From owner-freebsd-security Sun Dec 17 15:52:42 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id PAA07080 for security-outgoing; Sun, 17 Dec 1995 15:52:42 -0800 (PST) Received: from mail.barrnet.net (mail.barrnet.net [131.119.246.7]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id PAA07069 for ; Sun, 17 Dec 1995 15:52:38 -0800 (PST) Received: from passer.osg.gov.bc.ca (passer.osg.gov.bc.ca [142.32.110.29]) by mail.barrnet.net (8.7.1/MAIL-RELAY-LEN) with ESMTP id JAA09656 for ; Tue, 12 Dec 1995 09:20:30 -0800 (PST) Received: from localhost (localhost [127.0.0.1]) by passer.osg.gov.bc.ca (8.7.2/8.6.10) with SMTP id JAA04184; Tue, 12 Dec 1995 09:16:32 -0800 (PST) From: Cy Schubert - BCSC Open Systems Group Message-Id: <199512121716.JAA04184@passer.osg.gov.bc.ca> X-Authentication-Warning: passer.osg.gov.bc.ca: Host localhost [127.0.0.1] didn't use HELO protocol Reply-to: cschuber@orca.gov.bc.ca X-Mailer: DXmail To: freebsd-security@freebsd.org cc: cy@passer.osg.gov.bc.ca Subject: Security Patches Date: Tue, 12 Dec 95 09:16:31 -0800 X-Mts: smtp Sender: owner-security@freebsd.org Precedence: bulk I am a recent convert from Linux to FreeBSD. I realize that FreeBSD 2.1 is out, however the only CDROM I've been able to get my hands on is FreeBSD 2.0.5. I am looking for security patches for FreeBSD 2.0.5, specifically patches for the telnetd (libc) problem and the syslog() (libc) problem. Where may these patches be found? Also, are there any patches for the lpr/lpd security problems? Regards, Phone: (604)389-3827 Cy Schubert OV/VM: BCSC02(CSCHUBER) Open Systems Support BITNET: CSCHUBER@BCSC02.BITNET BC Systems Corp. Internet: cschuber@uumail.gov.bc.ca cschuber@bcsc02.gov.bc.ca "Quit spooling around, JES do it." From owner-freebsd-security Mon Dec 18 17:14:26 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA03926 for security-outgoing; Mon, 18 Dec 1995 17:14:26 -0800 (PST) Received: from the.link.ca (the.link.ca [198.169.185.1]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id RAA03920 for ; Mon, 18 Dec 1995 17:14:20 -0800 (PST) Received: from heathen.link.ca (jpw687.link.ca [198.169.185.96]) by the.link.ca (8.6.12/8.6.12) with SMTP id TAA02882; Mon, 18 Dec 1995 19:13:54 -0600 Date: Mon, 18 Dec 1995 19:13:54 -0600 Message-Id: <199512190113.TAA02882@the.link.ca> X-Sender: jpw687@the.link.ca X-Mailer: Windows Eudora Pro Version 2.1.2 Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" To: sjb@universe.digex.net From: Blas Zappa Subject: Re: legal to export DES outside of the US via Canada? Cc: security@freebsd.org Sender: owner-security@freebsd.org Precedence: bulk At 12:48 PM 12/15/95 -0600, you wrote: >U.S. law doesn't (normally) apply to Canadian citizens, even though the >U.S. LEAs seem to think it should, so, having received ITAR-controlled >code under the above exemption, the Canadian citizen may do with it >what he will. It violates only the agreement he made with the >exporter, not law. No one will come to get him, and the exporter >should be safe from judgements. I was actually wondering about this just the other day.. if this is the case, and anyone wishes to export out of this continent I'd be glad to be a redistributor/courier.. I really hate ridiculous, unenforcable laws... -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Blas Zappa \ "If only they had used their aka \ terminals for niceness Jonathan Wilkins \ instead of evil" From owner-freebsd-security Tue Dec 19 16:55:04 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id QAA19620 for security-outgoing; Tue, 19 Dec 1995 16:55:04 -0800 (PST) Received: from seraph.uunet.ca (uunet.ca [142.77.1.254]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA19612 for ; Tue, 19 Dec 1995 16:54:55 -0800 (PST) Received: from now by mail.uunet.ca with UUCP id <251185-4>; Tue, 19 Dec 1995 19:57:58 -0500 From: Eric Siegerman Date: Tue, 19 Dec 1995 17:35:38 -0500 Message-ID: <951219173538.5102@now.com> To: sjb@universe.digex.net, Blas Zappa Subject: Re: legal to export DES outside of the US via Canada? Cc: security@freebsd.org Sender: owner-security@freebsd.org Precedence: bulk Blas Zappa wrote: > At 12:48 PM 12/15/95 -0600, you wrote: > > >U.S. law doesn't (normally) apply to Canadian citizens, even though the > >U.S. LEAs seem to think it should, so, having received ITAR-controlled > >code under the above exemption, the Canadian citizen may do with it > >what he will. It violates only the agreement he made with the > >exporter, not law. No one will come to get him, > > [...] > if this is the > case, and anyone wishes to export out of this continent I'd be glad to be a > redistributor/courier.. I'd advise looking into just how Canada's ITAR exemption came to be. I don't know, but I find it rather hard to imagine the US defence establishment allowing the exemption to be granted unless the Canadian government had agreed to enforce the US rules