From owner-freebsd-security Sun Nov 10 12:25:10 2002
Date: Sun, 10 Nov 2002 15:24:49 -0500
From: The Anarcat
To: Joshua Goodall
Cc: jdp@freebsd.org, security@freebsd.org
Subject: Re: Security issue in net/cvsup-mirror port
Message-ID: <20021110202449.GA296@lenny.anarcat.ath.cx>

You are perfectly right although I don't understand why you feel you
shouldn't file a PR for this.

Also, I suggest the following patch instead:

--- cvsupd.sh.orig Sun Nov 10 15:19:22 2002 +++ cvsupd.sh Sun Nov 10 15:23:08 2002 
@@ -5,7 +5,7 @@ exit 1 fi base=3D${PREFIX}/etc/cvsup -rundir=3D/var/tmp +rundir=3D`mktemp -d /var/tmp/cvsupd.XXXXXX` out=3D${rundir}/cvsupd.out =20 export PATH=3D/bin:/usr/bin:${PREFIX}/sbin

A.

On Sun Nov 10, 2002 at 10:11:51AM +1100, Joshua Goodall wrote:
> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption. If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?
>
> Regards,
> Joshua.
>
> --
> Joshua Goodall
> joshua@roughtrade.net "Your byte hit ratio is weak, old man"
> "If you cache me now, I will dump more core than you can possibly imagine"
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message

--
From the age of uniformity, from the age of solitude, from the age of
Big Brother, from the age of doublethink - greetings!
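
Review bot: the new `rundir` assignment never checks that `mktemp -d` succeeded; if it fails, `rundir` is empty and the following line sets `out` to `/cvsupd.out`. Stop the script when the command substitution fails, for example by appending `|| exit 1` to the assignment. The change also creates a new `/var/tmp/cvsupd.XXXXXX` directory on every run, so the output file moves each time and nothing in the hunk removes the earlier directories; a fixed path in a directory other users cannot write to, such as the `/var/log/cvsupd.out` proposed in the original report, would avoid both.
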

From owner-freebsd-security Mon Nov 11 3:15: 2 2002
Date: Mon, 11 Nov 2002 11:14:25 +0000 (GMT)
From: Jan Grant
To: Joshua Goodall
Cc: jdp@freebsd.org, security
Subject: Re: Security issue in net/cvsup-mirror port

On Sun, 10 Nov 2002, Joshua Goodall wrote:

> Hi,
>
> Better not to file a PR for this, I feel.
>
> I was just passing by net/cvsup-mirror/files/cvsupd.sh when I noticed that
> it appends to the fixed-name file /var/tmp/cvsupd.out
>
> Therefore if I were a malicious user, I could make a symlink of that
> name in /var/tmp to effect arbitrary file corruption. If
> I was really clever, I might point it at /root/.ssh/authorized_keys and
> use secondary means to get cvsupd's output to include my public key.
>
> Consider changing it to /var/log/cvsupd.out ?

Yep. Also, consider mounting /var/tmp with nosymfollow.

--
jan grant, ILRT, University of Bristol. http://www.ilrt.bris.ac.uk/
Tel +44(0)117 9287088 Fax +44 (0)117 9287112 http://ioctl.org/jan/
Hang on, wasn't he holding a wooden parrot? No! It was a porcelain owl.
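
The fixed-name log file problem reported in this thread, reproduced in a throwaway sandbox next to a hardened variant. This is an added example, not code from the cvsup-mirror port or from any poster; the function names (naive_append, make_rundir, hardened_append, run_demo) and the sandbox paths are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Everything runs inside a throwaway
# sandbox directory; the real /var/tmp is never touched.

# The pattern from the report: append to a fixed name in a shared directory.
# ">>" follows symlinks, so whoever creates the name first picks the target.
naive_append() {                # naive_append SHARED_DIR MESSAGE
    echo "$2" >> "$1/cvsupd.out"
}

# Hardened variant, step 1: a fresh directory only the caller can enter
# (mktemp -d creates it with mode 0700). The failure case is handled so an
# empty result can never turn the log path into "/cvsupd.out".
make_rundir() {                 # make_rundir BASE_DIR -> prints new directory
    d=$(mktemp -d "$1/cvsupd.XXXXXX") || return 1
    [ -d "$d" ] && [ ! -L "$d" ] || return 1
    printf '%s\n' "$d"
}

# Hardened variant, step 2: append inside the private directory.
# The -L test alone would be racy in a directory other users can write to;
# here it is only a backstop, because the directory is private.
hardened_append() {             # hardened_append RUNDIR MESSAGE
    out="$1/cvsupd.out"
    if [ -L "$out" ] || { [ -e "$out" ] && [ ! -f "$out" ]; }; then
        echo "refusing to write to $out: not a regular file" >&2
        return 1
    fi
    echo "$2" >> "$out"
}

# Constructed scenario: "shared" stands in for /var/tmp, "protected.txt" for
# a file the service account is allowed to write.
run_demo() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/symlink-demo.XXXXXX") || return 1
    shared="$sandbox/shared"
    protected="$sandbox/protected.txt"
    mkdir "$shared"
    echo "original" > "$protected"
    ln -s "$protected" "$shared/cvsupd.out"   # name already taken by a link

    naive_append "$shared" "log line"
    if [ "$(cat "$protected")" = "original" ]; then
        naive=intact
    else
        naive=corrupted
    fi

    echo "original" > "$protected"            # reset for the second run
    rundir=$(make_rundir "$shared") || return 1
    hardened_append "$rundir" "log line" || return 1
    if [ "$(cat "$protected")" = "original" ]; then
        hardened=intact
    else
        hardened=corrupted
    fi
    logged=$(cat "$rundir/cvsupd.out")

    rm -rf "$sandbox"
    echo "naive=$naive hardened=$hardened logged=$logged"
}

run_demo
```
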

From owner-freebsd-security Mon Nov 11 20:21:24 2002
From: "Duncan Patton a Campbell is Dhu"
To: security
Subject: tcpdump question
Date: Mon, 11 Nov 2002 22:21:09 -0600
Message-Id: <20021112042109.M47365@babayaga.neotext.ca>

I execute tcpdump as follows:

wta# tcpdump
tcpdump: listening on rl0
20:15:38.334292 wta.indx.ca > babayaga.neotext.ca:
ESP(spi=0x000012f5,seq=0x5aa5) (DF) [tos 0x10]
^C
20:15:38.348979
583 packets received by filter
0 packets dropped by kernel

And I see one (1) packet. The kernel counts 583, here (more depending
on how long I wait).

So, ummh, where are all the other packets?

Thanks,

Dhu

From owner-freebsd-security Mon Nov 11 20:43:34 2002
Date: Mon, 11 Nov 2002 23:43:42 -0500
From: Zak Johnson
To: security
Subject: Re: tcpdump question
Message-ID: <20021112044342.GA41297@opiate.nox.cx>

On Mon, Nov 11, 2002 at 10:21:09PM -0600, Duncan Patton a Campbell is Dhu wrote:
> wta# tcpdump
> tcpdump: listening on rl0
> 20:15:38.334292 wta.indx.ca > babayaga.neotext.ca:
> ESP(spi=0x000012f5,seq=0x5aa5) (DF) [tos 0x10]
> ^C
> 20:15:38.348979
> 583 packets received by filter
> 0 packets dropped by kernel
>
> So, ummh, where are all the other packets?

Most likely awaiting name resolution. Try using tcpdump's -n switch.

-Zak

From owner-freebsd-security Mon Nov 11 21:18:18 2002
Date: Mon, 11 Nov 2002 21:17:55 -0800
From: Erick Mechler
To: Duncan Patton a Campbell is Dhu
Cc: security
Subject: Re: tcpdump question
Message-ID: <20021112051755.GS96637@techometer.net>

:: I execute tcpdump as follows:
::
:: wta# tcpdump
:: tcpdump: listening on rl0
:: 20:15:38.334292 wta.indx.ca > babayaga.neotext.ca:
:: ESP(spi=0x000012f5,seq=0x5aa5) (DF) [tos 0x10]
:: ^C
:: 20:15:38.348979
:: 583 packets received by filter
:: 0 packets dropped by kernel
:: So, ummh, where are all the other packets?

Try running tcpdump with the -l ('el') flag and piping to `tee` as
documented in the manpage. The -n flag will also speed up tcpdump's work.
You should get what you expect using those two flags together.

Cheers - Erick

From owner-freebsd-security Tue Nov 12 1:24:59 2002
Date: Tue, 12 Nov 2002 02:24:59 -0700 (MST)
Message-Id: <200211120924.gAC9OxTE020683@localhost.neotext.ca>
From: "Duncan Patton a Campbell is Dhu"
To: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: 4.7 Problems with gcc

This weekend I installed a 4.7-RELEASE system and have been plagued
with problems on the box. I first noticed when I had to re-run "make"
five or six times to get a mysql instance built. Same problem with
apache2. Re-installing the machine proved no solution. So then I did
a cvsup/buildworld, and ... same thing.

Anyone else running into this? If not, I have some f$%'d hardware.

RSVP and Thanks,

Dhu

...
cc -O -pipe -DINFODIR=\"/usr/share/info:/usr/local/info:/usr/X11R6/info:.\" -DHAVE_CONFIG_H -DLOCALEDIR=\"/usr/share/locale\" -I/usr/src/gnu/usr.bin/texinfo/info/../../../../contrib/texinfo -I/usr/src/gnu/usr.bin/texinfo/info/../../../../contrib/texinfo/lib -D__FBSDID=__RCSID -static -o info dir.o display.o doc.o dribble.o echo-area.o filesys.o footnotes.o gc.o indices.o info-utils.o info.o infodoc.o infomap.o m-x.o man.o nodemenu.o nodes.o search.o session.o signals.o terminal.o tilde.o variables.o window.o -ltermcap /usr/obj/usr/src/i386/usr/src/gnu/usr.bin/texinfo/info/../libtxi/libtxi.a
===> gnu/usr.bin/texinfo/infokey
cc -O -pipe -DHAVE_CONFIG_H -DLOCALEDIR=\"/usr/share/locale\" -I/usr/src/gnu/usr.bin/texinfo/infokey/../../../../contrib/texinfo -I/usr/src/gnu/usr.bin/texinfo/infokey/../../../../contrib/texinfo/lib -D__FBSDID=__RCSID -c /usr/src/gnu/usr.bin/texinfo/infokey/../../../../contrib/texinfo/info/infokey.c
cc: Internal compiler error: program cc1 got fatal signal 11
*** Error code 1
Stop in /usr/src/gnu/usr.bin/texinfo/infokey.
*** Error code 1
Stop in /usr/src/gnu/usr.bin/texinfo.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.
*** Error code 1
Stop in /usr/src.

Duncan Patton a Campbell is Duihb

From owner-freebsd-security Tue Nov 12 2:25:35 2002
Message-ID: <3DD0D70D.7080904@mail.ru>
Date: Tue, 12 Nov 2002 13:25:17 +0300
From: dima <_pppp@mail.ru>
To: Duncan Patton a Campbell is Dhu
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re:

> Anyone else running into this? If not, I have some f$%'d
> hardware.
>
> ===> gnu/usr.bin/texinfo/infokey
> cc -O -pipe -DHAVE_CONFIG_H
> -DLOCALEDIR=\"/usr/share/locale\"
> -I/usr/src/gnu/usr.bin/texinfo/infokey/../../../../contrib/texinfo
> -I/usr/src/gnu/usr.bin/texinfo/infokey/../../../../contrib/texinfo/lib
> -D__FBSDID=__RCSID -c
> /usr/src/gnu/usr.bin/texinfo/infokey/../../../../contrib/texinfo/info/infokey.c
> cc: Internal compiler error: program cc1 got fatal signal 11
> *** Error code 1

it was a well known hardware stress-test several years ago;
i mean running gcc on large chunks of code.
signal 11 points @ hardware probs, usually the RAM ones.

From owner-freebsd-security Tue Nov 12 9:28:35 2002
Date: Tue, 12 Nov 2002 09:28:20 -0800
From: Erick Mechler
To: security@freebsd.org
Subject: [Fwd: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]
Message-ID: <20021112172820.GV96637@techometer.net>

The following was just posted to bugtraq.

Cheers - Erick

----- Forwarded message from Dave Ahmad -----

Date: Tue, 12 Nov 2002 10:05:42 -0700 (MST)
From: Dave Ahmad
To: bugtraq@securityfocus.com
Subject: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)

David Mirza Ahmad
Symantec

0x26005712
8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12

---------- Forwarded message ----------
Message-Id: <200211121653.gACGr7N00575@ra.iss.net>
To: alert@iss.net
From: X-Force
Subject: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8
Date: Tue, 12 Nov 2002 11:53:07 -0500 (EST)

Internet Security Systems Security Brief
November 12, 2002

Multiple Remote Vulnerabilities in BIND4 and BIND8

Synopsis:

ISS X-Force has discovered several serious vulnerabilities in the Berkeley
Internet Name Domain Server (BIND). BIND is the most common implementation of
the DNS (Domain Name Service) protocol, which is used on the vast majority of
DNS servers on the Internet. DNS is a vital Internet protocol that maintains
a database of easy-to-remember domain names (host names) and their
corresponding numerical IP addresses.

Impact:

The vulnerabilities described in this advisory affect nearly all currently
deployed recursive DNS servers on the Internet. The DNS network is considered
a critical component of Internet infrastructure. There is no information
implying that these exploits are known to the computer underground, and there
are no reports of active attacks. If exploits for these vulnerabilities are
developed and made public, they may lead to compromise and DoS attacks against
vulnerable DNS servers. Since the vulnerability is widespread, an Internet
worm may be developed to propagate by exploiting the flaws in BIND. Widespread
attacks against the DNS system may lead to general instability and inaccuracy
of DNS data.

Affected Versions:

BIND SIG Cached RR Overflow Vulnerability

    BIND 8, versions up to and including 8.3.3-REL
    BIND 4, versions up to and including 4.9.10-REL

BIND OPT DoS

    BIND 8, versions 8.3.0 up to and including 8.3.3-REL

BIND SIG Expiry Time DoS

    BIND 8, versions up to and including 8.3.3-REL

For the complete ISS X-Force Security Advisory, please visit:
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469

______

About Internet Security Systems (ISS) Founded in 1994, Internet Security
Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software
and services that protect critical online resources from an ever-changing
spectrum of threats and misuse. Internet Security Systems is
headquartered in Atlanta, GA, with additional operations throughout the
Americas, Asia, Australia, Europe and the Middle East.

Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved
worldwide.

Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.

Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.

X-Force PGP Key available on MIT's PGP key server and PGP.com's key
server, as well as at http://www.iss.net/security_center/sensitive.php

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

----- End forwarded message -----

From owner-freebsd-security Tue Nov 12 9:44:55 2002
Date: Tue, 12 Nov 2002 11:44:52 -0600
From: "Jacques A. Vidrine"
To: security@freebsd.org
Subject: READ ME before asking about BIND (was Fwd: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8)
Message-ID: <20021112174452.GE59786@hellblazer.nectar.cc>

[Just trying to head off inevitable questions.]

On Tue, Nov 12, 2002 at 09:28:20AM -0800, Erick Mechler wrote:
> The following was just posted to bugtraq.

The FreeBSD Security Officer was notified this morning by CERT. The
notification indicated that ISS would go public tomorrow (not today),
and that vendors would need to contact ISC for patches.

We've already contacted ISC and are waiting for a response. No doubt
they are inundated with requests right now. Please be patient.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org .
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Nov 12 15:43:11 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3E79537B401 for ; Tue, 12 Nov 2002 15:43:05 -0800 (PST) Received: from WS11040202.bytecraft.au.com (ws11040202.bytecraft.au.com [203.39.118.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4B1B443E8A for ; Tue, 12 Nov 2002 15:43:03 -0800 (PST) (envelope-from MichaelCarew@bytecraftsystems.com) Received: from wombat.bytecraft.au.com (not verified[203.39.118.3]) by WS11040202.bytecraft.au.com with MailMarshal (4,2,5,0) id ; Wed, 13 Nov 2002 10:43:01 +1100 Received: from wscarewm (unknown [10.0.17.13]) by wombat.bytecraft.au.com (Postfix) with SMTP id BD1BD3FB4 for ; Wed, 13 Nov 2002 10:43:00 +1100 (EST) Message-ID: <07dc01c28aa4$fdb51d50$0d11000a@wscarewm> From: "Michael Carew" To: References: <20021112172820.GV96637@techometer.net> Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)] Date: Wed, 13 Nov 2002 10:41:15 +1100 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2720.3000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org One thing that the advisory seems to leave out, is limiting recursion, rather than disabling. In named.conf something similar to the following can be used to limit some exposure: options { allow-recursion { 127.0.0.1; 10.0.0.0/8; }; }; This is generally a good security practice anyway. Cheers, Michael ----- Original Message ----- 
From: "Erick Mechler" To: Sent: Wednesday, November 13, 2002 4:28 AM Subject: [Fwd: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)] > The following was just posted to bugtraq. > > Cheers - Erick > > ----- Forwarded message from Dave Ahmad ----- > > Date: Tue, 12 Nov 2002 10:05:42 -0700 (MST) > From: Dave Ahmad > To: bugtraq@securityfocus.com > Subject: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and > BIND8 (fwd) > > > > David Mirza Ahmad > Symantec > > 0x26005712 > 8D 9A B1 33 82 3D B3 D0 40 EB AB F0 1E 67 C6 1A 26 00 57 12 > > ---------- Forwarded message ---------- > Return-Path: > Delivered-To: da@securityfocus.com > Received: (qmail 800 invoked from network); 12 Nov 2002 17:04:55 -0000 > Received: from atla-mm1.iss.net (209.134.161.13) > by mail.securityfocus.com with SMTP; 12 Nov 2002 17:04:55 -0000 > Received: from atla-mm1.iss.net (localhost [127.0.0.1]) > by atla-mm1.iss.net (8.12.2/8.12.2) with ESMTP id gACH4tKI001621; > Tue, 12 Nov 2002 12:04:55 -0500 (EST) > Received: from atla-mx1.iss.net (atla-mx1.iss.net [209.134.161.6]) > by atla-mm1.iss.net (8.12.2/8.12.2) with ESMTP id gACGwJPN000338 > for ; Tue, 12 Nov 2002 11:58:20 -0500 (EST) > Received: from ra.iss.net (ra.iss.net [209.134.170.135]) > by atla-mx1.iss.net (8.12.2/8.12.2) with ESMTP id gACGwIgC015983 > for ; Tue, 12 Nov 2002 11:58:18 -0500 (EST) > Received: (from xforce@localhost) > by ra.iss.net (8.10.2+Sun/8.10.2) id gACGr7N00575; > Tue, 12 Nov 2002 11:53:07 -0500 (EST) > Message-Id: <200211121653.gACGr7N00575@ra.iss.net> > To: alert@iss.net 
> From: X-Force > Subject: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 > and BIND8 > Sender: alert-admin@iss.net > Errors-To: alert-admin@iss.net > X-BeenThere: alert@iss.net > X-Mailman-Version: 2.0.8 > Precedence: bulk > List-Help: > List-Post: > List-Subscribe: , > > List-Id: ISS security alert advisories > List-Unsubscribe: , > > List-Archive: > Date: Tue, 12 Nov 2002 11:53:07 -0500 (EST) > > -----BEGIN PGP SIGNED MESSAGE----- > > Internet Security Systems Security Brief > November 12, 2002 > > Multiple Remote Vulnerabilities in BIND4 and BIND8 > > Synopsis: > > ISS X-Force has discovered several serious vulnerabilities in the Berkeley > Internet Name Domain Server (BIND). BIND is the most common implementation of > the DNS (Domain Name Service) protocol, which is used on the vast majority of > DNS servers on the Internet. DNS is a vital Internet protocol that maintains > a database of easy-to-remember domain names (host names) and their > corresponding numerical IP addresses. > > Impact: > > The vulnerabilities described in this advisory affect nearly all currently > deployed recursive DNS servers on the Internet. The DNS network is considered > a critical component of Internet infrastructure. There is no information > implying that these exploits are known to the computer underground, and there > are no reports of active attacks. If exploits for these vulnerabilities are > developed and made public, they may lead to compromise and DoS attacks against > vulnerable DNS servers. Since the vulnerability is widespread, an Internet > worm may be developed to propagate by exploiting the flaws in BIND. Widespread > attacks against the DNS system may lead to general instability and inaccuracy > of DNS data. 
> > Affected Versions: > > BIND SIG Cached RR Overflow Vulnerability > > BIND 8, versions up to and including 8.3.3-REL > BIND 4, versions up to and including 4.9.10-REL > > BIND OPT DoS > > BIND 8, versions 8.3.0 up to and including 8.3.3-REL > > BIND SIG Expiry Time DoS > > BIND 8, versions up to and including 8.3.3-REL > > For the complete ISS X-Force Security Advisory, please visit: > http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=21469 > > ______ > > About Internet Security Systems (ISS) Founded in 1994, Internet Security > Systems (ISS) (Nasdaq: ISSX) is a pioneer and world leader in software > and services that protect critical online resources from an ever- > changing spectrum of threats and misuse. Internet Security Systems is > headquartered in Atlanta, GA, with additional operations throughout the > Americas, Asia, Australia, Europe and the Middle East. > > Copyright (c) 2002 Internet Security Systems, Inc. All rights reserved > worldwide. > > Permission is hereby granted for the electronic redistribution of this > document. It is not to be edited or altered in any way without the > express written consent of the Internet Security Systems X-Force. If you > wish to reprint the whole or any part of this document in any other > medium excluding electronic media, please email xforce@iss.net for > permission. > > Disclaimer: The information within this paper may change without notice. > Use of this information constitutes acceptance for use in an AS IS > condition. There are NO warranties, implied or otherwise, with regard to > this information or its use. Any use of this information is at the > user's risk. In no event shall the author/distributor (Internet Security > Systems X-Force) be held liable for any damages whatsoever arising out > of or in connection with the use or spread of this information. 
>
> X-Force PGP Key available on MIT's PGP key server and PGP.com's key
> server, as well as at http://www.iss.net/security_center/sensitive.php
>
> Please send suggestions, updates, and comments to: X-Force
> xforce@iss.net of Internet Security Systems, Inc.
>
> ----- End forwarded message -----
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
>
> ************************************************************************
> This Email has been scanned for Viruses by MailMarshal
> an automated gateway email virus scanner.
> ************************************************************************

From owner-freebsd-security Tue Nov 12 15:47:10 2002
Date: Tue, 12 Nov 2002 17:47:06 -0600
From: "Jacques A. Vidrine"
To: Michael Carew
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]

On Wed, Nov 13, 2002 at 10:41:15AM +1100, Michael Carew wrote:
> One thing that the advisory seems to leave out, is limiting recursion,
> rather than disabling.

It leaves it out because it doesn't help much. Your name server will
still query other name servers, and those other name servers (or
someone spoofing them, maybe) can send malicious replies that your
name server will process.

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Nov 12 16: 0: 3 2002
From: "Michael Carew"
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]
Date: Wed, 13 Nov 2002 10:58:12 +1100

At least limiting it prevents someone setting up an authoritative server,
then making a query to that domain off your name server.

They are then reliant on a legitimate client querying the server with the
malicious content, rather than them doing it themselves.

Reducing the chances substantially I would imagine.

----- Original Message -----
From: "Jacques A. Vidrine"
To: "Michael Carew"
Sent: Wednesday, November 13, 2002 10:47 AM
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]

> On Wed, Nov 13, 2002 at 10:41:15AM +1100, Michael Carew wrote:
> > One thing that the advisory seems to leave out, is limiting recursion,
> > rather than disabling.
>
> It leaves it out because it doesn't help much. Your name server will
> still query other name servers, and those other name servers (or
> someone spoofing them, maybe) can send malicious replies that your
> name server will process.
>
> Cheers,
> --
> Jacques A. Vidrine http://www.celabo.org/
> NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
> jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Tue Nov 12 16:10:44 2002
Date: Tue, 12 Nov 2002 19:10:32 -0500 (EST)
From: Matt Piechota
To: Michael Carew
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]

On Wed, 13 Nov 2002, Michael Carew wrote:
> At least limiting it prevents someone setting up an authoritative server,
> then making a query to that domain off your name server.
>
> They are then reliant on a legitimate client querying the server with the
> malicious content, rather than them doing it themselves.
>
> Reducing the chances substantially I would imagine.

Not as much as you'd think. If you use tcpwrappers and something like
*.foo.edu, it'll do a reverse lookup to find out if a.b.c.d matches
*.foo.edu. I think other things do at least reverse lookups as well
(i.e., so 'w' shows what host I'm connecting from vs what IP). It's a
little more difficult to have a reverse DNS domain, but not much.

Besides, I think there's a few services that do a reverse then a forward
to see if the names match. (I think I remember reading that)

--
Matt Piechota

From owner-freebsd-security Tue Nov 12 16:17:19 2002
Date: Tue, 12 Nov 2002 18:16:50 -0600
To: Freebsd-security@freebsd.org
From: Len Conrad
Subject: Re: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8 (fwd)]

>At least limiting it prevents someone setting up an authoritative server,
>then making a query to that domain off your name server.

In the Men and Mice DNS Security course, we call this "triggered
poisoning".

With BIND8, limiting/disabling recursion and disabling glue-fetching will
keep you pretty secure from cache poisoning, and from this particular
vulnerability.

The attacker could send you email that bounced causing your MX to query
his DNS to send the bounce msg, but your MX wouldn't be querying his
tricked up DNS for SIG records.

SIG records are for DNSSEC signed zones and signed records. How many
BIND8 zones even have SIG records to respond with?

Len

From owner-freebsd-security Wed Nov 13 3: 5: 1 2002
Date: Wed, 13 Nov 2002 13:05:54 +0200
From: Alexandru G.Efrosi <_ae@registru.md>
To: security@freebsd.org
Subject: pam_radius

Hi!

I set accounting through PAM to a remote RADIUS server with pam_radius.so in that way:
login account required pam_radius.so
and I receive an error in auth.log
login: unable to resolve symbol: pam_sm_acct_mgmt

But, with this error, authentication works fine. Why doesn't accounting work?
System used: FreeBSD 4.7-STABLE #0: Mon Nov 11 15:37:23 EET 2002

Alexander

From owner-freebsd-security Wed Nov 13 3:38:34 2002
Date: Wed, 13 Nov 2002 13:37:44 +0200
From: Peter Pentchev
To: "Alexandru G. Efrosi" <_ae@registru.md>
Cc: security@freebsd.org
Subject: Re: pam_radius

On Wed, Nov 13, 2002 at 01:05:54PM +0200, Alexandru G. Efrosi wrote:
> Hi!
>
> I set accounting through PAM to a remote RADIUS server with pam_radius.so in that way:
> login account required pam_radius.so
> and I receive an error in auth.log
> login: unable to resolve symbol: pam_sm_acct_mgmt
>
> But, with this error, authentication works fine. Why doesn't accounting work?
> System used: FreeBSD 4.7-STABLE #0: Mon Nov 11 15:37:23 EET 2002

The pam_radius module does not implement accounting at all.
This can be seen from the error message itself - the PAM system
complains that it could not find the pam_sm_acct_mgmt symbol (function)
within the pam_radius shared library. A quick look at
src/lib/libpam/modules/pam_radius/pam_radius.c shows that, indeed, it
only defines 'auth' and 'setcred' request handlers.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
If there were no counterfactuals, this sentence would not have been paradoxical.
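Added example, not part of the original thread and not FreeBSD's own code: the mismatch described in the reply above can be found before login logs the error, by comparing the facility on each pam.conf line with the pam_sm_* functions the module exports. The symbol listing and pam.conf lines are constructed samples, the listing is assumed to be in `nm -D` format, and every function name other than the pam_sm_* symbols is hypothetical.

```python
"""Cross-check pam.conf entries against the pam_sm_* symbols a module exports."""
import os

# Service functions a module has to export to serve each PAM facility.
FACILITY_SYMBOLS = {
    "auth": ("pam_sm_authenticate", "pam_sm_setcred"),
    "account": ("pam_sm_acct_mgmt",),
    "session": ("pam_sm_open_session", "pam_sm_close_session"),
    "password": ("pam_sm_chauthtok",),
}

# Constructed sample: `nm -D` style listing of a module that, like the
# pam_radius discussed in the thread, defines only auth and setcred handlers.
SAMPLE_NM = """\
         U getpwnam
00001a40 T pam_sm_authenticate
00001c10 T pam_sm_setcred
         U syslog
"""

# Constructed sample in the four-column pam.conf layout quoted in the thread.
SAMPLE_PAM_CONF = """\
# service  facility  control   module
login      auth      required  pam_radius.so
login      account   required  pam_radius.so
login      session   required  pam_permit.so
"""


def exported_symbols(nm_output):
    """Return the names of symbols the listing marks as defined."""
    names = set()
    for line in nm_output.splitlines():
        fields = line.split()
        # Defined symbols read "<address> <type> <name>"; undefined ones
        # have no address column and are skipped.
        if len(fields) == 3 and fields[1].upper() != "U":
            names.add(fields[2])
    return names


def parse_pam_conf(text):
    """Yield (lineno, service, facility, control, module) for each entry."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed entry, outside the scope of this check
        service, facility, control, module = fields[:4]
        yield lineno, service, facility.lower(), control, os.path.basename(module)


def audit(conf_text, exports_by_module):
    """Return (findings, unchecked).

    findings: entries whose module lacks a function the facility needs.
    unchecked: entries for modules with no symbol listing supplied.
    """
    findings, unchecked = [], []
    for lineno, service, facility, _control, module in parse_pam_conf(conf_text):
        if module not in exports_by_module:
            unchecked.append((lineno, module))
            continue
        needed = FACILITY_SYMBOLS.get(facility, ())
        missing = tuple(s for s in needed if s not in exports_by_module[module])
        if missing:
            findings.append((lineno, service, facility, module, missing))
    return findings, unchecked


def run_sample():
    """Audit the constructed pam.conf against the constructed listing."""
    exports = {"pam_radius.so": exported_symbols(SAMPLE_NM)}
    return audit(SAMPLE_PAM_CONF, exports)


if __name__ == "__main__":
    found, skipped = run_sample()
    for lineno, service, facility, module, missing in found:
        print(f"pam.conf:{lineno}: {service} {facility} uses {module}, "
              f"which does not export {', '.join(missing)}")
    for lineno, module in skipped:
        print(f"pam.conf:{lineno}: no symbol listing for {module}, not checked")
```

On a real system the listing for each module would come from running nm against the installed shared object instead of the embedded sample.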
From owner-freebsd-security Wed Nov 13 3:59:16 2002
Date: Wed, 13 Nov 2002 13:59:04 +0200
From: Ruslan Ermilov
To: Peter Pentchev
Cc: "Alexandru G. Efrosi" <_ae@registru.md>, security@FreeBSD.ORG
Subject: Re: pam_radius

On Wed, Nov 13, 2002 at 01:37:44PM +0200, Peter Pentchev wrote:
> On Wed, Nov 13, 2002 at 01:05:54PM +0200, Alexandru G. Efrosi wrote:
> > Hi!
> >
> > I set accounting through PAM to a remote RADIUS server with pam_radius.so in that way:
> > login account required pam_radius.so
> > and I receive an error in auth.log
> > login: unable to resolve symbol: pam_sm_acct_mgmt
> >
> > But, with this error, authentication works fine. Why doesn't accounting work?
> > System used: FreeBSD 4.7-STABLE #0: Mon Nov 11 15:37:23 EET 2002
>
> The pam_radius module does not implement accounting at all.
> This can be seen from the error message itself - the PAM system
> complains that it could not find the pam_sm_acct_mgmt symbol (function)
> within the pam_radius shared library. A quick look at
> src/lib/libpam/modules/pam_radius/pam_radius.c shows that, indeed, it
> only defines 'auth' and 'setcred' request handlers.
>

For the record. What a given module provides is declared by
PAM_SM_* defines, before inclusion of .

Cheers,
--
Ruslan Ermilov Sysadmin and DBA,
ru@sunbay.com Sunbay Software AG,
ru@FreeBSD.org FreeBSD committer,
+380.652.512.251 Simferopol, Ukraine

http://www.FreeBSD.org The Power To Serve
http://www.oracle.com Enabling The Information Age

From owner-freebsd-security Wed Nov 13 11:20:23 2002
Date: Wed, 13 Nov 2002 20:20:14 +0100
To: security@freebsd.org
Subject: "Latest libpcap & tcpdump sources from tcpdump.org contain a trojan"
From: lupe@lupe-christoph.de (Lupe Christoph)

Hi!

Please read
http://www.hlug.org/modules.php?op=modload&name=News&file=article&sid=6&mode=thread&order=0&thold=0

Is FreeBSD affected?

Thanks,
Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| Big Misunderstandings #6398: The Titanic was not supposed to be |
| unsinkable. The designer had a speech impediment. He said: "I have |
| thith great unthinkable conthept ..." |

From owner-freebsd-security Wed Nov 13 11:26:51 2002
Date: Wed, 13 Nov 2002 14:26:44 -0500
From: Chris Faulhaber
To: Lupe Christoph
Cc: security@freebsd.org
Subject: Re: "Latest libpcap & tcpdump sources from tcpdump.org contain a trojan"

On Wed, Nov 13, 2002 at 08:20:14PM +0100, Lupe Christoph wrote:
> Hi!
>
> Please read
> http://www.hlug.org/modules.php?op=modload&name=News&file=article&sid=6&mode=thread&order=0&thold=0
>

Nope, as with all base system sources, tcpdump and libpcap do not
use the installed configure scripts for building. In addition, the
trojaned tarballs only appeared a few days ago during which time
the tcpdump and libpcap sources have not been updated in FreeBSD
(not that we use the tarballs for tcpdump/libpcap imports).

--
Chris D. Faulhaber - jedgar@fxp.org - jedgar@FreeBSD.org
--------------------------------------------------------
FreeBSD: The Power To Serve - http://www.FreeBSD.org

From owner-freebsd-security Wed Nov 13 16:52:42 2002
Date: Wed, 13 Nov 2002 19:53:40 -0500
To: security@FreeBSD.ORG
From: Mike Tancsa
Subject: Re: READ ME before asking about BIND (was Fwd: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8)

Hi,
Has anyone tried the patches on the ISC web site yet
(http://www.isc.org/products/BIND/patches) against what is in STABLE ?

---Mike

At 11:44 AM 11/12/2002 -0600, Jacques A. Vidrine wrote:
>[Just trying to head off inevitable questions.]
>
>On Tue, Nov 12, 2002 at 09:28:20AM -0800, Erick Mechler wrote:
> > The following was just posted to bugtraq.
>
>The FreeBSD Security Officer was notified this morning by CERT. The
>notification indicated that ISS would go public tomorrow (not today),
>and that vendors would need to contact ISC for patches.
>
>We've already contacted ISC and are waiting for a response. No doubt
>they are inundated with requests right now. Please be patient.
>
>Cheers,
>--
>Jacques A. Vidrine http://www.celabo.org/
>NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
>jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Nov 13 19:33:25 2002
From: "Scot W. Hetzel"
To: "Mike Tancsa"
Subject: Re: READ ME before asking about BIND (was Fwd: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8)
Date: Wed, 13 Nov 2002 21:35:06 -0600

From: "Mike Tancsa"
> Has anyone tried the patches on the ISC web site yet
> (http://www.isc.org/products/BIND/patches) against what is in STABLE ?
>
> ---Mike
>

The patch from the ISC.org website patches with no problems on 4.7-STABLE
sources (cvs updated today).

I'm in the process of compiling the sources.

Scot

From owner-freebsd-security Wed Nov 13 19:37:22 2002
Date: Wed, 13 Nov 2002 22:38:26 -0500
To: "Scot W. Hetzel"
From: Mike Tancsa
Subject: Re: READ ME before asking about BIND (was Fwd: ISS Security Advisory: Multiple Remote Vulnerabilities in BIND4 and BIND8)

Thanks. I had done so on a test machine and all seems to run for me as
well. However, I guess the issue is moot now as it appears all has been
committed to RELENG_4_7 a few hrs ago by Jacques Vidrine.

---Mike

At 09:35 PM 11/13/2002 -0600, Scot W. Hetzel wrote:
>From: "Mike Tancsa"
> > Has anyone tried the patches on the ISC web site yet
> > (http://www.isc.org/products/BIND/patches) against what is in STABLE ?
> >
> > ---Mike
> >
>The patch from the ISC.org website patches with no problems on 4.7-STABLE
>sources (cvs updated today).
>
>I'm in the process of compiling the sources.
>
>Scot

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

From owner-freebsd-security Wed Nov 13 21: 1:25 2002
Date: Wed, 13 Nov 2002 23:53:46 -0500
From: Kirk Bailey
Organization: Silas Dent Memorial Cabal of ERIS Esoteric and hot dog boiling society
To: "security@FreeBSD.ORG"
Subject: list scripts, permissions, and ownerships.

I have a problem. I am writing a script to create lists, and another to destroy them- that is, MAIL lists, such as mailman, majordomo, and mojomail and tinylist all work with. (I write TinyList.)

The aliases file must have certain permissions, and it appears to be 644 in my freebsd box- hope that's correct, but it works fine. And the ownership is root, and that works fine.

well, apache in the box is nobody:wheel and runs scripts as such. I have the scripts owned nobody:wheel also. They run, but it cannot access the aliases file-permissions/ownerships. OK, changed the relevant scripts' ownerships to root (gasp!) and tried to run things that way. still no luck. Scripts apparently are running as nobody, even though owned by root.

OK, a few questions.

First, how do I get a script to discover what identity it is running as?

Second, how can I insure it runs as a particular identity (so as to be compatible with the email system), when run by the web server?

third, what are the correct ownerships and permissions for /etc/mail and for aliases? Just want to make sure I have things right.

-- 
end

Respectfully,
Kirk D Bailey

+---------------------"Thou Art Free." -Eris-----------------------+
| http://www.howlermonkey.net mailto:highprimate@howlermonkey.net |
| KILL spam dead! http://www.scambusters.org/stopspam/#Pledge |
| http://www.tinylist.org +--------+ mailto:grumpy@tinylist.org |
+------------------Thinking| NORMAL |Thinking----------------------+
+--------+

From owner-freebsd-security Wed Nov 13 21:49:53 2002
Message-ID: <009f01c28ba1$310fa6a0$a977ca41@yogi>
From: "Lewis Watson"
To: "Kirk Bailey"
References: <3DD32C5A.9784D742@netzero.net>
Subject: Re: list scripts, permissions, and ownerships.
Date: Wed, 13 Nov 2002 23:46:34 -0600

----- Original Message -----
From: "Kirk Bailey"
Sent: Wednesday, November 13, 2002 10:53 PM
Subject: list scripts, permissions, and ownerships.

> First, how do I get a script to discover what identity it is running as?
>
> Respectfully,
> Kirk D Bailey

Hi Kirk.
I can help with this one.... put the command 'whoami' into the script.....
hth,
Lewis Watson

From owner-freebsd-security Wed Nov 13 22: 9:40 2002
Message-ID: <3DD33DA6.55DB03A@netzero.net>
Date: Thu, 14 Nov 2002 01:07:34 -0500
From: Kirk Bailey
Organization: Silas Dent Memorial Cabal of ERIS Esoteric and hot dog boiling society
To: "security@FreeBSD.ORG"
Subject: Re: list scripts, permissions, and ownerships.

oops. I quote:

    7.Is the target user NOT superuser?

      Presently, suEXEC does not allow 'root' to execute CGI/SSI programs.

Alas, the file appears to be owned by root. Now what?

Noah K Sematimba wrote:
>
> I think that perhaps you need to read about apache's suEXEC mechanism:
>
> http://httpd.apache.org/docs/suexec.html
>
> cheers,
>
> Sematimba Noah Kevin
> Systems Administrator
> Africa Online Uganda Limited
> Commercial Plaza Kampala Road
> e-mail: ksemat@africaonline.co.ug
> WEB: http://www.africaonline.co.ug
> TEL: +256(41)258143
> FAX: +256(41)258144
>
> On Wed, 13 Nov 2002, Kirk Bailey wrote:
>
> > I have a problem. I am writing a script to create lists, and another to destroy
> > them- that is, MAIL lists, such as mailman, majordomo, and mojomail and tinylist
> > all work with. (I write TinyList.)
> >
> > The aliases file must have certain permissions, and it appears to be 644 in my
> > freebsd box- hope that's correct, but it works fine. And the ownership is root,
> > and that works fine.
> >
> > well, apache in the box is nobody:wheel and runs scripts as such. I have the
> > scripts owned nobody:wheel also. They run, but it cannot access the aliases
> > file-permissions/ownerships. OK, changed the relevant scripts' ownerships to
> > root (gasp!) and tried to run things that way. still no luck. Scripts apparently
> > are running as nobody, even though owned by root.
> >
> > OK, a few questions.
> >
> > First, how do I get a script to discover what identity it is running as?
> >
> > Second, how can I insure it runs as a particular identity (so as to be compatible
> > with the email system), when run by the web server?
> >
> > third, what are the correct ownerships and permissions for /etc/mail and for
> > aliases? Just want to make sure I have things right.
> >
> > --
> >
> > end
> >
> > Respectfully,
> > Kirk D Bailey
>

-- 
end

Respectfully,
Kirk D Bailey

From owner-freebsd-security Wed Nov 13 23:19:30 2002
Date: Thu, 14 Nov 2002 16:19:25 +0900 (JST)
Message-Id: <20021114.161925.95516452.ishizuka@ish.org>
To: security-advisories@FreeBSD.ORG
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
From: Masachika ISHIZUKA
In-Reply-To: <200211140624.gAE6OXcA038916@freefall.freebsd.org>
References: <200211140624.gAE6OXcA038916@freefall.freebsd.org>

> FreeBSD-SA-02:43.bind                                      Security Advisory
> [snip]
>
> V.   Solution
> 2) To patch your present system:
>
> The following patch has been verified to apply to FreeBSD 4.4, 4.5,
> 4.6, and 4.7 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:43/bind.patch
> # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:43/bind.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/named
> # make depend && make && make install
> # cd /usr/src/libexec/named-xfer
> # make depend && make && make install

  Hi, this is ishizuka@ish.org.

  I cannot patch with above commands for 4.7-RELEASE.
  The correct commands are as follows?

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libisc
# make
# cd /usr/src/lib/libbind
# make
# cd /usr/src/usr.sbin/named
# make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make depend && make && make install

-- 
ishizuka@ish.org

From owner-freebsd-security Thu Nov 14 4:31: 6 2002
Date: Thu, 14 Nov 2002 15:30:47 +0300
From: "Nickolay A. Kritsky"
Reply-To: "Nickolay A. Kritsky"
Message-ID: <6080042384.20021114153047@internethelp.ru>
To: Kirk Bailey
Cc: "security@FreeBSD.ORG"
Subject: Re: list scripts, permissions, and ownerships.
In-reply-To: <3DD32C5A.9784D742@netzero.net>
References: <3DD32C5A.9784D742@netzero.net>

Hello Kirk,

Thursday, November 14, 2002, 7:53:46 AM, you wrote:

KB> I have a problem. I am writing a script to create lists, and another to destroy
KB> them- that is, MAIL lists, such as mailman, majordomo, and mojomail and tinylist
KB> all work with. (I write TinyList.)

KB> The aliases file must have certain permissions, and it appears to be 644 in my
KB> freebsd box- hope that's correct, but it works fine. And the ownership is root,
KB> and that works fine.

KB> well, apache in the box is nobody:wheel and runs scripts as such. I have the
KB> scripts owned nobody:wheel also. They run, but it cannot access the aliases
KB> file-permissions/ownerships. OK, changed the relevant scripts' ownerships to
KB> root (gasp!) and tried to run things that way. still no luck. Scripts apparently
KB> are running as nobody, even though owned by root.

KB> OK, a few questions.

KB> First, how do I get a script to discover what identity it is running as?

id(1)
whoami(1)

KB> Second, how can I insure it runs as a particular identity (so as to be compatible
KB> with the email system), when run by the web server?

apache has some feature called `suexec'. I think it can help you. Search the apache manual.

;-------------------------------------------
; NKritsky
; mailto:nkritsky@internethelp.ru

From owner-freebsd-security Thu Nov 14 4:52:59 2002
Date: Thu, 14 Nov 2002 14:52:46 +0200
From: Alexandr Kovalenko
To: FreeBSD Security
Cc: nectar@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
Message-ID: <20021114125246.GA89143@nevermind.kiev.ua>
References: <200211140624.gAE6OXcA038916@freefall.freebsd.org>
In-Reply-To: <200211140624.gAE6OXcA038916@freefall.freebsd.org>

Hello, FreeBSD Security Advisories!

On Wed, Nov 13, 2002 at 10:24:33PM -0800, you wrote:
> =============================================================================
> FreeBSD-SA-02:43.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          multiple vulnerabilities in BIND
>
> Category:       core
> Module:         bind
> Announced:      2002-11-14
> Credits:        ISS X-Force
> Affects:        All released versions of FreeBSD
> Corrected:      2002-11-14 05:15:15 UTC (RELENG_4)
>                 2002-11-14 02:05:57 UTC (RELENG_4_7)
>                 2002-11-14 03:18:41 UTC (RELENG_4_6)
>                 2002-11-14 04:05:12 UTC (RELENG_4_5)
>                 2002-11-14 05:11:57 UTC (RELENG_4_4)
> FreeBSD only:   NO

[dd]

> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/named
> # make depend && make && make install
> # cd /usr/src/libexec/named-xfer
> # make depend && make && make install

These instructions are incorrect, correct ones are:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbind
# make depend && make && make install
# cd /usr/src/lib/libisc
# make depend && make && make install
# cd /usr/src/usr.sbin/named
# make depend && make && make install
# cd /usr/src/libexec/named-xfer
# make depend && make && make install

-- 
NEVE-RIPE
Ukrainian FreeBSD User Group
http://uafug.org.ua/

From owner-freebsd-security Thu Nov 14 5:32:41 2002
Message-ID: <3DD3A5E7.8020908@centtech.com>
Date: Thu, 14 Nov 2002 07:32:23 -0600
From: Eric Anderson
To: Kirk Bailey
Cc: "security@FreeBSD.ORG"
Subject: Re: list scripts, permissions, and ownerships.
References: <3DD33DA6.55DB03A@netzero.net>

Kirk Bailey wrote:
> oops. I quote:
>
> 7.Is the target user NOT superuser?
>
> Presently, suEXEC does not allow 'root' to execute CGI/SSI
> programs.
>
> Alas, the file appears to be owned by root. Now what?

I'm assuming by "owned by root" you mean setuid bit is on and the ownership is root? Just making a file owned by root doesn't make it run as root. If you DID have the setuid bit on, and it IS root owned, you are in dangerous waters. It's not really a great idea to have suid root programs running from a web site - all it takes is for you to miss one thing and the "evil hacker" has root access on your box, instead of just access as "nobody".

The nobody user should be able to read the aliases file just fine with no extra permissions.

Eric

-- 
------------------------------------------------------------------
Eric Anderson    Systems Administrator    Centaur Technology
Beware the fury of a patient man.
------------------------------------------------------------------

From owner-freebsd-security Thu Nov 14 6:51: 0 2002
Date: Thu, 14 Nov 2002 08:50:55 -0600
From: "Jacques A. Vidrine"
To: Alexandr Kovalenko
Cc: FreeBSD Security
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
Message-ID: <20021114145055.GB75450@madman.nectar.cc>
References: <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114125246.GA89143@nevermind.kiev.ua>
In-Reply-To: <20021114125246.GA89143@nevermind.kiev.ua>

On Thu, Nov 14, 2002 at 02:52:46PM +0200, Alexandr Kovalenko wrote:
> Hello, FreeBSD Security Advisories!
[...]
> These instructions are incorrect, correct ones are:
[...]

Thanks very much! Someone else pointed this out as well. We will issue an updated advisory.

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Nov 14 6:54:14 2002
Date: Thu, 14 Nov 2002 10:02:04 -0500
From: Anthony Schneider
To: Eric Anderson
Cc: Kirk Bailey, "security@FreeBSD.ORG"
Subject: Re: list scripts, permissions, and ownerships.
Message-ID: <20021114150204.GA20990@x-anthony.com>
References: <3DD33DA6.55DB03A@netzero.net> <3DD3A5E7.8020908@centtech.com>
In-Reply-To: <3DD3A5E7.8020908@centtech.com>

suexec executes cgi scripts as the owning user. the idea (very briefly) is to get around mutual "nobody" ownership of files and such.

as for the original question, from "scripts" there are many ways to get your uid.

system commands: whoami, id
bash/zsh: echo $UID
csh/tcsh (not so certain about csh...): echo $uid
perl: print $< . "\n";

i'm sure that python, tcl, ruby and others have methods along the lines of a getuid() call. i believe in python you can import OS and getuid().

something to keep in consideration is the existence of the effective uid, which can generally be reached by similar methods, like geteuid(), or echo $EUID.

-Anthony.

On Thu, Nov 14, 2002 at 07:32:23AM -0600, Eric Anderson wrote:
> Kirk Bailey wrote:
> >oops. I quote:
> >
> > 7.Is the target user NOT superuser?
> >
> > Presently, suEXEC does not allow 'root' to execute CGI/SSI
> > programs.
> >
> >Alas, the file appears to be owned by root. Now what?
>
> I'm assuming by "owned by root" you mean setuid bit is on and the
> ownership is root? Just making a file owned by root doesn't make it run
> as root. If you DID have the setuid bit on, and it IS root owned, you
> are in dangerous waters. It's not really a great idea to have suid root
> programs running from a web site - all it takes is for you to miss one
> thing and the "evil hacker" has root access on your box, instead of just
> access as "nobody".
>
> The nobody user should be able to read the aliases file just fine with
> no extra permissions.
>
> Eric
>
> --
> ------------------------------------------------------------------
> Eric Anderson    Systems Administrator    Centaur Technology
> Beware the fury of a patient man.
> ------------------------------------------------------------------

From owner-freebsd-security Thu Nov 14 8:33:32 2002
Date: Thu, 14 Nov 2002 10:33:27 -0600
From: "Jacques A. Vidrine"
To: Masachika ISHIZUKA
Cc: security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
Message-ID: <20021114163327.GD23981@madman.nectar.cc>
References: <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org>
In-Reply-To: <20021114.161925.95516452.ishizuka@ish.org>

On Thu, Nov 14, 2002 at 04:19:25PM +0900, Masachika ISHIZUKA wrote:
>   Hi, this is ishizuka@ish.org.
>
>   I cannot patch with above commands for 4.7-RELEASE.
>   The correct commands are as follows?
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libisc
> # make

Rather:
  # make depend && make

> # cd /usr/src/lib/libbind
> # make

Rather:
  # make depend && make

> # cd /usr/src/usr.sbin/named
> # make depend && make && make install
> # cd /usr/src/libexec/named-xfer
> # make depend && make && make install

Cheers,
-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Nov 14 9:10:28 2002
Message-Id: <3.0.5.32.20021114111020.0102afe0@sage-american.com>
Date: Thu, 14 Nov 2002 11:10:20 -0600
To: "Jacques A. Vidrine", Masachika ISHIZUKA
From: "Jack L. Stone"
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
Cc: security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
In-Reply-To: <20021114163327.GD23981@madman.nectar.cc>
References: <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org>

At 10:33 AM 11.14.2002 -0600, Jacques A. Vidrine wrote:
>On Thu, Nov 14, 2002 at 04:19:25PM +0900, Masachika ISHIZUKA wrote:
>>   Hi, this is ishizuka@ish.org.
>>
>>   I cannot patch with above commands for 4.7-RELEASE.
>>   The correct commands are as follows?
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>> # cd /usr/src/lib/libisc
>> # make
>
>Rather:
>  # make depend && make
>
>> # cd /usr/src/lib/libbind
>> # make
>
>Rather:
>  # make depend && make
>
>> # cd /usr/src/usr.sbin/named
>> # make depend && make && make install
>> # cd /usr/src/libexec/named-xfer
>> # make depend && make && make install
>
>Cheers,
>--
>Jacques A. Vidrine   http://www.celabo.org/

I believe the "&&" construct is now deprecated in FBSD-4.7.....

Best regards,
Jack L. Stone,
Administrator

Sage American
http://www.sage-american.com
jacks@sage-american.com

From owner-freebsd-security Thu Nov 14 9:13: 4 2002
Date: Thu, 14 Nov 2002 11:13:00 -0600
From: "Jacques A. Vidrine"
To: "Jack L. Stone"
Cc: Masachika ISHIZUKA, security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
Message-ID: <20021114171300.GI23981@madman.nectar.cc>
References: <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com>
In-Reply-To: <3.0.5.32.20021114111020.0102afe0@sage-american.com>

On Thu, Nov 14, 2002 at 11:10:20AM -0600, Jack L. Stone wrote:
> I believe the "&&" construct is now deprecated in FBSD-4.7.....

No, I think you are confused.

-- 
Jacques A. Vidrine   http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Thu Nov 14 9:18:27 2002
Message-Id: <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca>
Date: Thu, 14 Nov 2002 12:20:54 -0500
To: "Jack L. Stone"
From: Mike Tancsa Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3.0.5.32.20021114111020.0102afe0@sage-american.com> References: <20021114163327.GD23981@madman.nectar.cc> <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (obsidian/20020517) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:10 AM 14/11/2002 -0600, Jack L. Stone wrote: >I believe the "&&" construct is now deprecated in FBSD-4.7..... I think you were thinking of && & which is no longer "supported" ---Mike >Best regards, >Jack L. Stone, >Administrator > >Sage American >http://www.sage-american.com >jacks@sage-american.com > >To Unsubscribe: send mail to majordomo@FreeBSD.org >with "unsubscribe freebsd-security" in the body of the message To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 9:29:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ECC6237B401 for ; Thu, 14 Nov 2002 09:29:15 -0800 (PST) Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2515143E77 for ; Thu, 14 Nov 2002 09:29:15 -0800 (PST) (envelope-from klaus@kobold.compt.com) Date: Thu, 14 Nov 2002 12:29:08 -0500 
From: Klaus Steden To: Mike Tancsa Cc: "Jack L. Stone" , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Message-ID: <20021114122907.E36056@cthulu.compt.com> References: <20021114163327.GD23981@madman.nectar.cc> <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca>; from mike@sentex.net on Thu, Nov 14, 2002 at 12:20:54PM -0500 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > At 11:10 AM 14/11/2002 -0600, Jack L. Stone wrote: > >I believe the "&&" construct is now deprecated in FBSD-4.7..... > > > I think you were thinking of && & which is no longer "supported" > Isn't '&&' a shell construct? Why would it be deprecated since all it does is indicate to the shell to run the command immediately following it pending the successful completion of the command immediately preceding it? Not to split hairs or anything, but did I miss a meeting or something? 
Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 9:29:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E14537B401; Thu, 14 Nov 2002 09:29:20 -0800 (PST) Received: from anuket.mj.niksun.com (gwnew.niksun.com [65.115.46.162]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8647543E77; Thu, 14 Nov 2002 09:29:19 -0800 (PST) (envelope-from arao@niksun.com) Received: from there (anuket.mj.niksun.com [10.70.0.5]) by anuket.mj.niksun.com (8.12.3/8.12.3) with SMTP id gAEHS1VB024143; Thu, 14 Nov 2002 12:28:01 -0500 (EST) (envelope-from arao@niksun.com) X-RAV-AntiVirus: This e-mail has been scanned for viruses. Message-Id: <200211141728.gAEHS1VB024143@anuket.mj.niksun.com> Content-Type: text/plain; charset="iso-8859-1" 
From: Amit Rao To: "Jack L. Stone" , "Jacques A. Vidrine" , Masachika ISHIZUKA Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Date: Thu, 14 Nov 2002 12:28:06 -0500 X-Mailer: KMail [version 1.3.2] Cc: security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG References: <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> In-Reply-To: <3.0.5.32.20021114111020.0102afe0@sage-american.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thursday 14 November 2002 12:10 pm, Jack L. Stone wrote: > At 10:33 AM 11.14.2002 -0600, Jacques A. Vidrine wrote: > >On Thu, Nov 14, 2002 at 04:19:25PM +0900, Masachika ISHIZUKA wrote: > >> Hi, this is ishizuka@ish.org. > >> > >> I cannot patch with above commands for 4.7-RELEASE. > >> The correct commands are as follows? > >> > >> # cd /usr/src > >> # patch < /path/to/patch > >> # cd /usr/src/lib/libisc > >> # make > > > >Rather: > > # make depend && make > > > >> # cd /usr/src/lib/libbind > >> # make > > > >Rather: > > # make depend && make > > > >> # cd /usr/src/usr.sbin/named > >> # make depend && make && make install > >> # cd /usr/src/libexec/named-xfer > >> # make depend && make && make install > > > >Cheers, > >-- > >Jacques A. Vidrine http://www.celabo.org/ > > I believe the "&&" construct is now deprecated in FBSD-4.7..... I think you are referring to: "sh(1) no longer accepts invalid constructs as command & && command, && command, or || command." from freebsd 4.7 relnotes. 
It just means that you cannot do anymore in sh: $ echo hello & && echo world $ && echo hello world etc To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 10:18:24 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0C4E337B401 for ; Thu, 14 Nov 2002 10:18:23 -0800 (PST) Received: from mail.rpi.edu (mail.rpi.edu [128.113.22.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7430C43EAA for ; Thu, 14 Nov 2002 10:18:22 -0800 (PST) (envelope-from drosih@rpi.edu) Received: from [128.113.24.47] (gilead.netel.rpi.edu [128.113.24.47]) by mail.rpi.edu (8.12.1/8.12.1) with ESMTP id gAEIIFbv012388; Thu, 14 Nov 2002 13:18:15 -0500 Mime-Version: 1.0 X-Sender: drosih@mail.rpi.edu Message-Id: In-Reply-To: <3.0.5.32.20021114111020.0102afe0@sage-american.com> References: <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> Date: Thu, 14 Nov 2002 13:18:14 -0500 To: "Jack L. Stone" 
From: Garance A Drosihn Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Cc: freebsd-security@FreeBSD.ORG Content-Type: text/plain; charset="us-ascii" ; format="flowed" X-Scanned-By: MIMEDefang 2.3 (www dot roaringpenguin dot com slash mimedefang) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:10 AM -0600 11/14/02, Jack L. Stone wrote: > >I believe the "&&" construct is now deprecated in FBSD-4.7..... > You are thinking of the construct: cmd1 & cmd2 Which used to be accepted, but really never did make much sense. That's using the '&' (to background cmd1) not '&&' ("logical and", aka "do cmd2 if-and-only-if cmd1 worked"). -- Garance Alistair Drosehn = gad@gilead.netel.rpi.edu Senior Systems Programmer or gad@freebsd.org Rensselaer Polytechnic Institute or drosih@rpi.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 10:25:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C5E637B401 for ; Thu, 14 Nov 2002 10:25:54 -0800 (PST) Received: from kobayashi.uits.iupui.edu (kobayashi.uits.iupui.edu [134.68.5.17]) by mx1.FreeBSD.org (Postfix) with ESMTP id 32F7343E6E for ; Thu, 14 Nov 2002 10:25:53 -0800 (PST) (envelope-from ajk@iu.edu) Received: from kobayashi.uits.iupui.edu (localhost [127.0.0.1]) by kobayashi.uits.iupui.edu (8.12.3/8.12.3) with ESMTP id gAEIO4UP098154 for ; Thu, 14 Nov 2002 13:24:05 -0500 (EST) (envelope-from ajk@iu.edu) To: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind References: <20021114163327.GD23981@madman.nectar.cc> <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> 
<20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca> <20021114122907.E36056@cthulu.compt.com> From: ajk@iu.edu (Andrew J. Korty) Date: Thu, 14 Nov 2002 13:24:04 -0500 In-Reply-To: <20021114122907.E36056@cthulu.compt.com> (Klaus Steden's message of "Thu, 14 Nov 2002 12:29:08 -0500") Message-ID: User-Agent: Gnus/5.090008 (Oort Gnus v0.08) Emacs/21.2 (i386--freebsd) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Why do the advisories use && at all? What's wrong with "make depend all install"? -- Andrew J. Korty, Principal Security Engineer Office of the Vice President for Information Technology Indiana University To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 10:45:19 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6077E37B401 for ; Thu, 14 Nov 2002 10:45:16 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id D13E243E42 for ; Thu, 14 Nov 2002 10:45:15 -0800 (PST) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 5A21438; Thu, 14 Nov 2002 12:45:15 -0600 (CST) Received: by madman.nectar.cc (Postfix, from userid 1001) id C4986137BDD; Thu, 14 Nov 2002 12:45:14 -0600 (CST) Date: Thu, 14 Nov 2002 12:45:14 -0600 
From: "Jacques A. Vidrine" To: "Andrew J. Korty" Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Message-ID: <20021114184514.GL23981@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , "Andrew J. Korty" , freebsd-security@FreeBSD.ORG References: <20021114163327.GD23981@madman.nectar.cc> <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca> <20021114122907.E36056@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 14, 2002 at 01:24:04PM -0500, Andrew J. Korty wrote: > Why do the advisories use && at all? What's wrong with > "make depend all install"? Because `make all install' needs the results of `make depend': i.e. it includes a file generated by `make depend'. It's not `make depend && make all install' simply because I prefer to hit the default make target rather than specifying `all'. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 10:47:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3FE8137B401 for ; Thu, 14 Nov 2002 10:47:33 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id B652243E7B for ; Thu, 14 Nov 2002 10:47:32 -0800 (PST) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 49B2738; Thu, 14 Nov 2002 12:47:32 -0600 (CST) Received: by madman.nectar.cc (Postfix, from userid 1001) id 043DC137BDD; Thu, 14 Nov 2002 12:47:31 -0600 (CST) Date: Thu, 14 Nov 2002 12:47:31 -0600 
From: "Jacques A. Vidrine" To: Garance A Drosihn Cc: "Jack L. Stone" , freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Message-ID: <20021114184731.GM23981@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Garance A Drosihn , "Jack L. Stone" , freebsd-security@FreeBSD.ORG References: <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 14, 2002 at 01:18:14PM -0500, Garance A Drosihn wrote: > You are thinking of the construct: > > cmd1 & cmd2 ITYM `cmd1 & && cmd2', which should never have worked. However, `cmd1 & cmd2' makes perfect sense. I think we are wandering off-topic. Cheers, -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 13:23:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFC1837B401; Thu, 14 Nov 2002 13:23:25 -0800 (PST) Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id 196B543E7B; Thu, 14 Nov 2002 13:23:24 -0800 (PST) (envelope-from jacks@sage-american.com) Received: from sagea (sagea [192.168.0.3]) by sage-one.net (8.11.6/8.11.6) with SMTP id gAELNMD39249; Thu, 14 Nov 2002 15:23:22 -0600 (CST) (envelope-from jacks@sage-american.com) Message-Id: <3.0.5.32.20021114152321.0102ac30@sage-american.com> X-Sender: jacks@sage-american.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 14 Nov 2002 15:23:21 -0600 To: Amit Rao , "Jacques A. Vidrine" , Masachika ISHIZUKA 
From: "Jack L. Stone" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Cc: security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG In-Reply-To: <200211141728.gAEHS1VB024143@anuket.mj.niksun.com> References: <3.0.5.32.20021114111020.0102afe0@sage-american.com> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:28 PM 11.14.2002 -0500, Amit Rao wrote: >On Thursday 14 November 2002 12:10 pm, Jack L. Stone wrote: >> At 10:33 AM 11.14.2002 -0600, Jacques A. Vidrine wrote: >> >On Thu, Nov 14, 2002 at 04:19:25PM +0900, Masachika ISHIZUKA wrote: >> >> Hi, this is ishizuka@ish.org. >> >> >> >> I cannot patch with above commands for 4.7-RELEASE. >> >> The correct commands are as follows? >> >> >> >> # cd /usr/src >> >> # patch < /path/to/patch >> >> # cd /usr/src/lib/libisc >> >> # make >> > >> >Rather: >> > # make depend && make >> > >> >> # cd /usr/src/lib/libbind >> >> # make >> > >> >Rather: >> > # make depend && make >> > >> >> # cd /usr/src/usr.sbin/named >> >> # make depend && make && make install >> >> # cd /usr/src/libexec/named-xfer >> >> # make depend && make && make install >> > >> >Cheers, >> >-- >> >Jacques A. Vidrine http://www.celabo.org/ >> >> I believe the "&&" construct is now deprecated in FBSD-4.7..... > >I think you are referring to: >"sh(1) no longer accepts invalid constructs as command & && command, && >command, or || command." from freebsd 4.7 relnotes. > >It just means that you cannot do anymore in sh: >$ echo hello & && echo world >$ && echo hello world >etc > YES! That is what I meant....!! It is affecting some startup scripts for things like MySQL for instance... Sorry, didn't mean to go off point.... Best regards, Jack L. 
Stone, Administrator Sage American http://www.sage-american.com jacks@sage-american.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 13:25:28 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4208337B401 for ; Thu, 14 Nov 2002 13:25:26 -0800 (PST) Received: from sage-one.net (adsl-65-71-135-137.dsl.crchtx.swbell.net [65.71.135.137]) by mx1.FreeBSD.org (Postfix) with ESMTP id EF9A843E91 for ; Thu, 14 Nov 2002 13:25:20 -0800 (PST) (envelope-from jacks@sage-american.com) Received: from sagea (sagea [192.168.0.3]) by sage-one.net (8.11.6/8.11.6) with SMTP id gAELPED39277; Thu, 14 Nov 2002 15:25:15 -0600 (CST) (envelope-from jacks@sage-american.com) Message-Id: <3.0.5.32.20021114152513.0102ac30@sage-american.com> X-Sender: jacks@sage-american.com X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32) Date: Thu, 14 Nov 2002 15:25:13 -0600 To: Scott Gerhardt , Mike Tancsa 
From: "Jack L. Stone" Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Cc: In-Reply-To: References: <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:45 AM 11.14.2002 -0600, Scott Gerhardt wrote: > > >> At 11:10 AM 14/11/2002 -0600, Jack L. Stone wrote: >>> I believe the "&&" construct is now deprecated in FBSD-4.7..... >> >> >> I think you were thinking of && & which is no longer "supported" >> > >Ok, now that & && etc. is no longer supported, what is the alternative >syntax? > > > I have simply changed the "& &&" to drop the "&&"..... makes the scripts work under 4.7. Best regards, Jack L. Stone, Administrator Sage American http://www.sage-american.com jacks@sage-american.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 14:20:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52E2437B401 for ; Thu, 14 Nov 2002 14:20:12 -0800 (PST) Received: from addu.axelero.hu (mail02.axelero.hu [195.228.240.77]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C2B043EAF for ; Thu, 14 Nov 2002 14:20:06 -0800 (PST) (envelope-from Gabor@Zahemszky.HU) Received: from Picasso.Zahemszky.HU (adsl-3-70.adsl-pool.axelero.hu [62.201.70.3]) by mail02.axelero.hu (iPlanet Messaging Server 5.1 HotFix 0.6 (built Apr 26 2002)) with ESMTP id <0H5L00GFD7DHOU@mail02.axelero.hu> for freebsd-security@freebsd.org; Thu, 14 Nov 2002 23:20:05 +0100 (MET) Received: from Picasso.Zahemszky.HU (localhost.Zahemszky.HU [127.0.0.1]) by Picasso.Zahemszky.HU (8.12.6/8.12.6) with ESMTP id gAEMPPmt009475 for ; Thu, 14 Nov 2002 23:25:25 +0100 
Received: (from zgabor@localhost) by Picasso.Zahemszky.HU (8.12.6/8.12.6/Submit) id gAEMPPxY009474 for freebsd-security@freebsd.org; Thu, 14 Nov 2002 23:25:25 +0100 (CET) Date: Thu, 14 Nov 2002 23:25:25 +0100 
From: Zahemszky Gábor Subject: Overwrite the base krb4 and krb5 with the port To: freebsd-security@freebsd.org Reply-To: Gabor@Zahemszky.HU Mail-Followup-To: Zahemszky Gábor , freebsd-security@freebsd.org Message-id: <20021114222525.GD824@Picasso.Zahemszky.HU> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.5.1i X-Operating-System: FreeBSD 4.7-STABLE Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! Is there any mechanism to overwrite the Kerberos 4 and Kerberos 5 version in the base system, with the one in the port tree-version? Something similar to the OPENSSL_OVERWRITE_BASE and OPENSSH_OVERWRITE_BASE defines? (It looks like somebody - not me - found a bug in the base krb5-conf version, which isn't in the port version.) Bye, Zahy < Gabor at Zahemszky dot HU > -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;for i { [[ $i = , ]]&&i=2;[[ $i = ?? 
]]||typeset -l i;j="$j $i";typeset +l i;};print "$j" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 14:27:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EDCE937B401 for ; Thu, 14 Nov 2002 14:27:43 -0800 (PST) Received: from obsecurity.dyndns.org (adsl-63-207-60-146.dsl.lsan03.pacbell.net [63.207.60.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 95CE943E91 for ; Thu, 14 Nov 2002 14:27:38 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 08E1B66D9C; Thu, 14 Nov 2002 14:27:38 -0800 (PST) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 5342A1238; Thu, 14 Nov 2002 14:30:14 -0800 (PST) Date: Thu, 14 Nov 2002 14:30:14 -0800 
From: Kris Kennaway To: "Andrew J. Korty" Cc: freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Message-ID: <20021114223013.GA11863@rot13.obsecurity.org> References: <20021114163327.GD23981@madman.nectar.cc> <20021114.161925.95516452.ishizuka@ish.org> <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> <5.1.1.6.0.20021114122014.067d0a68@marble.sentex.ca> <20021114122907.E36056@cthulu.compt.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="82I3+IH0IqGh5yIs" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --82I3+IH0IqGh5yIs Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Thu, Nov 14, 2002 at 01:24:04PM -0500, Andrew J. Korty wrote: > Why do the advisories use && at all? What's wrong with > "make depend all install"? This is not the same as 'make depend && make all install'. Your form won't use the newly built dependencies in the remaining targets; you need to use a separate invocation of make to use the right (newly-generated) dependency list. 
Kris --82I3+IH0IqGh5yIs Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (FreeBSD) iD8DBQE91CP1Wry0BWjoQKURAsT9AJ9/RlREgtlhKw78w8rHbHlMPsVv+QCg0xo7 AcNTNv2PaxnTd0UhDQHNK58= =P3GV -----END PGP SIGNATURE----- --82I3+IH0IqGh5yIs-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 14:29:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7910B37B401; Thu, 14 Nov 2002 14:29:26 -0800 (PST) Received: from obsecurity.dyndns.org (adsl-63-207-60-146.dsl.lsan03.pacbell.net [63.207.60.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id B349643EAA; Thu, 14 Nov 2002 14:29:25 -0800 (PST) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 9F9F066E2B; Thu, 14 Nov 2002 14:29:12 -0800 (PST) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 5C13F123F; Thu, 14 Nov 2002 14:31:23 -0800 (PST) Date: Thu, 14 Nov 2002 14:31:23 -0800 
From: Kris Kennaway To: "Jack L. Stone" Cc: Amit Rao , "Jacques A. Vidrine" , Masachika ISHIZUKA , security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind Message-ID: <20021114223111.GB11863@rot13.obsecurity.org> References: <3.0.5.32.20021114111020.0102afe0@sage-american.com> <20021114.161925.95516452.ishizuka@ish.org> <3.0.5.32.20021114111020.0102afe0@sage-american.com> <3.0.5.32.20021114152321.0102ac30@sage-american.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3.0.5.32.20021114152321.0102ac30@sage-american.com> User-Agent: Mutt/1.4i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 14, 2002 at 03:23:21PM -0600, Jack L. Stone wrote: > YES! That is what I meant....!! It is affecting some startup scripts for > things like MySQL for instance... Please submit a PR for these (after ensuring that you have up-to-date ports). Kris To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 14:35: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4DC2E37B404 for ; Thu, 14 Nov 2002 14:35:04 -0800 (PST) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5C8FB43F57 for ; Thu, 14 Nov 2002 14:34:57 -0800 (PST) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id D072338; Thu, 14 Nov 2002 16:34:52 -0600 (CST) Received: by madman.nectar.cc (Postfix, from userid 1001) id CB37E137BDD; Thu, 14 Nov 2002 16:34:51 -0600 (CST) Date: Thu, 14 Nov 2002 16:34:51 -0600 
From: "Jacques A. Vidrine" To: Zahemszky Gábor Cc: freebsd-security@freebsd.org Subject: Re: Overwrite the base krb4 and krb5 with the port Message-ID: <20021114223451.GU23981@madman.nectar.cc> Mail-Followup-To: "Jacques A. Vidrine" , Zahemszky Gábor , freebsd-security@freebsd.org References: <20021114222525.GD824@Picasso.Zahemszky.HU> Mime-Version: 1.0 Content-Type: text/plain; charset=euc-jp Content-Disposition: inline Content-Transfer-Encoding: 8bit In-Reply-To: <20021114222525.GD824@Picasso.Zahemszky.HU> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.1i-ja.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 14, 2002 at 11:25:25PM +0100, Zahemszky Gábor wrote: > Hi! > > Is there any mechanism to overwrite the Kerberos 4 and Kerberos 5 version > in the base system, with the one in the port tree-version? Something > similar to the OPENSSL_OVERWRITE_BASE and OPENSSH_OVERWRITE_BASE > defines? No, and this will not likely ever be supported in the port. > (It looks like somebody - not me - found a bug in the base krb5-conf version, > which isn't in the port version.) Can you expand on this? -- Jacques A. Vidrine http://www.celabo.org/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Thu Nov 14 16:21:20 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64C4437B401 for ; Thu, 14 Nov 2002 16:21:18 -0800 (PST) Received: from gil.axelero.hu (mail01.axelero.hu [195.228.240.76]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF86143E4A for ; Thu, 14 Nov 2002 16:21:16 -0800 (PST) (envelope-from Gabor@Zahemszky.HU) Received: from Picasso.Zahemszky.HU (adsl-3-70.adsl-pool.axelero.hu [62.201.70.3]) by mail01.axelero.hu (iPlanet Messaging Server 5.1 HotFix 0.9 (built May 30 2002)) with ESMTP id <0H5L00MA1CZ9KC@mail01.axelero.hu> for freebsd-security@freebsd.org; Fri, 15 Nov 2002 01:21:10 +0100 (MET) Received: from Picasso.Zahemszky.HU (localhost.Zahemszky.HU [127.0.0.1]) by Picasso.Zahemszky.HU (8.12.6/8.12.6) with ESMTP id gAF0QTmt019938 for ; Fri, 15 Nov 2002 01:26:29 +0100 Received: (from zgabor@localhost) by Picasso.Zahemszky.HU (8.12.6/8.12.6/Submit) id gAF0QTCQ019937 for freebsd-security@freebsd.org; Fri, 15 Nov 2002 01:26:29 +0100 (CET) Date: Fri, 15 Nov 2002 01:26:29 +0100 
From: Zahemszky Gábor Subject: Re: Overwrite the base krb4 and krb5 with the port In-reply-to: <20021114223451.GU23981@madman.nectar.cc> To: freebsd-security@freebsd.org Reply-To: Gabor@Zahemszky.HU Mail-Followup-To: Zahemszky Gábor , freebsd-security@freebsd.org Message-id: <20021115002629.GA19919@Picasso.Zahemszky.HU> MIME-version: 1.0 Content-type: text/plain; charset=us-ascii Content-transfer-encoding: 7BIT Content-disposition: inline User-Agent: Mutt/1.5.1i X-Operating-System: FreeBSD 4.7-STABLE References: <20021114222525.GD824@Picasso.Zahemszky.HU> <20021114223451.GU23981@madman.nectar.cc> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Nov 14, 2002 at 04:34:51PM -0600, Jacques A. Vidrine wrote: > On Thu, Nov 14, 2002 at 11:25:25PM +0100, Zahemszky Gábor wrote: > > Hi! > > > > Is there any mechanism to overwrite the Kerberos 4 and Kerberos 5 version > > in the base system, with the one in the port tree-version? Something > > similar to the OPENSSL_OVERWRITE_BASE and OPENSSH_OVERWRITE_BASE > > defines? > > No, and this will not likely ever be supported in the port. > > > (It looks like somebody - not me - found a bug in the base krb5-conf version, > > which isn't in the port version.) > > Can you expand on this? He wrote it, on 4.7R: root@freebsd:/usr/src# krb5-config --cflags -I/usr/include @INCLUDE_des@ (By the way, in a fresh cvsupped STABLE, I got only: root@freebsd:/usr/src# krb5-config --cflags -I/usr/include - so I think it was a bug on 4.7R.) Sorry. Zahy < Gabor at Zahemszky dot HU > -- #!/bin/ksh Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? 
]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"

From owner-freebsd-security Thu Nov 14 16:58:38 2002
Date: Fri, 15 Nov 2002 09:58:24 +0900 (JST)
Message-Id: <20021115.095824.74654806.ishizuka@ish.org>
To: security-advisories@FreeBSD.ORG, freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:43.bind
From: Masachika ISHIZUKA
In-Reply-To: <20021114163327.GD23981@madman.nectar.cc>
References: <200211140624.gAE6OXcA038916@freefall.freebsd.org> <20021114.161925.95516452.ishizuka@ish.org> <20021114163327.GD23981@madman.nectar.cc>

>> I cannot patch with above commands for 4.7-RELEASE.
>> The correct commands are as follows?
>>
>> # cd /usr/src
>> # patch < /path/to/patch
>> # cd /usr/src/lib/libisc
>> # make
>
> Rather:
> # make depend && make
> [snip]
> Thanks. | We will issue an updated advisory.

Thank you.

--
ishizuka@ish.org

From owner-freebsd-security Thu Nov 14 20:28: 4 2002
Date: Fri, 15 Nov 2002 13:27:48 +0900
From: takanyon
To: security@FreeBSD.ORG
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:41.smrsh
Message-Id: <20021115132158.939E.TAK@big.or.jp>

> -----BEGIN PGP SIGNED MESSAGE-----
>
> =============================================================================
> FreeBSD-SA-02:41.smrsh Security Advisory
> The FreeBSD Project

> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/sendmail
> # make depend && make && make install

Now, isn't smrsh installed?

# make install
install -c -s -o root -g smmsp -m 2555 sendmail /usr/libexec/sendmail
install -c -o root -g wheel -m 444 mailq.1.gz /usr/share/man/man1
install -c -o root -g wheel -m 444 newaliases.1.gz /usr/share/man/man1
install -c -o root -g wheel -m 444 aliases.5.gz /usr/share/man/man5
install -c -o root -g wheel -m 444 sendmail.8.gz /usr/share/man/man8

I performed it as follows.
# cd /usr/src/libexec/smrsh/
# make depend && make && make install
install -c -s -o root -g wheel -m 555 smrsh /usr/libexec
install -c -o root -g wheel -m 444 smrsh.8.gz /usr/share/man/man8

takanyon

From owner-freebsd-security Fri Nov 15 9:21:20 2002
Date: Fri, 15 Nov 2002 11:21:15 -0600
From: "Jacques A. Vidrine"
To: Zahemszky Gábor
Cc: freebsd-security@freebsd.org
Subject: Re: Overwrite the base krb4 and krb5 with the port
Message-ID: <20021115172115.GH66445@madman.nectar.cc>
References: <20021114222525.GD824@Picasso.Zahemszky.HU> <20021114223451.GU23981@madman.nectar.cc> <20021115002629.GA19919@Picasso.Zahemszky.HU>
In-Reply-To: <20021115002629.GA19919@Picasso.Zahemszky.HU>

On Fri, Nov 15, 2002 at 01:26:29AM +0100, Zahemszky Gábor wrote:
> On Thu, Nov 14, 2002 at 04:34:51PM -0600, Jacques A. Vidrine wrote:
> > On Thu, Nov 14, 2002 at 11:25:25PM +0100, Zahemszky Gábor wrote:
> > > Hi!
> > >
> > > Is there any mechanism to overwrite the Kerberos 4 and Kerberos 5 version
> > > in the base system, with the one in the port tree-version? Something
> > > similar to the OPENSSL_OVERWRITE_BASE and OPENSSH_OVERWRITE_BASE
> > > defines?
> >
> > No, and this will not likely ever be supported in the port.
> >
> > > (It looks like somebody - not me - found a bug in the base krb5-conf version,
> > > which isn't in the port version.)
> >
> > Can you expand on this?
>
> he wrote it, on 4.7R:
> root@freebsd:/usr/src# krb5-config --cflags
> -I/usr/include @INCLUDE_des@
>
> (By the way, in a fresh cvsupped STABLE, I got only:
> root@freebsd:/usr/src# krb5-config --cflags
> -I/usr/include
> - so I think it was a bug on 4.7R.)
>
> Sorry.

Thanks.
Yes, it is a bug, one that I apparently introduced 8 weeks ago
when I imported the last release of Heimdal. I will fix.
Was there a PR open for this?

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Fri Nov 15 9:24:22 2002
Date: Fri, 15 Nov 2002 11:24:12 -0600
From: "Jacques A. Vidrine"
To: takanyon
Cc: security@FreeBSD.ORG
Subject: Re: ANNOUNCE: FreeBSD Security Advisory FreeBSD-SA-02:41.smrsh
Message-ID: <20021115172412.GI66445@madman.nectar.cc>
References: <20021115132158.939E.TAK@big.or.jp>
In-Reply-To: <20021115132158.939E.TAK@big.or.jp>

On Fri, Nov 15, 2002 at 01:27:48PM +0900, takanyon wrote:
> >
> > -----BEGIN PGP SIGNED MESSAGE-----
> >
> > =============================================================================
> > FreeBSD-SA-02:41.smrsh Security Advisory
> > The FreeBSD Project
>
> > b) Execute the following commands as root:
> >
> > # cd /usr/src
> > # patch < /path/to/patch
> > # cd /usr/src/usr.sbin/sendmail
> > # make depend && make && make install
>
> Now, isn't smrsh installed?

I know :-( The advisory on the FTP server has the correct
instructions (or will... it may not have been mirrored from ftp-master
yet). The correct patch instructions are:

------
2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, FreeBSD
4.5, and FreeBSD 4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[For FreeBSD 4.6 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:41/smrsh.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:41/smrsh.patch.asc

[For FreeBSD 4.3, 4.4, and 4.5 systems]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:41/smrsh2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:41/smrsh2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

[The following two steps apply only to FreeBSD 4.6 systems.]
# cd /usr/src/lib/libsm
# make depend && make
# cd /usr/src/lib/libsmutil
# make depend && make

# cd /usr/src/libexec/smrsh
# make depend && make && make install
------

Cheers,
--
Jacques A. Vidrine http://www.celabo.org/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Fri Nov 15 22:13: 4 2002
Date: Sat, 16 Nov 2002 07:10:42 +0100
From: Zahemszky Gábor
Subject: Re: Overwrite the base krb4 and krb5 with the port
In-reply-to: <20021115172115.GH66445@madman.nectar.cc>
To: freebsd-security@freebsd.org
Cc: "Jacques A. Vidrine"
Message-id: <20021116061042.GB300@Picasso.Zahemszky.HU>
References: <20021114222525.GD824@Picasso.Zahemszky.HU> <20021114223451.GU23981@madman.nectar.cc> <20021115002629.GA19919@Picasso.Zahemszky.HU> <20021115172115.GH66445@madman.nectar.cc>

On Fri, Nov 15, 2002 at 11:21:15AM -0600, Jacques A. Vidrine wrote:
> On Fri, Nov 15, 2002 at 01:26:29AM +0100, Zahemszky Gábor wrote:
> > On Thu, Nov 14, 2002 at 04:34:51PM -0600, Jacques A. Vidrine wrote:
> > > On Thu, Nov 14, 2002 at 11:25:25PM +0100, Zahemszky Gábor wrote:
> > > > Hi!
> > > >
> > > > Is there any mechanism to overwrite the Kerberos 4 and Kerberos 5 version
> > > > in the base system, with the one in the port tree-version? Something
> > > > similar to the OPENSSL_OVERWRITE_BASE and OPENSSH_OVERWRITE_BASE
> > > > defines?
> > >
> > > No, and this will not likely ever be supported in the port.
> > >
> > > > (It looks like somebody - not me - found a bug in the base krb5-conf version,
> > > > which isn't in the port version.)
> > >
> > > Can you expand on this?
> >
> > he wrote it, on 4.7R:
> > root@freebsd:/usr/src# krb5-config --cflags
> > -I/usr/include @INCLUDE_des@
> >
> > (By the way, in a fresh cvsupped STABLE, I got only:
> > root@freebsd:/usr/src# krb5-config --cflags
> > -I/usr/include
> > - so I think it was a bug on 4.7R.)
> >
> > Sorry.
>
> Thanks.
> Yes, it is a bug, one that I apparently introduced 8 weeks ago
> when I imported the last release of Heimdal.
> I will fix. Was there a PR open for this?

No, please make it!

Zahy < Gabor at Zahemszky dot HU >

--
#!/bin/ksh
Z='21N16I25C25E30, 40M30E33E25T15U!' ;IFS=' ABCDEFGHIJKLMNOPQRSTUVWXYZ ';set $Z ;for i { [[ $i = ? ]]&&print $i&&break;[[ $i = ??? ]]&&j=$i&&i=${i%?};typeset -i40 i=8#$i;print -n ${i#???};[[ "$j" = ??? ]]&&print -n "${j#??} "&&j=;typeset +i i;};IFS=' 0123456789 ';set $Z;for i { [[ $i = , ]]&&i=2;[[ $i = ?? ]]||typeset -l i;j="$j $i";typeset +l i;};print "$j"

From owner-freebsd-security Sat Nov 16 7:31:24 2002
Date: Sat, 16 Nov 2002 16:31:25 +0100
From: Anders Nordby
To: security@FreeBSD.org
Subject: Limiting commands to run with SSH key authorization
Message-ID: <20021116153124.GA58620@totem.fix.no>

Howdy,

I just finished a Perl program to verify whether the program intended
for running through SSH with key based authorization:

a) has only valid characters.
b) matches an authorized_keys configurable regexp, if you want to be able
to run for example "rsync --server WHATNOT.

example authorized_keys:

command="/usr/local/bin/checksshcmd -c \"^rsync --server \"" 1024 35 XXXXX.. foo@barhost

If a and b are not satisfied, program intended to run will not.

I've attached the program. I'd be happy to receive feedback on the
security/usability of it, as you see it. Or if you have any improvements
you can think of..

Sometimes you may need to allow the user to have some variations on the
commands to use, this is an attempt to address that as opposed to just
using command= some command that runs a specific command only.

(Perl haters can go to /dev/null.)

Cheers,

--
Anders.

Content-Disposition: attachment; filename="checksshcmd.pl"

#! /usr/bin/perl -T
# anders@fix.no, 2002-11-13

# do not include dash to allow "-", it's hard-coded to be possible to use in
# the regexp (- is normally a range)
$okchars = "a-zA-Z/. ";

use Getopt::Std;
$ENV{PATH} = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin";
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

sub enotallowed
{
    print "Not allowed to run program.\n";
    exit 1;
}

getopts('c:');
$runcmd = $ENV{SSH_ORIGINAL_COMMAND};

if ($runcmd =~ /^([-$okchars]+)$/) {
    $runcmd = $1;
} else {
    enotallowed;
}

if ((defined $opt_c) && ($ENV{SSH_ORIGINAL_COMMAND} =~ /$opt_c/)) {
    exec($runcmd);
} else {
    enotallowed;
}

From owner-freebsd-security Sat Nov 16 10:29: 6 2002
Message-ID: <004301bcf2bd$5b170fb0$7c265250@w2k>
From: "Oleg Derevenetz"
References: <200211151351.gAFDppkR008448@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:41.smrsh [REVISED]
Date: Sun, 16 Nov 1997 21:27:53 +0300

> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libsm
> # make depend && make
> # cd /usr/src/lib/libsmutil
> # make depend && make
> # cd /usr/src/usr.sbin/sendmail
> # make depend && make && make install

But how about this:

# cd /usr/src/libexec/smrsh
# make depend && make && make install

?

From owner-freebsd-security Sat Nov 16 19:53:26 2002
Date: Sat, 16 Nov 2002 20:53:24 -0700
From: "David G. Andersen"
To: security@freebsd.org
Subject: Portmap localhost bind bug - commit fix?
Message-ID: <20021116205324.B4590@cs.utah.edu>

Would someone be willing to take a look at PR 30235, and perhaps
commit its patch, or the equivalent functionality?

At present, it's impossible to get portmap to bind to only localhost,
requiring that you use ipfw to filter it out if you want to use it for
local only services. This is due to a bug in the portmap interface
checking logic, and the PR above fixes this problem.

It's a very, very welcome feature for the security paranoid who
nevertheless need to run portmap.

I've been running the patch for a week or so on a number of machines,
and it's happy. (It's simple enough...). PR has been hanging around
since 2001.

Many thanks!

-Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.
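
The two checks Anders Nordby describes for checksshcmd earlier in this archive (a character allow-list and a per-key regexp applied to SSH_ORIGINAL_COMMAND), as an added Python example that is not his attachment and not code from the thread. It matches both checks against the whole command and execs an argument vector instead of a string; the names check_command, OK_CHARS and SAFE_PATH and the widened character set are assumptions of this example.

```python
import argparse
import os
import re
import sys

# Character allow-list, as in check (a) of the post. Digits and "_=," are
# added here (an assumption) so typical rsync option strings pass; no shell
# metacharacters, quotes, or newlines are accepted.
OK_CHARS = re.compile(r"[A-Za-z0-9/._=, -]+")

# Fixed search path for the exec, mirroring the post's $ENV{PATH} reset.
SAFE_PATH = "/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin"


def check_command(original, policy):
    """Return the argv list to exec, or None if the request is refused.

    original: value of SSH_ORIGINAL_COMMAND (None for an interactive login).
    policy:   regexp from the authorized_keys line; it must match the WHOLE
              command, so "rsync --server .*" is not satisfied by a command
              that merely contains that text somewhere.
    """
    if not original or not policy:
        return None
    # (a) every character must be on the allow-list; fullmatch also refuses
    # a trailing newline, which a "^...$" pattern would let through.
    if OK_CHARS.fullmatch(original) is None:
        return None
    # (b) the per-key policy regexp, anchored at both ends.
    try:
        if re.fullmatch(policy, original) is None:
            return None
    except re.error:
        return None  # a malformed policy refuses everything
    # Quotes are not on the allow-list, so whitespace splitting is exact and
    # no shell is needed to build the argument vector.
    argv = original.split()
    return argv or None


def main():
    parser = argparse.ArgumentParser()
    parser.add_argument("-c", dest="policy", required=True)
    args = parser.parse_args()
    argv = check_command(os.environ.get("SSH_ORIGINAL_COMMAND"), args.policy)
    if argv is None:
        print("Not allowed to run program.")
        return 1
    # Replace this process with the command; argv goes to execvpe directly
    # and the program is looked up on SAFE_PATH only.
    os.execvpe(argv[0], argv, {"PATH": SAFE_PATH})


if __name__ == "__main__":
    sys.exit(main())
```

It is wired into authorized_keys the same way as in the post, with command= pointing at wherever the script is installed and the policy passed via -c.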