Subject: Re: Multiple Firewalls with ipfilter?
In-Reply-To: <3E82142E.000017.64676@ns.interchange.ca>
X-Mailman-Approved-At: Thu, 27 Mar 2003 23:46:41 -0800

> We're supposed to provide redundant firewall service. I'm wondering
> if anyone has ever tried to do this and if it's realistic. Basically
> 2 firewall machines hooked up so if one fails the other will
> transparently step in. I've googled it to death without much luck.
>
> The security issue here lies in that the 2 firewalls can't talk to
> each other. So if I'm keeping state on a connection then the second
> firewall has to know about that connection otherwise it will close if
> that firewall dies.

http://www.isber.ucsb.edu/~randall/firewall/redundant/

i have this setup in use at work, it's an automatic failover but does
not keep existing connections, so things like SSH sessions would be
dropped.

-randall
-- 
:// randall s. ehren
:// voice 805.893.5632
:// systems administrator
:// isber|survey|avss.ucsb.edu
:// institute for social, behavioral, and economic research

From owner-freebsd-security@FreeBSD.ORG Fri Mar 28 14:26:30 2003
Message-Id: <200303282226.h2SMQT5b039844@dc.cis.okstate.edu>
To: freebsd-security@FreeBSD.ORG
Date: Fri, 28 Mar 2003 16:26:29 -0600
From: Martin McCormick X-Spam-Status: No, hits=0.0 required=5.0 tests=none version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Subject: Re: How did I Break ssh? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Mar 2003 22:26:33 -0000 My thanks to all who have offered suggestions as to what to try. Here is what I have learned today. I can completely remove .ssh from my home directory as in rm -r ~/.ssh and I get the "host key verification failed." message rather than an attempt to add a new key to whatever system I am trying to access. ssh does recreate .ssh, but it is empty. This is definitely related to my overlaying of the tar archive as I can demonstrate it on two different systems. I simply had not noticed it on the first one I built until now. I can use ssh-keygen to generate all my local keys with no effect except that the keys are good. If I copy the public key into the authorized_keys file on a remote system, it gets me into the sick system without a password. All in-bound connections work exactly as they should. No outbound connections using ssh work at all. The system I built that became the source of the tar balls which almost have built the other two systems couldn't be better. Its ssh outbound connections work perfectly. This has got to be something that either does not survive the tar extraction or it is something that only fits the system it was generated on. The only files I know about that are unique are all the keys in /etc/ssh and all the keys in each user home directory. The problem is system-wide on all the affected systems. 
I did notice on the other system I cloned that the presence of a known_hosts file caused any ssh attempt to return the same error that one gets when there have been too many retries at logging in to a remote host. The verification failure always occurs after the communication starts and keys are exchanged. If I try ssh -v 127.0.0.1 or ssh -v someremotehost.org, the debug output is almost identical between a working system and these sick ones except that I am offered a chance to add 127.0.0.1 to the list on the good system while the bad one just fails. If I answer no to the good system, I get the "host key verification failed" message, also. Any other ideas are appreciated. The idea of building new systems partly from tar balls appears to mostly work well if the systems are the same architecture which these are so it is important to know what is happening here because I suspect it isn't too hard to fix. Martin McCormick From owner-freebsd-security@FreeBSD.ORG Fri Mar 28 14:50:15 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9271D37B401 for ; Fri, 28 Mar 2003 14:50:15 -0800 (PST) Received: from fubar.adept.org (fubar.adept.org [63.147.172.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id D78E443FDD for ; Fri, 28 Mar 2003 14:50:14 -0800 (PST) (envelope-from mike@adept.org) Received: by fubar.adept.org (Postfix, from userid 1001) id 6C7411522A; Fri, 28 Mar 2003 14:49:51 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by fubar.adept.org (Postfix) with ESMTP id 6BAE215227 for ; Fri, 28 Mar 2003 14:49:51 -0800 (PST) Date: Fri, 28 Mar 2003 14:49:51 -0800 (PST) 
From: Mike Hoskins To: freebsd-security@freebsd.org In-Reply-To: Message-ID: <20030328144454.A10259-100000@fubar.adept.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Status: No, hits=-19.5 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) Subject: Re: Multiple Firewalls with ipfilter? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Mar 2003 22:50:16 -0000 On Wed, 26 Mar 2003, randall ehren wrote: > > We're supposed to provide redundant firewall service. I'm wondering > > if anyone has ever tried to do this and if it's realistic. Basically > > 2 firewall machines hooked up so if one fails the other will > > transparently step in. I've googled it to death without much luck. > http://www.isber.ucsb.edu/~randall/firewall/redundant/ > i have this setup in use at work, it's an automatic failover but does not > keep existing connections, so things like SSH sessions would be dropped. Nice setup... If reliability is such a concern, the original poster could also move the state 'in front' of the firewalls. I.e. Invest in some stateful load balancers. I've asked a similar question in the past, and had the stateful (BSD) firewall discussion a few times, and that's often the suggestion that gets thrown around. I agree an alternative would be nice if you're on a budget, but you often get what you pay for. Using something new and/or experimental may not be the best option based upon the type of traffic these firewalls will be passing. 
-mrh From owner-freebsd-security@FreeBSD.ORG Fri Mar 28 08:37:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 532B137B401 for ; Fri, 28 Mar 2003 08:37:56 -0800 (PST) Received: from smtpzilla5.xs4all.nl (smtpzilla5.xs4all.nl [194.109.127.141]) by mx1.FreeBSD.org (Postfix) with ESMTP id 30B5743F75 for ; Fri, 28 Mar 2003 08:37:55 -0800 (PST) (envelope-from akruijff@xs4all.nl) Received: from akruijff.xs4all.nl (akruijff.xs4all.nl [194.109.0.117]) by smtpzilla5.xs4all.nl (8.12.0/8.12.0) with ESMTP id h2SGbpIq034079; Fri, 28 Mar 2003 17:37:51 +0100 (CET) Content-Type: text/plain; charset="iso-8859-1" 
From: Alex de Kruijff To: Martin McCormick , freebsd-security@FreeBSD.ORG Date: Fri, 28 Mar 2003 17:37:51 +0100 User-Agent: KMail/1.4.3 References: <200303280348.h2S3mm5b017428@dc.cis.okstate.edu> In-Reply-To: <200303280348.h2S3mm5b017428@dc.cis.okstate.edu> MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200303281737.51054.akruijff@xs4all.nl> X-Spam-Status: No, hits=-31.9 required=5.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_KMAIL autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) X-Mailman-Approved-At: Fri, 28 Mar 2003 15:36:00 -0800 Subject: Re: How did I Break ssh? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Mar 2003 16:37:57 -0000 On Friday 28 March 2003 04:48, Martin McCormick wrote: > Every attempt to connect to anything from a new FreeBSD > system results in a "host key verification failed." > > ssh 127.0.0.1 even fails this way. > > I started with a new FreeBSD4.7 installation and > un-tarred the contents of another 4.7 system to essentially clone > this one. > What does the /var/log/messages say just before or after you tried to log on to that machine? 
-- Alex From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 00:28:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 36F7637B401 for ; Sat, 29 Mar 2003 00:28:26 -0800 (PST) Received: from th23.opsion.fr (th23.opsion.fr [62.39.122.33]) by mx1.FreeBSD.org (Postfix) with SMTP id 228AD43FBD for ; Sat, 29 Mar 2003 00:28:25 -0800 (PST) (envelope-from dhombrecher@ifrance.com) Received: from 81.56.157.175 [81.56.157.175] by th23.opsion.fr id 200303290826.0ab7; Sat, 29 Mar 2003 08:26:10 GMT Message-ID: <000d01c2f5cd$498b9360$020d390a@d> 
From: "Dirk Hombrecher" To: Date: Sat, 29 Mar 2003 09:29:11 +0100 MIME-Version: 1.0 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2720.3000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: IPFW2 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Mar 2003 08:28:27 -0000 Hi, has anybody an example of firewall rules written with IPFW2 using the MAC address? Regards, Dirk Hombrecher From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 07:10:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44B0937B404 for ; Sat, 29 Mar 2003 07:10:41 -0800 (PST) Received: from hub.org (hub.org [64.117.224.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id C331A43FBD for ; Sat, 29 Mar 2003 07:10:40 -0800 (PST) (envelope-from excalibur@hub.org) Received: from excalibur.hub.org (u231n71.eastlink.ca [24.222.231.71]) by hub.org (Postfix) with ESMTP id 8865D1038CC4 for ; Sat, 29 Mar 2003 11:10:33 -0400 (AST) Message-Id: <5.2.0.9.0.20030329110305.009fd8e0@mail.hub.org> X-Sender: excalibur@hub.org@mail.hub.org X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Sat, 29 Mar 2003 11:10:56 -0400 To: security@freebsd.org 
From: Chris Bowlby Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Subject: Re: Documentation people needed. FreeBSD/Security clue beneficial. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Mar 2003 15:11:12 -0000 Hi All, Ok after watching all the discussion about some security documentation and teams I have come up with a few ideas that might help out some. I'm willing to program an interface at the extremefreebsd.org site (yes I know it's still new and under some work) that will allow the following: 1. A dedicated page for security related posts (articles, docs, advisories, etc) at security.extremefreebsd.org. 2. The founding members of the team will have voting rights on who can be added to the team, through an account interface. 3. Articles can be posted within a standard formatting template, based on the specs I receive from the team. 4. Any posts that are committed (approved by the team members) will show up in the main news section for extreme freebsd. 5. I can program an interface to allow others to include the posts on their sites, very similar to what freebsd.org does to allow other websites to link to the new articles. 6. Any ideas that I have not thought of, but the team has come up with I can add to the site as needed. I am willing to donate my time and the site for this purpose, all I really need is a few specs on what types of interfaces you'd like to use to edit/add/archive content via the browser. I don't mean generic login pages, etc but the exact layout of the articles, advisories and such... Once I have that I can go ape guns on getting the programming done while the team(s) are formed... 
From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 11:11:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5341237B401 for ; Sat, 29 Mar 2003 11:11:01 -0800 (PST) Received: from users.munk.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AFA943FB1 for ; Sat, 29 Mar 2003 11:10:58 -0800 (PST) (envelope-from munk@users.munk.nu) Received: from users.munk.nu (munk@localhost [127.0.0.1]) by users.munk.nu (8.12.8/8.12.8) with ESMTP id h2TJCrHP080293 for ; Sat, 29 Mar 2003 19:12:53 GMT (envelope-from munk@users.munk.nu) Received: (from munk@localhost) by users.munk.nu (8.12.8/8.12.8/Submit) id h2TJCpOo080292 for security@freebsd.org; Sat, 29 Mar 2003 19:12:51 GMT Date: Sat, 29 Mar 2003 19:12:51 +0000 
From: Jez Hancock To: security@freebsd.org Message-ID: <20030329191251.GB80087@users.munk.nu> Mail-Followup-To: security@freebsd.org References: <5.2.0.9.0.20030329110305.009fd8e0@mail.hub.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.2.0.9.0.20030329110305.009fd8e0@mail.hub.org> User-Agent: Mutt/1.4.1i Subject: Re: Documentation people needed. FreeBSD/Security clue beneficial. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Mar 2003 19:11:33 -0000 On Sat, Mar 29, 2003 at 11:10:56AM -0400, Chris Bowlby wrote: > I am willing to donate my time and the site for this purpose, all I > really need is a few specs on what types of interfaces you'd like to use to > edit/add/archive content via the browser. I don't mean generic login pages, > etc but the exact layout of the articles, advisories and such... Once I > have that I can go ape guns on getting the programming done while the > team(s) are formed... Perhaps it would be an idea to become familiar with the docproj package and the format they use for their documentation if you haven't done so already. I had a quick read through the requirements for documentation submitted to freebsd.org doc team a while ago (after installing /usr/ports/textproc/docproj/) and as I remember they have a selection of SGML templates that they use to build their books. It might save a lot of time later if you could have all documents on your server in SGML so you can later mark them up how you want, depending on the media used. What do you plan on developing the user interface in by the way? Who would comprise the core security doc team? I suppose this is a question for Jacques Vidrine as security officer(?). 
Jez From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 11:31:10 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C68CC37B401 for ; Sat, 29 Mar 2003 11:31:10 -0800 (PST) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 05FE343F93 for ; Sat, 29 Mar 2003 11:31:10 -0800 (PST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2TJV7rj084340 for ; Sat, 29 Mar 2003 14:31:07 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030329143542.037b1600@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Sat, 29 Mar 2003 14:36:29 -0500 To: security@freebsd.org 
From: Mike Tancsa Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Subject: Security fix (Fwd: sendmail 8.12.9 available X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Mar 2003 19:31:13 -0000 From bugtraq :-( >-----BEGIN PGP SIGNED MESSAGE----- > >Sendmail, Inc., and the Sendmail Consortium announce the availability >of sendmail 8.12.9. It contains a fix for a critical security >problem discovered by Michal Zalewski whom we thank for bringing >this problem to our attention. Sendmail urges all users to either >upgrade to sendmail 8.12.9 or apply a patch for your sendmail version >that is part of this announcement. Remember to check the PGP >signatures of patches or releases obtained via FTP or HTTP (to check >the correctness of the patches in this announcement please verify >the PGP signature of it). For those not running the open source >version, check with your vendor for a patch. > >We apologize for releasing this information today (2003-03-29) but >we were forced to do so by an e-mail on a public mailing list (that >has been sent by an irresponsible individual) which contains >information about the security flaw. > >For a complete list of changes see the release notes down below. > >Please send bug reports to sendmail-bugs@sendmail.org as usual. > >Note: We have changed the way we digitally sign the source code >distributions to simplify verification: in contrast to earlier >versions two .sig files are provided, one each for the gzip'ed >version and the compressed version. That is, instead of signing the >tar file, we sign the compressed/gzip'ed files, so you do not need >to uncompress the file before checking the signature. 
> >This version can be found at > >ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz >ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.gz.sig >ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z >ftp://ftp.sendmail.org/pub/sendmail/sendmail.8.12.9.tar.Z.sig > >and the usual mirror sites. > >MD5 signatures: > >3dba3b6d769b3681640d0a38b0eba48c sendmail.8.12.9.tar.gz >19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.gz.sig >268fc4045ba3eac6dfd9dc95d889ba5f sendmail.8.12.9.tar.Z >19e39c9e9bc8fae288245c546639e1f4 sendmail.8.12.9.tar.Z.sig > >You either need the first two files or the third and fourth, i.e., >the gzip'ed version or the compressed version and the corresponding >.sig file. The PGP signature was created using the Sendmail Signing >Key/2003, available on the web site (http://www.sendmail.org/) or >on the public key servers. > >Since sendmail 8.11 and later includes hooks to cryptography, the >following information from OpenSSL applies to sendmail as well. > > PLEASE REMEMBER THAT EXPORT/IMPORT AND/OR USE OF STRONG CRYPTOGRAPHY > SOFTWARE, PROVIDING CRYPTOGRAPHY HOOKS OR EVEN JUST COMMUNICATING > TECHNICAL DETAILS ABOUT CRYPTOGRAPHY SOFTWARE IS ILLEGAL IN SOME > PARTS OF THE WORLD. SO, WHEN YOU IMPORT THIS PACKAGE TO YOUR > COUNTRY, RE-DISTRIBUTE IT FROM THERE OR EVEN JUST EMAIL TECHNICAL > SUGGESTIONS OR EVEN SOURCE PATCHES TO THE AUTHOR OR OTHER PEOPLE > YOU ARE STRONGLY ADVISED TO PAY CLOSE ATTENTION TO ANY EXPORT/IMPORT > AND/OR USE LAWS WHICH APPLY TO YOU. THE AUTHORS ARE NOT LIABLE FOR > ANY VIOLATIONS YOU MAKE HERE. SO BE CAREFUL, IT IS YOUR RESPONSIBILITY. > > > SENDMAIL RELEASE NOTES > $Id: RELEASE_NOTES,v 8.1340.2.132 2003/03/29 14:02:26 ca Exp $ > > >This listing shows the version of the sendmail binary, the version >of the sendmail configuration files, the date of release, and a >summary of the changes in that release. 
> >8.12.9/8.12.9 2003/03/29 > SECURITY: Fix a buffer overflow in address parsing due to > a char to int conversion problem which is potentially > remotely exploitable. Problem found by Michal Zalewski. > Note: an MTA that is not patched might be vulnerable to > data that it receives from untrusted sources, which > includes DNS. > To provide partial protection to internal, unpatched sendmail MTAs, > 8.12.9 changes by default (char)0xff to (char)0x7f in > headers etc. To turn off this conversion compile with > -DALLOW_255 or use the command line option -d82.101. > To provide partial protection for internal, unpatched MTAs that > may be > performing 7->8 or 8->7 bit MIME conversions, the default > for MaxMimeHeaderLength has been changed to 2048/1024. > Note: this does have a performance impact, and it only > protects against frontal attacks from the outside. > To disable the checks and return to pre-8.12.9 defaults, > set MaxMimeHeaderLength to 0/0. > Do not complain about -ba when submitting mail. Problem noted > by Derek Wueppelmann. > Fix compilation with Berkeley DB 1.85 on systems that do not > have flock(2). Problem noted by Andy Harper of Kings > College London. > Properly initialize data structure for dns maps to avoid various > errors, e.g., looping processes. Problem noted by > Maurice Makaay. > CONFIG: Prevent multiple application of rule to add smart host. > Patch from Andrzej Filip. > CONFIG: Fix queue group declaration in MAILER(`usenet'). > CONTRIB: buildvirtuser: New option -t builds the virtusertable > text file instead of the database map. > Portability: > Revert wrong change made in 8.12.7 and actually use the > builtin getopt() version in sendmail on Linux. > This can be overridden by using -DSM_CONF_GETOPT=0 > in which case the OS supplied version will be used. > > >Instructions to extract and apply the patches for sendmail: > >The data below is a uuencoded, gzip'ed tar file. 
Store the data >between "========= begin patch ========" and "========= end patch >==========" into a file called "patch.sm" and apply the following >command: > >uudecode -p < patch.sm | gunzip -c | tar -xf - > >This will give you these files (explanation for each file is on >the left, only "prescan.VERSION.patch" are the files). > >prescan.8.12.8.patch only for 8.12.8, changes version string to 8.12.8p1 >prescan.8.12.patch for 8.12.0 - 8.12.7, does not change version string >prescan.8.11.6.patch only for 8.11.6, changes version string to 8.11.6p2 >prescan.8.11.patch for 8.11.0 - 8.11.5, does not change version string >prescan.8.9.3.patch only for 8.9.3, changes version string to 8.9.3p2 >prescan.8.9.patch for 8.9.0 - 8.9.2, does not change version string > >Apply the appropriate patch to your version of the sendmail source >code (change the version number below to the right one!), e.g., > >cd sendmail-8.12.8/sendmail >patch < prescan.8.12.8.patch > >recompile sendmail, and install the new binary. 
> >========= begin patch ======== > >========= end patch ========== -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 11:40:40 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F3D9A37B401 for ; Sat, 29 Mar 2003 11:40:39 -0800 (PST) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3EA9D43F93 for ; Sat, 29 Mar 2003 11:40:39 -0800 (PST) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.8/8.12.8) with ESMTP id h2TJebrj084362; Sat, 29 Mar 2003 14:40:37 -0500 (EST) (envelope-from mike@sentex.net) Message-Id: <5.2.0.9.0.20030329144414.0786c4c8@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9 Date: Sat, 29 Mar 2003 14:45:59 -0500 To: security@freebsd.org 
From: Mike Tancsa In-Reply-To: <5.2.0.9.0.20030329143542.037b1600@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Subject: Re: Security fix (Fwd: sendmail 8.12.9 available X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Mar 2003 19:40:42 -0000 At 02:36 PM 29/03/2003 -0500, Mike Tancsa wrote: > From bugtraq :-( And just a few minutes later, the kind people at sendmail have mfc'd it to RELENG_4. Thanks! >gshapiro 2003/03/29 11:33:18 PST > > FreeBSD src repository > > Modified files: (Branch: RELENG_4) > contrib/sendmail FREEBSD-upgrade RELEASE_NOTES > contrib/sendmail/cf README > contrib/sendmail/cf/cf submit.cf > contrib/sendmail/cf/m4 cfhead.m4 proto.m4 version.m4 > contrib/sendmail/cf/mailer usenet.m4 > contrib/sendmail/contrib buildvirtuser > contrib/sendmail/doc/op op.me > contrib/sendmail/editmap editmap.8 > contrib/sendmail/include/sm bdb.h conf.h > contrib/sendmail/libmilter/docs api.html design.html > index.html installation.html > other.html overview.html > sample.html > smfi_addheader.html > smfi_addrcpt.html > smfi_chgheader.html > smfi_delrcpt.html > smfi_getpriv.html > smfi_getsymval.html > smfi_main.html > smfi_register.html > smfi_replacebody.html > smfi_setbacklog.html > smfi_setconn.html > smfi_setpriv.html > smfi_setreply.html > smfi_settimeout.html > xxfi_abort.html xxfi_body.html > xxfi_close.html > xxfi_connect.html > xxfi_envfrom.html > xxfi_envrcpt.html > xxfi_eoh.html xxfi_eom.html > xxfi_header.html > xxfi_helo.html > contrib/sendmail/libsm clock.c config.c > contrib/sendmail/mail.local mail.local.c > contrib/sendmail/src README collect.c conf.c deliver.c > headers.c main.c milter.c parseaddr.c > queue.c readcf.c sendmail.h sm_resolve.c > srvrsmtp.c 
tls.c usersmtp.c version.c > Log: > MFC: sendmail 8.12.9 import > > Approved by: re (bmah) > > Revision Changes Path > 1.1.2.16 +5 -5 src/contrib/sendmail/FREEBSD-upgrade > 1.1.1.3.2.15 +38 -1 src/contrib/sendmail/RELEASE_NOTES > 1.1.1.3.2.15 +2 -3 src/contrib/sendmail/cf/README > 1.1.1.1.2.8 +7 -5 src/contrib/sendmail/cf/cf/submit.cf > 1.3.6.8 +4 -2 src/contrib/sendmail/cf/m4/cfhead.m4 > 1.1.1.4.2.13 +7 -3 src/contrib/sendmail/cf/m4/proto.m4 > 1.1.1.3.2.15 +2 -2 src/contrib/sendmail/cf/m4/version.m4 > 1.1.1.2.6.3 +3 -3 src/contrib/sendmail/cf/mailer/usenet.m4 > 1.1.1.1.2.5 +22 -5 src/contrib/sendmail/contrib/buildvirtuser > 1.1.1.3.2.15 +14 -5 src/contrib/sendmail/doc/op/op.me > 1.1.1.1.2.2 +3 -3 src/contrib/sendmail/editmap/editmap.8 > 1.1.1.1.2.2 +5 -5 src/contrib/sendmail/include/sm/bdb.h > 1.1.1.1.2.7 +3 -2 src/contrib/sendmail/include/sm/conf.h > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/api.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/design.html > 1.1.1.1.2.2 +3 -3 src/contrib/sendmail/libmilter/docs/index.html > 1.1.1.1.2.3 +3 > -7 src/contrib/sendmail/libmilter/docs/installation.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/other.html > 1.1.1.1.2.2 +3 -3 src/contrib/sendmail/libmilter/docs/overview.html > 1.1.1.1.2.3 +2 -2 src/contrib/sendmail/libmilter/docs/sample.html > 1.1.1.1.2.3 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_addheader.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_addrcpt.html > 1.1.1.1.2.3 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_chgheader.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_delrcpt.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_getpriv.html > 1.1.1.1.2.3 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_getsymval.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/smfi_main.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_register.html > 1.1.1.1.2.2 +2 > -2 
src/contrib/sendmail/libmilter/docs/smfi_replacebody.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_setbacklog.html > 1.1.1.1.2.2 +16 > -6 src/contrib/sendmail/libmilter/docs/smfi_setconn.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_setpriv.html > 1.1.1.1.2.4 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_setreply.html > 1.1.1.1.2.3 +2 > -2 src/contrib/sendmail/libmilter/docs/smfi_settimeout.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/xxfi_abort.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/xxfi_body.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/xxfi_close.html > 1.1.1.1.2.2 +2 > -2 src/contrib/sendmail/libmilter/docs/xxfi_connect.html > 1.1.1.1.2.2 +3 > -3 src/contrib/sendmail/libmilter/docs/xxfi_envfrom.html > 1.1.1.1.2.2 +3 > -3 src/contrib/sendmail/libmilter/docs/xxfi_envrcpt.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/xxfi_eoh.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/xxfi_eom.html > 1.1.1.1.2.2 +3 > -3 src/contrib/sendmail/libmilter/docs/xxfi_header.html > 1.1.1.1.2.2 +2 -2 src/contrib/sendmail/libmilter/docs/xxfi_helo.html > 1.1.1.1.2.5 +3 -3 src/contrib/sendmail/libsm/clock.c > 1.1.1.1.2.3 +5 -2 src/contrib/sendmail/libsm/config.c > 1.6.6.14 +3 -3 src/contrib/sendmail/mail.local/mail.local.c > 1.1.1.3.2.14 +5 -2 src/contrib/sendmail/src/README > 1.1.1.4.2.12 +6 -1 src/contrib/sendmail/src/collect.c > 1.5.2.14 +125 -5 src/contrib/sendmail/src/conf.c > 1.1.1.3.2.14 +14 -3 src/contrib/sendmail/src/deliver.c > 1.4.2.10 +9 -1 src/contrib/sendmail/src/headers.c > 1.1.1.3.2.15 +10 -1 src/contrib/sendmail/src/main.c > 1.1.1.1.2.16 +24 -14 src/contrib/sendmail/src/milter.c > 1.1.1.2.6.13 +14 -3 src/contrib/sendmail/src/parseaddr.c > 1.1.1.3.2.14 +6 -6 src/contrib/sendmail/src/queue.c > 1.1.1.4.2.14 +27 -1 src/contrib/sendmail/src/readcf.c > 1.1.1.4.2.15 +4 -1 src/contrib/sendmail/src/sendmail.h > 1.1.1.1.2.3 +11 -10 
>               src/contrib/sendmail/src/sm_resolve.c
>  1.1.1.2.6.14 +1 -3    src/contrib/sendmail/src/srvrsmtp.c
>  1.1.1.1.2.5  +1 -1    src/contrib/sendmail/src/tls.c
>  1.1.1.3.2.12 +8 -8    src/contrib/sendmail/src/usersmtp.c
>  1.1.1.3.2.15 +2 -2    src/contrib/sendmail/src/version.c
> _______________________________________________
> cvs-all@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/cvs-all
> To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 13:11:33 2003
Date: Sat, 29 Mar 2003 15:11:31 -0600
From: D J Hawkey Jr
To: Mike Tancsa
Cc: security@freebsd.org
Subject: Re: Security fix (Fwd: sendmail 8.12.9 available
Message-ID: <20030329151131.B13660@sheol.localdomain>
References: <5.2.0.9.0.20030329143542.037b1600@marble.sentex.ca> <5.2.0.9.0.20030329144414.0786c4c8@marble.sentex.ca>
In-Reply-To: <5.2.0.9.0.20030329144414.0786c4c8@marble.sentex.ca>; from mike@sentex.net on Sat, Mar 29, 2003 at 02:45:59PM -0500
Reply-To: hawkeyd@visi.com

On Mar 29, at 02:45 PM, Mike Tancsa wrote:
>
> At 02:36 PM 29/03/2003 -0500, Mike Tancsa wrote:
>
> > From bugtraq :-(
>
> And just a few minutes later, the kind people at sendmail have mfc'd it to
> RELENG_4. Thanks!

I see that RELENG_4_6 and RELENG_4_5 got or are getting MFC'd, too.

Will there be an SA (with the customary SA patchfiles) for this? I want to
patch some RELENG_4_5 machines, rather than cvsup(1) them, because I've
patched them for SA-03:01 through SA-03:06. cvsup(1) will revert/overwrite
all those patches, right?

SA-03:04 was for sendmail, and the patchfile for RELENG_4_6 applied to
RELENG_4_5 with just a few [sic] "fuzzy lines".

I know I'm on my own in supporting RELENG_4_5, but the right tools
(a patchfile, even if for RELENG_4_6) would make the job a lot easier.

Thanks,
Dave

--
D. J. HAWKEY JR.
hawkeyd@visi.com
http://www.visi.com/~hawkeyd/

From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 14:12:32 2003
Date: Sat, 29 Mar 2003 16:12:31 -0600
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Subject: HEADS UP: new sendmail issue
Message-ID: <20030329221231.GA83862@madman.celabo.org>
Mail-Followup-To: "Jacques A. Vidrine", freebsd-security@FreeBSD.org
Reply-To: freebsd-security@FreeBSD.org

Hello,

Expect to see commits to all branches today, and a FreeBSD advisory
following sometime today or tomorrow.

Cheers,
--
Jacques A. Vidrine <http://www.celabo.org/>
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Sat Mar 29 18:01:24 2003
Date: Sat, 29 Mar 2003 20:01:22 -0600
From: "Jacques A. Vidrine"
To: D J Hawkey Jr
Cc: security@freebsd.org
Subject: Re: Security fix (Fwd: sendmail 8.12.9 available
Message-ID: <20030330020122.GA83978@madman.celabo.org>
References: <5.2.0.9.0.20030329143542.037b1600@marble.sentex.ca> <5.2.0.9.0.20030329144414.0786c4c8@marble.sentex.ca> <20030329151131.B13660@sheol.localdomain>
In-Reply-To: <20030329151131.B13660@sheol.localdomain>

On Sat, Mar 29, 2003 at 03:11:31PM -0600, D J Hawkey Jr wrote:
> Will there be an SA (with the customary SA patchfiles) for this?

yes

> I know I'm on my own in supporting RELENG_4_5, but the right tools
> (a patchfile, even if for RELENG_4_6) would make the job a lot easier.

You can use the sendmail.org supplied patches.

  cd /usr/src/contrib/sendmail/src
  patch -s -p1 < /path/to/patch
  cd /usr/src/lib/libsm
  make obj && make depend && make
  cd /usr/src/lib/libsmutil
  make obj && make depend && make
  cd /usr/src/usr.sbin/sendmail
  make obj && make depend && make && make install

Cheers,
--
Jacques A. Vidrine <http://www.celabo.org/>
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se
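The rebuild sequence Jacques posted above, wrapped as a script with the checks an administrator patching hand-maintained RELENG_4_5 boxes (the situation Dave describes) would want first: a version check so already-fixed hosts are left alone, and a check-only run of the patch before anything is modified. This is an added example written for this archive page, not code from the thread, from sendmail.org, or from the FreeBSD project. It assumes the FreeBSD 4.x /usr/src layout, that `sendmail -d0.1 -bv root` prints a leading "Version X.Y.Z" line, that the system patch(1) accepts `-C` for a check-only run (GNU patch spells this `--dry-run`), and it takes 8.12.9 as the fixed release from the thread's subject line; all function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the thread): version check plus a check-only patch
# run in front of the exact build steps posted in the reply above.
# Assumptions: FreeBSD 4.x /usr/src layout; BSD patch(1) supports -C (check
# only); 8.12.9 is the fixed sendmail release named in the thread's subject.

# sm_version_ge A B: return 0 when dotted numeric version A >= B.
# Copes with differing component counts (8.12 vs 8.12.9). Non-numeric
# suffixes are not handled; stock sendmail release numbers do not use them.
sm_version_ge() {
    va=$1
    vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        ca=${va%%.*}; cb=${vb%%.*}
        # strip the leading component, or empty the string if it was the last
        if [ "$va" = "$ca" ]; then va=''; else va=${va#*.}; fi
        if [ "$vb" = "$cb" ]; then vb=''; else vb=${vb#*.}; fi
        ca=${ca:-0}; cb=${cb:-0}          # missing components count as 0
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
    done
    return 0
}

# sm_installed_version: version string of the sendmail binary in PATH.
# Assumption: 'sendmail -d0.1 -bv root' prints "Version X.Y.Z" first.
sm_installed_version() {
    sendmail -d0.1 -bv root 2>/dev/null \
        | sed -n 's/^Version \([0-9.]*\).*/\1/p' | head -n 1
}

# sm_needs_update FIXED: 0 if the installed sendmail is older than FIXED,
# 1 if it is already at or past FIXED, 2 if the version cannot be read.
sm_needs_update() {
    installed=$(sm_installed_version)
    [ -n "$installed" ] || { echo "cannot determine sendmail version" >&2; return 2; }
    if sm_version_ge "$installed" "$1"; then
        echo "sendmail $installed is already >= $1"
        return 1
    fi
    echo "sendmail $installed is older than $1"
    return 0
}

# apply_sendmail_patch PATCHFILE [SRCROOT]: verify the vendor patch applies
# cleanly, then run the build sequence from the thread. Every step runs in a
# subshell so a failure stops the sequence instead of building half a tree.
apply_sendmail_patch() {
    patchfile=$1
    srcroot=${2:-/usr/src}
    [ -f "$patchfile" ] || { echo "no such patch file: $patchfile" >&2; return 1; }
    [ -d "$srcroot/contrib/sendmail/src" ] \
        || { echo "no sendmail sources under $srcroot" >&2; return 1; }
    # check-only pass (-C, assumed BSD patch(1); GNU patch: --dry-run)
    ( cd "$srcroot/contrib/sendmail/src" && patch -s -p1 -C < "$patchfile" ) \
        || { echo "patch does not apply cleanly; refusing to continue" >&2; return 1; }
    ( cd "$srcroot/contrib/sendmail/src" && patch -s -p1 < "$patchfile" ) || return 1
    for dir in lib/libsm lib/libsmutil; do
        ( cd "$srcroot/$dir" && make obj && make depend && make ) || return 1
    done
    ( cd "$srcroot/usr.sbin/sendmail" \
        && make obj && make depend && make && make install )
}

# Usage: sh this_script.sh --apply /path/to/sendmail.8.12.9.patch
# Only patches when the running binary is still older than 8.12.9.
if [ "${1:-}" = "--apply" ] && [ -n "${2:-}" ]; then
    sm_needs_update 8.12.9 && apply_sendmail_patch "$2"
fi
```

The check-only pass matters for exactly the case Dave raises: a patch cut for RELENG_4_6 applied to RELENG_4_5 with "fuzzy lines", and `-C` lets you see those offsets before the tree is touched. Because `make install` replaces the live MTA, the version gate means re-running the script on a host that already got the fix is a no-op rather than a second rebuild.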