From owner-freebsd-announce Mon Aug 27 14:45: 9 2001 Delivered-To: freebsd-announce@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 5CCFF37B407; Mon, 27 Aug 2001 14:44:57 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7RLivL71152; Mon, 27 Aug 2001 14:44:57 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Mon, 27 Aug 2001 14:44:57 -0700 (PDT) Message-Id: <200108272144.f7RLivL71152@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:57 Security Advisory FreeBSD, Inc. Topic: sendmail contains local root vulnerability Category: core Module: sendmail Announced: 2001-08-27 Credits: Cade Cairnss Affects: FreeBSD 4-STABLE after August 27, 2000 and prior to the correction date, FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE Corrected: 2001-08-21 01:36:37 UTC (FreeBSD 4.3-STABLE) 2001-08-22 05:34:11 UTC (RELENG_4_3) FreeBSD only: NO I. Background sendmail is a mail transfer agent. II. Problem Description Sendmail contains an input validation error which may lead to the execution of arbitrary code with elevated privileges by local users. Due to the improper use of signed integers in code responsible for the processing of debugging arguments, a local user may be able to supply the signed integer equivalent of a negative value supplied to sendmail's "trace vector". This may allow a local user to write data anywhere within a certain range of locations in process memory. Because the '-d' command-line switch is processed before the program drops its elevated privileges, the attacker may be able to cause arbitrary code to be executed with root privileges. III. Impact Local users may be able to execute arbitrary code with root privileges. IV. Workaround Do not allow untrusted users to execute the sendmail binary. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates. 2) FreeBSD 4.x systems after August 27, 2000 and prior to the correction date: The following patch has been verified to apply to FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to the correction date. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/lib/libsmutil # make depend && make all # cd /usr/src/usr.sbin/sendmail # make depend && make all install 3) FreeBSD 4.3-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-01.57.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-01.57.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sendmail-01:57.tgz Restart sendmail after applying the patch by executing the following commands as root: # killall sendmail # /usr/sbin/sendmail -bd -q30m The flags to sendmail may need to be adjusted as required for the local system configuration. VI. Correction details The following is the sendmail $Id$ revision number of the file that was corrected for the supported branches of FreeBSD. The $Id$ revision number of the installed source can be examined using the ident(1) command. Revision Path 8.20.22.4 src/contrib/sendmail/src/trace.c VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO4q+6lUuHi5z0oilAQH2xQP/e5UR1/UiVoNLjWnZr/3Ufk11/Dx0jeux W43znQ3Hae7ZDK17bUvvJ0t3uSq7mgzP1EmHYhjWWvrVNOaKLNO2C7oiTBWeyNWj J+hk26jZQO74mQDdZVwIr4SbE+tMTUIfEcVcXv7++ZS3xbyh3wyQKZipD5UElnLs ek/7MzKM83E= =Lv0A -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Mon Aug 27 14:50:25 2001 Delivered-To: freebsd-announce@freebsd.org Received: from igloo.df.lth.se (igloo.df.lth.se [194.47.250.47]) by hub.freebsd.org (Postfix) with ESMTP id 1D22137B403 for ; Mon, 27 Aug 2001 14:41:59 -0700 (PDT) (envelope-from mva@df.lth.se) Received: from localhost (mva@localhost) by igloo.df.lth.se (8.9.3+Sun/8.9.3) with ESMTP id XAA00217 for ; Mon, 27 Aug 2001 23:41:56 +0200 (MEST) Date: Mon, 27 Aug 2001 23:41:56 +0200 (MEST) From: =?ISO-8859-1?Q?Martin_Wahl=E9n?= To: Subject: NordU2002 Call for Papers Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=ISO-8859-1 Content-Transfer-Encoding: 8BIT Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Announcement and Call for Papers -------------------------------- NordU2002- The fourth NordU2002/USENIX Conference February 18-22, 2002 Helsinki, Finland Information regarding The fourth Nordic EurOpen/USENIX Conference, to be held in Helsinki, Finland, February 18-22, 2002. A Conference organised by EurOpen.SE ­ The Swedish Association of Unix Users, and affiliate of USENIX, The Advanced Computing Systems Association and DKUUG the Danish UNIX-Systems User Group, NUUG Norwegian UNIX User Group and FUUG The Finnish UNIX User Group. Important Dates --------------- Extended abstracts due September 7, 2001 Notification of acceptance October 12, 2001 Final papers due December 7, 2001 Authors are invited to submit a one page abstract in English on any of the topics