when it comes to reexporting, and had passed the laws necessary to implement that agreement. You may find CSIS or the RCMP on your case -- with *Canadian* law on their side -- or it may turn out that the first person quoted above is right, and you can reexport with impunity. But it would be wise to investigate *first*! > >and the [American, I presume you meant] exporter > >should be safe from judgements. But not necessarily from harassment; just ask Steve Jackson. Besides which, does anyone know what burden is laid by the ITAR-exemption rule on Americans who export restricted stuff to Canada under its terms? It may make them legally responsible if the Canadian they (legally) export to then re-exports without the proper licences. This may be hard to get a conviction on in case of freeware, but "they" can make life pretty miserable in the meantime. > I really hate ridiculous, unenforcable laws... But ridiculous, (semi-)enforceable ones are a whole lot worse. Just ask Phil Zimmerman. -- | | /\ |-_|/ > Eric Siegerman, Toronto, Ont. erics@now.com | | / ... that foreign country, the future, whither we are all willy-nilly being deported... -- John Brunner From owner-freebsd-security Thu Dec 21 12:00:14 1995 Return-Path: owner-security Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id MAA03793 for security-outgoing; Thu, 21 Dec 1995 12:00:14 -0800 (PST) Received: from netmail1.austin.ibm.com (netmail1.austin.ibm.com [129.35.208.96]) by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id MAA03698 for ; Thu, 21 Dec 1995 12:00:07 -0800 (PST) Received: from ozymandias.austin.ibm.com (ozymandias.austin.ibm.com [9.3.140.170]) by netmail1.austin.ibm.com (8.6.12/8.6.11) with SMTP id OAA48281; Thu, 21 Dec 1995 14:00:01 -0600 Received: from localhost.austin.ibm.com by ozymandias.austin.ibm.com (AIX 3.2/UCB 5.64/4.03-client-2.6) for security@freebsd.org at austin.ibm.com; id AA14454; Thu, 21 Dec 1995 13:59:58 -0600 Message-Id: <9512211959.AA14454@ozymandias.austin.ibm.com> From: sjb@universe.digex.net To: Eric Siegerman Cc: Blas Zappa , security@freebsd.org Subject: Re: legal to export DES outside of the US via Canada? In-Reply-To: (Your message of Tue, 19 Dec 1995 17:35:38 CST.) <951219173538.5102@now.com> Date: Thu, 21 Dec 1995 13:59:58 -0600 Sender: owner-security@freebsd.org Precedence: bulk Eric Siegerman writes >Blas Zappa wrote: >> At 12:48 PM 12/15/95 -0600, you wrote: >> >> >U.S. law doesn't (normally) apply to Canadian citizens, even though the >> >U.S. LEAs seem to think it should, so, having received ITAR-controlled >> >code under the above exemption, the Canadian citizen may do with it >> >what he will. It violates only the agreement he made with the >> >exporter, not law. No one will come to get him, >> >> [...] >> if this is the >> case, and anyone wishes to export out of this continent I'd be glad to be a >> redistributor/courier.. This is still a problem. The U.S. government can still prosecute the person who sent it to you if they can make a reasonable case that the American knew you'd re-export. *You're* safe, but he isn't. >I'd advise looking into just how Canada's ITAR exemption came to >be. I don't know, but I find it rather hard to imagine the US >defence establishment allowing the exemption to be granted unless >the Canadian government had agreed to enforce the US rules when >it comes to reexporting, and had passed the laws necessary to >implement that agreement. >From what I've heard on lists where the subject is important, the "loophole" is real. Canada *does* have laws which cover the vast majority of ITAR. The general state of relaxed trade restrictions with Canada makes it necessary that the government be willing to overlook the little bit that isn't covered. >You may find CSIS or the RCMP on your case -- with *Canadian* law >on their side -- or it may turn out that the first person quoted >above is right, and you can reexport with impunity. But it would >be wise to investigate *first*! True of any legal advice from lay persons. >> >and the [American, I presume you meant] exporter >> >should be safe from judgements. > >But not necessarily from harassment; just ask Steve Jackson. > >Besides which, does anyone know what burden is laid by the >ITAR-exemption rule on Americans who export restricted stuff to >Canada under its terms? It may make them legally responsible if >the Canadian they (legally) export to then re-exports without the >proper licences. This may be hard to get a conviction on in case >of freeware, but "they" can make life pretty miserable in the >meantime. I'm pretty sure that getting some form of agreement from the Canadian to not export should be enough, assuming there isn't reason to think you knew the agreement to be false. Being on the list and having seen the above quoted message from Blas Zappa, it probably wouldn't be enough to have some sort of verbal agreement from him.