From owner-freebsd-security@FreeBSD.ORG Mon Jul 24 09:29:46 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A378F16A4DF; Mon, 24 Jul 2006 09:29:46 +0000 (UTC) (envelope-from harald@clef.at) Received: from stud3.tuwien.ac.at (stud3.tuwien.ac.at [193.170.75.13]) by mx1.FreeBSD.org (Postfix) with ESMTP id B0C9643D46; Mon, 24 Jul 2006 09:29:45 +0000 (GMT) (envelope-from harald@clef.at) Received: from bluedaemon.clef.test (v209-200.vps.tuwien.ac.at [128.131.209.200]) by stud3.tuwien.ac.at (8.9.3 (PHNE_29774)/8.9.3) with ESMTP id LAA05207; Mon, 24 Jul 2006 11:29:43 +0200 (METDST) To: "Simon L. Nielsen" References: <44B7715E.8050906@suutari.iki.fi> <20060714154729.GA8616@psconsult.nl> <44B7D8B8.3090403@suutari.iki.fi> <20060716182315.GC3240@insomnia.benzedrine.cx> <20060717122127.GC1087@zaphod.nitro.dk> From: Harald Muehlboeck Date: Mon, 24 Jul 2006 11:32:36 +0200 Message-ID: <86wta3e4az.fsf@tuha.clef.at> User-Agent: Gnus/5.1006 (Gnus v5.10.6) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailman-Approved-At: Mon, 24 Jul 2006 11:43:26 +0000 Cc: freebsd-security@freebsd.org, freebsd-pf@freebsd.org Subject: Re: Any ongoing effort to port /etc/rc.d/pf_boot, /etc/pf.boot.conf from NetBSD ? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Jul 2006 09:29:46 -0000 Simon L. Nielsen writes: > On 2006.07.16 20:23:15 +0200, Daniel Hartmeier wrote: > >> The "hole" being discussed is the time, during boot, before pf is fully >> functional with the production ruleset. For a comparatively long time, >> the pf module isn't even loaded yet. >> >> So, you first need to check the boot sequence for >> >> - interfaces being brought up before pf is loaded >> - addresses assigned to those interfaces >> - daemons starting and listening on those addresses >> - route table getting set up >> - IP forwarding getting enabled >> - etc. > > Since nobody else seems to have actually done this, I took a look at > FreeBSD's rcorder (on my -CURRENT laptop) and actually I don't really > see a hole. Most importantly pf is enabled before routing. > # rcorder -s nostart /etc/rc.d/* [...] > /etc/rc.d/ipfilter > [...] > /etc/rc.d/sysctl [...] > /etc/rc.d/pf > /etc/rc.d/routing > [...] But net.inet.ip.forwarding=1 can also be set in sysctl.conf(5), as well as many other options like bridging, ... (I don't know if it is usual to do so) From owner-freebsd-security@FreeBSD.ORG Fri Jul 28 05:03:46 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0115816A4DE; Fri, 28 Jul 2006 05:03:46 +0000 (UTC) (envelope-from freebsd@auscert.org.au) Received: from titania.auscert.org.au (gw.auscert.org.au [203.5.112.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 58A0743D45; Fri, 28 Jul 2006 05:03:44 +0000 (GMT) (envelope-from freebsd@auscert.org.au) Received: from app.auscert.org.au (app [10.0.1.192]) by titania.auscert.org.au (8.12.10/8.12.10) with ESMTP id k6S53huE011908; Fri, 28 Jul 2006 15:03:43 +1000 (EST) Received: from app.auscert.org.au (localhost.auscert.org.au [127.0.0.1]) by app.auscert.org.au (8.13.1/8.13.1) with ESMTP id k6S53hmW007056; Fri, 28 Jul 2006 15:03:43 +1000 (EST) (envelope-from freebsd@auscert.org.au) Message-Id: <200607280503.k6S53hmW007056@app.auscert.org.au> To: ports@freebsd.org from: Joel Hatton Date: Fri, 28 Jul 2006 15:03:43 +1000 X-Mailman-Approved-At: Fri, 28 Jul 2006 05:45:00 +0000 Cc: freebsd-security@freebsd.org Subject: Ruby vulnerability? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 28 Jul 2006 05:03:46 -0000 Hi, FYI, Red Hat released an advisory today about a vulnerability in Ruby. So far it doesn't appear in the VuXML, but am I correct in presuming it will soon? https://rhn.redhat.com/errata/RHSA-2006-0604.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694 cheers, -- Joel Hatton -- Infrastructure Manager | Hotline: +61 7 3365 4417 AusCERT - Australia's national CERT | Fax: +61 7 3365 7031 The University of Queensland | WWW: www.auscert.org.au Qld 4072 Australia | Email: auscert@auscert.org.au From owner-freebsd-security@FreeBSD.ORG Sat Jul 29 17:25:26 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71BBE16A4DE; Sat, 29 Jul 2006 17:25:26 +0000 (UTC) (envelope-from sem@FreeBSD.org) Received: from mail.ciam.ru (ns.ciam.ru [213.247.195.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id ECB5643D60; Sat, 29 Jul 2006 17:25:25 +0000 (GMT) (envelope-from sem@FreeBSD.org) Received: from [87.240.16.199] (helo=[192.168.0.4]) by mail.ciam.ru with esmtpa (Exim 4.x) id 1G6sZ1-0001U7-AX; Sat, 29 Jul 2006 21:25:23 +0400 Message-ID: <44CB99E4.2080708@FreeBSD.org> Date: Sat, 29 Jul 2006 21:24:52 +0400 From: Sergey Matveychuk User-Agent: Thunderbird 1.5.0.2 (X11/20060429) MIME-Version: 1.0 To: Shaun Amott References: <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> In-Reply-To: <20060729163453.GA89895@picobyte.