below to the Conference Secretariat. Submission should be original work and will be reviewed by the Technical Review Committee. All accepted papers will be available via a website on the Internet and in the conference proceedings after the Conference. Authors must register for the Conference and present their papers in person. Complete programme and registration information will be available by mid October 2001. To receive information about the fourth NordU2002/USENIX Conference, please visit http://www.nordu.org/NordU2002/ or send an e-mail to NordU2002@europen.se Topics ------ Security Operating Systems Open Source/Free Unix Interoperability Storage Area Network, SAN Technical Review Committee -------------------------- Mark Burgess Associate Professor Oslo University College e-mail: Mark.Burgess@iu.hio.no Serafim Dahl Högskoleadjunkt NADA/KTH The Royal Institute of Technology Stockholm e-mail: serafim@nada.kth.se Göran Fries Assoc.prof Department of Computer Science Lund University e-mail: goran@cs.lth.se Pasi Eronen Helsinki University of Technology pasi.eronen@nixu.fi Please send your abstract to: Congrex Sweden AB Attn: NordU2002 P.O. Box 5619 114 86 Stockholm SWEDEN Phone: +46 8 459 66 00 Fax: +46 8 661 91 25 E-mail:congrex@congrex.se This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Tue Aug 28 0:54:16 2001 Delivered-To: freebsd-announce@freebsd.org Received: from ehk.xinu.nl (ehk.xs4all.nl [194.109.194.245]) by hub.freebsd.org (Postfix) with ESMTP id 681F937B409 for ; Tue, 28 Aug 2001 00:38:13 -0700 (PDT) (envelope-from edwin@xinu.nl) Received: by ehk.xinu.nl (Postfix, from userid 1001) id 82DF21F49; Tue, 28 Aug 2001 09:38:11 +0200 (CEST) Date: Tue, 28 Aug 2001 09:38:11 +0200 From: Edwin Kremer To: freebsd-announce@FreeBSD.ORG Subject: [Ann/CfP] SANE 2002 - May 27-31, 2002 (3rd Int'l System Administration & Networking Conference) Message-ID: <20010828093811.A5073@xinu.nl> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Announcement and Call for Papers ____ _ _ _ _____ ____ ___ ___ ____ / ___| / \ | \ | | ____| |___ \ / _ \ / _ \___ \ \___ \ / _ \ | \| | _| __) | | | | | | |__) | ___) / ___ \| |\ | |___ / __/| |_| | |_| / __/ |____/_/ \_\_| \_|_____| |_____|\___/ \___/_____| 3rd International SANE Conference May 27-31, 2002 Maastricht, The Netherlands A conference organized by the NLUUG, the UNIX User Group - The Netherlands co-sponsored by USENIX and NLnet Foundation OVERVIEW Technology is advancing, the systems administration profession is changing rapidly, and you have to master new skills to keep apace. At the 3rd International SANE (System Administration and Networking) technical conference and tutorial tracks you'll find a wealth of opportunities to meet other system administrators and network (security) professionals with similar interests, while attending a program that brings you the latest in tools, techniques, security and networking. You can learn from tutorials, refereed papers and invited talks. Visit the Vendor Exhibition for the hottest products and the latest books available. The official language at the conference will be English. The conference will be located at the Maastricht Exposition and Conference Center, MECC. IMPORTANT DATES Extended abstracts due: October 1, 2001 Notification to speakers: November 1, 2001 Final papers due: March 29, 2002 TUTORIAL PROGRAM (May 27-29) On Monday, Tuesday and Wednesday, a large selection of practical, problem-solving, in-depth tutorials will be presented to you by the most authoritative, popular and widely acclaimed speakers in the field. If you're interested in presenting a tutorial or would like to share ideas about what would make a terrific tutorial, please contact the Tutorial Coordinator by e-mail to: TECHNICAL CONFERENCE (May 30-31) Thursday and Friday will offer comprehensive technical sessions, including keynote address, presentations of refereed papers and invited talks. Join peers and gurus during the enjoyable social event and the dazzling inSANE Quiz. The SANE 2002 conference seeks original and innovative papers about the applications, architecture, implementation, performance and security of modern computing systems and IP networks. Papers that analyze problem areas and draw important conclusions from practical experience are especially welcome. Presentations are being solicited in areas including but not limited to: * Security tools and techniques: IPSEC, Network Intrusion Detection Systems, Firewalls, VPNs, practical cryptography, auditing and computer forensics * Attacks against networks and machines, including denial-of-service attacks * Adventures in nomadic and wireless computing * Web