From owner-freebsd-security@FreeBSD.ORG Tue Nov 15 16:55:15 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 930351065674 for ; Tue, 15 Nov 2011 16:55:15 +0000 (UTC) (envelope-from guy.helmer@palisadesystems.com) Received: from ps-2-a.compliancesafe.com (ps-2-a.compliancesafe.com [216.81.161.163]) by mx1.freebsd.org (Postfix) with ESMTP id 4BF218FC08 for ; Tue, 15 Nov 2011 16:55:15 +0000 (UTC) Received: from mail.palisadesystems.com (localhost.compliancesafe.com [127.0.0.1]) by ps-2-a.compliancesafe.com (8.14.4/8.14.3) with ESMTP id pAFGdapI077460 for ; Tue, 15 Nov 2011 10:39:37 -0600 (CST) (envelope-from guy.helmer@palisadesystems.com) Received: from guysmbp.dyn.palisadesys.com (GuysMBP.dyn.palisadesys.com [172.16.2.90]) (authenticated bits=0) by mail.palisadesystems.com (8.14.3/8.14.3) with ESMTP id pAFGdRXv080097 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO) for ; Tue, 15 Nov 2011 10:39:28 -0600 (CST) (envelope-from guy.helmer@palisadesystems.com) X-DKIM: Sendmail DKIM Filter v2.8.3 mail.palisadesystems.com pAFGdRXv080097 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=palisadesystems.com; s=mail; t=1321375168; bh=juaK1wJgHZ8tgZZ8GuVyLpDV9dCQ0Bvppg/kTRI4nNI=; l=128; h=From:Content-Type:Content-Transfer-Encoding:Subject:Date: Message-Id:To:Mime-Version; b=p75usy0y5PQXsMb+k8uujDe3iAHgw359GKkBNvmkyDCM7yddv4KY6QLxiwTKGRUe3 JPXdA6yQKmmGjxkTJlGgQ2EHpA8YuEkV0lgYQipO9V9ClUxd/YZMDq6PPuV69Aqj1G kptERIO2DfyuHaat03NWsvC1VL1gUDLYCfkhieME= From: Guy Helmer Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable Date: Tue, 15 Nov 2011 10:39:31 -0600 Message-Id: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> To: freebsd-security@freebsd.org Mime-Version: 1.0 (Apple Message framework v1251.1) X-Mailer: Apple Mail (2.1251.1) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.5 (mail.palisadesystems.com [172.16.1.5]); Tue, 15 Nov 2011 10:39:28 -0600 (CST) X-Palisade-MailScanner-Information: Please contact the ISP for more information X-Palisade-MailScanner-ID: pAFGdRXv080097 X-Palisade-MailScanner: Found to be clean X-Palisade-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=-2.3, required 5, ALL_TRUSTED -1.00, BAYES_00 -1.90, J_CHICKENPOX_56 0.60) X-Palisade-MailScanner-From: guy.helmer@palisadesystems.com X-Spam-Status: No X-PacketSure-Scanned: Yes X-Mailman-Approved-At: Tue, 15 Nov 2011 17:00:59 +0000 Subject: Possible pam_ssh bug? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Nov 2011 16:55:15 -0000 I have a shell user who is able to login to his accounts via sshd on = FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and = .ssh/id_rsa.pub key pair without a password but nullok was not = specified, so I think this should be considered a bug. During diagnosis, /etc/pam.d/sshd was configured for authentication = using:=20 ------------- auth required pam_ssh.so no_warn = try_first_pass ------------- I enabled _openpam_debug in pam_ssh and found this during a login via = sshd to the user's account: ------------- Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to = load key from /home/targetuser/.ssh/identity Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): loaded = '/home/targetuser/.ssh/id_rsa' from /home/targetuser/.ssh/id_rsa Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_ssh_load_key(): failed to = load key from /home/targetuser/.ssh/id_dsa Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: = targetuser Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: = targetuser Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Checking = login.access for user targetuser from host 172.16.1.240 Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got user: = targetuser Nov 15 09:51:53 fbsd8-i386 sshd[52853]: in pam_sm_acct_mgmt(): Got = login_cap ------------- The view from the client machine during the login: ------------- client:/usr/src/lib/libpam/modules/pam_ssh (557) ssh = targetuser@fbsd8-i386 SSH passphrase:=20 Last login: Tue Nov 15 08:39:28 2011 from 172.16.2.218 Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994 The Regents of the University of California. All rights = reserved. FreeBSD 8.2-RC3 (GENERIC) #0: Sat Jan 29 19:26:23 CST 2011 ------------- So, it asked for the target user's passphrase and successfully = authenticated with any password. I understand what happened but I'm = rather astonished by the result - I would not have expected pam_ssh to = have succeeded on a passwordless key file when a password was required = in the pam configuration file, based on the pam_ssh.8 man page: nullok Normally, keys with no passphrase are ignored for = authen- tication purposes. If this option is set, keys = with no passphrase will be taken into consideration, = allowing the user to log in with a blank password. Thoughts? Thanks, Guy Helmer -------- This message has been scanned by ComplianceSafe, powered by Palisade's PacketSure. From owner-freebsd-security@FreeBSD.ORG Tue Nov 15 20:53:07 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id DA3E5106564A for ; Tue, 15 Nov 2011 20:53:07 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 9DB398FC16 for ; Tue, 15 Nov 2011 20:53:06 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 94DB15790; Tue, 15 Nov 2011 20:53:05 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 5D9698E88; Tue, 15 Nov 2011 21:53:05 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Guy Helmer References: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> Date: Tue, 15 Nov 2011 21:53:05 +0100 In-Reply-To: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> (Guy Helmer's message of "Tue, 15 Nov 2011 10:39:31 -0600") Message-ID: <861ut9rtu6.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Possible pam_ssh bug? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Nov 2011 20:53:07 -0000 Guy Helmer writes: > I have a shell user who is able to login to his accounts via sshd on > FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and > .ssh/id_rsa.pub key pair without a password but nullok was not > specified, so I think this should be considered a bug. Agreed. Not quite sure how to fix it, but I'll look into it and try to get a patch in before 9.0. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Tue Nov 15 21:12:48 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7D1DF1065674 for ; Tue, 15 Nov 2011 21:12:48 +0000 (UTC) (envelope-from des@des.no) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 3C9978FC13 for ; Tue, 15 Nov 2011 21:12:48 +0000 (UTC) Received: from ds4.des.no (des.no [84.49.246.2]) by smtp.des.no (Postfix) with ESMTP id 597A257A1; Tue, 15 Nov 2011 21:12:47 +0000 (UTC) Received: by ds4.des.no (Postfix, from userid 1001) id 374458E8E; Tue, 15 Nov 2011 22:12:47 +0100 (CET) From: =?utf-8?Q?Dag-Erling_Sm=C3=B8rgrav?= To: Guy Helmer References: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> Date: Tue, 15 Nov 2011 22:12:46 +0100 In-Reply-To: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> (Guy Helmer's message of "Tue, 15 Nov 2011 10:39:31 -0600") Message-ID: <86ty65qecx.fsf@ds4.des.no> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/23.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="=-=-=" Cc: freebsd-security@freebsd.org Subject: Re: Possible pam_ssh bug? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Nov 2011 21:12:48 -0000 --=-=-= Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable Guy Helmer writes: > I have a shell user who is able to login to his accounts via sshd on > FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and > .ssh/id_rsa.pub key pair without a password but nullok was not > specified, so I think this should be considered a bug. It turns out that this goes all the way to OpenSSL, which ignores the passphrase if the key is not encrypted. The only solution I can think of - more of a workaround, really - is to first try to load the key with an empty passphrase, and skip the key if that worked. See the attached (untested) patch. A more advanced patch would load all keys but require at least one of them to have a passphrase. DES --=20 Dag-Erling Sm=C3=B8rgrav - des@des.no --=-=-= Content-Type: text/x-patch Content-Disposition: attachment; filename=pam_ssh_nullok.diff Index: lib/libpam/modules/pam_ssh/pam_ssh.c =================================================================== --- lib/libpam/modules/pam_ssh/pam_ssh.c (revision 227125) +++ lib/libpam/modules/pam_ssh/pam_ssh.c (working copy) @@ -93,7 +93,8 @@ * struct pam_ssh_key containing the key and its comment. */ static struct pam_ssh_key * -pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase) +pam_ssh_load_key(const char *dir, const char *kfn, const char *passphrase, + int nullok) { struct pam_ssh_key *psk; char fn[PATH_MAX]; @@ -103,6 +104,21 @@ if (snprintf(fn, sizeof(fn), "%s/%s", dir, kfn) > (int)sizeof(fn)) return (NULL); comment = NULL; + if (!nullok) { + /* + * If the key is unencrypted, OpenSSL ignores the + * passphrase, so it will seem like the user typed in the + * right one. This allows a user to circumvent nullok by + * providing a dummy passphrase. Verify that the key + * really *is* encrypted by trying to load it with an + * empty passphrase. + */ + key = key_load_private(fn, "", &comment); + if (key != NULL) { + key_free(key); + return (NULL); + } + } key = key_load_private(fn, passphrase, &comment); if (key == NULL) { openpam_log(PAM_LOG_DEBUG, "failed to load key from %s", fn); @@ -180,7 +196,7 @@ /* try to load keys from all keyfiles we know of */ for (kfn = pam_ssh_keyfiles; *kfn != NULL; ++kfn) { - psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase); + psk = pam_ssh_load_key(pwd->pw_dir, *kfn, passphrase, nullok); if (psk != NULL) { pam_set_data(pamh, *kfn, psk, pam_ssh_free_key); ++nkeys; --=-=-=-- From owner-freebsd-security@FreeBSD.ORG Tue Nov 15 22:17:34 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id AC0131065670 for ; Tue, 15 Nov 2011 22:17:34 +0000 (UTC) (envelope-from guy.helmer@palisadesystems.com) Received: from ps-2-a.compliancesafe.com (ps-2-a.compliancesafe.com [216.81.161.163]) by mx1.freebsd.org (Postfix) with ESMTP id 72E788FC08 for ; Tue, 15 Nov 2011 22:17:34 +0000 (UTC) Received: from mail.palisadesystems.com (localhost.compliancesafe.com [127.0.0.1]) by ps-2-a.compliancesafe.com (8.14.4/8.14.3) with ESMTP id pAFMH80A091682; Tue, 15 Nov 2011 16:17:09 -0600 (CST) (envelope-from guy.helmer@palisadesystems.com) Received: from guysmbp.dyn.palisadesys.com (GuysMBP.dyn.palisadesys.com [172.16.2.90]) (authenticated bits=0) by mail.palisadesystems.com (8.14.3/8.14.3) with ESMTP id pAFMGxcT089915 (version=TLSv1/SSLv3 cipher=AES128-SHA bits=128 verify=NO); Tue, 15 Nov 2011 16:17:00 -0600 (CST) (envelope-from guy.helmer@palisadesystems.com) X-DKIM: Sendmail DKIM Filter v2.8.3 mail.palisadesystems.com pAFMGxcT089915 DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=palisadesystems.com; s=mail; t=1321395420; bh=GlzlvBN6GUj29PpNYQaQ0gVF7H3rnT56QUXCjCyL4hU=; l=128; h=Subject:Mime-Version:Content-Type:From:In-Reply-To:Date:Cc: Content-Transfer-Encoding:Message-Id:References:To; b=meCvptbwgt55ZgfKY0Gsq4Tci95BLXil9T8yw9xBuY/AATc6hNUIgrZJrqxHFRkFb MUpoUmA4C/DA3lCfWnXAXEV0tfEj8gUv/OwmbSgE5ns3GNFEmTV7K1ZtfKssJNDqWb deeOXd32xEQElA9baCMAK4JzbQypfvqvUaRpMui0= Mime-Version: 1.0 (Apple Message framework v1251.1) Content-Type: text/plain; charset=iso-8859-1 From: Guy Helmer In-Reply-To: <86ty65qecx.fsf@ds4.des.no> Date: Tue, 15 Nov 2011 16:17:03 -0600 Content-Transfer-Encoding: quoted-printable Message-Id: References: <98001F9B-0B96-4D17-9EAE-08B12A1C1C75@palisadesystems.com> <86ty65qecx.fsf@ds4.des.no> To: =?iso-8859-1?Q?Dag-Erling_Sm=F8rgrav?= X-Mailer: Apple Mail (2.1251.1) X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.2.5 (mail.palisadesystems.com [172.16.1.5]); Tue, 15 Nov 2011 16:17:00 -0600 (CST) X-Palisade-MailScanner-Information: Please contact the ISP for more information X-Palisade-MailScanner-ID: pAFMGxcT089915 X-Palisade-MailScanner: Found to be clean X-Palisade-MailScanner-SpamCheck: not spam (whitelisted), SpamAssassin (score=-2.9, required 5, autolearn=not spam, ALL_TRUSTED -1.00, BAYES_00 -1.90) X-Palisade-MailScanner-From: guy.helmer@palisadesystems.com X-Spam-Status: No X-PacketSure-Scanned: Yes X-Mailman-Approved-At: Tue, 15 Nov 2011 22:21:36 +0000 Cc: freebsd-security@freebsd.org Subject: Re: Possible pam_ssh bug? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 15 Nov 2011 22:17:34 -0000 On Nov 15, 2011, at 3:12 PM, Dag-Erling Sm=F8rgrav wrote: > Guy Helmer writes: >> I have a shell user who is able to login to his accounts via sshd on >> FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and >> .ssh/id_rsa.pub key pair without a password but nullok was not >> specified, so I think this should be considered a bug. >=20 > It turns out that this goes all the way to OpenSSL, which ignores the > passphrase if the key is not encrypted. The only solution I can think > of - more of a workaround, really - is to first try to load the key = with > an empty passphrase, and skip the key if that worked. See the = attached > (untested) patch. >=20 > A more advanced patch would load all keys but require at least one of > them to have a passphrase. >=20 > DES > --=20 > Dag-Erling Sm=F8rgrav - des@des.no >=20 > Yes, that patch applied OK to the 8.2 test machine and resolved the = issue with the unencrypted id_rsa private key. I didn't know of any = other way to check the key either - nothing jumped out at me from the = OpenSSL API documentation. Thanks for the quick turnaround, Guy -------- This message has been scanned by ComplianceSafe, powered by Palisade's PacketSure. From owner-freebsd-security@FreeBSD.ORG Wed Nov 16 13:54:05 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 62CB6106566B for ; Wed, 16 Nov 2011 13:54:05 +0000 (UTC) (envelope-from sidetripping@gmail.com) Received: from mail-yw0-f54.google.com (mail-yw0-f54.google.com [209.85.213.54]) by mx1.freebsd.org (Postfix) with ESMTP id 29E538FC14 for ; Wed, 16 Nov 2011 13:54:04 +0000 (UTC) Received: by ywe9 with SMTP id 9so7362187ywe.13 for ; Wed, 16 Nov 2011 05:54:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=iMSnVR13zEupLvZDd97BiZ6OyT2ulDPz+0Bdq6NTIUg=; b=VugqrfgAhCAf/C1oi5E+DRVJ4LmMp/c1dKBqdNS9OAmWyvFOx80wl5fbYrxlOErowE kSOzzn2i9pLFKjkiltlyYxz6w6mmv4n0tYsxEIMsqvIsKAIMjuzQRvG6NKbtkUepCaw2 y4JgpUJbjDHpe/rbH5k8ay6DeQZn2+/EuPrHY= MIME-Version: 1.0 Received: by 10.229.67.215 with SMTP id s23mr4588269qci.265.1321449775936; Wed, 16 Nov 2011 05:22:55 -0800 (PST) Received: by 10.229.220.79 with HTTP; Wed, 16 Nov 2011 05:22:55 -0800 (PST) Date: Wed, 16 Nov 2011 14:22:55 +0100 Message-ID: From: ian ivy To: freebsd-security@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 Subject: Starting X11 with kernel secure level greater than -1/0. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 16 Nov 2011 13:54:05 -0000 Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible because of /dev/kmem etc. access. It is default solution in OpenBSD, I guess. Hmm, I see, that there is not xf86 in /dev directory, but... I know, that there is already a couple of xf86 drivers (e.g. xf86-video-nv, xf86-video-intel or libXxf86vm etc). These drivers are not right/required/correct, right? Of course I can change this level after system and X's start, but it is not the point. Is there any solution? Best regards! Ian. __________________ * source: OpenBSD XF86(4) man page. http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4 From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 07:48:00 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 24FAD106564A for ; Thu, 17 Nov 2011 07:48:00 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-yw0-f54.google.com (mail-yw0-f54.google.com [209.85.213.54]) by mx1.freebsd.org (Postfix) with ESMTP id CD28A8FC0C for ; Thu, 17 Nov 2011 07:47:59 +0000 (UTC) Received: by ywe9 with SMTP id 9so1047890ywe.13 for ; Wed, 16 Nov 2011 23:47:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:message-id:references:mime-version :content-type:content-disposition:in-reply-to; bh=OyoLfIl60erDRVNxcpJrozDWffCTH1EhBgNEgY8i9dk=; b=vMUX0WmL9CLeNolVvytw5ZfQCHlaaYSm90R+Vlz4WYfRLvw4xmy84L6x0nBXd3t7tJ 1XYvNuKJBrYAmbYT+17Yazzse9Z1oSKeLC+AhOeonDjonmWQJQ8U2wxlq9yx5fczk1ji yp/+TVBDKo8eG0GwdTT1bwKdWkyfx1X1VCL1s= Received: by 10.236.153.3 with SMTP id e3mr6890122yhk.68.1321514429745; Wed, 16 Nov 2011 23:20:29 -0800 (PST) Received: from DataIX.net (adsl-99-35-12-148.dsl.klmzmi.sbcglobal.net. [99.35.12.148]) by mx.google.com with ESMTPS id k3sm93751498ann.0.2011.11.16.23.20.27 (version=TLSv1/SSLv3 cipher=OTHER); Wed, 16 Nov 2011 23:20:27 -0800 (PST) Sender: Jason Hellenthal Received: from DataIX.net (localhost [127.0.0.1]) by DataIX.net (8.14.5/8.14.5) with ESMTP id pAH7KOgp003129 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Thu, 17 Nov 2011 02:20:24 -0500 (EST) (envelope-from jhell@DataIX.net) Received: (from jhell@localhost) by DataIX.net (8.14.5/8.14.5/Submit) id pAH7KNro003126; Thu, 17 Nov 2011 02:20:24 -0500 (EST) (envelope-from jhell@DataIX.net) Date: Thu, 17 Nov 2011 02:20:23 -0500 From: Jason Hellenthal To: ian ivy Message-ID: <20111117072023.GA94228@DataIX.net> References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="pf9I7BMVVzbSWLtt" Content-Disposition: inline In-Reply-To: Cc: freebsd-security@freebsd.org Subject: Re: Starting X11 with kernel secure level greater than -1/0. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Nov 2011 07:48:00 -0000 --pf9I7BMVVzbSWLtt Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable If it is your objective to run an X server on your display then it would pr= obably suit you best to use MAC rather than securelevel. Opening /dev/(mem,= kmem,io) is a security vulnerability in itself which nearly scrathes any us= efulness of securelevel. In short form, what you think you are doing and wh= at you are actually doing are two very different things. See: mac_seeotheruids mac_bsdextended [ugidfw(8)] mac_partition And there are some sysctl values you can tune to not display as much inform= ation as well. Also don't forget to compile a kernel without BPF. ;) On Wed, Nov 16, 2011 at 02:22:55PM +0100, ian ivy wrote: > Hi, is there any chance (if yes, how to do this?) to use the xf86 > driver which "provides access to the memory and I/O ports of a > VGA board and to the PCI configuration registers for use by > the X servers when running with a kernel security level greater > than 0" in FreeBSD*? >=20 > Then it will be possible to start X environment with a kernel > secure level > 0, right? Normally it is impossible because of > /dev/kmem etc. access. It is default solution in OpenBSD, I guess. >=20 > Hmm, I see, that there is not xf86 in /dev directory, but... > I know, that there is already a couple of xf86 drivers (e.g. > xf86-video-nv, xf86-video-intel or libXxf86vm etc). > These drivers are not right/required/correct, right? >=20 > Of course I can change this level after system and X's start, > but it is not the point. Is there any solution? >=20 > Best regards! Ian. >=20 > __________________ > * source: OpenBSD XF86(4) man page. > http://www.marko.homeunix.org/cgi-bin/man-cgi?xf86+4 > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.or= g" --pf9I7BMVVzbSWLtt Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQEcBAEBAgAGBQJOxLW3AAoJEJBXh4mJ2FR+/4EH/0HoMHou4KgaoArw6QzcxxQM hnk3aqMkkOOLIxh8VbtU3MZ5U/OzJZoZ768Gbcx8/4Gc/+U8HlcctbGw4kT6OVgx nc/55NlfkJT6GcN75CAXzENcNq6bQ0GMpXNuAQkq2DVUy25UdGDtDmVnROPLhlHO 6Wi8cVfO4FbYPjd4+lUgfbZZdK3JRz9sbI1XQeWkfVImlKT8DMnGlV6NUY1+pes+ GtV2ofuTMqLzhwnldHrnUHd9GSK9mFJFMiq43iqBNExEkJ496fCgn3FHtazqX0fQ zuGivHAAMHqfXVG2/hRXII4+79RUyYaluo7QLaq2ebyPSz2hcWKu4dEAftnlyC4= =9yg1 -----END PGP SIGNATURE----- --pf9I7BMVVzbSWLtt-- From owner-freebsd-security@FreeBSD.ORG Thu Nov 17 18:19:26 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 91CD51065670 for ; Thu, 17 Nov 2011 18:19:26 +0000 (UTC) (envelope-from sidetripping@gmail.com) Received: from mail-yx0-f182.google.com (mail-yx0-f182.google.com [209.85.213.182]) by mx1.freebsd.org (Postfix) with ESMTP id 50E378FC12 for ; Thu, 17 Nov 2011 18:19:26 +0000 (UTC) Received: by yenl11 with SMTP id l11so2096756yen.13 for ; Thu, 17 Nov 2011 10:19:25 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=abupWgKiM8m/5N/TMHlXpcg6qflZdpg9R4Ty4xkiePk=; b=fgAF8RahFYwMbtZ750vL2UTBDP97Q6BTSqAaEu1oX/SzD2SB7d+Hha1qWg7ejOQ+Vw 9S/EVfhmcU9Sy7ExhYeD0qWzLGY+QEHjMOEzy7lVAHhlWLupv5gdfuCj9siSfYWTerfI bRYRIy2P4u24E74pWBU7owVuOTAGYWRekTmG8= MIME-Version: 1.0 Received: by 10.229.64.222 