From owner-freebsd-announce Mon Feb 10 18:37:23 1997
From: "Jordan K. Hubbard"
To: announce@freebsd.org
Subject: FreeBSD 3.0-970209-SNAP is now available.
Date: Mon, 10 Feb 1997 18:37:19 -0800
Message-ID: <4522.855628639@time.cdrom.com>

On ftp://ftp.freebsd.org/pub/FreeBSD/3.0-970209-SNAP and the various FreeBSD mirrors.

A SNAPshot was done at this time for various reasons, chief among them being:

o John Dyson's 4.4Lite2 changes were coming into -current, and I wanted a last SNAP out before this happened (it could be a couple of weeks before everything works properly in -current again).

o A fair number of things have changed in sysinstall to fix various bugs and/or shortcomings reported in the previous SNAP. Some of these fixes, like those made to turn sysinstall into a more effective post-configuration tool, required architectural changes which may have other side-effects and should therefore be tested as vigorously as possible in this SNAP (both for installation and for post-install configuration).

o I really wanted to.

I've also rearranged the {README,ABOUT}.TXT files to hopefully present the important information in more cogent form. Further improvements in this area are probably called for.

Feedback to current@freebsd.org please (unless it's a clear and obvious bug, in which case send-pr(1) or http://www.freebsd.org/send-pr should be employed).

Thanks!

Jordan


From owner-freebsd-announce Tue Feb 11 20:46:50 1997
From: "Jordan K. Hubbard"
To: announce@freebsd.org
Subject: Security Advisory - Recent compromise of freefall.freebsd.org
Date: Tue, 11 Feb 1997 20:46:45 -0800
Message-ID: <12352.855722805@time.cdrom.com>

Overview:

The following advisory documents a recent security compromise on freefall.freebsd.org, the FreeBSD Project's master source repository machine, discussing some of the potential ramifications of the event and the recovery measures which are being carried out in its aftermath.

Since investigation is still ongoing and at least one law enforcement agency is currently involved, some details will, of necessity, need to be deliberately vague or even omitted entirely for now. We apologize for this and promise to keep everyone as up-to-date as possible on events as the situation progresses, releasing information as we're allowed and deem it prudent.

Anyone with an account on freefall.freebsd.org is strongly advised to *CHANGE THEIR PASSWORD*, both on freefall and on any other machines where the same password is used. Based on the Trojan horses we found, you should assume that your password was grabbed and transmitted to a hostile 3rd party if you logged in at any time on or after January 18th, 1997. It does not matter if you logged in with ssh or with telnet; you should assume that your password has been collected.

Furthermore, if you used ssh, rlogin or telnet on freefall to go *out* to other machines, then you should assume that password information given to these programs was also compromised.

Details:

The break-ins occurred on at least 2 cdrom.com machines, root being compromised in both instances, and numerous system binaries had Trojan horses inserted for the purpose of gathering and sending back password information. The method of entry used by the attacker(s) is not so important given that both systems were vulnerable to several significant, now known, security exploits at the time and any one of them could have been used to gain entry & root privilege.

What is more interesting about this attack is the sophistication of the Trojan horses left behind, assembled as they were from a rather sophisticated "kit" put together by someone who clearly knew their way around a BSD system. This told us that we should not take this attack as just another incident of juvenile pranksterism but as something rather more serious.

Since the CVS master repository machine was attacked, it would also be an immediate and obvious concern that the intruder may have taken advantage of their temporary root privileges to make modifications to the FreeBSD master source repository, possibly to introduce back-doors for later use or cause deliberate embarrassment by introducing catastrophic failure modes.

Fortunately, neither scenario is as fearsome as it might seem. For one thing, the CVS repository is replicated on hundreds of machines now, all syncing up with varying degrees of (deliberate) latency, and "CTM deltas" are also made continuously from this repository. These streams of CTM information can show exactly what changed from moment to moment in the source tree, entirely independently of the CVS mechanisms (which might be compromised) for doing so.

There is also the fact that there are many, many eyes on the FreeBSD source tree right now, more than most of us probably ever thought possible in the beginning, and it's hard to believe that someone would be able to slip a significant attack past the eyes of that many people, watching their daily CTM deltas come by and reviewing, as they do, each change with heavy skepticism before bringing it into their own source trees. To date, no reports of anything suspicious have been received.

In summary:

We will continue to review our CTM deltas and we will look for signs of skullduggery, but we frankly feel that the real dangers here lie not so much in recently introduced changes, which are easily reviewed for and caught, but in those accidental security holes which have been buried in the BSD code for months or possibly years.

Since security seems to have become the theme of the month, and many people have volunteered (in light of our recent 2.1.6 security fracas) to begin a much more serious and comprehensive security audit, we will take advantage of this opportunity to see that all code in the FreeBSD source tree, old and new alike, is reviewed line by line for buffer overflows, unguarded copies, back doors, whatever. We may not make it through every last byte, but we can certainly focus on the "hot spots" (suid programs and system utilities) and do our best to prevent problems like those which caused our recent headaches from recurring.

This advisory is simply to inform those people who have used freefall in the last 40 days or so that they should change their passwords and to explain to people that yes, there was a break-in to freefall.freebsd.org and yes, we're aware of the issues this raises, both now and in the immediate future, and that we will be exerting significant effort over the next few weeks in dealing aggressively with security issues, both in FreeBSD and on the FreeBSD project machines.

FreeBSD Auditing Project:

Those interested in participating in "The Great Code Sweep", more officially known as the FreeBSD Auditing Project, should also send mail to me. I'll be working over the next 2 days on dividing /usr/src into reasonable, prioritized, chunks (there, I used "prioritized" in a sentence - I've always wanted to do that) and talking with the volunteer auditors about how to split the work up amongst everyone. Then we'll dive in and go to work!

I'll be posting more details on just what it is we're looking for, and how to communicate changes back if you don't have commit access, in the coming days on the current@freebsd.org mailing list. Highlights will also be sent to announce@freebsd.org, including a second call for auditors and full instructions on how to participate, so hopefully no one should miss it.

Thanks.

Jordan


From owner-freebsd-announce Fri Feb 14 18:18:36 1997
From: John Polstra
To: freebsd-announce@freebsd.org
Subject: New Norwegian CVSup mirror site
Date: Fri, 14 Feb 1997 18:18:30 -0800
Message-Id: <199702150218.SAA20668@austin.polstra.com>

A new CVSup FreeBSD mirror site is now on-line in Norway. The host name is "cvsup.no.freebsd.org". Many thanks to Tor Egge for providing this valuable service!

Here is the current list of CVSup mirror sites for FreeBSD:

    USA:           cvsup.freebsd.org
                   cvsup2.freebsd.org
                   cvsup4.freebsd.org
                   cvsup5.freebsd.org
    Argentina:     cvsup.ar.freebsd.org
    Australia:     cvsup.au.freebsd.org
    Germany:       cvsup.de.freebsd.org
    Japan:         cvsup.jp.freebsd.org
    Netherlands:   cvsup.nl.freebsd.org
    Norway:        cvsup.no.freebsd.org
    South Africa:  cvsup.za.freebsd.org
    Taiwan:        sup.tw.freebsd.org

Please send additions or corrections to .

-- 
John Polstra                                       jdp@polstra.com
John D. Polstra & Co., Inc.                        Seattle, Washington USA
"Self-knowledge is always bad news."  -- John Barth