security fundamentals and practical web site maintenance * Integrating new networking technologies like IPv6 * Network monitoring and traffic shaping solutions * System and network performance tuning * Managing enterprise-wide email and fighting SPAM * Innovative system administration tools and techniques * Distributed or automated system administration REFEREED PAPER SUBMISSIONS Papers for the technical sessions will be reviewed by the program committee. An award will be given at the conference for the best paper in this track. An extended abstract is required for the paper selection process. Abstracts must be submitted through the web form: http://www.nluug.nl/cgi-bin/sane2002-abstract Abstracts accompanied by non-disclosure agreement forms are not acceptable and will be returned unread. Authors of accepted submissions must provide a final paper for publication in the conference proceedings. These final papers are held in the highest confidence prior to publication in the conference proceedings. By agreeing to present your paper at SANE 2002, you also give license to the SANE 2002 conference organizers that it may be published on the NLUUG web site. CONFERENCE ORGANIZERS Program chair Edwin Kremer, TUNIX Open System Consultants, Nijmegen, NL Tutorial Coordinator Jos Alsters, C&CZ, KU Nijmegen, NL Program Committee Jaap Akkerhuis, Stichting Internet Domeinregistratie Nederland, Arnhem, NL Walter Belgers, AT Computing, Nijmegen, NL Ate Brink, Department of Computer Science, Utrecht University, NL Rudi van Drunen, Leiden Cytology and Pathology Lab, NL Peter Honeyman, CITI, University of Michigan, Ann Arbor, MI, USA Brad Knowles, Brussels, Belgium Brenda Langedijk, ITSX, Amsterdam, NL Alexios Zavras, Lucent Technologies -- Bell Labs, Athens, Greece Kristijan Zimmer, FER / HrOpen, Zagreb, Republic of Croatia Event Organization Jack Jansen, project coordinator, Oratrix, Amsterdam, NL Wytze van der Raay, treasurer, NLnet Foundation Marielle Klatten, conference organizer, ICONIQ, Amsterdam, NL ---------------------------------------------------------------------------- Complete program and registration information will be available in December 2001. For the latest information about the conference, please visit the SANE 2002 web site: http://www.nluug.nl/sane/ For questions not being answered at this web site, please contact the ICONIQ office by e-mail: ---------------------------------------------------------------------------- Best regards, -- _____ _ OSC Edwin Kremer |_ _| _ _ __ (_)_ __ TUNIX Open System Consultants BV | || | | | '_ \| \ \/ / Toernooiveld 124, 6525 EC Nijmegen, Netherlands | || |_| | | | | |> < phone: +31-(0)24-3528819 / fax: +31-(0)24-3500260 |_| \__,_|_| |_|_/_/\_\ This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Wed Aug 29 16:24: 4 2001 Delivered-To: freebsd-announce@freebsd.org Received: from usenix.org (voyager.usenix.org [131.106.3.1]) by hub.freebsd.org (Postfix) with ESMTP id C86AC37B405; Wed, 29 Aug 2001 15:41:56 -0700 (PDT) (envelope-from sam@usenix.org) Received: from melange (vpn75.usenix.org [131.106.3.75]) by usenix.org (Switch-2.1.3/Switch-2.1.0) with SMTP id f7TMg3A27329; Wed, 29 Aug 2001 15:42:03 -0700 (PDT) Message-ID: <0f4b01c130db$c67dd170$24a6d4d1@melange> From: "Sam Leffler (at Usenix)" To: , Subject: BSDCon 2002 - Call for Papers deadline extended Date: Wed, 29 Aug 2001 15:41:42 -0700 Organization: Usenix Association MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The submission deadline for BSDCon 2002 has been extended until September 7! Contribute your ideas, proposals, and papers for tutorials, invited talks, refereed papers, workshops, and work-in-progress reports. BSDCon 2002 February 11-14, 2002 Cathedral Hill Hotel San Francisco, California, USA http://www.usenix.org/events/bsdcon02 We welcome submissions that address any and all aspects of BSD-derived systems and the Open Source world. The Call for Papers with submission guidelines and topics is now available on the USENIX Web site at: http://www.usenix.org/events/bsdcon02/cfp/ Sincerely, Sam Leffler, Program Chair Errno Consulting This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Thu Aug 30 12:18:27 2001 Delivered-To: freebsd-announce@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 827A837B407; Thu, 30 Aug 2001 12:18:12 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7UJFv735421; Thu, 30 Aug 2001 12:15:57 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Thu, 30 Aug 2001 12:15:57 -0700 (PDT) Message-Id: <200108301915.f7UJFv735421@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:58.lpd Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:58 Security