with SMTP id f30mr5333367qci.227.1321553965454; Thu, 17 Nov 2011 10:19:25 -0800 (PST) Received: by 10.229.220.79 with HTTP; Thu, 17 Nov 2011 10:19:25 -0800 (PST) In-Reply-To: <20111117072023.GA94228@DataIX.net> References: <20111117072023.GA94228@DataIX.net> Date: Thu, 17 Nov 2011 19:19:25 +0100 Message-ID: From: ian ivy To: Jason Hellenthal Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: freebsd-security@freebsd.org Subject: Re: Starting X11 with kernel secure level greater than -1/0. X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 17 Nov 2011 18:19:26 -0000 Thanks Jason. Of course opening (or doing whatever with) mem, kmem etc. is a security flaw. A fatal flaw. I thought that OpenBSD team has done nice work to achieve a compromise between security and the use of X and it could be done with FreeBSD. I already have implemented some of MAC's policies (e.g. mac_seeotheruids), and a couple of sysctl's options, but for now, it is implemented for various testing. I have to read a lot more on these topics. :-) Kernel without BPF? OK! But not for now - I need to have DHCP upon startup for some time yet.! :-) Best regards! From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 02:55:10 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6E6C0106566B for ; Fri, 18 Nov 2011 02:55:10 +0000 (UTC) (envelope-from n3t0ps@gmail.com) Received: from mail-pz0-f44.google.com (mail-pz0-f44.google.com [209.85.210.44]) by mx1.freebsd.org (Postfix) with ESMTP id 394D28FC0C for ; Fri, 18 Nov 2011 02:55:10 +0000 (UTC) Received: by pzk33 with SMTP id 33so8606608pzk.3 for ; Thu, 17 Nov 2011 18:55:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; bh=pwopClPBwR0Tgr9kLUeHkD7nkw1FQ6swB847Zxfn64c=; b=TK3DW6je8Dg1XFEFt8Kv1XfxFU/qqFs9BpX/TnXFvkfj10qAQlBn+xo/8r2HccsZTF 1gw5qHSGQ1zYeL0M5SE+PQBKC018rgoSYf9JSwZ060YcJMFOlyrvFsy5XycO97i/ksnH xfW/YIHAtsA/ce8HPdloAjlTUIJje2iemDAfc= MIME-Version: 1.0 Received: by 10.68.32.2 with SMTP id e2mr4747707pbi.68.1321583399048; Thu, 17 Nov 2011 18:29:59 -0800 (PST) Received: by 10.68.41.132 with HTTP; Thu, 17 Nov 2011 18:29:58 -0800 (PST) Date: Thu, 17 Nov 2011 21:29:58 -0500 Message-ID: From: sys Admin To: "freebsd-security@freebsd.org" Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Subject: Latest bind advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2011 02:55:10 -0000 Hi Any plans to apply these patches to the bind version shipped with FreeBSD ? http://www.isc.org/software/bind/advisories/cve-2011-tbd Thanks From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 03:03:49 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1E9E11065676 for ; Fri, 18 Nov 2011 03:03:49 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) by mx1.freebsd.org (Postfix) with ESMTP id D6C298FC1A for ; Fri, 18 Nov 2011 03:03:48 +0000 (UTC) Received: from [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a] (saphire3.sentex.ca [IPv6:2607:f3e0:0:4:f025:8813:7603:7e4a]) by smarthost1.sentex.ca (8.14.5/8.14.4) with ESMTP id pAI33jFQ072055; Thu, 17 Nov 2011 22:03:45 -0500 (EST) (envelope-from mike@sentex.net) Message-ID: <4EC5CB06.4090302@sentex.net> Date: Thu, 17 Nov 2011 22:03:34 -0500 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101207 Thunderbird/3.1.7 MIME-Version: 1.0 To: sys Admin References: In-Reply-To: X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.71 on IPv6:2607:f3e0:0:1::12 Cc: "freebsd-security@freebsd.org" Subject: Re: Latest bind advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2011 03:03:49 -0000 On 11/17/2011 9:29 PM, sys Admin wrote: > Hi > Any plans to apply these patches to the bind version shipped with FreeBSD ? > > http://www.isc.org/software/bind/advisories/cve-2011-tbd Hi, They were committed already to RELENG_7,8 and 9 eg http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/006315.html ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 04:22:33 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 3ACAE106566C for ; Fri, 18 Nov 2011 04:22:33 +0000 (UTC) (envelope-from n3t0ps@gmail.com) Received: from mail-gy0-f182.google.com (mail-gy0-f182.google.com [209.85.160.182]) by mx1.freebsd.org (Postfix) with ESMTP id EF2F78FC0A for ; Fri, 18 Nov 2011 04:22:32 +0000 (UTC) Received: by ghbz10 with SMTP id z10so157385ghb.13 for ; Thu, 17 Nov 2011 20:22:32 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; bh=xjpcTFKxFZXZg90r+j609ISWnfRg/4w94k+LLQOPVAw=; b=H4ryRS5pEuk5ktHNXUO1B5utS98J+bFyjK+5/3ie5gJmPs1T0itSAiI87mWzzDQT1g dIu3/zyW1UEMjRsMmOEvJ18yyQ7mL6zWgZhJNfT29pZ09ig1Sn51sU2DMRvFp2ZfUech N8JTybdNnTZkATzwuvq7l0+LT0xv9LHwchhfw= MIME-Version: 1.0 Received: by 10.68.72.104 with SMTP id c8mr860716pbv.34.1321590152056; Thu, 17 Nov 2011 20:22:32 -0800 (PST) Received: by 10.68.41.132 with HTTP; Thu, 17 Nov 2011 20:22:32 -0800 (PST) In-Reply-To: <4EC5CB06.4090302@sentex.net> References: <4EC5CB06.4090302@sentex.net> Date: Thu, 17 Nov 2011 23:22:32 -0500 Message-ID: From: sys Admin To: Mike Tancsa Content-Type: text/plain; charset=ISO-8859-1 X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: "freebsd-security@freebsd.org" Subject: Latest bind advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2011 04:22:33 -0000 On Thursday, November 17, 2011, Mike Tancsa wrote: > On 11/17/2011 9:29 PM, sys Admin wrote: >> Hi >> Any plans to apply these patches to the bind version shipped with FreeBSD ? >> >> http://www.isc.org/software/bind/advisories/cve-2011-tbd > > Hi, > They were committed already to RELENG_7,8 and 9 > > eg > http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/006315.html > > > > ---Mike > Not sure how I missed but thanks ! > -- > ------------------- > Mike Tancsa, tel +1 519 651 3400 > Sentex Communications, mike@sentex.net > Providing Internet services since 1994 www.sentex.net > Cambridge, Ontario Canada http://www.tancsa.com/ > From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 07:40:59 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6B2ED1065670 for ; Fri, 18 Nov 2011 07:40:59 +0000 (UTC) (envelope-from m.seaman@infracaninophile.co.uk) Received: from smtp.infracaninophile.co.uk (smtp6.infracaninophile.co.uk [IPv6:2001:8b0:151:1:3fd3:cd67:fafa:3d78]) by mx1.freebsd.org (Postfix) with ESMTP id F16558FC1F for ; Fri, 18 Nov 2011 07:40:58 +0000 (UTC) Received: from seedling.black-earth.co.uk (seedling.black-earth.co.uk [81.187.76.163]) (authenticated bits=0) by smtp.infracaninophile.co.uk (8.14.5/8.14.5) with ESMTP id pAI7etPe045486 (version=TLSv1/SSLv3 cipher=DHE-RSA-CAMELLIA256-SHA bits=256 verify=NO) for ; Fri, 18 Nov 2011 07:40:55 GMT (envelope-from m.seaman@infracaninophile.co.uk) X-DKIM: OpenDKIM Filter v2.4.1 smtp.infracaninophile.co.uk pAI7etPe045486 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=infracaninophile.co.uk; s=201001-infracaninophile; t=1321602055; bh=VGaYFKLG4XMbQyrfVVDnTkRzGlic/Kjl2de5reJlueE=; h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Cc; b=i51JWTqFy4HDyV2WuQEm8WpRcfqjQXHWyZOD4i63/HwQ/kZMTosKLunqQ17T/9r0t ZPMRt7uQr5LGMPv4/2RbfX4cWFnSBCJVxfZmFRVX8I5k6XMySdfo+Nq7El1/ddl8Wd uFpcj1jM4OMGBhmp0Gd7NefCHY+r663fArn4+mZo= Message-ID: <4EC60C00.30001@infracaninophile.co.uk> Date: Fri, 18 Nov 2011 07:40:48 +0000 From: Matthew Seaman User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:8.0) Gecko/20111105 Thunderbird/8.0 MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <4EC5CB06.4090302@sentex.net> In-Reply-To: X-Enigmail-Version: 1.3.3 OpenPGP: id=60AE908C Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="------------enig467D03F72316D1D1A8CEAF9F" X-Virus-Scanned: clamav-milter 0.97.3 at lucid-nonsense.infracaninophile.co.uk X-Virus-Status: Clean X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,SPF_FAIL autolearn=no version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on lucid-nonsense.infracaninophile.co.uk Subject: Re: Latest bind advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2011 07:40:59 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enig467D03F72316D1D1A8CEAF9F Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 18/11/2011 04:22, sys Admin wrote: > On Thursday, November 17, 2011, Mike Tancsa wrote: >> On 11/17/2011 9:29 PM, sys Admin wrote: >>> Hi >>> Any plans to apply these patches to