From owner-freebsd-security Sun Nov 19 12:13:37 2000
Message-ID: <3A1833F4.A2A25FBC@bigfoot.com>
Date: Sun, 19 Nov 2000 15:11:32 -0500
From: Sam Carleton
To: "security@FreeBSD.ORG"
Subject: Re: help setting up a filewall
References: <3A16C44B.4DEC2492@bigfoot.com> <20001118155447.K9740@149.211.6.64.reflexcom.com>

"Crist J . Clark" wrote:

> > * In the article, it looks like the author is allowing things like HTTP
> > and SSH to come into the firewall machine. I want those things to be
> > passed onto another internal machine.
>
> The rules may or may not change depending on where they are relative
> to the divert(4) rule. Also, see 'redirect_address' and
> 'redirect_port' in natd(8). You did not post your natd.conf, so I
> can't tell if you are already using those.

Sorry about that, this time I will include EVERYTHING :)

> > Attached you will find my modifications to the rc.firewall script and
> > relevant snips of rc.conf. If you have any thoughts on what I am doing
> > wrong, please drop me an email. Thanks!
>
> A few nitpicks about your ruleset, but nothing absolutely leaped out
> at me as a problem that would totally break everything. Since you did
> not tell us exactly what kind of problem you are having, it's hard to
> know what to look for.

Well, the problem I am currently having is with DNS. The test environment that I have set up is such that there is no DNS server behind the FreeBSD firewall. The machine inside the firewall is not able to get a DNS request out. To make things more interesting, while booting the FreeBSD firewall, the rc.firewall script ALWAYS hangs on the two DNS lines.

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from ${iif} to any 53 keep-state
    ${fwcmd} add pass tcp from ${iif} to any 53 keep-state

The setup I am looking for is one where anyone on the inside can get to any DNS server on the outside.
I am going to have one caching DNS server on the inside, but if that is down, the clients will be configured to go to a DNS server outside the firewall. What rules would you set up for this configuration? This is what I have currently:

-----------rc.conf-----------
gateway_enable="YES"
hostname="orchid.miltonstreet.com"
ifconfig_ep0="DHCP"
ifconfig_xl0="inet 192.168.100.6 netmask 255.255.255.0"
inetd_enable="Yes"
moused_enable="YES"
nisdomainname="NO"
router_enable="No"
saver="fire"
sendmail_enable="NO"
sshd_enable="NO"
usbd_enable="YES"
firewall_enable="Yes"
firewall_type="Simple"
firewall_script="/etc/rc.firewall"
firewall_quiet="No"
natd_program="/sbin/natd"
natd_enable="Yes"
natd_interface="ep0"
natd_flags="-f /etc/natd.conf"

-----------natd.conf-----------
dynamic yes
use_sockets yes
same_ports yes

-----------rc.firewall-----------
############
# Setup system for firewall service.
# $FreeBSD: src/etc/rc.firewall,v 1.30.2.4 2000/05/28 19:17:15 asmodai Exp $

# Suck in the configuration variables.
if [ -r /etc/defaults/rc.conf ]; then
    . /etc/defaults/rc.conf
    source_rc_confs
elif [ -r /etc/rc.conf ]; then
    . /etc/rc.conf
fi

############
# Define the firewall type in /etc/rc.conf. Valid values are:
#   open     - will allow anyone in
#   simple   - will try to protect a whole network
#   closed   - totally disables IP services except via lo0 interface
#   UNKNOWN  - disables the loading of firewall rules.
#   filename - will load the rules in the given filename (full path required)
#
# For ``simple'' the entries below should be customized
# appropriately.

############
#
# If you don't know enough about packet filtering, we suggest that you
# take time to read this book:
#
#   Building Internet Firewalls
#   Brent Chapman and Elizabeth Zwicky
#
#   O'Reilly & Associates, Inc
#   ISBN 1-56592-124-0
#   http://www.ora.com/
#
# For a more advanced treatment of Internet Security read:
#
#   Firewalls & Internet Security
#   Repelling the wily hacker
#   William R. Cheswick, Steven M. Bellovin
#
#   Addison-Wesley
#   ISBN 0-201-6337-4
#   http://www.awl.com/
#

if [ -n "${1}" ]; then
    firewall_type="${1}"
fi

############
# Set quiet mode if requested
#
case ${firewall_quiet} in
[Yy][Ee][Ss])
    fwcmd="/sbin/ipfw -q"
    ;;
*)
    fwcmd="/sbin/ipfw"
    ;;
esac

############
# Flush out the list before we begin.
#
${fwcmd} -f flush

############
# These rules are required for using natd. All packets are passed to
# natd before they encounter your remaining rules. The firewall rules
# will then be run again on each packet after translation by natd,
# minus any divert rules (see natd(8)).
#
case ${natd_enable} in
[Yy][Ee][Ss])
    if [ -n "${natd_interface}" ]; then
        ${fwcmd} add 50 divert natd all from any to any via ${natd_interface}
    fi
    ;;
esac

############
# If you just configured ipfw in the kernel as a tool to solve network
# problems or you just want to disallow some particular kinds of traffic
# then you will want to change the default policy to open. You can also
# do this as your only action by setting the firewall_type to ``open''.
#
# ${fwcmd} add 65000 pass all from any to any

############
# Only in rare cases do you want to change these rules
#
${fwcmd} add 100 pass all from any to any via lo0
${fwcmd} add 200 deny all from any to 127.0.0.0/8
# If you're using 'options BRIDGE', uncomment the following line to pass ARP
#${fwcmd} add 300 pass udp from 0.0.0.0 2054 to 0.0.0.0

# Prototype setups.
#
case ${firewall_type} in
[Oo][Pp][Ee][Nn])
    ${fwcmd} add 65000 pass all from any to any
    ;;

[Ss][Ii][Mm][Pp][Ll][Ee])
    ############
    # This is a prototype setup for a simple firewall. Configure this
    # machine as a named server and ntp server, and point all the machines
    # on the inside at this machine for those services.
    ############

    # set these to your outside interface network and netmask and ip
    oif="ep0"
    # onet="192.0.2.0"
    # omask="255.255.255.240"
    # oip="192.0.2.1"

    # set these to your inside interface network and netmask and ip
    iif="xl1"
    inet="192.168.100.0"
    imask="255.255.255.0"
    iip="192.168.100.6"

    # Stop spoofing
    ${fwcmd} add deny all from ${inet}:${imask} to any in via ${oif}
    # ${fwcmd} add deny all from ${onet}:${omask} to any in via ${iif}

    # allow DHCP stuff
    ${fwcmd} add pass udp from any 67 to any 68 in via ${oif}
    ${fwcmd} add pass udp from any 68 to any 67 out via ${oif}

    # Stop RFC1918 nets on the outside interface
    ${fwcmd} add deny log all from 10.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny log all from any to 10.0.0.0/8 out via ${oif}
    ${fwcmd} add deny log all from 172.16.0.0/12 to any via ${oif}
    ${fwcmd} add deny log all from any to 172.16.0.0/12 out via ${oif}
    # ${fwcmd} add deny log all from 192.168.0.0/16 to any via ${oif}
    # ${fwcmd} add deny log all from any to 192.168.0.0/16 out via ${oif}

    # Stop draft-manning-dsua-01.txt nets on the outside interface
    ${fwcmd} add deny log all from 0.0.0.0/8 to any via ${oif}
    ${fwcmd} add deny log all from any to 0.0.0.0/8 via ${oif}
    ${fwcmd} add deny log all from 169.254.0.0/16 to any via ${oif}
    ${fwcmd} add deny log all from any to 169.254.0.0/16 via ${oif}
    ${fwcmd} add deny log all from 192.0.2.0/24 to any via ${oif}
    ${fwcmd} add deny log all from any to 192.0.2.0/24 via ${oif}
    ${fwcmd} add deny log all from 224.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny log all from any to 224.0.0.0/4 via ${oif}
    ${fwcmd} add deny log all from 240.0.0.0/4 to any via ${oif}
    ${fwcmd} add deny log all from any to 240.0.0.0/4 via ${oif}

    # Allow TCP through if setup succeeded
    ${fwcmd} add pass tcp from any to any established

    # Allow IP fragments to pass through
    ${fwcmd} add pass all from any to any frag

    # HTTP - Allow access to our web server
    ${fwcmd} add pass tcp from any to any 80 setup

    # SMTP - Allow access to sendmail for incoming e-mail
    ${fwcmd} add pass tcp from any to any 25 setup

    # FTP - Allow incoming data channel for outgoing connections,
    # Reject&Log all incoming control connections
    ${fwcmd} add pass tcp from any 20 to any 1024-65535 setup
    ${fwcmd} add deny log tcp from any to any 21 in via ${oif} setup

    # SSH Login - Allow & Log all incoming
    ${fwcmd} add pass log tcp from any to any 22 in via ${oif} setup

    # IDENT - Reset incoming connections
    ${fwcmd} add reset tcp from any to any 113 in via ${oif} setup

    # Reject&Log all setup of incoming connections from the outside
    ${fwcmd} add deny log tcp from any to any in via ${oif} setup

    # Allow DNS queries out in the world
    ${fwcmd} add pass udp from ${iif} to any 53 keep-state
    ${fwcmd} add pass tcp from ${iif} to any 53 keep-state

    # Allow setup of any other TCP connection
    ${fwcmd} add pass tcp from any to any setup

    # Allow NTP queries out in the world
    ${fwcmd} add pass udp from any 123 to any 123 via ${oif}
    ${fwcmd} add pass udp from any 123 to any via ${iif}
    ${fwcmd} add pass udp from any to any 123 via ${iif}

    # TRACEROUTE - Allow outgoing, but not incoming
    ${fwcmd} add pass udp from any to any 33434-33523 out via ${oif}

    ### ICMP RULES
    # ICMP packets
    # Allow all ICMP packets on internal interface
    ${fwcmd} add pass icmp from any to any via ${iif}

    # Allow outgoing pings, but not incoming
    ${fwcmd} add pass icmp from any to any icmptypes 8 out via ${oif}
    ${fwcmd} add pass icmp from any to any icmptypes 0 in via ${oif}

    # Allow Destination Unreachable, Source Quench, Time Exceeded, and Bad Head
    ${fwcmd} add pass icmp from any to any icmptypes 3,4,11,12 via ${oif}

    # Deny the rest of them
    ${fwcmd} add deny icmp from any to any

    # Everything else is denied by default, unless the
    # IPFIREWALL_DEFAULT_TO_ACCEPT option is set in your kernel
    # config file.
    ;;

[Uu][Nn][Kk][Nn][Oo][Ww][Nn])
    ;;
*)
    if [ -r "${firewall_type}" ]; then
        ${fwcmd} ${firewall_flags} ${firewall_type}
    fi
    ;;
esac

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

Date: Sun, 19 Nov 2000 14:48:17 -0800
From: "Crist J . Clark"
To: Sam Carleton
Cc: "security@FreeBSD.ORG"
Subject: Re: help setting up a filewall
Message-ID: <20001119144817.A12190@149.211.6.64.reflexcom.com>
Reply-To: cjclark@alum.mit.edu
In-Reply-To: <3A1833F4.A2A25FBC@bigfoot.com>

On Sun, Nov 19, 2000 at 03:11:32PM -0500, Sam Carleton wrote:
> "Crist J . Clark" wrote:

[snip]

> > > Attached you will find my modifications to the rc.firewall script and
> > > relevant snips of rc.conf. If you have any thoughts on what I am doing
> > > wrong, please drop me an email. Thanks!
> >
> > A few nitpicks about your ruleset, but nothing absolutely leaped out
> > at me as a problem that would totally break everything. Since you did
> > not tell us exactly what kind of problem you are having, it's hard to
> > know what to look for.
>
> Well, the problem I am currently having is with DNS. The test environment that I have set up is such that
> there is no DNS server behind the FreeBSD firewall. The machine inside the firewall is not able to get a
> DNS request out. To make things more interesting, while booting the FreeBSD firewall, the rc.firewall
> script ALWAYS hangs on the two DNS lines.
>
>     # Allow DNS queries out in the world
>     ${fwcmd} add pass udp from ${iif} to any 53 keep-state
>     ${fwcmd} add pass tcp from ${iif} to any 53 keep-state

You are using interface names where you should be using a hostname or
IP address. It is probably hanging trying to do the DNS lookup on the
hostname 'xl1.'
You want,

    ${fwcmd} add pass udp from ${inet}:${imask} to any 53 keep-state
    ${fwcmd} add pass tcp from ${inet}:${imask} to any 53 keep-state

But this is not going to work unless you add a check-state rule. How
about checking right where we do the stateless pass of "established"
connections.

[snip]
> [Ss][Ii][Mm][Pp][Ll][Ee])
[snip]

    # Allow established, dynamic connections
    ${fwcmd} add check-state

>     # Allow TCP through if setup succeeded
>     ${fwcmd} add pass tcp from any to any established
>
>     # Allow IP fragments to pass through
>     ${fwcmd} add pass all from any to any frag
[snip]
--
Crist J. Clark                           cjclark@alum.mit.edu

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: New security policy for FreeBSD 3.x
Reply-To: security-advisories@freebsd.org
Message-Id: <20001120035146.0020937B479@hub.freebsd.org>
Date: Sun, 19 Nov 2000 19:51:46 -0800 (PST)

The FreeBSD Security Officer would like to announce a change in policy regarding security support for the FreeBSD 3.x branch.

Due to the frequent difficulties encountered in fixing the old code contained in FreeBSD 3.x, we will no longer be requiring security problems to be fixed in that branch prior to the release of an advisory that also pertains to FreeBSD 4.x. In recent months this requirement has led to delays in the release of advisories, which negatively impacts users of the current FreeBSD release branch (FreeBSD 4.x).

Security fixes which are committed to FreeBSD 3.5.1-STABLE prior to the advisory release will be included in the advisory, but the advisory release will not be delayed awaiting a fix in the 3.x branch when a fix is already in place in FreeBSD 4.x. Serious vulnerabilities will result in a reissue of the advisory once the problem is corrected in 3.5.1-STABLE. For less serious vulnerabilities a notification will be sent to the freebsd-security@FreeBSD.org mailing list only, to reduce overall subscriber traffic on the freebsd-security-notifications and freebsd-announce mailing lists.

We will continue endeavouring to ensure that applicable security fixes are merged back to the 3.x branch by FreeBSD developers, and to work with them to develop or merge the appropriate fix prior to the advisory release, however as the 3.x branch is approaching end of life we anticipate that there may be an increasing time lag between the time of fix of a vulnerability in 4.x and when it is backported to 3.x.
Given this reality, users are encouraged to consider plans to migrate security-critical systems to the 4.x branch over the coming months.

FreeBSD committers who are interested in providing security support for older branches of FreeBSD should contact the Security Officer and they will be kept informed of fixes which require merging to the older branches.

Comments on this policy are welcomed - please reply to security-officer@FreeBSD.org.

Regards,

Kris Kennaway
FreeBSD Security Officer

Message-Id: <200011201240.eAKCe5m03807@Magelan.Leidinger.net>
Date: Mon, 20 Nov 2000 13:40:03 +0100 (CET)
From: Alexander Leidinger
Subject: Re: Base system gcc patch (Re: FYI: Propolice for gcc-2.95.2)
To: kris@FreeBSD.ORG
Cc: kjm@rins.ryukoku.ac.jp, security@FreeBSD.ORG
In-Reply-To: <20001117154551.A77867@citusc17.usc.edu>

On 17 Nov, Kris Kennaway wrote:

> This was trivial to get working on FreeBSD, but here is a patch
> against the system gcc in 4.x which will compile a ProPolice-enabled
> version, so FreeBSD users can start easily making use of this. The
> patch is the same for 5.x users except you will need to replace
> "contrib/gcc" with "contrib/gcc.295" in the diff.
>
> http://www.freebsd.org/~kris/protector.patch

Do you have something similar for the bounds checking patches? I tried
it myself, but I've problems with the Makefile for libcheck and some
unresolved symbols in cc_int (but I haven't tried very hard).

Bye,
Alexander.

--
To boldly go where I surely don't belong.
http://www.Leidinger.net    Alexander @ Leidinger.net
GPG fingerprint = 7423 F3E6 3A7E B334 A9CC B10A 1F5F 130A A638 6E7E

Date: Mon, 20 Nov 2000 13:17:53 -0200 (EDT)
From: Paulo Fragoso
To: freebsd-security@freebsd.org
Subject: Telnetd (TCP no PCB)

Hi,

I've found two telnetd running on FreeBSD 4.1-20000907-STABLE without clients, and after running lsof it reported this:

telnetd 86351 root 0u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
telnetd 86351 root 1u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
telnetd 86351 root 2u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
telnetd 86862 root 0u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
telnetd 86862 root 1u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE
telnetd 86862 root 2u IPv4 0t0 TCP no PCB, CANTSENDMORE, CANTRCVMORE

What does that mean? Is that a security problem?

Thanks,
Paulo Fragoso.

--
   __O
 _-\<,_      Why drive when you can bike?
(_)/ (_)

Date: Mon, 20 Nov 2000 11:40:50 -0800
From: Kris Kennaway
To: Alexander Leidinger
Cc: kjm@rins.ryukoku.ac.jp, security@FreeBSD.ORG
Subject: Re: Base system gcc patch (Re: FYI: Propolice for gcc-2.95.2)
Message-ID: <20001120114050.B83383@citusc17.usc.edu>
In-Reply-To: <200011201240.eAKCe5m03807@Magelan.Leidinger.net>

On Mon, Nov 20, 2000 at 01:40:03PM +0100, Alexander Leidinger wrote:
> On 17 Nov, Kris Kennaway wrote:
> > This was trivial to get working on FreeBSD, but here is a patch
> > against the system gcc in 4.x which will compile a ProPolice-enabled
> > version, so FreeBSD users can start easily making use of this. The
> > patch is the same for 5.x users except you will need to replace
> > "contrib/gcc" with "contrib/gcc.295" in the diff.
> >
> > http://www.freebsd.org/~kris/protector.patch
>
> Do you have something similar for the bounds checking patches? I tried
> it myself, but I've problems with the Makefile for libcheck and some
> unresolved symbols in cc_int (but I haven't tried very hard).

Not yet..

Kris

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:71.mgetty
Reply-To: security-advisories@freebsd.org
Message-Id: <20001120212727.BE24037B4CF@hub.freebsd.org>
Date: Mon, 20 Nov 2000 13:27:27 -0800 (PST)

=============================================================================
FreeBSD-SA-00:71                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mgetty can create or overwrite files

Category:       ports
Module:         mgetty
Announced:      2000-11-20
Credits:        Stan Bubrouski
Affects:        Ports collection prior to the correction date.
Corrected:      2000-9-10
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

mgetty is a replacement for the getty utility designed for use with data and fax modems.

II.  Problem Description

The mgetty port, versions prior to 1.1.22.8.17, contains a vulnerability that may allow local users to create or overwrite any file on the system. This is due to the faxrunqd daemon (which usually runs as root) following symbolic links when creating a .last_run file in the world-writable /var/spool/fax/outgoing/ directory.

This presents a denial of service attack since the attacker can cause critical system files to be overwritten, but it is not believed the attacker has the ability to control the contents of the overwritten file. Therefore the possibility of using this attack to elevate privileges is believed to be minimal.

The mgetty port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4100 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 contain this problem since it was discovered after the releases, but it was corrected prior to the release of FreeBSD 4.2.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Unprivileged local users may create or overwrite any file on the system.

If you have not chosen to install the mgetty port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the mgetty port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mgetty port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/comms/mgetty-1.1.22.8.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/comms/mgetty-1.1.22.8.17.tgz

3) Download a new port skeleton for the mgetty port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

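
Added example (not part of the advisory and not mgetty source code): the symlink problem described in section II of FreeBSD-SA-00:71, reproduced in a private scratch directory, next to a writer that refuses to follow the link. The function names, the file names and the /tmp path are constructed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "Before": open the marker by name. open() follows a symlink planted at
 * that name, and O_TRUNC empties whatever the link points to. */
static int write_marker_naive(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Hardened: refuse a symlink in the last path component, then check the
 * object that was actually opened before changing it. */
static int write_marker_safe(const char *path, const char *text)
{
    struct stat st;
    /* No O_TRUNC: nothing is modified until the checks below have passed.
     * On a symlink this open fails (ELOOP on Linux, EMLINK on FreeBSD);
     * O_NONBLOCK keeps a planted FIFO from blocking the caller. */
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW | O_NONBLOCK, 0644);
    if (fd < 0)
        return -1;
    /* Reject devices, FIFOs and hard links to files that live elsewhere. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) || st.st_nlink != 1 ||
        ftruncate(fd, 0) != 0) {
        close(fd);
        return -1;
    }
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Size of a file, or -1 if it cannot be examined. */
static long file_size(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Builds a scratch directory holding a "victim" file and a symlink named
 * .last_run that points at it, runs one writer against the link, and returns
 * 1 if the victim kept its contents, 0 if not, -1 if setup failed. */
static int victim_survives(int (*writer)(const char *, const char *))
{
    char dir[] = "/tmp/marker-demo-XXXXXX";
    char victim[256], marker[256];
    const char *data = "do not clobber\n";
    int result = -1;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(marker, sizeof marker, "%s/.last_run", dir);
    FILE *f = fopen(victim, "w");
    if (f != NULL) {
        fputs(data, f);
        fclose(f);
        if (symlink(victim, marker) == 0) {
            writer(marker, "1\n");
            result = file_size(victim) == (long)strlen(data);
        }
    }
    unlink(marker);
    unlink(victim);
    rmdir(dir);
    return result;
}

/* The hardened writer must still work when no link is in the way. */
static int safe_writer_creates_file(void)
{
    char dir[] = "/tmp/marker-demo-XXXXXX";
    char marker[256];
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(marker, sizeof marker, "%s/.last_run", dir);
    int ok = write_marker_safe(marker, "ok\n") == 0 && file_size(marker) == 3;
    unlink(marker);
    rmdir(dir);
    return ok;
}

int main(void)
{
    printf("naive: victim intact=%d\n", victim_survives(write_marker_naive));
    printf("safe:  victim intact=%d\n", victim_survives(write_marker_safe));
    printf("safe writer creates plain file=%d\n", safe_writer_creates_file());
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so a privileged daemon is still better off keeping its state files in a directory that other users cannot write to.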
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:72.curl
Reply-To: security-advisories@freebsd.org
Message-Id: <20001120212854.458E837B4CF@hub.freebsd.org>
Date: Mon, 20 Nov 2000 13:28:54 -0800 (PST)

=============================================================================
FreeBSD-SA-00:72                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          curl client-side vulnerability

Category:       ports
Module:         curl
Announced:      2000-11-20
Credits:        Wichert Akkerman
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-30
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

curl is a multi-protocol file retrieval tool.

II.  Problem Description

The curl port, versions prior to 7.4.1, allows a client-side exploit through a buffer overflow in the error handling code. A malicious ftp server operator can cause arbitrary code to be executed by the user running the curl client.

The curl port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4100 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 contain this problem since it was discovered after the releases, but it was corrected prior to the release of FreeBSD 4.2.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Malicious FTP server operators can execute arbitrary code on the local system when a file is downloaded from this server.

If you have not chosen to install the curl port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the curl port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the curl port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/ftp/curl-7.4.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/ftp/curl-7.4.1.tgz

3) Download a new port skeleton for the curl port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:73.thttpd Reply-To: security-advisories@freebsd.org Message-Id: <20001120212917.C4AB237B682@hub.freebsd.org> Date: Mon, 20 Nov 2000 13:29:17 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:73 Security Advisory FreeBSD, Inc. Topic: thttpd allows remote reading of local files Category: ports Module: thttpd Announced: 2000-11-20 Credits: ghandi@MINDLESS.COM Affects: Ports collection prior to the correction date. Corrected: 2000-10-30 Vendor status: Updated version released FreeBSD only: NO I. Background thttpd is a simple, small, fast HTTP server. II. Problem Description The thttpd port, versions prior to 2.20, allows remote viewing of arbitrary files on the local server. The 'ssi' cgi script does not correctly restrict URL-encoded requests containing ".." in the path. In addition, the cgi script does not have the same restrictions as the web server for preventing requests outside of the web root. These two flaws allow remote users to access any file on the system accessible to the web server user (user 'nobody' in the default configuration). The thttpd port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4100 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1 contain this problem since it was discovered after the releases, but it was corrected prior to the release of FreeBSD 4.2. FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports. III. 
Impact

Remote users may access any file on the system accessible to the web
server user (user 'nobody' in the default installation).

If you have not chosen to install the thttpd port/package, then your
system is not vulnerable to this problem.

IV. Workaround

Deinstall the thttpd port/package, if you have installed it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the thttpd port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/thttpd-2.20b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/thttpd-2.20b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/thttpd-2.20b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/thttpd-2.20b.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/thttpd-2.20b.tgz

3) download a new port skeleton for the thttpd port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 20 13:31:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 0DFBE37B68D; Mon, 20 Nov 2000 13:29:49 -0800 (PST)
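For FreeBSD-SA-00:73 above, an added illustration in C (not thttpd's code and not part of the advisory) of why a ".." check has to run after URL decoding: naive_accepts() tests the raw path, safe_resolve() decodes once and then normalises the segments. The function names, the /var/www root and the sample request paths are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Flawed ordering: searches the raw, still-encoded path for "..".
 * Returns 1 when the request would be accepted. */
int naive_accepts(const char *raw)
{
    return strstr(raw, "..") == NULL;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode src into dst exactly once. Fails on a malformed or
 * truncated escape, on an encoded NUL, and when dst is too small. */
static int url_decode(const char *src, char *dst, size_t dstlen)
{
    size_t n = 0;

    while (*src) {
        int c = (unsigned char)*src++;
        if (c == '%') {
            int hi = hexval((unsigned char)src[0]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)src[1]);
            if (lo < 0) return -1;
            c = hi * 16 + lo;
            if (c == 0) return -1;
            src += 2;
        }
        if (n + 1 >= dstlen) return -1;
        dst[n++] = (char)c;
    }
    dst[n] = '\0';
    return 0;
}

/* Hardened ordering: decode first, then walk the segments. A ".." that
 * would climb above the root rejects the request. On success writes
 * root + normalised path to out and returns 0; returns -1 on rejection.
 * Lexical only: symlinks under the root are a separate check. */
int safe_resolve(const char *root, const char *raw, char *out, size_t outlen)
{
    char decoded[1024];
    size_t mark[64];            /* length of out before each pushed segment */
    size_t depth = 0, len = strlen(root);
    const char *p = decoded;

    if (raw[0] != '/' || url_decode(raw, decoded, sizeof decoded) != 0)
        return -1;
    if (len + 1 > outlen) return -1;
    memcpy(out, root, len + 1);

    while (*p) {
        size_t seglen;
        while (*p == '/') p++;                  /* collapse "//" */
        seglen = strcspn(p, "/");
        if (seglen == 0) break;
        if (seglen == 2 && p[0] == '.' && p[1] == '.') {
            if (depth == 0) return -1;          /* would leave the root */
            len = mark[--depth];
            out[len] = '\0';
        } else if (!(seglen == 1 && p[0] == '.')) {
            if (depth == 64 || len + seglen + 2 > outlen) return -1;
            mark[depth++] = len;
            out[len++] = '/';
            memcpy(out + len, p, seglen);
            len += seglen;
            out[len] = '\0';
        }
        p += seglen;
    }
    return 0;
}

int main(void)
{
    /* Constructed request paths; "/var/www" is a hypothetical web root. */
    const char *samples[] = { "/docs/index.html", "/docs/%2e%2e/index.html",
                              "/docs/%2e%2e/%2e%2e/notes.txt", "/docs/%zz" };
    char out[256];
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = safe_resolve("/var/www", samples[i], out, sizeof out) == 0;
        printf("%-32s naive=%d hardened=%s\n", samples[i],
               naive_accepts(samples[i]), ok ? out : "(rejected)");
    }
    return 0;
}
```

The same normalised path should be the only form handed to every later component (file open, CGI dispatch), so that no second decoder sees the request.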
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:74.php
Reply-To: security-advisories@freebsd.org
Message-Id: <20001120212949.0DFBE37B68D@hub.freebsd.org>
Date: Mon, 20 Nov 2000 13:29:49 -0800 (PST)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:75                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          mod_php3/mod_php4 allows remote code execution

Category:       ports
Module:         mod_php3/mod_php4
Announced:      2000-11-20
Credits:        Jouko Pynnönen
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-12 (mod_php4), 2000-10-18 (mod_php3)
Vendor status:  Updated version released
FreeBSD only:   NO

I. Background

php is a commonly used HTML-embedded scripting language.

II. Problem Description

The mod_php ports, versions prior to 3.0.17 (mod_php3) and 4.0.3
(mod_php4), contain a potential vulnerability that may allow a malicious
remote user to execute arbitrary code as the user running the web
server, typically user 'nobody'. The vulnerability is due to a format
string vulnerability in the error logging routines.

A web server is vulnerable if error logging is enabled in php.ini.
Additionally, individual php scripts may cause the web server to be
vulnerable if the script uses the syslog() php function regardless of
error logging in php.ini.

The mod_php ports are not installed by default, nor are they "part of
FreeBSD" as such: they are part of the FreeBSD ports collection, which
contains over 4100 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.1.1
contain this problem since it was discovered after the releases, but it
was corrected prior to the release of FreeBSD 4.2.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security audit
of the most security-critical ports.

III. Impact

Malicious remote users can execute arbitrary code on the local system as
the user running the webserver (typically user 'nobody'). This
vulnerability requires error logging to be enabled in php.ini or by
using the syslog() php function in a script.

If you have not chosen to install the mod_php3 or mod_php4 port/package,
then your system is not vulnerable to this problem.

IV. Workaround

Deinstall the mod_php3/mod_php4 port/package, if you have installed it.

V. Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the mod_php3/mod_php4
port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[php3]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/mod_php-3.0.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/mod_php-3.0.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/mod_php-3.0.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/mod_php-3.0.17.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/mod_php-3.0.17.tgz

[php4]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/mod_php-4.0.3pl1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/mod_php-4.0.3pl1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/www/mod_php-4.0.3pl1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/mod_php-4.0.3pl1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/www/mod_php-4.0.3pl1.tgz

3) download a new port skeleton for the mod_php3/mod_php4 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 20 13:37:40 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 7285337B4C5; Mon, 20 Nov 2000 13:36:45 -0800 (PST)
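For the mod_php advisory above, an added example in C (not PHP's source and not part of the advisory) of the bug class it names: untrusted text used as the format string of a printf-style logger, beside the constant-format correction. log_sink() is a hypothetical stand-in for syslog(3) that formats into a buffer so the result can be inspected, and the sample strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char last_line[256];

/* Stand-in for a printf-style log sink such as syslog(3): it formats
 * into a buffer instead of sending the line to the system log. */
static void log_sink(const char *fmt, ...)
{
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern: request-derived text is the format string, so any
 * '%' sequence in it is interpreted rather than logged. */
const char *log_unsafe(const char *msg)
{
    log_sink(msg);
    return last_line;
}

/* Corrected pattern: constant format, untrusted text passed as data. */
const char *log_safe(const char *msg)
{
    log_sink("%s", msg);
    return last_line;
}

/* Audit helper: counts conversion directives in s ("%%" is not counted).
 * A non-zero result for text on its way to a printf-style call means the
 * call site must be checked for a constant format argument. */
int count_directives(const char *s)
{
    int n = 0;

    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}

int main(void)
{
    /* Constructed input. Only "%%" is ever passed to log_unsafe(): it is
     * enough to show interpretation without reading absent arguments. */
    const char *benign = "quota 100%% used";
    const char *hostile = "%x %x %n";

    printf("unsafe: [%s]\n", log_unsafe(benign));
    printf("safe:   [%s]\n", log_safe(benign));
    printf("safe:   [%s] directives=%d\n", log_safe(hostile),
           count_directives(hostile));
    return 0;
}
```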
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] Reply-To: security-advisories@freebsd.org Message-Id: <20001120213645.7285337B4C5@hub.freebsd.org> Date: Mon, 20 Nov 2000 13:36:45 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:69 Security Advisory FreeBSD, Inc. Topic: telnetd allows remote system resource consumption [REVISED] Category: core Module: telnetd Announced: 2000-11-14 Revised: 2000-11-20 Credits: Jouko Pynnonen Affects: FreeBSD 3.x (all releases), FreeBSD 4.x (all releases prior to 4.2), FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the correction date. Corrected: 2000-11-19 (FreeBSD 4.1.1-STABLE) 2000-11-19 (FreeBSD 3.5.1-STABLE) FreeBSD only: NO 0. Revision History v1.0 2000-11-14 Initial release v1.1 2000-11-20 Corrected patch, pointed out by Christos Zoulas I. Background telnetd is the server for the telnet remote login protocol. II. Problem Description The telnet protocol allows for UNIX environment variables to be passed from the client to the user login session on the server. However, some of these environment variables have special meaning to the telnetd child process itself and may be used to affect its operation. Of particular relevance is the ability for remote users to cause an arbitrary file on the system to be searched for termcap data by passing the TERMCAP environment variable. Although any file on the local system can be read since the telnetd server runs as root, the contents of the file will not be reported in any way to the remote user unless it contains a valid termcap entry, in which case the corresponding termcap sequences will be used to format the output sent to the client. It is believed there is no risk of data disclosure through this vulnerability. 
However, an attacker who forces the server to search through a large file or to read from a device can cause resources to be spent by the server, including CPU cycles and disk read bandwidth, which can increase the server load and may prevent it from servicing legitimate user requests. Since the vulnerability occurs before the login(1) utility is spawned, it does not require authentication to a valid account on the server in order to exploit. All released versions of FreeBSD prior to the correction date including 4.0, 4.1, 4.1.1 and 3.5.1 are vulnerable to this problem, but it was fixed in the 4.1.1-STABLE branch prior to the release of FreeBSD 4.2-RELEASE. III. Impact Remote users without a valid login account on the server can cause resources such as CPU and disk read bandwidth to be consumed, causing increased server load and possibly denying service to legitimate users. IV. Workaround 1) Disable the telnet service, which is usually run out of inetd: comment out the following lines in /etc/inetd.conf, if present. telnet stream tcp nowait root /usr/libexec/telnetd telnetd telnet stream tcp6 nowait root /usr/libexec/telnetd telnetd 2) Impose access restrictions using TCP wrappers (/etc/hosts.allow), or a network-level packet filter such as ipfw(8) or ipf(8) on the perimeter firewall or the local machine, to limit access to the telnet service to trusted machines. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE or 3.5.1-STABLE after the respective correction dates. Note that the original patch was incorrect and caused telnetd to behave incorrectly in certain situations. 2) Apply the patch below and recompile the relevant files: Either save this advisory to a file, or download the patch and detached PGP signature from the following locations, and verify the signature using your PGP utility. 
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1 ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:69/telnetd.patch.v1.1.asc Execute the following commands as root: # cd /usr/src/libexec/telnetd # patch -p < /path/to/patch_or_advisory # make depend && make all install Updated patch for vulnerable systems: Index: ext.h =================================================================== RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- ext.h 1999/08/28 00:10:22 1.7 +++ ext.h 2000/11/19 10:01:27 1.8 @@ -87,7 +87,7 @@ #endif extern int pty, net; -extern char *line; +extern char line[16]; extern int SYNCHing; /* we are in TELNET SYNCH mode */ #ifndef P Index: sys_term.c =================================================================== RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v retrieving revision 1.24 retrieving revision 1.26 diff -u -r1.24 -r1.26 --- sys_term.c 1999/08/28 00:10:24 1.24 +++ sys_term.c 2000/11/19 10:01:27 1.26 @@ -480,14 +480,10 @@ * * Returns the file descriptor of the opened pty. */ -#ifndef __GNUC__ -char *line = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; -#else -static char Xline[] = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; -char *line = Xline; -#endif #ifdef CRAY -char *myline = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"; +char myline[16]; +#else +char line[16]; #endif /* CRAY */ int 
@@ -1799,6 +1795,13 @@ strncmp(*cpp, "_RLD_", 5) && strncmp(*cpp, "LIBPATH=", 8) && #endif + strncmp(*cpp, "LOCALDOMAIN=", 12) && + strncmp(*cpp, "RES_OPTIONS=", 12) && + strncmp(*cpp, "TERMINFO=", 9) && + strncmp(*cpp, "TERMINFO_DIRS=", 14) && + strncmp(*cpp, "TERMPATH=", 9) && + strncmp(*cpp, "TERMCAP=/", 9) && + strncmp(*cpp, "ENV=", 4) && strncmp(*cpp, "IFS=", 4)) *cpp2++ = *cpp; } Index: telnetd.c =================================================================== RCS file: /home/ncvs/src/libexec/telnetd/telnetd.c,v retrieving revision 1.22 retrieving revision 1.24 diff -u -r1.22 -r1.24 --- telnetd.c 2000/01/25 14:52:00 1.22 +++ telnetd.c 2000/11/19 10:01:27 1.24 @@ -805,13 +805,12 @@ #else for (;;) { char *lp; - extern char *line, *getpty(); if ((lp = getpty()) == NULL) fatal(net, "Out of ptys"); if ((pty = open(lp, 2)) >= 0) { - strcpy(line,lp); + strlcpy(line,lp,sizeof(line)); line[5] = 't'; break; } @@ -1115,7 +1114,7 @@ IM = Getstr("im", &cp); IF = Getstr("if", &cp); if (HN && *HN) - (void) strcpy(host_name, HN); + (void) strlcpy(host_name, HN, sizeof(host_name)); if (IF && (if_fd = open(IF, O_RDONLY, 000)) != -1) IM = 0; if (IM == 0) Index: utility.c =================================================================== RCS file: /home/ncvs/src/libexec/telnetd/utility.c,v retrieving revision 1.13 retrieving revision 1.14 diff -u -r1.13 -r1.14 --- utility.c 1999/08/28 00:10:25 1.13 +++ utility.c 2000/10/31 05:29:54 1.14 @@ -330,7 +330,7 @@ { char buf[BUFSIZ]; - (void) sprintf(buf, "telnetd: %s.\r\n", msg); + (void) snprintf(buf, sizeof(buf), "telnetd: %s.\r\n", msg); (void) write(f, buf, (int)strlen(buf)); sleep(1); /*XXX*/ exit(1); 
@@ -343,7 +343,7 @@ { char buf[BUFSIZ], *strerror(); - (void) sprintf(buf, "%s: %s", msg, strerror(errno)); + (void) snprintf(buf, sizeof(buf), "%s: %s", msg, strerror(errno)); fatal(f, buf); } -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBOhmZhlUuHi5z0oilAQECjQP/RJyFP/msuoNj1ebyeE4PjXHFV99FoVIY jeBCjheFN+9kVR2ZqGxzhF8Ds1jsHI2oURhjNwRkf+OGNzCfDKEseTa0/Aa59XG5 68O9DKP2CEZnNra3N5uWCBX7ozGI1iCfJkBstSXBhdpyeumOjhfkEF1cwvJldyWl YMIWv/MwRWs= =wuWd -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 20 13:40:11 2000 Delivered-To: freebsd-security@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 758) id D628E37B4D7; Mon, 20 Nov 2000 13:39:16 -0800 (PST) 
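Review bot: in the first sys_term.c hunk of the telnetd patch above, `char line[16];` now sits in the `#else` branch of `#ifdef CRAY`, so a CRAY build defines only `myline`, while ext.h declares `extern char line[16];` unconditionally and the removed lines defined `line` for every build. If CRAY code still references `line`, move its definition outside the conditional. The literal 16 is also repeated in ext.h and sys_term.c; a shared named constant would keep the declaration and both definitions in step.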
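Review bot: the strncmp() entries added in the second sys_term.c hunk of the telnetd patch above extend a denylist, so any client-supplied variable that is not named here still reaches the login environment; consider inverting the test into an allowlist of variables telnetd is prepared to pass on. The `"TERMCAP=/"` entry also needs a comment stating that only values beginning with a slash are dropped and that other TERMCAP values still pass, since the trailing slash is easy to read as a typo.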
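Review bot: in the first telnetd.c hunk of the telnetd patch above, the return value of `strlcpy(line,lp,sizeof(line));` is ignored, so a pty name of 16 bytes or more from getpty() would be truncated silently and `line[5] = 't';` would then edit a name that no longer matches the device just opened; compare the result with sizeof(line) and call fatal() on truncation. The removed `extern char *line, *getpty();` was also the only declaration of getpty() visible in this hunk, so confirm a prototype is still in scope for `lp = getpty()`.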
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-00:68.ncurses [REVISED] Reply-To: security-advisories@freebsd.org Message-Id: <20001120213916.D628E37B4D7@hub.freebsd.org> Date: Mon, 20 Nov 2000 13:39:16 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:68 Security Advisory FreeBSD, Inc. Topic: ncurses allows local privilege escalation [REVISED] Category: core, ports Module: ncurses Announced: 2000-11-13 Revised: 2000-11-20 Affects: FreeBSD 5.0-CURRENT, 4.x prior to the correction date. FreeBSD 3.x not yet fixed. Corrected: 2000-10-11 (FreeBSD 4.1.1-STABLE) 2000-11-10 (ncurses port) Credits: Jouko Pynnonen FreeBSD only: NO 0. Revision History v1.0 2000-11-13 Initial release v1.1 2000-11-20 Corrected status of 3.x, referenced ncurses port I. Background ncurses is a text-mode display library used for formatting the output of applications on a variety of terminals. It is externally maintained, contributed code which is included in FreeBSD by default. II. Problem Description There exists an overflowable buffer in the libncurses library in the processing of cursor movement capabilities. An attacker can force a privileged application to use the attacker's termcap file containing a specially crafted terminal entry, which will trigger the vulnerability when the vulnerable ncurses code is called. This allows them to execute arbitrary code on the local system with the privileges of the exploited binary. The systat utility included in the FreeBSD base system is known to use vulnerable ncurses routines. It runs with increased privileges as a member of the kmem group, which allows it to read from kernel memory (but not write to it). 
A process with the ability to read from kernel memory can monitor
privileged data such as network traffic, disk buffers and terminal
activity, and may be able to leverage this to obtain further privileges
on the local system or on other systems, including root privileges.

There may be other vulnerable applications included in the FreeBSD base
system, but no others are confirmed to be vulnerable due to the
difficulty in identifying a complete list of vulnerable ncurses
functions. However the following is a complete list of FreeBSD system
binaries which link against ncurses and run with increased privileges.
They may or may not be vulnerable to exploitation.

/usr/sbin/lpc
/usr/bin/top
/usr/bin/systat

FreeBSD 3.x and earlier versions use a very old, customized version of
ncurses which is difficult to update without breaking
backwards-compatibility. The update was made for FreeBSD 4.0, but 3.x
will not be updated to the newer version. At this stage the
vulnerability has not been fixed in FreeBSD 3.x.

The ncurses port (versions prior to 5.2) also contains this
vulnerability. It was corrected prior to the release of FreeBSD 4.2.

III. Impact

Certain setuid/setgid software (including FreeBSD base system utilities
and third party ports/packages) may be vulnerable to a local exploit
yielding privileged access.

The /usr/bin/systat utility is known to be vulnerable to this problem in
ncurses. At this time it is unknown whether /usr/bin/top and
/usr/sbin/lpc are also affected.

The problems were corrected prior to the release of FreeBSD 4.2.

IV. Workaround

It is not feasible to reliably detect binaries which are vulnerable to
the ncurses vulnerability, however the provided utility will scan for
privileged binaries which use ncurses and which may potentially be
vulnerable. Some of the binaries reported may not in fact be vulnerable,
but should be recompiled anyway for maximum assurance of security.
Statically linked binaries which are identified as potentially vulnerable should be recompiled from source code if possible, after patching and recompiling libc, in order to correct the vulnerability. Dynamically linked binaries will be corrected by simply patching and recompiling libc as described below. As an interim measure, consider removing any identified setuid or setgid binary, removing set[ug]id privileges from the file, or limiting the file access permissions, as appropriate. Of course, it is possible that some of the identified files may be required for the correct operation of your local system, in which case there is no clear workaround except for limiting the set of users who may run the binaries, by an appropriate use of user groups and removing the "o+x" file permission bit. 1) Download the 'scan_ncurses.sh' and 'test_ncurses.sh' scripts from ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh e.g. with the fetch(1) command: # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/scan_ncurses.sh Receiving scan_ncurses.sh (381 bytes): 100% 381 bytes transferred in 0.1 seconds (7.03 kBps) # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/tools/SA-00:68/test_ncurses.sh Receiving test_ncurses.sh (604 bytes): 100% 604 bytes transferred in 0.1 seconds (6.55 kBps) 2) Verify the md5 checksums and compare to the value below: # md5 scan_ncurses.sh MD5 (scan_ncurses.sh) = 597f63af701253f053581aa1821cbac1 # md5 test_ncurses.sh MD5 (test_ncurses.sh) = 12491ceb15415df7682e3797de53223e 3) Run the scan_ncurses.sh script against your system: # chmod a+x ./test_ncurses.sh # sh scan_ncurses.sh ./test_ncurses.sh / This will scan your entire system for setuid or setgid binaries which make use of the ncurses library. Each returned binary should be examined (e.g. with 'ls -l' and/or other tools) to determine what security risk it poses to your local environment, e.g. 
whether it can be run by arbitrary local users who may be able to exploit it to gain privileges. 4) Remove the binaries, or reduce their file permissions, as appropriate. V. Solution Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the correction date, or patch your present system source code and rebuild. Then run the scan_ncurses.sh script as instructed in section IV and identify any statically-linked binaries as reported by the script. These should either be removed, recompiled, or have privileges restricted to secure them against this vulnerability (since statically-linked binaries will not be affected by simply recompiling the shared libc library). To patch your present system: download the updated ncurses code from the below location, and execute the following commands as root: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:68/ncurses.tar.gz.asc Verify the detached PGP signature using your PGP utility. cd /usr/src tar xvfz /path/to/ncurses.tar.gz cd /usr/src/lib/libncurses make all make install In contrast to the usual practise, a simple patch fixing the security vulnerability is not provided because the vendor did not make one available, and the updated ncurses snapshot which fixed it contains numerous other changes whose purpose and relation to the fix was unclear. [ncurses port] If you have installed a vulnerable version of the ncurses port, one of the following steps may be used to upgrade it: 1) Upgrade your entire ports collection and rebuild the ncurses port. 
2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/ncurses-5.2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/ncurses-5.2.tgz

3) download a new port skeleton for the ncurses port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 20 14: 1:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id D4FC437B65F; Mon, 20 Nov 2000 14:01:11 -0800 (PST)
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory: FreeBSD-SA-00:76.tcsh-csh Reply-To: security-advisories@freebsd.org Message-Id: <20001120220111.D4FC437B65F@hub.freebsd.org> Date: Mon, 20 Nov 2000 14:01:11 -0800 (PST) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-00:76 Security Advisory FreeBSD, Inc. Topic: tcsh/csh creates insecure temporary file Category: core, ports Module: tcsh, 44bsd-csh Announced: 2000-11-20 Affects: FreeBSD 4.x, 3.x prior to the correction date. Corrected: 2000-11-04 (FreeBSD 4.1.1-STABLE) 2000-11-05 (FreeBSD 3.5.1-STABLE) 2000-11-09 (44bsd-csh port) 2000-11-19 (tcsh port) Credits: proton FreeBSD only: NO I. Background tcsh is an updated version of the traditional BSD C Shell (csh). Versions of csh and tcsh are included in the FreeBSD ports collection (tcsh, 44bsd-csh) and the FreeBSD base system (csh, tcsh). II. Problem Description The csh and tcsh code creates temporary files when the '<<' operator is used, however these are created insecurely and use a predictable filename based on the process ID of the shell. An attacker can exploit this vulnerability to overwrite an arbitrary file writable by the user running the shell. The contents of the file are overwritten with the text being entered using the '<<' operator, so it will usually not be under the control of the attacker. Therefore the likely impact of this vulnerability is a denial of service since the attacker can cause critical files writable by the user to be overwritten. It is unlikely, although possible depending on the circumstances in which the '<<' operator is used, that the attacker could exploit the vulnerability to gain privileges (this typically requires that they have control over the contents the target file is overwritten with). 
All versions of FreeBSD prior to the correction date are vulnerable to this problem: the /bin/csh shell included in the base system (which is the same as /bin/tcsh in recent versions) as well as the tcsh (versions prior to 6.09.03_1) and 44bsd-csh ports (versions prior to 44bsd-csh-20001106) in the ports collection. The problems with the base system shells and the 44bsd-csh port were resolved prior to the release of FreeBSD 4.2. The tcsh port was not fixed prior to the release, but the port is disabled in FreeBSD 4.2 since the same software exists in the base system. III. Impact Unprivileged local users can cause an arbitrary file writable by a victim to be overwritten when the victim invokes the '<<' operator in csh or tcsh (e.g. from within a shell script). If you have not installed the tcsh or 44bsd-csh ports on your 4.1.1-STABLE system dated after the correction date, your system is not vulnerable to this problem. IV. Workaround None practical. V. Solution Upgrade your vulnerable FreeBSD system to 4.1.1-STABLE after the correction date, or patch your present system source code and rebuild. To patch your present system: download the relevant patch from the below location, and execute the following commands as root: [FreeBSD 4.x base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/tcsh.patch.asc Verify the detached PGP signature using your PGP utility. cd /usr/src/contrib/tcsh patch -p < /path/to/patch cd /usr/src/bin/csh make depend && make all install [FreeBSD 3.x base system] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-00:76/csh.patch.asc Verify the detached PGP signature using your PGP utility. 
cd /usr/src/bin/csh patch -p < /path/to/patch make depend && make all install [Ports collection] One of the following: 1) Upgrade your entire ports collection and rebuild the tcsh/44bsd-csh port. 2) Deinstall the old package and install a new package dated after the correction date, obtained from: [tcsh] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/tcsh-6.09.03_1.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/tcsh-6.09.03_1.tgz [44bsd-csh] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/44bsd-csh-20001106.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/44bsd-csh-20001106.tgz 3) download a new port skeleton for the tcsh/44bsd-csh port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. 
The portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Nov 20 15:20:14 2000
Delivered-To: freebsd-security@freebsd.org
Received: from fledge.watson.org (fledge.watson.org [204.156.12.50]) by hub.freebsd.org (Postfix) with ESMTP id CFA0C37B4C5; Mon, 20 Nov 2000 15:20:09 -0800 (PST)
Received: from fledge.watson.org (robert@fledge.pr.watson.org [192.0.2.3]) by fledge.watson.org (8.9.3/8.9.3) with SMTP id SAA40131; Mon, 20 Nov 2000 18:20:06 -0500 (EST) (envelope-from robert@fledge.watson.org)
Date: Mon, 20 Nov 2000 18:20:06 -0500 (EST)
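For FreeBSD-SA-00:76 above, an added example in C (not the csh/tcsh source and not part of the advisory) contrasting a temporary file whose name is derived from the process ID and opened without O_EXCL with one created by mkstemp(3). The heredoc.<pid> name, the PID value and the scratch directory are assumptions made for the demonstration, which runs entirely inside a directory it creates itself.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pattern the advisory describes: the name is derived from the PID and the
 * file is opened without O_EXCL, so whatever already sits there is reused. */
int open_predictable(const char *dir, long pid, char *path, size_t n)
{
    snprintf(path, n, "%s/heredoc.%ld", dir, pid);  /* hypothetical name */
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: mkstemp(3) picks a random suffix and creates the file with
 * O_CREAT|O_EXCL, so an existing file or link is never opened. */
int open_private(const char *dir, char *path, size_t n)
{
    if (snprintf(path, n, "%s/heredoc.XXXXXX", dir) >= (int)n)
        return -1;
    return mkstemp(path);
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);

    if (fd < 0) return -1;
    if (write(fd, text, strlen(text)) < 0) { close(fd); return -1; }
    return close(fd);
}

static int file_equals(const char *path, const char *text)
{
    char buf[64] = "";
    int fd = open(path, O_RDONLY);
    ssize_t got;

    if (fd < 0) return 0;
    got = read(fd, buf, sizeof buf - 1);
    close(fd);
    return got >= 0 && strcmp(buf, text) == 0;
}

/* Exercises both patterns in a scratch directory in which the guessed name
 * already exists as a symlink to another file owned by the same user.
 * Returns a bitmask: bit 0 = the predictable open overwrote that file,
 * bit 1 = the private open left it intact and got its own new file.
 * Returns -1 if the scratch setup fails. */
int run_demo(void)
{
    char dir[] = "/tmp/sa0076.XXXXXX";
    char other[128], guess[128], path[128];
    struct stat st;
    const long pid = 4242;                 /* constructed PID value */
    int fd, result = 0;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(other, sizeof other, "%s/important.txt", dir);
    snprintf(guess, sizeof guess, "%s/heredoc.%ld", dir, pid);
    if (write_file(other, "keep me\n") != 0 || symlink(other, guess) != 0)
        return -1;

    fd = open_predictable(dir, pid, path, sizeof path);
    if (fd < 0 || write(fd, "here-document text\n", 19) != 19) return -1;
    close(fd);
    if (!file_equals(other, "keep me\n")) result |= 1;

    if (write_file(other, "keep me\n") != 0) return -1;
    fd = open_private(dir, path, sizeof path);
    if (fd >= 0 && fstat(fd, &st) == 0 && st.st_nlink == 1 &&
        (st.st_mode & 0077) == 0 && file_equals(other, "keep me\n"))
        result |= 2;
    if (fd >= 0) { close(fd); unlink(path); }

    unlink(guess);
    unlink(other);
    rmdir(dir);
    return result;
}

int main(void)
{
    int r = run_demo();

    if (r < 0) { puts("scratch setup failed"); return 1; }
    printf("predictable name overwrote the other file: %s\n", (r & 1) ? "yes" : "no");
    printf("mkstemp left the other file intact:        %s\n", (r & 2) ? "yes" : "no");
    return r == 3 ? 0 : 1;
}
```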
From: Robert Watson X-Sender: robert@fledge.watson.org To: Warner Losh Cc: core@freebsd.org, freebsd-security@freebsd.org Subject: Re: Item In-Reply-To: <200011202312.QAA28676@harmony.village.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Mon, 20 Nov 2000, Warner Losh wrote: > I think we are done with this. I don't recall what David wanted here, > but I would submit that the definition of the security officer's team > should come from the security officer and therefore we're done now with > that. Unless David wanted a statement of the powers that core has > delegated to the SO, which isn't what I recall. > > Without objection, I'll go ahead and close this later in the week. Closing it sounds great. I think David's request was that we document the procedures and processes of the Security Officer team -- in particular, who's on it, how they get there, and what responsibilities they may hold. This is probably a task for the Security Officer team to come up with, and for Core to bless after possible detail negotiation. Robert N M Watson FreeBSD Core Team, TrustedBSD Project robert@fledge.watson.org NAI Labs, Safeport Network Services To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 20 19: 6:55 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 6A34637B4C5; Mon, 20 Nov 2000 19:06:51 -0800 (PST) Received: (from root@localhost) by giganda.komkon.org (8.9.3/8.9.3) id WAA74232; Mon, 20 Nov 2000 22:06:45 -0500 (EST) (envelope-from str) Date: Mon, 20 Nov 2000 22:06:45 -0500 (EST) 
From: Igor Roshchin Message-Id: <200011210306.WAA74232@giganda.komkon.org> To: security-officer@freebsd.org, security@freebsd.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:76.tcsh-csh Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org 
> From: FreeBSD Security Advisories
> Subject: FreeBSD Security Advisory: FreeBSD-SA-00:76.tcsh-csh
> Date: Mon, 20 Nov 2000 14:01:11 -0800 (PST)
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-00:76 Security Advisory
> FreeBSD, Inc.
>
> Topic: tcsh/csh creates insecure temporary file
> <..>
>
> 2) Deinstall the old package and install a new package dated after the
> correction date, obtained from:
>
> [tcsh]
>
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/shells/tcsh-6.09.03_1.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/shells/tcsh-6.09.03_1.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/shells/tcsh-6.09.03_1.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/shells/tcsh-6.09.03_1.tgz
> ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/shells/tcsh-6.09.03_1.tgz
> <..>

In 3-stable (on ftp.freebsd.org) I find:
-rw-r--r-- 1 569 207 257477 Nov 18 15:16 ../All/tcsh-6.09.03.tgz

Is it an updated version, or not ?
The date is close, but the number is different,
although the package has a date stamp when the problem was known
(and fixed in some parts of the system)

> Corrected: 2000-11-04 (FreeBSD 4.1.1-STABLE)
>            2000-11-05 (FreeBSD 3.5.1-STABLE)
>            2000-11-09 (44bsd-csh port)
>            2000-11-19 (tcsh port)

Similar situation is for 4-stable:
> dir ../All/tcsh*
-rw-r--r-- 1 569 207 1342 Nov 6 02:20 ../All/tcsh-6.09.03.tgz
/.0/FreeBSD/ports/i386/packages-4-stable/shells
freebsd>

So, it is not completely clear if the packages are updated yet, or not.
( I hope I didn't miss the phrase that the packages might not be ready yet
this time)

Igor

From owner-freebsd-security Mon Nov 20 19:26:56 2000 Delivered-To: freebsd-security@freebsd.org Received: from roble.com (mx2.roble.com [206.40.34.15]) by hub.freebsd.org (Postfix) with ESMTP id 1BE6F37B479 for ; Mon, 20 Nov 2000 19:26:54 -0800 (PST) Received: from localhost (marquis@localhost) by roble.com with ESMTP id eAL3Qrl98991 for ; Mon, 20 Nov 2000 19:26:53 -0800 (PST) Date: Mon, 20 Nov 2000 19:26:53 -0800 (PST)
From: Roger Marquis To: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

Anyone have either of these patches run successfully? Here's the
output from patch -p on a 4.1-RELEASE host.

----------------------------------------------------------------------
#patch -p < /tmp/telnetd.patch.v1.1
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ext.h
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
|retrieving revision 1.7
|retrieving revision 1.8
|diff -u -r1.7 -r1.8
|--- ext.h 1999/08/28 00:10:22 1.7
|+++ ext.h 2000/11/19 10:01:27 1.8
--------------------------
Patching file ext.h using Plan A...
Hunk #1 failed at 87.
1 out of 1 hunks failed--saving rejects to ext.h.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: sys_term.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v
|retrieving revision 1.24
|retrieving revision 1.26
|diff -u -r1.24 -r1.26
|--- sys_term.c 1999/08/28 00:10:24 1.24
|+++ sys_term.c 2000/11/19 10:01:27 1.26
--------------------------
Patching file sys_term.c using Plan A...
Hunk #1 failed at 480.
Hunk #2 failed at 1795.
2 out of 2 hunks failed--saving rejects to sys_term.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: telnetd.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/telnetd.c,v
|retrieving revision 1.22
|retrieving revision 1.24
|diff -u -r1.22 -r1.24
|--- telnetd.c 2000/01/25 14:52:00 1.22
|+++ telnetd.c 2000/11/19 10:01:27 1.24
--------------------------
Patching file telnetd.c using Plan A...
Hunk #1 failed at 805.
Hunk #2 failed at 1114.
2 out of 2 hunks failed--saving rejects to telnetd.c.rej
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: utility.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/utility.c,v
|retrieving revision 1.13
|retrieving revision 1.14
|diff -u -r1.13 -r1.14
|--- utility.c 1999/08/28 00:10:25 1.13
|+++ utility.c 2000/10/31 05:29:54 1.14
--------------------------
Patching file utility.c using Plan A...
Hunk #1 failed at 330.
Hunk #2 failed at 343.
2 out of 2 hunks failed--saving rejects to utility.c.rej
Hmm... Ignoring the trailing garbage.
done
----------------------------------------------------------------------o

--
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security Mon Nov 20 21:21:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from giganda.komkon.org (giganda.komkon.org [209.125.17.66]) by hub.freebsd.org (Postfix) with ESMTP id 7727A37B4CF for ; Mon, 20 Nov 2000 21:21:28 -0800 (PST) Received: (from str@localhost) by giganda.komkon.org (8.9.3/8.9.3) id AAA77830; Tue, 21 Nov 2000 00:21:21 -0500 (EST) (envelope-from str) Date: Tue, 21 Nov 2000 00:21:21 -0500 (EST)
From: Igor Roshchin Message-Id: <200011210521.AAA77830@giganda.komkon.org> To: marquis@roble.com, security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] In-Reply-To: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

No problem on a 4.0-RELEASE box:

mailhost: [22:19] [121] /usr/src/libexec/telnetd#patch -p < telnetd.patch.v1.1
Hmm... Looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: ext.h
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v
|retrieving revision 1.7
|retrieving revision 1.8
|diff -u -r1.7 -r1.8
|--- ext.h 1999/08/28 00:10:22 1.7
|+++ ext.h 2000/11/19 10:01:27 1.8
--------------------------
Patching file ext.h using Plan A...
Hunk #1 succeeded at 87.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: sys_term.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v
|retrieving revision 1.24
|retrieving revision 1.26
|diff -u -r1.24 -r1.26
|--- sys_term.c 1999/08/28 00:10:24 1.24
|+++ sys_term.c 2000/11/19 10:01:27 1.26
--------------------------
Patching file sys_term.c using Plan A...
Hunk #1 succeeded at 480.
Hunk #2 succeeded at 1795.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: telnetd.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/telnetd.c,v
|retrieving revision 1.22
|retrieving revision 1.24
|diff -u -r1.22 -r1.24
|--- telnetd.c 2000/01/25 14:52:00 1.22
|+++ telnetd.c 2000/11/19 10:01:27 1.24
--------------------------
Patching file telnetd.c using Plan A...
Hunk #1 succeeded at 805.
Hunk #2 succeeded at 1114.
Hmm... The next patch looks like a unified diff to me...
The text leading up to this was:
--------------------------
|Index: utility.c
|===================================================================
|RCS file: /home/ncvs/src/libexec/telnetd/utility.c,v
|retrieving revision 1.13
|retrieving revision 1.14
|diff -u -r1.13 -r1.14
|--- utility.c 1999/08/28 00:10:25 1.13
|+++ utility.c 2000/10/31 05:29:54 1.14
--------------------------
Patching file utility.c using Plan A...
Hunk #1 succeeded at 330.
Hunk #2 succeeded at 343.
Hmm... Ignoring the trailing garbage.
done

Hope, that helps,

Igor

> Date: Mon, 20 Nov 2000 19:26:53 -0800 (PST)
> From: Roger Marquis > To: security@FreeBSD.ORG > Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] > > Anyone have either of these patches run successfully? Here's the > output from patch -p on a 4.1-RELEASE host. > > ---------------------------------------------------------------------- > #patch -p < /tmp/telnetd.patch.v1.1 > Hmm... Looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ext.h > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v > |retrieving revision 1.7 > |retrieving revision 1.8 > |diff -u -r1.7 -r1.8 > |--- ext.h 1999/08/28 00:10:22 1.7 > |+++ ext.h 2000/11/19 10:01:27 1.8 > -------------------------- > Patching file ext.h using Plan A... > Hunk #1 failed at 87. > 1 out of 1 hunks failed--saving rejects to ext.h.rej > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: sys_term.c > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v > |retrieving revision 1.24 > |retrieving revision 1.26 > |diff -u -r1.24 -r1.26 > |--- sys_term.c 1999/08/28 00:10:24 1.24 > |+++ sys_term.c 2000/11/19 10:01:27 1.26 > -------------------------- > Patching file sys_term.c using Plan A... > Hunk #1 failed at 480. > Hunk #2 failed at 1795. > 2 out of 2 hunks failed--saving rejects to sys_term.c.rej > Hmm... The next patch looks like a unified diff to me... 
> The text leading up to this was: > -------------------------- > |Index: telnetd.c > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/telnetd.c,v > |retrieving revision 1.22 > |retrieving revision 1.24 > |diff -u -r1.22 -r1.24 > |--- telnetd.c 2000/01/25 14:52:00 1.22 > |+++ telnetd.c 2000/11/19 10:01:27 1.24 > -------------------------- > Patching file telnetd.c using Plan A... > Hunk #1 failed at 805. > Hunk #2 failed at 1114. > 2 out of 2 hunks failed--saving rejects to telnetd.c.rej > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: utility.c > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/utility.c,v > |retrieving revision 1.13 > |retrieving revision 1.14 > |diff -u -r1.13 -r1.14 > |--- utility.c 1999/08/28 00:10:25 1.13 > |+++ utility.c 2000/10/31 05:29:54 1.14 > -------------------------- > Patching file utility.c using Plan A... > Hunk #1 failed at 330. > Hunk #2 failed at 343. > 2 out of 2 hunks failed--saving rejects to utility.c.rej > Hmm... Ignoring the trailing garbage. 
> done > ----------------------------------------------------------------------o > > -- > Roger Marquis > Roble Systems Consulting > http://www.roble.com/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 20 21:28:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from rly-ip02.mx.aol.com (rly-ip02.mx.aol.com [152.163.225.160]) by hub.freebsd.org (Postfix) with ESMTP id ED6DE37B4D7 for ; Mon, 20 Nov 2000 21:28:23 -0800 (PST) Received: from tot-wl.proxy.aol.com (tot-wl.proxy.aol.com [205.188.199.1]) by rly-ip02.mx.aol.com (8.8.8/8.8.8/AOL-5.0.0) with ESMTP id AAA28322; Tue, 21 Nov 2000 00:28:08 -0500 (EST) Received: from pavilion (AC8E6614.ipt.aol.com [172.142.102.20]) by tot-wl.proxy.aol.com (8.10.0/8.10.0) with SMTP id eAL5S5832069; Tue, 21 Nov 2000 00:28:05 -0500 (EST) Message-ID: <00e301c0537b$d221fee0$0101a8c0@pavilion> From: "Richard Ward" To: "Igor Roshchin" , , References: <200011210521.AAA77830@giganda.komkon.org> Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] Date: Tue, 21 Nov 2000 00:28:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2615.200 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2615.200 X-Apparently-From: Nis8840@aol.com Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org It seems to have worked fine on my 4.1.1-STABLE server, also. Hopefully you will find an answer to your problem soon. -- Richard Ward, Founder Neonsky Internet Services http://www.neonsky.net ----- Original Message ----- 
From: Igor Roshchin To: ; Sent: Tuesday, November 21, 2000 12:21 AM Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] > > > No problem on a 4.0-RELEASE box: > > mailhost: [22:19] [121] /usr/src/libexec/telnetd#patch -p < telnetd.patch.v1.1 Hmm... Looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: ext.h > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v > |retrieving revision 1.7 > |retrieving revision 1.8 > |diff -u -r1.7 -r1.8 > |--- ext.h 1999/08/28 00:10:22 1.7 > |+++ ext.h 2000/11/19 10:01:27 1.8 > -------------------------- > Patching file ext.h using Plan A... > Hunk #1 succeeded at 87. > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: sys_term.c > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v > |retrieving revision 1.24 > |retrieving revision 1.26 > |diff -u -r1.24 -r1.26 > |--- sys_term.c 1999/08/28 00:10:24 1.24 > |+++ sys_term.c 2000/11/19 10:01:27 1.26 > -------------------------- > Patching file sys_term.c using Plan A... > Hunk #1 succeeded at 480. > Hunk #2 succeeded at 1795. > Hmm... The next patch looks like a unified diff to me... > The text leading up to this was: > -------------------------- > |Index: telnetd.c > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/telnetd.c,v > |retrieving revision 1.22 > |retrieving revision 1.24 > |diff -u -r1.22 -r1.24 > |--- telnetd.c 2000/01/25 14:52:00 1.22 > |+++ telnetd.c 2000/11/19 10:01:27 1.24 > -------------------------- > Patching file telnetd.c using Plan A... > Hunk #1 succeeded at 805. > Hunk #2 succeeded at 1114. > Hmm... The next patch looks like a unified diff to me... 
> The text leading up to this was: > -------------------------- > |Index: utility.c > |=================================================================== > |RCS file: /home/ncvs/src/libexec/telnetd/utility.c,v > |retrieving revision 1.13 > |retrieving revision 1.14 > |diff -u -r1.13 -r1.14 > |--- utility.c 1999/08/28 00:10:25 1.13 > |+++ utility.c 2000/10/31 05:29:54 1.14 > -------------------------- > Patching file utility.c using Plan A... > Hunk #1 succeeded at 330. > Hunk #2 succeeded at 343. > Hmm... Ignoring the trailing garbage. > done > > > > Hope, that helps, > > Igor > > > > > Date: Mon, 20 Nov 2000 19:26:53 -0800 (PST) 
> > From: Roger Marquis > > To: security@FreeBSD.ORG > > Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] > > > > Anyone have either of these patches run successfully? Here's the > > output from patch -p on a 4.1-RELEASE host. > > > > ---------------------------------------------------------------------- > > #patch -p < /tmp/telnetd.patch.v1.1 > > Hmm... Looks like a unified diff to me... > > The text leading up to this was: > > -------------------------- > > |Index: ext.h > > |=================================================================== > > |RCS file: /home/ncvs/src/libexec/telnetd/ext.h,v > > |retrieving revision 1.7 > > |retrieving revision 1.8 > > |diff -u -r1.7 -r1.8 > > |--- ext.h 1999/08/28 00:10:22 1.7 > > |+++ ext.h 2000/11/19 10:01:27 1.8 > > -------------------------- > > Patching file ext.h using Plan A... > > Hunk #1 failed at 87. > > 1 out of 1 hunks failed--saving rejects to ext.h.rej > > Hmm... The next patch looks like a unified diff to me... > > The text leading up to this was: > > -------------------------- > > |Index: sys_term.c > > |=================================================================== > > |RCS file: /home/ncvs/src/libexec/telnetd/sys_term.c,v > > |retrieving revision 1.24 > > |retrieving revision 1.26 > > |diff -u -r1.24 -r1.26 > > |--- sys_term.c 1999/08/28 00:10:24 1.24 > > |+++ sys_term.c 2000/11/19 10:01:27 1.26 > > -------------------------- > > Patching file sys_term.c using Plan A... > > Hunk #1 failed at 480. > > Hunk #2 failed at 1795. > > 2 out of 2 hunks failed--saving rejects to sys_term.c.rej > > Hmm... The next patch looks like a unified diff to me... 
> > The text leading up to this was: > > -------------------------- > > |Index: telnetd.c > > |=================================================================== > > |RCS file: /home/ncvs/src/libexec/telnetd/telnetd.c,v > > |retrieving revision 1.22 > > |retrieving revision 1.24 > > |diff -u -r1.22 -r1.24 > > |--- telnetd.c 2000/01/25 14:52:00 1.22 > > |+++ telnetd.c 2000/11/19 10:01:27 1.24 > > -------------------------- > > Patching file telnetd.c using Plan A... > > Hunk #1 failed at 805. > > Hunk #2 failed at 1114. > > 2 out of 2 hunks failed--saving rejects to telnetd.c.rej > > Hmm... The next patch looks like a unified diff to me... > > The text leading up to this was: > > -------------------------- > > |Index: utility.c > > |=================================================================== > > |RCS file: /home/ncvs/src/libexec/telnetd/utility.c,v > > |retrieving revision 1.13 > > |retrieving revision 1.14 > > |diff -u -r1.13 -r1.14 > > |--- utility.c 1999/08/28 00:10:25 1.13 > > |+++ utility.c 2000/10/31 05:29:54 1.14 > > -------------------------- > > Patching file utility.c using Plan A... > > Hunk #1 failed at 330. > > Hunk #2 failed at 343. > > 2 out of 2 hunks failed--saving rejects to utility.c.rej > > Hmm... Ignoring the trailing garbage. 
> > done > > ----------------------------------------------------------------------o > > > > -- > > Roger Marquis > > Roble Systems Consulting > > http://www.roble.com/ > > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of the message > > > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Nov 20 21:48: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 19A5037B4D7; Mon, 20 Nov 2000 21:48:01 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAL5msi92942; Mon, 20 Nov 2000 21:48:54 -0800 (PST) (envelope-from kris) Date: Mon, 20 Nov 2000 21:48:53 -0800 
From: Kris Kennaway To: Igor Roshchin Cc: security-officer@freebsd.org, security@freebsd.org Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:76.tcsh-csh Message-ID: <20001120214853.B92862@citusc17.usc.edu> References: <200011210306.WAA74232@giganda.komkon.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="bp/iNruPH9dso1Pn" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <200011210306.WAA74232@giganda.komkon.org>; from str@giganda.komkon.org on Mon, Nov 20, 2000 at 10:06:45PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Nov 20, 2000 at 10:06:45PM -0500, Igor Roshchin wrote:

> In 3-stable (on ftp.freebsd.org) I find:
> -rw-r--r-- 1 569 207 257477 Nov 18 15:16 ../All/tcsh-6.09.03.tgz
>
> Is it an updated version, or not ?
> The date is close, but the number is different,
> although the package has a date stamp when the problem was known
> (and fixed in some parts of the system)

No, this is the old, unfixed version. The version number must match or
exceed the version number given in the advisory.

> So, it is not completely clear if the packages are updated yet, or not.
> ( I hope I didn't miss the phrase that the packages might not be ready yet
> this time)

You didn't - I forgot to put it in this time. The new package will
probably be ready in a day or two, you can compile it from the port in
the meantime.

Kris

From owner-freebsd-security Mon Nov 20 21:54:39 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 9F85F37B4C5 for ; Mon, 20 Nov 2000 21:54:35 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAL5tYd93076; Mon, 20 Nov 2000 21:55:34 -0800 (PST) (envelope-from kris) Date: Mon, 20 Nov 2000 21:55:34 -0800
From: Kris Kennaway To: Roger Marquis Cc: security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory: FreeBSD-SA-00:69.telnetd [REVISED] Message-ID: <20001120215534.D92862@citusc17.usc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="oJ71EGRlYNjSvfq7" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from marquis@roble.com on Mon, Nov 20, 2000 at 07:26:53PM -0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Mon, Nov 20, 2000 at 07:26:53PM -0800, Roger Marquis wrote:

> Anyone have either of these patches run successfully? Here's the
> output from patch -p on a 4.1-RELEASE host.

Odd. I just tested on 4.1-R sources and it patched fine. Try
refreshing your sources or something.

Kris

From owner-freebsd-security Mon Nov 20 23:53:58 2000 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 563AB37B4D7; Mon, 20 Nov 2000 23:53:49 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAL7rhQ18847; Tue, 21 Nov 2000 02:53:43 -0500 (EST) Date: Tue, 21 Nov 2000 02:53:43 -0500 (EST)
From: Trevor Johnson To: security-officer@FreeBSD.org, security@FreeBSD.org Subject: Re: New security policy for FreeBSD 3.x In-Reply-To: <20001120035146.0020937B479@hub.freebsd.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> Due to the frequent difficulties encountered in fixing the old code
> contained in FreeBSD 3.x, we will no longer be requiring security
> problems to be fixed in that branch prior to the release of an
> advisory that also pertains to FreeBSD 4.x. In recent months this
> requirement has led to delays in the release of advisories, which
> negatively impacts users of the current FreeBSD release branch
> (FreeBSD 4.x).

IMO an advisory can be useful even when no fix is available, because it
alerts the sysadmin to the fact that something is unsafe. Usually some
defensive action can be taken. The problems with ncurses were reported on
Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed
version was not available until October. IMO that is too long a
wait. Therefore I suggest making this new policy of not waiting a general
one, rather than just for RELENG_3.

Does the FreeBSD Project have a 3.x box for testing?

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Tue Nov 21 0:33:16 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 9157637B4CF; Tue, 21 Nov 2000 00:33:10 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAL8Y7595661; Tue, 21 Nov 2000 00:34:07 -0800 (PST) (envelope-from kris) Date: Tue, 21 Nov 2000 00:34:06 -0800
From: Kris Kennaway To: Trevor Johnson Cc: security-officer@FreeBSD.org, security@FreeBSD.org Subject: Re: New security policy for FreeBSD 3.x Message-ID: <20001121003406.A95525@citusc17.usc.edu> References: <20001120035146.0020937B479@hub.freebsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="VS++wcV0S1rZb1Fb" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from trevor@jpj.net on Tue, Nov 21, 2000 at 02:53:43AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Nov 21, 2000 at 02:53:43AM -0500, Trevor Johnson wrote:

> > Due to the frequent difficulties encountered in fixing the old code
> > contained in FreeBSD 3.x, we will no longer be requiring security
> > problems to be fixed in that branch prior to the release of an
> > advisory that also pertains to FreeBSD 4.x. In recent months this
> > requirement has led to delays in the release of advisories, which
> > negatively impacts users of the current FreeBSD release branch
> > (FreeBSD 4.x).
>
> IMO an advisory can be useful even when no fix is available, because it
> alerts the sysadmin to the fact that something is unsafe. Usually some
> defensive action can be taken. The problems with ncurses were reported on
> Bugtraq in April (and FreeBSD was said to be vulnerable), but a fixed
> version was not available until October. IMO that is too long a
> wait. Therefore I suggest making this new policy of not waiting a general
> one, rather than just for RELENG_3.

This is untrue - we were informed by Jouko Pynonnen on 2 Oct 2000,
which is about the time it hit bugtraq, it was fixed 7 days later by
the vendor and we imported it 2 days after that. You must be referring
to some other problem.

However, your general point is taken and it's something we'll
consider.

Kris

From owner-freebsd-security Tue Nov 21 1: 2:18 2000 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id E3C0537B4CF; Tue, 21 Nov 2000 01:02:14 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAL92EJ21702; Tue, 21 Nov 2000 04:02:14 -0500 (EST) Date: Tue, 21 Nov 2000 04:02:13 -0500 (EST)
From: Trevor Johnson To: Kris Kennaway Cc: security-officer@FreeBSD.org, security@FreeBSD.org Subject: Re: New security policy for FreeBSD 3.x In-Reply-To: <20001121003406.A95525@citusc17.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

> This is untrue - we were informed by Jouko Pynonnen on 2 Oct 2000,
> which is about the time it hit bugtraq, it was fixed 7 days later by
> the vendor and we imported it 2 days after that. You must be referring
> to some other problem.

It was only meant as an example, but: a buffer overflow bug in
libncurses, which had to do with malicious settings of the TERMCAP
environment variable, was reported in April on Bugtraq
(http://www.securityfocus.com/archive/1/56721), and FreeBSD was said to be
affected. I assumed that the recent ncurses advisory was supposed to
cover it.

> However, your general point is taken and it's something we'll
> consider.

Thank you.

--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

From owner-freebsd-security Tue Nov 21 1:13:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 838B037B4D7; Tue, 21 Nov 2000 01:13:29 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAL9EQd96460; Tue, 21 Nov 2000 01:14:26 -0800 (PST) (envelope-from kris) Date: Tue, 21 Nov 2000 01:14:26 -0800
From: Kris Kennaway To: Trevor Johnson Cc: security-officer@FreeBSD.org, security@FreeBSD.org Subject: Re: New security policy for FreeBSD 3.x Message-ID: <20001121011426.A96416@citusc17.usc.edu> References: <20001121003406.A95525@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="DocE+STaALJfprDB" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from trevor@jpj.net on Tue, Nov 21, 2000 at 04:02:13AM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org

On Tue, Nov 21, 2000 at 04:02:13AM -0500, Trevor Johnson wrote:

> > This is untrue - we were informed by Jouko Pynonnen on 2 Oct 2000,
> > which is about the time it hit bugtraq, it was fixed 7 days later by
> > the vendor and we imported it 2 days after that. You must be referring
> > to some other problem.
>
> It was only meant as an example, but: a buffer overflow bug in
> libncurses, which had to do with malicious settings of the TERMCAP
> environment variable, was reported in April on Bugtraq
> (http://www.securityfocus.com/archive/1/56721), and FreeBSD was said to be
> affected. I assumed that the recent ncurses advisory was supposed to
> cover it.

FreeBSD-SA-00:17.libmytinfo.asc

Kris

From owner-freebsd-security Tue Nov 21 9:51:46 2000 Delivered-To: freebsd-security@freebsd.org Received: from txemail.bankofamerica.com (txemail.bankofamerica.com [171.161.160.14]) by hub.freebsd.org (Postfix) with ESMTP id B412737B4CF for ; Tue, 21 Nov 2000 09:51:42 -0800 (PST) Received: from tximail.bankofamerica.com (tximail.bankofamerica.com [171.182.168.13]) by txemail.bankofamerica.com (8.11.1/8.11.1) with ESMTP id eALHpeh03446 for ; Tue, 21 Nov 2000 11:51:41 -0600 (CST) Received: from smtpsw01 (smtpsw01.tx.nbsi.com [159.185.89.135]) by tximail.bankofamerica.com (8.11.1/8.11.1) with ESMTP id eALHpeE27487 for ; Tue, 21 Nov 2000 11:51:40 -0600 (CST) Date: Tue, 21 Nov 2000 11:50:19 -0600
From: mike.sellenschuetter@bankofamerica.com
Subject: rmuser
To: freebsd-security@FreeBSD.ORG
Message-id: <8625699E.0061FCDC.00@dalnsd40.bankofamerica.com>
MIME-version: 1.0
Content-type: text/plain; charset=us-ascii
Content-disposition: inline
Content-transfer-encoding: 7BIT
X-Lotus-FromDomain: BANKOFAMERICA
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I apologize if this is not the right mailing list for this question. We are running a small system which contains around 50 servers and workstations running FreeBSD 2.2.6 (we are upgrading to 4.1 after the Christmas holidays), and we have discovered that rmuser is not removing a user's at jobs. After removing a user with rmuser, atq still shows the job in the queue, but with "???" as the owner. I looked at the rmuser Perl script, and below is the "remove_at_jobs" subroutine from this script.

sub remove_at_jobs {
    local($login_name, $uid) = @_;
    local($i, $owner, $found);

    $found = 0;
    opendir(ATDIR, $atjob_dir) || return;
    while ($i = readdir(ATDIR)) {
        next if $i eq '.';
        next if $i eq '..';
        next if $i eq '.lockfile';
        $owner = (stat("$atjob_dir/$i"))[4]; # UID
        if ($uid == $owner) {
            if (!$found) {
                print STDERR "Removing user's at jobs:";
                $found = 1;
            }
            # Use atrm to remove the job
            print STDERR " $i";
            system('/usr/bin/atrm', $i);
        }
    }
    closedir(ATDIR);
    if ($found) {
        print STDERR " done.\n";
    }
}

The problem appears to be with the "system('/usr/bin/atrm', $i);" command. $i is a filename, and the atrm command wants a job number, not a file name. Does anyone know if this problem is fixed in 4.1?
Thank You Mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 21 13:16:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from ringworld.nanolink.com (ringworld.nanolink.com [195.24.48.13]) by hub.freebsd.org (Postfix) with SMTP id 21FFC37B479 for ; Tue, 21 Nov 2000 13:16:16 -0800 (PST) Received: (qmail 33166 invoked by uid 1000); 21 Nov 2000 18:48:36 -0000 Date: Tue, 21 Nov 2000 20:48:36 +0200 
From: Peter Pentchev To: mike.sellenschuetter@bankofamerica.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: rmuser Message-ID: <20001121204836.F9661@ringworld.oblivion.bg> Mail-Followup-To: mike.sellenschuetter@bankofamerica.com, freebsd-security@FreeBSD.ORG References: <8625699E.0061FCDC.00@dalnsd40.bankofamerica.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <8625699E.0061FCDC.00@dalnsd40.bankofamerica.com>; from mike.sellenschuetter@bankofamerica.com on Tue, Nov 21, 2000 at 11:50:19AM -0600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Tue, Nov 21, 2000 at 11:50:19AM -0600, mike.sellenschuetter@bankofamerica.com wrote: > I apologize if this is not the right mailing list for this question. We are > running a small system which contains around 50 servers and workstations running > FreeBSD 2.2.6 (we are upgrading to 4.1 after the Christmas holidays), and we > have discovered that rmuser is not removing a user's at jobs. After removing a > user with rmuser, atq still shows the job in the queue, but with "???" as the > owner. I looked at the rmuser Perl script, and below is the "remove_at_jobs" > subroutine from this script. > [snip] > > The problem appears to be with the "system('/usr/bin/atrm', $i);" command. $i > is a filename, and the atrm command wants a job number, not a file name. Does > anyone know if this problem is fixed in 4.1? Hi Mike, Basically what you need to do if you have filenames is parse the filenames - at least on 4.2-STABLE they contain the queue ID and the job number. However, if you would resort to using atrm either way, I think it might be a better solution to use atq, too - this way you do not have to depend on the job filenames changing silently underneath your feet (they *are* internal structures). 
Attached is a Perl script, adapted from what I've been using for some time, that calls atq once, parses its output to find the jobs belonging to that particular user, and then calls atrm exactly once, passing it all the jobs to be deleted.

Hope that helps :)

G'luck,
Peter

--
If you think this sentence is confusing, then change one pig.

#!/usr/bin/perl -wT

use strict;

# Taint mode (-T) refuses to exec a program while PATH and friends are
# inherited from the caller, so set a known environment first.
$ENV{PATH} = "/bin:/usr/bin";
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my($path_atq, $path_atrm) = ("/usr/bin/atq", "/usr/bin/atrm");

remove_at_jobs("roam");
exit 0;

# Run atq and return the job numbers that belong to $user.
sub invoke_atq {
    local *PIPE;
    my($user) = (shift || "");
    my(@at) = ();
    my($pid, $line);

    return @at if ($user eq "");

    # Fork with the child's stdout connected to PIPE; no shell is involved.
    if (!defined($pid = open(PIPE, "-|"))) {
        die("creating pipe to atq: $!\n");
    } elsif ($pid == 0) {
        exec($path_atq, $user) or die("exec $path_atq: $!\n");
    }

    while(defined($_ = <PIPE>)) {
        chomp;
        # time, date, owner, queue, job number
        if (/^\d\d:\d\d:\d\d\s+\d\d\/\d\d\/\d\d\s+(\S+)\s+\S+\s+(\d+)$/) {
            push(@at, $2) if ($1 eq $user);
        }
    }
    return @at;
}

# Run atrm once for all of the given jobs and return whatever it printed.
sub invoke_atrm {
    local *ATRM;
    my($user) = (shift || "");
    my(@jobs) = @_;
    my($pid);
    my($txt) = "";

    return "Invalid arguments" if (($user eq "") || ($#jobs == -1));

    if (!defined($pid = open(ATRM, "-|"))) {
        die("creating pipe to atrm: $!\n");
    } elsif ($pid == 0) {
        exec($path_atrm, $user, @jobs) or die("exec $path_atrm: $!\n");
    }

    # atrm only leaks some output on error..
    while(defined($_ = <ATRM>)) {
        $txt .= $_;
    }
    return $txt;
}

sub remove_at_jobs {
    my($user) = (shift || "");
    my(@at, $atrm);

    return 1 if ($user eq "");

    @at = invoke_atq($user);
    return 0 if ($#at == -1); # No jobs for that user

    $atrm = invoke_atrm($user, @at);
    if ($atrm ne "") {
        print "$atrm\n";
        return 1;
    }
    return 0;
}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 4:25: 4 2000
Delivered-To: freebsd-security@freebsd.org
Received: from vexpert.dbai.tuwien.ac.at (vexpert.dbai.tuwien.ac.at [128.130.111.12]) by hub.freebsd.org (Postfix) with ESMTP id 0BD3B37B479; Wed, 22 Nov 2000 04:25:02 -0800 (PST)
Received: from [128.130.111.77] (taygeta [128.130.111.77]) by vexpert.dbai.tuwien.ac.at (8.9.3/8.9.3) with ESMTP id NAA29157; Wed, 22 Nov 2000 13:24:56 +0100 (MET)
Date: Wed, 22 Nov 2000 13:24:56 +0100 (CET)
From: Gerald Pfeifer
To: ,
Subject: Security Advisories and the Announcements page
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I believe that a link to the security announcements should be added to the "Announcements" page that is linked from the top of the homepage:

http://www.freebsd.org/news/newsflash.html

as Security Advisories also constitute a kind of announcement.

Hope this helps,
Gerald

--
Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 4:33:19 2000
Delivered-To: freebsd-security@freebsd.org
Received: from vexpert.dbai.tuwien.ac.at (vexpert.dbai.tuwien.ac.at [128.130.111.12]) by hub.freebsd.org (Postfix) with ESMTP id 6530C37B479 for ; Wed, 22 Nov 2000 04:33:17 -0800 (PST)
Received: from [128.130.111.77] (taygeta [128.130.111.77]) by vexpert.dbai.tuwien.ac.at (8.9.3/8.9.3) with ESMTP id NAA29446 for ; Wed, 22 Nov 2000 13:33:12 +0100 (MET)
Date: Wed, 22 Nov 2000 13:33:13 +0100 (CET)
From: Gerald Pfeifer To: Subject: http://www.freebsd.org/security/ Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The link to "FreeBSD-SA-00:68.ncurses.asc" is broken. Half a dozen of current security advisories (tcsh,...) are missing. Hope this helps, Gerald -- Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 22 6:38:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from smtp.gwi.net (smtp.gwi.net [207.5.128.11]) by hub.freebsd.org (Postfix) with ESMTP id 0E07337B4D7 for ; Wed, 22 Nov 2000 06:38:08 -0800 (PST) Received: from Vinnie (csr6.suscom-maine.net [207.5.144.11]) by smtp.gwi.net (8.10.1/8.10.1) with SMTP id eAMEc2s06673 for ; Wed, 22 Nov 2000 09:38:02 -0500 (EST) Message-ID: <001101c05492$5db56020$3798fea9@suscommaine.net> From: "Bill Olson" To: References: Subject: Unsubscribe Date: Wed, 22 Nov 2000 09:41:57 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4133.2400 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Unsubscribe ----- Original Message ----- 
From: "Gerald Pfeifer" To: Sent: Wednesday, November 22, 2000 7:33 AM Subject: http://www.freebsd.org/security/ > The link to "FreeBSD-SA-00:68.ncurses.asc" is broken. > > Half a dozen of current security advisories (tcsh,...) are missing. > > Hope this helps, > Gerald > -- > Gerald "Jerry" pfeifer@dbai.tuwien.ac.at http://www.dbai.tuwien.ac.at/~pfeifer/ > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 22 6:40: 6 2000 Delivered-To: freebsd-security@freebsd.org Received: from spammie.svbug.com (mg134-015.ricochet.net [204.179.134.15]) by hub.freebsd.org (Postfix) with ESMTP id AEDCF37B4C5; Wed, 22 Nov 2000 06:39:56 -0800 (PST) Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id GAA00607; Wed, 22 Nov 2000 06:38:20 -0800 (PST) (envelope-from jessem@spammie.svbug.com) Message-Id: <200011221438.GAA00607@spammie.svbug.com> Date: Wed, 22 Nov 2000 06:38:19 -0800 (PST) 
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: Security Advisories and the Announcements page
To: pfeifer@dbai.tuwien.ac.at
Cc: freebsd-docs@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To:
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 22 Nov, Gerald Pfeifer wrote:
> I believe that a link to the security announcements should be added to
> the "Announcements" page that is linked from the top of the homepage:
> http://www.freebsd.org/news/newsflash.html
> as Security Advisories also constitute a kind of announcement.
>

I agree. Policies, such as was released lately, show FreeBSD to be responsible in dealing with issues. As such, policies are currently buried in mailing lists.

Perhaps, I'm incorrect on this last point (the mailing list). If so, then I would appreciate correction. :-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 6:40:29 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp.gwi.net (smtp.gwi.net [207.5.128.11]) by hub.freebsd.org (Postfix) with ESMTP id E8AD437B4C5 for ; Wed, 22 Nov 2000 06:40:24 -0800 (PST)
Received: from Vinnie (csr6.suscom-maine.net [207.5.144.11]) by smtp.gwi.net (8.10.1/8.10.1) with SMTP id eAMEeOs06860 for ; Wed, 22 Nov 2000 09:40:24 -0500 (EST)
Message-ID: <004501c05492$b2681d60$3798fea9@suscommaine.net>
From: "Bill Olson"
To:
Subject: Unsubscribe
Date: Wed, 22 Nov 2000 09:44:19 -0500
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_0042_01C05468.C94EF1E0"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4133.2400
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_0042_01C05468.C94EF1E0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Unsubscribe

------=_NextPart_000_0042_01C05468.C94EF1E0--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 7: 7:46 2000
Delivered-To: freebsd-security@freebsd.org
Received: from spammie.svbug.com (mg134-015.ricochet.net [204.179.134.15]) by hub.freebsd.org (Postfix) with ESMTP id DF3DF37B4D7; Wed, 22 Nov 2000 07:07:29 -0800 (PST)
Received: from spammie.svbug.com (localhost.mozie.org [127.0.0.1]) by spammie.svbug.com (8.9.3/8.9.3) with ESMTP id HAA00642; Wed, 22 Nov 2000 07:06:34 -0800 (PST) (envelope-from jessem@spammie.svbug.com)
Message-Id: <200011221506.HAA00642@spammie.svbug.com>
Date: Wed, 22 Nov 2000 07:06:32 -0800 (PST)
From: opentrax@email.com
Reply-To: opentrax@email.com
Subject: Re: New security policy for FreeBSD 3.x
To: imp@village.org
Cc: security-officer@FreeBSD.ORG, arch@FreeBSD.ORG
In-Reply-To: <200011220624.XAA40393@harmony.village.org>
MIME-Version: 1.0
Content-Type: TEXT/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On 21 Nov, Warner Losh wrote:
> In message <200011211843.KAA00298@spammie.svbug.com> opentrax@email.com writes:
> : Please note I've cc'd to arch. Could you make your
> : comments there?
> :
> : On 19 Nov, FreeBSD Security Advisories wrote:
> : > -----BEGIN PGP SIGNED MESSAGE-----
> : >
> : > The FreeBSD Security Officer would like to announce a change in policy
> : > regarding security support for the FreeBSD 3.x branch.
> : >
> : > Due to the frequent difficulties encountered in fixing the old code
> : > contained in FreeBSD 3.x, we will no longer be requiring security
> : > problems to be fixed in that branch prior to the release of an
> : > advisory that also pertains to FreeBSD 4.x. In recent months this
> : > requirement has led to delays in the release of advisories, which
> : > negatively impacts users of the current FreeBSD release branch
> : > (FreeBSD 4.x).
> : >
> : Could you clarify exactly what you are saying? It's not clear.
> : Perhaps a chart might help.
>
> [[ included original text to give context ]]
>
> Generally speaking, fixes go into -current first, then are MFC to
> 4.x-stable and then MFC to 3.x-stable. Sometimes the MFC is easy
> (when the code is substantially identical) and sometimes it isn't. In
> the cases it isn't, we won't hold up the advisory for a 3.x fix. We
> will inform select interested and sufficiently clueful parties of
> pending advisories for which no 3.x solution is available. If they
> can get us a fix for 3.x before we release our advisory (usually a few
> days to a week depending on its severity and other factors), we will
> include it in the advisory. If not, then the advisory goes out anyway
> without a 3.x fix, with the usual room for negotiation for reasonable
> extensions.
>
> In other words, fixes for 3.x will no longer gate security
> advisories, but will be included if available.
>

Thank you for taking the time to explain this Warner. The original advisory was not as clear. However, I still feel a bit confused. As such, I would like to write a document that would explain this situation. This document would include a chart to help those that might need assistance (like me).

I believe that such a document would prove useful and would help the security-officer by providing a definitive document that could be pointed to. This document could also be included in future advisories, where needed.

Let me say lastly that my first impression of this 'advisory' was not what you said, thereby leading to my confusion. Since I believe it clear, I would then suggest the aforementioned document which I am willing to collect/author/edit.

best regards,
Jessem.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 12:42:35 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 9451337B4C5 for ; Wed, 22 Nov 2000 12:42:33 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAMKhhG13315; Wed, 22 Nov 2000 12:43:43 -0800 (PST) (envelope-from kris)
Date: Wed, 22 Nov 2000 12:43:43 -0800
From: Kris Kennaway
To: Gerald Pfeifer
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: http://www.freebsd.org/security/
Message-ID: <20001122124343.B13194@citusc17.usc.edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cmJC7u66zC7hs+87"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from pfeifer@dbai.tuwien.ac.at on Wed, Nov 22, 2000 at 01:33:13PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--cmJC7u66zC7hs+87
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Wed, Nov 22, 2000 at 01:33:13PM +0100, Gerald Pfeifer wrote:
> The link to "FreeBSD-SA-00:68.ncurses.asc" is broken.
>
> Half a dozen of current security advisories (tcsh,...) are missing.

Fixed last night.

Kris

--cmJC7u66zC7hs+87--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 16:56:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id ABDCA37B4C5; Wed, 22 Nov 2000 16:56:17 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAN0vRJ17932; Wed, 22 Nov 2000 16:57:27 -0800 (PST) (envelope-from kris)
Date: Wed, 22 Nov 2000 16:57:27 -0800
From: Kris Kennaway
To: Gerald Pfeifer
Cc: freebsd-docs@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Advisories and the Announcements page
Message-ID: <20001122165727.A17904@citusc17.usc.edu>
References:
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="X1bOJ3K7DJ5YkBrT"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from pfeifer@dbai.tuwien.ac.at on Wed, Nov 22, 2000 at 01:24:56PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--X1bOJ3K7DJ5YkBrT
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Wed, Nov 22, 2000 at 01:24:56PM +0100, Gerald Pfeifer wrote:
> I believe that a link to the security announcements should be added to
> the "Announcements" page that is link from the top of the homepage:
> http://www.freebsd.org/news/newsflash.html
> as Security Advisories also consitute a kind of announcement.

Can you submit a patch please?

Kris

--X1bOJ3K7DJ5YkBrT--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Nov 22 17:39:33 2000
Delivered-To: freebsd-security@freebsd.org
Received: from vexpert.dbai.tuwien.ac.at (vexpert.dbai.tuwien.ac.at [128.130.111.12]) by hub.freebsd.org (Postfix) with ESMTP id DB7E537B4CF; Wed, 22 Nov 2000 17:39:27 -0800 (PST)
Received: from [128.130.111.2] (deneb [128.130.111.2]) by vexpert.dbai.tuwien.ac.at (8.9.3/8.9.3) with ESMTP id CAA15962; Thu, 23 Nov 2000 02:39:26 +0100 (MET)
Date: Thu, 23 Nov 2000 02:39:25 +0100 (CET)
From: Gerald Pfeifer To: Kris Kennaway Cc: , Subject: Re: Security Advisories and the Announcements page In-Reply-To: <20001122165727.A17904@citusc17.usc.edu> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 22 Nov 2000, Kris Kennaway wrote: > Can you submit a patch please? Well, it's really just one line, but here we go. The patch below is for . I intentionally use lower-case HTML tags, as this is what XHTML 1.0 (and thus any forthcoming standard) demands and also added a missing full-stop in the Java paragraph. Gerald --- newsflash.html.1 Tue Nov 14 07:14:14 2000 +++ newsflash.html Thu Nov 23 02:37:24 2000 @@ -26,13 +26,16 @@ subscribe to the freebsd-announce mailing list.

+

For FreeBSD Security Advisories, please refer to the our Security Information page.

+

The FreeBSD Real-Quick (TM) Newsletter (RQN) is a monthly (sometimes bi-weekly) newsletter containing recent developments in the FreeBSD arena. Subscribe to freebsd-announce to receive this newsletter via e-mail.

-

For latest news of FreeBSD Java Project please visit FreeBSD/Java NewsFlash page

+

For latest news of FreeBSD Java Project please visit FreeBSD/Java NewsFlash page.

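Review bot: In the paragraph added for Security Advisories, "please refer to the our Security Information page" carries a stray article and should read "please refer to our Security Information page". The message describes this as a one-line change, but the hunk also rewrites the Java paragraph to add the full stop, so the commit log should mention both changes.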
For a detailed description of past, present, and future releases, see the Release To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Nov 22 23:29:52 2000 Delivered-To: freebsd-security@freebsd.org Received: from mta5-rme.xtra.co.nz (mta5-rme.xtra.co.nz [203.96.92.17]) by hub.freebsd.org (Postfix) with ESMTP id F044E37B479; Wed, 22 Nov 2000 23:27:47 -0800 (PST) Received: from themail.com ([210.54.197.59]) by mta5-rme.xtra.co.nz with SMTP id <20001123072744.OAIP60565.mta5-rme.xtra.co.nz@themail.com>; Thu, 23 Nov 2000 20:27:44 +1300 From: "turehu" To: Subject: Accept credit cards on-line THE EASY WAY! Mime-Version: 1.0 Content-Type: text/plain; charset="ISO-8859-1" Date: Thu, 23 Nov 2000 08:24:45 +1300 Content-Transfer-Encoding: 8bit Message-Id: <20001123072744.OAIP60565.mta5-rme.xtra.co.nz@themail.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org No set up fees No monthly interest No minimum transaction fees The only charge is a small percentage of the cost of the transaction. You can not lose money! You only pay fees if you sell your product. Get in the act and launch your online bussiness which will work for you 24hrs a day, seven days a week and it is worldwide. Want to find out more? Go to: http://www.cyberturf.com/creditcard If this Email has reached you by mistake, we apologize. 
To remove your Email from the mailing list please send: jennifer@nottern.com

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 23 6:42: 0 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.gutatelecom.ru (ns.gutatelecom.ru [195.7.161.13]) by hub.freebsd.org (Postfix) with ESMTP id 67D5D37B479 for ; Thu, 23 Nov 2000 06:41:58 -0800 (PST)
Received: from hub.all.yans.ru (unknown [10.123.0.2]) by ns.gutatelecom.ru (Postfix) with ESMTP id 532666E718 for ; Thu, 23 Nov 2000 17:41:52 +0300 (MSK)
Received: by hub.all.yans.ru (Postfix, from userid 300) id 189AC7F8C1; Thu, 23 Nov 2000 17:42:31 +0300 (MSK)
Date: Thu, 23 Nov 2000 17:42:31 +0300
From: Ekaterina Ivannikova
To: freebsd-security@freebsd.org
Subject: How to isolate jails from the host system ?
Message-ID: <20001123174231.A4498@hub.all.yans.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi All,

what is the recommended way of isolating jails from the host system with regard to tcp/ip connections ? It appears that though processes in a jail are not allowed to bind to the host system's ip address, they are still assigned this ip address if they try to connect to daemons running on the host system. Thus placing filters on lo0 doesn't help as the host system cannot distinguish between clients coming from a jail and its own processes.

I'm running 4.2-STABLE cvsuped on Nov 21 if it matters.
Regards,
Ekaterina Ivannikova

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 23 8:31: 5 2000
Delivered-To: freebsd-security@freebsd.org
Received: from libertad.univalle.edu.co (libertad.univalle.edu.co [216.6.69.11]) by hub.freebsd.org (Postfix) with ESMTP id B05B137B479 for ; Thu, 23 Nov 2000 08:30:50 -0800 (PST)
Received: from localhost (buliwyf@localhost) by libertad.univalle.edu.co (8.10.0/8.10.0) with ESMTP id eANGder82406 for ; Thu, 23 Nov 2000 11:39:42 -0500 (COT)
Date: Thu, 23 Nov 2000 11:39:40 -0500 (COT)
From: Buliwyf McGraw
To: security@FreeBSD.ORG
Subject: ipf - icmp
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello... I'm doing some tests with ipf... I added these rules on the system:

block in on sis0 proto icmp all
block out on sis0 proto icmp all

But, when I do a ping from another machine... the server answers the icmp request without problems... I ask: Are the rules failing???
=======================================================================
Buliwyf McGraw
Administrador del Servidor Libertad
Centro de Servicios de Informacion
Universidad del Valle
=======================================================================

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 23 11:31:30 2000
Delivered-To: freebsd-security@freebsd.org
Received: from tmd.df.ru (i.am.a.sincere.pathalogical.liar.org [216.58.112.97]) by hub.freebsd.org (Postfix) with ESMTP id 8F47537B479 for ; Thu, 23 Nov 2000 11:31:27 -0800 (PST)
Received: from localhost (tmd@localhost) by tmd.df.ru (8.11.1/8.11.1) with ESMTP id eANJa2T18378 for ; Thu, 23 Nov 2000 14:36:04 -0500 (EST) (envelope-from tmd@tmd.df.ru)
Date: Thu, 23 Nov 2000 14:35:56 -0500 (EST)
From: Vlad
To: security@FreeBSD.ORG
Subject: Re: ipf - icmp
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Perhaps there are other rules that follow before/after that supersede the icmp ones. Try using "quick" option.

pass in quick on sis0 proto icmp from any to any icmp-type 0
pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
pass in quick on sis0 proto icmp from any to any icmp-type timex
pass out quick on sis0 proto icmp from any to any

these entries will allow you to ping/traceroute anyone, will prohibit anyone from pinging/tracerouting you.

On Thu, 23 Nov 2000, Buliwyf McGraw wrote:

>
> Hello... I'm doing some tests with ipf... I added these rules on the
> system:
>
> block in on sis0 proto icmp all
> block out on sis0 proto icmp all
>
> But, when I do a ping from another machine... the server answers the
> icmp request without problems... I ask: Are the rules failing???
>
> =======================================================================
> Buliwyf McGraw
> Administrador del Servidor Libertad
> Centro de Servicios de Informacion
> Universidad del Valle
> =======================================================================
>
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 23 12:14:20 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.sonet.pt (unknown [195.8.11.18]) by hub.freebsd.org (Postfix) with SMTP id 7D10E37B4C5 for ; Thu, 23 Nov 2000 12:14:16 -0800 (PST)
Received: (qmail 16375 invoked from network); 23 Nov 2000 21:19:21 -0000
Received: from unknown (HELO angelsp) (195.8.11.26) by 195.8.11.18 with SMTP; 23 Nov 2000 21:19:21 -0000
Message-ID: <00d001c05589$78602020$1a0b08c3@angelsp>
From: "Jorge Filipe Andrade"
To: ,
Subject: Security Advisories at FreeBSD 4.2?
Date: Thu, 23 Nov 2000 20:10:48 -0000
Organization: SONET - Serviços Internet, Lda
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="----=_NextPart_000_00CD_01C05589.78462F80"
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.00.2919.6700
X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

This is a multi-part message in MIME format.

------=_NextPart_000_00CD_01C05589.78462F80
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Hello,

Can somebody tell me if there are Security Advisories for FreeBSD 4.2-STABLE?
Thank you!
--
Best Regards,

Jorge Filipe Andrade
___________________________
SONET - Serviços Internet, Lda
http://www.sonet.pt

------=_NextPart_000_00CD_01C05589.78462F80--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 23 13:27:50 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id EEAF537B479; Thu, 23 Nov 2000 13:27:46 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eANLSpw36135; Thu, 23 Nov 2000 13:28:51 -0800 (PST) (envelope-from kris)
Date: Thu, 23 Nov 2000 13:28:51 -0800
From: Kris Kennaway
To: Jorge Filipe Andrade
Cc: freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: Security Advisories at FreeBSD 4.2?
Message-ID: <20001123132851.A36019@citusc17.usc.edu>
References: <00d001c05589$78602020$1a0b08c3@angelsp>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <00d001c05589$78602020$1a0b08c3@angelsp>; from jfa@mail.sonet.pt on Thu, Nov 23, 2000 at 08:10:48PM -0000
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--7AUc2qLy4jB3hD7Z
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Thu, Nov 23, 2000 at 08:10:48PM -0000, Jorge Filipe Andrade wrote:
> Hello,
>
> Somebody can say me, if exists Securty Advisores for FreeBSD 4.2-STABLE?
> Thank you!

FreeBSD 4.2-RELEASE came out on Monday. There are no known outstanding security issues against 4.2-RELEASE or later (e.g. 4.2-STABLE).

Kris

--7AUc2qLy4jB3hD7Z--

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Nov 23 14:40:57 2000
Delivered-To: freebsd-security@freebsd.org
Received: from news.IAEhv.nl (news.IAE.nl [194.151.64.4]) by hub.freebsd.org (Postfix) with ESMTP id A82BB37B479 for ; Thu, 23 Nov 2000 14:40:54 -0800 (PST)
Received: (from uucp@localhost) by news.IAEhv.nl (8.9.1/8.9.1) with IAEhv.nl id XAA08534; Thu, 23 Nov 2000 23:40:53 +0100 (MET)
Received: by adv.devet.org (Postfix, from userid 100) id 3EB5A44AD; Thu, 23 Nov 2000 23:40:17 +0100 (CET)
Date: Thu, 23 Nov 2000 23:40:17 +0100
To: tmd@tmd.df.ru
Cc: security@freebsd.org
Subject: Re: ipf - icmp
Message-ID: <20001123234017.A66597@adv.devet.org>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
X-Newsgroups: list.freebsd.security
In-Reply-To:
Organization: Eindhoven, the Netherlands
From: Arjan.deVet@adv.iae.nl (Arjan de Vet)
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In article you write:

>Perhaps there are other rules that follow before/after
>that supercede the icmp ones. Try using "quick" option.
>
>pass in quick on sis0 proto icmp from any to any icmp-type 0
>pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
>pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
>pass in quick on sis0 proto icmp from any to any icmp-type timex
>pass out quick on sis0 proto icmp from any to any
>
>these entries will allow you to ping/traceroute anyone, will prohibit
>anyone from pinging/tracerouting you.

The following set of rules will accomplish the same in a better way:

pass out quick on sis0 proto udp from any to any keep state keep frags
pass out quick on sis0 proto icmp from any to any keep state keep frags

The trick is to use 'keep state' on outgoing traceroute/ping udp/icmp
packets. ipfilter will match any incoming icmp packets with the state
table in an intelligent way. This means that an incoming icmp packet will
only be allowed through if it matches with a traceroute/ping that
originated from your machine. E.g., a fake icmp echo-reply will be blocked.

I have no 'pass in' rules regarding icmp on my firewall, the ipfilter
state table handles all incoming icmp traffic automatically.
Arjan -- Arjan de Vet, Eindhoven, The Netherlands URL: http://www.iae.nl/users/devet/ for PGP key: finger devet@iae.nl To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 15:45:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from hboss-bsd.powersurfr.com (hboss-bsd.powersurfr.com [24.108.165.216]) by hub.freebsd.org (Postfix) with ESMTP id 6E5AF37B4C5 for ; Thu, 23 Nov 2000 15:45:30 -0800 (PST) Received: from localhost (akwan@localhost) by hboss-bsd.powersurfr.com (8.11.0/8.11.0) with ESMTP id eANNkgt00945 for ; Thu, 23 Nov 2000 16:46:43 -0700 (MST) (envelope-from akwan@hboss-bsd.powersurfr.com) Date: Thu, 23 Nov 2000 16:46:42 -0700 (MST) From: Al Kwan To: security@FreeBSD.ORG Subject: INBOX Locked In-Reply-To: <20001123234017.A66597@adv.devet.org> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello, I get this error upon opening pine: "Inbox is open by another process, access is readonly" FreeBSD V.4.1.1-Release Pine V.4.21 I haven't got any other pine processes running, even after I reboot and try pine right away, it says the same thing. /var/mail - permissions are rwx for owner/group/everyone /var/mail/akwan - permissions are rw for owner, no permissions for group/everyone Hope someone can help. 
Thx in advance, Al To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 16: 2:15 2000 Delivered-To: freebsd-security@freebsd.org Received: from hboss-bsd.powersurfr.com (hboss-bsd.powersurfr.com [24.108.165.216]) by hub.freebsd.org (Postfix) with ESMTP id 19A7537B4CF for ; Thu, 23 Nov 2000 16:02:11 -0800 (PST) Received: from localhost (akwan@localhost) by hboss-bsd.powersurfr.com (8.11.0/8.11.0) with ESMTP id eAO03Sq01062 for ; Thu, 23 Nov 2000 17:03:28 -0700 (MST) (envelope-from akwan@hboss-bsd.powersurfr.com) Date: Thu, 23 Nov 2000 17:03:28 -0700 (MST) From: Al Kwan To: security@FreeBSD.ORG Subject: Re: INBOX Locked In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hello all, Figured it out after much frustration. Hopefully if anyone else gets this problem you can learn from my errors.. Somehow my /tmp (/usr/tmp) directory permissions changed to: drwxr-xr-x - so groups and everyone didn't have write access to tmp Pine needs that to put the mailbox file in while it works on it and lets you delete messages and so forth. Change permission on the /usr/tmp directory to allow write access and the INBOX stops being "readonly". Al Kwan On Thu, 23 Nov 2000, Al Kwan wrote: > Hello, > > I get this error upon opening pine: > > "Inbox is open by another process, access is readonly" > > FreeBSD V.4.1.1-Release > Pine V.4.21 > > I haven't got any other pine processes running, even after I reboot and > try pine right away, it says the same thing. > > /var/mail - permissions are rwx for owner/group/everyone > /var/mail/akwan - permissions are rw for owner, no permissions for > group/everyone > > Hope someone can help. 
Thx in advance, > > Al > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 18:54:14 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail-4.sjc.telocity.net (mail-4.sjc.telocity.net [216.227.56.44]) by hub.freebsd.org (Postfix) with ESMTP id 411F737B4CF; Thu, 23 Nov 2000 18:54:11 -0800 (PST) Received: from zoso (dsl-216-227-91-85.telocity.com [216.227.91.85]) by mail-4.sjc.telocity.net (8.9.3/8.9.3) with SMTP id SAA28799; Thu, 23 Nov 2000 18:50:32 -0800 (PST) From: "Otter" To: "Kris Kennaway" , "Jorge Filipe Andrade" Cc: , Subject: RE: Security Advisories at FreeBSD 4.2? Date: Thu, 23 Nov 2000 21:57:58 -0500 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) In-Reply-To: <20001123132851.A36019@citusc17.usc.edu> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org }On Thu, Nov 23, 2000 at 08:10:48PM -0000, Jorge Filipe Andrade wrote: }> Hello, }> }> Somebody can say me, if exists Securty Advisores for }FreeBSD 4.2-STABLE? }> Thank you! } }FreeBSD 4.2-RELEASE came out on Monday. There are no known }outstanding }security issues against 4.2-RELEASE or later (e.g. 4.2-STABLE). } }Kris } AND... 
when/if they are announced, you can find them if you read: ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/4.2-RELEASE/ERRATA.TXT -Otter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 18:59:33 2000 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id C85CD37B4C5 for ; Thu, 23 Nov 2000 18:59:27 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAO2xH702772; Thu, 23 Nov 2000 21:59:17 -0500 (EST) Date: Thu, 23 Nov 2000 21:59:17 -0500 (EST) From: Trevor Johnson To: security@freebsd.org Cc: toasty@dragondata.com Subject: Joe's Own Editor File Link Vulnerability (fwd) Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=X-UNKNOWN Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org I've gotten no response to the appended message. I installed joe from the current ports collection, a few minutes ago, and was able to confirm the bug. The Linux people (Red Hat, Immunix, Mandrake, and Debian) have released patched versions, but I haven't looked at their patches. Would it be all right if I marked the port forbidden (mentioning http://www.securityfocus.com/archive/1/145305), until the maintainer becomes available? 
--
Trevor Johnson
http://jpj.net/~trevor/gpgkey.txt

---------- Forwarded message ----------
Date: Thu, 16 Nov 2000 23:57:07 -0500 (EST)
From: Trevor Johnson
To: toasty@dragondata.com
Subject: Joe's Own Editor File Link Vulnerability (fwd)

---------- Forwarded message ----------
Date: Thu, 16 Nov 2000 09:27:13 +0100
From: advisories@WKIT.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Joe's Own Editor File Link Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TITLE: Joe's Own Editor File Link Vulnerability
ADVISORY ID: WSIR-00/11-01
CONTACT: Patrik Birgersson, Wkit Security AB
CLASS: File Handling Error
OBJECT: joe(1) (exec)
VENDOR: Josef H. Allen
STATUS: Vendor not reachable
REMOTE: No
LOCAL: Yes
DATE: 13/11/2000
VULNERABLE: Joe's Own Editor 2.8
Other versions/configurations not tested

VULNERABILITY DESCRIPTION
If a joe session with an unsaved file terminates abnormally, joe creates a
rescue copy of the file being edited called DEADJOE. The creation of this
rescue copy is made without checking if the file is a link. If it is a
link, joe will append the information in the unsaved file to the file that
is being linked to DEADJOE, resulting in a corrupted file.

CONDITIONS
1. The malicious user must have write permissions in the directory where
   the file is being edited, in order to create a link
2. The 'victim user' must have write permissions for the 'victim file'
3. The 'victim user' joe session must terminate abnormally
4. The file being edited must not have been saved

VULNERABILITY EXAMPLE
- - Root is logged in remote
- - Malicious user (X) notices that root is editing file.txt in /tmp
    (where X has write permissions)
- - X creates a link from /etc/passwd (root = write permission) to
    /tmp/DEADJOE
- - Root's connection is dropped or terminated under abnormal conditions
    (for example: root halts the system) before file.txt is saved, the
    editor will write a rescue copy to /tmp/DEADJOE
- - The editor won't check if /tmp/DEADJOE is a link, and appends the
    content of file.txt to /etc/passwd

SOLUTION/VENDOR INFORMATION/WORKAROUND
No information available.

CREDITS
This vulnerability was discovered and documented by Christer Öberg and
Patrik Birgersson of Wkit Security AB, Håverud, Sweden.
Other advisories from Wkit Security AB can be obtained from:
http://www.wkit.com/advisories/

DISCLAIMER
The contents of this advisory is copyright (c) 2000 Wkit Security AB and
may be distributed freely, provided that no fee is charged and proper
credit is given. Wkit Security AB takes no credit for this discovery if
someone else has published this information in the public domain before
this advisory was released. The information herein is intended for
educational purposes, not for malicious use. Wkit Security AB takes no
responsibility whatsoever for the use of this information.

ABOUT THE COMPANY
Wkit Security AB is an independent data security company working with
security-related services and products. Wkit Security AB plays a leading
role in the development of security thinking, regarding internal and
external data communication at companies and other organizations that
store sensitive information. The company consists of two divisions: a
service division, performing security analysis and security reviews, and a
product division. We work together with strategic partners to bring
programs and services into the market.
Our services and products are continuously developed to optimally follow the world demand for IT security. 30 DAY DISCLOSURE Whenever Wkit Security AB finds any security related flaws in operating system, or application, we will provide the vendor responsible for the product with a detailed Incident Report. We believe that 30 days is appropriate for the vendor to fix the problem before we publish the incident report on our own web page and other mailing lists/websites we find suitable for the majority of the worldwide users. If the vendor has a reasonable cause why they can't fix the problem in 30 days we can, after discussion, agree on a longer disclosure time. ACKNOWLEDGEMENTS Wkit Security AB's highest priority is for the public security, and will never release Incidents Reports without informing the vendor and give them reasonable (30 day) time to fix the problem. In general, Wkit Security AB follows the guidelines for reporting security breaches we found on the vendors homepage or similar. We urge vendors that in the same way we follow their guidelines, that the vendor informs us about the solution; if possible, 2 days before the fix/solution will be presented for the majority. This gives us the chance to prepare our web page to inform about the Incident and to present a solution in the way the vendor suggest at the time when it is present for the majority. CONTACT Wkit Security AB should be contacted through advisories@wkit.com if no other agreement has been done. Every incident report is assigned a report number WSIR-xx/xx-xx (Wkit Security AB Incident Report) and one responsible contact person from Wkit Security. When communicating with Wkit Security AB in the matter of the Incident Reports, be sure to add the WSIR number in the email to avoid any problems. 
*************************************************************************** Wkit Security AB Upperudsvägen 4 S-464 72 Håverud SWEDEN http://www.wkit.com e-mail: advisories@wkit.com *************************************************************************** -----BEGIN PGP SIGNATURE----- Version: PGP 7.0 iQA/AwUBOhJlSW7fLJob6xkXEQJgpACfSP5fzZWft5antg+DdXMdYcAOVSQAoKN/ lhge4y3XCAroyWUA004N/acM =LYU/ -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 19:15:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id 0892B37B4C5 for ; Thu, 23 Nov 2000 19:15:39 -0800 (PST) Received: (qmail 8645 invoked by uid 0); 24 Nov 2000 03:15:37 -0000 Received: from p3ee21638.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.56) by mail.gmx.net (mail04) with SMTP; 24 Nov 2000 03:15:37 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id VAA20005 for freebsd-security@freebsd.org; Thu, 23 Nov 2000 21:27:57 +0100 Date: Thu, 23 Nov 2000 21:27:57 +0100 From: Gerhard Sittig To: freebsd-security@freebsd.org Subject: Re: How to isolate jails from the host system ? Message-ID: <20001123212757.W27042@speedy.gsinet> Mail-Followup-To: freebsd-security@freebsd.org References: <20001123174231.A4498@hub.all.yans.ru> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i In-Reply-To: <20001123174231.A4498@hub.all.yans.ru>; from kate@gutatelecom.ru on Thu, Nov 23, 2000 at 05:42:31PM +0300 Organization: System Defenestrators Inc. 
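The link flaw from the WSIR-00/11-01 advisory forwarded above, as an added example in C (not joe's source and not part of the thread): a rescue-file writer that opens DEADJOE by name as the advisory describes, beside one that refuses symbolic links with O_NOFOLLOW and rejects hard links and foreign files with fstat() on the open descriptor. The function names, the scratch directory under /tmp and the sample buffer are assumptions made for the demonstration.

```c
/* Added example with assumed names; this is not joe's source code. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW, mkdtemp(), symlink() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define UNSAVED "unsaved editor buffer\n"   /* constructed sample data */
enum link_kind { NO_LINK, SYMLINK, HARDLINK };

static int append_all(int fd, const char *buf)
{
    size_t len = strlen(buf);
    return write(fd, buf, len) == (ssize_t)len ? 0 : -1;
}

/* Pattern the advisory describes: open the rescue file by name and append,
 * following whatever that name currently points at. */
int rescue_unsafe(const char *path, const char *buf)
{
    int rc, fd = open(path, O_WRONLY | O_CREAT | O_APPEND, 0600);
    if (fd < 0)
        return -1;
    rc = append_all(fd, buf);
    close(fd);
    return rc;
}

/* Hardened: O_NOFOLLOW makes open() fail when the last path component is a
 * symlink; fstat() on the open descriptor then rejects hard links, non-regular
 * files and files owned by another user, with no check-then-open race. */
int rescue_safe(const char *path, const char *buf)
{
    struct stat st;
    int rc, fd = open(path, O_WRONLY | O_CREAT | O_APPEND | O_NOFOLLOW, 0600);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        return -1;
    }
    rc = append_all(fd, buf);
    close(fd);
    return rc;
}

static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1;
}

/* Plants DEADJOE as `kind` in a fresh private directory, runs `writer`, stores
 * its result in *writer_rc and returns the bytes appended to the victim file. */
long bytes_leaked(int (*writer)(const char *, const char *),
                  enum link_kind kind, int *writer_rc)
{
    char dir[] = "/tmp/deadjoe-demo-XXXXXX";
    char victim[64], rescue[64];
    long before, leaked = -1;   /* -1 means the setup itself failed */
    FILE *f;
    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(victim, sizeof victim, "%s/victim.txt", dir);
    snprintf(rescue, sizeof rescue, "%s/DEADJOE", dir);
    if ((f = fopen(victim, "w")) != NULL) {
        fputs("original contents\n", f);
        fclose(f);
        if (kind == NO_LINK ||
            (kind == SYMLINK && symlink(victim, rescue) == 0) ||
            (kind == HARDLINK && link(victim, rescue) == 0)) {
            before = size_of(victim);
            *writer_rc = writer(rescue, UNSAVED);
            leaked = size_of(victim) - before;
        }
    }
    unlink(rescue);
    unlink(victim);
    rmdir(dir);
    return leaked;
}

int main(void)
{
    static const char *names[] = { "no link", "symlink", "hard link" };
    for (int k = NO_LINK; k <= HARDLINK; k++) {
        int ru = 0, rs = 0;
        long lu = bytes_leaked(rescue_unsafe, (enum link_kind)k, &ru);
        long ls = bytes_leaked(rescue_safe, (enum link_kind)k, &rs);
        printf("%-9s unsafe rc=%d leaked=%ld | safe rc=%d leaked=%ld\n",
               names[k], ru, lu, rs, ls);
    }
    return 0;
}
```

O_NOFOLLOW only covers the final path component, so the check is strongest when the rescue file lives in a directory that only the editing user can write.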
Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, Nov 23, 2000 at 17:42 +0300, Ekaterina Ivannikova wrote: > > It appeares that though processes in a jail are not allowed to > bind to the host system's ip address, they are still assigned > this ip address if they try to connect to daemons running on > the host system. That's hard to believe. :) At least it contradicts the jail(2) idea. Processes in jails can *only* bind to the IP assigned to the jail. Not even 127.0.0.1 is available. Although there was (is?) a bug with UDP packets mistakenly being sent _from_ the host's address under certain circumstances. But a fix is available, search for "jail" in the gnats database. What you cannot defend against is processes in the host to bind to IPs delegated into jails. But you don't run any services in the host except for the jail(8)s, do you? There's no real need to do so except for the administrative access sshd -- unless one has a serial console ... virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 22:21:42 2000 Delivered-To: freebsd-security@freebsd.org Received: from mtu.ru (ns.mtu.ru [195.34.32.10]) by hub.freebsd.org (Postfix) with ESMTP id 4C47837B4CF; Thu, 23 Nov 2000 22:21:37 -0800 (PST) X-Recipient: freebsd-isp@FreeBSD.ORG Received: from pentium (ppp101-137.dialup.mtu-net.ru [212.188.101.137]) by mtu.ru (Postfix) with ESMTP id 97CBE76F9; Fri, 24 Nov 2000 09:21:33 +0300 (MSK) (envelope-from kulakov@kudesniki.ru) Reply-To: From: "Vladimir I. Kulakov" To: , Subject: DOS atack of hardware problem? 
Date: Fri, 24 Nov 2000 09:21:32 +0300
X-MSMail-Priority: Normal
X-Priority: 3
X-Mailer: Microsoft Internet Mail 4.70.1155
MIME-Version: 1.0
Content-Type: text/plain; charset=Windows-1251
Content-Transfer-Encoding: 7bit
Message-Id: <20001124062133.97CBE76F9@mtu.ru>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello!

Last week I noticed some strange messages in my log files:

fxp0 : device timeout

After that the ping became unstable, and sometimes the server was
unreachable. We replugged the server from 100 Mbit/s 3com switch to
ordinary 10 Mbit/s hub. It helped. The server started to work fine, but a
few days after that the problems appeared again.

It seems the network card in our server unpredictably switches from 100
to 10 Mbits and from half-duplex to full duplex. When we plugged the
server to uplink port in our switch, everything is working fine again...

Our Ethernet card - Intel Ether Express Pro 100/s

Can it be a flood or some kind of DOS-attack or is it just a hardware
problem? I tried another network card (also Ether Express 100), but it's
getting even worse - the server does not work at all.

What is the best way to solve such a problem finally?

Many thanks in advance...

-----------------------------------------------------
Vladimir I.
Kulakov http://www.kudesniki.ru/ VK9-RIPN kulakov@kudesniki.ru 2:5020/779.27@fidonet.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 22:26: 2 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id F164937B4CF for ; Thu, 23 Nov 2000 22:25:59 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAO6R5j41368; Thu, 23 Nov 2000 22:27:05 -0800 (PST) (envelope-from kris) Date: Thu, 23 Nov 2000 22:27:05 -0800 From: Kris Kennaway To: Trevor Johnson Cc: security@FreeBSD.ORG, toasty@dragondata.com Subject: Re: Joe's Own Editor File Link Vulnerability (fwd) Message-ID: <20001123222704.A41336@citusc17.usc.edu> References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="d6Gm4EdcadzBjdND" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from trevor@jpj.net on Thu, Nov 23, 2000 at 09:59:17PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --d6Gm4EdcadzBjdND Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Thu, Nov 23, 2000 at 09:59:17PM -0500, Trevor Johnson wrote: > I've gotten no response to the appended message. >=20 > I installed joe from the current ports collection, a few minutes ago, and > was able to confirm the bug. >=20 > The Linux people (Red Hat, Immunix, Mandrake, and Debian) have released > patched versions, but I haven't looked at their patches. >=20 > Would it be all right if I marked the port forbidden (mentioning > http://www.securityfocus.com/archive/1/145305), until the maintainer > becomes available? Yes. 
If you could also patch it it would be fine by me :-) Kris --d6Gm4EdcadzBjdND Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.4 (FreeBSD) Comment: For info see http://www.gnupg.org iEYEARECAAYFAjoeCjgACgkQWry0BWjoQKWrfgCgyDJfOFE9Nt3d0PwbWSsoa2k5 3MAAnj33PbRbvpr1Thooi63fxZaoha0a =9X9q -----END PGP SIGNATURE----- --d6Gm4EdcadzBjdND-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 23 22:31:22 2000 Delivered-To: freebsd-security@freebsd.org Received: from temphost.dragondata.com (temphost.dragondata.com [63.167.131.128]) by hub.freebsd.org (Postfix) with ESMTP id BC40E37B479 for ; Thu, 23 Nov 2000 22:31:19 -0800 (PST) Received: (from toasty@localhost) by temphost.dragondata.com (8.9.3/8.9.3) id AAA17422; Fri, 24 Nov 2000 00:34:36 -0600 (CST) (envelope-from toasty) From: Kevin Day Message-Id: <200011240634.AAA17422@temphost.dragondata.com> Subject: Re: Joe's Own Editor File Link Vulnerability (fwd) To: trevor@jpj.net (Trevor Johnson) Date: Fri, 24 Nov 2000 00:34:31 -0600 (CST) Cc: security@freebsd.org, toasty@dragondata.com In-Reply-To: from "Trevor Johnson" at Nov 23, 2000 09:59:17 PM X-Mailer: ELM [version 2.5 PL3] MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > > I've gotten no response to the appended message. > > I installed joe from the current ports collection, a few minutes ago, and > was able to confirm the bug. > > The Linux people (Red Hat, Immunix, Mandrake, and Debian) have released > patched versions, but I haven't looked at their patches. > > Would it be all right if I marked the port forbidden (mentioning > http://www.securityfocus.com/archive/1/145305), until the maintainer > becomes available? 
> --
> Trevor Johnson
> http://jpj.net/~trevor/gpgkey.txt

If you forwarded this to me before, it must have gotten lost during my many
server moves over the past couple of months, I apologize.

I'll send an e-mail to the author of Joe about this, but from my past
experiences with him, he's quite busy with other projects and may not have
time for a complete new version immediately.

I'll come up with a quick patch for now to include, that one of you can
verify for accuracy (if desired) to include in our local port patches.

Thanks,

Kevin

From owner-freebsd-security Thu Nov 23 22:42: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from grok.example.net (cr479972-a.rct1.bc.wave.home.com [24.113.37.168]) by hub.freebsd.org (Postfix) with ESMTP id CACFF37B4D7; Thu, 23 Nov 2000 22:42:06 -0800 (PST)
Received: by grok.example.net (Postfix, from userid 1000) id 1F7CD212E29; Thu, 23 Nov 2000 22:42:06 -0800 (PST)
Date: Thu, 23 Nov 2000 22:42:05 -0800
From: Steve Reid
To: "Vladimir I. Kulakov"
Cc: freebsd-isp@FreeBSD.ORG, security@FreeBSD.ORG
Subject: Re: DOS atack of hardware problem?
Message-ID: <20001123224205.A1105@grok>
References: <20001124062133.97CBE76F9@mtu.ru>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95.4i
In-Reply-To: <20001124062133.97CBE76F9@mtu.ru>; from Vladimir I. Kulakov on Fri, Nov 24, 2000 at 09:21:32AM +0300
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Fri, Nov 24, 2000 at 09:21:32AM +0300, Vladimir I. Kulakov wrote:
> It seems the network card in our server unpredictably switches from 100
> to 10 Mbits and from half-duplex to full duplex.

Try setting the speed and duplex manually.
Like this in rc.conf, but with your real IP and netmask of course:

ifconfig_fxp0="inet 192.168.1.2 netmask 255.255.255.0 \
        media 100baseTX mediaopt full-duplex"

I've seen problems with autonegotiate too. I wouldn't set up a production
box without setting this manually.

From owner-freebsd-security Fri Nov 24 0:15: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ns.gutatelecom.ru (ns.gutatelecom.ru [195.7.161.13]) by hub.freebsd.org (Postfix) with ESMTP id B8EC237B4CF for ; Fri, 24 Nov 2000 00:15:06 -0800 (PST)
Received: from hub.all.yans.ru (unknown [10.123.0.2]) by ns.gutatelecom.ru (Postfix) with ESMTP id B84006E702 for ; Fri, 24 Nov 2000 11:15:05 +0300 (MSK)
Received: by hub.all.yans.ru (Postfix, from userid 300) id B859A7F8C1; Fri, 24 Nov 2000 11:16:30 +0300 (MSK)
Date: Fri, 24 Nov 2000 11:16:30 +0300
From: Ekaterina Ivannikova
To: freebsd-security@freebsd.org
Subject: Re: How to isolate jails from the host system ?
Message-ID: <20001124111630.A2238@hub.all.yans.ru>
References: <20001123174231.A4498@hub.all.yans.ru> <20001123212757.W27042@speedy.gsinet>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20001123212757.W27042@speedy.gsinet>; from Gerhard.Sittig@gmx.net on Thu, Nov 23, 2000 at 09:27:57PM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Thu, Nov 23, 2000 at 09:27:57PM +0100, Gerhard Sittig wrote:
> On Thu, Nov 23, 2000 at 17:42 +0300, Ekaterina Ivannikova wrote:
> >
> > It appears that though processes in a jail are not allowed to
> > bind to the host system's ip address, they are still assigned
> > this ip address if they try to connect to daemons running on
> > the host system.
>
> That's hard to believe. :) At least it contradicts the jail(2)
> idea. Processes in jails can *only* bind to the IP assigned to
> the jail. Not even 127.0.0.1 is available.
>
> Although there was (is?) a bug with UDP packets mistakenly being
> sent _from_ the host's address under certain circumstances. But
> a fix is available, search for "jail" in the gnats database.
>

I tripped over this one. This is bug kern/20946, status closed, but it
seems that the relevant patch did not make it into the -STABLE source.
The patch may be found at
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/udp_usrreq.c.diff?r1=1.73&r2=1.74&f=u

Thanx for your help, now it works as expected.

Regards,
Ekaterina Ivannikova

From owner-freebsd-security Fri Nov 24 0:30:47 2000
Delivered-To: freebsd-security@freebsd.org
Received: from castle.dreaming.org (castle.dreaming.org [209.146.217.193]) by hub.freebsd.org (Postfix) with ESMTP id 7E06737B479; Fri, 24 Nov 2000 00:30:41 -0800 (PST)
Received: from cr592943a (cr592943-a.bloor1.on.wave.home.com [24.156.38.199]) by castle.dreaming.org (8.11.1/8.11.1) with SMTP id eAO8Tjd82928; Fri, 24 Nov 2000 03:29:45 -0500 (EST) (envelope-from mit@mitayai.net)
From: "Will Mitayai Keeso Rowe"
To: "Steve Reid" , "Vladimir I. Kulakov"
Cc: ,
Subject: RE: DOS atack of hardware problem?
Date: Fri, 24 Nov 2000 03:30:54 -0500
Message-ID:
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
In-Reply-To: <20001123224205.A1105@grok>
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

has this been known to happen with xl0/3Com 3C509TX?

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Steve Reid
Sent: Friday, November 24, 2000 1:42 AM
To: Vladimir I. Kulakov
Cc: freebsd-isp@FreeBSD.ORG; security@FreeBSD.ORG
Subject: Re: DOS atack of hardware problem?

On Fri, Nov 24, 2000 at 09:21:32AM +0300, Vladimir I. Kulakov wrote:
> It seems the network card in our server unpredictably switches from 100
> to 10 Mbits and from half-duplex to full duplex.

Try setting the speed and duplex manually. Like this in rc.conf, but
with your real IP and netmask of course:

ifconfig_fxp0="inet 192.168.1.2 netmask 255.255.255.0 \
        media 100baseTX mediaopt full-duplex"

I've seen problems with autonegotiate too. I wouldn't set up a production
box without setting this manually.

From owner-freebsd-security Fri Nov 24 2:57:49 2000
Delivered-To: freebsd-security@freebsd.org
Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id DCE7837B4CF for ; Fri, 24 Nov 2000 02:57:46 -0800 (PST)
Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id LAA48760; Fri, 24 Nov 2000 11:57:40 +0100 (CET) (envelope-from des@ofug.org)
X-URL: http://www.ofug.org/~des/
X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: Vlad
Cc: security@FreeBSD.ORG
Subject: Re: ipf - icmp
References:
From: Dag-Erling Smorgrav
Date: 24 Nov 2000 11:57:39 +0100
In-Reply-To: Vlad's message of "Thu, 23 Nov 2000 14:35:56 -0500 (EST)"
Message-ID:
Lines: 17
User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Vlad writes:
> pass in quick on sis0 proto icmp from any to any icmp-type 0
> pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
> pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
> pass in quick on sis0 proto icmp from any to any icmp-type timex
> pass out quick on sis0 proto icmp from any to any
>
> these entries will allow you to ping/traceroute anyone, will prohibit
> anyone from pinging/tracerouting you.

No. There is no way to completely prevent someone from tracerouting
you. You can make it slightly harder by blocking incoming UDP (which
your ruleset does not), but that's about it.
DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Nov 24 3:43:52 2000
Delivered-To: freebsd-security@freebsd.org
Received: from nevermind.kiev.ua (unknown [212.109.53.33]) by hub.freebsd.org (Postfix) with ESMTP id 1C47C37B479 for ; Fri, 24 Nov 2000 03:43:48 -0800 (PST)
Received: (from never@localhost) by nevermind.kiev.ua (8.11.1/8.11.1) id eAOBgKQ17355; Fri, 24 Nov 2000 13:42:21 +0200 (EET) (envelope-from never)
Date: Fri, 24 Nov 2000 13:42:19 +0200
From: Nevermind
To: Dag-Erling Smorgrav
Cc: Vlad , security@FreeBSD.ORG
Subject: Re: ipf - icmp
Message-ID: <20001124134218.A17181@nevermind.kiev.ua>
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: ; from des@ofug.org on Fri, Nov 24, 2000 at 11:57:39AM +0100
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello, Dag-Erling Smorgrav!

On Fri, Nov 24, 2000 at 11:57:39AM +0100, you wrote:

> Vlad writes:
> > pass in quick on sis0 proto icmp from any to any icmp-type 0
> > pass in quick on sis0 proto icmp from any to any icmp-type unreach code 3
> > pass in quick on sis0 proto icmp from any to any icmp-type unreach code 4
> > pass in quick on sis0 proto icmp from any to any icmp-type timex
> > pass out quick on sis0 proto icmp from any to any
> >
> > these entries will allow you to ping/traceroute anyone, will prohibit
> > anyone from pinging/tracerouting you.
> No. There is no way to completely prevent someone from tracerouting
> you. You can make it slightly harder by blocking incoming UDP (which
> your ruleset does not), but that's about it.

Why not to use ipfw?

ipfw add deny icmp from any to any via sis0

--
Alexandr P.
Kovalenko http://nevermind.kiev.ua/ NEVE-RIPE To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 3:52:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by hub.freebsd.org (Postfix) with ESMTP id 8071837B479 for ; Fri, 24 Nov 2000 03:52:32 -0800 (PST) Received: (from des@localhost) by flood.ping.uio.no (8.9.3/8.9.3) id MAA48969; Fri, 24 Nov 2000 12:52:15 +0100 (CET) (envelope-from des@ofug.org) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Nevermind Cc: Vlad , security@FreeBSD.ORG Subject: Re: ipf - icmp References: <20001124134218.A17181@nevermind.kiev.ua> From: Dag-Erling Smorgrav Date: 24 Nov 2000 12:52:14 +0100 In-Reply-To: Nevermind's message of "Fri, 24 Nov 2000 13:42:19 +0200" Message-ID: Lines: 14 User-Agent: Gnus/5.0802 (Gnus v5.8.2) Emacs/20.4 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Nevermind writes: > > No. There is no way to completely prevent someone from tracerouting > > you. You can make it slightly harder by blocking incoming UDP (which > > your ruleset does not), but that's about it. > Why not to use ipfw? > ipfw add deny icmp from any to any via sis0 This still won't prevent traceroutes. The only 100% foolproof way to prevent anyone from tracerouting your machine is to take it off the net. 
DES
-- 
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 24 5:15:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from mail.mclink.it (net128-053.mclink.it [195.110.128.53])
    by hub.freebsd.org (Postfix) with ESMTP id 1DF9437B479
    for ; Fri, 24 Nov 2000 05:15:37 -0800 (PST)
Received: from net147-007.mclink.it (net147-007.mclink.it [195.110.147.7])
    by mail.mclink.it (8.9.3/8.9.0) with ESMTP id OAA03218;
    Fri, 24 Nov 2000 14:15:27 +0100 (CET)
Date: Fri, 24 Nov 2000 14:08:47 +0100
From: Massimo Fubini
X-Mailer: The Bat! (v1.45)
Reply-To: Massimo Fubini
X-Priority: 3 (Normal)
Message-ID: <18813810961.20001124140847@aexis-telecom.it>
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re[2]: ipf - icmp
In-reply-To:
References: <20001124134218.A17181@nevermind.kiev.ua>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Dag-Erling and all the group,

Friday, November 24, 2000, 12:52:14 PM, you wrote:

DES> Nevermind writes:
>> > No. There is no way to completely prevent someone from tracerouting
>> > you. You can make it slightly harder by blocking incoming UDP (which
>> > your ruleset does not), but that's about it.

Traceroute is based on ttl expiration.... What you can do is block all packets with a small ttl, so you will never have a ttl == 0 in your internal network. If you have no more than 3 hops in your internal network, and you discard all packets with a ttl < 4, you will never have ttl expiration, and this will make it very hard for programs like traceroute or firewalk to map your internal network.

Something can be done to understand if a port is closed at the firewall or at the host... but it is another topic.
Best regards, Massimo PS It is my first post in *@freebsd.org, I'm a beginner with freebsd, and hope I will learn a lot from this lists. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 10:21:43 2000 Delivered-To: freebsd-security@freebsd.org Received: from gaia.nimnet.asn.au (nimbin.lnk.telstra.net [139.130.45.143]) by hub.freebsd.org (Postfix) with ESMTP id 0D7E937B479 for ; Fri, 24 Nov 2000 10:21:36 -0800 (PST) Received: from localhost (smithi@localhost) by gaia.nimnet.asn.au (8.8.8/8.8.8R1.2) with SMTP id FAA12254; Sat, 25 Nov 2000 05:20:50 +1100 (EST) (envelope-from smithi@nimnet.asn.au) Date: Sat, 25 Nov 2000 05:20:50 +1100 (EST) From: Ian Smith To: Al Kwan Cc: security@FreeBSD.ORG Subject: Re: INBOX Locked In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Thu, 23 Nov 2000, Al Kwan wrote: > Hello all, > > Figured it out after much frustration. Hopefully if anyone else gets this > problem you can learn from my errors.. > > Somehow my /tmp (/usr/tmp) directory permissions changed to: > > drwxr-xr-x - so groups and everyone didn't have write access to tmp > > Pine needs that to put the mailbox file in while it works on it and lets > you delete messages and so forth. > > Change permission on the /usr/tmp directory to allow write access and the > INBOX stops being "readonly". Sure, but .. > > /var/mail - permissions are rwx for owner/group/everyone .. are you sure your /var/mail is world writeable? If so, why? 
Ian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 12:15:35 2000 Delivered-To: freebsd-security@freebsd.org Received: from mail.gmx.net (pop.gmx.net [194.221.183.20]) by hub.freebsd.org (Postfix) with SMTP id D90AF37B479 for ; Fri, 24 Nov 2000 12:15:32 -0800 (PST) Received: (qmail 11623 invoked by uid 0); 24 Nov 2000 20:15:31 -0000 Received: from p3ee21675.dip.t-dialin.net (HELO speedy.gsinet) (62.226.22.117) by mail.gmx.net (mail03) with SMTP; 24 Nov 2000 20:15:31 -0000 Received: (from sittig@localhost) by speedy.gsinet (8.8.8/8.8.8) id RAA21698 for freebsd-security@freebsd.org; Fri, 24 Nov 2000 17:42:31 +0100 Date: Fri, 24 Nov 2000 17:42:31 +0100 From: Gerhard Sittig To: FreeBSD Security Subject: static ARP tables Message-ID: <20001124174231.Z27042@speedy.gsinet> Mail-Followup-To: FreeBSD Security Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0i Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org You might be interested in the conf/23063 PR with the "[PATCH] for static ARP tables in rc.network" synopsis (http://www.freebsd.org/cgi/query-pr.cgi?pr=23063). I understand that -security subscribers are the ones to use these things more probably than others. Please comment on the patch to improve it since it's far from perfect. Thank you for your attention! virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. 
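Massimo Fubini's TTL-floor suggestion in the "ipf - icmp" thread above, and Dag-Erling Smorgrav's point that traceroute cannot be fully prevented, can both be checked with a small simulation. This is an added example, not code from any poster; the topology, the router names and the assumption that the border applies its filter before it forwards are all constructed for illustration.

```python
"""Traceroute-style probing against a border filter that enforces a TTL floor.

Added illustration. The topology, router names and the rule that the border
applies its filter before it forwards are assumptions, not from the thread.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Path:
    external: Tuple[str, ...]  # routers between the prober and the border
    internal: Tuple[str, ...]  # forwarding devices, border firewall first
    host: str                  # final destination behind them


def probe(path: Path, initial_ttl: int, ttl_floor: int = 0) -> Optional[str]:
    """Return who answers a probe sent with initial_ttl, or None if nobody does.

    A forwarder that receives TTL <= 1 cannot forward the packet and answers
    with ICMP time exceeded, which is what reveals it to traceroute.
    """
    ttl = initial_ttl
    for router in path.external:
        if ttl <= 1:
            return router
        ttl -= 1
    # Border filter: silently drop anything that arrives below the floor.
    if ttl < ttl_floor:
        return None
    for router in path.internal:
        if ttl <= 1:
            return router
        ttl -= 1
    # Delivered: the host answers the probe itself (e.g. port unreachable).
    return path.host


def traceroute(path: Path, ttl_floor: int = 0, max_ttl: int = 30) -> List[Optional[str]]:
    """Responder seen for each initial TTL 1, 2, ... until the host answers."""
    hops: List[Optional[str]] = []
    for initial_ttl in range(1, max_ttl + 1):
        responder = probe(path, initial_ttl, ttl_floor)
        hops.append(responder)
        if responder == path.host:
            break
    return hops


def exposed_internal(path: Path, ttl_floor: int) -> List[str]:
    """Internal forwarders that still answer with time exceeded."""
    seen = set(traceroute(path, ttl_floor))
    return [router for router in path.internal if router in seen]


def minimum_safe_floor(path: Path) -> int:
    """Smallest floor for which no TTL can expire behind the filter."""
    return len(path.internal) + 1


# Constructed sample: two ISP routers, then a border firewall and two inside
# routers (three internal hops, as in the message), then the target host.
SAMPLE = Path(external=("isp-a", "isp-b"),
              internal=("border", "core", "access"),
              host="server")

if __name__ == "__main__":
    for floor in (0, 3, 4):
        hops = traceroute(SAMPLE, ttl_floor=floor)
        print(f"floor={floor}:", " ".join(h or "*" for h in hops))
    print("minimum safe floor:", minimum_safe_floor(SAMPLE))
```

With three internal hops a floor of 3 still lets the last router answer, while a floor of 4 silences all of them. The host itself still replies and the run of unanswered probes still shows how far away it is, and any legitimate packet that arrives with a TTL below the floor is dropped as well.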
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 13: 3:44 2000 Delivered-To: freebsd-security@freebsd.org Received: from hboss-bsd.powersurfr.com (hboss-bsd.powersurfr.com [24.108.165.216]) by hub.freebsd.org (Postfix) with ESMTP id 1139F37B4CF for ; Fri, 24 Nov 2000 13:03:42 -0800 (PST) Received: from localhost (akwan@localhost) by hboss-bsd.powersurfr.com (8.11.0/8.11.0) with ESMTP id eAOL4uT00252; Fri, 24 Nov 2000 14:04:57 -0700 (MST) (envelope-from akwan@hboss-bsd.powersurfr.com) Date: Fri, 24 Nov 2000 14:04:56 -0700 (MST) From: Al Kwan To: Ian Smith Cc: security@FreeBSD.ORG Subject: Re: INBOX Locked In-Reply-To: Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org /var/mail is readable by all. I figure they need read access to view the directory and their mailboxes within. Would their email still work if they didn't have read access to that dir? Al On Sat, 25 Nov 2000, Ian Smith wrote: > On Thu, 23 Nov 2000, Al Kwan wrote: > > > Hello all, > > > > Figured it out after much frustration. Hopefully if anyone else gets this > > problem you can learn from my errors.. > > > > Somehow my /tmp (/usr/tmp) directory permissions changed to: > > > > drwxr-xr-x - so groups and everyone didn't have write access to tmp > > > > Pine needs that to put the mailbox file in while it works on it and lets > > you delete messages and so forth. > > > > Change permission on the /usr/tmp directory to allow write access and the > > INBOX stops being "readonly". > > Sure, but .. > > > > /var/mail - permissions are rwx for owner/group/everyone > > .. are you sure your /var/mail is world writeable? If so, why? 
> > Ian > > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 14: 5: 7 2000 Delivered-To: freebsd-security@freebsd.org Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id 0341B37B4CF; Fri, 24 Nov 2000 14:05:03 -0800 (PST) Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAOM5xi61812; Fri, 24 Nov 2000 14:05:59 -0800 (PST) (envelope-from kris) Date: Fri, 24 Nov 2000 14:05:58 -0800 From: Kris Kennaway To: Otter Cc: Jorge Filipe Andrade , freebsd-stable@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Security Advisories at FreeBSD 4.2? Message-ID: <20001124140558.B59742@citusc17.usc.edu> References: <20001123132851.A36019@citusc17.usc.edu> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="cvVnyQ+4j833TQvp" Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: ; from otterr@telocity.com on Thu, Nov 23, 2000 at 09:57:58PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org --cvVnyQ+4j833TQvp Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Nov 23, 2000 at 09:57:58PM -0500, Otter wrote: > when/if they are announced, you can find them if you read: > ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/4.2-RELEASE/ERRATA.TXT Actually, we don't usually update the errata when security advisories are released. There are too many other things to do. I should remove the text from there and replace it with a pointer to the list on the website. 
Kris --cvVnyQ+4j833TQvp Content-Type: application/pgp-signature Content-Disposition: inline --cvVnyQ+4j833TQvp-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 14:10:34 2000 Delivered-To: freebsd-security@freebsd.org Received: from phalse.2600.com (phalse.2600.COM [216.66.24.2]) by hub.freebsd.org (Postfix) with ESMTP id 29F4D37B4C5 for ; Fri, 24 Nov 2000 14:10:30 -0800 (PST) Received: from localhost (localhost [[UNIX: localhost]]) by phalse.2600.com (8.8.8/8.8.8) with ESMTP id RAA25473 for ; Fri, 24 Nov 2000 17:10:28 -0500 (EST) Date: Fri, 24 Nov 2000 17:10:22 -0500 (EST) From: Dominick LaTrappe To: freebsd-security@freebsd.org Subject: Re: static ARP tables In-Reply-To: <20001124174231.Z27042@speedy.gsinet> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Fri, 24 Nov 2000 Gerhard Sittig wrote: > You might be interested in the conf/23063 PR with the > "[PATCH] for static ARP tables in rc.network" synopsis > (http://www.freebsd.org/cgi/query-pr.cgi?pr=23063). With software-set MAC addresses supported by a number of cards, this patch does not provide much security. (2)=Ethernet, (3)=IP. If Mallory wants to play ARP games on your local network, to get Alice(2) to talk with Mallory(2) when she really means to talk with Bob(2), Mallory's ultimate plan is still for Alice(3) to talk with Mallory(3). Using IPsec AH all over this network will prevent Mallory(3) from successfully sending IP packets with a source address other than Mallory(3)'s. (Specifically, the packet will be dropped by the recipient.)
If this isn't enough, using IPsec ESP all over this network will prevent Mallory(3) from understanding any IP packets not truly bound for Mallory(3). Now, all that Mallory(2) has done is caused a DoS. Unless you can hardcode per-port MAC addresses into your switch, with exactly one host interface connected to each port, using IPsec like this is a good idea IMHO. Of course, there are all kinds of devices, including the common SoHo router, that don't support any kind of IPsec. How to prevent Mallory from masquerading as these is another story. ||| Dominick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 15: 8:41 2000 Delivered-To: freebsd-security@freebsd.org Received: from bastuba.partitur.se (bastuba.partitur.se [212.209.169.194]) by hub.freebsd.org (Postfix) with ESMTP id 443A537B4CF for ; Fri, 24 Nov 2000 15:08:37 -0800 (PST) Received: from elbas.partitur.se (elbas.partitur.se [212.209.169.222]) by bastuba.partitur.se (8.9.3/8.9.3) with ESMTP id AAA09555; Sat, 25 Nov 2000 00:08:35 +0100 (CET) (envelope-from girgen@partitur.se) Received: from partitur.se (localhost.partitur.se [127.0.0.1]) by elbas.partitur.se (8.11.1/8.11.1) with ESMTP id eAON8ZN35520; Sat, 25 Nov 2000 00:08:35 +0100 (CET) (envelope-from girgen@partitur.se) Message-ID: <3A1EF4F3.1DBB456C@partitur.se> Date: Sat, 25 Nov 2000 00:08:35 +0100 From: Palle Girgensohn Organization: Partitur X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.2-RELEASE i386) X-Accept-Language: sv, en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: telnet, SRA & preventing remote login as root? Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi! I just realized a strange thing: Since 4.0, telnetd has SRA support. 
The SRA login dialog seems to bypass login(1) and I can't find a proper way to prevent root from being able to login remotely. Here's what happens:

$ telnet hostname
Trying 1.2.3.4...
Connected to hostname.domain
Escape character is '^]'.

FreeBSD/i386 (hostname.domain) (ttyp2)

login: root
Password:
Login incorrect
login:
Connection closed by foreign host.
$

fine, this is what I want... but:

$ telnet -l root hostname
Trying 1.2.3.4...
Connected to hostname.domain
Escape character is '^]'.
Trying SRA secure login:
User (root): root
Password:
[ SRA accepts you ]
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
...
(I'm logged in as root)

WTF! This is a standard 4.2-RELEASE system. Before 4.0, it wasn't possible to remotely log in as root (well, not any proper documented way...:) and I am a bit surprised that I suddenly can.

I tried stopping this with login.access, but it seems it is not used by the SRA login dialog.

I tried telnetd -X SRA (in inetd.conf), and this works (but crashes my 4.0-stable server just as PR 19606 says) but is still a workaround, since it removes the SRA altogether.

Also, I tried telnetd -a off, and this will create double login dialogs, the second being login(1):

$ telnet -l root hostname
Trying 1.2.3.4...
Connected to hostname.domain
Escape character is '^]'.
Trying SRA secure login:
User (root): root
Password:
[ SRA accepts you ]
Password:
Login incorrect
login: root
Password:
Login incorrect
login:
Connection closed by foreign host.
$

Is this intentional?
/Palle

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Fri Nov 24 15:32: 8 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177])
    by hub.freebsd.org (Postfix) with ESMTP id 0450837B4C5;
    Fri, 24 Nov 2000 15:32:04 -0800 (PST)
Received: (from kris@localhost)
    by citusc17.usc.edu (8.11.1/8.11.1) id eAONX7q71755;
    Fri, 24 Nov 2000 15:33:07 -0800 (PST) (envelope-from kris)
Date: Fri, 24 Nov 2000 15:33:07 -0800
From: Kris Kennaway
To: "Brian F. Feldman"
Cc: security@FreeBSD.org
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <20001124153307.A71713@citusc17.usc.edu>
References: <200011242328.eAONSJ560421@green.dyndns.org>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="9amGYk9869ThD9tj"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <200011242328.eAONSJ560421@green.dyndns.org>; from green@FreeBSD.org on Fri, Nov 24, 2000 at 06:28:19PM -0500
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--9amGYk9869ThD9tj
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

On Fri, Nov 24, 2000 at 06:28:19PM -0500, Brian F. Feldman wrote:

> What's new in this release? Mostly the adding of the AES (Rijndael) to the
> SSH2 algorithms. Is anything now broken? Well, nothing new broken that I

Doesn't that rely on AES support in OpenSSL?

> There's some weird issue where for the Diffie-Hellman exchange, OpenSSH
> wants primes but doesn't seem to want to generate them... it expects an
> /etc/ssh/primes (which should become /var/run/ssh_primes, if anything) and I
> have no clue where the program is that supposedly generates them. So, for
> SSH2, the authentication stage generates a large warning and uses a
> hardcoded prime.
This should not actually have an affect on security, > though, according to my understanding of the Diffie-Hellman protocol. They're static - OpenBSD just committed the file with some good primes generated from OpenSSL, presumably. Kris --9amGYk9869ThD9tj Content-Type: application/pgp-signature Content-Disposition: inline --9amGYk9869ThD9tj-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Fri Nov 24 18:31:50 2000 Delivered-To: freebsd-security@freebsd.org Received: from cfdnet.me.tuns.ca (CFDnet.me.TUNS.Ca [134.190.50.164]) by hub.freebsd.org (Postfix) with ESMTP id CB00537B479; Fri, 24 Nov 2000 18:31:43 -0800 (PST) Received: from localhost (freebsd@localhost) by cfdnet.me.tuns.ca (8.9.3/8.9.3) with ESMTP id WAA01002; Fri, 24 Nov 2000 22:27:34 -0400 (AST) (envelope-from freebsd@cfdnet.me.tuns.ca) Date: Fri, 24 Nov 2000 22:27:34 -0400 (AST) From: Theo Bell To: "Vladimir I. Kulakov" Cc: freebsd-isp@FreeBSD.ORG, security@FreeBSD.ORG Subject: Re: DOS atack of hardware problem? In-Reply-To: <20001124062133.97CBE76F9@mtu.ru> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi, I had this problem with a D-Link 530TX card using device vr0. I swapped cards a couple of times to no avail. Finally I changed the network cable and the problem went away. I can't say for sure that is the solution to your problem, but you never know... HTH Theo Bell On Fri, 24 Nov 2000, Vladimir I. Kulakov wrote: > Hello!
>
> Last week I noticed some strange messages in my log files:
> fxp0 : device timeout
>
> After that the ping became unstable, and sometimes the
> server was unreachable.
>
> Our we replugged the server from 100 Mbit/s 3com switch to
> ordinary 10 Mbit/s hub. It helped. The server started to work
> fine, but a few days after that the problems appeared again.
> It seems the network card in our server unpredictably
> switches from 100 to 10 Mbits and from half-duplex to full duplex.
> When we plugged the server to uplink port in our switch, everything
> is working fine again...
>
> Our Ethernet card - Intel Ether Express Pro 100/s
>
> Can it be a flood or some kind of DOS-attack or is it just a hardware
> problem? I tried another network card (also Ether Express 100),
> but it's getting even worse - the server does not work at all.
>
> What is the best way to solve such a problem finally?
>
> Many thanks in advance...
>
> -----------------------------------------------------
> Vladimir I. Kulakov http://www.kudesniki.ru/
> VK9-RIPN
> kulakov@kudesniki.ru
> 2:5020/779.27@fidonet.org
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Nov 25 2: 5:38 2000
Delivered-To: freebsd-security@freebsd.org
Received: from post.webmailer.de (natmail2.webmailer.de [192.67.198.65])
    by hub.freebsd.org (Postfix) with ESMTP id EE39C37B4C5;
    Sat, 25 Nov 2000 02:05:28 -0800 (PST)
Received: from localhost.localdom (p3E9E156A.dip.t-dialin.net [62.158.21.106])
    by post.webmailer.de (8.9.3/8.8.7) with ESMTP id LAA29145;
    Sat, 25 Nov 2000 11:05:29 +0100 (MET)
Received: from masterpc (master [192.168.0.1])
    by localhost.localdom (8.11.1/8.11.1) with ESMTP id eAPA5JG06563;
    Sat, 25 Nov 2000 11:05:19 +0100 (CET)
Date: Sat, 25 Nov 2000 11:05:04 -0800
From: Boris
X-Mailer: The Bat! (v1.46d) Personal
Reply-To: Boris
X-Priority: 3 (Normal)
Message-ID: <7885578635.20001125110504@x-itec.de>
To: Kris Kennaway
Cc: "Brian F. Feldman" , security@FreeBSD.ORG
Subject: Re[2]: OpenSSH 2.3.0 pre-upgrade
In-reply-To: <20001124153307.A71713@citusc17.usc.edu>
References: <200011242328.eAONSJ560421@green.dyndns.org> <20001124153307.A71713@citusc17.usc.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello Kris,

Friday, November 24, 2000, 3:33:07 PM, you wrote:

KK> They're static - OpenBSD just committed the file with some good primes
KK> generated from OpenSSL, presumably.

KK> Kris

How to recreate these numbers? I do not like static factors for encryption, they are always a security risk

-- 
Best regards,
Boris
mailto:koester@x-itec.de

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Nov 25 4:44:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from smtp23.singnet.com.sg (smtp23.singnet.com.sg [165.21.101.203])
    by hub.freebsd.org (Postfix) with ESMTP id 2889E37B4C5
    for ; Sat, 25 Nov 2000 04:44:37 -0800 (PST)
Received: from netserver01 (ad202.166.106.112.magix.com.sg [202.166.106.112])
    by smtp23.singnet.com.sg (8.9.3/8.9.3) with SMTP id UAA22340
    for ; Sat, 25 Nov 2000 20:44:35 +0800 (envelope-from spades@galaxynet.org)
Message-Id: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg>
X-Sender: spades@smtp.magix.com.sg
X-Mailer: Windows Eudora Pro Version 3.0 (32)
Date: Sat, 25 Nov 2000 20:45:08 +0800
To: freebsd-security@freebsd.org
From: Spades
Subject: Re: wuftp
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I run FreeBSD 4.1.1-release, is it vulnerable to the wuftp exploit?
I think someone tried to overflow my office server with mass anonymous login. Any idea or comments? ---------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 25 4:47:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from fw.wintelcom.net (ns1.wintelcom.net [209.1.153.20]) by hub.freebsd.org (Postfix) with ESMTP id E29A037B4CF for ; Sat, 25 Nov 2000 04:47:22 -0800 (PST) Received: (from bright@localhost) by fw.wintelcom.net (8.10.0/8.10.0) id eAPClJ320955; Sat, 25 Nov 2000 04:47:19 -0800 (PST) Date: Sat, 25 Nov 2000 04:47:19 -0800 From: Alfred Perlstein To: Spades Cc: freebsd-security@FreeBSD.ORG Subject: Re: wuftp Message-ID: <20001125044719.J8051@fw.wintelcom.net> References: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg>; from spades@galaxynet.org on Sat, Nov 25, 2000 at 08:45:08PM +0800 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org * Spades [001125 04:44] wrote: > I run FreeBSD 4.1.1-release, is it vulnerable to the wuftp exploit? > > I think someone tried to overflow my office server with mass anonymous > login. > > Any idea or comments? Upgrade to the lastest version of wu-ftpd. They probably tried some linux/solaris version of the script to exploit. -- -Alfred Perlstein - [bright@wintelcom.net|alfred@freebsd.org] "I have the heart of a child; I keep it in a jar on my desk." 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 25 4:50:24 2000 Delivered-To: freebsd-security@freebsd.org Received: from blues.jpj.net (blues.jpj.net [204.97.17.146]) by hub.freebsd.org (Postfix) with ESMTP id 4866A37B4CF for ; Sat, 25 Nov 2000 04:50:22 -0800 (PST) Received: from localhost (trevor@localhost) by blues.jpj.net (right/backatcha) with ESMTP id eAPCoJK23262; Sat, 25 Nov 2000 07:50:19 -0500 (EST) Date: Sat, 25 Nov 2000 07:50:18 -0500 (EST) From: Trevor Johnson To: Spades Cc: freebsd-security@FreeBSD.ORG Subject: Re: wuftp In-Reply-To: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > I run FreeBSD 4.1.1-release, is it vulnerable to the wuftp exploit? According to ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-00:29.wu-ftpd.asc.v1.1 that was fixed in June (before FreeBSD 4.1.1 was released). 
-- Trevor Johnson http://jpj.net/~trevor/gpgkey.txt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Nov 25 6:19:48 2000 Delivered-To: freebsd-security@freebsd.org Received: from beethoven.singa.pore.net (beethoven.singa.pore.net [202.156.1.28]) by hub.freebsd.org (Postfix) with ESMTP id 1A72737B479 for ; Sat, 25 Nov 2000 06:19:43 -0800 (PST) Received: from sleipnir (mcns46.docsis24.singa.pore.net [202.156.24.46]) by beethoven.singa.pore.net (8.9.3/8.9.3) with SMTP id WAA10415; Sat, 25 Nov 2000 22:20:26 +0800 (SST) Message-ID: <001501c056ea$c437c860$2e189cca@sleipnir> From: "James Lim" To: , "Spades" References: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg> Subject: Re: wuftp Date: Sat, 25 Nov 2000 22:19:46 +0800 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4522.1200 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org Hi there, I just don't understand. Why use wuftpd which is notorious? Try some other daemons like proftpd or ncftpd Regards, James Lim evilfry at sg.freebsd.org ----- Original Message ----- From: "Spades" To: Sent: Saturday, November 25, 2000 8:45 PM Subject: Re: wuftp > I run FreeBSD 4.1.1-release, is it vulnerable to the wuftp exploit? > > I think someone tried to overflow my office server with mass anonymous > login. > > Any idea or comments? 
> ----------
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Nov 25 7:13:17 2000
Delivered-To: freebsd-security@freebsd.org
Received: from postman.orangenetwork.net (ns.orangenetwork.net [211.123.49.50])
    by hub.freebsd.org (Postfix) with SMTP id E765E37B4C5
    for ; Sat, 25 Nov 2000 07:13:09 -0800 (PST)
Received: (qmail 75833 invoked from network); 26 Nov 2000 00:13:00 +0900
Received: from stanley.orangenetwork.net (HELO stanley) (211.123.49.54)
    by ns.orangenetwork.net with SMTP; 26 Nov 2000 00:13:00 +0900
Date: Sun, 26 Nov 2000 00:12:00 +0900
From: Melon
To: freebsd-security@freebsd.org
Subject: Re[2]: wuftp
In-Reply-To: <001501c056ea$c437c860$2e189cca@sleipnir>
References: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg> <001501c056ea$c437c860$2e189cca@sleipnir>
Message-Id: <3A1FD6C030C.864DMELON@postman.orangenetwork.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.26.05
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hello,

I'm trying to use ProFTPD 1.2.0 rc2 instead of wu-ftpd 2.6.1

After installing ProFTPD, I found
No modules loaded for `ftp' service
error messages each time user successfully logged in.

How come this message appear? Any suggestions will be appreciated.
Melon

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Nov 25 7:17:56 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pro.lookanswer.com (pro.lookanswer.com [195.66.202.99])
    by hub.freebsd.org (Postfix) with SMTP id ECBBA37B479
    for ; Sat, 25 Nov 2000 07:17:44 -0800 (PST)
Received: (qmail 66561 invoked by uid 1001); 25 Nov 2000 15:17:37 -0000
From: Alex Koshterek
Reply-To: havoc@lookanswer.com
To: Melon
Subject: Re: Re[2]: wuftp
Date: Sat, 25 Nov 2000 17:15:58 +0200
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain; charset="US-ASCII"
References: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg> <001501c056ea$c437c860$2e189cca@sleipnir> <3A1FD6C030C.864DMELON@postman.orangenetwork.net>
In-Reply-To: <3A1FD6C030C.864DMELON@postman.orangenetwork.net>
Cc: freebsd-security@FreeBSD.ORG
MIME-Version: 1.0
Message-Id: <00112517173700.50981@pro.lookanswer.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 25 Nov 2000, Melon wrote:
> Hello,
>
> I'm trying to use ProFTPD 1.2.0 rc2 instead of wu-ftpd 2.6.1
>
> After installing ProFTPD, I found
> No modules loaded for `ftp' service
> error messages each time user successfully logged in.
>

This is a PAM. I got same messages.
I think, you can remove lines about ftpd from /etc/pam.conf

Alex

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Nov 25 7:28:36 2000
Delivered-To: freebsd-security@freebsd.org
Received: from postman.orangenetwork.net (ns.orangenetwork.net [211.123.49.50])
    by hub.freebsd.org (Postfix) with SMTP id 63A6D37B479
    for ; Sat, 25 Nov 2000 07:28:29 -0800 (PST)
Received: (qmail 76141 invoked from network); 26 Nov 2000 00:28:23 +0900
Received: from stanley.orangenetwork.net (HELO stanley) (211.123.49.54)
    by ns.orangenetwork.net with SMTP; 26 Nov 2000 00:28:23 +0900
Date: Sun, 26 Nov 2000 00:27:22 +0900
From: Melon
To: havoc@lookanswer.com, freebsd-security@freebsd.org
Subject: Re[4]: wuftp
In-Reply-To: <00112517173700.50981@pro.lookanswer.com>
References: <3A1FD6C030C.864DMELON@postman.orangenetwork.net> <00112517173700.50981@pro.lookanswer.com>
Message-Id: <3A1FDA5A2F8.864EMELON@postman.orangenetwork.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Mailer: Becky! ver 1.26.05
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I think so.
But when I tried to build without PAM support, I failed.

Anyhow, is this message harmful for security or function?

Melon

On Sat, 25 Nov 2000 17:15:58 +0200 Alex Koshterek wrote:

> > Hello,
> >
> > I'm trying to use ProFTPD 1.2.0 rc2 instead of wu-ftpd 2.6.1
> >
> > After installing ProFTPD, I found
> > No modules loaded for `ftp' service
> > error messages each time user successfully logged in.
> >
> This is a PAM. I got same messages.
> I think, you can remove lines about ftpd from /etc/pam.conf
>
> Alex
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Nov 25 7:39:48 2000
Delivered-To: freebsd-security@freebsd.org
Received: from pro.lookanswer.com (pro.lookanswer.com [195.66.202.99])
    by hub.freebsd.org (Postfix) with SMTP id C92EE37B4CF
    for ; Sat, 25 Nov 2000 07:39:43 -0800 (PST)
Received: (qmail 83973 invoked by uid 1001); 25 Nov 2000 15:39:36 -0000
From: Alex Koshterek
Reply-To: havoc@lookanswer.com
To: Melon , freebsd-security@FreeBSD.ORG
Subject: Re: Re[4]: wuftp
Date: Sat, 25 Nov 2000 17:38:44 +0200
X-Mailer: KMail [version 1.0.28]
Content-Type: text/plain; charset="US-ASCII"
References: <3A1FD6C030C.864DMELON@postman.orangenetwork.net> <00112517173700.50981@pro.lookanswer.com> <3A1FDA5A2F8.864EMELON@postman.orangenetwork.net>
In-Reply-To: <3A1FDA5A2F8.864EMELON@postman.orangenetwork.net>
MIME-Version: 1.0
Message-Id: <00112517393602.50981@pro.lookanswer.com>
Content-Transfer-Encoding: 8bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Sat, 25 Nov 2000, Melon wrote:
> I think so.
> But when I tried to build without PAM support, I failed.
>
> Anyhow, is this message harmful for security or function?
>
> Melon

You can simply ignore this message

From owner-freebsd-security Sat Nov 25 9: 2:43 2000
Delivered-To: freebsd-security@freebsd.org
Received: from obelix.rby.hk-r.se (obelix-b.rby.hk-r.se [194.47.132.4]) by hub.freebsd.org (Postfix) with ESMTP id 6E50437B479 for ; Sat, 25 Nov 2000 09:02:38 -0800 (PST)
Received: from orc.rby.hk-r.se (orc [194.47.134.179]) by obelix.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id eAPH2aK06919 for ; Sat, 25 Nov 2000 18:02:36 +0100 (MET)
Received: from localhost (t98pth@localhost) by orc.rby.hk-r.se (8.10.2/8.10.2) with ESMTP id eAPH2ZS10001 for ; Sat, 25 Nov 2000 18:02:35 +0100 (MET)
Date: Sat, 25 Nov 2000 18:02:35 +0100 (MET)
From: =?ISO-8859-1?Q?P=E4r_Thoren?=
To: freebsd-security@freebsd.org
Subject: secure tunnel
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: QUOTED-PRINTABLE
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Can I forward port 80 on a natd server so that every connection that is made by local machines (nat clients) to port 80 on the natdserver (on the internal interface) will go to another server?

Can this be done with ssh tunneling so that the connection between the natdserver and the other www server will be secure?
/Pär

From owner-freebsd-security Sat Nov 25 11:44:25 2000
Delivered-To: freebsd-security@freebsd.org
Received: from ocis.ocis.net (ocis.ocis.net [209.52.173.1]) by hub.freebsd.org (Postfix) with ESMTP id 80D0A37B479 for ; Sat, 25 Nov 2000 11:44:23 -0800 (PST)
Received: from localhost (vdrifter@localhost) by ocis.ocis.net (8.9.3/8.9.3) with ESMTP id LAA30966 for ; Sat, 25 Nov 2000 11:44:22 -0800
Date: Sat, 25 Nov 2000 11:44:22 -0800 (PST)
From: John F Cuzzola
To: security@freebsd.org
Subject: jail
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi all,
I'm trying to configure a jail on my 4.2 system. Following the instructions on "man jail" ...

cd /usr/src
make hierarchy DESTDIR=/path/to/jail

I get the message "I dont know how to make hierarchy". I've installed the full sources (I believe). Can someone please fill me in.
Thanks

From owner-freebsd-security Sat Nov 25 13:11: 9 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id D610437B4C5; Sat, 25 Nov 2000 13:11:07 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAPLC5M04775; Sat, 25 Nov 2000 13:12:05 -0800 (PST) (envelope-from kris)
Date: Sat, 25 Nov 2000 13:12:05 -0800
From: Kris Kennaway
To: Boris
Cc: "Brian F.
 Feldman" , security@FreeBSD.ORG
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <20001125131205.A4706@citusc17.usc.edu>
References: <200011242328.eAONSJ560421@green.dyndns.org> <20001124153307.A71713@citusc17.usc.edu> <7885578635.20001125110504@x-itec.de>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="NzB8fVQJ5HfG6fxh"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <7885578635.20001125110504@x-itec.de>; from koester@x-itec.de on Sat, Nov 25, 2000 at 11:05:04AM -0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--NzB8fVQJ5HfG6fxh
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sat, Nov 25, 2000 at 11:05:04AM -0800, Boris wrote:

> How to recreate these numbers? I do not like static factors for
> encryption, they are always a security risk

Read about Diffie-Hellman. It is not a security risk.

Kris

--NzB8fVQJ5HfG6fxh
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjogKyUACgkQWry0BWjoQKUwgQCePUuaI2HQNfotb/VrAMygq0LA
rDMAniMMOFOb2k66/EuXUX818bjvtD6A
=mVm8
-----END PGP SIGNATURE-----

--NzB8fVQJ5HfG6fxh--

From owner-freebsd-security Sat Nov 25 13:14:54 2000
Delivered-To: freebsd-security@freebsd.org
Received: from citusc17.usc.edu (citusc17.usc.edu [128.125.38.177]) by hub.freebsd.org (Postfix) with ESMTP id F3BA937B479 for ; Sat, 25 Nov 2000 13:14:52 -0800 (PST)
Received: (from kris@localhost) by citusc17.usc.edu (8.11.1/8.11.1) id eAPLFk004887; Sat, 25 Nov 2000 13:15:46 -0800 (PST) (envelope-from kris)
Date: Sat, 25 Nov 2000 13:15:46 -0800
From: Kris Kennaway
To: Spades
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: wuftp
Message-ID: <20001125131546.A4850@citusc17.usc.edu>
References: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-md5; protocol="application/pgp-signature"; boundary="tThc/1wpZn/ma/RB"
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
In-Reply-To: <3.0.32.20001125204508.01752dd0@smtp.magix.com.sg>; from spades@galaxynet.org on Sat, Nov 25, 2000 at 08:45:08PM +0800
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

--tThc/1wpZn/ma/RB
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

On Sat, Nov 25, 2000 at 08:45:08PM +0800, Spades wrote:

> I run FreeBSD 4.1.1-release, is it vulnerable to the wuftp exploit?

wu-ftpd isn't part of any version of FreeBSD. Which version of *wu-ftpd* are you running?

Kris

--tThc/1wpZn/ma/RB
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iEYEARECAAYFAjogLAIACgkQWry0BWjoQKW2SQCfY/R+7eXwc/3pp07p2dt7KrnK
KrEAnR2XgM4EMUv+HMFVgGIPrNSetIgl
=CF98
-----END PGP SIGNATURE-----

--tThc/1wpZn/ma/RB--

From owner-freebsd-security Sat Nov 25 14:13: 2 2000
Delivered-To: freebsd-security@freebsd.org
Received: from faith.cs.utah.edu (faith.cs.utah.edu [155.99.198.108]) by hub.freebsd.org (Postfix) with ESMTP id 0784A37B4C5 for ; Sat, 25 Nov 2000 14:13:00 -0800 (PST)
Received: (from danderse@localhost) by faith.cs.utah.edu (8.9.3/8.9.3) id PAA26585; Sat, 25 Nov 2000 15:12:56 -0700 (MST)
Message-Id: <200011252212.PAA26585@faith.cs.utah.edu>
Subject: Re: static ARP tables
To: Gerhard.Sittig@gmx.net
Date: Sat, 25 Nov 2000 15:12:56 -0700 (MST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: from "Dominick LaTrappe" at Nov 24, 2000 05:10:22 PM
From: "David G.
 Andersen"
X-Mailer: ELM [version 2.5 PL2]
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Lo and behold, Dominick LaTrappe once said:
>
> On Fri, 24 Nov 2000 Gerhard Sittig wrote:
> > You might be interested in the conf/23063 PR with the
> > "[PATCH] for static ARP tables in rc.network" synopsis
> > (http://www.freebsd.org/cgi/query-pr.cgi?pr=23063).
>
> With software-set MAC addresses supported by a number of cards, this patch
> does not provide much security.

When used in conjunction with switch-enforced MAC security, it's actually quite useful. You yourself state this; I have a need for exactly this kind of functionality for Utah's network testbed, actually.

You have a point, of course; this shouldn't be plugged as "the perfect solution for ip-based authentication," because it does have many holes of which a user must be aware, but it's a very nice thing to have around, and I'd love to see it controllable via rc.conf.

One thing that would be nice from my perspective would be the ability to specify an external file that contains the static ARP entries, e.g.

static_arp_table="/etc/arpfile"

(The same kind of functionality currently provided by rc.firewall).

Thanks, Gerhard!
-Dave

--
work: dga@lcs.mit.edu    me: dga@pobox.com
MIT Laboratory for Computer Science    http://www.angio.net/

From owner-freebsd-security Sat Nov 25 14:59:39 2000
Delivered-To: freebsd-security@freebsd.org
Received: from beethoven.singa.pore.net (beethoven.singa.pore.net [202.156.1.28]) by hub.freebsd.org (Postfix) with ESMTP id C8CBA37B4CF for ; Sat, 25 Nov 2000 14:59:33 -0800 (PST)
Received: from sleipnir (mcns46.docsis24.singa.pore.net [202.156.24.46]) by beethoven.singa.pore.net (8.9.3/8.9.3) with SMTP id GAA20947; Sun, 26 Nov 2000 06:59:18 +0800 (SST)
Message-ID: <001301c05733$423b3920$2e189cca@sleipnir>
From: "James Lim"
To: "Melon" , ,
References: <3A1FD6C030C.864DMELON@postman.orangenetwork.net> <00112517173700.50981@pro.lookanswer.com> <3A1FDA5A2F8.864EMELON@postman.orangenetwork.net>
Subject: Re: Re[4]: wuftp
Date: Sun, 26 Nov 2000 06:58:41 +0800
MIME-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 5.50.4522.1200
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Hi there,

Make sure you have AuthPAM off in the proftpd.conf :)

Hope this helps,

Regards,
James Lim

----- Original Message -----
From: "Melon"
To: ;
Sent: Saturday, November 25, 2000 11:27 PM
Subject: Re[4]: wuftp

> I think so.
> But when I tried to build without PAM support, I failed.
>
> Anyhow, is this message harmful for security or function?
>
> Melon
>
>
> On Sat, 25 Nov 2000 17:15:58 +0200
> Alex Koshterek wrote:
>
> > > Hello,
> > >
> > > I'm trying to use ProFTPD 1.2.0 rc2 instead of wu-ftpd 2.6.1
> > >
> > > After installing ProFTPD, I found
> > > No modules loaded for `ftp' service
> > > error messages each time a user successfully logged in.
> > >
> > This is PAM.
> > I got the same messages.
> > I think you can remove lines about ftpd from /etc/pam.conf
> >
> > Alex