Advisory FreeBSD, Inc. Topic: lpd contains remote root vulnerability Category: core Module: lpd Announced: 2001-08-30 Credits: ISS X-Force Affects: All released versions FreeBSD 4.x, 3.x, FreeBSD 4.3-STABLE, 3.5.1-STABLE prior to the correction date Corrected: 2001-08-30 09:27:41 UTC (FreeBSD 4.3-STABLE) 2001-08-30 09:28:35 UTC (RELENG_4_3) 2001-08-30 09:46:44 UTC (FreeBSD 3.5.1-STABLE) FreeBSD only: NO I. Background lpd is the BSD line printer daemon used to print local and remote print jobs. II. Problem Description Users on the local machine or on remote systems which are allowed to access the local line printer daemon may be able to cause a buffer overflow. By submitting a specially-crafted incomplete print job and subsequently requesting a display of the printer queue, a static buffer overflow may be triggered. This may cause arbitrary code to be executed on the local machine as root. In order to remotely exploit this vulnerability, the remote machine must be given access to the local printer daemon via a hostname entry in /etc/hosts.lpd or /etc/hosts.equiv. lpd is not enabled on FreeBSD by default. All versions of FreeBSD prior to the correction date including FreeBSD 4.3 contain this problem. The base system that will ship with FreeBSD 4.4 does not contain this problem since it was corrected before the release. III. Impact Users on the local machine and on remote systems which are allowed to connect to the local printer daemon may be able to trigger a buffer overflow causing arbitrary code to be executed on the local system as root. lpd is not enabled by default. If you have not enabled lpd, your system is not vulnerable. IV. Workaround Disable lpd by executing the following command as root: # killall lpd V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates. 2) FreeBSD 3.x, 4.x systems prior to the correction date: The following patches have been verified to apply to FreeBSD 4.2-RELEASE, 4.3-RELEASE, 4.3-STABLE and 3.5.1-STABLE dated prior to the correction date. It may or may not apply to older, unsupported versions of FreeBSD. Download the relevant patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. [FreeBSD 4.3-RELEASE, 4.3-STABLE] # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-4.3.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-4.3.patch.asc [FreeBSD 4.2-RELEASE, 3.5.1-STABLE] # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-3.x-4.2.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:58/lpd-3.x-4.2.patch.asc Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/usr.sbin/lpr # make depend && make all install 3) FreeBSD 4.3-RELEASE systems: An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:58/security-patch-lpd-01.58.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:58/security-patch-lpd-01.58.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-lpd-01.58.tgz Restart lpd after applying the patch by executing the following commands as root: # killall lpd # /usr/sbin/lpd VI. Correction details The following is the $FreeBSD$ revision number of the file that was corrected for the supported branches of FreeBSD. The $FreeBSD$ revision number of the installed source can be examined using the ident(1) command. The patch provided above does not cause these revision numbers to be updated. [FreeBSD 4.3-STABLE] Revision Path 1.15.2.8 src/usr.sbin/lpr/common_source/displayq.c [RELENG_4_3] Revision Path 1.15.2.3.2.1 src/usr.sbin/lpr/common_source/displayq.c [FreeBSD 3.5.1-STABLE] Revision Path 1.14.2.2 src/usr.sbin/lpr/common_source/displayq.c VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO46QLFUuHi5z0oilAQEJQQQAkjEeA8fQMhbFswTq743vCdfGKTSZbXRI IF1hbTPKQ8G+dX57lMDgkR7WiFOf/DR9AFuX6gevCslCNJo8hySW74UxnnRv67/6 lsNUqWfAXD+d/yDUMO6amWUlz8xFNpIHa5Zf8F1QaPI3TBzrKKPekFUa3sHwlBD1 WSFK0ZoFMgw= =8ZK/ -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Thu Aug 30 12:21:35 2001 Delivered-To: freebsd-announce@freebsd.org Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 8965537B405; Thu, 30 Aug 2001 12:21:23 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Received: (from kris@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f7UJK3I35716; Thu, 30 Aug 2001 12:20:03 -0700 (PDT) (envelope-from security-advisories@FreeBSD.org) Date: Thu, 30 Aug 2001 12:20:03 -0700 (PDT) Message-Id: <200108301920.f7UJK3I35716@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Security Advisory FreeBSD-SA-01:57.sendmail [REVISED] Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:57 Security Advisory FreeBSD, Inc. Topic: sendmail contains local root vulnerability [REVISED] Category: core Module: sendmail Announced: 2001-08-27 Revised: 2001-08-30 Credits: Cade Cairnss Affects: FreeBSD 4-STABLE after August 27, 2000 and prior to the correction date, FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE Corrected: 2001-08-21 01:36:37 UTC (FreeBSD 4.3-STABLE) 2001-08-22 05:34:11 UTC (RELENG_4_3) FreeBSD only: NO 0. Revision History v1.0 2001-08-27 Initial release v1.1 2001-08-30 Update package to remove setuid bit from saved file; add non-openssl package; correct typo in package instructions; note that $Id$ not updated in RELENG_4_3. I. Background sendmail is a mail transfer agent. II. Problem Description Sendmail contains an input validation error which may lead to the execution of arbitrary code with elevated privileges by local users. Due to the improper use of signed integers in code responsible for the processing of debugging arguments, a local user may be able to supply the signed integer equivalent of a negative value supplied to sendmail's "trace vector". This may allow a local user to write data anywhere within a certain range of locations in process memory. Because the '-d' command-line switch is processed before the program drops its elevated privileges, the attacker may be able to cause arbitrary code to be executed with root privileges. III. Impact Local users may be able to execute arbitrary code with root privileges. IV. Workaround Do not allow untrusted users to execute the sendmail binary. V. Solution One of the following: 1) Upgrade your vulnerable FreeBSD system to 4.3-STABLE or the RELENG_4_3 security branch after the respective correction dates. 2) FreeBSD 4.x systems after August 27, 2000 and prior to the correction date: The following patch has been verified to apply to FreeBSD 4.1.1-RELEASE, 4.2-RELEASE, 4.3-RELEASE and 4-STABLE dated prior to the correction date. Download the patch and the detached PGP signature from the following locations, and verify the signature using your PGP utility. # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch # fetch ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:57/sendmail.patch.asc Execute the following commands as root: # cd /usr/src # patch -p < /path/to/patch # cd /usr/src/lib/libsmutil # make depend && make all # cd /usr/src/usr.sbin/sendmail # make depend && make all install 3) FreeBSD 4.3-RELEASE systems: ** NOTE: The initial version of the upgrade package did not remove ** setuid root privileges from the saved copy of the sendmail binary. ** To correct this, deinstall the old package using the pkg_delete(1) ** command and install the corrected package as described below. An experimental upgrade package is available for users who wish to provide testing and feedback on the binary upgrade process. This package may be installed on FreeBSD 4.3-RELEASE systems only, and is intended for use on systems for which source patching is not practical or convenient. If you use the upgrade package, feedback (positive or negative) to security-officer@FreeBSD.org is requested so we can improve the process for future advisories. During the installation procedure, backup copies are made of the files which are replaced by the package. These backup copies will be reinstalled if the package is removed, reverting the system to a pre-patched state. Two versions of the package are available, depending on whether or not OpenSSL is installed. If the file /usr/lib/libcrypto.so exists on the local system, follow the directions in section 1a) below, otherwise follow the directions in section 1b). After adding the package, proceed with the instructions in section 2). 1a) If crypto is installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-crypto-01.57.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-crypto-01.57.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sendmail-crypto-01.57.tgz 1b) If crypto is not installed: # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-nocrypto-01.57.tgz # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/packages/SA-01:57/security-patch-sendmail-nocrypto-01.57.tgz.asc Verify the detached PGP signature using your PGP utility. # pkg_add security-patch-sendmail-nocrypto-01.57.tgz 2) Restart sendmail after applying the patch by executing the following commands as root: # killall sendmail # /usr/sbin/sendmail -bd -q30m The flags to sendmail may need to be adjusted as required for the local system configuration. VI. Correction details The following is the sendmail $Id$ revision number of the file that was corrected for the supported branches of FreeBSD. The $Id$ revision number of the installed source can be examined using the ident(1) command. Note that the $Id$ tag was not updated on the RELENG_4_3 branch because a newer vendor release