the bind version shipped with > FreeBSD ? >>> >>> http://www.isc.org/software/bind/advisories/cve-2011-tbd >> >> Hi, >> They were committed already to RELENG_7,8 and 9 >> >> eg >> > http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/00631= 5.html >> >> >> >> ---Mike >> >=20 > Not sure how I missed but thanks ! Actually, it was patched in stable/7, stable/8, HEAD and ports -- stable/9 is notably missing from that list. Presumably stable/9 will be patched eventually, but as it's in the process of forking of the release/9.0 branch right now, the bind patches will have to wait. Cheers, Matthew --=20 Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard Flat 3 PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate JID: matthew@infracaninophile.co.uk Kent, CT11 9PW --------------enig467D03F72316D1D1A8CEAF9F Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.16 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk7GDAYACgkQ8Mjk52CukIwp8ACdHDpJ85CYb/KecQOi7wAWtMmi Y0MAn1phzx6vo+2MYPVw65QqUDnBZNEk =MdZV -----END PGP SIGNATURE----- --------------enig467D03F72316D1D1A8CEAF9F-- From owner-freebsd-security@FreeBSD.ORG Fri Nov 18 09:38:10 2011 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 6341D106566C for ; Fri, 18 Nov 2011 09:38:10 +0000 (UTC) (envelope-from delphij@gmail.com) Received: from mail-yw0-f54.google.com (mail-yw0-f54.google.com [209.85.213.54]) by mx1.freebsd.org (Postfix) with ESMTP id 245888FC0C for ; Fri, 18 Nov 2011 09:38:09 +0000 (UTC) Received: by ywe9 with SMTP id 9so3321347ywe.13 for ; Fri, 18 Nov 2011 01:38:09 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=S6CZkMc/n8WBuEdy6fln8hlWRdm/H8KCa3yIITU/+zc=; b=FZkAtGHthQAhmKSDIcpdOOkgK53D5/OGvIDiPUCEUDB9YQ+qbpL24W7wiHqQ1BcO3l hsEEoNVpknV2Mo1Qlfx/Iv83efvoDB1QbZrBMbp9tDpypIPH0JsvtWtp4GMh88aoGqjJ wqmxYp3MK8/5lkgjf4y/hWSep9tx/Q+y23RV4= MIME-Version: 1.0 Received: by 10.224.185.205 with SMTP id cp13mr875092qab.34.1321607583935; Fri, 18 Nov 2011 01:13:03 -0800 (PST) Received: by 10.229.212.4 with HTTP; Fri, 18 Nov 2011 01:13:03 -0800 (PST) In-Reply-To: <4EC60C00.30001@infracaninophile.co.uk> References: <4EC5CB06.4090302@sentex.net> <4EC60C00.30001@infracaninophile.co.uk> Date: Fri, 18 Nov 2011 01:13:03 -0800 Message-ID: From: Xin LI To: Matthew Seaman Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: Latest bind advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 18 Nov 2011 09:38:10 -0000 On Thu, Nov 17, 2011 at 11:40 PM, Matthew Seaman wrote: > On 18/11/2011 04:22, sys Admin wrote: >> On Thursday, November 17, 2011, Mike Tancsa wrote: >>> On 11/17/2011 9:29 PM, sys Admin wrote: >>>> Hi >>>> Any plans to apply these patches to the bind version shipped with >> FreeBSD ? >>>> >>>> http://www.isc.org/software/bind/advisories/cve-2011-tbd >>> >>> Hi, >>> =C2=A0 =C2=A0 =C2=A0 =C2=A0They were committed already to RELENG_7,8 an= d 9 >>> >>> eg >>> >> http://lists.freebsd.org/pipermail/svn-src-stable-8/2011-November/006315= .html >>> >>> >>> >>> =C2=A0 =C2=A0 =C2=A0 =C2=A0---Mike >>> >> >> Not sure how I missed but thanks ! > > Actually, it was patched in stable/7, stable/8, HEAD and ports -- > stable/9 is notably missing from that list. =C2=A0Presumably stable/9 wil= l be > patched eventually, but as it's in the process of forking of the > release/9.0 branch right now, the bind patches will have to wait. stable/{7,8} and HEAD have the "best known fix" but we are still waiting for a final one (or decide if the existing solution had solved the problem completely, ISC is still working on investigation). We (secteam@) will issue a security advisory once we are sure that the fix is finalized and yes, all supported branches would be patched at that time and update would made available through freebsd-update, etc. At this time it's advisable that users use the BIND version from ports, or use an alternative (e.g. dns/unbound), if resolving DNS server functionality is desired; it seems that authoritive-only DNS servers are NOT affected by the problem as far as we know. Cheers, --=20 Xin LI https://www.delphij.net/ FreeBSD - The Power to Serve! Live free or die