From owner-freebsd-security@FreeBSD.ORG Sun Jul 28 09:03:45 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 2DE17C65 for ; Sun, 28 Jul 2013 09:03:45 +0000 (UTC) (envelope-from kpaasial@gmail.com) Received: from mail-qe0-x233.google.com (mail-qe0-x233.google.com [IPv6:2607:f8b0:400d:c02::233]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E5DC925E9 for ; Sun, 28 Jul 2013 09:03:44 +0000 (UTC) Received: by mail-qe0-f51.google.com with SMTP id nd7so730810qeb.24 for ; Sun, 28 Jul 2013 02:03:43 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :content-type; bh=qOddO7CrKRJ+V9spUsyyoOSXeN5FnL5CgN5zIDGit0c=; b=gSZtmA3YnWpwjxvGjjmQD5oAL7Wbyx/XGShdkFHyO9Jol7l7UwqkcQN7j1Tl1myKqz XWLKaiNQsdiwstDEC47s+kHpmcQRgSKeeqK6t4tpHMQzjMRVTsrIrqStsbYXeI+GsTA+ NRah6PwblFUl/M4OitO5hk5m6FKH5kNR2jQi3bJOtAG5qpu26/mzcQsTbyl8ERp9I3SV SpigqdujVt5cjrCmbL0tUZ8e/RZBaetfHG/n9FwcBKty4z5RBQIxIH44tgIr8UjFu212 fhu/poKHszsoot1VSN9dfTaTepj34XTHDUE/+b9msJopoKoMeMG/NII7/6sD7aHqZPt2 SREA== MIME-Version: 1.0 X-Received: by 10.224.19.198 with SMTP id c6mr38923304qab.2.1375002223351; Sun, 28 Jul 2013 02:03:43 -0700 (PDT) Received: by 10.224.78.194 with HTTP; Sun, 28 Jul 2013 02:03:43 -0700 (PDT) In-Reply-To: <20130727210809.GA70513@lonrach.local> References: <20130726230549.GB64252@lonrach.local> <20130727085458.GB68862@lonrach.local> <46029EF7-D574-4953-AE8D-4BA79F5295BB@plosh.net> <20130727210809.GA70513@lonrach.local> Date: Sun, 28 Jul 2013 12:03:43 +0300 Message-ID: Subject: Re: bind9 and CVE-2013-4854 From: Kimmo Paasiala To: freebsd-security Content-Type: text/plain; charset=UTF-8 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 28 Jul 2013 09:03:45 -0000 A question related to this: What is it that prevents BIND from being removed from the base when there are very well working ports of BIND already that are far easier to update when vulnerabilities are found. Is it the dig(1), host(1) and nslookup(1) utilities? -Kimmo From owner-freebsd-security@FreeBSD.ORG Mon Jul 29 10:09:04 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 3F3E3D2 for ; Mon, 29 Jul 2013 10:09:04 +0000 (UTC) (envelope-from lars@e-new.0x20.net) Received: from mail.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id F0F152B2B for ; Mon, 29 Jul 2013 10:09:03 +0000 (UTC) Received: from e-new.0x20.net (mail.0x20.net [IPv6:2001:aa8:fffb:1::3]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mail.0x20.net (Postfix) with ESMTPS id 946366A6000; Mon, 29 Jul 2013 12:09:02 +0200 (CEST) Received: from e-new.0x20.net (localhost [127.0.0.1]) by e-new.0x20.net (8.14.7/8.14.7) with ESMTP id r6TA92C9018092; Mon, 29 Jul 2013 12:09:02 +0200 (CEST) (envelope-from lars@e-new.0x20.net) Received: (from lars@localhost) by e-new.0x20.net (8.14.7/8.14.7/Submit) id r6TA92UL016931; Mon, 29 Jul 2013 12:09:02 +0200 (CEST) (envelope-from lars) Date: Mon, 29 Jul 2013 12:09:02 +0200 From: Lars Engels To: Kimmo Paasiala Subject: Re: bind9 and CVE-2013-4854 Message-ID: <20130729100902.GM59101@e-new.0x20.net> References: <20130726230549.GB64252@lonrach.local> <20130727085458.GB68862@lonrach.local> <46029EF7-D574-4953-AE8D-4BA79F5295BB@plosh.net> <20130727210809.GA70513@lonrach.local> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="oJoa/b7Rsqp4yzB0" Content-Disposition: inline In-Reply-To: X-Editor: VIM - Vi IMproved 7.3 X-Operation-System: FreeBSD 8.4-RELEASE User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Mon, 29 Jul 2013 11:37:35 +0000 Cc: freebsd-security X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Jul 2013 10:09:04 -0000 --oJoa/b7Rsqp4yzB0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Jul 28, 2013 at 12:03:43PM +0300, Kimmo Paasiala wrote: > A question related to this: >=20 > What is it that prevents BIND from being removed from the base when > there are very well working ports of BIND already that are far easier > to update when vulnerabilities are found. Is it the dig(1), host(1) > and nslookup(1) utilities? Yes. --oJoa/b7Rsqp4yzB0 Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.20 (FreeBSD) iEYEARECAAYFAlH2Pz4ACgkQKc512sD3afgNUgCgmGUvFJuJbYdWiG1On3KIoZDS tEEAn1Kqi1aOWxwvQBLZ2OOhhVHnjqZd =D/1Y -----END PGP SIGNATURE----- --oJoa/b7Rsqp4yzB0-- From owner-freebsd-security@FreeBSD.ORG Tue Jul 30 09:01:19 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 4AE75EB0 for ; Tue, 30 Jul 2013 09:01:19 +0000 (UTC) (envelope-from erwin@mail.droso.net) Received: from mail.droso.net (koala.droso.dk [213.239.220.246]) (using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 0C8112E99 for ; Tue, 30 Jul 2013 09:01:18 +0000 (UTC) Received: by mail.droso.net (Postfix, from userid 1001) id 34DD0820E; Tue, 30 Jul 2013 11:01:16 +0200 (CEST) Date: Tue, 30 Jul 2013 11:01:16 +0200 From: Erwin Lansing To: Peter Losher Subject: Re: bind9 and CVE-2013-4854 Message-ID: <20130730090115.GK84587@droso.dk> References: <20130726230549.GB64252@lonrach.local> <20130727085458.GB68862@lonrach.local> <46029EF7-D574-4953-AE8D-4BA79F5295BB@plosh.net> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <46029EF7-D574-4953-AE8D-4BA79F5295BB@plosh.net> X-Operating-System: FreeBSD/amd64 9.1-RELEASE User-Agent: Mutt/1.5.21 (2010-09-15) X-Mailman-Approved-At: Tue, 30 Jul 2013 11:27:27 +0000 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Jul 2013 09:01:19 -0000 On Sat, Jul 27, 2013 at 11:06:09AM -0700, Peter Losher wrote: > On 27 Jul 2013, at 1:54, Ollivier Robert wrote: > > > According to Mark Boolootian: > >> Thank you very much for that. Does this include the RRL/RPZ patches? > > > > The -P1 patch seems to apply and run on the -P2 version (security > > patch is very isolated to one line). > > Note that this week ISC have announced going forward that RRL will be > integrated into the mainline BIND releases. > > Re: > http://www.isc.org/blogs/isc-adds-ddos-defense-module-to-bind-software/ > > So the need for patches for RRL will be a moot point soon??? ;) > That's good news indeed, thanks for the pointer Peter. Erwin -- Erwin Lansing (o_ _o) http://droso.dk \\\_\ /_/// erwin@lansing.dk <____) (____> From owner-freebsd-security@FreeBSD.ORG Tue Jul 30 12:01:31 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id A7112B2E for ; Tue, 30 Jul 2013 12:01:31 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (wollman-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:ccb::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 61E8A2C53 for ; Tue, 30 Jul 2013 12:01:31 +0000 (UTC) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.5/8.14.5) with ESMTP id r6UC1TSv027647 for ; Tue, 30 Jul 2013 08:01:29 -0400 (EDT) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.5/8.14.4/Submit) id r6UC1TM8027644; Tue, 30 Jul 2013 08:01:29 -0400 (EDT) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <20983.43801.355884.938326@hergotha.csail.mit.edu> Date: Tue, 30 Jul 2013 08:01:29 -0400 From: Garrett Wollman To: freebsd-security@freebsd.org Subject: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (hergotha.csail.mit.edu [127.0.0.1]); Tue, 30 Jul 2013 08:01:29 -0400 (EDT) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on hergotha.csail.mit.edu X-Mailman-Approved-At: Tue, 30 Jul 2013 12:07:30 +0000 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Jul 2013 12:01:31 -0000 Am I the only person to be seeing this log message from sshd: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] ? (security/openssh-portable, with HPN patches and MIT Kerberos, although Kerberos is not actually configured on this server.) A work-around is to disable aes128-cbc in sshd_config, but it would be nice not to have my logs spammed with this. Currently running openssh-portable-6.2.p2_3,1, and I think it started with upgrade to 6.2. -GAWollman From owner-freebsd-security@FreeBSD.ORG Tue Jul 30 12:38:22 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id 4E484E61 for ; Tue, 30 Jul 2013 12:38:22 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1-6.sentex.ca [IPv6:2607:f3e0:0:1::12]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 