of sendmail was not imported, instead only this vulnerability was patched. Revision Path 8.20.22.4 src/contrib/sendmail/src/trace.c VII. References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: For info see http://www.gnupg.org iQCVAwUBO46RWlUuHi5z0oilAQH+VwP+MBpBopVejzWdHAjm0cEslleHZThEjja4 qNd28CAQOy5KAdDcP61pqT2LcxlFUXyjRPjcVo6eqGaO63Lz3Ov2nnm3LPfcyR18 PQaQkezGxTIfORuXxZiNA4EI51zjoquIRVWwMJaR1Azx+vf/u9XPIDVKA7rkL3df wvTf9D4V7ZU= =L1XV -----END PGP SIGNATURE----- This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Thu Aug 30 18:43:57 2001 Delivered-To: freebsd-announce@freebsd.org Received: from winston.freebsd.org (adsl-64-173-15-98.dsl.sntc01.pacbell.net [64.173.15.98]) by hub.freebsd.org (Postfix) with ESMTP id 9C78A37B401 for ; Thu, 30 Aug 2001 15:48:41 -0700 (PDT) (envelope-from jkh@freebsd.org) Received: from localhost (localhost [127.0.0.1]) by winston.freebsd.org (8.11.6/8.11.6) with ESMTP id f7UMkPv13931 for ; Thu, 30 Aug 2001 15:46:25 -0700 (PDT) (envelope-from jkh@freebsd.org) To: announce@freebsd.org Subject: New release date for FreeBSD 5.0-RELEASE X-Mailer: Mew version 1.94.1 on Emacs 20.7 / Mule 4.0 (HANANOEN) Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <20010830154625V.jkh@freebsd.org> Date: Thu, 30 Aug 2001 15:46:25 -0700 From: Jordan Hubbard X-Dispatcher: imput version 20000228(IM140) Lines: 58 Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org As most of you know, 5.0-RELEASE was originally scheduled for November 2001, it being our intention to release 5.0 before the end of 2001 without also colliding with the Christmas / New Years holidays. Unfortunately, a lot of the features on the TODO list for 5.0, such as SMPng (next-generation symmetric multi-processing), KSE (kernel scheduler entities) or support for a new architectures like the PowerPC, SPARC64 or IA64 (Itanium) are nowhere close to being complete. Without these features, there's just not a lot of reason for 5.0 to exist in non-snapshot form and it's therefore been decided that rather than release 5.0 prematurely, we're going to give ourselves the time we need to finish it properly. It should also be noted that a lot of the resources which were expected to be available to do this work have either not materialized as expected or have dropped off the face of the earth. There were 15 people (not counting Apple's participating engineers) involved at the SMPng kick-off, for example, yet not a single one of them has been actively involved with the project for the last 6 months, all such work falling to a single engineer (John Baldwin) who was not even present at the first planning meeting. A lot of this is undoubtedly due to the economic down-turn and the decline in resources which various companies have had available to donate to such efforts, but we still have to take this into account in our project planning and that's why the shipping date is going to be pushed ahead as far as it is. This is not a resource problem we're going to overcome in the next couple of months, and slipping just a little bit won't accomplish our goals, it will merely set us up for another slip when the time comes. ***************************************************************************** * The projected ship date for FreeBSD 5.0-RELEASE is now November 1st, 2002 * ***************************************************************************** That will give us a full 14 months to finish the various works-in-progress for 5.0-RELEASE and give it the kind of testing it will need to truly be an improvement, from both a performance and a stability perspective, over the 4.x branch. We will continue to ship releases along the 4.x-STABLE branch during the interval, of course, and will be constantly striving to merge our best work from -CURRENT so that the -STABLE branch remains a good place to be. 4.x-STABLE is one of this project's best branches yet and running it is certainly no sacrifice, but we'll be making an extra effort to ensure that staleness doesn't set in during its somewhat extended lifetime. Finally, I hope that the developers working on 5.0-CURRENT don't take this as an excuse to down tools and take a few months off since that will only ensure that we slip again. We've taken on some truly significant challenges with 5.0 and it will take everyone working as hard as they can to both meet this new deadline and release something that lives up to everyone's expectations. Thanks! - Jordan This is the moderated mailing list freebsd-announce. The list contains announcements of new FreeBSD capabilities, important events and project milestones. See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message