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Joel Hatton , ports@freebsd.org, freebsd-security@freebsd.org Subject: Re: Ruby vulnerability? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2006 17:25:26 -0000 Shaun Amott wrote: > On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote: >> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So >> far it doesn't appear in the VuXML, but am I correct in presuming it will >> soon? >> > > I've added it; thanks for the report. > Can we get patches somewhere? I can't find any. -- Dixi. Sem. From owner-freebsd-security@FreeBSD.ORG Sat Jul 29 16:34:58 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB5F216A4E1; Sat, 29 Jul 2006 16:34:58 +0000 (UTC) (envelope-from shaun@FreeBSD.org) Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124]) by mx1.FreeBSD.org (Postfix) with SMTP id A264443D5A; Sat, 29 Jul 2006 16:34:57 +0000 (GMT) (envelope-from shaun@FreeBSD.org) Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03]) by dione.picobyte.net (Postfix) with ESMTP; Sat, 29 Jul 2006 17:34:53 +0100 (BST) Date: Sat, 29 Jul 2006 17:34:53 +0100 From: Shaun Amott To: Joel Hatton Message-ID: <20060729163453.GA89895@picobyte.net> References: <200607280503.k6S53hmW007056@app.auscert.org.au> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <200607280503.k6S53hmW007056@app.auscert.org.au> User-Agent: Mutt/1.5.11 (FreeBSD i386) X-Mailman-Approved-At: Sat, 29 Jul 2006 19:30:29 +0000 Cc: ports@freebsd.org, freebsd-security@freebsd.org Subject: Re: Ruby vulnerability? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2006 16:34:58 -0000 On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote: > > FYI, Red Hat released an advisory today about a vulnerability in Ruby. So > far it doesn't appear in the VuXML, but am I correct in presuming it will > soon? > I've added it; thanks for the report. -- Shaun Amott [ PGP: 0x6B387A9A ] Scientia Est Potentia. From owner-freebsd-security@FreeBSD.ORG Sat Jul 29 18:09:07 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1FAA16A4DA; Sat, 29 Jul 2006 18:09:07 +0000 (UTC) (envelope-from shaun@FreeBSD.org) Received: from dione.picobyte.net (host-212-158-207-124.bulldogdsl.com [212.158.207.124]) by mx1.FreeBSD.org (Postfix) with SMTP id A95DF43D53; Sat, 29 Jul 2006 18:09:06 +0000 (GMT) (envelope-from shaun@FreeBSD.org) Received: from charon.picobyte.net (charon.picobyte.net [IPv6:2001:4bd0:201e::fe03]) by dione.picobyte.net (Postfix) with ESMTP; Sat, 29 Jul 2006 19:09:05 +0100 (BST) Date: Sat, 29 Jul 2006 19:09:05 +0100 From: Shaun Amott To: Remko Lodder Message-ID: <20060729180904.GA90113@picobyte.net> References: <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> <44CB99E4.2080708@FreeBSD.org> <44CBA0C8.3080605@FreeBSD.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Disposition: inline In-Reply-To: <44CBA0C8.3080605@FreeBSD.org> User-Agent: Mutt/1.5.11 (FreeBSD i386) X-Mailman-Approved-At: Sat, 29 Jul 2006 19:31:59 +0000 Cc: Joel Hatton , ports@freebsd.org, freebsd-security@freebsd.org, Sergey Matveychuk Subject: Re: Ruby vulnerability? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2006 18:09:07 -0000 On Sat, Jul 29, 2006 at 07:54:16PM +0200, Remko Lodder wrote: > > Sergey Matveychuk wrote: > >Shaun Amott wrote: > >>On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote: > >>>FYI, Red Hat released an advisory today about a vulnerability in Ruby. So > >>>far it doesn't appear in the VuXML, but am I correct in presuming it will > >>>soon? > >>> > >>I've added it; thanks for the report. > >> > > > >Can we get patches somewhere? I can't find any. > > > > It is said that the patches are available through the CVSweb > but all the information I could fine was in japanese, which is > a bit difficult to read for me (read: i do not speak nor read > japanese at all). The CVE report seemed to imply that there was a fix in 1.8.5, which I assumed had therefore been released. But it seems this isn't the case. The Ruby folks say they don't publish advisories until there is a fix ready; and there is no mention of this vulnerability on the website. -- Shaun Amott [ PGP: 0x6B387A9A ] Scientia Est Potentia. From owner-freebsd-security@FreeBSD.ORG Sat Jul 29 17:54:17 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F3BB16A4E0; Sat, 29 Jul 2006 17:54:17 +0000 (UTC) (envelope-from remko@freebsd.org) Received: from caelis.elvandar.org (caelis.elvandar.org [217.148.169.