1A2C22E93 for ; Tue, 30 Jul 2013 12:38:22 +0000 (UTC) Received: from [192.168.43.26] (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.14.5/8.14.5) with ESMTP id r6UCcIt7028152; Tue, 30 Jul 2013 08:38:19 -0400 (EDT) (envelope-from mike@sentex.net) Message-ID: <51F7B3AD.1060703@sentex.net> Date: Tue, 30 Jul 2013 08:38:05 -0400 From: Mike Tancsa Organization: Sentex Communications User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20120428 Thunderbird/12.0.1 MIME-Version: 1.0 To: Garrett Wollman Subject: Re: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] References: <20983.43801.355884.938326@hergotha.csail.mit.edu> In-Reply-To: <20983.43801.355884.938326@hergotha.csail.mit.edu> X-Enigmail-Version: 1.4.2 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.72 on 64.7.153.18 Cc: freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Jul 2013 12:38:22 -0000 On 7/30/2013 8:01 AM, Garrett Wollman wrote: > Am I the only person to be seeing this log message from sshd: > > fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] > nice not to have my logs spammed with this. Currently running > openssh-portable-6.2.p2_3,1, and I think it started with upgrade to > 6.2. There is an open PR which can be closed now at http://www.freebsd.org/cgi/query-pr.cgi?pr=171809 which points to http://lists.freebsd.org/pipermail/svn-src-head/2013-May/047921.html Change the default in /etc/ssh/sshd_config to UsePrivilegeSeparation yes as it sounds like you have hardware crypto on the box and you are using UsePrivilegeSeparation sandbox which is broken ---Mike -- ------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ From owner-freebsd-security@FreeBSD.ORG Tue Jul 30 12:57:53 2013 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTP id D03B0E79; Tue, 30 Jul 2013 12:57:53 +0000 (UTC) (envelope-from wollman@hergotha.csail.mit.edu) Received: from hergotha.csail.mit.edu (wollman-1-pt.tunnel.tserv4.nyc4.ipv6.he.net [IPv6:2001:470:1f06:ccb::2]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 8D429212E; Tue, 30 Jul 2013 12:57:53 +0000 (UTC) Received: from hergotha.csail.mit.edu (localhost [127.0.0.1]) by hergotha.csail.mit.edu (8.14.5/8.14.5) with ESMTP id r6UCvo2H028380; Tue, 30 Jul 2013 08:57:51 -0400 (EDT) (envelope-from wollman@hergotha.csail.mit.edu) Received: (from wollman@localhost) by hergotha.csail.mit.edu (8.14.5/8.14.4/Submit) id r6UCvoMC028377; Tue, 30 Jul 2013 08:57:50 -0400 (EDT) (envelope-from wollman) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <20983.47182.194861.736615@hergotha.csail.mit.edu> Date: Tue, 30 Jul 2013 08:57:50 -0400 From: Garrett Wollman To: Mike Tancsa Subject: Re: fatal: cipher_init: EVP_CipherInit: set key failed for aes128-cbc [preauth] In-Reply-To: <51F7B3AD.1060703@sentex.net> References: <20983.43801.355884.938326@hergotha.csail.mit.edu> <51F7B3AD.1060703@sentex.net> X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.4.3 (hergotha.csail.mit.edu [127.0.0.1]); Tue, 30 Jul 2013 08:57:51 -0400 (EDT) X-Spam-Status: No, score=-1.0 required=5.0 tests=ALL_TRUSTED autolearn=disabled version=3.3.2 X-Spam-Checker-Version: SpamAssassin 3.3.2 (2011-06-06) on hergotha.csail.mit.edu X-Mailman-Approved-At: Tue, 30 Jul 2013 15:22:42 +0000 Cc: freebsd-security@freebsd.org, bdrewery@freebsd.org X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Jul 2013 12:57:53 -0000 [Cc added, bdrewery@ who is the maintainer of security/openssh-portable] < said: > http://lists.freebsd.org/pipermail/svn-src-head/2013-May/047921.html > Change the default in /etc/ssh/sshd_config to No /etc/ssh here; this is ports openssh, not base (which doesn't exist in my world). > UsePrivilegeSeparation yes > as it sounds like you have hardware crypto on the box and you are using > UsePrivilegeSeparation sandbox > which is broken However, this fix does work (in /usr/local/etc/ssh/sshd_config). Apparently security/openssh-portable needs a fix similar to the base system head/crypto/openssh r251088. -GAWollman