From owner-freebsd-security@FreeBSD.ORG Sun Jan 13 21:58:58 2008
Delivered-To: freebsd-security@freebsd.org
From: Jordi Espasa Clofent
To: freebsd-security@freebsd.org
Date: Sun, 13 Jan 2008 22:38:37 +0100
Subject: Anti-Rootkit app
Message-ID: <478A84DD.3040205@opengea.org>
User-Agent: Thunderbird 2.0.0.6 (X11/20071022)
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues [members-only posting]"
X-List-Received-Date: Sun, 13 Jan 2008 21:58:58 -0000

Hi all,

I need to install an anti-rootkit in a lot of servers.
I know that there're several options: tripwire, aide, chkrootkit...

What do you prefer?

Obviously, I have to define my needs:

- easy setup and configuration
- actively developed

--
Thanks,
Jordi Espasa Clofent

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 10:15:14 2008
From: "Rob Gallagher"
To: "Jordi Espasa Clofent"
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Jan 2008 10:15:12 +0000
Subject: Re: Anti-Rootkit app
Message-ID: <1d7a7b9d0801140215j2073fe4dr3d7da4c304160c0a@mail.gmail.com>
In-Reply-To: <478A84DD.3040205@opengea.org>
References: <478A84DD.3040205@opengea.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Jordi,

On 13/01/2008, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed
>

I've used Integrit (http://integrit.sourceforge.net) on quite a number
of machines. It's very easy to setup and get going quickly. There is a
port, but it doesn't seem to have been updated to the latest version
(4.1) yet.

rg

- --
rob.gallagher (at) gmail.com || www.spoofedpacket.net || PK: 0x1DD13A78

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: http://firegpg.tuxfamily.org

iD8DBQFHizYviSgypR3ROngRAgUSAKCZPgDK1On4b8KC3t3YpwfXPDPXUQCeK1n+
bT71FIRYOwrux52TBs0sk50=
=TKd2
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 15:07:27 2008
From: Raffaele De Lorenzo
To: freebsd-hackers@freebsd.org, freebsd-net@freebsd.org, freebsd-security@freebsd.org, freebsd-arch@freebsd.org
Cc: "raffaele.delorenzo"
Date: Mon, 14 Jan 2008 16:07:18 +0100
Subject: Added native socks support to libc in FreeBSD 7
Message-ID: <478B7AA6.9010304@libero.it>

Upgrade:

1) Added IPv6 Support (need to be tested)

Cheers
Raffaele

Hi,

I added a native (client) Socks V4/V5 support inside the FreeBSD libc
library. The work is based on my project (see http://csocks.altervista.org)
CSOCKS.
You can get it here:
http://csocks.altervista.org/download/FreeBSD_libc.tar.gz

CHANGES:

I changed the file:
  /usr/src/lib/libc/Makefile

I added the directory:
  /usr/src/lib/libc/socks

It contains the files:
  csocks.c
  csocks.h
  csocks.conf.5
  csocks.1
  Makefile.inc

I added the configuration file (csocks.conf in the /etc/ directory):
  /usr/src/etc/

INSTALL INSTRUCTIONS:

  copy the Makefile in /usr/src/lib/libc/
  copy the directory socks in /usr/src/lib/libc/
  touch /etc/csocks.conf
  recompile the libc and install it (cd /usr/src/lib/libc && make && make install)

I tested it in FreeBSD 7 only on i386.

Cheers
Raffaele

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 18:36:49 2008
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Jan 2008 19:21:12 +0100
Subject: Re: Anti-Rootkit app
Message-ID: <478BA818.2090103@quip.cz>
In-Reply-To: <478A84DD.3040205@opengea.org>
References: <478A84DD.3040205@opengea.org>

Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

I am using security/rkhunter from ports. It is really easy to setup and
configure. I have some local scripts for periodic reports which I plan to
submit in to the PR database.

Miroslav Lachman

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 19:48:06 2008
From: Dan Lukes
To: freebsd security
Date: Mon, 14 Jan 2008 20:11:22 +0100
Message-ID: <478BB3DA.5070302@obluda.cz>
In-Reply-To: <478BA818.2090103@quip.cz>
References: <478A84DD.3040205@opengea.org> <478BA818.2090103@quip.cz>
Subject: Re: Anti-Rootkit app

>> I need to install an anti-rootkit

If I understand correctly, an intruder needs to be superuser to be able
to install a rootkit.

If our intruders have superuser privileges, they can tamper with any
anti-rootkit.

Is the main reason to install an anti-rootkit that we count on the intruders
being too dumb to look for one of the ports' anti-rootkit packages before
they do their dirty work?

Or am I missing something important?

Dan

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 20:33:53 2008
From: Klaus Steden
To: Dan Lukes, freebsd security
Date: Mon, 14 Jan 2008 12:00:39 -0800
Subject: Re: Anti-Rootkit app
Thread-Topic: Anti-Rootkit app
In-Reply-To: <478BB3DA.5070302@obluda.cz>

Hi Dan,

Good security is usually a comprehensive strategy, rather than hoping for a
one-size-fits-all-magic-bullet solution. Combine a coherent packet filter
with strong passwords, a competent IDS, BSD securelevels, and a file system
integrity checker, and you've got a pretty solid strategy for dealing with
most of the bad things that show up on the Internet. This, of course, is all
wasted if you leave your system unprotected physically, but I digress ...
A common strategy with anti-rootkit software is to keep a copy of your
signatures elsewhere -- either on removable media, or a remote system; you
can use secure hashes to verify the integrity of the local signatures against
your known good copy to ensure that the list hasn't been tampered with, and
then verify the important parts of your OS against said list.

A lot of computer intruders are dumb, and more importantly, lazy. Truly
motivated and gifted crackers are a rarity, and if you get attacked by one of
them, it can be difficult to deal with. However, good preventative security
measures will keep the small fry and script kiddies at bay.

Just my two cents.

Klaus

On 1/14/08 11:11 AM, "Dan Lukes" did etch on stone tablets:

>>> I need to install an anti-rootkit
>
> If I understand correctly, an intruder needs to be superuser to be able
> to install a rootkit.
>
> If our intruders have superuser privileges, they can tamper with any
> anti-rootkit.
>
> Is the main reason to install an anti-rootkit that we count on the intruders
> being too dumb to look for one of the ports' anti-rootkit packages before
> they do their dirty work?
>
> Or am I missing something important?
>
> Dan
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 21:41:36 2008
From: "Michael W. Lucas"
To: Jordi Espasa Clofent
Cc: freebsd-security@freebsd.org
Date: Mon, 14 Jan 2008 16:24:11 -0500
Subject: Re: Anti-Rootkit app
Message-ID: <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>
In-Reply-To: <478A84DD.3040205@opengea.org>
References: <478A84DD.3040205@opengea.org>
User-Agent: Mutt/1.4.2.2i

On Sun, Jan 13, 2008 at 10:38:37PM +0100, Jordi Espasa Clofent wrote:
> Hi all,
>
> I need to install an anti-rootkit in a lot of servers. I know that
> there're several options: tripwire, aide, chkrootkit...
>
> What do you prefer?
>
> Obviously, I have to define my needs:
>
> - easy setup and configuration
> - actively developed

These needs are nice, but what effects do you want to achieve?

If you want to verify that nobody's loaded a rootkit, you can use
chkrootkit. Note that detecting a running rootkit is actively hard, and is
prone to failure.

If you want to verify that nobody has changed files on your system, you can
use a tripwire-like system. Mtree(1) actually includes tripwire-like
functionality, which I've used quite successfully in the past.

I think that the latter is more realistic, but that's just my humble
opinion.

==ml

--
Michael W. Lucas mwlucas@BlackHelicopters.org, mwlucas@FreeBSD.org
http://www.BlackHelicopters.org/~mwlucas/
Now Shipping: "Absolute FreeBSD" -- http://www.AbsoluteFreeBSD.com
On 5/4/2007, the TSA kept 3 pairs of my soiled undies "for security reasons."
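The two-step scheme Klaus Steden describes above (keep a known-good digest of the signature list off the box, check the local list against it, then check the system against the list) together with the mtree-style baseline Michael Lucas mentions, as one added example. This is editor-supplied Python, not code from any poster in the thread and not mtree, integrit, aide or tripwire themselves: it records mode, owner, size and SHA-256 for every regular file under a directory, refuses to use a baseline whose digest does not match the copy kept elsewhere, and only then compares the live files. The directory tree built in demo() is constructed for the example; on a real host you would run build_baseline() over /bin, /sbin, /usr/bin and so on from a trusted boot and write the returned digest to removable media or a remote system.

```python
"""Two-step file integrity check: trust the baseline first, then the files.

Added example (editor-supplied; not from the thread, not mtree/integrit/aide/
tripwire). Step 1 is the off-box digest check Klaus Steden recommends;
step 2 is the ordinary tripwire/mtree-style comparison against the baseline.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile

TRACKED = ("mode", "uid", "gid", "size", "sha256")  # attributes compared in step 2


def _sha256_of_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Walk root and record mode, owner, size and content hash of each regular file."""
    spec = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and special files are out of scope here
            spec[os.path.relpath(path, root)] = {
                "mode": stat.S_IMODE(st.st_mode), "uid": st.st_uid,
                "gid": st.st_gid, "size": st.st_size,
                "sha256": _sha256_of_file(path),
            }
    return spec


def serialize_baseline(spec):
    """Canonical JSON bytes, so the same tree always yields the same digest."""
    return json.dumps(spec, sort_keys=True, separators=(",", ":")).encode()


def baseline_digest(blob):
    """The short value to copy to removable media or a remote host at baseline time."""
    return hashlib.sha256(blob).hexdigest()


def verify_baseline(blob, known_good_digest):
    """Step 1: the local baseline is trusted only if it matches the off-box digest."""
    return hmac.compare_digest(baseline_digest(blob), known_good_digest)


def verify_files(root, spec):
    """Step 2: compare the live tree with the baseline; return sorted (path, finding) pairs."""
    findings = []
    current = build_baseline(root)
    for rel, expected in spec.items():
        actual = current.get(rel)
        if actual is None:
            findings.append((rel, "missing"))
            continue
        for attr in TRACKED:
            if actual[attr] != expected[attr]:
                findings.append((rel, attr + " changed"))
    for rel in current:
        if rel not in spec:
            findings.append((rel, "added"))
    return sorted(findings)


def check(root, blob, known_good_digest):
    """Returns (baseline_trusted, findings); findings is None when step 1 fails."""
    if not verify_baseline(blob, known_good_digest):
        return False, None
    return True, verify_files(root, json.loads(blob.decode()))


def demo():
    """Constructed scenario in a temp dir: clean check, modified file, forged baseline."""
    root = tempfile.mkdtemp(prefix="integrity-demo-")
    os.mkdir(os.path.join(root, "bin"))
    target = os.path.join(root, "bin", "ls")
    with open(target, "wb") as f:
        f.write(b"original binary\n")
    blob = serialize_baseline(build_baseline(root))
    known_good = baseline_digest(blob)  # this is the value that goes off the box

    clean = check(root, blob, known_good)
    with open(target, "wb") as f:
        f.write(b"trojaned binary!\n")  # different content and different length
    modified = check(root, blob, known_good)

    # An intruder with root can regenerate the local baseline to match the
    # modified file, but cannot touch the digest stored elsewhere, so the
    # forged baseline is rejected in step 1 before any file is compared.
    forged = serialize_baseline(build_baseline(root))
    forged_result = check(root, forged, known_good)
    return clean, modified, forged_result


if __name__ == "__main__":
    for label, result in zip(("clean", "modified file", "forged baseline"), demo()):
        print(label, "->", result)
```

On FreeBSD, mtree(8) with a digest keyword (for example `mtree -c -K sha256digest -p /bin > bin.spec`, later `mtree -K sha256digest -p /bin < bin.spec`) covers what build_baseline() and verify_files() do here; what the example adds is the step-1 check on the specification file itself, which is the part that has to be compared against a copy the intruder cannot reach.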
From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 23:09:39 2008
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@FreeBSD.org
Date: Mon, 14 Jan 2008 23:09:39 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-08:01.pty
Message-Id: <200801142309.m0EN9dcp056498@freefall.freebsd.org>
Precedence: bulk

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:01.pty                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pty snooping

Category:       core
Module:         libc_stdlib / libutil
Announced:      2008-01-14
Credits:        John Baldwin
Affects:        FreeBSD 5.0 and later.
Corrected:      2008-01-14 22:57:45 UTC (RELENG_7, 7.0-PRERELEASE)
                2008-01-14 22:55:54 UTC (RELENG_7_0, 7.0-RC2)
                2008-01-14 22:56:05 UTC (RELENG_6, 6.3-PRERELEASE)
                2008-01-14 22:56:18 UTC (RELENG_6_3, 6.3-RELEASE)
                2008-01-14 22:56:44 UTC (RELENG_6_2, 6.2-RELEASE-p10)
                2008-01-14 22:56:56 UTC (RELENG_6_1, 6.1-RELEASE-p22)
                2008-01-14 22:57:06 UTC (RELENG_5, 5.5-STABLE)
                2008-01-14 22:57:19 UTC (RELENG_5_5, 5.5-RELEASE-p18)
CVE Name:       CVE-2008-0216, CVE-2008-0217

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

pt_chown is a setuid root support utility used by grantpt(3) to change
ownership of a tty. openpty(3) is a support function in libutil which is
used to obtain a pseudo-terminal. script(1) is a utility which makes a
typescript of everything printed on a terminal.

II.  Problem Description

Two issues exist in the FreeBSD pty handling.

If openpty(3) is called as a non-root user the newly created pseudo-terminal
is world readable and writeable. While this is documented to be the case,
script(1) still uses openpty(3) and script(1) may be used by non-root
users [CVE-2008-0217].

The ptsname(3) function incorrectly extracts two characters from the name
of a device node in /dev without verifying that it's actually operating on
a valid pty which the calling user owns. pt_chown uses the bad result from
ptsname(3) to change ownership of a pty to the user calling pt_chown
[CVE-2008-0216].

III. Impact

If an unprivileged user is running script(1), or another program which uses
openpty(3), an attacker may snoop text which is printed to the user's
terminal.

If a malicious user has read access to a device node with characters in the
device name that match the name of a pty, then the malicious user can read
the content of the pty from another user.
The malicious user can open a lot of ttys, resulting in a high probability
of a new user obtaining the pty name of a "vulnerable" pty.

NOTE WELL: If a user snoops a pty the snooped text will not be shown to the
real user, which in many cases means the real owner of the pty will be able
to know the attack is taking place.

IV.  Workaround

Do not run script(1) as a non-root user.

The ptsname(3) issue only affects FreeBSD 6.0 and newer.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or 7.0-PRERELEASE,
or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1, or RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1, 6.2,
6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty5.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty5.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty6.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty7.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_5
  src/lib/libutil/pty.c                                          1.15.4.1
RELENG_5_5
  src/UPDATING                                            1.342.2.35.2.18
  src/sys/conf/newvers.sh                                  1.62.2.21.2.20
  src/lib/libutil/pty.c                                         1.15.16.1
RELENG_6
  src/lib/libc/stdlib/grantpt.c                                   1.4.2.2
  src/lib/libutil/pty.c                                         1.15.10.2
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.3
  src/sys/conf/newvers.sh                                   1.69.2.15.2.3
  src/lib/libc/stdlib/grantpt.c                                  1.4.10.2
  src/lib/libutil/pty.c                                         1.15.20.2
RELENG_6_2
  src/UPDATING                                            1.416.2.29.2.13
  src/sys/conf/newvers.sh                                  1.69.2.13.2.13
  src/lib/libc/stdlib/grantpt.c                                   1.4.8.1
  src/lib/libutil/pty.c                                         1.15.18.1
RELENG_6_1
  src/UPDATING                                            1.416.2.22.2.24
  src/sys/conf/newvers.sh                                  1.69.2.11.2.24
  src/lib/libc/stdlib/grantpt.c                                   1.4.6.1
  src/lib/libutil/pty.c                                         1.15.14.1
RELENG_7
  src/lib/libc/stdlib/grantpt.c                                   1.7.2.4
  src/lib/libutil/pty.c                                          1.17.2.3
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.1
  src/sys/conf/newvers.sh                                    1.72.2.5.2.2
  src/lib/libc/stdlib/grantpt.c                               1.7.2.2.2.2
  src/lib/libutil/pty.c                                      1.17.2.2.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0217

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:01.pty.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHi+nfFdaIBMps37IRAhtUAJ9GXtRjTIxcbrCOxoMnO50ZLc5mAgCdGSyO
D83MVnUtP9rhzD2JfOPbaOw=
=V/kt
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 23:09:43 2008
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@FreeBSD.org
Date: Mon, 14 Jan 2008 23:09:43 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-08:02.libc
Message-Id: <200801142309.m0EN9has056540@freefall.freebsd.org>
Precedence: bulk
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:02.libc                                       Security Advisory
                                                          The FreeBSD Project

Topic:          inet_network() buffer overflow

Category:       core
Module:         libc
Announced:      2008-01-14
Credits:        Bjoern A. Zeeb and Nate Eldredge
Affects:        FreeBSD 6.2
Corrected:      2008-01-14 22:57:45 UTC (RELENG_7, 7.0-PRERELEASE)
                2008-01-14 22:55:54 UTC (RELENG_7_0, 7.0-RC2)
                2008-01-14 22:56:05 UTC (RELENG_6, 6.3-PRERELEASE)
                2008-01-14 22:56:18 UTC (RELENG_6_3, 6.3-RELEASE)
                2008-01-14 22:56:44 UTC (RELENG_6_2, 6.2-RELEASE-p10)
CVE Name:       CVE-2008-0122

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The resolver is the part of libc that resolves hostnames (example.com) to
internet protocol (IP) addresses (192.0.2.1) and vice versa.

The inet_network() function returns an in_addr_t representing the network
address of the IP address given to inet_network() as a character string in
the dot-notation.

II.  Problem Description

An off-by-one error in the inet_network() function could lead to memory
corruption with certain inputs.

III. Impact

For programs which pass untrusted data to inet_network(), an attacker may
be able to overwrite a region of memory with user defined data by causing
specially crafted input to be passed to inet_network(). Depending on the
region of memory the attacker is able to overwrite, this might lead to a
denial of service or potentially code execution in the program using
inet_network().

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7.0-PRERELEASE, or 6-STABLE, or to the
RELENG_7_0, RELENG_6_3, or RELENG_6_2 security branch dated after the
correction date.
2) To patch your present system: The following patches have been verified to apply to FreeBSD 7.0, 6.3, or 6.2 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch # fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/lib/libc/inet/inet_network.c 1.2.2.2 RELENG_6_3 src/UPDATING 1.416.2.37.2.3 src/sys/conf/newvers.sh 1.69.2.15.2.3 src/lib/libc/inet/inet_network.c 1.2.2.1.4.1 RELENG_6_2 src/UPDATING 1.416.2.29.2.13 src/sys/conf/newvers.sh 1.69.2.13.2.13 src/lib/libc/inet/inet_network.c 1.2.2.1.2.1 RELENG_7 src/lib/libc/inet/inet_network.c 1.4.2.1 RELENG_7_0 src/UPDATING 1.507.2.3.2.1 src/sys/conf/newvers.sh 1.72.2.5.2.2 src/lib/libc/inet/inet_network.c 1.4.4.1 - ------------------------------------------------------------------------- VII. 
References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-08:02.libc.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.7 (FreeBSD) iD8DBQFHi+ntFdaIBMps37IRAr+GAJ9YxPIsD5OeyYkrwo5auWKgQwZRywCdHSrY NsNxcHsgdo7divn+LEkQ9po= =3RQQ -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Mon Jan 14 23:54:37 2008 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 80D7216A417 for ; Mon, 14 Jan 2008 23:54:37 +0000 (UTC) (envelope-from jan.muenther@nruns.com) Received: from moutng.kundenserver.de (moutng.kundenserver.de [212.227.126.186]) by mx1.freebsd.org (Postfix) with ESMTP id 10E0D13C468 for ; Mon, 14 Jan 2008 23:54:36 +0000 (UTC) (envelope-from jan.muenther@nruns.com) Received: from [127.0.0.1] (port-212-202-210-187.dynamic.qsc.de [212.202.210.187]) by mrelayeu.kundenserver.de (node=mrelayeu1) with ESMTP (Nemesis) id 0MKwpI-1JEYvf3aEk-0005fI; Tue, 15 Jan 2008 00:41:25 +0100 Message-ID: <478BF315.8020106@nruns.com> Date: Tue, 15 Jan 2008 00:41:09 +0100 From: =?ISO-8859-1?Q?Jan_M=FCnther?= User-Agent: Thunderbird 2.0.0.9 (Windows/20071031) MIME-Version: 1.0 To: "Michael W. 
 Lucas"
References: <478A84DD.3040205@opengea.org> <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>
In-Reply-To: <20080114212411.GA18875@bewilderbeast.blackhelicopters.org>
Cc: freebsd-security@freebsd.org, Jordi Espasa Clofent
Subject: Re: Anti-Rootkit app

Howdy,

> If you want to verify that nobody has changed files on your system,
> you can use a tripwire-like system. Mtree(1) actually includes
> tripwire-like functionality, which I've used quite successfully in the
> past.
>
> I think that the latter is more realistic, but that's just my humble
> opinion.
>
>

The point really is that people expect way too much from Tripwire-style file integrity checkers. No self-respecting rootkit author nowadays writes anything that is based on replacing system binaries. Typically, there are KLD-based rootkits, or even just ones that live in memory, which are impossible to catch with this approach. From what I recall (it's been ages since I looked into this) chkrootkit and rkhunter do some basic things to try and detect whether syscalls got hooked, but that is absolutely nothing I would rely on.

As Michael has pointed out, detecting a running rootkit is hard, if not close to impossible, if you have a skilled attacker (which, granted, is rarely the case).

I'd put more stress on the preventive side of things, use MAC etc., and just generally monitor your system well, update it, and maintain it wisely - I think that's effort better spent.
Cheers, Jan

-- 
Jan Muenther, CTO Security, n.runs AG

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 00:15:51 2008
Date: Mon, 14 Jan 2008 16:15:49 -0800 (PST)
From: Tim Clewlow
To: Dan Lukes, freebsd security
In-Reply-To: <478BB3DA.5070302@obluda.cz>
Message-ID: <965729.35921.qm@web50310.mail.re2.yahoo.com>
Subject: Re: Anti-Rootkit app

--- Dan Lukes wrote:
>
>> I need to install an anti-rootkid
>
> If I understand correctly, an intruder
> need to be superuser to be able
> to install a rootkit.
>
> If our intruders has superuser privileges, they can tamper any
> anti-rootkit.
>
> Is the main reason to install anti-rootkit we count the intruders are
> so dumb to look for one of port's anti-rootkit package before they do
> it's dirt work ?
>
> Or I miss something important ?
>
> Dan

One solution would be to have /var/log/auth.log being tailed out via a serial port to another computer that is not accessible via a network - or have it sent to a printer for a permanent hard-copy. It all depends on how much you really want to do in regard to security.

Cheers, Tim.

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 00:18:03 2008
Message-ID: <478BFBB5.7000100@nruns.com>
Date: Tue, 15 Jan 2008 01:17:57 +0100
From: Jan Münther
To: Tim Clewlow
References: <965729.35921.qm@web50310.mail.re2.yahoo.com>
In-Reply-To: <965729.35921.qm@web50310.mail.re2.yahoo.com>
Cc: Dan Lukes, freebsd security
Subject: Re: Anti-Rootkit app

Tim Clewlow schrieb:
>
> One solution would be to have /var/log/auth.log being tailed out via a serial
> port to another computer that is not accessable via a network - or have it sent
> to a printer for a permanent hard-copy. It all depends on how much you really
> want to do in regard to security.
>

A good practice is running a log host which has a cable that has only RX wires connected.

Cheers, Jan

-- 
Jan Muenther, CTO Security, n.runs AG

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 04:43:21 2008
Message-Id:
 <200801150428.m0F4SaH1084137@lava.sentex.ca>
Date: Mon, 14 Jan 2008 23:28:46 -0500
To: freebsd-security@freebsd.org
From: Mike Tancsa
In-Reply-To: <200801142309.m0EN9has056540@freefall.freebsd.org>
References: <200801142309.m0EN9has056540@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:02.libc

At 06:09 PM 1/14/2008, FreeBSD Security Advisories wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>=============================================================================
>FreeBSD-SA-08:02.libc                                       Security Advisory
>                                                          The FreeBSD Project
>
>Topic:          inet_network() buffer overflow
>
>For programs which passes untrusted data to inet_network(), an
>attacker may be able to overwrite a region of memory with user defined
>data by causing specially crafted input to be passed to
>inet_network().

For the "usual suspects" of applications running (e.g. sendmail, apache, BIND etc.), would it be possible to pass crafted packets through to this function remotely via those apps? I.e. how easy is this to do?
---Mike

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 05:35:28 2008
Message-ID: <18316.15988.200577.209017@hergotha.csail.mit.edu>
Date: Tue, 15 Jan 2008 00:02:44 -0500
From: Garrett Wollman
To: Mike Tancsa
In-Reply-To: <200801150428.m0F4SaH1084137@lava.sentex.ca>
References: <200801142309.m0EN9has056540@freefall.freebsd.org> <200801150428.m0F4SaH1084137@lava.sentex.ca>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:02.libc
< said:
> For the "usual suspects" of applications running, (e.g. sendmail,
> apache, BIND etc) would it be possible to pass crafted packets
> through to this function remotely via those apps ? ie how easy is this to do ?

inet_network() is a very infrequently-used function (perhaps because it's nearly useless except for backward-compatibility). It's referenced by getent(1), isdnd(8), timed(8), and mountd(8) -- the latter three I assume for configuration-file parsing -- and can also be called from getnetbyname(). libbind also includes an implementation of it, but bind itself doesn't reference it. route(8) uses it to parse network numbers given on the command line.

-GAWollman

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 05:22:55 2008
Message-Id: <200801150522.m0F5MqV1061436@drugs.dv.isc.org>
To: Mike Tancsa
From: Mark Andrews
In-reply-to: Your message of "Mon, 14 Jan 2008 23:28:46 CDT."
 <200801150428.m0F4SaH1084137@lava.sentex.ca>
Date: Tue, 15 Jan 2008 16:22:52 +1100
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:02.libc

> At 06:09 PM 1/14/2008, FreeBSD Security Advisories wrote:
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >=============================================================================
> >FreeBSD-SA-08:02.libc                                       Security Advisory
> >                                                          The FreeBSD Project
> >
> >Topic:          inet_network() buffer overflow
> >
> >For programs which passes untrusted data to inet_network(), an
> >attacker may be able to overwrite a region of memory with user defined
> >data by causing specially crafted input to be passed to
> >inet_network().
>
> For the "usual suspects" of applications running, (e.g. sendmail,
> apache, BIND etc) would it be possible to pass crafted packets
> through to this function remotely via those apps ? ie how easy is this to do
> ?

The usual suspects don't call inet_network(). route calls inet_network() but routed doesn't.
Mark

% nm /usr/obj/usr/src/usr.sbin/sendmail/sendmail | grep inet
         U __inet_addr
         U __inet_ntoa
         U __inet_ntop
         U __inet_pton
%
% nm /usr/obj/usr/src/usr.sbin/named/named | grep inet
         U __inet_aton
         U __inet_ntop
         U __inet_pton
0817f084 d cfg_type_inetcontrol
0814ee20 t inet_ntop4
0814f0f8 t inet_pton4
080fb668 t inet_totext
0817f0a0 d inetcontrol_fields
%
% nm /usr/obj/usr/src/sbin/route/route | grep inet
         U __inet_aton
         U __inet_lnaof
         U __inet_network
         U __inet_ntoa
08049a94 T inet_makenetandmask
%

> ---Mike
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 05:57:45 2008
Message-Id: <200801150557.m0F5vhmf084591@lava.sentex.ca>
Date: Tue, 15
 Jan 2008 00:53:25 -0500
To: Mark Andrews
From: Mike Tancsa
In-Reply-To: <200801150522.m0F5MqV1061436@drugs.dv.isc.org>
References: <200801150522.m0F5MqV1061436@drugs.dv.isc.org>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:02.libc

At 12:22 AM 1/15/2008, Mark Andrews wrote:
> >
> > For the "usual suspects" of applications running, (e.g. sendmail,
> > apache, BIND etc) would it be possible to pass crafted packets
> > through to this function remotely via those apps ? ie how easy
> is this to do
> > ?
>
> The usual suspects don't call inet_network().
> route calls inet_network() but not routed doesn't.

Thanks to all who responded so far! I had a look at some of the ports I am using and so far all I found was

find . \
  -name "*.c" | xargs grep inet_network
./apache13-modssl/work/apache_1.3.33/src/modules/proxy/proxy_util.c:            if (host[i] == '\0' && (ap_inet_addr(host) == -1 || inet_network(host) == -1))

---Mike

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 05:25:16 2008
Date: Mon, 14 Jan 2008 21:07:45 -0800
From: Gregory Shapiro
To: Mike Tancsa
Message-ID: <20080115050745.GB17475@monkeyboy.local>
References: <200801142309.m0EN9has056540@freefall.freebsd.org> <200801150428.m0F4SaH1084137@lava.sentex.ca>
In-Reply-To: <200801150428.m0F4SaH1084137@lava.sentex.ca>
Cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-08:02.libc

>> Topic: inet_network() buffer overflow
>
> For the "usual suspects" of applications running, (e.g. sendmail, apache,
> BIND etc) would it be possible to pass crafted packets through to this
> function remotely via those apps ? ie how easy is this to do ?

Speaking solely for sendmail, this issue does not appear to impact sendmail or any utilities/libraries in the sendmail distribution. Nothing in the sendmail distribution calls inet_network() or getnet*() (which appears to use inet_network() in libc).

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 07:51:20 2008
Message-ID: <478BEF36.40803@gahr.ch>
Date: Tue, 15 Jan 2008 00:24:38 +0100
From: Pietro Cerutti
To: freebsd-security@FreeBSD.org
References: <200801142309.m0EN9h5x056530@freefall.freebsd.org>
In-Reply-To: <200801142309.m0EN9h5x056530@freefall.freebsd.org>
Cc: FreeBSD Security Advisories
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:02.libc

> # fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch

The off-by-one error is still there..

-- 
Pietro Cerutti
PGP Public Key: http://gahr.ch/pgp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHi+86wMJqmJVx944RCnqHAKDUV8V3aXNPwyL1tmnv73EobeuZdQCgpHqJ
L9lf0pCiUd0NKtlICMWmtB8=
=ZamI
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 07:59:47 2008
Message-ID:
 <478C6581.5090603@obluda.cz>
Date: Tue, 15 Jan 2008 08:49:21 +0100
From: Dan Lukes
Organization: SISAL, MFF UK
To: freebsd security
Subject: Re: Anti-Rootkit app

>> Is the main reason to install anti-rootkit we count the intruders are
>> so dumb to look for one of port's anti-rootkit package before they do
>> it's dirt work ?
>>
>> Or I miss something important ?

Klaus Steden wrote:
> Good security is usually a comprehensive strategy

E.g. "Exactly, you missed nothing important" ;-)

Thanks.

Dan

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 10:27:20 2008
Message-ID: <478C8A54.6050009@gahr.ch>
Date: Tue, 15 Jan 2008 11:26:28 +0100
From: Pietro Cerutti
To: freebsd-security@FreeBSD.org
References:
 <200801142309.m0EN9h5x056530@freefall.freebsd.org> <478BEF36.40803@gahr.ch>
In-Reply-To: <478BEF36.40803@gahr.ch>
Cc: FreeBSD Security Advisories
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:02.libc

Pietro Cerutti wrote:
>> # fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch
> 
> The off-by-one error is still there..
> 

Errata corrige: the off-by-one error is in my head...
-- 
Pietro Cerutti
PGP Public Key: http://gahr.ch/pgp

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHjIpYwMJqmJVx944RCnEKAJ47XZfko3Pl5pfvpVHEbvJ8PzjBrgCeKhcA
fRojyhGgy+vMGiiUB+3Zg+o=
=tjU1
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Jan 15 15:13:29 2008
Date: Tue, 15 Jan 2008 15:02:03 +0000
From: Mike Bristow
To: freebsd-security@FreeBSD.org
Message-ID: <20080115150203.GA58658@cheddar.urgle.com>
References: <200801142309.m0EN9dTO056488@freefall.freebsd.org>
In-Reply-To: <200801142309.m0EN9dTO056488@freefall.freebsd.org>
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:01.pty
On Mon, Jan 14, 2008 at 11:09:39PM +0000, FreeBSD Security Advisories wrote:
> RELENG_7_0
>   src/UPDATING                                              1.507.2.3.2.1
>   src/sys/conf/newvers.sh                                    1.72.2.5.2.2

This version of this file does not exist (if I look at http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/conf/newvers.sh, for example). The same problem applies to the other recent security advisory.

Sorry if I'm the millionth person to tell you this.

-- 
Shenanigans! Shenanigans! Best of 3!
        -- Flash
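The nm(1) listings Mark Andrews posted earlier in this thread, and Mike Tancsa's grep over port sources, amount to a quick audit of which binaries actually reach inet_network() and therefore matter for FreeBSD-SA-08:02.libc. The script below is an added example, not code from the advisory or from any poster: it turns that manual check into a reusable classifier that tells a libc import (the case the libc patch fixes) apart from a private copy of the function linked into the binary (the case Garrett Wollman's libbind remark illustrates, which a libc patch does not touch). It assumes the default BSD nm output layout and checks both the public name and the __-prefixed name that appears in the posted listings; the three sample listings are constructed, abbreviated from the output in the thread.

```python
"""Audit binaries for references to a libc function such as inet_network().

Added example, not code from the FreeBSD advisory or from any message in
this thread.  It generalizes the manual `nm ... | grep inet` checks into a
classifier: for each binary it reports whether the function is imported
from the shared libc (fixed by patching libc), carried as a private copy
inside the binary (not fixed by the libc patch), or not referenced at all.
The sample listings at the bottom are constructed, abbreviated from the
nm output posted in the thread.
"""
import re
import shutil
import subprocess

# One nm(1) line in the default BSD layout: an optional hex address, a
# one-letter symbol type and the symbol name.  Undefined references ('U')
# are printed without an address.
NM_LINE = re.compile(r"^(?:[0-9a-fA-F]+\s+)?([A-Za-z?])\s+(\S+)$")

# Symbol types meaning the binary contains its own definition.
DEFINED_TYPES = set("TtWwDdBb")


def parse_nm(text):
    """Return {symbol_name: type_letter} for the symbols in nm output."""
    symbols = {}
    for raw in text.splitlines():
        m = NM_LINE.match(raw.strip())
        if m:
            symbols[m.group(2)] = m.group(1)
    return symbols


def reference_kind(nm_text, func):
    """Classify how a binary relates to `func`.

    'libc'    -> undefined symbol, resolved from the shared libc at run
                 time, so a libc patch covers it
    'private' -> the binary carries its own definition, which a libc
                 patch does not touch; it must be rebuilt from fixed source
    None      -> no reference at all

    Both the public name and the __-prefixed name seen in the posted
    listings (e.g. __inet_network) are checked.
    """
    symbols = parse_nm(nm_text)
    for name in (func, "__" + func):
        kind = symbols.get(name)
        if kind == "U":
            return "libc"
        if kind in DEFINED_TYPES:
            return "private"
    return None


def audit_listings(listings, func="inet_network"):
    """Classify saved nm listings: {binary_name: nm_text} -> {name: kind}."""
    return {name: reference_kind(text, func) for name, text in listings.items()}


def audit_binaries(paths, func="inet_network"):
    """Run nm(1) on real binaries and classify them; None if nm is missing."""
    nm = shutil.which("nm")
    if nm is None:
        return None
    results = {}
    for path in paths:
        proc = subprocess.run([nm, path], capture_output=True, text=True)
        results[path] = reference_kind(proc.stdout, func) if proc.returncode == 0 else None
    return results


# Constructed sample listings (abbreviated from the thread's nm output).
SAMPLE_LISTINGS = {
    "sendmail": (
        "         U __inet_addr\n"
        "         U __inet_ntoa\n"
        "         U __inet_ntop\n"
        "         U __inet_pton\n"
    ),
    "named": (
        "         U __inet_aton\n"
        "         U __inet_ntop\n"
        "         U __inet_pton\n"
        "0817f084 d cfg_type_inetcontrol\n"
        "0814ee20 t inet_ntop4\n"
        "0814f0f8 t inet_pton4\n"
    ),
    "route": (
        "         U __inet_aton\n"
        "         U __inet_lnaof\n"
        "         U __inet_network\n"
        "         U __inet_ntoa\n"
        "08049a94 T inet_makenetandmask\n"
    ),
}

if __name__ == "__main__":
    for binary, kind in audit_listings(SAMPLE_LISTINGS).items():
        print(f"{binary:9s} inet_network(): {kind or 'not referenced'}")
```

On a host with nm installed, `audit_binaries(["/sbin/route", "/usr/sbin/named"])` runs the same classification against real files. A result of 'private' is the one to watch after applying the advisory's libc patch: the program keeps its own copy of the function and only a rebuild from corrected sources (or a vendor update) changes it.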