From owner-freebsd-announce Mon Sep 18 12: 2:54 2000
Delivered-To: freebsd-announce@freebsd.org
Received: from envy.geekhouse.net (envy.geekhouse.net [64.81.6.50]) by hub.freebsd.org (Postfix) with ESMTP id 7C56437B422 for ; Mon, 18 Sep 2000 12:02:49 -0700 (PDT)
Received: (from jim@localhost) by envy.geekhouse.net (8.11.0/8.11.0) id e8IJ2lV93519 for announce@FreeBSD.org; Mon, 18 Sep 2000 12:02:47 -0700 (PDT) (envelope-from jim)
Date: Mon, 18 Sep 2000 12:02:47 -0700
From: Jim Mock
To: announce@FreeBSD.org
Subject: BSDCon 2000 Update
Message-ID: <20000918120246.A42538@envy.geekhouse.net>
Reply-To: jim@lust.geekhouse.net
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.2.5i
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

As many of you are already aware, BSDCon 2000 is happening in about a
month. The purpose of this message is to provide some updates and the
schedule as it currently stands.

For those of you who missed the original announcement back in May,
BSDCon 2000 will be held at the Hyatt Regency in Monterey, California.
Please see http://www.hyatt.com/usa/monterey/hotels/hotel_mrydm.html
for more information about the hotel, their location, and so on. The
floor plan is available at http://bsdcon.com/floorplan1.php3 for those
who are curious.

Pricing is as follows:

    Conference (Oct. 18-20):  $495
    Tutorial 1 (Oct. 14-15):  $495
    Tutorial 2 (Oct. 16-17):  $495
    Room rates at the Hyatt:  $129/night

In order to get the room rate, simply mention that you're attending
BSDCon (or if they sound confused, BSD or BSDi). For more information
about Monterey and the surrounding area, please visit the Lodging &
Travel section of our web site at http://bsdcon.com/lodging.php3.

You can register for BSDCon 2000 by calling 1-925-691-2800, or online,
at http://bsdcon.com/registration.php3.

Please note the last day for pre-registration is October 5th.
After this date, only on-site registration will be done.

If you are interested in being a sponsor or exhibitor at BSDCon 2000,
please visit our web site and read the information available there.

Papers and Tutorials
====================

For more information on the tutorials being presented, please visit
http://bsdcon.com/tutorials.php3 for a brief overview and outline of
each. For a list of papers being presented, along with who is
presenting them, please see http://bsdcon.com/schedule.php3. Please
keep in mind that the rooms and speakers may change.

If you have any questions about the conference, please contact us at
info@bsdcon.com. Alternatively, you can contact us by phone at
1-925-691-2800 or fax at 1-925-674-0821.

Thanks, and hope to see you in Monterey next month!

- jim

--
jim mock               work: jim@osd.bsdi.com | jim@FreeBSD.org
http://soupnazi.org/   BSDi Open Source Div | http://bsdi.com

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Wed Sep 20 14:21:52 2000
Delivered-To: freebsd-announce@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 34F0F37B42C; Wed, 20 Sep 2000 14:21:37 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-00:46.screen [UPDATED]
Reply-To: security-advisories@freebsd.org
Message-Id: <20000920212137.34F0F37B42C@hub.freebsd.org>
Date: Wed, 20 Sep 2000 14:21:37 -0700 (PDT)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-00:46                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          screen port contains local root compromise

Category:       ports
Module:         screen
Announced:      2000-09-13
Updated:        2000-09-20
Affects:        Ports collection prior to the correction date.
Corrected:      2000-09-01
Credits:        Jouko Pynnönen
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

screen is a popular application that multiplexes a physical terminal
between several processes.

II.  Problem Description

The screen port, versions 3.9.5 and before, contains a vulnerability
which allows local users to gain root privileges. This is accomplished
by inserting string-formatting operators into configuration parameters,
which may allow arbitrary code to be executed.

The screen port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 3800 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.1
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local users can obtain root privileges.

If you have not chosen to install the screen port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Remove the setuid bit on the program: execute the following command as
root:

    chmod 555 /usr/local/bin/screen-3.9.5

Note that this should be considered a temporary measure and may affect
the behaviour of the screen program.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the screen port.

NOTE: Be sure to delete the old package using pkg_delete before
installing the new one! If you do not remove the old package you may
still have a vulnerable setuid binary on your system.
To check for old screen packages which are still installed, execute the
following command:

    ls -d /var/db/pkg/screen-*

For each returned entry, run pkg_delete on the directory name (e.g.
pkg_delete screen-3.9.5). You will get warnings if more than one
package is installed, but ignore them and proceed to rebuild the latest
version of the screen port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/misc/screen-3.9.8.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/misc/screen-3.9.8.tgz

NOTE: It may be several days before updated packages are available.

3) Download a new port skeleton for the screen port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

VI.  Revision History

v1.0  2000-09-13  Initial release
v1.1  2000-09-20  Add warning statement about properly deleting the old
                  package before rebuilding the port

-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQCVAwUBOckp91UuHi5z0oilAQECagQAjaQoHD2VSikfT0Lj4V3T1V4gFOYO/10z
iTV+lZUhzE5EWGCdvitxjjJyjYAt+oTDzAZoOUn7uVX33rUl11860o0wIu9NCZrh
EIQVAXHK9pzhfUNE0iLpCEtmCvNsOMoIxg3RmZ0QqaP4+iw+UvyOMxFqS/BXKWyN
7V3hKDfWN18=
=UMEK
-----END PGP SIGNATURE-----

From owner-freebsd-announce Fri Sep 22 22:38:50 2000
Delivered-To: freebsd-announce@freebsd.org
Received: from vnode.vmunix.com (vnode.vmunix.com [209.112.4.20]) by hub.freebsd.org (Postfix) with ESMTP id 8050B37B422 for ; Fri, 22 Sep 2000 22:38:37 -0700 (PDT)
Received: by vnode.vmunix.com (Postfix, from userid 1005) id 8D780E; Sat, 23 Sep 2000 01:38:36 -0400 (EDT)
Received: from localhost (localhost [127.0.0.1]) by vnode.vmunix.com (Postfix) with ESMTP id 81A4E49A12 for ; Sat, 23 Sep 2000 01:38:36 -0400 (EDT)
Date: Sat, 23 Sep 2000 01:38:36 -0400 (EDT)
From: Chris Coleman
To: announce@freebsd.org
Subject: FreeBSD Real Quick Newsletter
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

FreeBSD Real-Quick(TM) News Letter.
Things Happening in FreeBSD.
Presented by Daemon News

Bayonne Milestone #5 released
September 16, 2000

Milestone #5 of Bayonne, the telephony server of the GNU project, has
been released and is available from ftp://www.voxilla.org/pub/bayonne.
This new milestone offers support for both GNU/Linux and FreeBSD
systems.
Pre-built FreeBSD binaries may be found at
ftp://www.voxilla.org/pub/bayonne/freebsd.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1190
**********************************************************************

So you like FreeBSD?
September 13, 2000

Just a little advocacy promotion piece I wrote tonight. It's important
for people to realise that contributing to a project does not mean you
have to be a coder, web guru, or ports hack. Anyone can make a
difference. And it's easy, simple, doesn't cost you a cent. Bonus: you
can do it in the privacy of your own home.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1186
**********************************************************************

FreeBSD Installation and Package Tools
September 12, 2000

Jordan Hubbard wrote a draft describing the possible direction of
FreeBSD's installation and package tools. From the abstract: This
document discusses FreeBSD's installation, configuration and package
management tools from the perspective of where they are and where I
think they need to go.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1185
**********************************************************************

BSD Mall Upgrade
21 September 2000

Daemon News has upgraded the BSD Mall to the latest version of phpShop.
We are now geared up to ship BSD products internationally. We have
started to add books and BSD supported hardware. If you know of good
BSD supported hardware that we should have listed, please tell us about
it. We need your help to grow the BSD channel.

MORE: http://daily.daemonnews.org/add_comment.php3?story_id=1205
**********************************************************************

Long-Term Monitoring with SNMP
21 September 2000

Michael Lucas, in his column Big Scary Daemons, shows us how to use
mrtg to turn long-term SNMP statistics into easy-to-read web pages. It
will even chart bar graphs.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1203
**********************************************************************

Understanding Shell Prompts
September 19, 2000

Looking to change your default shell prompt? Dru Lavigne helps us
understand the four major shells and how to change their prompts. Her
column, FreeBSD Basics, at the O'Reilly Network is geared towards new
users and often contains information relevant to all BSD. To help
supplement this article, the BSD Support Forum is collecting user
contributed shell prompts. Dru will be compiling a list from that.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1196
**********************************************************************

New BSD products at Think Geek
September 15, 2000

I've already enjoyed some of Think Geek's products. Most people still
can't figure out what my perl tshirt is supposed to say :-) Think Geek
has now added two more BSD products to their catalog. There's a BSD mug
and a BSD Grand Pilsner, which is also available as a two pack.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1188
**********************************************************************

BSD Businesses Receiving More Funds
September 15, 2000

Two BSD based companies have recently received some additional funding.
BSDi is getting $5 million from the Japan based ISP Livin' on the Edge,
Ltd (LOTE). The recently launched Wasabi Systems has closed its first
round of financing raising over $500,000.

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1187
**********************************************************************

802.11 at BSDcon
September 11, 2000

For those of you with Orinoco (nee' WaveLan) cards, I plan on bringing
an Airport to BSDcon, and (so long as they will let me) hooking it up
to the terminal room LAN, like at the last Usenix conference. So, don't
leave it at home!

MORE: http://daily.daemonnews.org/view_story.php3?story_id=1182
**********************************************************************

Chris Coleman
Daemon News
O'Reilly Networks -- Open Source Editor
http://www.daemonnews.org
http://www.oreillynet.com/
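
Added example, not part of FreeBSD-SA-00:46 or of any message above: a shell check for the cleanup that advisory describes, listing installed screen packages at version 3.9.5 or earlier and screen binaries that still carry the setuid bit. The function names are hypothetical; the default paths are the ones the advisory names.

```sh
#!/bin/sh
# Added example, not from the advisory. Function names are hypothetical;
# default paths are the ones FreeBSD-SA-00:46 names.

# ver_le A B: succeed when dotted version A is less than or equal to B.
ver_le() {
    _a=$1 _b=$2
    while [ -n "$_a" ] || [ -n "$_b" ]; do
        _x=${_a%%.*}; _y=${_b%%.*}
        case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
        case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
        _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}   # drop suffixes such as "_1"
        _x=${_x:-0}; _y=${_y:-0}               # missing component counts as 0
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
    done
    return 0
}

# vulnerable_screen_pkgs [pkgdb]: print installed screen packages whose
# version is 3.9.5 or earlier, i.e. the ones to pass to pkg_delete.
vulnerable_screen_pkgs() {
    for _d in "${1:-/var/db/pkg}"/screen-*; do
        [ -d "$_d" ] || continue
        _ver=${_d##*/screen-}
        case $_ver in [0-9]*) ;; *) continue ;; esac   # skip other screen-* ports
        if ver_le "$_ver" 3.9.5; then echo "screen-$_ver"; fi
    done
}

# setuid_screen_bins [bindir]: print screen binaries that are still setuid,
# including versioned leftovers such as screen-3.9.5.
setuid_screen_bins() {
    for _f in "${1:-/usr/local/bin}"/screen "${1:-/usr/local/bin}"/screen-*; do
        if [ -f "$_f" ] && [ -u "$_f" ]; then echo "$_f"; fi
    done
}

vulnerable_screen_pkgs | sed 's/^/remove with pkg_delete: /'
setuid_screen_bins | sed 's/^/still setuid: /'
```

Both functions take an alternate directory as their first argument, so the check can be run against a mounted backup or jail root as well as the live system.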