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id E928043D45; Sat, 29 Jul 2006 17:54:16 +0000 (GMT) (envelope-from remko@freebsd.org) Received: from localhost (caelis.elvandar.org [217.148.169.59]) by caelis.elvandar.org (Postfix) with ESMTP id 0865992FEA5; Sat, 29 Jul 2006 19:54:16 +0200 (CEST) Received: from caelis.elvandar.org ([217.148.169.59]) by localhost (caelis.elvandar.org [217.148.169.59]) (amavisd-new, port 10024) with ESMTP id 38429-04; Sat, 29 Jul 2006 19:54:15 +0200 (CEST) Message-ID: <44CBA0C8.3080605@FreeBSD.org> Date: Sat, 29 Jul 2006 19:54:16 +0200 From: Remko Lodder User-Agent: Thunderbird 1.5.0.5 (Macintosh/20060719) MIME-Version: 1.0 To: Sergey Matveychuk References: <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> <44CB99E4.2080708@FreeBSD.org> In-Reply-To: <44CB99E4.2080708@FreeBSD.org> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Virus-Scanned: by the elvandar.org maildomain X-Mailman-Approved-At: Sat, 29 Jul 2006 19:35:36 +0000 Cc: Joel Hatton , ports@freebsd.org, freebsd-security@freebsd.org, Shaun Amott Subject: Re: Ruby vulnerability? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: remko@FreeBSD.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2006 17:54:17 -0000 Sergey Matveychuk wrote: > Shaun Amott wrote: >> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote: >>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So >>> far it doesn't appear in the VuXML, but am I correct in presuming it will >>> soon? >>> >> I've added it; thanks for the report. >> > > Can we get patches somewhere? I can't find any. > It is said that the patches are available through the CVSweb but all the information I could fine was in japanese, which is a bit difficult to read for me (read: i do not speak nor read japanese at all). We might have a shot on how different vendors resolved this issue and generate patches from that.. -- Kind regards, Remko Lodder ** remko@elvandar.org FreeBSD ** remko@FreeBSD.org /* Quis custodiet ipsos custodes */ From owner-freebsd-security@FreeBSD.ORG Sat Jul 29 19:50:22 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4155116A4DE; Sat, 29 Jul 2006 19:50:22 +0000 (UTC) (envelope-from sem@FreeBSD.org) Received: from mail.ciam.ru (ns.ciam.ru [213.247.195.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id CD35F43D5D; Sat, 29 Jul 2006 19:50:21 +0000 (GMT) (envelope-from sem@FreeBSD.org) Received: from [87.240.16.199] (helo=[192.168.0.4]) by mail.ciam.ru with esmtpa (Exim 4.x) id 1G6upH-0003f7-Hs; Sat, 29 Jul 2006 23:50:19 +0400 Message-ID: <44CBBBDC.70409@FreeBSD.org> Date: Sat, 29 Jul 2006 23:49:48 +0400 From: Sergey Matveychuk User-Agent: Thunderbird 1.5.0.2 (X11/20060429) MIME-Version: 1.0 To: Shaun Amott References: <200607280503.k6S53hmW007056@app.auscert.org.au> <20060729163453.GA89895@picobyte.net> <44CB99E4.2080708@FreeBSD.org> <44CBA0C8.3080605@FreeBSD.org> <20060729180904.GA90113@picobyte.net> In-Reply-To: <20060729180904.GA90113@picobyte.net> Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: Joel Hatton , ports@freebsd.org, Remko Lodder , freebsd-security@freebsd.org Subject: Re: Ruby vulnerability? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 29 Jul 2006 19:50:22 -0000 Shaun Amott wrote: > On Sat, Jul 29, 2006 at 07:54:16PM +0200, Remko Lodder wrote: >> Sergey Matveychuk wrote: >>> Shaun Amott wrote: >>>> On Fri, Jul 28, 2006 at 03:03:43PM +1000, Joel Hatton wrote: >>>>> FYI, Red Hat released an advisory today about a vulnerability in Ruby. So >>>>> far it doesn't appear in the VuXML, but am I correct in presuming it will >>>>> soon? >>>>> >>>> I've added it; thanks for the report. >>>> >>> Can we get patches somewhere? I can't find any. >>> >> It is said that the patches are available through the CVSweb >> but all the information I could fine was in japanese, which is >> a bit difficult to read for me (read: i do not speak nor read >> japanese at all). > > The CVE report seemed to imply that there was a fix in 1.8.5, which I > assumed had therefore been released. But it seems this isn't the case. > > The Ruby folks say they don't publish advisories until there is a fix > ready; and there is no mention of this vulnerability on the website. > CVE report is very unpleasant: "Multiple unspecified vulnerabilities". Secunia has more professional report. RedHat is only vendor who released updates, but they are binary. So, there is no known fix now. I hope ruby team will release 1.8.5 ASAP. -- Dixi. Sem.