Date: Mon, 15 Sep 2003 18:10:04 -0400 (EDT)
From: Charles Sprickman
To: freebsd-security@freebsd.org
Subject: md5 salt

Hi,

I was looking at the crypt(3) manpage, and I'm having a hard time figuring
out what the allowed characters are for the salt in md5 and blowfish
encryption.  For DES, it clearly states that only numbers, letters and
digits may be used.

Does anyone know the rules for md5/blowfish salt characters?

Thanks,

Charles

--
Charles Sprickman
spork@inch.com

Date: Mon, 15 Sep 2003 20:53:56 -0400
To: security@freebsd.org
From: Mike Tancsa
Subject: Fwd: Re: [Full-Disclosure] new ssh exploit?

Has anyone around here heard of this?

        ---Mike

>Subject: Re: [Full-Disclosure] new ssh exploit?
>From: christopher neitzert
>Reply-To: chris@neitzert.com
>To: full-disclosure@lists.netsys.com
>Date: Mon, 15 Sep 2003 13:48:34 -0400
>
>More on this;
>
>The systems in question are FreeBSD, RedHat, Gentoo, and Debian all
>running the latest versions of OpenSSH.
>
>The attack makes an enormous amount of ssh connections and attempts
>various offsets until it finds one that works permitting root login.
>
>I have received numerous messages from folks requesting anonymity or
>direct-off-list-reply confirming this exploit;
>
>The suggestions I have heard are:
>
>Turn off SSH and
>
>1. upgrade to lsh.
>
>or
>
>2. add explicit rules to your edge devices allowing ssh from only-known
>hosts.
>
>or
>
>3. put ssh behind a VPN on RFC-1918 space.
>
>thanks.
>
>
>On Mon, 2003-09-15 at 12:02, christopher neitzert wrote:
> > Does anyone know of or have source related to a new, and unpublished ssh
> > exploit?  An ISP I work with has filtered all SSH connections due to
> > several root level incidents involving ssh.  Any information is
> > appreciated.
> >
>
>--
>Christopher Neitzert - GPG Key ID: 7DCC491B

--------------------------------------------------------------------
Mike Tancsa,                          tel +1 519 651 3400
Sentex Communications,                mike@sentex.net
Providing Internet since 1994         www.sentex.net
Cambridge, Ontario Canada             www.sentex.net/mike

Date: Tue, 16 Sep 2003 09:36:33 +0300
From: Peter Pentchev
To: Charles Sprickman
cc: freebsd-security@freebsd.org
Subject: Re: md5 salt

On Mon, Sep 15, 2003 at 06:10:04PM -0400, Charles Sprickman wrote:
> Hi,
>
> I was looking at the crypt(3) manpage, and I'm having a hard time figuring
> out what the allowed characters are for the salt in md5 and blowfish
> encryption.  For DES, it clearly states that only numbers, letters and
> digits may be used.
>
> Does anyone know the rules for md5/blowfish salt characters?

Well, a quick websearch on 'Modular Crypt Format', the name of the
password format containing encryption algorithm magic, optional number
of rounds, salt, and password hash, did not really turn up any standards
or papers; maybe others would be more knowledgeable in this area.

However, I did find a 07/99 post from Kris Kennaway at
http://www.geocrawler.com/archives/3/169/1999/7/0/2467424/ in which
he mentions that the salt is base64-encoded.

The crypt.c and crypt-md5.c files in src/lib/libcrypt/ do not really
pose any restrictions on the salt, short of the obvious one of its
not containing a '$' character :)

I guess going with the base64 characters would be a good bet.

G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net    roam@sbnd.net    roam@FreeBSD.org
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint FDBA FD79 C26F 3C51 C95E  DF9E ED18 B68D 1619 4553
If I were you, who would be reading this sentence?

To: Peter Pentchev
From: markm@freebsd.org
Date: Tue, 16 Sep 2003 08:05:32 +0100
cc: freebsd-security@freebsd.org
Subject: Re: md5 salt

Peter Pentchev writes:
> The crypt.c and crypt-md5.c files in src/lib/libcrypt/ do not really
> pose any restrictions on the salt, short of the obvious one of its
> not containing a '$' character :)
>
> I guess going with the base64 characters would be a good bet.

Any character that does not mess up master.passwd. So ":" is also a
no-no.

M
--
Mark Murray
iumop ap!sdn w,I idlaH

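The rules from the two replies above, as an added example (not code from the list or from libcrypt): a C check that a salt stays inside crypt's base64-style alphabet, which excludes both '$' and ':', a field count showing what a ':' in the salt does to a master.passwd record, and a generator that draws only from that alphabet. The function names, the constructed sample records and the use of /dev/urandom are assumptions of this sketch; the 8-character limit is what crypt-md5 reads for an MD5 salt.

```c
#include <stdio.h>
#include <string.h>

/* Characters crypt(3) emits in its base64-style encoding: "./0-9A-Za-z".
 * Neither '$' (Modular Crypt Format separator) nor ':' (master.passwd
 * field separator) is in this set. */
static const char ITOA64[] =
    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

#define MD5_SALT_MAX 8      /* crypt-md5 uses at most 8 salt characters */

enum salt_status { SALT_OK, SALT_EMPTY, SALT_TOO_LONG, SALT_BAD_CHAR };

/* Validate a bare salt (without the "$1$" prefix).
 * On SALT_BAD_CHAR the offending character is stored in *bad. */
enum salt_status check_salt(const char *salt, size_t max_len, char *bad)
{
    size_t n = strlen(salt);

    if (n == 0)
        return SALT_EMPTY;
    for (size_t i = 0; i < n; i++) {
        if (strchr(ITOA64, salt[i]) == NULL) {
            if (bad != NULL)
                *bad = salt[i];
            return SALT_BAD_CHAR;
        }
    }
    return n > max_len ? SALT_TOO_LONG : SALT_OK;
}

/* Count ':'-separated fields in one master.passwd line (10 are expected). */
int passwd_fields(const char *line)
{
    int fields = 1;

    for (; *line != '\0'; line++)
        if (*line == ':')
            fields++;
    return fields;
}

/* Fill out[0..len-1] with random characters from ITOA64 and terminate it.
 * Each byte from /dev/urandom is reduced to 6 bits, so every one of the
 * 64 characters is equally likely. Returns 0 on success, -1 on failure. */
int make_salt(char *out, size_t len)
{
    unsigned char buf[64];
    FILE *fp;
    size_t got;

    if (len > sizeof(buf))
        return -1;
    fp = fopen("/dev/urandom", "rb");
    if (fp == NULL)
        return -1;
    got = fread(buf, 1, len, fp);
    fclose(fp);
    if (got != len)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = ITOA64[buf[i] & 0x3f];
    out[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed records; HASHPLACEHOLDER stands in for a real hash. */
    const char *good =
        "alice:$1$Ab3./xYz$HASHPLACEHOLDER:1001:1001::0:0:Alice:/home/alice:/bin/sh";
    const char *bad =
        "bob:$1$Ab:3xYz$HASHPLACEHOLDER:1002:1002::0:0:Bob:/home/bob:/bin/sh";
    char salt[MD5_SALT_MAX + 1], c = 0;

    printf("good record: %d fields\n", passwd_fields(good));
    printf("bad record:  %d fields\n", passwd_fields(bad));
    printf("salt \"Ab:3xYz\": status %d\n", check_salt("Ab:3xYz", MD5_SALT_MAX, &c));
    if (make_salt(salt, MD5_SALT_MAX) == 0)
        printf("fresh salt %s: status %d\n", salt,
               check_salt(salt, MD5_SALT_MAX, &c));
    return 0;
}
```
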
From: "Nikolay Kanchev"
Date: Tue, 16 Sep 2003 11:02:05 +0100
Subject: boot -s - can i detect intruder

Hi list

Several people have physical access to my FreeBSD box and I have the feeling
that somebody try to get access with boot -s options. Can I log activity
after boot -s option (change user password, install software and etc.).
I use boot -s and change user password, but after reboot i can't find this
activity in log files.
The BSD box is shutdown and run again many time at day.

Best regards,
Nikolay Kanchev
E-mail: niki@amk-drives.bg

Date: Tue, 16 Sep 2003 10:14:14 +0200
From: Socketd
To: freebsd-security@freebsd.org
Subject: Re: boot -s - can i detect intruder

On Tue, 16 Sep 2003 11:02:05 +0100
"Nikolay Kanchev" wrote:

> Several people have physical access to my FreeBSD box and I have the
> feeling that somebody try to get access with boot -s options. Can I
> log activity after boot -s option (change user password, install
> software and etc.). I use boot -s and change user password, but after
> reboot i can't find this activity in log files.
> The BSD box is shutdown and run again many time at day.

Why not set console in /etc/ttys to insecure? Then you can't login
without a password.

br
socketd

Date: Tue, 16 Sep 2003 10:57:34 +0000 (GMT)
From: G Hasse
To: Socketd
cc: freebsd-security@freebsd.org
Subject: Re: boot -s - can i detect intruder

On Tue, 16 Sep 2003, Socketd wrote:

> > The BSD box is shutdown and run again many time at day.

Why is the box shutdown??? Are you doing kernel development or
advanced devicedriver development? Why are you many persons
on such a system in that case? And if you are doing kernel
development all must have root access anyway?

There is *no* reason to shut down the system in ordinary
maintenance!

GH

----------------------------------------------------------------
Göran Hasse            email: gh@raditex.se     Tel: 08-6949270
Raditex AB             http://www.raditex.se    Fax: 08-4420570
Sickla Alle 7, 1tr                              Mob: 070-5530148
131 34  NACKA, SWEDEN

Date: Tue, 16 Sep 2003 01:31:01 -0700
From: Colin Percival
To: G Hasse
cc: freebsd-security@freebsd.org
Subject: Re: boot -s - can i detect intruder

At 10:57 16/09/2003 +0000, G Hasse wrote:
>There is *no* reason to shut down the system in ordinary
>maintenance!

   I don't know if any of these apply in this case, but how about
1. Power consumption
2. Noise
3. Heat
4. Transportation
5. Hardware lifetime (potentially).

   Not all FreeBSD boxes are servers.

Colin Percival

From: "Nikolay Kanchev"
Date: Tue, 16 Sep 2003 11:38:19 +0100
Subject: Re: boot -s - can i detect intruder

----- Original Message -----
From: "Socketd"
Sent: Tuesday, September 16, 2003 9:14 AM
Subject: Re: boot -s - can i detect intruder

> On Tue, 16 Sep 2003 11:02:05 +0100
> "Nikolay Kanchev" wrote:
>
> > Several people have physical access to my FreeBSD box and I have the
> > feeling that somebody try to get access with boot -s options. Can I
> > log activity after boot -s option (change user password, install
> > software and etc.). I use boot -s and change user password, but after
> > reboot i can't find this activity in log files.
> > The BSD box is shutdown and run again many time at day.
>
> Why not set console in /etc/ttys to insecure? Then you can't login
> without a password.
>
> br
> socketd

I will set this but first I want to try catch the intruder. If I understand
when someone try to use boot -s and what is doing in box I can get him.

--------------- G. Hasse wrote ---------------
Why is the box shutdown??? Are you doing kernel development or
advanced devicedriver development? Why are you many persons
on such a system in that case? And if you are doing kernel
development all must have root access anyway?

There is *no* reason to shut down the system in ordinary
maintenance!

GH
-----------------------

The box is a test box for training and people that work with box can reboot
it. But this people not know that this is only test box, I tell them that
this is small server for LAN because I want to test this mans.

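Socketd's /etc/ttys suggestion, quoted above, as an added example (not from the thread or from FreeBSD's source): a C check that reads ttys(5)-style text and reports whether the console entry carries the secure flag, in which case single-user mode hands out a root shell without asking for the root password. The sample file contents are constructed, the function names are hypothetical, and a console line with no secure flag is treated as insecure, as ttys(5) describes.

```c
#include <stdio.h>
#include <string.h>

enum console_state { CONSOLE_MISSING, CONSOLE_SECURE, CONSOLE_INSECURE };

/* Split one ttys(5) line into fields in place. Fields are separated by
 * blanks or tabs, a double-quoted field may contain blanks, and '#'
 * outside quotes starts a comment. Returns the number of fields. */
static int split_fields(char *line, char *fields[], int max)
{
    int n = 0;
    char *p = line;

    while (*p != '\0' && n < max) {
        char stop;

        while (*p == ' ' || *p == '\t')
            p++;
        if (*p == '\0' || *p == '#' || *p == '\n')
            break;
        if (*p == '"') {
            fields[n++] = ++p;
            while (*p != '\0' && *p != '"')
                p++;
        } else {
            fields[n++] = p;
            while (*p != '\0' && *p != ' ' && *p != '\t' &&
                   *p != '\n' && *p != '#')
                p++;
        }
        if (*p == '\0')
            break;
        stop = *p;
        *p++ = '\0';            /* terminate the field just read */
        if (stop == '#')
            break;              /* rest of the line is a comment */
    }
    return n;
}

/* Scan ttys(5) text and report how the "console" entry is flagged.
 * Fields are: name, getty command, terminal type, then status flags. */
enum console_state check_console(const char *text)
{
    enum console_state state = CONSOLE_MISSING;
    char line[256];
    char *f[16];

    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        size_t copy = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        int n;

        memcpy(line, text, copy);
        line[copy] = '\0';
        text += len + (text[len] == '\n');

        n = split_fields(line, f, 16);
        if (n < 3 || strcmp(f[0], "console") != 0)
            continue;
        state = CONSOLE_INSECURE;       /* default when "secure" is absent */
        for (int i = 3; i < n; i++)
            if (strcmp(f[i], "secure") == 0)
                state = CONSOLE_SECURE;
    }
    return state;
}

/* Constructed samples: a console marked secure, and the changed line. */
static const char TTYS_SECURE[] =
    "# name\tgetty\t\t\t\ttype\tstatus\n"
    "console\tnone\t\t\t\tunknown\toff secure\n"
    "ttyv0\t\"/usr/libexec/getty Pc\"\tcons25\ton  secure\n";
static const char TTYS_INSECURE[] =
    "console\tnone\t\t\t\tunknown\toff insecure\n"
    "ttyv0\t\"/usr/libexec/getty Pc\"\tcons25\ton  secure\n";

int main(void)
{
    static const char *names[] = { "missing", "secure", "insecure" };

    printf("first sample:  console is %s\n", names[check_console(TTYS_SECURE)]);
    printf("second sample: console is %s\n", names[check_console(TTYS_INSECURE)]);
    return 0;
}
```

As the later replies in the thread point out, this only raises the bar for single-user mode; it does nothing against someone who boots other media or removes the disk.
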
Date: Tue, 16 Sep 2003 10:51:02 +0200
To: freebsd-security@freebsd.org
From: "Guy P."
Subject: Re: boot -s - can i detect intruder

At 12:57 16/09/2003, you wrote:
>On Tue, 16 Sep 2003, Socketd wrote:
>
> > > The BSD box is shutdown and run again many time at day.
>
>Why is the box shutdown??? Are you doing kernel development or
>advanced devicedriver development? Why are you many persons
>on such a system in that case? And if you are doing kernel
>development all must have root access anyway?
>
>There is *no* reason to shut down the system in ordinary
>maintenance!
>
>GH

As far as i understood him, he meant that *someone who should not* is
rebooting his machine, perhaps trying to use "boot -s" to get more access.

To answer the question, i think there is no definitive way to avoid a
motivated "hacker" with physical access to a machine to do whatever he
want - he could even plug another dd to boot from, etc...
If that box need protection, try to find a way to forbid physical access.

I'm not sure about that, but i seem to remember that default behaviour when
using "boot -s" is to mount only root partition, and read-only, thus the
"nothing logged".

If you want to catch that bugger, you could use a hardware keystroke
logger - but then, it's perhaps an oversized solution (costwise) depending
how important it is for you to get him/her.

unserious BOFH suggestion : plug a "specially crafted" keyboard with
CTRL-ALT-DEL key sequence triggering funny events of your choice (alarm
ring, AC power delivery to the culprit fingers, ...)

--
Guy

Date: Tue, 16 Sep 2003 02:12:01 -0700 (PDT)
From: Jason Stone
To: Nikolay Kanchev, freebsd-security@freebsd.org
Subject: Re: boot -s - can i detect intruder

> Several people have physical access to my FreeBSD box and I have the feeling
> that somebody try to get access with boot -s options. Can I log activity
> after boot -s option (change user password, install software and etc.).
> I use boot -s and change user password, but after reboot i can't find this
> activity in log files.
> The BSD box is shutdown and run again many time at day.

Well, there might be some stuff you can do - maybe you can mod the kernel
to log every execve(2) to a serial port or a line printer - maybe you
could even log over the net or something.

I've seen some patches to bash floating around that make logging of
command history mandatory - this is a pretty useless approach if your
attacker is at all sophisticated, but if the attacker is really clueless,
it might help.  Of course in this case, writing to disk will be
problematic, because when you start up, the filesystem will be mounted
read-only, and you can't necessarily count on any particular filesystem
ever being read-write, and if a filesystem does become read-write, you'll
have to take advantage of it quickly, because you don't know how long it's
going to stay read-write.

You could get a hardware keystroke logger - thinkgeek.com has one, and
another company I forget the name of - find the tinfoilhat linux webpage,
and start following links.  If the attacker doesn't think to look for
something like this, and if you have the money to spend, this might be the
easiest approach for you.

If someone has physical access to your machine, though, there's only so
much you can do.  The attacker can boot external media like floppies or
cd's, and then alter your disk from there.  You could configure the
machine not to boot external media and set a bios password, but then the
attacker could just open the machine, take the hard disk out, plug it into
another computer and alter it there.  Really the only thing you can do is
to limit physical access - unless you are prepared to shell out for
tamper-proof machines with crypto hardware, anyone with physical access
can take over your system.

 -Jason

 --------------------------------------------------------------------------
 Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
 that he was insufficiently fondled when he was an infant.
        -- Ashley Montagu

From: "Nikolay Kanchev"
Date: Tue, 16 Sep 2003 13:38:11 +0100
Subject: Re: boot -s - can i detect intruder

Thanks all

I know that if someone have physical access to my servers can penetrate into
them. And this is a reason to test this guys with this fake server. Some of
them thinks that they are "hackers" and try to crack passwords, install
backdoors and etc. For now not very successfully ;-)
I will try to mod the kernel, hardware keyloggers are expensive for me. Test
complete after one week and I'm not sure that I have time to mod kernel, but
now I find one free security camera and will install it in the room with box
and capture guys activity, that I will have a proof :-)

Best Regards
Nikolay Kanchev

----- Original Message -----
From: "G Hasse"
To: "Jason Stone"
Cc: "Nikolay Kanchev"
Sent: Tuesday, September 16, 2003 1:16 PM
Subject: Re: boot -s - can i detect intruder

On Tue, 16 Sep 2003, Jason Stone wrote:

> > Several people have physical access to my FreeBSD box and I have the feeling
> > that somebody try to get access with boot -s options. Can I log activity
> > after boot -s option (change user password, install software and etc.).
> > I use boot -s and change user password, but after reboot i can't find this
> > activity in log files.
> > The BSD box is shutdown and run again many time at day.
>
> Well, there might be some stuff you can do - maybe you can mod the kernel
> to log every execve(2) to a serial port or a line printer - maybe you
> could even log over the net or something.
>
> I've seen some patches to bash floating around that make logging of
> command history mandatory - this is a pretty useless approach if your
> attacker is at all sophisticated, but if the attacker is really clueless,
> it might help.  Of course in this case, writing to disk will be
> problematic, because when you start up, the filesystem will be mounted
> read-only, and you can't necessarily count on any particular filesystem
> ever being read-write, and if a filesystem does become read-write, you'll
> have to take advantage of it quickly, because you don't know how long it's
> going to stay read-write.
>
> You could get a hardware keystroke logger - thinkgeek.com has one, and
> another company I forget the name of - find the tinfoilhat linux webpage,
> and start following links.  If the attacker doesn't think to look for
> something like this, and if you have the money to spend, this might be the
> easiest approach for you.

Note that on line 429 in init_main.c (FreeBSD 4.8) there is a list
of shells to run. Normally /sbin/init is run and in single user mode
the user could select a shell of his own. (normally sh).
In that case it is possible to replace the normal sh and have a shell that logs every command to a line-printer.

Göran Hasse
----------------------------------------------------------------
Göran Hasse email: gh@raditex.se Tel: 08-6949270 Raditex AB http://www.raditex.se Fax: 08-4420570 Sickla Alle 7, 1tr Mob: 070-5530148 131 34 NACKA, SWEDEN

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 05:18:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A367916A4B3 for ; Tue, 16 Sep 2003 05:18:19 -0700 (PDT) Received: from enslaved.homeunix.org (ARennes-303-1-31-72.w81-248.abo.wanadoo.fr [81.248.97.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id EEAF943F85 for ; Tue, 16 Sep 2003 05:18:17 -0700 (PDT) (envelope-from hexa@enslaved.homeunix.org) Received: from enslaved.homeunix.org (localhost.enslaved.lan [127.0.0.1]) h8GCJYUP093405 for ; Tue, 16 Sep 2003 14:19:34 +0200 (CEST) (envelope-from hexa@enslaved.homeunix.org) Received: (from hexa@localhost) by enslaved.homeunix.org (8.12.8p1/8.12.8/Submit) id h8GCJYVB093404 for security@freebsd.org; Tue, 16 Sep 2003 14:19:34 +0200 (CEST) Date: Tue, 16 Sep 2003 14:19:34 +0200
From: GomoR To: security@freebsd.org Message-ID: <20030916141934.A93383@dani.enslaved.lan> Mail-Followup-To: security@freebsd.org References: <6.0.0.22.0.20030915205323.076ad580@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.0.20030915205323.076ad580@209.112.4.2>; from mike@sentex.net on Mon, Sep 15, 2003 at 08:53:56PM -0400 User-Agent: Mutt, and under FreeBSD, obviously ;-) Organization: FreeBSD Network - http://www.gomor.org/ Subject: Re: Fwd: Re: [Full-Disclosure] new ssh exploit? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 12:18:19 -0000

On Mon, Sep 15, 2003 at 08:53:56PM -0400, Mike Tancsa wrote:
>
> Has anyone around here heard of this ?
>
> ---Mike
[..]

I think it has just been committed, but not yet disclosed.
See the diff in FreeBSD CVS: $ cd /usr/src/crypto/openssh $ cvs diff -r1.1.1.1.2.4 -r1.1.1.7 Index: buffer.c =================================================================== RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v retrieving revision 1.1.1.1.2.4 retrieving revision 1.1.1.7 diff -r1.1.1.1.2.4 -r1.1.1.7 15c15 < RCSID("$OpenBSD: buffer.c,v 1.16 2002/06/26 08:54:18 markus Exp $"); --- > RCSID("$OpenBSD: buffer.c,v 1.17 2003/09/16 03:03:47 deraadt Exp $"); 71a72 > u_int newlen; 101,102c102,104 < buffer->alloc += len + 32768; < if (buffer->alloc > 0xa00000) --- > > newlen = buffer->alloc + len + 32768; > if (newlen > 0xa00000) 104,105c106,108 < buffer->alloc); < buffer->buf = xrealloc(buffer->buf, buffer->alloc); --- > newlen); > buffer->buf = xrealloc(buffer->buf, newlen); > buffer->alloc = newlen; -- ______________________________________________________________________ __ __ / || \ FreeBSD Network - http://www.GomoR.org/ | __ |___/ Security Engineer | || \ \__|| \ >I route, therefore I am< From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 05:40:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 52CEB16A4B3 for ; Tue, 16 Sep 2003 05:40:17 -0700 (PDT) Received: from otter3.centtech.com (moat3.centtech.com [207.200.51.50]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4147743FBD for ; Tue, 16 Sep 2003 05:40:16 -0700 (PDT) (envelope-from anderson@centtech.com) Received: from centtech.com (neutrino.centtech.com [204.177.173.28]) by otter3.centtech.com (8.12.3/8.12.3) with ESMTP id h8GCdl6T091906; Tue, 16 Sep 2003 07:39:53 -0500 (CDT) (envelope-from anderson@centtech.com) Message-ID: <3F67048F.90709@centtech.com> Date: Tue, 16 Sep 2003 07:39:43 -0500 
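Review bot: The change at 101-105 carries no comment saying why `buffer->alloc` is now assigned only after `xrealloc()` returns, and that ordering is the whole fix. The removed lines raised `buffer->alloc` before the `0xa00000` test, so the `fatal()` branch ran with a recorded size larger than the memory actually allocated. A one-line comment above `newlen = buffer->alloc + len + 32768;` stating that `alloc` must always match the real allocation would keep a later cleanup from folding this back into `buffer->alloc += ...`. The empty line added at 102 can be dropped.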
From: Eric Anderson User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030624 Netscape/7.1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Nikolay Kanchev References: <20030916120621.X69601-100000@gandalf.raditex.se> <01e901c37c4f$646cfa30$0d00a8c0@amkdrives.bg> In-Reply-To: <01e901c37c4f$646cfa30$0d00a8c0@amkdrives.bg> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: boot -s - can i detect intruder X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 12:40:17 -0000

Nikolay Kanchev wrote:

>Thanks all
>
>I know that if someone has physical access to my servers, they can penetrate
>them. And this is a reason to test these guys with this fake server. Some of
>them think that they are "hackers" and try to crack passwords, install
>backdoors, etc. For now not very successfully ;-)
>
>I will try to mod the kernel; hardware keyloggers are expensive for me.
>
>The test completes after one week and I'm not sure that I have time to mod
>the kernel, but now I have found one free security camera and will install it in the
>room with the box and capture the guys' activity, so that I will have proof :-)
>
>

Why not start syslogd (even in single user mode) set to log to a remote server? I doubt they unplug the network cable when going into single user mode. You'll have to force the network interface up, and have it start syslogd, but that should be it. You can also force the / partition to be mounted rw in single user mode (for catching someone it's probably ok, but I wouldn't leave it like that).

Eric

--
------------------------------------------------------------------
Eric Anderson Systems Administrator Centaur Technology
All generalizations are false, including this one.
------------------------------------------------------------------ From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 06:43:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7BD0B16A4B3 for ; Tue, 16 Sep 2003 06:43:50 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 54E7A43FB1 for ; Tue, 16 Sep 2003 06:43:49 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 9A39354840 for ; Tue, 16 Sep 2003 08:43:48 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 044786D454; Tue, 16 Sep 2003 08:43:47 -0500 (CDT) Date: Tue, 16 Sep 2003 08:43:47 -0500 
From: "Jacques A. Vidrine" To: freebsd-security@freebsd.org Message-ID: <20030916134347.GA30359@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="XOIedfhf+7KOe/yw" Content-Disposition: inline X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 Subject: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 13:43:50 -0000 --XOIedfhf+7KOe/yw Content-Type: multipart/mixed; boundary="huq684BweRXVnRxX" Content-Disposition: inline --huq684BweRXVnRxX Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable OK, an official OpenSSH advisory was released, see here: The fix is currently in FreeBSD -CURRENT and -STABLE. It will be applied to the security branches as well today. Attached are patches: buffer46.patch -- For FreeBSD 4.6-RELEASE and later buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier Currently, I don't believe that this bug is actually exploitable for code execution on FreeBSD, but I reserve the right to be wrong :-) Cheers, --=20 Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se --huq684BweRXVnRxX Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="buffer45.patch" Content-Transfer-Encoding: quoted-printable Index: crypto/openssh/buffer.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v retrieving revision 1.1.1.1.2.3 diff -c -c -r1.1.1.1.2.3 buffer.c *** crypto/openssh/buffer.c 28 Sep 2001 01:33:33 -0000 1.1.1.1.2.3 --- crypto/openssh/buffer.c 16 Sep 2003 13:19:26 -0000 *************** *** 69,74 **** --- 69,76 ---- void buffer_append_space(Buffer *buffer, char **datap, u_int len) { + u_int newlen; +=20 /* If the buffer is empty, start using it from the beginning. */ if (buffer->offset =3D=3D buffer->end) { buffer->offset =3D 0; *************** *** 93,100 **** goto restart; } /* Increase the size of the buffer and retry. */ ! buffer->alloc +=3D len + 32768; ! buffer->buf =3D xrealloc(buffer->buf, buffer->alloc); goto restart; } =20 --- 95,106 ---- goto restart; } /* Increase the size of the buffer and retry. */ ! newlen =3D buffer->alloc + len + 32768; ! if (newlen > 0xa00000) ! fatal("buffer_append_space: alloc %u not supported", ! newlen); ! buffer->buf =3D xrealloc(buffer->buf, newlen); ! 
buffer->alloc =3D newlen; goto restart; } =20 --huq684BweRXVnRxX Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="buffer46.patch" Content-Transfer-Encoding: quoted-printable Index: crypto/openssh/buffer.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D RCS file: /home/ncvs/src/crypto/openssh/buffer.c,v retrieving revision 1.1.1.1.2.4 diff -c -c -r1.1.1.1.2.4 buffer.c *** crypto/openssh/buffer.c 3 Jul 2002 22:11:41 -0000 1.1.1.1.2.4 --- crypto/openssh/buffer.c 16 Sep 2003 13:10:22 -0000 *************** *** 69,74 **** --- 69,75 ---- void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; =20 if (len > 0x100000) *************** *** 98,108 **** goto restart; } /* Increase the size of the buffer and retry. */ ! buffer->alloc +=3D len + 32768; ! if (buffer->alloc > 0xa00000) fatal("buffer_append_space: alloc %u not supported", ! buffer->alloc); ! buffer->buf =3D xrealloc(buffer->buf, buffer->alloc); goto restart; /* NOTREACHED */ } --- 99,111 ---- goto restart; } /* Increase the size of the buffer and retry. */ ! =09 ! newlen =3D buffer->alloc + len + 32768; ! if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", ! newlen); ! buffer->buf =3D xrealloc(buffer->buf, newlen); ! 
buffer->alloc =3D newlen; goto restart; /* NOTREACHED */ } --huq684BweRXVnRxX-- --XOIedfhf+7KOe/yw Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/ZxORFdaIBMps37IRArwEAJ4pkegMfNqSjkLvRgjCDDQa+9sXHwCfbgXd tlPyniRS899w5gbfV0HuuQk= =x62V -----END PGP SIGNATURE----- --XOIedfhf+7KOe/yw-- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 07:47:31 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8A7FB16A4B3; Tue, 16 Sep 2003 07:47:31 -0700 (PDT) Received: from mercury.ccmr.cornell.edu (mercury.ccmr.cornell.edu [128.84.231.97]) by mx1.FreeBSD.org (Postfix) with ESMTP id 100C843FDD; Tue, 16 Sep 2003 07:47:30 -0700 (PDT) (envelope-from mitch@ccmr.cornell.edu) Received: from ori.ccmr.cornell.edu (ori.ccmr.cornell.edu [128.84.231.243]) h8GElS8Y025821; Tue, 16 Sep 2003 10:47:28 -0400 Received: from localhost (mitch@localhost) by ori.ccmr.cornell.edu (8.12.9/8.12.9) with ESMTP id h8GElSrq020865; Tue, 16 Sep 2003 10:47:28 -0400 X-Authentication-Warning: ori.ccmr.cornell.edu: mitch owned process doing -bs Date: Tue, 16 Sep 2003 10:47:28 -0400 (EDT) 
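Review bot: In buffer45.patch, `newlen = buffer->alloc + len + 32768` in the second hunk is `u_int` arithmetic on a `len` that nothing visible in this version bounds, so the sum can wrap and a small `newlen` would pass the `newlen > 0xa00000` test. The first hunk's context runs straight from the declarations to the empty-buffer check, with no length test like the `if (len > 0x100000)` visible in the buffer46.patch context. Suggest rejecting an oversized `len` with `fatal()` at the top of the function before `newlen` is computed.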
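Review bot: In buffer46.patch, the second hunk adds a line holding only a tab (`! =09` as posted) ahead of `newlen = buffer->alloc + len + 32768;`; drop it so the patch introduces no whitespace-only line. Both attachments are also quoted-printable encoded as posted (`=3D`, `=20`), so they need decoding before patch(1) will match them against buffer.c; a note in the covering message would save readers a failed apply.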
From: Mitch Collinsworth To: "Jacques A. Vidrine" In-Reply-To: <20030916134347.GA30359@madman.celabo.org> Message-ID: References: <20030916134347.GA30359@madman.celabo.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; CHARSET=US-ASCII Content-ID: Content-Disposition: INLINE cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 14:47:31 -0000 Is this advisory available anywhere else? I'm continually getting server timeout when trying to load this URL. Meanwhile www.openssh.org doesn't seem to have any mention of the advisory. [?] -Mitch On Tue, 16 Sep 2003, Jacques A. Vidrine wrote: > OK, an official OpenSSH advisory was released, see here: > > > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be > applied to the security branches as well today. Attached are patches: > > buffer46.patch -- For FreeBSD 4.6-RELEASE and later > buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier > > Currently, I don't believe that this bug is actually exploitable for > code execution on FreeBSD, but I reserve the right to be wrong :-) > > Cheers, > -- > Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal > nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 07:49:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8DF8616A4B3 for ; Tue, 16 Sep 2003 07:49:32 -0700 (PDT) Received: from gigatrex.com (saraswati.gigatrex.com [64.5.48.159]) by mx1.FreeBSD.org (Postfix) with SMTP id 779C843F3F for ; Tue, 16 Sep 2003 07:49:29 -0700 (PDT) (envelope-from piechota@argolis.org) Received: (qmail 17358 invoked from network); 16 Sep 2003 14:46:57 -0000 Received: from unknown (HELO cithaeron.argolis.org) (141.156.241.54) by saraswati.gigatrex.com with SMTP; 16 Sep 2003 14:46:57 -0000 Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.9/8.12.9) with ESMTP id h8GEnqJh046106; Tue, 16 Sep 2003 10:49:52 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost)h8GEnoSa046103; Tue, 16 Sep 2003 10:49:52 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Tue, 16 Sep 2003 10:49:46 -0400 (EDT) 
From: Matt Piechota To: G Hasse In-Reply-To: <20030916105523.K69601-100000@gandalf.raditex.se> Message-ID: <20030916104533.Q18356@cithaeron.argolis.org> References: <20030916105523.K69601-100000@gandalf.raditex.se> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: boot -s - can i detect intruder X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 14:49:32 -0000

On Tue, 16 Sep 2003, G Hasse wrote:

> There is *no* reason to shut down the system in ordinary
> maintenance!

I don't think I buy that. It's not a terrible idea to reboot a machine (if you have the luxury) after you make lots of changes simply to make sure that it comes back up in the same state you left it. That way if you lose power in the middle of the night, you don't get the 6am calls from users complaining that the database (web server, app server, etc) isn't running.
-- Matt Piechota From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 07:54:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1E78316A4B3; Tue, 16 Sep 2003 07:54:14 -0700 (PDT) Received: from happygiraffe.net (happygiraffe.net [81.6.215.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1CF8D43FAF; Tue, 16 Sep 2003 07:54:11 -0700 (PDT) (envelope-from dom@happygiraffe.net) Received: from localhost (localhost.happygiraffe.net [127.0.0.1]) by happygiraffe.net (Postfix) with ESMTP id 4B19E5C89; Tue, 16 Sep 2003 15:54:09 +0100 (BST) Received: from happygiraffe.net ([127.0.0.1]) by localhost (ppe.happygiraffe.net [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 51253-03-3; Tue, 16 Sep 2003 15:54:08 +0100 (BST) Received: by happygiraffe.net (Postfix, from userid 1001) id D2EB75C79; Tue, 16 Sep 2003 15:54:08 +0100 (BST) Date: Tue, 16 Sep 2003 15:54:08 +0100 To: Mitch Collinsworth Message-ID: <20030916145408.GA51438@ppe.happygiraffe.net> References: <20030916134347.GA30359@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.1i 
From: dom@happygiraffe.net (Dominic Mitchell) X-Virus-Scanned: by amavisd-new at happygiraffe.net cc: "Jacques A. Vidrine" cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 14:54:14 -0000

On Tue, Sep 16, 2003 at 10:47:28AM -0400, Mitch Collinsworth wrote:
> Is this advisory available anywhere else? I'm continually getting
> server timeout when trying to load this URL. Meanwhile www.openssh.org
> doesn't seem to have any mention of the advisory. [?]

I can get a little bit of that URL to load, but it just times out after that. From the bit that I can see, however, it mentions:

http://www.openssh.com/txt/buffer.adv

Which is presently returning a 404. I'd just wait up for it to be propagated a little wider; doubtless it'll end up on bugtraq soon.

-Dom

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 07:55:28 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF0CF16A4B3 for ; Tue, 16 Sep 2003 07:55:28 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id DE23B43FB1 for ; Tue, 16 Sep 2003 07:55:26 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 5B5F35485D; Tue, 16 Sep 2003 09:55:26 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id F33C06D454; Tue, 16 Sep 2003 09:55:25 -0500 (CDT) Date: Tue, 16 Sep 2003 09:55:25 -0500
From: "Jacques A. Vidrine" To: Mitch Collinsworth Message-ID: <20030916145525.GB90755@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Mitch Collinsworth , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 14:55:28 -0000

On Tue, Sep 16, 2003 at 10:47:28AM -0400, Mitch Collinsworth wrote:
> Is this advisory available anywhere else? I'm continually getting
> server timeout when trying to load this URL. Meanwhile www.openssh.org
> doesn't seem to have any mention of the advisory. [?]

It loads for me sometimes only. It is supposed to be at , but it isn't there yet. Here's the meat of it:

---- begin excerpt ----
This is the 1st revision of the Advisory.

This document can be found at: http://www.openssh.com/txt/buffer.adv

1. Versions affected:

   All versions of OpenSSH's sshd prior to 3.7 contain a buffer
   management error. It is uncertain whether this error is
   potentially exploitable, however, we prefer to see bugs
   fixed proactively.

2. Solution:

   Upgrade to OpenSSH 3.7 or apply the following patch.
---- end excerpt ----

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 08:09:26 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 463D316A4B3 for ; Tue, 16 Sep 2003 08:09:26 -0700 (PDT) Received: from corb.mc.mpls.visi.com (corb.mc.mpls.visi.com [208.42.156.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 667D643FB1 for ; Tue, 16 Sep 2003 08:09:25 -0700 (PDT) (envelope-from hawkeyd@visi.com) Received: from sheol.localdomain (unknown [208.42.101.193]) by corb.mc.mpls.visi.com (Postfix) with ESMTP id 00789F264 for ; Tue, 16 Sep 2003 10:00:56 -0500 (CDT) Received: (from hawkeyd@localhost) by sheol.localdomain (8.11.6p2/8.11.6) id h8GF0ue16824 for freebsd-security@freebsd.org; Tue, 16 Sep 2003 10:00:56 -0500 (CDT) (envelope-from hawkeyd) X-Spam-Policy: http://www.visi.com/~hawkeyd/index.html#mail Date: Tue, 16 Sep 2003 10:00:56 -0500 
From: D J Hawkey Jr To: freebsd-security@freebsd.org Message-ID: <20030916150056.GA16806@sheol.localdomain> References: <20030916134347.GA30359@madman.celabo.org> <20030916145525.GB90755@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916145525.GB90755@madman.celabo.org> User-Agent: Mutt/1.4.1i Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: hawkeyd@visi.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 15:09:26 -0000 On Sep 16, at 09:55 AM, Jacques A. Vidrine wrote: > > Here's the meat of it: > > ---- begin excerpt ---- > This is the 1st revision of the Advisory. > > This document can be found at: http://www.openssh.com/txt/buffer.adv > > 1. Versions affected: > > All versions of OpenSSH's sshd prior to 3.7 contain a buffer > management error. It is uncertain whether this error is > potentially exploitable, however, we prefer to see bugs > fixed proactively. > > 2. Solution: > > Upgrade to OpenSSH 3.7 or apply the following patch. > ---- end excerpt ---- How far away are we from a FreeBSD SA? When the patch(es) are ready for all the other supported releases? Dave -- ______________________ ______________________ \__________________ \ D. J. HAWKEY JR. 
/ __________________/ \________________/\ hawkeyd@visi.com /\________________/ http://www.visi.com/~hawkeyd/ From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 08:35:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5749416A4B3 for ; Tue, 16 Sep 2003 08:35:59 -0700 (PDT) Received: from mail.speakeasy.net (mail11.speakeasy.net [216.254.0.211]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F91743FBD for ; Tue, 16 Sep 2003 08:35:58 -0700 (PDT) (envelope-from mario@schmut.com) Received: (qmail 11783 invoked from network); 16 Sep 2003 15:35:57 -0000 Received: from unknown (HELO schmut.com) ([66.92.49.2]) (envelope-sender ) by mail11.speakeasy.net (qmail-ldap-1.03) with SMTP for ; 16 Sep 2003 15:35:57 -0000 Received: from 192.168.23.2 (SquirrelMail authenticated user mario@schmut.com) by webmail.schmut.com with HTTP; Tue, 16 Sep 2003 08:37:16 -0700 (PDT) Message-ID: <3322.192.168.23.2.1063726636.squirrel@webmail.schmut.com> Date: Tue, 16 Sep 2003 08:37:16 -0700 (PDT) 
From: "mario" To: In-Reply-To: <014001c37c39$956ec2f0$0d00a8c0@amkdrives.bg> References: <014001c37c39$956ec2f0$0d00a8c0@amkdrives.bg> X-Priority: 3 Importance: Normal X-Mailer: SquirrelMail (version 1.2.9) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit cc: freebsd-security@freebsd.org Subject: Re: boot -s - can i detect intruder X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: mario@schmut.com List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 15:35:59 -0000

maybe a hidden web cam. i'm told there are some, that fire up triggered by motion.

mario;>

- - - - - - - - House Of Sites - - - - - - - -
Web Design :: Programming :: Hosting :: Maintenance
Web site: http://www.HouseOfSites.net
Email: mario@HouseOfSites.net
Tel: 415-242-3376
----------------------------------------------------
Do you schmut!? http://www.schmut.com

> Hi list
>
> Several people have physical access to my FreeBSD box and I have the
> feeling that somebody tries to get access with boot -s options . Can I log
> activity after boot -s option (change user password, install software
> and etc.). I use boot -s and change user password, but after reboot i
> can't find this activity in log files.
> The BSD box is shut down and run again many times a day.
> > Best regards, > > Nikolay Kanchev > > E-mail: niki@amk-drives.bg > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to > "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 08:47:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CA0F416A4B3 for ; Tue, 16 Sep 2003 08:47:03 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id E4F1043FBD for ; Tue, 16 Sep 2003 08:47:02 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 921C65485D; Tue, 16 Sep 2003 10:47:02 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 30A076D454; Tue, 16 Sep 2003 10:47:02 -0500 (CDT) Date: Tue, 16 Sep 2003 10:47:02 -0500 
From: "Jacques A. Vidrine" To: Marius Strom Message-ID: <20030916154702.GB90983@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Marius Strom , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916145918.GH87351@marius.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916145918.GH87351@marius.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 15:47:03 -0000

On Tue, Sep 16, 2003 at 09:59:18AM -0500, Marius Strom wrote:
> Jacques,
> Mind posting to -security which parts of the world need to be recompiled
> for this patch to take effect?

   # cd /usr/src
   # patch < /path/to/sshd.patch
   # cd /usr/src/secure/lib/libssh
   # make depend && make all install
   # cd /usr/src/secure/usr.sbin/sshd
   # make depend && make all install
   # cd /usr/src/secure/usr.bin/ssh
   # make depend && make all install

For later versions of FreeBSD, you really only need rebuild libssh, but the above should be safe on any version.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 08:50:55 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9497A16A4B3; Tue, 16 Sep 2003 08:50:55 -0700 (PDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id BF81943F3F; Tue, 16 Sep 2003 08:50:54 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h8GFoqCl077851; Tue, 16 Sep 2003 11:50:53 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20030916115113.0316a810@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Tue, 16 Sep 2003 11:53:27 -0400 To: "Jacques A. Vidrine" , freebsd-security@freebsd.org 
From: Mike Tancsa In-Reply-To: <20030916134347.GA30359@madman.celabo.org> References: <20030916134347.GA30359@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 15:50:55 -0000

Hi,
what is the proper building procedure ? If there is no /usr/obj

   cd /usr/src/secure/
   make obj
   make depend
   make
   make install

---Mike

At 09:43 AM 16/09/2003, Jacques A. Vidrine wrote:
>OK, an official OpenSSH advisory was released, see here:
>http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
>
>
>
>The fix is currently in FreeBSD -CURRENT and -STABLE. It will be
>applied to the security branches as well today. Attached are patches:
>
> buffer46.patch -- For FreeBSD 4.6-RELEASE and later
> buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
>
>Currently, I don't believe that this bug is actually exploitable for
>code execution on FreeBSD, but I reserve the right to be wrong :-)
>
>Cheers,
>--
>Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
>nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se > > From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 08:51:10 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 73C3916A4B3 for ; Tue, 16 Sep 2003 08:51:10 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id A81D443F93 for ; Tue, 16 Sep 2003 08:51:09 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 5AF835487F; Tue, 16 Sep 2003 10:51:09 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 1647E6D454; Tue, 16 Sep 2003 10:51:09 -0500 (CDT) Date: Tue, 16 Sep 2003 10:51:09 -0500 
From: "Jacques A. Vidrine" To: D J Hawkey Jr Message-ID: <20030916155108.GE90983@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , D J Hawkey Jr , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916145525.GB90755@madman.celabo.org> <20030916150056.GA16806@sheol.localdomain> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916150056.GA16806@sheol.localdomain> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 15:51:10 -0000

On Tue, Sep 16, 2003 at 10:00:56AM -0500, D J Hawkey Jr wrote:
> How far away are we from a FreeBSD SA?

A few hours.

> When the patch(es) are ready
> for all the other supported releases?

The patches are ready and are at least on ftp2. But I generally wait
until I have built and booted each security branch before committing
to them.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:11:23 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 69F8E16A4B3 for ; Tue, 16 Sep 2003 09:11:23 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8035F43FBD for ; Tue, 16 Sep 2003 09:11:22 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 2318554887; Tue, 16 Sep 2003 11:11:22 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id AFE256D454; Tue, 16 Sep 2003 11:11:21 -0500 (CDT) Date: Tue, 16 Sep 2003 11:11:21 -0500 
From: "Jacques A. Vidrine" To: Udo Schweigert Message-ID: <20030916161121.GA91300@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Udo Schweigert , freebsd-security@FreeBSD.org References: <20030916134347.GA30359@madman.celabo.org> <20030916160543.GA28313@alaska.cert.siemens.de> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916160543.GA28313@alaska.cert.siemens.de> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:11:23 -0000

On Tue, Sep 16, 2003 at 06:05:43PM +0200, Udo Schweigert wrote:
> On Tue, Sep 16, 2003 at 08:43:47 -0500, Jacques A. Vidrine wrote:
> > OK, an official OpenSSH advisory was released, see here:
> >
> >
> > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be
> > applied to the security branches as well today. Attached are patches:
> >
> > buffer46.patch -- For FreeBSD 4.6-RELEASE and later
> > buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
> >
>
> And what about the port /usr/ports/security/openssh-portable? It should - at
> least - be fixed for the 4.9-RELEASE.

Ports fixed about 3 hours 27 minutes ago :-)

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:32:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EF26A16A4B3; Tue, 16 Sep 2003 09:32:02 -0700 (PDT) Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 56D3943FB1; Tue, 16 Sep 2003 09:32:02 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.9/8.12.6) with ESMTP id h8GGW1VI002729; Tue, 16 Sep 2003 09:32:02 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.9/8.12.6/Submit) id h8GGW1PC002728; Tue, 16 Sep 2003 09:32:01 -0700 (PDT) Date: Tue, 16 Sep 2003 09:32:01 -0700 (PDT) 
From: Matthew Dillon Message-Id: <200309161632.h8GGW1PC002728@apollo.backplane.com> To: "Jacques A. Vidrine" References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> cc: Udo Schweigert cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:32:03 -0000

:
:On Tue, Sep 16, 2003 at 06:05:43PM +0200, Udo Schweigert wrote:
:> On Tue, Sep 16, 2003 at 08:43:47 -0500, Jacques A. Vidrine wrote:
:> > OK, an official OpenSSH advisory was released, see here:
:> >
:> >
:> > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be
:> > applied to the security branches as well today. Attached are patches:
:> >
:> > buffer46.patch -- For FreeBSD 4.6-RELEASE and later
:> > buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
:> >
:>
:> And what about the port /usr/ports/security/openssh-portable? It should - at
:> least - be fixed for the 4.9-RELEASE.
:
:Ports fixed about 3 hours 27 minutes ago :-)
:
:Cheers,
:--
:Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
:nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
:_______________________________________________
:freebsd-security@freebsd.org mailing list
:http://lists.freebsd.org/mailman/listinfo/freebsd-security
:To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

I've been staring at the patch for 30 minutes and I can't figure
out what it is supposed to fix. Is there some other thread or
signal or something that might access the buffer while its length
is in an indeterminate state? The code doesn't seem to be structured
for that case.

-Matt Matthew Dillon From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:35:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75C9616A4B3 for ; Tue, 16 Sep 2003 09:35:02 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8DB9F43FBF for ; Tue, 16 Sep 2003 09:35:01 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 21DA654846; Tue, 16 Sep 2003 11:35:01 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id B1DB86D454; Tue, 16 Sep 2003 11:35:00 -0500 (CDT) Date: Tue, 16 Sep 2003 11:35:00 -0500 
From: "Jacques A. Vidrine" To: Matthew Dillon Message-ID: <20030916163500.GA93908@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Matthew Dillon , Udo Schweigert , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916160543.GA28313@alaska.cert.siemens.de> <20030916161121.GA91300@madman.celabo.org> <200309161632.h8GGW1PC002728@apollo.backplane.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200309161632.h8GGW1PC002728@apollo.backplane.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: Udo Schweigert cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:35:02 -0000

On Tue, Sep 16, 2003 at 09:32:01AM -0700, Matthew Dillon wrote:
> I've been staring at the patch for 30 minutes and I can't figure
> out what it is supposed to fix. Is there some other thread or
> signal or something that might access the buffer while its length
> is in an indeterminate state? The code doesn't seem to be structured
> for that case.

Taken from my draft advisory to be released shortly:

--- excerpt ---
II. Problem Description

When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer. During this process, the recorded size
of the buffer is increased. The new size is then range checked. If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased. As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.
--- excerpt ---

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:40:33 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5365A16A4B3 for ; Tue, 16 Sep 2003 09:40:33 -0700 (PDT) Received: from gigatrex.com (saraswati.gigatrex.com [64.5.48.159]) by mx1.FreeBSD.org (Postfix) with SMTP id 4B19E43F93 for ; Tue, 16 Sep 2003 09:40:32 -0700 (PDT) (envelope-from piechota@argolis.org) Received: (qmail 14665 invoked from network); 16 Sep 2003 16:38:00 -0000 Received: from unknown (HELO cithaeron.argolis.org) (141.156.241.54) by saraswati.gigatrex.com with SMTP; 16 Sep 2003 16:38:00 -0000 Received: from cithaeron.argolis.org (localhost [127.0.0.1]) by cithaeron.argolis.org (8.12.9/8.12.9) with ESMTP id h8GGetJh046642; Tue, 16 Sep 2003 12:40:56 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost)h8GGerwn046639; Tue, 16 Sep 2003 12:40:53 -0400 (EDT) X-Authentication-Warning: cithaeron.argolis.org: piechota owned process doing -bs Date: Tue, 16 Sep 2003 12:40:53 -0400 (EDT) 
From: Matt Piechota To: mario In-Reply-To: <3322.192.168.23.2.1063726636.squirrel@webmail.schmut.com> Message-ID: <20030916124004.K18356@cithaeron.argolis.org> References: <014001c37c39$956ec2f0$0d00a8c0@amkdrives.bg> <3322.192.168.23.2.1063726636.squirrel@webmail.schmut.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: niki@amk-drives.bg cc: freebsd-security@freebsd.org Subject: Re: boot -s - can i detect intruder X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:40:33 -0000

On Tue, 16 Sep 2003, mario wrote:

> maybe a hidden web cam.
> i'm told there are some, that fire up triggered by motion.

Or ping the machine constantly, and start recording if the machine stops
responding.

-- 
Matt Piechota

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:44:38 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3DFA616A4B3; Tue, 16 Sep 2003 09:44:38 -0700 (PDT) Received: from vista.netmemetic.com (bb-203-125-40-73.singnet.com.sg [203.125.40.73]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5B04C43F85; Tue, 16 Sep 2003 09:44:37 -0700 (PDT) (envelope-from ngps@netmemetic.com) Received: by vista.netmemetic.com (Postfix, from userid 100) id 01FE983A; Wed, 17 Sep 2003 00:47:47 +0800 (SGT) Date: Wed, 17 Sep 2003 00:47:47 +0800 
From: Ng Pheng Siong To: "Jacques A. Vidrine" , Udo Schweigert , freebsd-security@FreeBSD.org Message-ID: <20030916164747.GA536@vista.netmemetic.com> References: <20030916134347.GA30359@madman.celabo.org> <20030916160543.GA28313@alaska.cert.siemens.de> <20030916161121.GA91300@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916161121.GA91300@madman.celabo.org> User-Agent: Mutt/1.4.1i Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:44:38 -0000

On Tue, Sep 16, 2003 at 11:11:21AM -0500, Jacques A. Vidrine wrote:
> > And what about the port /usr/ports/security/openssh-portable? It should - at
> > least - be fixed for the 4.9-RELEASE.
>
> Ports fixed about 3 hours 27 minutes ago :-)

I'm a little confused.

I'm running 4.8-RELEASE-p4.

After cvsup'ing, I see patch-buffer.c in openssh-portable timestamped at 16
Sep, whereas /usr/src/crypto/openssh shows files from 7 Apr and earlier.

A previous post in this thread said "(cd /usr/src/secure/lib/libssh; make;
blah blah)". Does this only apply to -STABLE and -CURRENT?

Should I just install the port openssh-portable? Is this the raison d'etre
for openssh-portable?

Do I need to drive down to the data centre now? (Rhetorical question to
self. ;-)

Thanks. Cheers.

-- Ng Pheng Siong http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:46:02 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 673F816A4B3 for ; Tue, 16 Sep 2003 09:46:02 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8CB6343FB1 for ; Tue, 16 Sep 2003 09:46:01 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 314C75487E; Tue, 16 Sep 2003 11:46:01 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id CAB266D454; Tue, 16 Sep 2003 11:46:00 -0500 (CDT) Date: Tue, 16 Sep 2003 11:46:00 -0500 
From: "Jacques A. Vidrine" To: Ng Pheng Siong Message-ID: <20030916164600.GA5680@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Ng Pheng Siong , Udo Schweigert , freebsd-security@FreeBSD.org References: <20030916134347.GA30359@madman.celabo.org> <20030916160543.GA28313@alaska.cert.siemens.de> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916164747.GA536@vista.netmemetic.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: Udo Schweigert cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:46:02 -0000

On Wed, Sep 17, 2003 at 12:47:47AM +0800, Ng Pheng Siong wrote:
> On Tue, Sep 16, 2003 at 11:11:21AM -0500, Jacques A. Vidrine wrote:
> > > And what about the port /usr/ports/security/openssh-portable? It should - at
> > > least - be fixed for the 4.9-RELEASE.
> >
> > Ports fixed about 3 hours 27 minutes ago :-)
>
> I'm a little confused.

Then wait for the advisory.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:53:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DBBB016A4B3 for ; Tue, 16 Sep 2003 09:53:04 -0700 (PDT) Received: from util.inch.com (ns.inch.com [216.223.192.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B1EFE43F85 for ; Tue, 16 Sep 2003 09:53:03 -0700 (PDT) (envelope-from spork@inch.com) Received: from shell.inch.com (www.inch.com [216.223.192.20]) h8GGr0NX074364; Tue, 16 Sep 2003 12:53:00 -0400 (EDT) (envelope-from spork@inch.com) Received: from shell.inch.com (localhost [127.0.0.1]) by shell.inch.com (8.12.8p1/8.12.8) with ESMTP id h8GGr0if022356; Tue, 16 Sep 2003 12:53:00 -0400 (EDT) (envelope-from spork@inch.com) Received: from localhost (spork@localhost)h8GGqxHF022351; Tue, 16 Sep 2003 12:52:59 -0400 (EDT) X-Authentication-Warning: shell.inch.com: spork owned process doing -bs Date: Tue, 16 Sep 2003 12:52:59 -0400 (EDT) 
From: Charles Sprickman To: Ng Pheng Siong In-Reply-To: <20030916164747.GA536@vista.netmemetic.com> Message-ID: <20030916125051.N60189@shell.inch.com> References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:53:05 -0000

On Wed, 17 Sep 2003, Ng Pheng Siong wrote:

> I'm a little confused.
>
> I'm running 4.8-RELEASE-p4.
>
> After cvsup'ing, I see patch-buffer.c in openssh-portable timestamped at 16
> Sep, whereas /usr/src/crypto/openssh shows files from 7 Apr and earlier.

It hasn't hit 4.8 yet. You can try the following if you're in desperate
need of the fix:

----
cd /usr/src/crypto/openssh
fetch http://www.openssh.com/txt/buffer.adv
patch < buffer.adv

*then* follow the previous instructions for rebuilding ssh...

Charles

> A previous post in this thread said "(cd /usr/src/secure/lib/libssh; make;
> blah blah)". Does this only apply to -STABLE and -CURRENT?
>
> Should I just install the port openssh-portable? Is this the raison d'etre
> for openssh-portable?
>
> Do I need to drive down to the data centre now? (Rhetorical question to
> self. ;-)
>
> Thanks. Cheers.
>
> --
> Ng Pheng Siong
>
> http://firewall.rulemaker.net -+- Manage Your Firewall Rulebase Changes
> http://sandbox.rulemaker.net/ngps -+- Open Source Python Crypto & SSL
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 10:14:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 79D1E16A4B3 for ; Tue, 16 Sep 2003 10:14:54 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id A212C43F93 for ; Tue, 16 Sep 2003 10:14:53 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 3900A5485D; Tue, 16 Sep 2003 12:14:53 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id D19656D455; Tue, 16 Sep 2003 12:14:52 -0500 (CDT) Date: Tue, 16 Sep 2003 12:14:52 -0500 
From: "Jacques A. Vidrine" To: Charles Sprickman Message-ID: <20030916171452.GA5814@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Charles Sprickman , Ng Pheng Siong , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916125051.N60189@shell.inch.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 17:14:54 -0000

On Tue, Sep 16, 2003 at 12:52:59PM -0400, Charles Sprickman wrote:
> It hasn't hit 4.8 yet.

Yes it has, as well as 4.7. It will be committed to all security
branches down to RELENG_4_3.

Hmm, I seem to have skipped RELENG_5_0, I'll get around to that also.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:15:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6059816A4BF for ; Tue, 16 Sep 2003 11:15:04 -0700 (PDT) Received: from magnesium.net (toxic.magnesium.net [207.154.84.15]) by mx1.FreeBSD.org (Postfix) with SMTP id E218A43FBD for ; Tue, 16 Sep 2003 11:15:02 -0700 (PDT) (envelope-from unfurl@dub.net) Received: (qmail 96763 invoked by uid 1001); 16 Sep 2003 18:15:02 -0000 Date: 16 Sep 2003 11:15:02 -0700 Date: Tue, 16 Sep 2003 11:15:02 -0700 
From: Bill Swingle To: "Jacques A. Vidrine" , Charles Sprickman , Ng Pheng Siong , freebsd-security@freebsd.org Message-ID: <20030916181502.GA95772@dub.net> References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> <20030916171452.GA5814@madman.celabo.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="opJtzjQTFsWo+cga" Content-Disposition: inline In-Reply-To: <20030916171452.GA5814@madman.celabo.org> User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD toxic.magnesium.net 5.1-RELEASE FreeBSD 5.1-RELEASE Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:15:04 -0000

--opJtzjQTFsWo+cga
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Does either of these patches apply to RELENG_5_1?

-Bill

On Tue, Sep 16, 2003 at 12:14:52PM -0500, Jacques A. Vidrine wrote:
> On Tue, Sep 16, 2003 at 12:52:59PM -0400, Charles Sprickman wrote:
> > It hasn't hit 4.8 yet.
>
> Yes it has, as well as 4.7. It will be committed to all security
> branches down to RELENG_4_3.
>
> Hmm, I seem to have skipped RELENG_5_0, I'll get around to that also.
>
> Cheers,
> --
> Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
> nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

-- 
-=| Bill Swingle -
-=| Every message PGP signed
-=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223
-=| "Computers are useless. They can only give you answers" Pablo Picasso

--opJtzjQTFsWo+cga
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (FreeBSD)

iD8DBQE/Z1MmUgAclY4JAiMRAiULAKCtfdET6EuNnj12+xraOsq4VgyNkACgzwJA
EJvOjc2NGhEHfYXzqCspwE4=
=MHGo
-----END PGP SIGNATURE-----

--opJtzjQTFsWo+cga--

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:17:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75F3916A4C1; Tue, 16 Sep 2003 11:17:05 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1F2443FB1; Tue, 16 Sep 2003 11:17:01 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h8GIH1Up072341; Tue, 16 Sep 2003 11:17:01 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h8GIH1Kj072339; Tue, 16 Sep 2003 11:17:01 -0700 (PDT) Date: Tue, 16 Sep 2003 11:17:01 -0700 (PDT) Message-Id: <200309161817.h8GIH1Kj072339@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Reply-To: security-advisories@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:17:05 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_1
                openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
                2003-09-16 16:27:57 UTC (RELENG_5_1)
                2003-09-16 17:34:32 UTC (RELENG_5_0)
                2003-09-16 16:24:02 UTC (RELENG_4_8)
                2003-09-16 16:45:16 UTC (RELENG_4_7)
                2003-09-16 17:44:15 UTC (RELENG_4_6)
                2003-09-16 17:45:23 UTC (RELENG_4_5)
                2003-09-16 17:46:02 UTC (RELENG_4_4)
                2003-09-16 17:46:37 UTC (RELENG_4_3)
                2003-09-16 12:43:09 UTC (ports/security/openssh)
                2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693
FreeBSD only:   NO

I. Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools. OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.

II. Problem Description

When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management attempts
to reallocate a larger buffer. During this process, the recorded size
of the buffer is increased. The new size is then range checked. If
the range check fails, then fatal() is called to cleanup and exit.
In some cases, the cleanup code will attempt to zero and free the
buffer that just had its recorded size (but not actual allocation)
increased. As a result, memory outside of the allocated buffer will
be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed
to be exploitable for code execution on FreeBSD.

IV. Workaround

Do one of the following:

1) Disable the base system sshd by executing the following command as
   root:

        # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted
   by adding the following line to the end of /etc/rc.conf:

        sshd_enable="NO"

   AND

   Deinstall the openssh or openssh-portable ports if you have one of
   them installed.

V. Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1,
RELENG_4_8, or RELENG_4_7 security branch dated after the correction
date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or 4.7-RELEASE-p15,
respectively).

2) FreeBSD systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.x and
FreeBSD 5.x systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the
following locations, and verify the signature using your PGP utility.

[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from
the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this
time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable
port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in the FreeBSD base system and ports collection.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
  src/crypto/openssh/buffer.c                                 1.1.1.1.2.5
  src/crypto/openssh/version.h                               1.1.1.1.2.11
RELENG_5_1
  src/UPDATING                                                  1.251.2.4
  src/crypto/openssh/buffer.c                                 1.1.1.6.4.1
  src/crypto/openssh/version.h                                   1.20.2.1
  src/sys/conf/newvers.sh                                        1.50.2.5
RELENG_5_0
  src/UPDATING                                                 1.229.2.18
  src/crypto/openssh/buffer.c                                 1.1.1.6.2.1
  src/crypto/openssh/version.h                                   1.18.2.1
  src/sys/conf/newvers.sh                                       1.48.2.13
RELENG_4_8
  src/UPDATING                                              1.73.2.80.2.7
  src/crypto/openssh/buffer.c                             1.1.1.1.2.4.4.1
  src/crypto/openssh/version.h                           1.1.1.1.2.10.2.1
  src/sys/conf/newvers.sh                                   1.44.2.29.2.6
RELENG_4_7
  src/UPDATING                                             1.73.2.74.2.18
  src/crypto/openssh/buffer.c                             1.1.1.1.2.4.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.9.2.1
  src/sys/conf/newvers.sh                                  1.44.2.26.2.17
RELENG_4_6
  src/UPDATING                                             1.73.2.68.2.46
  src/crypto/openssh/buffer.c                             1.1.1.1.2.3.4.2
  src/crypto/openssh/version.h                            1.1.1.1.2.8.2.2
  src/sys/conf/newvers.sh                                  1.44.2.23.2.35
RELENG_4_5
  src/UPDATING                                             1.73.2.50.2.47
  src/crypto/openssh/buffer.c                             1.1.1.1.2.3.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.7.2.2
  src/sys/conf/newvers.sh                                  1.44.2.20.2.31
RELENG_4_4
  src/UPDATING                                             1.73.2.43.2.48
  src/crypto/openssh/buffer.c                             1.1.1.1.2.2.4.1
  src/crypto/openssh/version.h                            1.1.1.1.2.5.2.3
  src/sys/conf/newvers.sh                                  1.44.2.17.2.39
RELENG_4_3
  src/UPDATING                                             1.73.2.28.2.35
  src/crypto/openssh/buffer.c                             1.1.1.1.2.2.2.1
  src/crypto/openssh/version.h                            1.1.1.1.2.4.2.3
  src/sys/conf/newvers.sh                                  1.44.2.14.2.25
[Ports]
  ports/security/openssh-portable/Makefile                           1.73
  ports/security/openssh-portable/files/patch-buffer.c                1.1
  ports/security/openssh/Makefile                                   1.120
  ports/security/openssh/files/patch-buffer.c                         1.1
- -------------------------------------------------------------------------

Branch       Version string
- -------------------------------------------------------------------------
HEAD         OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4     OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1   OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8   OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7   OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6   OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5   OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4   OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3   OpenSSH_2.3.0 green@FreeBSD.org 20030916
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the
following command:

        % /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the
server.

To view the version string of the OpenSSH client, execute the
following command:

        % /usr/bin/ssh -V

VII. References

The Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CAN-2003-0693 to this issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
PW0VvEnS7MMUYyekHuz49ro=
=vcm1
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:21:31 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4B10D16A4B3 for ; Tue, 16 Sep 2003 11:21:31 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7BCE343FE9 for ; Tue, 16 Sep 2003 11:20:03 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id B4BB454861; Tue, 16 Sep 2003 13:20:02 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 590A86D454; Tue, 
16 Sep 2003 13:20:02 -0500 (CDT) Date: Tue, 16 Sep 2003 13:20:02 -0500 
From: "Jacques A. Vidrine" To: Bill Swingle Message-ID: <20030916182002.GA6618@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Bill Swingle , Charles Sprickman , Ng Pheng Siong , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> <20030916171452.GA5814@madman.celabo.org> <20030916181502.GA95772@dub.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916181502.GA95772@dub.net> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:21:31 -0000

On Tue, Sep 16, 2003 at 11:15:02AM -0700, Bill Swingle wrote:
> Does either of these patches apply to RELENG_5_1?

*nod* buffer46.patch

-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:34:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5968116A4B3 for ; Tue, 16 Sep 2003 11:34:00 -0700 (PDT) Received: from amsfep11-int.chello.nl (amsfep11-int.chello.nl [213.46.243.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id C8E8243FA3 for ; Tue, 16 Sep 2003 11:33:58 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep11-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030916181929.HCAR4496.amsfep11-int.chello.nl@sitetronics.com>; Tue, 16 Sep 2003 20:19:29 +0200 Message-ID: <3F6753ED.9020700@sitetronics.com> Date: Tue, 16 Sep 2003 20:18:21 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Bill Swingle , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> <20030916171452.GA5814@madman.celabo.org> <20030916181502.GA95772@dub.net> In-Reply-To: <20030916181502.GA95772@dub.net> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:34:00 -0000

No, neither will. There's only a couple of lines to modify though, so I
just went and patched it by hand.

--Devon

Bill Swingle wrote:

>Does either of these patches apply to RELENG_5_1?
>
>-Bill
>
>On Tue, Sep 16, 2003 at 12:14:52PM -0500, Jacques A. Vidrine wrote:
>
>>On Tue, Sep 16, 2003 at 12:52:59PM -0400, Charles Sprickman wrote:
>>
>>>It hasn't hit 4.8 yet.
>>>
>>Yes it has, as well as 4.7. It will be committed to all security
>>branches down to RELENG_4_3.
>>
>>Hmm, I seem to have skipped RELENG_5_0, I'll get around to that also.
>>
>>Cheers,
>>--
>>Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
>>nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se >>_______________________________________________ >>freebsd-security@freebsd.org mailing list >>http://lists.freebsd.org/mailman/listinfo/freebsd-security >>To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" >> >> > > > From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:40:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D184D16A4B3 for ; Tue, 16 Sep 2003 11:40:36 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id DFCC543F93 for ; Tue, 16 Sep 2003 11:40:35 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 83D6354846; Tue, 16 Sep 2003 13:40:35 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 23EED6D454; Tue, 16 Sep 2003 13:40:35 -0500 (CDT) Date: Tue, 16 Sep 2003 13:40:35 -0500 
From: "Jacques A. Vidrine" To: "Devon H. O'Dell" Message-ID: <20030916184035.GB6723@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , "Devon H. O'Dell" , Bill Swingle , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> <20030916171452.GA5814@madman.celabo.org> <20030916181502.GA95772@dub.net> <3F6753ED.9020700@sitetronics.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F6753ED.9020700@sitetronics.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:40:36 -0000

On Tue, Sep 16, 2003 at 08:18:21PM +0200, Devon H. O'Dell wrote:
> No, neither will. There's only a couple of lines to modify though, so I
> just went and patched it by hand.

Eh? To what patch are you referring?

ftp://ftp2.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
applies to FreeBSD 4.3 through 4.5.
ftp://ftp2.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
applies to FreeBSD 4.6 through 5.1.

-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:41:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 17C5316A4B3; Tue, 16 Sep 2003 11:41:56 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 03FE743FA3; Tue, 16 Sep 2003 11:41:55 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08824; Tue, 16 Sep 2003 12:41:46 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20030916123558.02cfdef0@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 16 Sep 2003 12:41:14 -0600 To: "Jacques A. Vidrine" , freebsd-security@freebsd.org 
From: Brett Glass In-Reply-To: <20030916134347.GA30359@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:41:56 -0000

At 07:43 AM 9/16/2003, Jacques A. Vidrine wrote:

>OK, an official OpenSSH advisory was released, see here:
>

Interesting. During the past 48 hours, we've been probed several times by
hosts that connected to each of our servers on Port 22 and then disconnected
without authenticating. (They were probably just looking for the greeting.)
For example:

Sep 14 11:18:54 www sshd[16658]: fatal: Timeout before authentication for 62.107.50.87.

The source of the probes appears to be in Denmark.

Could it be that some party or parties knew about this before the announcement
and is probing for hosts to exploit?

--Brett Glass

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:45:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B214316A4B3 for ; Tue, 16 Sep 2003 11:45:01 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id BDA9B43FB1 for ; Tue, 16 Sep 2003 11:45:00 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 61D375485D; Tue, 16 Sep 2003 13:45:00 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 207D46D454; Tue, 16 Sep 2003 13:45:00 -0500 (CDT) Date: Tue, 16 Sep 2003 13:45:00 -0500 
From: "Jacques A. Vidrine" To: Brett Glass Message-ID: <20030916184500.GD6723@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Brett Glass , freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030916123558.02cfdef0@localhost> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:45:01 -0000

On Tue, Sep 16, 2003 at 12:41:14PM -0600, Brett Glass wrote:
> Could it be that some party or parties knew about this before the
> announcement and is probing for hosts to exploit?

There have been rumours of an ssh2 exploit for over a week. The
first concrete indication that I received that there was a bug was an
OpenBSD commit message last night.

Cheers,
-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:46:11 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5662F16A4BF for ; Tue, 16 Sep 2003 11:46:11 -0700 (PDT) Received: from theinternet.com.au (c210-49-139-216.carlnfd1.nsw.optusnet.com.au [210.49.139.216]) by mx1.FreeBSD.org (Postfix) with ESMTP id DCDF343FD7 for ; Tue, 16 Sep 2003 11:46:04 -0700 (PDT) (envelope-from akm@theinternet.com.au) Received: from theinternet.com.au (akm@localhost [127.0.0.1]) by theinternet.com.au (8.12.9/8.12.9) with ESMTP id h8GIk2BP050970; Wed, 17 Sep 2003 04:46:02 +1000 (EST) (envelope-from akm@theinternet.com.au) Received: (from akm@localhost) by theinternet.com.au (8.12.9/8.12.9/Submit) id h8GIk2vD050969; Wed, 17 Sep 2003 04:46:02 +1000 (EST) Date: Wed, 17 Sep 2003 04:46:02 +1000 
From: Andrew Kenneth Milton To: Brett Glass Message-ID: <20030916184602.GJ2230@zeus.theinternet.com.au> References: <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030916123558.02cfdef0@localhost> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:46:11 -0000

+-------[ Brett Glass ]----------------------
| Could it be that some party or parties knew about this before the announcement
| and is probing for hosts to exploit?

I don't think it's possible for zero parties to know before the
announcement.

-- 
Totally Holistic Enterprises Internet|                      | Andrew Milton
The Internet (Aust) Pty Ltd          |  M:+61 416 022 411   |
ACN: 082 081 472 ABN: 83 082 081 472 |akm@theinternet.com.au| Carpe Daemon

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:47:22 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 21AE316A4B3 for ; Tue, 16 Sep 2003 11:47:22 -0700 (PDT) Received: from moek.pir.net (moek.pir.net [130.64.1.215]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8BC3043FE3 for ; Tue, 16 Sep 2003 11:47:19 -0700 (PDT) (envelope-from pir@pir.net) Received: from pir by moek.pir.net with local (Exim) id 19zKr9-0000B7-00 for freebsd-security@freebsd.org; Tue, 16 Sep 2003 14:47:19 -0400 Date: Tue, 16 Sep 2003 14:47:18 -0400 
From: Peter Radcliffe To: freebsd-security@freebsd.org Message-ID: <20030916184718.GD25118@pir.net> Mail-Followup-To: freebsd-security@freebsd.org References: <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030916123558.02cfdef0@localhost> User-Agent: Mutt/1.4.1i X-fish: < X-Copy-On-Listmail: Please do NOT Cc: me on list mail. Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: freebsd-security@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:47:22 -0000

Brett Glass probably said:
> Interesting. During the past 48 hours, we've been probed several times by
> hosts that connected to each of our servers on Port 22 and then disconnected
> without authenticating. (They were probably just looking for the greeting.)
> For example:

I've been getting these scans periodically (up to a dozen times a day)
for the last couple of years.

P.

-- 
pir pir-sig@pir.net pir-sig@net.tufts.edu

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:50:13 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B254E16A4B3; Tue, 16 Sep 2003 11:50:13 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9F37A43F85; Tue, 16 Sep 2003 11:50:12 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id MAA08914; Tue, 16 Sep 2003 12:50:06 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. 
Message-Id: <4.3.2.7.2.20030916124550.02a55970@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 16 Sep 2003 12:49:23 -0600 To: "Jacques A. Vidrine" 
From: Brett Glass In-Reply-To: <20030916184500.GD6723@madman.celabo.org> References: <4.3.2.7.2.20030916123558.02cfdef0@localhost> <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:50:13 -0000

At 12:45 PM 9/16/2003, Jacques A. Vidrine wrote:

>There have been rumours of an ssh2 exploit for over a week. The
>first concrete indication that I received that there was a bug was an
>OpenBSD commit message last night.

Interesting.

I could scan the source, but perhaps you already have and can answer
the following questions:

1. Could the bug be exploited by someone who had not authenticated
with the server?

2. Can it be worked around by changing the configuration until one
has time to patch? (You mention that it's an SSH2 exploit; perhaps
one can disable SSH2 and use SSH1 in the interim?)
--Brett Glass From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:54:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CCAF516A538 for ; Tue, 16 Sep 2003 11:54:19 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B68E43FBD for ; Tue, 16 Sep 2003 11:54:18 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 4761A54846; Tue, 16 Sep 2003 13:54:18 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id DB6946D454; Tue, 16 Sep 2003 13:54:17 -0500 (CDT) Date: Tue, 16 Sep 2003 13:54:17 -0500 
From: "Jacques A. Vidrine" To: Brett Glass Message-ID: <20030916185417.GA6885@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Brett Glass , freebsd-security@FreeBSD.org References: <4.3.2.7.2.20030916123558.02cfdef0@localhost> <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> <4.3.2.7.2.20030916124550.02a55970@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4.3.2.7.2.20030916124550.02a55970@localhost> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@FreeBSD.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:54:19 -0000

On Tue, Sep 16, 2003 at 12:49:23PM -0600, Brett Glass wrote:
> Interesting.
>
> I could scan the source, but perhaps you already have and can answer
> the following questions:
>
> 1. Could the bug be exploited by someone who had not authenticated
> with the server?
>
> 2. Can it be worked around by changing the configuration until one
> has time to patch? (You mention that it's an SSH2 exploit; perhaps
> one can disable SSH2 and use SSH1 in the interim?)

AFAICT, you need not authenticate, it is not specific to protocol
version 2, and there is no workaround.

-- 
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 11:58:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6D73A16A4B3 for ; Tue, 16 Sep 2003 11:58:48 -0700 (PDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4F50543F85 for ; Tue, 16 Sep 2003 11:58:47 -0700 (PDT) (envelope-from damian@sentex.net) Received: from pegmatite.sentex.ca (pegmatite.sentex.ca [192.168.42.92]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h8GIwkCk078832 for ; Tue, 16 Sep 2003 14:58:46 -0400 (EDT) (envelope-from damian@sentex.net) Received: by pegmatite.sentex.ca (Postfix, from userid 1001) id 60F4117137; Tue, 16 Sep 2003 14:58:44 -0400 (EDT) Date: Tue, 16 Sep 2003 14:58:44 -0400 
From: Damian Gerow To: security@freebsd.org Message-ID: <20030916185844.GZ66001@sentex.net> References: <4.3.2.7.2.20030916123558.02cfdef0@localhost> <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> <4.3.2.7.2.20030916124550.02a55970@localhost> <20030916185417.GA6885@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916185417.GA6885@madman.celabo.org> X-GPG-Key-Id: 0xB841F142 X-GPG-Fingerprint: C7C1 E1D1 EC06 7C86 AF7C 57E6 173D 9CF6 B841 F142 X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . User-Agent: Mutt/1.5.4i X-Virus-Scanned: By Sentex Communications (lava/20020517) Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 18:58:48 -0000

Thus spake Jacques A. Vidrine (nectar@freebsd.org) [16/09/03 14:55]:
> AFAICT, you need not authenticate, it is not specific to protocol
> version 2, and there is no workaround.

So privsep won't help in this case? I haven't seen any direct mention of it
yet, and my understanding of privsep is that it happens before
authentication, so it's not clear if it would be a viable workaround or not.
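
Added example, not part of any message in this thread: the sshd log line Brett Glass quoted and Peter Radcliffe's remark that such scans are routine raise the question of how to tell a new sweep from background noise, and one way is to tally pre-authentication disconnects per source and per day. Every log line other than the first is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: tally sshd connections that ended before authentication.

# Constructed sample in syslog format. Only the first line is quoted from
# the thread; every other line and address is made up for illustration.
sample_log() {
    cat <<'EOF'
Sep 14 11:18:54 www sshd[16658]: fatal: Timeout before authentication for 62.107.50.87.
Sep 14 11:19:02 mail sshd[402]: fatal: Timeout before authentication for 62.107.50.87.
Sep 14 13:40:11 www sshd[16702]: Accepted password for alice from 192.0.2.10 port 1022 ssh2
Sep 15 02:05:37 www sshd[17011]: fatal: Timeout before authentication for 198.51.100.23.
Sep 15 02:05:39 www sshd[17013]: Did not receive identification string from 198.51.100.23
Sep 15 09:12:00 www sshd[17102]: fatal: Timeout before authentication for 62.107.50.87.
EOF
}

# Filter stdin down to pre-authentication disconnects and normalise each
# one to: <month> <day> <time> <logging host> <source address>
preauth_events() {
    awk '
    $5 ~ /^sshd\[[0-9]+\]:$/ &&
    /Timeout before authentication for |Did not receive identification string from / {
        src = $NF
        sub(/\.$/, "", src)     # the timeout message ends in a full stop
        print $1, $2, $3, $4, src
    }'
}

# One line per source, busiest first:
#   <events> <distinct logging hosts> <source> first=<ts> last=<ts>
preauth_summary() {
    preauth_events | awk '
    {
        src = $5
        ts = $1 " " $2 " " $3
        events[src]++
        if (!(src in first)) first[src] = ts
        last[src] = ts
        if (!((src, $4) in seen)) { seen[src, $4] = 1; hosts[src]++ }
    }
    END {
        for (s in events)
            printf "%d %d %s first=%s last=%s\n", events[s], hosts[s], s, first[s], last[s]
    }' | sort -k1,1nr -k3,3
}

# Sources logged by at least $1 distinct hosts. One address touching every
# server in a short window looks like a sweep, not a stray connection.
preauth_sweepers() {
    preauth_summary | awk -v min="$1" '$2 >= min { print $3 }'
}

# Events per calendar day, in log order, for comparison with the rate a
# site normally sees.
preauth_per_day() {
    preauth_events | awk '
    {
        d = $1 " " $2
        if (!(d in count)) name[++n] = d
        count[d]++
    }
    END { for (i = 1; i <= n; i++) print name[i], count[name[i]] }'
}

sample_log | preauth_summary
```

Feed it the file sshd logs to on each server, concatenated, so that the host count reflects the whole site rather than one machine.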
From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:02:33 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 21A6F16A4B3 for ; Tue, 16 Sep 2003 12:02:33 -0700 (PDT) Received: from lariat.org (lariat.org [63.229.157.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5530A43FB1 for ; Tue, 16 Sep 2003 12:02:31 -0700 (PDT) (envelope-from brett@lariat.org) Received: from mustang.lariat.org (IDENT:ppp1000.lariat.org@lariat.org [63.229.157.2]) by lariat.org (8.9.3/8.9.3) with ESMTP id NAA09040; Tue, 16 Sep 2003 13:02:25 -0600 (MDT) X-message-flag: Warning! Use of Microsoft Outlook renders your system susceptible to Internet worms. Message-Id: <4.3.2.7.2.20030916125523.02a52310@localhost> X-Sender: brett@localhost X-Mailer: QUALCOMM Windows Eudora Version 4.3.2 Date: Tue, 16 Sep 2003 12:56:08 -0600 To: freebsd-security@freebsd.org, freebsd-security@freebsd.org 
From: Brett Glass In-Reply-To: <20030916184718.GD25118@pir.net> References: <4.3.2.7.2.20030916123558.02cfdef0@localhost> <20030916134347.GA30359@madman.celabo.org> <4.3.2.7.2.20030916123558.02cfdef0@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 19:02:33 -0000

At 12:47 PM 9/16/2003, Peter Radcliffe wrote:

>I've been getting these scans periodically (up to a dozen times a day)
>for the last couple of years.

That's good to know. We haven't, though, so I was wondering if the scans
might be connected to the bug.

--Brett

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:10:52 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8922A16A4D5; Tue, 16 Sep 2003 12:10:52 -0700 (PDT) Received: from amsfep16-int.chello.nl (amsfep16-int.chello.nl [213.46.243.26]) by mx1.FreeBSD.org (Postfix) with ESMTP id DA87643F93; Tue, 16 Sep 2003 12:10:48 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep16-int.chello.nl ESMTP <20030916191047.OTAO24754.amsfep16-int.chello.nl@sitetronics.com>; Tue, 16 Sep 2003 21:10:47 +0200 Message-ID: <3F675FF5.2070605@sitetronics.com> Date: Tue, 16 Sep 2003 21:09:41 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: "Jacques A. Vidrine" References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> <20030916171452.GA5814@madman.celabo.org> <20030916181502.GA95772@dub.net> <3F6753ED.9020700@sitetronics.com> <20030916184035.GB6723@madman.celabo.org> In-Reply-To: <20030916184035.GB6723@madman.celabo.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 19:10:52 -0000

Using buffer46.patch you provided in the earlier email here (haven't
tried the SA) I was unable to patch a 5.1-REL system -- both hunks
failed. I think there were a couple extra comments in the header, but
I'm not sure; I didn't look too hard. I just edited it by hand.

--Devon

Jacques A. Vidrine wrote:

>On Tue, Sep 16, 2003 at 08:18:21PM +0200, Devon H. O'Dell wrote:
>
>>No, neither will. There's only a couple of lines to modify though, so I
>>just went and patched it by hand.
>>
>
>Eh? To what patch are you referring?
>
>ftp://ftp2.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
>applies to FreeBSD 4.3 through 4.5.
>ftp://ftp2.freebsd.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
>applies to FreeBSD 4.6 through 5.1.
> > From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:25:25 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 324D316A4B3 for ; Tue, 16 Sep 2003 12:25:25 -0700 (PDT) Received: from mx2.nersc.gov (mx2.nersc.gov [128.55.6.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 49FB543FA3 for ; Tue, 16 Sep 2003 12:25:24 -0700 (PDT) (envelope-from dart@nersc.gov) Received: from mx2.nersc.gov (localhost [127.0.0.1]) by localhost.nersc.gov (Postfix) with ESMTP id 724A9776E for ; Tue, 16 Sep 2003 12:25:23 -0700 (PDT) Received: from gemini.nersc.gov (gemini.nersc.gov [128.55.16.111]) by mx2.nersc.gov (Postfix) with ESMTP id 2D6497767 for ; Tue, 16 Sep 2003 12:25:23 -0700 (PDT) Received: from gemini.nersc.gov (localhost [127.0.0.1]) by gemini.nersc.gov (Postfix) with ESMTP id 1CFAEF8EB for ; Tue, 16 Sep 2003 12:25:23 -0700 (PDT) X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4 To: freebsd-security@freebsd.org In-Reply-To: Message from Brett Glass <4.3.2.7.2.20030916123558.02cfdef0@localhost> Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_1688024332P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Tue, 16 Sep 2003 12:25:23 -0700 
From: Eli Dart Message-Id: <20030916192523.1CFAEF8EB@gemini.nersc.gov> Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 19:25:25 -0000

--==_Exmh_1688024332P
Content-Type: text/plain; charset=us-ascii

In reply to Brett Glass :

> At 07:43 AM 9/16/2003, Jacques A. Vidrine wrote:
>
> Could it be that some party or parties knew about this before the announcement
> and is probing for hosts to exploit?

I always assume that the blackhats are at least 6 to 12 months ahead
of public disclosure.... The kiddies may not have as much of a lead,
depending on how good their sources for exploit code are, but one
should assume that Smart Bad People can own one's machines if one's
only defense is a current patch set.

--eli

>
> --Brett Glass
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

--==_Exmh_1688024332P
Content-Type: application/pgp-signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)
Comment: Exmh version 2.5 07/13/2001

iD8DBQE/Z2OjLTFEeF+CsrMRAinEAJ0XRjXxvKgIP6g86MsC4XvJQJ5OOgCgni/a
Sq+D56RaPe+kVu45YRC38B8=
=s+Nj
-----END PGP SIGNATURE-----

--==_Exmh_1688024332P--

From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 12:53:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0FFF716A4C1 for ; Tue, 16 Sep 2003 12:53:05 -0700 (PDT) Received: from aeimail.aei.ca (aeimail.aei.ca [206.123.6.14]) by mx1.FreeBSD.org (Postfix) with ESMTP id 17C6343FD7 for ; Tue, 16 Sep 2003 12:53:03 -0700 (PDT) (envelope-from anarcat@anarcat.ath.cx) 
Received: from shall.anarcat.ath.cx (jnzhcxnppdzsjmi4@dsl-133-58.aei.ca [66.36.133.58]) by aeimail.aei.ca (8.11.6/8.10.1) with ESMTP id h8GJr2208272 for ; Tue, 16 Sep 2003 15:53:02 -0400 (EDT) Received: from oder.anarcat.ath.cx (oder.anarcat.ath.cx [192.168.0.32]) by shall.anarcat.ath.cx (Postfix) with SMTP id ADC902F for ; Tue, 16 Sep 2003 15:53:00 -0400 (EDT) Received: by oder.anarcat.ath.cx (sSMTP sendmail emulation); Tue, 16 Sep 2003 15:53:00 -0400 Date: Tue, 16 Sep 2003 15:53:00 -0400 
From: The Anarcat To: security@freebsd.org Message-ID: <20030916195300.GE515@inso.ath.cx> References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="1Ow488MNN9B9o/ov" Content-Disposition: inline In-Reply-To: <200309161817.h8GIH1GL072348@freefall.freebsd.org> User-Agent: Mutt/1.5.4i Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 19:53:05 -0000 --1Ow488MNN9B9o/ov Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable really nothing but... [...] > Be sure to restart `sshd' after updating. > > # kill `cat /var/run/sshd.pid` > # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) the path to sshd should be something more like /usr/sbin/sshd, no? A. -- There has been only one Christian. They caught him and crucified him -- early. 
- Mark Twain --1Ow488MNN9B9o/ov Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (GNU/Linux) iD8DBQE/Z2octtcWHAnWiGcRAj+YAJ9tXAx1wwU4lFfXe9+r6OwxMS/IoQCgiLZX mK/U9Rs+vZODEJVu7RHdFg4= =mPaP -----END PGP SIGNATURE----- --1Ow488MNN9B9o/ov-- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 13:12:23 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4A7BC16A4B3 for ; Tue, 16 Sep 2003 13:12:23 -0700 (PDT) Received: from amsfep11-int.chello.nl (amsfep11-int.chello.nl [213.46.243.20]) by mx1.FreeBSD.org (Postfix) with ESMTP id A298A43FA3 for ; Tue, 16 Sep 2003 13:12:19 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep11-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030916201217.LABD4496.amsfep11-int.chello.nl@sitetronics.com>; Tue, 16 Sep 2003 22:12:17 +0200 Message-ID: <3F676E5F.4090409@sitetronics.com> Date: Tue, 16 Sep 2003 22:11:11 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: tburress@sjca.edu References: <20030916134347.GA30359@madman.celabo.org> <20030916161121.GA91300@madman.celabo.org> <20030916164747.GA536@vista.netmemetic.com> <20030916125051.N60189@shell.inch.com> <20030916171452.GA5814@madman.celabo.org> <20030916181502.GA95772@dub.net> <3F6753ED.9020700@sitetronics.com> <20030916184035.GB6723@madman.celabo.org> <3F675FF5.2070605@sitetronics.com> <20030916155619.O9821@causasui.polity.sjca.edu> In-Reply-To: <20030916155619.O9821@causasui.polity.sjca.edu> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 20:12:23 -0000 tburress@sjca.edu wrote >On Tue, 16 Sep 2003, Devon H. O'Dell wrote: > > > >>Using buffer46.patch you provided in the earlier email here (haven't >>tried the SA) I was unable to patch a 5.1-REL system -- both hunks >>failed. I think there were a couple extra comments in the header, but >>I'm not sure; I didn't look too hard. I just edited it by hand. >> >> > >I got it to work on 5.1-REL using buffer46.patch; I used the patch as it >came from the email above, and everything went smoothly. > > Ah well. Unless anybody's terribly worried that I've got some sort of horrible trojan (you know, one of those non-existent ones that turns a typecast into a rootshell), I think I'm okay. ;). 
--Devon From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 17:57:47 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CE32C16A4B3 for ; Tue, 16 Sep 2003 17:57:47 -0700 (PDT) Received: from mx01.bos.ma.towardex.com (a65-124-16-8.svc.towardex.com [65.124.16.8]) by mx1.FreeBSD.org (Postfix) with ESMTP id E657743FA3 for ; Tue, 16 Sep 2003 17:57:46 -0700 (PDT) (envelope-from haesu@mx01.bos.ma.towardex.com) Received: by mx01.bos.ma.towardex.com (TowardEX ESMTP 3.0p11_DAKN, from userid 1001) id 5BF3E2F8F9; Tue, 16 Sep 2003 20:58:05 -0400 (EDT) Date: Tue, 16 Sep 2003 20:58:05 -0400 From: Haesu To: freebsd-security@freebsd.org Message-ID: <20030917005805.GA51599@scylla.towardex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.4.1i Subject: [alambert@quickfire.org: Heads up -- potential problems in 3.7, too? [Fwd: OpenSSH Security Advisory: buffer.adv]] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 00:57:47 -0000 Is anybody aware of this? -hc ----- Forwarded message from Alex Lambert ----- 3.7.1 was just released. Two patches for similar issues in a very short timeframe. Who do they think they are -- Microsoft? apl -------- Original Message -------- Subject: OpenSSH Security Advisory: buffer.adv Date: Wed, 17 Sep 2003 01:13:30 +0200 
From: Markus Friedl To: misc@openbsd.org This is the 2nd revision of the Advisory. This document can be found at: http://www.openssh.com/txt/buffer.adv 1. Versions affected: All versions of OpenSSH's sshd prior to 3.7.1 contain buffer management errors. It is uncertain whether these errors are potentially exploitable, however, we prefer to see bugs fixed proactively. Other implementations sharing common origin may also have these issues. 2. Solution: Upgrade to OpenSSH 3.7.1 or apply the following patch. =================================================================== Appendix A: patch for OpenSSH 3.6.1 and earlier Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.16 retrieving revision 1.18 diff -u -r1.16 -r1.18 --- buffer.c 26 Jun 2002 08:54:18 -0000 1.16 +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 @@ -23,8 +23,11 @@ void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } @@ -34,8 +37,10 @@ void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* @@ -69,6 +74,7 @@ void * buffer_append_space(Buffer *buffer, u_int len) { + u_int newlen; void *p; if (len > 0x100000) 
@@ -98,11 +104,13 @@ goto restart; } /* Increase the size of the buffer and retry. */ - buffer->alloc += len + 32768; - if (buffer->alloc > 0xa00000) + + newlen = buffer->alloc + len + 32768; + if (newlen > 0xa00000) fatal("buffer_append_space: alloc %u not supported", - buffer->alloc); - buffer->buf = xrealloc(buffer->buf, buffer->alloc); + newlen); + buffer->buf = xrealloc(buffer->buf, newlen); + buffer->alloc = newlen; goto restart; /* NOTREACHED */ } Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.194 retrieving revision 1.195 diff -u -r1.194 -r1.195 --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 @@ -228,12 +228,13 @@ if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; } =================================================================== Appendix B: patch for OpenSSH 3.7 Index: buffer.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/buffer.c,v retrieving revision 1.17 retrieving revision 1.18 diff -u -r1.17 -r1.18 --- buffer.c 16 Sep 2003 03:03:47 -0000 1.17 +++ buffer.c 16 Sep 2003 21:02:39 -0000 1.18 @@ -23,8 +23,11 @@ void buffer_init(Buffer *buffer) { - buffer->alloc = 4096; - buffer->buf = xmalloc(buffer->alloc); + const u_int len = 4096; + + buffer->alloc = 0; + buffer->buf = xmalloc(len); + buffer->alloc = len; buffer->offset = 0; buffer->end = 0; } 
@@ -34,8 +37,10 @@ void buffer_free(Buffer *buffer) { - memset(buffer->buf, 0, buffer->alloc); - xfree(buffer->buf); + if (buffer->alloc > 0) { + memset(buffer->buf, 0, buffer->alloc); + xfree(buffer->buf); + } } /* Index: channels.c =================================================================== RCS file: /cvs/src/usr.bin/ssh/channels.c,v retrieving revision 1.194 retrieving revision 1.195 diff -u -r1.194 -r1.195 --- channels.c 29 Aug 2003 10:04:36 -0000 1.194 +++ channels.c 16 Sep 2003 21:02:40 -0000 1.195 
@@ -228,12 +228,13 @@ if (found == -1) { /* There are no free slots. Take last+1 slot and expand the array. */ found = channels_alloc; - channels_alloc += 10; if (channels_alloc > 10000) fatal("channel_new: internal error: channels_alloc %d " "too big.", channels_alloc); + channels = xrealloc(channels, + (channels_alloc + 10) * sizeof(Channel *)); + channels_alloc += 10; debug2("channel: expanding %d", channels_alloc); - channels = xrealloc(channels, channels_alloc * sizeof(Channel *)); for (i = found; i < channels_alloc; i++) channels[i] = NULL; } =================================================================== ----- End forwarded message ----- -- Sincerely, Haesu C. TowardEX Technologies, Inc. WWW: http://www.towardex.com E-mail: haesu@towardex.com Cell: (978) 394-2867 From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 18:12:58 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 43DBB16A9BC for ; Tue, 16 Sep 2003 18:12:58 -0700 (PDT) Received: from ike.othius.com (24-90-215-123.nyc.rr.com [24.90.215.123]) by mx1.FreeBSD.org (Postfix) with ESMTP id 6295B43FA3 for ; Tue, 16 Sep 2003 18:12:57 -0700 (PDT) (envelope-from justin@othius.com) Received: from localhost (justin@localhost [127.0.0.1]) by ike.othius.com (8.12.8p1/8.12.8) with ESMTP id h8H18hKX017020 for ; Tue, 16 Sep 2003 21:08:44 -0400 (EDT) (envelope-from justin@othius.com) Date: Tue, 16 Sep 2003 21:08:36 -0400 (EDT) 
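Review bot: in the buffer_free() hunk (identical in Appendix A and Appendix B), the new `if (buffer->alloc > 0)` guard zeroes and frees the buffer but leaves buffer->alloc at its old value, so a second buffer_free() on the same Buffer passes the guard again and runs memset() and xfree() on memory that has already been released. Setting `buffer->alloc = 0;` inside the block, before `xfree(buffer->buf);`, would make the guard hold after the first call as well as before buffer_init() has finished.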
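Review bot: in the buffer_append_space() hunk of Appendix A, nothing documents why buffer->alloc is now assigned only after xrealloc() returns, and that ordering is the whole fix: fatal() can run between the range check and the assignment, and its cleanup trusts buffer->alloc. A one-line comment above `buffer->alloc = newlen;` stating that the recorded size must never be ahead of the real allocation would keep a later cleanup from moving the assignment back up. The sum `buffer->alloc + len + 32768` is u_int arithmetic and stays clear of wrap-around only because of the `len > 0x100000` check in the context lines and the 0xa00000 cap, so naming those limits as constants would make that dependency visible.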
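Review bot: in the channels.c hunk (identical in both appendices), moving `channels_alloc += 10;` below the `channels_alloc > 10000` test means the test now sees the pre-growth value, so the array can grow to 10010 entries where the previous ordering stopped at 10000, and the fatal() message reports the old size. If 10000 is meant as a hard cap, test `channels_alloc + 10 > 10000` before the xrealloc(); otherwise a short comment that the limit applies to the size before expansion would avoid confusion.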
From: Justin To: freebsd-security@freebsd.org Message-ID: <20030916210328.U442@ike.othius.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII X-Scanned-By: MIMEDefang 2.37 Subject: OpenSSH 3.7.1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 01:12:58 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2 http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2 Does this affect FreeBSD? - -Justin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/Z7QbdYQBw9Ox1VgRAsb2AJ0eZxI/s3Q5KJQxvgROLM8FnU1kiQCfSsma XcJ/R/6s9yQJwBTYDeWI2+Y= =BoVH -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 18:33:35 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E3C416A4B3 for ; Tue, 16 Sep 2003 18:33:35 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 906A343F85 for ; Tue, 16 Sep 2003 18:33:34 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 4A80054840; Tue, 16 Sep 2003 20:33:34 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id D14296D454; Tue, 16 Sep 2003 20:33:33 -0500 (CDT) Date: Tue, 16 Sep 2003 20:33:33 -0500 
From: "Jacques A. Vidrine" To: Haesu Message-ID: <20030917013333.GD79049@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Haesu , freebsd-security@freebsd.org References: <20030917005805.GA51599@scylla.towardex.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030917005805.GA51599@scylla.towardex.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Enough already (was Re: [alambert@quickfire.org: Heads up -- potential problems in 3.7, too? [Fwd: OpenSSH Security Advisory: buffer.adv]]) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 01:33:35 -0000 On Tue, Sep 16, 2003 at 08:58:05PM -0400, Haesu wrote: > Is anybody aware of this? Yes, and that may not be the last of it. I humbly suggest that folks stop mailing freebsd-security with these OpenSSH issues. It is just noise for most readers. I will post as fixes are incorporated into FreeBSD. I more strongly suggest you stop mailing *me* about them :-) I get reports from the authors already-- it is somewhat distracting to receive a dozen mostly-duplicate forwarded emails for each breaking detail. I always appreciate reports and do not usually mind duplicates-- I'd rather hear about an issue many times than not at all. But in this specific case, I'm getting too much mail. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 22:44:31 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C6ED116A4B3 for ; Tue, 16 Sep 2003 22:44:31 -0700 (PDT) Received: from post-20.mail.nl.demon.net (post-20.mail.nl.demon.net [194.159.73.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id ADA8C43FBD for ; Tue, 16 Sep 2003 22:44:30 -0700 (PDT) (envelope-from apehaar@text-only.demon.nl) Received: from [212.238.193.97] (helo=horcy) by post-20.mail.nl.demon.net with smtp (Exim 3.36 #2) id 19zV77-000L8x-00 for security@freebsd.org; Wed, 17 Sep 2003 05:44:29 +0000 Message-ID: <006301c37cde$c36dc200$0201a8c0@horcy> From: "horcy" To: References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> Date: Wed, 17 Sep 2003 07:44:29 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="Windows-1252" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 05:44:32 -0000 # kill `cat /var/run/sshd.pid` # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) how do i run that second line. # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) yes i'm a n00b but what ever i try i get some error msg telling me that it didnt work. i just started sshd with: sh /usr/sbin/sshd and worked too. But you would make me a very happy n00b if somebody can explain it :-) Regards, horcy http://www.text-only.demon.nl ----- Original Message ----- 
From: "FreeBSD Security Advisories" To: "FreeBSD Security Advisories" Sent: Tuesday, September 16, 2003 8:17 PM Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > ============================================================================ = > FreeBSD-SA-03:12 Security Advisory > FreeBSD, Inc. > > Topic: OpenSSH buffer management error > > Category: core, ports > Module: openssh, ports_openssh, openssh-portable > Announced: 2003-09-16 > Credits: The OpenSSH Project > Affects: All FreeBSD releases after 4.0-RELEASE > FreeBSD 4-STABLE prior to the correction date > openssh port prior to openssh-3.6.1_1 > openssh-portable port prior to openssh-portable-3.6.1p2_1 > Corrected: 2003-09-16 16:24:02 UTC (RELENG_4) > 2003-09-16 16:27:57 UTC (RELENG_5_1) > 2003-09-16 17:34:32 UTC (RELENG_5_0) > 2003-09-16 16:24:02 UTC (RELENG_4_8) > 2003-09-16 16:45:16 UTC (RELENG_4_7) > 2003-09-16 17:44:15 UTC (RELENG_4_6) > 2003-09-16 17:45:23 UTC (RELENG_4_5) > 2003-09-16 17:46:02 UTC (RELENG_4_4) > 2003-09-16 17:46:37 UTC (RELENG_4_3) > 2003-09-16 12:43:09 UTC (ports/security/openssh) > 2003-09-16 12:43:10 UTC (ports/security/openssh-portable) > CVE: CAN-2003-0693 > FreeBSD only: NO > > I. Background > > OpenSSH is a free version of the SSH protocol suite of network > connectivity tools. OpenSSH encrypts all traffic (including > passwords) to effectively eliminate eavesdropping, connection > hijacking, and other network-level attacks. Additionally, OpenSSH > provides a myriad of secure tunneling capabilities, as well as a > variety of authentication methods. `ssh' is the client application, > while `sshd' is the server. > > II. Problem Description > > When a packet is received that is larger than the space remaining in > the currently allocated buffer, OpenSSH's buffer management attempts > to reallocate a larger buffer. During this process, the recorded size > of the buffer is increased. The new size is then range checked. 
If > the range check fails, then fatal() is called to cleanup and exit. > In some cases, the cleanup code will attempt to zero and free the > buffer that just had its recorded size (but not actual allocation) > increased. As a result, memory outside of the allocated buffer will > be overwritten with NUL bytes. > > III. Impact > > A remote attacker can cause OpenSSH to crash. The bug is not believed > to be exploitable for code execution on FreeBSD. > > IV. Workaround > > Do one of the following: > > 1) Disable the base system sshd by executing the following command as > root: > > # kill `cat /var/run/sshd.pid` > > Be sure that sshd is not restarted when the system is restarted > by adding the following line to the end of /etc/rc.conf: > > sshd_enable="NO" > > AND > > Deinstall the openssh or openssh-portable ports if you have one of > them installed. > > V. Solution > > Do one of the following: > > [For OpenSSH included in the base system] > > 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1, > RELENG_4_8, or RELENG_4_7 security branch dated after > the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or > 4.7-RELEASE-p15, respectively). > > 2) FreeBSD systems prior to the correction date: > > The following patches have been verified to apply to FreeBSD 4.x and > FreeBSD 5.x systems prior to the correction date. > > Download the appropriate patch and detached PGP signature from the following > locations, and verify the signature using your PGP utility. 
> > [FreeBSD 4.3 through 4.5] > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc > > [FreeBSD 4.6 and later, FreeBSD 5.0 and later] > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc > > Execute the following commands as root: > > # cd /usr/src > # patch < /path/to/sshd.patch > # cd /usr/src/secure/lib/libssh > # make depend && make all install > # cd /usr/src/secure/usr.sbin/sshd > # make depend && make all install > # cd /usr/src/secure/usr.bin/ssh > # make depend && make all install > > Be sure to restart `sshd' after updating. > > # kill `cat /var/run/sshd.pid` > # (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) > > [For the OpenSSH ports] > > One of the following: > > 1) Upgrade your entire ports collection and rebuild the OpenSSH port. > > 2) Deinstall the old package and install a new package obtained from > the following directory: > > [i386] > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ > > [other platforms] > Packages are not automatically generated for other platforms at this > time due to lack of build resources. > > 3) Download a new port skeleton for the openssh or openssh-portable > port from: > > http://www.freebsd.org/ports/ > > and use it to rebuild the port. > > 4) Use the portcheckout utility to automate option (3) above. The > portcheckout port is available in /usr/ports/devel/portcheckout or the > package can be obtained from: > > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz > ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz > > Be sure to restart `sshd' after updating. > > # kill `cat /var/run/sshd.pid` > # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start > > VI. 
Correction details > > The following list contains the revision numbers of each file that was > corrected in the FreeBSD base system and ports collection. > > Branch Revision > Path > - ------------------------------------------------------------------------ - > [Base system] > RELENG_4 > src/crypto/openssh/buffer.c 1.1.1.1.2.5 > src/crypto/openssh/version.h 1.1.1.1.2.11 > RELENG_5_1 > src/UPDATING 1.251.2.4 > src/crypto/openssh/buffer.c 1.1.1.6.4.1 > src/crypto/openssh/version.h 1.20.2.1 > src/sys/conf/newvers.sh 1.50.2.5 > RELENG_5_0 > src/UPDATING 1.229.2.18 > src/crypto/openssh/buffer.c 1.1.1.6.2.1 > src/crypto/openssh/version.h 1.18.2.1 > src/sys/conf/newvers.sh 1.48.2.13 > RELENG_4_8 > src/UPDATING 1.73.2.80.2.7 > src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.1 > src/crypto/openssh/version.h 1.1.1.1.2.10.2.1 > src/sys/conf/newvers.sh 1.44.2.29.2.6 > RELENG_4_7 > src/UPDATING 1.73.2.74.2.18 > src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.1 > src/crypto/openssh/version.h 1.1.1.1.2.9.2.1 > src/sys/conf/newvers.sh 1.44.2.26.2.17 > RELENG_4_6 > src/UPDATING 1.73.2.68.2.46 > src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.2 > src/crypto/openssh/version.h 1.1.1.1.2.8.2.2 > src/sys/conf/newvers.sh 1.44.2.23.2.35 > RELENG_4_5 > src/UPDATING 1.73.2.50.2.47 > src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.1 > src/crypto/openssh/version.h 1.1.1.1.2.7.2.2 > src/sys/conf/newvers.sh 1.44.2.20.2.31 > RELENG_4_4 > src/UPDATING 1.73.2.43.2.48 > src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.1 > src/crypto/openssh/version.h 1.1.1.1.2.5.2.3 > src/sys/conf/newvers.sh 1.44.2.17.2.39 > RELENG_4_3 > src/UPDATING 1.73.2.28.2.35 > src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.1 > src/crypto/openssh/version.h 1.1.1.1.2.4.2.3 > src/sys/conf/newvers.sh 1.44.2.14.2.25 > [Ports] > ports/security/openssh-portable/Makefile 1.73 > ports/security/openssh-portable/files/patch-buffer.c 1.1 > ports/security/openssh/Makefile 1.120 > ports/security/openssh/files/patch-buffer.c 1.1 > - 
------------------------------------------------------------------------ - > > Branch Version string > - ------------------------------------------------------------------------ - > HEAD OpenSSH_3.6.1p1 FreeBSD-20030916 > RELENG_4 OpenSSH_3.5p1 FreeBSD-20030916 > RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030916 > RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030916 > RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030916 > RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030916 > RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030916 > RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030916 > RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030916 > - ------------------------------------------------------------------------ - > > To view the version string of the OpenSSH server, execute the > following command: > > % /usr/sbin/sshd -\? > > The version string is also displayed when a client connects to the > server. > > To view the version string of the OpenSSH client, execute the > following command: > > % /usr/bin/ssh -V > > VII. References > > > > The Common Vulnerabilities and Exposures project (cve.mitre.org) has > assigned the name CAN-2003-0693 to this issue. 
> > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.2.3 (FreeBSD) > > iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ > PW0VvEnS7MMUYyekHuz49ro= > =vcm1 > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 23:25:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 64BA016A4B3 for ; Tue, 16 Sep 2003 23:25:19 -0700 (PDT) Received: from post-20.mail.nl.demon.net (post-20.mail.nl.demon.net [194.159.73.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id C881543F3F for ; Tue, 16 Sep 2003 23:25:18 -0700 (PDT) (envelope-from apehaar@text-only.demon.nl) Received: from [212.238.193.97] (helo=horcy) by post-20.mail.nl.demon.net with smtp (Exim 3.36 #2) id 19zVkb-000NOO-00 for security@freebsd.org; Wed, 17 Sep 2003 06:25:17 +0000 Message-ID: <006f01c37ce4$770686d0$0201a8c0@horcy> 
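The ordering problem described in section II of FreeBSD-SA-03:12, quoted in the message above, as an added example that is not part of the advisory or of OpenSSH's code: a small model in which fatal()'s cleanup is replaced by a function that reports how many bytes past the real allocation it would have zeroed. The `real` field, the function names and the return-code convention are assumptions of the model; the 4096, 32768, 0x100000 and 0xa00000 values are the ones visible in the buffer.c patch posted earlier in this thread.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constants visible in the buffer.c patch on this page. */
#define BUF_INIT  4096u
#define BUF_SLACK 32768u
#define BUF_MAX   0xa00000u
#define LEN_MAX   0x100000u

typedef struct {
    unsigned char *buf;
    unsigned int alloc;  /* recorded size: what the cleanup code trusts */
    unsigned int real;   /* model-only assumption: bytes actually allocated */
} Buffer;

static void buf_init(Buffer *b)
{
    b->alloc = 0;
    b->real = 0;
    b->buf = malloc(BUF_INIT);
    if (b->buf != NULL) {
        b->alloc = BUF_INIT;
        b->real = BUF_INIT;
    }
}

/* Stand-in for the cleanup that fatal() triggers. It returns how many bytes
 * beyond the real allocation a memset(buf, 0, alloc) would have written,
 * and itself zeroes only what is really there. */
static unsigned int cleanup_overrun(Buffer *b)
{
    unsigned int over = 0;

    if (b->alloc > 0) {
        unsigned int n = b->alloc;
        if (n > b->real) {       /* recorded size is ahead of reality */
            over = n - b->real;
            n = b->real;         /* the model stays in bounds */
        }
        memset(b->buf, 0, n);
        b->alloc = 0;
        b->real = 0;
        free(b->buf);
        b->buf = NULL;
    }
    return over;
}

/* Pre-patch ordering: record the new size first, range-check afterwards.
 * Returns -1 where the original would call fatal(). */
static int grow_vulnerable(Buffer *b, unsigned int len)
{
    unsigned char *p;

    b->alloc += len + BUF_SLACK;
    if (b->alloc > BUF_MAX)
        return -1;               /* alloc is already inflated here */
    p = realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->real = b->alloc;
    return 0;
}

/* Patched ordering: compute and check a local, commit only after realloc. */
static int grow_fixed(Buffer *b, unsigned int len)
{
    unsigned int newlen = b->alloc + len + BUF_SLACK;
    unsigned char *p;

    if (newlen > BUF_MAX)
        return -1;               /* alloc still matches the allocation */
    p = realloc(b->buf, newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = newlen;
    b->real = newlen;
    return 0;
}

/* Grow with maximum-size requests until the range check trips, then run the
 * cleanup and report the overrun it would have caused. */
unsigned int overrun_after_failed_grow(int use_fixed)
{
    Buffer b;
    int rc;

    buf_init(&b);
    if (b.alloc == 0)
        return 0;
    do {
        rc = use_fixed ? grow_fixed(&b, LEN_MAX) : grow_vulnerable(&b, LEN_MAX);
    } while (rc == 0);
    return cleanup_overrun(&b);
}

int main(void)
{
    printf("pre-patch overrun: %u bytes\n", overrun_after_failed_grow(0));
    printf("patched overrun:   %u bytes\n", overrun_after_failed_grow(1));
    return 0;
}
```
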
From: "horcy" To: Date: Wed, 17 Sep 2003 08:25:18 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: thx Mike && Troy -nt- X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 06:25:19 -0000 -nt- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 23:34:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id AF5FF16A4B3 for ; Tue, 16 Sep 2003 23:34:57 -0700 (PDT) Received: from obsecurity.dyndns.org (adsl-64-169-107-253.dsl.lsan03.pacbell.net [64.169.107.253]) by mx1.FreeBSD.org (Postfix) with ESMTP id 896C043FBF for ; Tue, 16 Sep 2003 23:34:56 -0700 (PDT) (envelope-from kris@obsecurity.org) Received: from rot13.obsecurity.org (rot13.obsecurity.org [10.0.0.5]) by obsecurity.dyndns.org (Postfix) with ESMTP id 83CAE66CFA; Tue, 16 Sep 2003 23:34:50 -0700 (PDT) Received: by rot13.obsecurity.org (Postfix, from userid 1000) id 4FD11A88; Tue, 16 Sep 2003 23:34:50 -0700 (PDT) Date: Tue, 16 Sep 2003 23:34:50 -0700 
From: Kris Kennaway To: Justin Message-ID: <20030917063450.GA14894@rot13.obsecurity.org> References: <20030916210328.U442@ike.othius.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="7AUc2qLy4jB3hD7Z" Content-Disposition: inline In-Reply-To: <20030916210328.U442@ike.othius.com> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: OpenSSH 3.7.1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 06:34:57 -0000 --7AUc2qLy4jB3hD7Z Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Tue, Sep 16, 2003 at 09:08:36PM -0400, Justin wrote: > > http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2 > > http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2 > > Does this affect FreeBSD? > How about you actually read the FreeBSD mailing lists before asking the same question that has been asked n times already today. 
Kris --7AUc2qLy4jB3hD7Z Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/aACJWry0BWjoQKURAszNAJ9SAoGFAgXzeds38eQ28vU7/8p08ACgtVVr kgW1x/P6z6UDlLk/X/+mGQ0= =I8eZ -----END PGP SIGNATURE----- --7AUc2qLy4jB3hD7Z-- From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 23:53:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8169716A4B3 for ; Tue, 16 Sep 2003 23:53:03 -0700 (PDT) Received: from pd3mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 688E143F3F for ; Tue, 16 Sep 2003 23:53:02 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from pd3mr1so.prod.shaw.ca (pd3mr1so-ser.prod.shaw.ca [10.0.141.177])2003)) with ESMTP id <0HLC0047MGB1XU@l-daemon> for security@freebsd.org; Tue, 16 Sep 2003 23:52:13 -0600 (MDT) Received: from pn2ml4so.prod.shaw.ca (pn2ml4so-qfe0.prod.shaw.ca [10.0.121.148]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HLC00C22GB14K@l-daemon> for security@freebsd.org; Tue, 16 Sep 2003 23:52:13 -0600 (MDT) Received: from piii600.wadham.ox.ac.uk (h24-87-233-42.vc.shawcable.net [24.87.233.42]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HLC00F37GB0N2@l-daemon> for security@freebsd.org; Tue, 16 Sep 2003 23:52:13 -0600 (MDT) Date: Tue, 16 Sep 2003 22:52:10 -0700 
From: Colin Percival In-reply-to: <006301c37cde$c36dc200$0201a8c0@horcy> X-Sender: cperciva@popserver.sfu.ca To: horcy , security@freebsd.org Message-id: <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 06:53:03 -0000 At 07:44 17/09/2003 +0200, horcy wrote: ># (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags}) > >yes i'm a n00b but what ever i try i get some error msg telling me that it >didnt work. i just started sshd with: >sh /usr/sbin/sshd and worked too. >But you would make me a very happy n00b if somebody can explain it :-) It's a typographical error -- it should have been ># (. 
/etc/rc.conf && ${sshd_program:-/usr/sbin/sshd} ${sshd_flags}) ^^^^^^^^^^^^^^ Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 00:36:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BA18216A4B3 for ; Wed, 17 Sep 2003 00:36:04 -0700 (PDT) Received: from msresearch.ma.cx (D950b.pppool.de [80.184.149.11]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5F2B043F75 for ; Wed, 17 Sep 2003 00:36:01 -0700 (PDT) (envelope-from root@msresearch.ma.cx) Received: from msresearch.ma.cx (localhost.msresearch.org [127.0.0.1]) by msresearch.ma.cx (8.12.9/8.12.9) with ESMTP id h8H7ZHnV049800; Wed, 17 Sep 2003 09:35:18 +0200 (CEST) (envelope-from root@msresearch.ma.cx) Received: (from root@localhost) by msresearch.ma.cx (8.12.9/8.12.9/Submit) id h8H7ZFAn049799; Wed, 17 Sep 2003 09:35:15 +0200 (CEST) (envelope-from root) Date: Wed, 17 Sep 2003 09:35:15 +0200 
From: michael To: Nikolay Kanchev , freebsd-security@freebsd.org Message-ID: <20030917073514.GA49432@brenner.msresearch.org> References: <20030916182147.2C2A816A4C0@hub.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030916182147.2C2A816A4C0@hub.freebsd.org> User-Agent: Mutt/1.4.1i Subject: Re: freebsd-security Digest, Vol 26, Issue 1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 07:36:04 -0000 Hi, you should also disable booting from cdrom, or better, remove the connector cable from the cdrom drive. I am an experienced admin and I know how to mount bsd-partitions w/o any logging..... use the SuSE-8.2 cdrom and start the rescue-system (I do not know if it is possible with the original CD, may i have an modified from me) this allows you to mount any partition and slice on the disks in the physical system. And at this point you have lost all the security-solutions in the BSD themselves. You should really connect a specially crafted Hardware-Keylogger. I mean you can find a plan for this with modified cabling to log the keystrokes to another box (doubling and logging) or to log into the serial-interface from another box..
btw Michael From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 01:14:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 506FE16A4B3 for ; Wed, 17 Sep 2003 01:14:00 -0700 (PDT) Received: from techno.sub.ru (webmail.sub.ru [213.247.139.22]) by mx1.FreeBSD.org (Postfix) with SMTP id AC78A43F85 for ; Wed, 17 Sep 2003 01:13:58 -0700 (PDT) (envelope-from tarkhil@webmail.sub.ru) Received: (qmail 38540 invoked by uid 0); 17 Sep 2003 08:13:12 -0000 Received: from unknown (HELO tarkhil.over.ru) (213.148.23.65) by webmail.sub.ru with SMTP; 17 Sep 2003 08:13:11 -0000 Date: Wed, 17 Sep 2003 12:13:37 +0400 
From: Alex Povolotsky Cc: freebsd-security@freebsd.org Message-Id: <20030917121337.35ebf2c3.tarkhil@webmail.sub.ru> In-Reply-To: <20030917063450.GA14894@rot13.obsecurity.org> References: <20030916210328.U442@ike.othius.com> <20030917063450.GA14894@rot13.obsecurity.org> Organization: sub.ru X-Mailer: Sylpheed version 0.9.3claws (GTK+ 1.2.10; i386-portbld-freebsd4.6) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: OpenSSH 3.7.1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 08:14:00 -0000 On Tue, 16 Sep 2003 23:34:50 -0700 Kris Kennaway wrote: KK> On Tue, Sep 16, 2003 at 09:08:36PM -0400, Justin wrote: KK> > KK> > http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2 KK> > KK> > http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2 KK> > KK> > Does this affect FreeBSD? KK> > KK> KK> How about you actually read the FreeBSD mailing lists before asking KK> the same question that has been asked n times already today. I just wonder if recent patches bring openssh from FreeBSD to 3.7 or to 3.7.1 level of protection? -- Alex.
From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 01:19:21 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A7D1016A4B3 for ; Wed, 17 Sep 2003 01:19:21 -0700 (PDT) Received: from mail.bsdunix.ch (zux187-250.adsl.green.ch [80.254.187.250]) by mx1.FreeBSD.org (Postfix) with ESMTP id 473D243F75 for ; Wed, 17 Sep 2003 01:19:19 -0700 (PDT) (envelope-from turbo23@gmx.net) Received: (qmail 70800 invoked from network); 17 Sep 2003 08:15:29 -0000 Received: from unknown (HELO gmx.net) (thomas.vogt@bsdunix.ch@[62.2.201.130]) (envelope-sender )encrypted SMTP for ; 17 Sep 2003 08:15:29 -0000 Message-ID: <3F6817B4.1050404@gmx.net> Date: Wed, 17 Sep 2003 10:13:40 +0200 
From: Thomas Vogt User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030901 Thunderbird/0.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: security@freebsd.org Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: openssh 2n advisory X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 08:19:21 -0000 Hello Well the openssh discussion is a little confusing. At http://www.openssh.com/txt/buffer.adv you can find a 2nd revision of the Advisory. It also includes a patch for channels.c. Will this patch also be committed for the freebsd security branch or port? regards Thomas Vogt From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 01:25:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1D67616A4BF for ; Wed, 17 Sep 2003 01:25:05 -0700 (PDT) Received: from pd2mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8634443FE1 for ; Wed, 17 Sep 2003 01:25:03 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from pd2mr4so.prod.shaw.ca (pd2mr4so-ser.prod.shaw.ca [10.0.141.107])2003))freebsd-security@freebsd.org; Wed, 17 Sep 2003 02:25:02 -0600 (MDT) Received: from pn2ml4so.prod.shaw.ca (pn2ml4so-qfe0.prod.shaw.ca [10.0.121.148]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) freebsd-security@freebsd.org; Wed, 17 Sep 2003 02:25:02 -0600 (MDT) Received: from piii600.wadham.ox.ac.uk (h24-87-233-42.vc.shawcable.net [24.87.233.42])2003)) freebsd-security@freebsd.org; Wed, 17 Sep 2003 02:25:02 -0600 (MDT) Date: Wed, 17 Sep 2003 01:25:00 -0700
From: Colin Percival In-reply-to: <20030917121337.35ebf2c3.tarkhil@webmail.sub.ru> X-Sender: cperciva@popserver.sfu.ca To: Alex Povolotsky Message-id: <5.0.2.1.1.20030917011802.02df0c68@popserver.sfu.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT References: <20030917063450.GA14894@rot13.obsecurity.org> <20030916210328.U442@ike.othius.com> <20030917063450.GA14894@rot13.obsecurity.org> cc: freebsd-security@freebsd.org Subject: Re: OpenSSH 3.7.1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 08:25:05 -0000 At 12:13 17/09/2003 +0400, Alex Povolotsky wrote: >I just wonder if recent patches brings openssh from FreeBSD to 3.7 or to >3.7.1 level of protection? It looks like the 3.7.1 patches are in -CURRENT right now, while the release branches and ports only have the 3.7 fix. I think we can safely assume that the security officer will MFC these patches and send out a revised advisory once he is satisfied with them. Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 01:44:16 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1ABBD16A4B3 for ; Wed, 17 Sep 2003 01:44:16 -0700 (PDT) Received: from web41808.mail.yahoo.com (web41808.mail.yahoo.com [66.218.93.142]) by mx1.FreeBSD.org (Postfix) with SMTP id 90C9A43FB1 for ; Wed, 17 Sep 2003 01:44:15 -0700 (PDT) (envelope-from cristiansirbu@yahoo.com) Message-ID: <20030917084415.85385.qmail@web41808.mail.yahoo.com> Received: from [141.85.254.32] by web41808.mail.yahoo.com via HTTP; Wed, 17 Sep 2003 01:44:15 PDT Date: Wed, 17 Sep 2003 01:44:15 -0700 (PDT) 
From: Cristian Sirbu To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii X-Content-Filtered-By: Mailman/MimeDel 2.1.1 Subject: ftp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 08:44:16 -0000 Hi, Could u recommend a secure ftp daemon? I want to be able to control the ports it uses.... and not to have to let all of the upper ports open. From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 01:53:55 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4928F16A4ED for ; Wed, 17 Sep 2003 01:53:55 -0700 (PDT) Received: from amsfep12-int.chello.nl (amsfep12-int.chello.nl [213.46.243.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0222143FBF for ; Wed, 17 Sep 2003 01:53:53 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep12-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030917085350.FXSA2869.amsfep12-int.chello.nl@sitetronics.com>; Wed, 17 Sep 2003 10:53:50 +0200 Message-ID: <3F6820D9.9040702@sitetronics.com> Date: Wed, 17 Sep 2003 10:52:41 +0200
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Cristian Sirbu References: <20030917084415.85385.qmail@web41808.mail.yahoo.com> In-Reply-To: <20030917084415.85385.qmail@web41808.mail.yahoo.com> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: ftp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 08:53:55 -0000 With the default FreeBSD FTP daemon, you can already control the ports used. Simply change net.inet.ip.portrange.hifirst and net.inet.ip.portrange.hilast, which default to the following values: net.inet.ip.portrange.hifirst: 49152 net.inet.ip.portrange.hilast: 65535 --Devon Cristian Sirbu wrote: >Hi, > >Could u recommend a secure ftp daemon? I want to be able to control the ports it uses.... and not to have to let all of the upper ports open.
From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 01:53:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 25D2C16A4C1 for ; Wed, 17 Sep 2003 01:53:57 -0700 (PDT) Received: from burka.carrier.kiev.ua (burka.carrier.kiev.ua [193.193.193.107]) by mx1.FreeBSD.org (Postfix) with ESMTP id CA0AB43FE9 for ; Wed, 17 Sep 2003 01:53:54 -0700 (PDT) (envelope-from ska@lucky.net) Received: from ska@localhost [127.0.0.1] (ska@localhost [127.0.0.1]) by burka.carrier.kiev.ua with ESMTP id h8H8rmvM095468; Wed, 17 Sep 2003 11:53:50 +0300 (EEST) (envelope-from ska@burka.carrier.kiev.ua) Received: (from ska@localhost) by burka.carrier.kiev.ua (8.12.8p1/8.12.8/Submit) id h8H8rmJ2095465; Wed, 17 Sep 2003 11:53:48 +0300 (EEST) (envelope-from ska) Date: Wed, 17 Sep 2003 11:53:48 +0300
From: Sergey Kovalchuk To: Cristian Sirbu Message-ID: <20030917085348.GA93010@lucky.net> References: <20030917084415.85385.qmail@web41808.mail.yahoo.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030917084415.85385.qmail@web41808.mail.yahoo.com> User-Agent: Mutt/1.4i X-Verify-Sender: verified cc: freebsd-security@freebsd.org Subject: Re: ftp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 08:53:57 -0000 Good day, Cristian Sirbu! I could recommend you vsftpd. The Real thing. > Hi, > > Could u recommend a secure ftp daemon? I want to be able to control the ports it uses.... and not to have to let all of the upper ports open. -- SKA249-RIPE Lucky Net From owner-freebsd-security@FreeBSD.ORG Tue Sep 16 09:05:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B9DF16A4B3; Tue, 16 Sep 2003 09:05:48 -0700 (PDT) Received: from goliath.siemens.de (goliath.siemens.de [192.35.17.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BB9243FDD; Tue, 16 Sep 2003 09:05:46 -0700 (PDT) (envelope-from udo.schweigert@siemens.com) Received: from mail3.siemens.de (mail3.siemens.de [139.25.208.14]) by goliath.siemens.de (8.11.7/8.11.7) with ESMTP id h8GG5i109613; Tue, 16 Sep 2003 18:05:44 +0200 (MEST) Received: from mars.cert.siemens.de (ust.mchp.siemens.de
[139.23.201.17]) by mail3.siemens.de (8.11.7/8.11.7) with ESMTP id h8GG5hi09865; Tue, 16 Sep 2003 18:05:43 +0200 (MEST) Received: from alaska.cert.siemens.de (alaska.cert.siemens.de [139.23.202.134]) 1.46 2003/05/28 09:28:32 ust Exp $) with ESMTP id h8GG5hwg044370; Tue, 16 Sep 2003 18:05:43 +0200 (CEST) Received: from alaska.cert.siemens.de (alaska.cert.siemens.de [127.0.0.1]) hosts/alaska/mail/config.mc,v 1.15 2002/12/31 15:32:17 ust Exp $) with ESMTP id h8GG5hgw026583; Tue, 16 Sep 2003 18:05:43 +0200 (CEST) (envelope-from ust@alaska.cert.siemens.de) Received: (from ust@localhost) hosts/alaska/mail/submit.mc,v 1.4 2002/12/31 15:32:17 ust Exp $) id h8GG5hsh026030; Tue, 16 Sep 2003 18:05:43 +0200 (CEST) (envelope-from ust) Date: Tue, 16 Sep 2003 18:05:43 +0200 
From: Udo Schweigert To: "Jacques A. Vidrine" , freebsd-security@FreeBSD.org Message-ID: <20030916160543.GA28313@alaska.cert.siemens.de> References: <20030916134347.GA30359@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=iso-8859-15 Content-Disposition: inline In-Reply-To: <20030916134347.GA30359@madman.celabo.org> X-Operating-System: FreeBSD 4.9-PRERELEASE User-Agent: Mutt/1.5.4i X-Mailman-Approved-At: Wed, 17 Sep 2003 03:52:26 -0700 Subject: Re: OpenSSH heads-up X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 16 Sep 2003 16:05:48 -0000 On Tue, Sep 16, 2003 at 08:43:47 -0500, Jacques A. Vidrine wrote: > OK, an official OpenSSH advisory was released, see here: > > > The fix is currently in FreeBSD -CURRENT and -STABLE. It will be > applied to the security branches as well today. Attached are patches: > > buffer46.patch -- For FreeBSD 4.6-RELEASE and later > buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier > And what about the port /usr/ports/security/openssh-portable? It should - at least - be fixed for the 4.9-RELEASE. 
Best regards -- Udo Schweigert, Siemens AG | Voice : +49 89 636 42170 CT IC CERT, Siemens CERT | Fax : +49 89 636 41166 D-81730 Muenchen / Germany | email : udo.schweigert@siemens.com From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 03:54:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2796616A4B3 for ; Wed, 17 Sep 2003 03:54:32 -0700 (PDT) Received: from nbh-gw.newchem.ru (novbytchem-2.ip.PeterStar.net [81.3.149.218]) by mx1.FreeBSD.org (Postfix) with ESMTP id 67BC743FBD for ; Wed, 17 Sep 2003 03:54:30 -0700 (PDT) (envelope-from illich@newchem.ru) Received: from 127.0.0.1 ([192.168.204.4]) by nbh-gw.newchem.ru (8.12.9/8.12.7) with ESMTP id h8HAsOJa001387 for ; Wed, 17 Sep 2003 14:54:24 +0400 (MSD) (envelope-from illich@newchem.ru) X-AntiVirus: Checked by Dr.Web (http://www.drweb.net) Date: Wed, 17 Sep 2003 14:54:24 +0400 
From: Illia Baidakov X-Mailer: The Bat! (v1.62q) Personal X-Priority: 3 (Normal) Message-ID: <863529878.20030917145424@newchem.ru> To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: SA-03:12: sshd stops to answer queries after applying the patch X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Illia Baidakov List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 10:54:32 -0000 Hello freebsd-security, I've applied the patch from ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch for my 4.8 stable last cvsuped at 20 aug 2003. Now 'ssh -l user localhost' says: ssh_exchange_identification: connection closed by remote host Trying remote connections has the same result. sshd.log with log level 'verbose' does not contain any messages about incoming connections. Messages and other logs are clear too. ipfw rules have not been changed. netstat shows me the listening socket for *.22 How should I correct this problem? Has anybody faced such a problem?
-- Best regards, Illia mailto:illich@newchem.ru From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 06:26:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2368F16A4B3 for ; Wed, 17 Sep 2003 06:26:24 -0700 (PDT) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 59BC043FBD for ; Wed, 17 Sep 2003 06:26:23 -0700 (PDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h8HDQMCl081987 for ; Wed, 17 Sep 2003 09:26:22 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20030917092828.079a30f8@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 17 Sep 2003 09:29:00 -0400 To: security@freebsd.org From: Mike Tancsa Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) Subject: Fwd: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) [CAN-2003-0694] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 13:26:24 -0000 More patch-o-rama :-( ---Mike 
>From: Michal Zalewski >To: bugtraq@securityfocus.com, , > >X-Nmymbofr: Nir Orb Buk >Subject: [Full-Disclosure] Sendmail 8.12.9 prescan bug (a new one) >[CAN-2003-0694] >Sender: full-disclosure-admin@lists.netsys.com >X-BeenThere: full-disclosure@lists.netsys.com >X-Mailman-Version: 2.0.12 >List-Unsubscribe: , > >List-Id: Discussion of security issues >List-Post: >List-Help: >List-Subscribe: , > >List-Archive: >Date: Wed, 17 Sep 2003 11:19:46 +0200 (CEST) >X-Virus-Scanned: by Sentex Communications (avscan1/20021227) >X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) > >Hello lists, > >-------- >Overview >-------- > > There seems to be a remotely exploitable vulnerability in Sendmail up to > and including the latest version, 8.12.9. The problem lies in prescan() > function, but is not related to previous issues with this code. > > The primary attack vector is an indirect invocation via parseaddr(), > although other routes are possible. Heap or stack structures, depending > on the calling location, can be overwritten due to the ability to go > past end of the input buffer in strtok()-alike routines. > > This is an early release, thanks to my sheer stupidity. > >-------------- >Attack details >-------------- > > Local exploitation on little endian Linux is confirmed to be trivial > via recipient.c and sendtolist(), with a pointer overwrite leading to a > neat case of free() on user-supplied data, i.e.: > > eip = 0x40178ae2 > edx = 0x41414141 > esi = 0x61616161 > > SEGV in chunk_free (ar_ptr=0x4022a160, p=0x81337e0) at malloc.c:3242 > > 0x40178ae2 : mov %esi,0xc(%edx) > 0x40178ae5 : mov %edx,0x8(%esi) > > Remote attack is believed to be possible. > >---------------- >Workaround / fix >---------------- > > Vendor was notified, and released an early patch attached below. > There are no known workarounds. 
> >Index: parseaddr.c >=================================================================== >RCS file: /cvs/src/gnu/usr.sbin/sendmail/sendmail/parseaddr.c,v >retrieving revision 1.16 >diff -u -r1.16 parseaddr.c >--- parseaddr.c 29 Mar 2003 19:44:01 -0000 1.16 >+++ parseaddr.c 16 Sep 2003 17:37:26 -0000 >@@ -700,7 +700,11 @@ > addr[MAXNAME] = '\0'; > returnnull: > if (delimptr != NULL) >+ { >+ if (p > addr) >+ p--; > *delimptr = p; >+ } > CurEnv->e_to = saveto; > return NULL; > } > >-- >------------------------- bash$ :(){ :|:&};: -- > Michal Zalewski * [http://lcamtuf.coredump.cx] > Did you know that clones never use mirrors? >--------------------------- 2003-09-16 21:18 -- > > > > > > > > > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.netsys.com/full-disclosure-charter.html -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 06:57:03 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 49B0416A4B3 for ; Wed, 17 Sep 2003 06:57:03 -0700 (PDT) Received: from postalley.nic.cc (postalley.nic.cc [206.253.214.200]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9B3B743F3F for ; Wed, 17 Sep 2003 06:57:02 -0700 (PDT) (envelope-from mark@foster.cc) Received: from ip-216-73-140-100.vantas.net ([216.73.140.100] helo=gentoo1.lan.enic.cc) by postalley.nic.cc with asmtp (Exim 3.35 #1) id 19zcnc-000KAT-00; Wed, 17 Sep 2003 06:56:52 -0700 
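Review bot: the `p--` added under `returnnull:` in parseaddr.c has no comment saying why stepping back exactly one byte is the right correction, and the only bound it checks is the lower one (`if (p > addr)`). The advisory text describes the scanner going past the end of the input buffer, so the invariant being restored (that `*delimptr` never points beyond the terminator of `addr`) should be written next to the guard. Two things are worth confirming before this goes in: that no path reaches `returnnull` with `p` more than one byte past the end, since a single decrement would not cover that, and that every `goto returnnull` site really arrives with `p` already advanced, because the decrement is unconditional and would otherwise move the reported delimiter back by one on a path that was still in bounds.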
From: Mark Foster To: Colin Percival In-Reply-To: <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-D22ZAS8g7HjkfQyfLgaj" Message-Id: <1063807011.15698.3.camel@gentoo1.enic.cc> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.3 Date: 17 Sep 2003 06:56:51 -0700 cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 13:57:03 -0000

Also, the command as shown doesn't work under csh, you must run under sh (or bash?).

serv1# kill `cat /var/run/sshd.pid`
serv1# (. /etc/rc.conf && ${sshd_program:-/usr/sbin/sshd} ${sshd_flags})
Bad : modifier in $ (-).
serv1# sh
# (. /etc/rc.conf && ${sshd_program:-/usr/sbin/sshd} ${sshd_flags})
(This works)

On Tue, 2003-09-16 at 22:52, Colin Percival wrote:
> At 07:44 17/09/2003 +0200, horcy wrote:
> ># (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})
> >
> >yes i'm a n00b but what ever i try i get some error msg telling me that it
> >didnt work. i just started sshd with:
> >sh /usr/sbin/sshd and worked too.
> >But you would make me a very happy n00b if somebody can explain it :-)

--
Some days it's just not worth chewing through the restraints...
Mark Foster http://mark.foster.cc/ From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 07:01:09 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9E6D316A4BF for ; Wed, 17 Sep 2003 07:01:09 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2542B43F85 for ; Wed, 17 Sep 2003 07:01:08 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id BBD3554846; Wed, 17 Sep 2003 09:01:07 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 5C43B6D454; Wed, 17 Sep 2003 09:01:07 -0500 (CDT) Date: Wed, 17 Sep 2003 09:01:07 -0500
From: "Jacques A. Vidrine" To: Mark Foster Message-ID: <20030917140107.GD91843@madman.celabo.org> References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> <1063807011.15698.3.camel@gentoo1.enic.cc> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1063807011.15698.3.camel@gentoo1.enic.cc> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 14:01:09 -0000 On Wed, Sep 17, 2003 at 06:56:51AM -0700, Mark Foster wrote: > Also, the command as shown doesn't work under csh, you must run under sh Good point. I've always assumed use of the real shell :-) for security advisories, but that is not a good assumption, particularly since by default the root user has csh. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . 
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 07:11:29 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7B04F16A4B3 for ; Wed, 17 Sep 2003 07:11:29 -0700 (PDT) Received: from gateway.nixsys.be (gateway.nixsys.be [195.144.77.33]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8ACA843FDF for ; Wed, 17 Sep 2003 07:11:28 -0700 (PDT) (envelope-from philip@nixsys.be) Received: from hermes.nixsys.be (hermes.nixsys.be [195.144.77.45]) by gateway.nixsys.be (Postfix) with ESMTP id DF891C159 for ; Wed, 17 Sep 2003 16:11:27 +0200 (CEST) Received: by hermes.nixsys.be (Postfix, from userid 1001) id 30D176E; Wed, 17 Sep 2003 16:11:27 +0200 (CEST) Date: Wed, 17 Sep 2003 16:11:26 +0200 
From: Philip Paeps To: security@freebsd.org Message-ID: <20030917141126.GG656@hermes.nixsys.be> Mail-Followup-To: security@freebsd.org References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> <1063807011.15698.3.camel@gentoo1.enic.cc> <20030917140107.GD91843@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030917140107.GD91843@madman.celabo.org> X-Date-in-Rome: ante diem XV Kalendas Octobres MMDCCLVI ab Urbe Condida X-PGP-Fingerprint: FA74 3C27 91A6 79D5 F6D3 FC53 BF4B D0E6 049D B879 X-Message-Flag: Get a proper mailclient! Mutt: User-Agent: Mutt/1.5.4i Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 14:11:29 -0000 On 2003-09-17 09:01:07 (-0500), Jacques A. Vidrine wrote: > On Wed, Sep 17, 2003 at 06:56:51AM -0700, Mark Foster wrote: > > Also, the command as shown doesn't work under csh, you must run under sh > > Good point. I've always assumed use of the real shell :-) for security > advisories, but that is not a good assumption, particularly since by default > the root user has csh. It might be a good idea just to stick 'sh' in front of the command then, in which case it should work even if a local setup has some odd shell for root? - Philip -- Philip Paeps Please don't CC me, I am subscribed to the list. There is no such thing as a "dirty capitalist", only a capitalist. 
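The csh failure Mark Foster reported and Philip Paeps's suggestion of putting `sh` in front of the command, worked through as an added example (not part of the original thread or of the advisory). The helper name `resolve_sshd_cmd` and the two rc.conf-style files are constructed for illustration, and the resolved command line is echoed rather than executed.

```shell
#!/bin/sh
# Added example: resolve the sshd restart command from an rc.conf-style
# file under an explicit sh, so the result does not depend on the login
# shell of whoever types it. csh rejects the ${var:-default} form with
# "Bad : modifier in $ (-).", as shown in the thread.

# resolve_sshd_cmd FILE   (hypothetical helper, not part of FreeBSD)
# Sources FILE inside a fresh sh child and prints the command line the
# advisory's one-liner would run. "echo" stands in for starting sshd.
resolve_sshd_cmd() {
    rcfile=$1
    [ -r "$rcfile" ] || { echo "cannot read $rcfile" >&2; return 1; }
    # The single quotes stop the calling shell from expanding ${...};
    # the expansion happens in the sh child, where "$1" is the rc file.
    # The unset keeps values exported in the caller's environment from
    # silently choosing the binary or flags instead of the rc file.
    sh -c 'unset sshd_program sshd_flags
           . "$1" && echo ${sshd_program:-/usr/sbin/sshd} ${sshd_flags}' \
        sh "$rcfile"
}

# Constructed sample input: two rc.conf-style files in a temp directory.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Case 1: sshd enabled, nothing overridden, so the :- default applies.
cat > "$demo_dir/rc.conf.default" <<'EOF'
sshd_enable="YES"
EOF

# Case 2: the site overrides both the binary path and the flags.
cat > "$demo_dir/rc.conf.custom" <<'EOF'
sshd_enable="YES"
sshd_program="/usr/local/sbin/sshd"
sshd_flags="-4"
EOF

echo "default: $(resolve_sshd_cmd "$demo_dir/rc.conf.default")"
echo "custom:  $(resolve_sshd_cmd "$demo_dir/rc.conf.custom")"
```

Because the child is always sh, the same line behaves identically when pasted at a csh root prompt; the `sh -c` child also gives the isolation the advisory's parentheses were there for, since nothing sourced from the rc file leaks into the calling shell.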
From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 08:46:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A377716A4B3 for ; Wed, 17 Sep 2003 08:46:50 -0700 (PDT) Received: from elanus.its.uu.se (Elanus.its.UU.SE [130.238.4.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1898443FDD for ; Wed, 17 Sep 2003 08:46:49 -0700 (PDT) (envelope-from sopppp@home.se) Received: from elanus (localhost [127.0.0.1]) by localhost (Postfix) with SMTP id 78536E027 for ; Wed, 17 Sep 2003 17:46:47 +0200 (DFT) Received: from elanus.its.uu.se(127.0.0.1) by elanus.its.uu.se via virus-scan id s21112; Wed, 17 Sep 03 17:46:25 +0200 Received: from localhost (NL03-13-194.STUDENT.UU.SE [10.11.13.194]) by elanus.its.uu.se (Postfix) with ESMTP id D97C7E800 for ; Wed, 17 Sep 2003 17:44:18 +0200 (DFT) 
From: Martin Larsson To: freebsd-security@freebsd.org Content-Type: text/plain Message-Id: <1063813537.32477.0.camel@localhost> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.3 Date: 17 Sep 2003 17:45:37 +0200 Content-Transfer-Encoding: 7bit Subject: third one? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: sopppp@home.se List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 15:46:50 -0000 http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html seems like 3.7.1 is still affected? From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 08:53:01 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5F69916A4B3 for ; Wed, 17 Sep 2003 08:53:01 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1D0A643FD7 for ; Wed, 17 Sep 2003 08:53:00 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id A4A6054846; Wed, 17 Sep 2003 10:52:59 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 457B96D454; Wed, 17 Sep 2003 10:52:59 -0500 (CDT) Date: Wed, 17 Sep 2003 10:52:59 -0500 
From: "Jacques A. Vidrine" To: Martin Larsson Message-ID: <20030917155259.GA94980@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Martin Larsson , freebsd-security@freebsd.org References: <1063813537.32477.0.camel@localhost> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1063813537.32477.0.camel@localhost> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: third one? X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 15:53:01 -0000

On Wed, Sep 17, 2003 at 05:45:37PM +0200, Martin Larsson wrote:
> http://www.openpkg.org/security/OpenPKG-SA-2003.040-openssh.html
> seems like 3.7.1 is still affected?

These fixes have already been incorporated into the security branches
this morning (ALL of them), and I'm on my way to the ports tree ...

--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 09:21:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 78EC716A4B3 for ; Wed, 17 Sep 2003 09:21:20 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id C731D43FAF for ; Wed, 17 Sep 2003 09:21:19 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 5A3DA54846 for ; Wed, 17 Sep 2003 11:21:19 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id EE0026D454; Wed, 17 Sep 2003 11:21:18 -0500 (CDT) Date: Wed, 17 Sep 2003 11:21:18 -0500 
From: "Jacques A. Vidrine" To: freebsd-security@freebsd.org Message-ID: <20030917162118.GB4838@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 Subject: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 16:21:20 -0000

You've probably already seen the latest sendmail vulnerability.

http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html

I believe you can apply the following patch to any of the security
branches:

http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18

Download the patch and:

  # cd /usr/src
  # patch -p1 < /path/to/patch
  # cd /usr/src/usr.sbin/sendmail
  # make obj && make depend && make && make install

Official advisory will go out later today.

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se

From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 10:20:28 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6140916A4B3; Wed, 17 Sep 2003 10:20:28 -0700 (PDT) Received: from 194-185-53-242.f5.ngi.it (194-185-53-242.f5.ngi.it [194.185.53.242]) by mx1.FreeBSD.org (Postfix) with ESMTP id A0A3043F3F; Wed, 17 Sep 2003 10:20:26 -0700 (PDT) (envelope-from mark@remotelab.org) Received: from remotelab.org (einstein.lab [192.168.168.2]) h8HHKOTt076800; Wed, 17 Sep 2003 19:20:25 +0200 (CEST) (envelope-from mark@remotelab.org) Message-ID: <3F6897D8.5050503@remotelab.org> Date: Wed, 17 Sep 2003 19:20:24 +0200
From: Marco Trentini User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030723 Thunderbird/0.1 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-stable@freebsd.org References: <3F688BD4.2030305@remotelab.org> In-Reply-To: <3F688BD4.2030305@remotelab.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org cc: varie@gufi.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 17:20:28 -0000 > -------- Original Message -------- > Subject: Sendmail vulnerability > Date: Wed, 17 Sep 2003 11:21:18 -0500 
> From: Jacques A. Vidrine
> To: freebsd-security@freebsd.org
>
> You've probably already seen the latest sendmail vulnerability.
>
> http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
>
>
> I believe you can apply the following patch to any of the security
> branches:
>
> http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18
>
>
> Download the patch and:
>
>   # cd /usr/src
>   # patch -p1 < /path/to/patch
>   # cd /usr/src/usr.sbin/sendmail
>   # make obj && make depend && make && make install
>
>
> Official advisory will go out later today.

I've tried to make that but I get this error (on a stable with today's
sources):

....
cc -O -pipe -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB -DNIS -DMILTER -DNETINET6 -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DSTARTTLS -D_FFR_TLS_1 -c /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/util.c
cc -O -pipe -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I. -DNEWDB -DNIS -DMILTER -DNETINET6 -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DSTARTTLS -D_FFR_TLS_1 -c /usr/src/usr.sbin/sendmail/../../contrib/sendmail/src/version.c
cc -O -pipe -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/src -I/usr/src/usr.sbin/sendmail/../../contrib/sendmail/include -I.
-DNEWDB -DNIS -DMILTER -DNETINET6 -DTCPWRAPPERS -DMAP_REGEX -DDNSMAP -DSTARTTLS -D_FFR_TLS_1 -o sendmail alias.o arpadate.o bf.o collect.o conf.o control.o convtime.o daemon.o deliver.o domain.o envelope.o err.o headers.o macro.o main.o map.o mci.o milter.o mime.o parseaddr.o queue.o readcf.o recipient.o savemail.o sasl.o sfsasl.o shmticklib.o sm_resolve.o srvrsmtp.o stab.o stats.o sysexits.o timers.o tls.o trace.o udb.o usersmtp.o util.o version.o -lutil -lwrap /usr/src/lib/libsmutil/libsmutil.a /usr/src/lib/libsm/libsm.a -lssl -lcrypto
cc: /usr/src/lib/libsmutil/libsmutil.a: No such file or directory
cc: /usr/src/lib/libsm/libsm.a: No such file or directory
*** Error code 1

Stop in /usr/src/usr.sbin/sendmail.
....

--
Marco Trentini
mark@remotelab.org
http://www.remotelab.org/

From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 10:36:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 75D0916A4B3; Wed, 17 Sep 2003 10:36:48 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8C2C943F3F; Wed, 17 Sep 2003 10:36:47 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 3153954840; Wed, 17 Sep 2003 12:36:47 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id CCC866D454; Wed, 17 Sep 2003 12:36:46 -0500 (CDT) Date: Wed, 17 Sep 2003 12:36:46 -0500
From: "Jacques A. Vidrine" To: Marco Trentini Message-ID: <20030917173646.GA5654@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Marco Trentini , freebsd-stable@freebsd.org, freebsd-security@freebsd.org, varie@gufi.org References: <3F688BD4.2030305@remotelab.org> <3F6897D8.5050503@remotelab.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F6897D8.5050503@remotelab.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org cc: varie@gufi.org cc: freebsd-stable@freebsd.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 17:36:48 -0000 On Wed, Sep 17, 2003 at 07:20:24PM +0200, Marco Trentini wrote: > >-------- Original Message -------- > >Subject: Sendmail vulnerability > >Date: Wed, 17 Sep 2003 11:21:18 -0500 
> >From: Jacques A. Vidrine
> >To: freebsd-security@freebsd.org
> >
> >You've probably already seen the latest sendmail vulnerability.
> >
> >http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
> >
> >
> >I believe you can apply the following patch to any of the security
> >branches:
> >
> >http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18
> >
> >
> >Download the patch and:
> >
> >   # cd /usr/src
> >   # patch -p1 < /path/to/patch
> >   # cd /usr/src/usr.sbin/sendmail
> >   # make obj && make depend && make && make install
> >
> >
> >Official advisory will go out later today.
>
> I've tried to make that but I get this error (on a stable with today's
> sources):

Sorry, I left out some steps that are in the draft advisory and are
important if you don't already have a populated /usr/obj from a
previous buildworld.

  # cd /usr/src
  # patch < /path/to/patch
  # cd /usr/src/lib/libsm
  # make obj && make depend && make
  # cd /usr/src/lib/libsmutil
  # make obj && make depend && make
  # cd /usr/src/usr.sbin/sendmail
  # make obj && make depend && make && make install

Cheers,
--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 10:43:18 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 02B3916A4BF; Wed, 17 Sep 2003 10:43:18 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 128AC43F85; Wed, 17 Sep 2003 10:43:17 -0700 (PDT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.9/8.12.9) with ESMTP id h8HHhDDR015402; Wed, 17 Sep 2003 13:43:13 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h8HHhG5N083755; Wed, 17 Sep 2003 13:43:16 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 17 Sep 2003 13:46:14 -0400 To: "Jacques A. Vidrine" , freebsd-security@freebsd.org 
From: Mike Tancsa In-Reply-To: <20030917162118.GB4838@madman.celabo.org> References: <20030917162118.GB4838@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) cc: gshapiro@freebsd.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 17:43:18 -0000

Looks like they have released http://www.sendmail.org/8.12.10.html

Are there plans to import/mfc this into stable ? No doubt a busy day for
the Sendmail folk as well :-(

---Mike

At 12:21 PM 17/09/2003, Jacques A. Vidrine wrote:
>You've probably already seen the latest sendmail vulnerability.
>
>http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
>
>I believe you can apply the following patch to any of the security
>branches:
>
>http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18
>
>Download the patch and:
>
>   # cd /usr/src
>   # patch -p1 < /path/to/patch
>   # cd /usr/src/usr.sbin/sendmail
>   # make obj && make depend && make && make install
>
>
>Official advisory will go out later today.
>
>Cheers,
>--
>Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
>nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 10:58:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9F40816A4B3; Wed, 17 Sep 2003 10:58:50 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8D2C843FAF; Wed, 17 Sep 2003 10:58:49 -0700 (PDT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.9/8.12.9) with ESMTP id h8HHwjDR018366; Wed, 17 Sep 2003 13:58:45 -0400 (EDT) (envelope-from mike@sentex.net) Received: from simian.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h8HHwl5N083822; Wed, 17 Sep 2003 13:58:48 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <6.0.0.22.0.20030917135827.0915f268@209.112.4.2> X-Sender: mdtpop@209.112.4.2 (Unverified) X-Mailer: QUALCOMM Windows Eudora Version 6.0.0.22 Date: Wed, 17 Sep 2003 14:01:29 -0400 To: Gregory Neil Shapiro 
From: Mike Tancsa In-Reply-To: <20030917175218.GX66258@horsey.gshapiro.net> References: <20030917162118.GB4838@madman.celabo.org> <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> <20030917175218.GX66258@horsey.gshapiro.net> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: By Sentex Communications (lava/20020517) cc: freebsd-security@freebsd.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 17:58:50 -0000

If anything, just having the different version number on the banner makes
it easier to track what has been updated as well as avoiding customers
emailing us saying "Your version of sendmail is not safe" etc etc.
Modifying the .mc is an option, but then it's an extra step to unmodify it :-(

Given that 4.9release has been pushed back a few weeks can the RE approve
it ? Pretty please ? ;-)

---Mike

At 01:52 PM 17/09/2003, Gregory Neil Shapiro wrote:
>On Wed, Sep 17, 2003 at 01:46:14PM -0400, Mike Tancsa wrote:
> >
> > Looks like they have released http://www.sendmail.org/8.12.10.html
> >
> > Are there plans to import/mfc this into stable ? No doubt a busy day for
> > the Sendmail folk as well :-(
>
>Import, yes. MFC is up to the RE's.
From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 11:42:33 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D3B0C16A4B3 for ; Wed, 17 Sep 2003 11:42:33 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0186743FBF for ; Wed, 17 Sep 2003 11:42:33 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 908D25482B; Wed, 17 Sep 2003 13:42:32 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 2B3DA6D454; Wed, 17 Sep 2003 13:42:32 -0500 (CDT) Date: Wed, 17 Sep 2003 13:42:32 -0500 
From: "Jacques A. Vidrine" To: Jonathan Lennox Message-ID: <20030917184232.GE6137@madman.celabo.org> References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> <1063807011.15698.3.camel@gentoo1.enic.cc> <20030917140107.GD91843@madman.celabo.org> <16232.43602.97364.411009@cnr.cs.columbia.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <16232.43602.97364.411009@cnr.cs.columbia.edu> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: Mark Foster cc: security@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 18:42:33 -0000

On Wed, Sep 17, 2003 at 02:39:14PM -0400, Jonathan Lennox wrote:
> Jacques A. Vidrine writes:
> > On Wed, Sep 17, 2003 at 06:56:51AM -0700, Mark Foster wrote:
> > > Also, the command as shown doesn't work under csh, you must run under sh
> > Good point. I've always assumed use of the real shell :-) for
> > security advisories, but that is not a good assumption, particularly
> > since by default the root user has csh.
>
> On FreeBSD 5.0 and later, wouldn't it be both simpler and safer to
> recommend
>   # /etc/rc.d/sshd restart
> instead?

Then there would be two sets of instructions, which sucks.

I think we'll just not do it quite completely and go with

  # kill `cat /var/run/sshd.pid`
  # /usr/sbin/sshd

--
Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org .
nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 12:24:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B294716A4B3 for ; Wed, 17 Sep 2003 12:24:36 -0700 (PDT) Received: from out005.verizon.net (out005pub.verizon.net [206.46.170.143]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9058443FB1 for ; Wed, 17 Sep 2003 12:24:35 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from mac.com ([68.237.14.199]) by out005.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030917192434.ESPD15786.out005.verizon.net@mac.com> for ; Wed, 17 Sep 2003 14:24:34 -0500 Message-ID: <3F68B4EF.9050507@mac.com> Date: Wed, 17 Sep 2003 15:24:31 -0400 
From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, en MIME-Version: 1.0 References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> <1063807011.15698.3.camel@gentoo1.enic.cc> <20030917140107.GD91843@madman.celabo.org> <16232.43602.97364.411009@cnr.cs.columbia.edu> <20030917184232.GE6137@madman.celabo.org> In-Reply-To: <20030917184232.GE6137@madman.celabo.org> X-Enigmail-Version: 0.76.5.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Authentication-Info: Submitted using SMTP AUTH at out005.verizon.net from [68.237.14.199] at Wed, 17 Sep 2003 14:24:34 -0500 cc: security@FreeBSD.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 19:24:36 -0000

Jacques A. Vidrine wrote:
> On Wed, Sep 17, 2003 at 02:39:14PM -0400, Jonathan Lennox wrote:
[ ... ]
>> On FreeBSD 5.0 and later, wouldn't it be both simpler and safer to
>> recommend
>>   # /etc/rc.d/sshd restart
>> instead?

This can be dangerous if you are ssh'ed in, and the restart kills your
connection rather than the daemon.

> Then there would be two sets of instructions, which sucks.
>
> I think we'll just not do it quite completely and go with
>
>   # kill `cat /var/run/sshd.pid`
>   # /usr/sbin/sshd

This is good.
-- -Chuck From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 12:36:04 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8628D16A4B3 for ; Wed, 17 Sep 2003 12:36:04 -0700 (PDT) Received: from apollo.backplane.com (apollo.backplane.com [216.240.41.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id E551B43F75 for ; Wed, 17 Sep 2003 12:36:03 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: from apollo.backplane.com (localhost [127.0.0.1]) by apollo.backplane.com (8.12.9/8.12.6) with ESMTP id h8HJa2LD012290; Wed, 17 Sep 2003 12:36:03 -0700 (PDT) (envelope-from dillon@apollo.backplane.com) Received: (from dillon@localhost) by apollo.backplane.com (8.12.9/8.12.6/Submit) id h8HJa2K5012289; Wed, 17 Sep 2003 12:36:02 -0700 (PDT) Date: Wed, 17 Sep 2003 12:36:02 -0700 (PDT) 
From: Matthew Dillon Message-Id: <200309171936.h8HJa2K5012289@apollo.backplane.com> To: Chuck Swiger References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> <1063807011.15698.3.camel@gentoo1.enic.cc> <20030917140107.GD91843@madman.celabo.org> <16232.43602.97364.411009@cnr.cs.columbia.edu> <20030917184232.GE6137@madman.celabo.org> <3F68B4EF.9050507@mac.com> cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 19:36:04 -0000

:[ ... ]
: >> On FreeBSD 5.0 and later, wouldn't it be both simpler and safer to
: >> recommend
: >>   # /etc/rc.d/sshd restart
: >> instead?
:
:This can be dangerous if you are ssh'ed in, and the restart kills your
:connection rather than the daemon.

    All the restart target does is basically kill the pid using the pid file
    and then restart the daemon, so it is no more dangerous than the below.

    -Matt
    Matthew Dillon

: > Then there would be two sets of instructions, which sucks.
: >
: > I think we'll just not do it quite completely and go with
: >
: >   # kill `cat /var/run/sshd.pid`
: >   # /usr/sbin/sshd
:
:This is good.
: :-- :-Chuck From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 12:52:53 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 570B716A4C1 for ; Wed, 17 Sep 2003 12:52:53 -0700 (PDT) Received: from aristotle.tamu.edu (Aristotle.tamu.edu [165.91.161.90]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4383F43F75 for ; Wed, 17 Sep 2003 12:52:52 -0700 (PDT) (envelope-from rasmith@aristotle.tamu.edu) Received: from aristotle.tamu.edu (localhost [127.0.0.1]) by aristotle.tamu.edu (8.12.9/8.12.9) with ESMTP id h8HJqmcZ082311 for ; Wed, 17 Sep 2003 14:52:48 -0500 (CDT) (envelope-from rasmith@aristotle.tamu.edu) Message-Id: <200309171952.h8HJqmcZ082311@aristotle.tamu.edu> To: freebsd-security@freebsd.org In-Reply-To: Message from Matthew Dillon <200309171936.h8HJa2K5012289@apollo.backplane.com> Mime-Version: 1.0 (generated by tm-edit 7.106) Content-Type: text/plain; charset=US-ASCII Date: Wed, 17 Sep 2003 14:52:48 -0500 
From: Robin Smith Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 19:52:53 -0000

>>>>> "Jacques" == Jacques A Vidrine writes:

Jacques> I think we'll just not do it quite completely and go with

Jacques> # kill `cat /var/run/sshd.pid` # /usr/sbin/sshd

Doesn't sshd respond to a HUP by re-executing itself rather than simply
re-reading its config files? That is, wouldn't
"kill -HUP `cat /var/run/sshd.pid` " do what's wanted (i.e. kill and
restart the listening daemon while leaving the children for established
connections alone)?

From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 12:55:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5ED5816A4C0 for ; Wed, 17 Sep 2003 12:55:59 -0700 (PDT) Received: from out003.verizon.net (out003pub.verizon.net [206.46.170.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9648143FB1 for ; Wed, 17 Sep 2003 12:55:55 -0700 (PDT) (envelope-from cswiger@mac.com) Received: from mac.com ([68.237.14.199]) by out003.verizon.net (InterMail vM.5.01.05.33 201-253-122-126-133-20030313) with ESMTP id <20030917195554.XUZJ29617.out003.verizon.net@mac.com> for ; Wed, 17 Sep 2003 14:55:54 -0500 Message-ID: <3F68BC47.5010002@mac.com> Date: Wed, 17 Sep 2003 15:55:51 -0400
From: Chuck Swiger Organization: The Courts of Chaos User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, en MIME-Version: 1.0 References: <200309161817.h8GIH1GL072348@freefall.freebsd.org> <5.0.2.1.1.20030916225106.02e09dc0@popserver.sfu.ca> <1063807011.15698.3.camel@gentoo1.enic.cc> <20030917140107.GD91843@madman.celabo.org> <16232.43602.97364.411009@cnr.cs.columbia.edu> <20030917184232.GE6137@madman.celabo.org> <3F68B4EF.9050507@mac.com> <200309171936.h8HJa2K5012289@apollo.backplane.com> In-Reply-To: <200309171936.h8HJa2K5012289@apollo.backplane.com> X-Enigmail-Version: 0.76.5.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit X-Authentication-Info: Submitted using SMTP AUTH at out003.verizon.net from [68.237.14.199] at Wed, 17 Sep 2003 14:55:54 -0500 cc: security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 19:55:59 -0000

Matthew Dillon wrote:
[ ... ]
> :This can be dangerous if you are ssh'ed in, and the restart kills your
> :connection rather than the daemon.
>
> All the restart target does is basically kill the pid using the pid file
> and then restart the daemon, so it is no more dangerous than the below.

It's good that the FreeBSD script does not use 'killall' (for instance),
but not every SysV sshd script is as sensible.

Of course, if you argued that a NG sshd RC script might involve
dependencies which affected other processes, you'd have a point.
:-) -- -Chuck From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 13:41:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 23A7E16A4B3 for ; Wed, 17 Sep 2003 13:41:39 -0700 (PDT) Received: from adicia.telenet-ops.be (adicia.telenet-ops.be [195.130.132.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id E0BAB43FE0 for ; Wed, 17 Sep 2003 13:41:37 -0700 (PDT) (envelope-from admin@inet-solutions.be) Received: from localhost (localhost.localdomain [127.0.0.1]) by adicia.telenet-ops.be (Postfix) with SMTP id 8380637E73 for ; Wed, 17 Sep 2003 22:41:36 +0200 (MEST) Received: from sinix (D57652D1.kabel.telenet.be [213.118.82.209]) by adicia.telenet-ops.be (Postfix) with ESMTP id F374937FE7 for ; Wed, 17 Sep 2003 22:41:35 +0200 (MEST) 
From: "Sick`" To: Date: Wed, 17 Sep 2003 22:41:35 +0200 Message-ID: <006901c37d5c$16646f90$0200a8c0@sinix> MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook, Build 10.0.2616 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Importance: Normal Subject: FW: opiekey segfault ... isn't that harmfull? it's setuid root X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 20:41:39 -0000

Hi,

I dunno much about exploiting, but I was wondering about the setuid root
program 'opiepasswd' to use one-time-passwords. When having a seed of
(null) and a sequence of -1, I get a segfault.

Kernel/base:

FreeBSD lama.inet-solutions.be 4.8-RELEASE-p4 FreeBSD 4.8-RELEASE-p4 #0: Sun Aug 31 21:00:38 CEST 2003 root@lama.inet-solutions.be:/usr/obj/usr/src/sys/LAMA i386

Make.conf:

CPUTYPE=i686
CFLAGS= -O -pipe
CXXFLAGS+= -fmemoize-lookups -fsave-memoized
COPTFLAGS= -O -pipe
ENABLE_SUIDPERL= true
PERL_VER=5.6.1
PERL_VERSION=5.6.1
PERL_ARCH=mach
NOPERL=yo
NO_PERL=yo
NO_PERL_WRAPPER=yo

This is my terminal output:

jimmy@lama (192.168.0.50) 13:47 ~ $ opiepasswd -c -n 1 -s ad2003
Adding jimmy:
Only use this method from the console; NEVER from remote. If you are using
telnet, xterm, or a dial-in, type ^C now or exit with no password.
Then run opiepasswd without the -c parameter.
Using MD5 to compute responses.
Enter new secret pass phrase: TESTtestTEST
Again new secret pass phrase: TESTtestTEST

ID jimmy OTP key is 1 ad2003
HUT SWAY DANE TOLL DAM JUDO
jimmy@lama (192.168.0.50) 13:47 ~ $ opiekey -n 2 1 ad2003
Using the MD5 algorithm to compute response.
Reminder: Don't use opiekey from telnet or dial-in sessions.
Enter secret pass phrase: TESTtestTEST
0: FLEW SLAY STAN BUNK RAT BACH
1: HUT SWAY DANE TOLL DAM JUDO
jimmy@lama (192.168.0.50) 13:48 ~ $ ssh 192.168.0.50
otp-md5 0 ad2003 ext
Password: FLEW SLAY STAN BUNK RAT BACH
jimmy@lama (192.168.0.50) 13:49 ~ $ exit
Connection to 192.168.0.50 closed.
jimmy@lama (192.168.0.50) 13:51 ~ $ opieinfo
-1 (null)
jimmy@lama (192.168.0.50) 13:51 ~ $ opiepasswd
Updating jimmy:
Segmentation fault
jimmy@lama (192.168.0.50) 13:51 ~ $

Jimmy Scott

From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 14:58:20 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6E59816A4B3 for ; Wed, 17 Sep 2003 14:58:20 -0700 (PDT) Received: from magnesium.net (toxic.magnesium.net [207.154.84.15]) by mx1.FreeBSD.org (Postfix) with SMTP id AFFE043FE0 for ; Wed, 17 Sep 2003 14:58:19 -0700 (PDT) (envelope-from unfurl@dub.net) Received: (qmail 66369 invoked by uid 1001); 17 Sep 2003 21:58:19 -0000 Date: 17 Sep 2003 14:58:19 -0700 Date: Wed, 17 Sep 2003 14:58:19 -0700
From: Bill Swingle To: Tillman Message-ID: <20030917215819.GA64833@dub.net> References: <20030805104309.X21076@seekingfire.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="SUOF0GtieIMvvwua" Content-Disposition: inline In-Reply-To: <20030805104309.X21076@seekingfire.com> User-Agent: Mutt/1.4.1i X-Operating-System: FreeBSD toxic.magnesium.net 5.1-RELEASE FreeBSD 5.1-RELEASE cc: FreeBSD-Security Subject: Re: Kerberos in the handbook X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 21:58:20 -0000 --SUOF0GtieIMvvwua Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable I've done a lot of work in the past year with heimdal krb5 on freebsd and would love to help get this part of hte handbook updated. I'm docbook-ignorant so I'm only good for content. If you or others are interested, let's work together to get this chapter up to date. -Bill On Tue, Aug 05, 2003 at 10:43:09AM -0600, Tillman wrote: > Is anyone currently working on updating the Kerberos documentation in > the Handbook? if so, I'd like to help. If not, I'm hoping to find > someone who can get me up to speed on the FreeBSD docbook extensions :-) >=20 > -T >=20 >=20 > --=20 > "The truly paranoid administrator may wish to place motion detectors in > the air ducts." 
> - Practical UNIX & Internet Security, 2nd Edition > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" -- -=| Bill Swingle - -=| Every message PGP signed -=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 -=| "Computers are useless. They can only give you answers" Pablo Picasso --SUOF0GtieIMvvwua Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/aNj7UgAclY4JAiMRAtxXAJ9hkLodkqFg8F3fNhyzeUjagnaWjQCgzLml iB+DFRl+Y6XdzfQUlj9Ir9Y= =2jI7 -----END PGP SIGNATURE----- --SUOF0GtieIMvvwua-- From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 15:38:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8EB9516A4C0; Wed, 17 Sep 2003 15:38:00 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9FD1F43FE9; Wed, 17 Sep 2003 15:37:56 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h8HMbuFY078946; Wed, 17 Sep 2003 15:37:56 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h8HMbumh078944; Wed, 17 Sep 2003 15:37:56 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Date: Wed, 17 Sep 2003 15:37:56 -0700 (PDT) Message-Id: <200309172237.h8HMbumh078944@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f 
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Reply-To: security-advisories@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 22:38:00 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:12 Security Advisory FreeBSD, Inc. Topic: OpenSSH buffer management error Category: core, ports Module: openssh, ports_openssh, openssh-portable Announced: 2003-09-16 Credits: The OpenSSH Project Affects: All FreeBSD releases after 4.0-RELEASE FreeBSD 4-STABLE prior to the correction date openssh port prior to openssh-3.6.1_3 openssh-portable port prior to openssh-portable-3.6.1p2_3 Corrected: 2003-09-17 16:24:02 UTC (RELENG_4, 4.9-PRERELEASE) 2003-09-17 14:46:58 UTC (RELENG_5_1, 5.1-RELEASE-p4) 2003-09-17 14:50:14 UTC (RELENG_5_0, 5.0-RELEASE-p13) 2003-09-17 14:51:09 UTC (RELENG_4_8, 4.8-RELEASE-p6) 2003-09-17 14:51:37 UTC (RELENG_4_7, 4.7-RELEASE-p16) 2003-09-17 14:52:08 UTC (RELENG_4_6, 4.6-RELEASE-p19) 2003-09-17 14:52:42 UTC (RELENG_4_5, 4.5-RELEASE-p31) 2003-09-17 14:57:32 UTC (RELENG_4_4, 4.4-RELEASE-p41) 2003-09-17 14:58:56 UTC (RELENG_4_3, 4.3-RELEASE-p37) 2003-09-17 16:07:48 UTC (ports/security/openssh) 2003-09-17 16:07:48 UTC (ports/security/openssh-portable) CVE: CAN-2003-0693, CAN-2003-0695, CAN-2003-0682 FreeBSD only: NO 0. Revision History v1.0 2003-09-16 Initial release v1.1 2003-09-17 Typo in instructions for restarting sshd Additional buffer management errors corrected I. Background OpenSSH is a free version of the SSH protocol suite of network connectivity tools. 
OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. `ssh' is the client application, while `sshd' is the server. II. Problem Description Several operations within OpenSSH require dynamic memory allocation or reallocation. Examples are: the receipt of a packet larger than available space in a currently allocated buffer; creation of additional channels beyond the currently allocated maximum; and allocation of new sockets beyond the currently allocated maximum. Many of these operations can fail either due to `out of memory' or due to explicit checks for ridiculously sized requests. However, the failure occurs after the allocation size has already been updated, so that the bookkeeping data structures are in an inconsistent state (the recorded size is larger than the actual allocation). Furthermore, the detection of these failures causes OpenSSH to invoke several `fatal_cleanup' handlers, some of which may then attempt to use these inconsistent data structures. For example, a handler may zero and free a buffer in this state, and as a result memory outside of the allocated area will be overwritten with NUL bytes. III. Impact A remote attacker can cause OpenSSH to crash. The bug is not believed to be exploitable for code execution on FreeBSD. IV. Workaround Do one of the following: 1) Disable the base system sshd by executing the following command as root: # kill `cat /var/run/sshd.pid` Be sure that sshd is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf: sshd_enable="NO" AND Deinstall the openssh or openssh-portable ports if you have one of them installed. V. 
Solution Do one of the following: [For OpenSSH included in the base system] 1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or 4.7-RELEASE-p15, respectively). 2) FreeBSD systems prior to the correction date: The following patches have been verified to apply to FreeBSD 4.x and FreeBSD 5.x systems prior to the correction date. Download the appropriate patch and detached PGP signature from the following locations, and verify the signature using your PGP utility. [FreeBSD 4.3 and 4.4] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch.asc [FreeBSD 4.5] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc [FreeBSD 4.6 and later, FreeBSD 5.0 and later] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch # cd /usr/src/secure/lib/libssh # make depend && make all install # cd /usr/src/secure/usr.sbin/sshd # make depend && make all install # cd /usr/src/secure/usr.bin/ssh # make depend && make all install Be sure to restart `sshd' after updating. # kill `cat /var/run/sshd.pid` # /usr/sbin/sshd [For the OpenSSH ports] One of the following: 1) Upgrade your entire ports collection and rebuild the OpenSSH port. 2) Deinstall the old package and install a new package obtained from the following directory: [i386] ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/ [other platforms] Packages are not automatically generated for other platforms at this time due to lack of build resources. 
3) Download a new port skeleton for the openssh or openssh-portable port from: http://www.freebsd.org/ports/ and use it to rebuild the port. 4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from: ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz Be sure to restart `sshd' after updating. # kill `cat /var/run/sshd.pid` # test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start VI. Correction details The following list contains the revision numbers of each file that was corrected in the FreeBSD base system and ports collection. Branch Revision Path - ------------------------------------------------------------------------- [Base system] RELENG_4 src/crypto/openssh/buffer.c 1.1.1.1.2.7 src/crypto/openssh/channels.c 1.1.1.1.2.10 src/crypto/openssh/deattack.c 1.1.1.1.2.5 src/crypto/openssh/misc.c 1.1.1.1.2.3 src/crypto/openssh/session.c 1.4.2.18 src/crypto/openssh/ssh-agent.c 1.2.2.11 src/crypto/openssh/version.h 1.1.1.1.2.12 RELENG_5_1 src/UPDATING 1.251.2.5 src/crypto/openssh/buffer.c 1.1.1.6.4.2 src/crypto/openssh/channels.c 1.15.2.1 src/crypto/openssh/deattack.c 1.1.1.5.4.1 src/crypto/openssh/misc.c 1.1.1.4.2.1 src/crypto/openssh/session.c 1.40.2.1 src/crypto/openssh/ssh-agent.c 1.18.2.1 src/crypto/openssh/version.h 1.20.2.2 src/sys/conf/newvers.sh 1.50.2.6 RELENG_5_0 src/UPDATING 1.229.2.19 src/crypto/openssh/buffer.c 1.1.1.6.2.2 src/crypto/openssh/channels.c 1.13.2.1 src/crypto/openssh/deattack.c 1.1.1.5.2.1 src/crypto/openssh/misc.c 1.1.1.3.2.1 src/crypto/openssh/session.c 1.38.2.1 src/crypto/openssh/ssh-agent.c 1.16.2.1 src/crypto/openssh/version.h 1.18.2.2 src/sys/conf/newvers.sh 1.48.2.14 RELENG_4_8 src/UPDATING 1.73.2.80.2.8 src/crypto/openssh/buffer.c 1.1.1.1.2.4.4.2 src/crypto/openssh/channels.c 
1.1.1.1.2.8.2.1 src/crypto/openssh/deattack.c 1.1.1.1.2.4.4.1 src/crypto/openssh/misc.c 1.1.1.1.2.2.4.1 src/crypto/openssh/session.c 1.4.2.17.2.1 src/crypto/openssh/ssh-agent.c 1.2.2.10.2.1 src/crypto/openssh/version.h 1.1.1.1.2.10.2.2 src/sys/conf/newvers.sh 1.44.2.29.2.7 RELENG_4_7 src/UPDATING 1.73.2.74.2.19 src/crypto/openssh/buffer.c 1.1.1.1.2.4.2.2 src/crypto/openssh/channels.c 1.1.1.1.2.7.2.1 src/crypto/openssh/deattack.c 1.1.1.1.2.4.2.1 src/crypto/openssh/misc.c 1.1.1.1.2.2.2.1 src/crypto/openssh/session.c 1.4.2.16.2.1 src/crypto/openssh/ssh-agent.c 1.2.2.8.2.1 src/crypto/openssh/version.h 1.1.1.1.2.9.2.2 src/sys/conf/newvers.sh 1.44.2.26.2.18 RELENG_4_6 src/UPDATING 1.73.2.68.2.47 src/crypto/openssh/buffer.c 1.1.1.1.2.3.4.3 src/crypto/openssh/channels.c 1.1.1.1.2.6.2.2 src/crypto/openssh/deattack.c 1.1.1.1.2.3.4.2 src/crypto/openssh/misc.c 1.1.1.1.2.1.4.2 src/crypto/openssh/session.c 1.4.2.12.2.2 src/crypto/openssh/ssh-agent.c 1.2.2.7.4.2 src/crypto/openssh/version.h 1.1.1.1.2.8.2.3 src/sys/conf/newvers.sh 1.44.2.23.2.36 RELENG_4_5 src/UPDATING 1.73.2.50.2.48 src/crypto/openssh/buffer.c 1.1.1.1.2.3.2.2 src/crypto/openssh/channels.c 1.1.1.1.2.5.2.2 src/crypto/openssh/deattack.c 1.1.1.1.2.3.2.1 src/crypto/openssh/scp.c 1.1.1.1.2.4.2.1 src/crypto/openssh/session.c 1.4.2.11.2.1 src/crypto/openssh/ssh-agent.c 1.2.2.7.2.1 src/crypto/openssh/version.h 1.1.1.1.2.7.2.3 src/sys/conf/newvers.sh 1.44.2.20.2.32 RELENG_4_4 src/UPDATING 1.73.2.43.2.49 src/crypto/openssh/buffer.c 1.1.1.1.2.2.4.2 src/crypto/openssh/channels.c 1.1.1.1.2.4.4.2 src/crypto/openssh/deattack.c 1.1.1.1.2.2.4.1 src/crypto/openssh/scp.c 1.1.1.1.2.3.4.1 src/crypto/openssh/session.c 1.4.2.8.4.2 src/crypto/openssh/ssh-agent.c 1.2.2.6.4.1 src/crypto/openssh/version.h 1.1.1.1.2.5.2.4 src/sys/conf/newvers.sh 1.44.2.17.2.40 RELENG_4_3 src/UPDATING 1.73.2.28.2.36 src/crypto/openssh/buffer.c 1.1.1.1.2.2.2.2 src/crypto/openssh/channels.c 1.1.1.1.2.4.2.2 src/crypto/openssh/deattack.c 1.1.1.1.2.2.2.1 
src/crypto/openssh/scp.c 1.1.1.1.2.3.2.1 src/crypto/openssh/session.c 1.4.2.8.2.2 src/crypto/openssh/ssh-agent.c 1.2.2.6.2.1 src/crypto/openssh/version.h 1.1.1.1.2.4.2.4 src/sys/conf/newvers.sh 1.44.2.14.2.26 [Ports] ports/security/openssh-portable/Makefile 1.75 ports/security/openssh-portable/files/patch-buffer.c 1.2 ports/security/openssh-portable/files/patch-deattack.c 1.1 ports/security/openssh-portable/files/patch-misc.c 1.3 ports/security/openssh-portable/files/patch-session.c 1.16 ports/security/openssh-portable/files/patch-ssh-agent.c 1.1 ports/security/openssh/Makefile 1.122 ports/security/openssh/files/patch-buffer.c 1.2 ports/security/openssh/files/patch-deattack.c 1.1 ports/security/openssh/files/patch-misc.c 1.3 ports/security/openssh/files/patch-session.c 1.15 ports/security/openssh/files/patch-ssh-agent.c 1.1 - ------------------------------------------------------------------------- Branch Version string - ------------------------------------------------------------------------- HEAD OpenSSH_3.6.1p1 FreeBSD-20030917 RELENG_4 OpenSSH_3.5p1 FreeBSD-20030917 RELENG_5_1 OpenSSH_3.6.1p1 FreeBSD-20030917 RELENG_4_8 OpenSSH_3.5p1 FreeBSD-20030917 RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030917 RELENG_4_6 OpenSSH_3.4p1 FreeBSD-20030917 RELENG_4_5 OpenSSH_2.9 FreeBSD localisations 20030917 RELENG_4_4 OpenSSH_2.3.0 FreeBSD localisations 20030917 RELENG_4_3 OpenSSH_2.3.0 green@FreeBSD.org 20030917 - ------------------------------------------------------------------------- To view the version string of the OpenSSH server, execute the following command: % /usr/sbin/sshd -\? The version string is also displayed when a client connects to the server. To view the version string of the OpenSSH client, execute the following command: % /usr/bin/ssh -V VII. 
References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/aKuVFdaIBMps37IRAj/nAJ9x7UQj1Mp0vTAZBHnjGsp/9LQLlQCfVybJ AVHLwTVUmQXV9S2naBBX14I= =JhlR -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 15:38:22 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B1BAA16A4C0; Wed, 17 Sep 2003 15:38:22 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 35B2543FE9; Wed, 17 Sep 2003 15:38:20 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (nectar@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h8HMcKFY079026; Wed, 17 Sep 2003 15:38:20 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Received: (from nectar@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h8HMcKgj079024; Wed, 17 Sep 2003 15:38:20 -0700 (PDT) (envelope-from security-advisories@freebsd.org) Date: Wed, 17 Sep 2003 15:38:20 -0700 (PDT) Message-Id: <200309172238.h8HMcKgj079024@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: nectar set sender to security-advisories@freebsd.org using -f 
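The bookkeeping error described under "II. Problem Description" of FreeBSD-SA-03:12.openssh above, reduced to a small C model and shown beside an ordering that validates the new size before recording it. This is an added example, not OpenSSH or FreeBSD code: the `toy_buffer` structure, the function names and the sizes (`BUF_MAX`, `GROW_SLACK`, `ARENA_SIZE`) are assumptions made for illustration, and a fixed arena filled with guard bytes stands in for the heap so the stray NUL bytes can be counted without touching real memory.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* All sizes are constructed for this model; they are not OpenSSH's values. */
#define ARENA_SIZE 4096u  /* stands in for the heap around the buffer */
#define BUF_MAX    1024u  /* explicit sanity limit on a single buffer */
#define GROW_SLACK 64u    /* extra room requested on each growth */
#define GUARD      0xAA   /* marks bytes that belong to other allocations */

struct toy_buffer {
    unsigned char arena[ARENA_SIZE];
    size_t real;   /* bytes actually allocated to this buffer */
    size_t alloc;  /* bytes the bookkeeping believes are allocated */
    size_t end;    /* bytes in use */
};

static void toy_init(struct toy_buffer *b, size_t initial)
{
    memset(b->arena, GUARD, sizeof b->arena);
    memset(b->arena, 0, initial);
    b->real = b->alloc = initial;
    b->end = 0;
}

/* Flawed ordering from the advisory: the recorded size is updated before the
 * limit check. Returns -1 where the real program would call fatal(). */
static int append_space_unsafe(struct toy_buffer *b, size_t len)
{
    if (len > BUF_MAX)
        return -1;
    if (b->end + len <= b->alloc) {
        b->end += len;
        return 0;
    }
    b->alloc += len + GROW_SLACK;   /* bookkeeping changed first ... */
    if (b->alloc > BUF_MAX)
        return -1;                  /* ... so this failure leaves alloc > real */
    b->real = b->alloc;             /* stands in for a successful realloc() */
    b->end += len;
    return 0;
}

/* Corrected ordering: compute and validate the new size, then commit it. */
static int append_space_safe(struct toy_buffer *b, size_t len)
{
    size_t newlen;

    if (len > BUF_MAX)
        return -1;
    if (b->end + len <= b->alloc) {
        b->end += len;
        return 0;
    }
    newlen = b->alloc + len + GROW_SLACK;
    if (newlen > BUF_MAX)
        return -1;                  /* nothing was committed */
    b->real = newlen;               /* stands in for a successful realloc() */
    b->alloc = newlen;
    b->end += len;
    return 0;
}

/* Models a cleanup handler that zeroes the buffer using the recorded size.
 * Returns the number of bytes outside the real allocation that were cleared. */
static size_t cleanup_zero(struct toy_buffer *b)
{
    /* The clamp keeps this model itself inside the arena. */
    size_t n = b->alloc < ARENA_SIZE ? b->alloc : ARENA_SIZE;
    size_t i, clobbered = 0;

    memset(b->arena, 0, n);
    for (i = b->real; i < ARENA_SIZE; i++)
        if (b->arena[i] != GUARD)
            clobbered++;
    return clobbered;
}

/* Start from a 256-byte buffer, make one request, then run the cleanup that
 * follows both a fatal error and a normal teardown. */
static size_t run_scenario(int (*append)(struct toy_buffer *, size_t), size_t request)
{
    static struct toy_buffer b;

    toy_init(&b, 256);
    (void)append(&b, request);
    return cleanup_zero(&b);
}

int main(void)
{
    printf("unsafe, rejected request: %zu stray NUL bytes\n",
           run_scenario(append_space_unsafe, 1000));
    printf("safe,   rejected request: %zu stray NUL bytes\n",
           run_scenario(append_space_safe, 1000));
    printf("unsafe, accepted request: %zu stray NUL bytes\n",
           run_scenario(append_space_unsafe, 500));
    return 0;
}
```
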
From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Reply-To: security-advisories@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 22:38:22 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-03:13.sendmail Security Advisory The FreeBSD Project Topic: a third sendmail header parsing buffer overflow Category: contrib Module: contrib_sendmail Announced: 2003-09-17 Credits: Michal Zalewski Todd C. Miller Affects: All releases of FreeBSD FreeBSD 4-STABLE prior to the correction date Corrected: 2003-09-17 15:18:20 UTC (RELENG_4, 4.9-PRERELEASE) 2003-09-17 20:19:00 UTC (RELENG_5_1, 5.1-RELEASE-p5) 2003-09-17 20:19:22 UTC (RELENG_5_0, 5.0-RELEASE-p14) 2003-09-17 20:19:52 UTC (RELENG_4_8, 4.8-RELEASE-p7) 2003-09-17 20:20:08 UTC (RELENG_4_7, 4.7-RELEASE-p17) 2003-09-17 20:20:31 UTC (RELENG_4_6, 4.6-RELEASE-p20) 2003-09-17 20:20:54 UTC (RELENG_4_5, 4.5-RELEASE-p32) 2003-09-17 20:21:15 UTC (RELENG_4_4, 4.4-RELEASE-p42) 2003-09-17 20:21:40 UTC (RELENG_4_3, 4.3-RELEASE-p38) 2003-09-17 20:22:03 UTC (RELENG_3) FreeBSD only: NO I. Background FreeBSD includes sendmail(8), a general purpose internetwork mail routing facility, as the default Mail Transfer Agent (MTA). II. Problem Description A buffer overflow that may occur during header parsing was identified. NOTE WELL: This issue is distinct from the issue described in `FreeBSD-SA-03:04.sendmail' and `FreeBSD-SA-03:07.sendmail', although the impact is very similar. III. Impact An attacker could create a specially crafted message that may cause sendmail to execute arbitrary code with the privileges of the user running sendmail, typically root. 
The malicious message might be handled (and the vulnerability triggered) by the initial sendmail MTA, by any relaying sendmail MTA, or by the delivering sendmail process. IV. Workaround Disable sendmail by executing the following commands as root: # sh /etc/rc.sendmail stop # chmod 0 /usr/libexec/sendmail/sendmail Be sure that sendmail is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf: sendmail_enable="NO" sendmail_submit_enable="NO" sendmail_outbound_enable="NO" V. Solution Do one of the following: 1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date. 2) To patch your present system: The following patch has been verified to apply to FreeBSD 5.1, 4.8, and 4.7 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/libsm # make obj && make depend && make # cd /usr/src/lib/libsmutil # make obj && make depend && make # cd /usr/src/usr.sbin/sendmail # make obj && make depend && make && make install c) Restart sendmail. Execute the following command as root. # /bin/sh /etc/rc.sendmail restart VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. 
Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.14 RELENG_5_1 src/UPDATING 1.251.2.6 src/contrib/sendmail/src/parseaddr.c 1.1.1.17.2.1 src/contrib/sendmail/src/version.c 1.1.1.19.2.1 src/sys/conf/newvers.sh 1.50.2.7 RELENG_5_0 src/UPDATING 1.229.2.20 src/contrib/sendmail/src/parseaddr.c 1.1.1.14.2.3 src/contrib/sendmail/src/version.c 1.1.1.16.2.2 src/sys/conf/newvers.sh 1.48.2.15 RELENG_4_8 src/UPDATING 1.73.2.80.2.9 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.12.2.2 src/contrib/sendmail/src/version.c 1.1.1.3.2.14.2.2 src/sys/conf/newvers.sh 1.44.2.29.2.8 RELENG_4_7 src/UPDATING 1.73.2.74.2.20 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.10.2.3 src/contrib/sendmail/src/version.c 1.1.1.3.2.12.2.2 src/sys/conf/newvers.sh 1.44.2.26.2.19 RELENG_4_6 src/UPDATING 1.73.2.68.2.48 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.8.2.3 src/contrib/sendmail/src/version.c 1.1.1.3.2.9.2.2 src/sys/conf/newvers.sh 1.44.2.23.2.37 RELENG_4_5 src/UPDATING 1.73.2.50.2.49 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.6.4.3 src/contrib/sendmail/src/version.c 1.1.1.3.2.7.4.2 src/sys/conf/newvers.sh 1.44.2.20.2.33 RELENG_4_4 src/UPDATING 1.73.2.43.2.50 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.6.2.3 src/contrib/sendmail/src/version.c 1.1.1.3.2.7.2.2 src/sys/conf/newvers.sh 1.44.2.17.2.41 RELENG_4_3 src/UPDATING 1.73.2.28.2.37 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.6.4.2.3 src/contrib/sendmail/src/version.c 1.1.1.3.2.4.2.2 src/sys/conf/newvers.sh 1.44.2.14.2.27 RELENG_3 src/contrib/sendmail/src/parseaddr.c 1.1.1.2.2.3 src/contrib/sendmail/src/version.c 1.1.1.2.2.3 - ------------------------------------------------------------------------- VII. 
References -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/aOHgFdaIBMps37IRAl09AKCVMKQCzC62EF7vZFnsZVoaGWpIMACfVGq0 0df1GogdqBVYUXzNBdHrwYA= =4xqj -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 16:29:52 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9505116A4B3 for ; Wed, 17 Sep 2003 16:29:52 -0700 (PDT) Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id 892DE43FE3 for ; Wed, 17 Sep 2003 16:29:51 -0700 (PDT) (envelope-from tillman@seekingfire.com) Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id 7DDC286 for ; Wed, 17 Sep 2003 17:29:50 -0600 (CST) Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h8HNToY11946 for freebsd-security@FreeBSD.ORG; Wed, 17 Sep 2003 17:29:50 -0600 Date: Wed, 17 Sep 2003 17:29:50 -0600 
From: Tillman Hodgson To: FreeBSD-Security Message-ID: <20030917172950.B19532@seekingfire.com> References: <20030805104309.X21076@seekingfire.com> <20030917215819.GA64833@dub.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030917215819.GA64833@dub.net>; from unfurl@dub.net on Wed, Sep 17, 2003 at 02:58:19PM -0700 X-Urban-Legend: There is lots of hidden information in headers Subject: Re: Kerberos in the handbook X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 23:29:52 -0000 On Wed, Sep 17, 2003 at 02:58:19PM -0700, Bill Swingle wrote: > I've done a lot of work in the past year with heimdal krb5 on freebsd > and would love to help get this part of the handbook updated. I'm > docbook-ignorant so I'm only good for content. If you or others are > interested, let's work together to get this chapter up to date. Check out the current copy of the Handbook ;-) The Handbook is pretty much orientated towards "get 'em up and running quickly". I think some Kerberos-specific documentation on some of the more in-depth issues would be useful. Are you interested in working on something like that? -T -- Outside of poetry there is no Zen, outside of Zen there is no poetry. 
Ten'in Ryutaku From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 17:38:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EA93A16A4B3 for ; Wed, 17 Sep 2003 17:38:44 -0700 (PDT) Received: from mail.npubs.com (npubs.com [209.66.100.224]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7273443F3F for ; Wed, 17 Sep 2003 17:38:44 -0700 (PDT) (envelope-from nielsen@memberwebs.com) Resent-Message-Id: Message-ID: <3F68FE17.5050700@memberwebs.com> 
From: Nielsen User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5b) Gecko/20030901 Thunderbird/0.2 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org X-Enigmail-Version: 0.81.6.0 X-Enigmail-Supports: pgp-inline, pgp-mime Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Resent-Date: Thu, 18 Sep 2003 08:50:26 +0000 (GMT) Resent-From: nielsen@memberwebs.com (Postfix Filters) Subject: ftp.freebsd.org out of date? (WRT security advisories) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Date: Thu, 18 Sep 2003 00:38:45 -0000 X-List-Received-Date: Thu, 18 Sep 2003 00:38:45 -0000 It seems (at least for me) the patches on ftp.freebsd.org are out of date for the 03:12 security advisory (openssh). ftp2.freebsd.org has them fine. I'm wondering if this is a mirror issue or perhaps round-robin DNS problem? What compounds the issue is that right now the old openssh 3.7 patches are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be found on ftp2.freebsd.org). This could conceivably cause someone to miss a patch. Am I doing something wrong? If not, then this is just a little heads up. Perhaps it would be better to include ftp2.freebsd.org links in the security advisories. Hate to complain. The FreeBSD security team has done a great job, especially in the midst of this whole openssh mess. 
Nate Nielsen From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 20:40:16 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DAE7816A4B3 for ; Wed, 17 Sep 2003 20:40:16 -0700 (PDT) Received: from eth0.b.smtp.sonic.net (eth0.b.smtp.sonic.net [64.142.19.4]) by mx1.FreeBSD.org (Postfix) with ESMTP id DDBA143FB1 for ; Wed, 17 Sep 2003 20:40:13 -0700 (PDT) (envelope-from bmah@intruder.kitchenlab.org) Received: from intruder.kitchenlab.org (adsl-64-142-29-77.sonic.net [64.142.29.77])h8I3eDZK022900 (version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO); Wed, 17 Sep 2003 20:40:13 -0700 Received: from intruder.kitchenlab.org (bmah@localhost [127.0.0.1]) h8I3e8Hl042756; Wed, 17 Sep 2003 20:40:12 -0700 (PDT) (envelope-from bmah@intruder.kitchenlab.org) Message-Id: <200309180340.h8I3e8Hl042756@intruder.kitchenlab.org> X-Mailer: exmh version 2.6.3 04/04/2003 with nmh-1.0.4 To: Nielsen In-Reply-To: <3F68FE17.5050700@memberwebs.com> References: <3F68FE17.5050700@memberwebs.com> Comments: In-reply-to Nielsen message dated "Wed, 17 Sep 2003 17:39:33 -0700." 
From: "Bruce A. Mah" X-Face: g~c`.{#4q0"(V*b#g[i~rXgm*w;:nMfz%_RZLma)UgGN&=j`5vXoU^@n5v4:OO)c["!w)nD/!!~e4Sj7LiT'6*wZ83454H""lb{CC%T37O!!'S$S&D}sem7I[A 2V%N&+ X-Image-Url: http://www.employees.org/~bmah/Images/bmah-cisco-small.gif X-Url: http://www.employees.org/~bmah/ Mime-Version: 1.0 Content-Type: multipart/signed; boundary="==_Exmh_591933040P"; micalg=pgp-sha1; protocol="application/pgp-signature" Content-Transfer-Encoding: 7bit Date: Wed, 17 Sep 2003 20:40:08 -0700 Sender: bmah@intruder.kitchenlab.org cc: freebsd-security@freebsd.org Subject: Re: ftp.freebsd.org out of date? (WRT security advisories) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: bmah@freebsd.org List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 03:40:17 -0000 --==_Exmh_591933040P Content-Type: text/plain; charset=us-ascii If memory serves me right, Nielsen wrote: > It seems (at least for me) the patches on ftp.freebsd.org are out of > date for the 03:12 security advisory (openssh). ftp2.freebsd.org has > them fine. > > I'm wondering if this is a mirror issue or perhaps round-robin DNS problem? > > What compounds the issue is that right now the old openssh 3.7 patches > are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be > found on ftp2.freebsd.org). This could conceivably cause someone to miss > a patch. As I understand the problem, it has to do with the updating cycles of the mirrors (both ftp.freebsd.org machines get their content in much the same way as any of the other top-level mirrors). By sheer luck, it might be possible that ftp.freebsd.org might synchronize later than the other mirrors. There's other factors, such as the periodicity of updating, that also come into play. I'm not sure what's a good solution to this. 
I know that security-team is aware of the problem, in fact it came up in the security-officer BoF at BSDCon. (One possibility might be to put the advisories on the Web site and force an update immediately after an advisory is issued. I do this during the late stages of a release cycle to push out the release announcements and release notes. The problem with this, however, is that everyone is conditioned to look to the FTP sites for advisories.) Bruce. --==_Exmh_591933040P Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) Comment: Exmh version 2.5+ 20020506 iD8DBQE/aSkY2MoxcVugUsMRAk6xAJwJhMT3iwgAp23/KX4UZ5nqMAsbJgCg/0k2 sZJA9eEVILjJ2GYgOBFtdwU= =J2qE -----END PGP SIGNATURE----- --==_Exmh_591933040P-- From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 20:49:05 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C704316A4B3; Wed, 17 Sep 2003 20:49:05 -0700 (PDT) Received: from pd3mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id BE3A443FB1; Wed, 17 Sep 2003 20:49:04 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from pd4mr1so.prod.shaw.ca (pd4mr1so-qfe3.prod.shaw.ca [10.0.141.212]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HLE003O159RF5@l-daemon>; Wed, 17 Sep 2003 21:49:03 -0600 (MDT) Received: from pn2ml7so.prod.shaw.ca (pn2ml7so-qfe0.prod.shaw.ca [10.0.121.151]) by l-daemon (iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003)) with ESMTP id <0HLE0017N59RRX@l-daemon>; Wed, 17 Sep 2003 21:49:03 -0600 (MDT) Received: from piii600.wadham.ox.ac.uk (h24-87-233-42.vc.shawcable.net [24.87.233.42])2003)) with ESMTP id <0HLE00MBB59Q2H@l-daemon>; Wed, 17 Sep 2003 21:49:03 -0600 (MDT) Date: Wed, 17 Sep 2003 20:49:01 -0700 
From: Colin Percival In-reply-to: <200309180340.h8I3e8Hl042756@intruder.kitchenlab.org> X-Sender: cperciva@popserver.sfu.ca To: bmah@freebsd.org, Nielsen Message-id: <5.0.2.1.1.20030917204627.02df0a38@popserver.sfu.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT References: <3F68FE17.5050700@memberwebs.com> <3F68FE17.5050700@memberwebs.com> cc: freebsd-security@freebsd.org Subject: Re: ftp.freebsd.org out of date? (WRT security advisories) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 03:49:05 -0000 At 20:40 17/09/2003 -0700, Bruce A. Mah wrote: >I'm not sure what's a good solution to this. I know that security-team >is aware of the problem, in fact it came up in the security-officer BoF >at BSDCon. It was mentioned, but I don't recall anything being decided. >(One possibility might be to put the advisories on the Web site and >force an update immediately after an advisory is issued. I do this >during the late stages of a release cycle to push out the release >announcements and release notes. The problem with this, however, is >that everyone is conditioned to look to the FTP sites for advisories.) One option would be to put the patch signatures on the website (where they could be force-updated). Nobody would ever consider applying a patch without verifying the attached signature, right? 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 21:17:10 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2660716A4B3 for ; Wed, 17 Sep 2003 21:17:10 -0700 (PDT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id B391043FB1 for ; Wed, 17 Sep 2003 21:17:08 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.10/8.12.9) with ESMTP id h8I4H7Nh051846 for ; Thu, 18 Sep 2003 16:17:07 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Thu, 18 Sep 2003 16:17:07 +1200 (NZST) From: Andrew McNaughton To: freebsd-security@freebsd.org In-Reply-To: <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> Message-ID: <20030918161314.J29876@a2.scoop.co.nz> References: <20030917162118.GB4838@madman.celabo.org> <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 04:17:10 -0000 I've been using sendmail from ports for some time. I just upgraded to sendmail 8.12.10 by changing the version number in the makefile, then doing `make makesum build deinstall reinstall`. Everything built cleanly, started up ok, accepted a delivery and generally looks oK so far an outgoiand looks ok so far. Andrew On Wed, 17 Sep 2003, Mike Tancsa wrote: > Date: Wed, 17 Sep 2003 13:46:14 -0400 
> From: Mike Tancsa
> To: Jacques A. Vidrine , freebsd-security@freebsd.org
> Cc: gshapiro@freebsd.org
> Subject: Re: Sendmail vulnerability
>
>
> Looks like they have released http://www.sendmail.org/8.12.10.html
>
> Are there plans to import/mfc this into stable ? No doubt a busy day for
> the Sendmail folk as well :-(
>
> ---Mike
>
> At 12:21 PM 17/09/2003, Jacques A. Vidrine wrote:
> >You've probably already seen the latest sendmail vulnerability.
> >
> >http://lists.netsys.com/pipermail/full-disclosure/2003-September/010287.html
> >
> >I believe you can apply the following patch to any of the security
> >branches:
> >
> >http://cvsweb.freebsd.org/src/contrib/sendmail/src/parseaddr.c.diff?r1=1.1.1.17&r2=1.1.1.18
> >
> >Download the patch and:
> >
> >   # cd /usr/src
> >   # patch -p1 < /path/to/patch
> >   # cd /usr/src/usr.sbin/sendmail
> >   # make obj && make depend && make && make install
> >
> >
> >Official advisory will go out later today.
> >
> >Cheers,
> >--
> >Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
> >nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
> >_______________________________________________
> >freebsd-security@freebsd.org mailing list
> >http://lists.freebsd.org/mailman/listinfo/freebsd-security
> >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
>

--
No added Sugar. Not tested on animals. May contain traces of Nuts. If
irritation occurs, discontinue use.
------------------------------------------------------------------- Andrew McNaughton Currently in Boomer Bay, Tasmania andrew@scoop.co.nz Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 03:08:38 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A740216A4B3 for ; Thu, 18 Sep 2003 03:08:38 -0700 (PDT) Received: from worf.kerna.com (worf.kerna.com [194.106.143.118]) by mx1.FreeBSD.org (Postfix) with SMTP id 16D6C43F85 for ; Thu, 18 Sep 2003 03:08:37 -0700 (PDT) (envelope-from james@kerna.ie) Received: (qmail 85024 invoked by uid 1001); 18 Sep 2003 10:09:07 -0000 Date: Thu, 18 Sep 2003 11:09:07 +0100 
From: James Raftery To: freebsd-security@freebsd.org Message-ID: <20030918100907.GA85007@bender.kerna.ie> References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200309172237.h8HMbuvK078935@freefall.freebsd.org> Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 10:08:38 -0000 X-List-Received-Date: Thu, 18 Sep 2003 10:08:38 -0000 On Wed, Sep 17, 2003 at 03:37:56PM -0700, FreeBSD Security Advisories wrote: > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch [snip] The patch above doesn't appear to modify src/crypto/openssh/version.h > Branch Version string > - ------------------------------------------------------------------------- > RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030917 After patching (on the 4.7 security branch), my version string still says: sshd version OpenSSH_3.4p1 FreeBSD-20020702 Would the Security Team mind publishing a version of the patch that modifies the version string? 
Thanks, james From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 03:09:00 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC29016A4B3 for ; Thu, 18 Sep 2003 03:09:00 -0700 (PDT) Received: from amun.isnic.is (amun.isnic.is [193.4.58.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8416B43FBF for ; Thu, 18 Sep 2003 03:08:59 -0700 (PDT) (envelope-from oli@amun.isnic.is) Received: from amun.isnic.is (oli@localhost [127.0.0.1]) by amun.isnic.is (8.12.9/8.12.9/isnic) with ESMTP id h8IA8tbx063253; Thu, 18 Sep 2003 10:08:56 GMT (envelope-from oli@amun.isnic.is) Received: (from oli@localhost) by amun.isnic.is (8.12.9/8.12.9/Submit) id h8IA8t5O063252; Thu, 18 Sep 2003 10:08:55 GMT (envelope-from oli) Date: Thu, 18 Sep 2003 10:08:55 +0000 
From: Olafur Osvaldsson To: Nielsen Message-ID: <20030918100855.GN73279@isnic.is> Mail-Followup-To: Nielsen , freebsd-security@freebsd.org References: <3F68FE17.5050700@memberwebs.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="61jdw2sOBCFtR2d/" Content-Disposition: inline In-Reply-To: <3F68FE17.5050700@memberwebs.com> User-Agent: Mutt/1.3.28i X-Spam-Status: No, hits=-107.5 required=5.9 tests=EMAIL_ATTRIBUTION,IN_REP_TO,PGP_SIGNATURE_2, QUOTED_EMAIL_TEXT,REFERENCES,REPLY_WITH_QUOTES, USER_AGENT_MUTT,USER_IN_WHITELIST version=2.55-isnic X-Spam-Checker-Version: SpamAssassin 2.55-isnic (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org Subject: Re: ftp.freebsd.org out of date? (WRT security advisories) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 10:09:00 -0000 --61jdw2sOBCFtR2d/ Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable

Nielsen,

On Thu, 18 Sep 2003, Nielsen wrote:

> It seems (at least for me) the patches on ftp.freebsd.org are out of
> date for the 03:12 security advisory (openssh). ftp2.freebsd.org has
> them fine.
>
> I'm wondering if this is a mirror issue or perhaps round-robin DNS problem?

This has to do with the fact that ftp.freebsd.org is a mirror like all
the other ftp*.freebsd.org servers and they sync at different intervals.

> What compounds the issue is that right now the old openssh 3.7 patches
> are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be
> found on ftp2.freebsd.org). This could conceivably cause someone to miss
> a patch.
>
> Am i doing something wrong? If not, then this is just a little heads up.
> Perhaps it would be better to include ftp2.freebsd.org links in the
> security advisories.

If you are going to do that you might as well add all the mirrors to the
advisories as next time you might have the patch on ftp9 first and not
the others until later.

/Oli

--
Olafur Osvaldsson
Systems Administrator
Internet a Islandi hf.
Tel: +354 525-5291
Email: oli@isnic.is

--61jdw2sOBCFtR2d/ Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.2 (FreeBSD) iD8DBQE/aYQ28xNRBRknOFwRAuk7AJ4+0fK9CmfKUCw9wBgASqDPPdgrtwCfW1Gk yB0uhWiu66lcstn74NOU1EM= =glQU -----END PGP SIGNATURE----- --61jdw2sOBCFtR2d/--

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 04:19:53 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5241C16A4B3 for ; Thu, 18 Sep 2003 04:19:53 -0700 (PDT) Received: from plusmx2.polkomtel.com.pl (plusmx2.polkomtel.com.pl [212.2.96.52]) by mx1.FreeBSD.org (Postfix) with ESMTP id BC9DE43FBD for ; Thu, 18 Sep 2003 04:19:51 -0700 (PDT) (envelope-from jaroslaw.nozderko@polkomtel.com.pl) Received: from mswwaw2.corp.plusnet (plus-96-119.polkomtel.com.pl [212.2.96.119]) by plusmx2.polkomtel.com.pl (Postfix) with ESMTP id 1BDAA57D4C for ; Thu, 18 Sep 2003 13:19:50 +0200 (CEST) Received: from E2K2.corp.plusnet (unverified) by mswwaw2.corp.plusnet for ; Thu, 18 Sep 2003 13:19:51 +0200 X-MimeOLE: Produced By Microsoft Exchange V6.0.6249.0 content-class: urn:content-classes:message MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Date: Thu, 18 Sep 2003 13:19:24 +0200 Message-ID: <2A857CE92C11FE40858689CAEC7BED4905D7BF5B@E2K2.corp.plusnet> X-MS-Has-Attach: X-MS-TNEF-Correlator: Thread-Topic: MAC problems Thread-Index: AcNyhOGaYEjllsGmR9e4V6BnG8+IyQJtVA2Q 
From: "Jaroslaw Nozderko" To: Subject: RE: MAC problems X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 11:19:53 -0000

Hi,

one more question: is there any detailed information on how to
configure per-user MAC labels ?
I've tried to put it in login.conf, as mentioned in man pages,
but it had no effect. The most likely explanation is that I made
something wrong, but I think nothing was reported in system logs.

Thanks in advance for any help,
Jarek

> -----Original Message-----
> From: Robert Watson [mailto:rwatson@freebsd.org]
> Sent: Thursday, September 04, 2003 3:35 AM
> To: Jarosław Nozderko
> Cc: freebsd-security@freebsd.org
> Subject: Re: MAC problems
>
>
>
> On Wed, 3 Sep 2003, [iso-8859-2] Jarosław Nozderko wrote:
>
> > I'm quite new to FreeBSD. I've check list archives and read a handbook,
> > but I didn't find solution to my problem and I hope this is not
> > off-topic. I've installed 5.1-RELEASE, enabled ACLs on the filesystems
> > and I wanted to test MAC features. I'm also new to MAC, so perhaps this
> > is some my mistake. When I enable mac_biba or mac_lomac (in
> > loader.conf) without any configuration, it seems to block networking:
> >
> > jarek@skorpion jarek> ping 192.168.65.100
> > PING 192.168.65.100 (192.168.65.100): 56 data bytes
> > ping: sendto: Permission denied
> > ping: sendto: Permission denied
> > ping: sendto: Permission denied
> > ^C
> > --- 192.168.65.100 ping statistics ---
> > 3 packets transmitted, 0 packets received, 100% packet loss
>
> The default process label when you haven't configured per-user labels is a
> high integrity label in the Biba policy. The default label on network
> interfaces is low integrity. The result is generally a failure to be able
> to send on the network interfaces, although the failure mode varies a bit
> depending on the socket type, etc. For experimentation purposes, you'll
> probably want to set the following flag in loader.conf:
>
> security.mac.biba.trust_all_interfaces="1"
>
> This will tell mac_biba that you want interfaces to be labeled as high
> integrity by default. You can also selectively change the security labels
> on interfaces using ifconfig:
>
> paprika# ifconfig wi0 maclabel 'biba/high(low-high)'
> paprika# ifconfig wi0
> wi0: flags=8843 mtu 1500
>         inet6 fe80::209:5bff:fe31:27a4%wi0 prefixlen 64 scopeid 0x4
>         inet 192.168.5.3 netmask 0xffffff00 broadcast 192.168.5.255
>         ether 00:09:5b:31:27:a4
>         media: IEEE 802.11 Wireless Ethernet autoselect (DS/11Mbps)
>         status: associated
>         ssid more-80211-in-bethesda 1:more-80211-in-bethesda
>         stationname "FreeBSD WaveLAN/IEEE node"
>         channel 3 authmode OPEN powersavemode OFF powersavesleep 100
>         wepmode MIXED weptxkey 1
>         wepkey 1:128-bit
>         maclabel biba/high(low-high)
>
> In the Biba policy, network interface labels have three elements: a single
> (effective) label, and low and high ends of a range. The single element
> is the default label for packets sourced from the interface; the low and
> high range elements place a bound on data allowed out the interface. The
> above labels incoming packets as high, and permits packets of any labels
> out the interface.
>
> > On the other side, when mac_mls is loaded, networking works, but
> > starting X server fails with message "Couldn't mmap /dev/vga" (I don't
> > see /dev/vga device regardless of MAC policy loaded)
>
> I seem to recall that the error message given by X is actually inaccurate:
> it reports a failure to mmap /dev/vga, but it's actually failing to mmap
> system memory. The default MLS label on user processes is mls/low --
> since direct access to hardware of your system may leak information about
> higher confidentiality processes or data. As a result, the policy
> prevents you from doing so, which breaks X11. There are several
> approaches to resolving this:
>
> (1) Assign bypass labels to the special devices X accesses, so that
>     processes can access the resources regardless of the label. This is a
>     security hole, but for experimentation purposes, can be quite useful.
>     I generally run the following script at boot on systems where this
>     approach is used:
>
>     # Configure multilabel md-backed /tmp
>     mdconfig -a -t swap -s 30m -u 10
>     newfs /dev/md10
>     tunefs -l enable /dev/md10
>     mount /dev/md10 /tmp
>     mkdir /tmp/.X11-unix /tmp/.ICE-unix
>     chmod 01777 /tmp /tmp/.X11-unix /tmp/.ICE-unix
>     setfmac biba/equal,mls/equal /tmp /tmp/.X11-unix /tmp/.ICE-unix
>     # Relabel entries in /dev so that X11 works (bypass protections)
>     setpmac biba/equal,mls/equal setfmac biba/equal,mls/equal /dev/pci \
>         /dev/io /dev/mem /dev/kmem /dev/sysmouse /dev/agpgart \
>         /dev/dri
>
>     This assigns an "equal" (bypass) label to a bunch of device nodes
>     accessed by X11. It also sets up /tmp with bypass labels so that X11
>     can dump its sockets there.
>
> (2) Assign a bypass label to the X server, so that it can access these
>     resources while communicating with arbitrary user processes.
>
>     To do this, the X server has to be started using:
>
>     setpmac mls/equal /usr/X11R6/bin/startx
>
>     Note that this also has the effect of bypassing MLS protection, but
>     has different properties than (1). Your system resources are still
>     protected by MLS, but the X server can now communicate with arbitrary
>     processes, which might allow for information flow via the X server.
>     Also, if your X server is compromised, the exploit code runs with a
>     high level of privilege -- of course, that applies to (1) as well.
>
> (3) Only use the X server when running as mls/high, which will allow X to
>     do what it needs to, but will limit what processes can talk to X,
>     effectively meaning you can only X apps at mls/high.
>
> Currently, there is no open source multi-level X server that I know of, so
> if you run X on the machine, you do have to either play by the rules of
> MLS by running at a single level, or by bypassing the MLS policy
> selectively. I think it would be great to have open source MLS X server
> support, but it would be a fair amount of work.
>
> > Is it normal, or is something wrong ? Is any additional documentation
> > about MAC available, more than papers at http://www.trustedbsd.org ? I'd
> > like to learn a bit more.
>
> There are man pages for each policy, a brief section in the FreeBSD
> Handbook summarizing the MAC policies, and several implementation papers.
> Currently, there are no tutorials for getting a system up and running --
> these features are still considered experimental, and we've placed most of
> our focus on getting the features productionable and complete. However,
> we'd be happy to answer questions and fix bugs, as well as work towards
> having better documentation as we go along :-).
>
> Robert N M Watson FreeBSD Core Team, TrustedBSD Projects
> robert@fledge.watson.org Network Associates Laboratories
>
>

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 04:47:13 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8DD1616A4B3 for ; Thu, 18 Sep 2003 04:47:13 -0700 (PDT) Received: from www.beco.hu (mail.beco.hu [212.108.197.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 989FC43F85 for ; Thu, 18 Sep 2003 04:47:11 -0700 (PDT) (envelope-from berta@beco.hu) Received: from nt (x1.beco.hu [81.182.58.17]) by www.beco.hu (8.11.6/8.11.6) with SMTP id h8IBgLZ12894 for ; Thu, 18 Sep 2003 13:42:21 +0200 (CEST) (envelope-from berta@beco.hu) Message-ID: <009101c37dda$b7d97450$05e3a8c0@nt> 
From: "berta" To: Date: Thu, 18 Sep 2003 13:48:02 +0200 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 11:47:13 -0000 Is there a solution for the patch on freebsd boxes where I do not keep any sources eg. the /usr/src is empty? best regards Sandor Berta From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 06:27:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A768F16A4B3 for ; Thu, 18 Sep 2003 06:27:24 -0700 (PDT) Received: from bunrab.catwhisker.org (adsl-63-193-123-122.dsl.snfc21.pacbell.net [63.193.123.122]) by mx1.FreeBSD.org (Postfix) with ESMTP id DB42843F85 for ; Thu, 18 Sep 2003 06:27:21 -0700 (PDT) (envelope-from david@catwhisker.org) Received: from bunrab.catwhisker.org (localhost [127.0.0.1]) by bunrab.catwhisker.org (8.12.9/8.12.9) with ESMTP id h8IDRHnt017791; Thu, 18 Sep 2003 06:27:17 -0700 (PDT) (envelope-from david@bunrab.catwhisker.org) Received: (from david@localhost) by bunrab.catwhisker.org (8.12.9/8.12.9/Submit) id h8IDRD5F017790; Thu, 18 Sep 2003 06:27:13 -0700 (PDT) (envelope-from david) Date: Thu, 18 Sep 2003 06:27:13 -0700 (PDT) 
From: David Wolfskill Message-Id: <200309181327.h8IDRD5F017790@bunrab.catwhisker.org> To: berta@beco.hu, freebsd-security@freebsd.org In-Reply-To: <009101c37dda$b7d97450$05e3a8c0@nt> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 13:27:24 -0000 
>From: "berta" >To: >Date: Thu, 18 Sep 2003 13:48:02 +0200 >Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh >Is there a solution for the patch on freebsd boxes where >I do not keep any sources eg. the /usr/src is empty? Certainly. My "production" FreeBSD boxes here at home do not have sources. I build the software for them on a separate ("build") machine, then do NFS installs. As far as what is suitable for your environment, much depends on how you installed on those machines, and how you designed your environment to accommodate subsequent updates. Peace, david -- David H. Wolfskill david@catwhisker.org If you want true virus-protection for your PC, install a non-Microsoft OS on it. Plausible candidates include FreeBSD, Linux, NetBSD, OpenBSD, and Solaris (in alphabetical order). From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 06:28:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D21E216A4B3; Thu, 18 Sep 2003 06:28:39 -0700 (PDT) Received: from bewilderbeast.blackhelicopters.org (bewilderbeast.blackhelicopters.org [198.22.63.43]) by mx1.FreeBSD.org (Postfix) with ESMTP id B7F7E43FB1; Thu, 18 Sep 2003 06:28:38 -0700 (PDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: from bewilderbeast.blackhelicopters.org (mwlucas@localhost.blackhelicopters.org [127.0.0.1])h8IDalLw002261; Thu, 18 Sep 2003 09:36:47 -0400 (EDT) (envelope-from mwlucas@bewilderbeast.blackhelicopters.org) Received: (from mwlucas@localhost)h8IDalb2002260; Thu, 18 Sep 2003 09:36:47 -0400 (EDT) (envelope-from mwlucas) Date: Thu, 18 Sep 2003 09:36:47 -0400 
From: "Michael W. Lucas" To: Bill Swingle Message-ID: <20030918133647.GA2188@bewilderbeast.blackhelicopters.org> References: <20030805104309.X21076@seekingfire.com> <20030917215819.GA64833@dub.net> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030917215819.GA64833@dub.net> User-Agent: Mutt/1.4.1i X-Spam-Status: No, hits=-5.0 required=4.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_MUTT version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: FreeBSD-Security cc: doc@freebsd.org Subject: Re: Kerberos in the handbook X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 13:28:40 -0000 Bill, If you wander over to doc@ and repeat that statement, you will be mobbed by hordes of people with DocBook clue but no Kerberos clue. Hey, tell you what; I'll copy doc@ on this and save you the trouble. Brace yourself. :-) ==ml On Wed, Sep 17, 2003 at 02:58:19PM -0700, Bill Swingle wrote: > I've done a lot of work in the past year with heimdal krb5 on freebsd > and would love to help get this part of the handbook updated. I'm > docbook-ignorant so I'm only good for content. If you or others are > interested, let's work together to get this chapter up to date. > > -Bill > > On Tue, Aug 05, 2003 at 10:43:09AM -0600, Tillman wrote: > > Is anyone currently working on updating the Kerberos documentation in > > the Handbook? if so, I'd like to help. If not, I'm hoping to find > > someone who can get me up to speed on the FreeBSD docbook extensions :-) > > > > -T > > > > > > -- > > "The truly paranoid administrator may wish to place motion detectors in > > the air ducts." 
> > - Practical UNIX & Internet Security, 2nd Edition > > _______________________________________________ > > freebsd-security@freebsd.org mailing list > > http://lists.freebsd.org/mailman/listinfo/freebsd-security > > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > > -- > -=| Bill Swingle - > -=| Every message PGP signed > -=| PGP Fingerprint: C1E3 49D1 EFC9 3EE0 EA6E 6414 5200 1C95 8E09 0223 > -=| "Computers are useless. They can only give you answers" Pablo Picasso > > > -- Michael Lucas mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org Today's chance of throwing it all away to start a goat farm: 41.8% http://www.BlackHelicopters.org/~mwlucas/ Absolute OpenBSD: http://www.AbsoluteOpenBSD.com/ From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 07:31:12 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B0D3016A4B3 for ; Thu, 18 Sep 2003 07:31:12 -0700 (PDT) Received: from konvergencia.hu (konvergencia.hu [195.228.254.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id D681643F75 for ; Thu, 18 Sep 2003 07:31:11 -0700 (PDT) (envelope-from mkenyeres@konvergencia.hu) Received: from [127.0.0.25] (helo=localhost) by konvergencia.hu with esmtp (Exim 4.10) id 19zzsb-000AnM-00; Thu, 18 Sep 2003 14:35:33 +0000 Received: from konvergencia.hu ([127.0.0.25]) by localhost (kavegep.konvergencia.hu [127.0.0.25]) (amavisd-new, port 10024) with ESMTP id 40226-08; Thu, 18 Sep 2003 16:35:32 +0200 (CEST) Received: from 57.66-182-adsl-pool.axelero.hu ([81.182.66.57] helo=nerd.kvg.hu) by konvergencia.hu with asmtp (TLSv1:RC4-MD5:128) (Exim 4.10) id 19zzsa-000AnH-00; Thu, 18 Sep 2003 14:35:32 +0000 
From: Marton Kenyeres Organization: KVG Konvergencia Kft. To: "berta" Date: Thu, 18 Sep 2003 16:31:09 +0200 User-Agent: KMail/1.5.2 References: <009101c37dda$b7d97450$05e3a8c0@nt> In-Reply-To: <009101c37dda$b7d97450$05e3a8c0@nt> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-2" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200309181631.09442.mkenyeres@konvergencia.hu> X-Virus-Scanned: by amavisd-new at konvergencia.hu cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 14:31:12 -0000 On Thursday 18 September 2003 13.48, berta wrote: > Is there a solution for the patch on freebsd boxes where > I do not keep any sources eg. the /usr/src is empty? > If you track RELENG_4_8 or RELENG_4_7 the security/freebsd-update port may be an option. Note that AFAIK you can only use this, if you did a binary install of the system and did NOT recompile it since. (Someone please correct me if I'm wrong, I've never used freebsd-update myself.) Cheerz, m. -- Marton Kenyeres - mkenyeres@konvergencia.hu KVG Konvergencia Kft. 
From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 07:37:41 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D0C9C16A4B3; Thu, 18 Sep 2003 07:37:41 -0700 (PDT) Received: from mail.seekingfire.com (coyote.seekingfire.com [24.72.10.212]) by mx1.FreeBSD.org (Postfix) with ESMTP id CFFD743F3F; Thu, 18 Sep 2003 07:37:40 -0700 (PDT) (envelope-from tillman@seekingfire.com) Received: from blues.seekingfire.prv (blues.seekingfire.prv [192.168.23.211]) by mail.seekingfire.com (Postfix) with ESMTP id DD30886; Thu, 18 Sep 2003 08:37:39 -0600 (CST) Received: (from tillman@localhost) by blues.seekingfire.prv (8.11.6/8.11.6) id h8IEbds13167; Thu, 18 Sep 2003 08:37:39 -0600 Date: Thu, 18 Sep 2003 08:37:39 -0600 
From: Tillman Hodgson To: FreeBSD-Security Message-ID: <20030918083739.D12797@seekingfire.com> References: <20030805104309.X21076@seekingfire.com> <20030917215819.GA64833@dub.net> <20030918133647.GA2188@bewilderbeast.blackhelicopters.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5.1i In-Reply-To: <20030918133647.GA2188@bewilderbeast.blackhelicopters.org>; from mwlucas@blackhelicopters.org on Thu, Sep 18, 2003 at 09:36:47AM -0400 X-Urban-Legend: There is lots of hidden information in headers cc: doc@freebsd.org Subject: Re: Kerberos in the handbook X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 14:37:42 -0000 On Thu, Sep 18, 2003 at 09:36:47AM -0400, Michael W. Lucas wrote: > Bill, > > If you wander over to doc@ and repeat that statement, you will be > mobbed by hordes of people with DocBook clue but no Kerberos clue. > > Hey, tell you what; I'll copy doc@ on this and save you the trouble. > Brace yourself. :-) Howdy Michael, This actually occurred a short while ago - the handbook has been updated. I've to do more Kerberos documentation, going more in-depth and covering more than the Heimdal in the base installation, but I don't think that the Handbook is the right vehicle for that. If Bill is interested I'd like to figure out what the right vehicle is do some collaborative work. -T (Loved your _Absolute BSD_ book, BTW. It needs a name tag page though so co-workers will stop "borrowing" it permanently) -- "A computer is like an Old Testament god, with a lot of rules and no mercy." 
- Joseph Campbell From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 07:50:08 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 97F4A16A4B3 for ; Thu, 18 Sep 2003 07:50:08 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9464843FB1 for ; Thu, 18 Sep 2003 07:50:07 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 2160A5482B; Thu, 18 Sep 2003 09:50:07 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id A9FF06D454; Thu, 18 Sep 2003 09:50:06 -0500 (CDT) Date: Thu, 18 Sep 2003 09:50:06 -0500 
From: "Jacques A. Vidrine" To: James Raftery Message-ID: <20030918145005.GB32994@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , James Raftery , freebsd-security@freebsd.org References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> <20030918100907.GA85007@bender.kerna.ie> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030918100907.GA85007@bender.kerna.ie> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 14:50:08 -0000 On Thu, Sep 18, 2003 at 11:09:07AM +0100, James Raftery wrote: > On Wed, Sep 17, 2003 at 03:37:56PM -0700, FreeBSD Security Advisories wrote: > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch > [snip] > > The patch above doesn't appear to modify src/crypto/openssh/version.h > > > Branch Version string > > - ------------------------------------------------------------------------- > > RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030917 > > After patching (on the 4.7 security branch), my version string still > says: > > sshd version OpenSSH_3.4p1 FreeBSD-20020702 > > Would the Security Team mind publishing a version of the patch that > modifies the version string? The patch is crafted specifically to apply to the widest range of FreeBSD versions as possible. In this way we have three patches to distribute instead of 1 per release. (Likewise, there is a single sendmail patch instead of 1 per release.) Use CVSup if you want to actually track the security branches. Use the patch if you just want a quick fix. 
You can also pull down the ancillary patches (version.h, newvers.sh, UPDATING, etc) via other mechanisms (e.g. anon CVS, cvsweb) if you like. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 07:57:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5362316A4BF for ; Thu, 18 Sep 2003 07:57:59 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8224543FE1 for ; Thu, 18 Sep 2003 07:57:58 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id 2CC3754861; Thu, 18 Sep 2003 09:57:58 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id BC19D6D454; Thu, 18 Sep 2003 09:57:57 -0500 (CDT) Date: Thu, 18 Sep 2003 09:57:57 -0500 
From: "Jacques A. Vidrine" To: Nielsen Message-ID: <20030918145757.GE32994@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , Nielsen , freebsd-security@freebsd.org References: <3F68FE17.5050700@memberwebs.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F68FE17.5050700@memberwebs.com> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: ftp.freebsd.org out of date? (WRT security advisories) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 14:57:59 -0000 On Thu, Sep 18, 2003 at 12:39:47AM +0000, Nielsen wrote: > It seems (at least for me) the patches on ftp.freebsd.org are out of > date for the 03:12 security advisory (openssh). ftp2.freebsd.org has > them fine. > > I'm wondering if this is a mirror issue or perhaps round-robin DNS problem? > > What compounds the issue is that right now the old openssh 3.7 patches > are there (on ftp.freebsd.org), but not the 3.7.1 patches (which can be > found on ftp2.freebsd.org). This could conceivably cause someone to miss > a patch. > > Am I doing something wrong? If not, then this is just a little heads up. > Perhaps it would be better to include ftp2.freebsd.org links in the > security advisories. > > Hate to complain. The FreeBSD security team has done a great job, > especially in the midst of this whole openssh mess. I always manually update ftp.freebsd.org (62.243.72.50) and ftp2.freebsd.org. The problem is, it seems, that recently a 2nd ftp.freebsd.org was added to DNS. (Seems like a really bad idea to me, but *shrug*.) I do not have access to this new machine, and indeed I'm not sure exactly who runs it. It is on my TODO list to find out and ask for a means to run manual updates there as well. 
Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 08:01:22 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2B37B16A4B3; Thu, 18 Sep 2003 08:01:22 -0700 (PDT) Received: from gw.celabo.org (gw.celabo.org [208.42.49.153]) by mx1.FreeBSD.org (Postfix) with ESMTP id 29F8D43FBF; Thu, 18 Sep 2003 08:01:19 -0700 (PDT) (envelope-from nectar@celabo.org) Received: from madman.celabo.org (madman.celabo.org [10.0.1.111]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client CN "madman.celabo.org", Issuer "celabo.org CA" (verified OK)) by gw.celabo.org (Postfix) with ESMTP id CED5A5482B; Thu, 18 Sep 2003 10:01:18 -0500 (CDT) Received: by madman.celabo.org (Postfix, from userid 1001) id 5FBDF6D454; Thu, 18 Sep 2003 10:01:18 -0500 (CDT) Date: Thu, 18 Sep 2003 10:01:18 -0500 
From: "Jacques A. Vidrine" To: "Bruce A. Mah" Message-ID: <20030918150118.GF32994@madman.celabo.org> Mail-Followup-To: "Jacques A. Vidrine" , "Bruce A. Mah" , Nielsen , freebsd-security@freebsd.org References: <3F68FE17.5050700@memberwebs.com> <200309180340.h8I3e8Hl042756@intruder.kitchenlab.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200309180340.h8I3e8Hl042756@intruder.kitchenlab.org> X-Url: http://www.celabo.org/ User-Agent: Mutt/1.5.4i-ja.1 cc: freebsd-security@freebsd.org Subject: Re: ftp.freebsd.org out of date? (WRT security advisories) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 15:01:22 -0000 On Wed, Sep 17, 2003 at 08:40:08PM -0700, Bruce A. Mah wrote: > I'm not sure what's a good solution to this. I know that security-team > is aware of the problem, in fact it came up in the security-officer BoF > at BSDCon. I think the end result was that I'm basically willing to manually push updates to any mirrors to which I have access. I have been pushing them to ftp and ftp2, but (as I posted in a recent message), recent events have mucked this up a bit. > (One possibility might be to put the advisories on the Web site and > force an update immediately after an advisory is issued. I do this > during the late stages of a release cycle to push out the release > announcements and release notes. The problem with this, however, is > that everyone is conditioned to look to the FTP sites for advisories.) I wouldn't mind having the advisories and patches live on HTTP also. It is arguably more convenient for more people. I wouldn't want to have to go through CVS first to publish the patches or advisory however. Cheers, -- Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal nectar@celabo.org . 
jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 08:45:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D8BFF16A4BF for ; Thu, 18 Sep 2003 08:45:54 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0EF7943FE1 for ; Thu, 18 Sep 2003 08:45:52 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 908876540B; Thu, 18 Sep 2003 16:45:50 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 25496-03-3; Thu, 18 Sep 2003 16:45:50 +0100 (BST) Received: from saboteur.dek.spc.org (unknown [81.3.72.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id D7C4165407; Thu, 18 Sep 2003 16:45:49 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 0CB29C8; Thu, 18 Sep 2003 13:44:14 +0100 (BST) Date: Thu, 18 Sep 2003 13:44:14 +0100 
From: Bruce M Simpson To: berta Message-ID: <20030918124414.GD3431@saboteur.dek.spc.org> Mail-Followup-To: berta , freebsd-security@freebsd.org References: <009101c37dda$b7d97450$05e3a8c0@nt> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <009101c37dda$b7d97450$05e3a8c0@nt> Organization: SPC cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 15:45:55 -0000 On Thu, Sep 18, 2003 at 01:48:02PM +0200, berta wrote: > Is there a solution for the patch on freebsd boxes where > I do not keep any sources eg. the /usr/src is empty? Have you looked at freebsd-update in ports? This is a binary update mechanism. BMS From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 09:59:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5250516A4C2 for ; Thu, 18 Sep 2003 09:59:32 -0700 (PDT) Received: from conure.mail.pas.earthlink.net (conure.mail.pas.earthlink.net [207.217.120.54]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9EE9043FBD for ; Thu, 18 Sep 2003 09:59:29 -0700 (PDT) (envelope-from vjones62@earthlink.net) Received: from thecount.psp.pas.earthlink.net ([207.217.78.22]) by conure.mail.pas.earthlink.net with esmtp (Exim 3.33 #1) id 1A027s-0006wh-00 for freebsd-security@freebsd.org; Thu, 18 Sep 2003 09:59:28 -0700 Message-ID: <13458237.1063904367933.JavaMail.root@thecount.psp.pas.earthlink.net> Date: Thu, 18 Sep 2003 12:59:27 -0400 (GMT-04:00) 
From: "V. Jones" To: freebsd-security@freebsd.org Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit X-Mailer: Earthlink Zoo Mail 1.0 Subject: Patching jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: "V. Jones" List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 16:59:32 -0000 I'm going to apply the ssh patch. Applying it to the "real" server seems straightforward enough, but I'm wondering what the right procedure is to apply this patch to my jailed servers. From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 10:19:30 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C89D316A4B3 for ; Thu, 18 Sep 2003 10:19:30 -0700 (PDT) Received: from pd4mo1so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8FA7D43FD7 for ; Thu, 18 Sep 2003 10:19:29 -0700 (PDT) (envelope-from colin.percival@wadham.ox.ac.uk) Received: from pd2mr1so.prod.shaw.ca (pd2mr1so-ser.prod.shaw.ca [10.0.141.110])2003))freebsd-security@freebsd.org; Thu, 18 Sep 2003 11:19:29 -0600 (MDT) Received: from pn2ml9so.prod.shaw.ca (pn2ml9so-qfe0.prod.shaw.ca [10.0.121.7]) 2003))freebsd-security@freebsd.org; Thu, 18 Sep 2003 11:19:29 -0600 (MDT) Received: from piii600.wadham.ox.ac.uk (h24-87-233-42.vc.shawcable.net [24.87.233.42])2003)) freebsd-security@freebsd.org; Thu, 18 Sep 2003 11:19:29 -0600 (MDT) Date: Thu, 18 Sep 2003 10:19:26 -0700 
From: Colin Percival In-reply-to: <200309181631.09442.mkenyeres@konvergencia.hu> X-Sender: cperciva@popserver.sfu.ca To: Marton Kenyeres , berta Message-id: <5.0.2.1.1.20030918093454.02e15058@popserver.sfu.ca> MIME-version: 1.0 X-Mailer: QUALCOMM Windows Eudora Version 5.0.2 Content-type: text/plain; charset=us-ascii; format=flowed Content-transfer-encoding: 7BIT References: <009101c37dda$b7d97450$05e3a8c0@nt> <009101c37dda$b7d97450$05e3a8c0@nt> cc: freebsd-security@freebsd.org Subject: FreeBSD Update (was: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh) X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 17:19:30 -0000 At 16:31 18/09/2003 +0200, Marton Kenyeres wrote: >If you track RELENG_4_8 or RELENG_4_7 the security/freebsd-update port may be >an option. Note that AFAIK you can only use this, if you did a binary install >of the system and did NOT recompile it since. Another few notes to add: 1. "Binary install" means "binary install of the officially published FTP or ISO image" -- if you ran `make release` on your own, FreeBSD Update won't work. 2. There is a delay between updated source code becoming available and binary updates being online. Anyone who tried to update a 4.8-RELEASE system before about 11AM 18/9/03 GMT, or a 4.7-RELEASE system before about 4AM GMT, will not have the latest patches (in fact, they'll have the first version of the ssh fixes). If this applies to you, run FreeBSD Update again. 3. FreeBSD Update is designed to be run from cron. This is perfectly safe, since it only fetches updates and sends an email to root, and it uses minimal bandwidth. I highly recommend that people do this (but if your clock is set to GMT, please pick a time other than 3AM). 
Colin Percival From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 12:21:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 163F416A4BF for ; Thu, 18 Sep 2003 12:21:36 -0700 (PDT) Received: from mx7.roble.com (mx7.roble.com [206.40.34.7]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB70D43F3F for ; Thu, 18 Sep 2003 12:21:35 -0700 (PDT) (envelope-from marquis@roble.com) Date: Thu, 18 Sep 2003 12:21:35 -0700 (PDT) 
From: Roger Marquis To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Message-Id: <20030918192135.744AADACAF@mx7.roble.com> Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 19:21:36 -0000 >>>This can be dangerous if you are ssh'ed in, and the restart kills your >>>connection rather than the daemon. >> >> All the restart target does is basically kill the pid using the pid file >> and then restart the daemon, so it is no more dangerous than the below. > >It's good that the FreeBSD script does not use 'killall' (for instance), but not >every SysV sshd script is as sensible. Of course, if you argued that a NG sshd >RC script might involve dependencies which affected other processes, you'd have >a point. :-) None of these are problems when sshd is run from inetd. The only reasons not to run sshd out of inetd are A) if the server needs to initiate dozens of sessions per minute or B) if it's not running inetd. Advantages to using inetd include connection count limiting, connection rate limiting, tcp_wrappers, address binding, and simplicity (KIS), among others. Back when ssh was originally developed, in the days of 50MHz processors, key generation time made running sshd out of inetd slow. For the past several years, however, this has not been an issue. Why FreeBSD's default installation still uses a legacy stand-alone ssh daemon is a question many systems administrators are asking. 
-- Roger Marquis Roble Systems Consulting http://www.roble.com/ From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 12:27:55 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE98216A4C0 for ; Thu, 18 Sep 2003 12:27:55 -0700 (PDT) Received: from blue.gerhardt-it.com (gw.gerhardt-it.com [204.83.38.103]) by mx1.FreeBSD.org (Postfix) with ESMTP id A301843FBF for ; Thu, 18 Sep 2003 12:27:54 -0700 (PDT) (envelope-from scott@g-it.ca) Received: from [24.78.101.202] (h24-78-101-202.ss.shawcable.net [24.78.101.202]) by blue.gerhardt-it.com (Postfix) with ESMTP id 0C7BDFD96; Thu, 18 Sep 2003 13:27:52 -0600 (CST) User-Agent: Microsoft-Entourage/10.1.1.2418 Date: Thu, 18 Sep 2003 13:27:49 -0600 
From: Scott Gerhardt To: Roger Marquis , Message-ID: In-Reply-To: <20030918192135.744AADACAF@mx7.roble.com> Mime-version: 1.0 Content-type: text/plain; charset="US-ASCII" Content-transfer-encoding: 7bit Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 19:27:56 -0000 On 9/18/03 1:21 PM, "Roger Marquis" wrote: >>>> This can be dangerous if you are ssh'ed in, and the restart kills your >>>> connection rather than the daemon. >>> >>> All the restart target does is basically kill the pid using the pid file >>> and then restart the daemon, so it is no more dangerous than the below. >> >> It's good that the FreeBSD script does not use 'killall' (for instance), but >> not >> every SysV sshd script is as sensible. Of course, if you argued that a NG >> sshd >> RC script might involve dependencies which affected other processes, you'd >> have >> a point. :-) > > None of these are problems when sshd is run from inetd. The only > reasons not to run sshd out of inetd are A) if the server needs to > initiate dozens of sessions per minute or B) if it's not running > inetd. > > Advantages to using inetd include connection count limiting, > connection rate limiting, tcp_wrappers, address binding, and > simplicity (KIS), among others. > > Back when ssh was originally developed, in the days of 50MHz > processors, key generation time made running sshd out of inetd slow. > For the past several years, however, this has not been an issue. > Why FreeBSD's default installation still uses a legacy stand-alone > ssh daemon is a question many systems administrators are asking. Better yet, what about using xinetd which is much more configurable and robust. 
I am surprised that FreeBSD's default installation still uses inetd instead of xinetd. -- Scott Gerhardt, P.Geo. Gerhardt Information Technologies [G-IT] From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 12:51:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8B10816A4B3 for ; Thu, 18 Sep 2003 12:51:32 -0700 (PDT) Received: from www.kozubik.com (kozubik.com [65.248.2.130]) by mx1.FreeBSD.org (Postfix) with ESMTP id F282E43FD7 for ; Thu, 18 Sep 2003 12:51:31 -0700 (PDT) (envelope-from john@kozubik.com) Received: from kozubik.com (john@localhost [127.0.0.1]) by www.kozubik.com (8.12.3/8.12.3) with ESMTP id h8IJS9rn065815; Thu, 18 Sep 2003 12:28:09 -0700 (PDT) (envelope-from john@kozubik.com) Received: from localhost (john@localhost) by kozubik.com (8.12.3/8.12.3/Submit) with ESMTP id h8IJS893065812; Thu, 18 Sep 2003 12:28:08 -0700 (PDT) Date: Thu, 18 Sep 2003 12:28:08 -0700 (PDT) 
From: John Kozubik To: "V. Jones" In-Reply-To: <13458237.1063904367933.JavaMail.root@thecount.psp.pas.earthlink.net> Message-ID: <20030918122317.C82609-100000@kozubik.com> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Patching jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 19:51:32 -0000 Hello, On Thu, 18 Sep 2003, V. Jones wrote: > I'm going to apply the ssh patch. Applying it to the "real" server > seems straightforward enough, but I'm wondering what the right procedure > is to apply this patch to my jailed servers. No special procedure is necessary. Log into the jail, su to root, and follow the instructions in the SA - they will work just fine. You may or may not have a populated /usr/src/secure though - you can get it with cvsup, however it is faster and easier to simply tar up the /usr/src/secure on the base system and untar it in the jail. I presume this to be safe, as there should never be a version mismatch between the base system and the jails running on it. The procedure in the sendmail SA that was released yesterday will also work fine inside of a jail. Again, make sure you have /usr/src/usr.sbin and /usr/src/lib, and so on in the jail. 
----- John Kozubik - john@kozubik.com - http://www.kozubik.com From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 13:37:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A6DFE16A4B3 for ; Thu, 18 Sep 2003 13:37:44 -0700 (PDT) Received: from thesocket.net (shell.thesocket.net [216.146.68.95]) by mx1.FreeBSD.org (Postfix) with ESMTP id A6FAE43FE1 for ; Thu, 18 Sep 2003 13:37:43 -0700 (PDT) (envelope-from macova@thesocket.net) Received: from tomek (unknown [216.146.68.239]) by thesocket.net (Postfix) with ESMTP id 1894C1B6 for ; Thu, 18 Sep 2003 15:37:36 -0500 (CDT) Message-ID: <010401c373fd$f86fc320$ef88d6d8@tomek> From: "Tomasz Makulski" To: References: <20030918122317.C82609-100000@kozubik.com> Date: Fri, 5 Sep 2003 15:35:09 -0700 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook Express 6.00.2800.1158 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Subject: Re: Patching jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 20:37:44 -0000 mount_null -o ro /usr/src /jail/usr/src and then follow the regular procedure from inside the jail/chroot. PS you can always use rsync ;> Best Regards Tom ----- Original Message ----- 
From: "John Kozubik" To: "V. Jones" Cc: Sent: Thursday, September 18, 2003 12:28 PM Subject: Re: Patching jails > > Hello, > > On Thu, 18 Sep 2003, V. Jones wrote: > > > I'm going to apply the ssh patch. Applying it to the "real" server > > seems straightforward enough, but I'm wondering what the right procedure > > is to apply this patch to my jailed servers. > > No special procedure is necessary. Log into the jail, su to root, and > follow the instructions in the SA - they will work just fine. > > You may or may not have a populated /usr/src/secure though - you can get > it with cvsup, however it is faster and easier to simply tar up the > /usr/src/secure on the base system and untar it in the jail. I presume > this to be safe, as there should never be a version mismatch between the > base system and the jails running on it. > > The procedure in the sendmail SA that was released yesterday will also > work fine inside of a jail. Again, make sure you have /usr/src/usr.sbin > and /usr/src/lib, and so on in the jail. 
> > ----- > John Kozubik - john@kozubik.com - http://www.kozubik.com > > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 13:48:36 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 96C4216A4BF for ; Thu, 18 Sep 2003 13:48:36 -0700 (PDT) Received: from mail.praemunio.com (mail.praemunio.com [66.179.47.216]) by mx1.FreeBSD.org (Postfix) with SMTP id A70A243FCB for ; Thu, 18 Sep 2003 13:48:35 -0700 (PDT) (envelope-from frank@knobbe.us) Received: from pcp563961pcs.rthfrd01.tn.comcast.net (HELO mail.knobbe.us) (68.53.41.27) by mail.praemunio.com with SMTP; 18 Sep 2003 15:48:34 -0500 Received: from localhost (HELO frankslaptop) by localhost with SMTP; 18 Sep 2003 15:48:32 -0500 Received: from localhost (HELO ??) by localhost with SMTP; 18 Sep 2003 15:48:23 -0500 
From: Frank Knobbe To: John Kozubik In-Reply-To: <20030918122317.C82609-100000@kozubik.com> References: <20030918122317.C82609-100000@kozubik.com> Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-+yJsKphIoFAfSF4Zwo+K" Message-Id: <1063918102.463.24.camel@localhost> Mime-Version: 1.0 X-Mailer: Ximian Evolution 1.4.4 Date: Thu, 18 Sep 2003 15:48:23 -0500 cc: freebsd-security@freebsd.org Subject: Re: Patching jails X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 20:48:36 -0000 --=-+yJsKphIoFAfSF4Zwo+K Content-Type: text/plain Content-Transfer-Encoding: quoted-printable On Thu, 2003-09-18 at 14:28, John Kozubik wrote: > No special procedure is necessary. Log into the jail, su to root, and > follow the instructions in the SA - they will work just fine. > > You may or may not have a populated /usr/src/secure though - you can get > it with cvsup, however it is faster and easier to simply tar up the > /usr/src/secure on the base system and untar it in the jail. I presume > this to be safe, as there should never be a version mismatch between the > base system and the jails running on it. I would imagine that a /usr/src/secure;make install DESTDIR=/usr/jail would work just as well. Or is using DESTDIR not recommended for updating binaries? 
Regards, Frank --=-+yJsKphIoFAfSF4Zwo+K-- From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 16:18:12 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C8ED216A4B3 for ; Thu, 18 Sep 2003 16:18:12 -0700 (PDT) Received: from mail.silverwraith.com (66-214-182-79.la-cbi.charterpipeline.net [66.214.182.79]) by mx1.FreeBSD.org (Postfix) with ESMTP id 150B343FD7 for ; Thu, 18 Sep 2003 16:18:12 -0700 (PDT) (envelope-from avleen@silverwraith.com) Received: from avleen by mail.silverwraith.com with local (Exim 4.20) id 1A082N-000K1s-Iy; Thu, 18 Sep 2003 16:18:11 -0700 Date: Thu, 18 Sep 2003 16:18:11 -0700 
From: Avleen Vig To: Roger Marquis Message-ID: <20030918231811.GE527@silverwraith.com> References: <20030918192135.744AADACAF@mx7.roble.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030918192135.744AADACAF@mx7.roble.com> User-Agent: Mutt/1.5.4i Sender: Avleen Vig cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 18 Sep 2003 23:18:12 -0000 On Thu, Sep 18, 2003 at 12:21:35PM -0700, Roger Marquis wrote: > Back when ssh was originally developed, in the days of 50MHz > processors, key generation time made running sshd out of inetd slow. > For the past several years, however, this has not been an issue. > Why FreeBSD's default installation still uses a legacy stand-alone > ssh daemon is a question many systems administrators are asking. I'm certainly not one of those systems administrators. I manage > 700 systems on a daily basis (not alone, obviously, and not all FreeBSD). I don't want one service (ssh) being dependent on another service (inetd). This is bad system design. 
From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 17:19:57 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D1ED516A4B3 for ; Thu, 18 Sep 2003 17:19:57 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id E76B343F75 for ; Thu, 18 Sep 2003 17:19:56 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 76AE765404; Fri, 19 Sep 2003 01:19:55 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29713-02; Fri, 19 Sep 2003 01:19:54 +0100 (BST) Received: from saboteur.dek.spc.org (unknown [81.3.72.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 77D80652D3; Fri, 19 Sep 2003 01:19:54 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id E40BB9; Fri, 19 Sep 2003 01:19:51 +0100 (BST) Date: Fri, 19 Sep 2003 01:19:51 +0100 
From: Bruce M Simpson To: Avleen Vig Message-ID: <20030919001951.GD2720@saboteur.dek.spc.org> Mail-Followup-To: Avleen Vig , Roger Marquis , freebsd-security@freebsd.org References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030918231811.GE527@silverwraith.com> Organization: SPC cc: freebsd-security@freebsd.org cc: Roger Marquis Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 00:19:58 -0000 On Thu, Sep 18, 2003 at 04:18:11PM -0700, Avleen Vig wrote: > On Thu, Sep 18, 2003 at 12:21:35PM -0700, Roger Marquis wrote: > > Why FreeBSD's default installation still uses a legacy stand-alone > > ssh daemon is a question many systems administrators are asking. > > I'm certainly not one of those systems administrators. > I manage > 700 systems on a daily basis (not alone, obviously, and not > all FreeBSD). > I don't want one service (ssh) being dependent on another service > (inetd). This is bad system design. When you run out of inetd to service a single connection, you have to generate a new ephemeral key for every ssh instance. This is a needless waste of precious entropy from /dev/random. I think running sshd out of inetd is a very bad idea indeed, unless Mr Marquis is willing to stay in my datacenter and hammer the keys like a monkey all day, but even then that might be a poor source of entropy. 
BMS From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 17:28:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 16C5516A4B3 for ; Thu, 18 Sep 2003 17:28:39 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2131A43FCB for ; Thu, 18 Sep 2003 17:28:38 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 531BB65404; Fri, 19 Sep 2003 01:28:37 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 29713-03; Fri, 19 Sep 2003 01:28:36 +0100 (BST) Received: from saboteur.dek.spc.org (unknown [81.3.72.68]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 81B7065339; Fri, 19 Sep 2003 01:28:36 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 0269F9; Fri, 19 Sep 2003 01:28:33 +0100 (BST) Date: Fri, 19 Sep 2003 01:28:33 +0100 
From: Bruce M Simpson To: Scott Gerhardt Message-ID: <20030919002833.GE2720@saboteur.dek.spc.org> Mail-Followup-To: Scott Gerhardt , Roger Marquis , freebsd-security@freebsd.org References: <20030918192135.744AADACAF@mx7.roble.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: cc: freebsd-security@freebsd.org cc: Roger Marquis Subject: Questionable merits of inetd replacements X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 00:28:39 -0000 [subject change] On Thu, Sep 18, 2003 at 01:27:49PM -0600, Scott Gerhardt wrote: > Better Yet, what about using xinetd which is much more configurable and > robust. I am surprised that FreeBSD's default installation still uses inetd > instead of xinetd. FreeBSD's inetd offers features which are not present in xinetd, support for IPSEC policy settings being one of them. I fail to see how using xinetd would be an improvement -- pardon my ignorance if there are features in xinetd which you feel would somehow benefit the user base enough to justify a change. If inetd is not suitable for your needs, consider installing the xinetd port, or integrating it into your own OS engineering build. 
BMS

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 17:55:29 2003
To: freebsd-security@freebsd.org
In-Reply-To: Message from Bruce M Simpson <20030919002833.GE2720@saboteur.dek.spc.org>
Date: Thu, 18 Sep 2003 17:55:27 -0700
From: Eli Dart
Message-Id: <20030919005527.35C4EF8EB@gemini.nersc.gov>
Subject: Re: Questionable merits of inetd replacements

In reply to Bruce M Simpson:

> [subject change]
>
> On Thu, Sep 18, 2003 at 01:27:49PM -0600, Scott Gerhardt wrote:
> > Better Yet, what about using xinetd which is much more configurable and
> > robust. I am surprised that FreeBSD's default installation still uses inetd
> > instead of xinetd.
>
> FreeBSD's inetd offers features which are not present in xinetd, support
> for IPSEC policy settings being one of them. I fail to see how using
> xinetd would be an improvement -- pardon my ignorance if there are features
> in xinetd which you feel would somehow benefit the user base enough to
> justify a change.

Note also that the statement that xinetd is "more robust" contradicts recent history. xinetd has had several problems recently, the latest of which was a DoS vulnerability caused by a memory leak. For something that is designed to protect services from DoS, xinetd just doesn't seem ready for prime time....

--eli

>
> If inetd is not suitable for your needs, consider installing the xinetd port,
> or integrating it into your own OS engineering build.
>
> BMS

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 17:57:00 2003
Date: Thu, 18 Sep 2003 17:56:59 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20030919001951.GD2720@saboteur.dek.spc.org>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919001951.GD2720@saboteur.dek.spc.org>
Message-Id: <20030919005659.4B5A7DACBD@mx7.roble.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

Bruce M Simpson wrote:
> When you run out of inetd to service a single connection, you have to
> generate a new ephemeral key for every ssh instance. This is a needless
> waste of precious entropy from /dev/random.

It takes all of 2 seconds to generate a ssh 2 new session on a 500Mhz cpu (causing less than 20% utilization). Considering that 99% of even the most heavily loaded servers have more than enough cpu for this task I don't really see it as an issue.

Also, by generating a different key for each session you get better entropy, which makes for better encryption, especially when you consider that the keys for one session are useless when attempting to decrypt other sessions. For this reason alone it's better to run sshd out of inetd.

> I think running sshd out of inetd is a very bad idea indeed, unless
> Mr Marquis is willing to stay in my datacenter and hammer the keys like
> a monkey all day, but even then that might be a poor source of entropy.

I've been using inetd+ssh since 1995, in dozens of data centers, across hundreds of hosts, and millions of sessions without a single problem. I wonder what Bruce Schneier would think of Mr. Simpson's understanding of cryptography?
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 18:07:11 2003
Date: Thu, 18 Sep 2003 18:07:10 -0700 (PDT)
From: Roger Marquis
To: freebsd-security@freebsd.org
In-Reply-To: <20030918231811.GE527@silverwraith.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com>
Message-Id: <20030919010710.D0BA3DACBD@mx7.roble.com>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

> I don't want one service (ssh) being dependent on another service
> (inetd). This is bad system design.

Inetd was designed for processes exactly like ssh, processes that are not generating connections continuously like sendmail, apache, or named.

Duplicating inetd's features increases the total code, increases its complexity, and reduces overall security. Sshd doesn't need to know how to run as a daemon. That code is already in inetd. Sshd also doesn't need to duplicate the connection limiting, process limiting, and tcp_wrappers already built into inetd. This is why all modern unix systems have inetd or xinetd.
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 18:29:46 2003
Message-ID: <3F6A5BBF.3020102@sitetronics.com>
Date: Fri, 19 Sep 2003 03:28:31 +0200
From: "Devon H. O'Dell"
To: freebsd-security@freebsd.org
Subject: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]

Roger Marquis wrote:

> [snip]
>
> It takes all of 2 seconds to generate a ssh 2 new session on a
> 500Mhz cpu (causing less than 20% utilization). Considering that
> 99% of even the most heavily loaded servers have more than enough
> cpu for this task I don't really see it as an issue.
>
> Also, by generating a different key for each session you get better
> entropy, which makes for better encryption, especially when you
> consider that the keys for one session are useless when attempting
> to decrypt other sessions. For this reason alone it's better to
> run sshd out of inetd.
>
>> I think running sshd out of inetd is a very bad idea indeed, unless
>> Mr Marquis is willing to stay in my datacenter and hammer the keys like
>> a monkey all day, but even then that might be a poor source of entropy.
>
> I've been using inetd+ssh since 1995, in dozens of data centers,
> across hundreds of hosts, and millions of sessions without a single
> problem. I wonder what Bruce Schneier would think of Mr. Simpson's
> understanding of cryptography?

If I'm not mistaken, /dev/random is a pseudo-random generator, which means it has a certain period before it begins to repeat numbers (along with that it just isn't truly random). So, please correct me if I'm wrong, but doesn't this mean that when reading from /dev/random, you're 'losing' randomness/entropy/whatever you're calling it?
On a related note, the manpage entry for sshd states:

     -i      Specifies that sshd is being run from inetd. sshd is normally
             not run from inetd because it needs to generate the server key
             before it can respond to the client, and this may take tens of
             seconds. Clients would have to wait too long if the key was
             regenerated every time. However, with small key sizes (e.g.,
             512) using sshd from inetd may be feasible.

This is apparently the 'official' reason for not using it within inetd. What are current times on servers running at 1GHz or whatever's standard for 1Us these days. What are feasible key sizes at the moment? I do not run sshd from inetd and have thus never had said speed issues.

But really, please lose the sarcasm.

--Devon

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 18:33:33 2003
Date: Thu, 18 Sep 2003 18:33:31 -0700 (PDT)
From: Jason Stone
To: freebsd-security@freebsd.org
Message-ID: <20030918175448.E55021@walter>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

> Advantages to using inetd include connection count limiting,
> connection rate limiting, tcp_wrappers, address binding, and
> simplicity (KIS), among others.
>
> Back when ssh was originally developed, in the days of 50Mhz
> processors, key generation time made running sshd out of inetd slow.
> For the past several years, however, this has not been an issue.
> Why FreeBSD's default installation still uses a legacy stand-alone
> ssh daemon is a question many systems administrators are asking.

Uh, you've got it backwards dude - inetd was developed way way back in the day, when having a separate telnetd, ftpd, etc all running all the time consumed too many resources. Most modern daemons (sshd, apache, bind, dhcpd, etc) all run as standalones - the ones that still want inetd are stuff like talkd, fingerd, uucpd - ie, the daemons that no one runs anymore.

And how is having two daemons (inetd and sshd), each with their own config files and implementation bogosities _simpler_ than just the one? Uh, I could run inetd _and_ sshd, or just sshd - hmm, which do I think is simpler...?

And sshd has all the "advantages of inetd" which you mention.

From a security standpoint, I really think that inetd ought not be used. It's an additional root-running source of complexity and potential bugs, and it is almost never necessary.
-Jason

--------------------------------------------------------------------------
Freud himself was a bit of a cold fish, and one cannot avoid the suspicion
that he was insufficiently fondled when he was an infant.
    -- Ashley Montagu

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 18:36:37 2003
Date: Thu, 18 Sep 2003 19:36:36 -0600
From: "David G. Andersen"
To: "Devon H. O'Dell"
Message-ID: <20030918193636.A94860@cs.utah.edu>
References: <3F6A5BBF.3020102@sitetronics.com>
In-Reply-To: <3F6A5BBF.3020102@sitetronics.com>; from dodell@sitetronics.com on Fri, Sep 19, 2003 at 03:28:31AM +0200
cc: freebsd-security@freebsd.org
Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh]

Devon H. O'Dell just mooed:
>
> If I'm not mistaken, /dev/random is a pseudo-random generator, which
> means it has a certain period before it begins to repeat numbers (along
> with that it just isn't truly random). So, please correct me if I'm
> wrong, but doesn't this mean that when reading from /dev/random, you're
> 'losing' randomness/entropy/whatever you're calling it?

You're mistaken. /dev/random stops feeding you random bits when it doesn't have enough. /dev/urandom depletes the entropy pool, but when it starts to run out, it falls back to hashing to generate pseudo-random sequences from the random bits that it can obtain.

-Dave

-- 
work: dga@lcs.mit.edu
me: dga@pobox.com
MIT Laboratory for Computer Science
http://www.angio.net/
I do not accept unsolicited commercial email. Do not spam me.

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 19:44:42 2003
Date: Fri, 19 Sep 2003 03:44:33 +0100
From: Bruce M Simpson
To: Roger Marquis
Message-ID: <20030919024433.GA1190@saboteur.dek.spc.org>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919001951.GD2720@saboteur.dek.spc.org> <20030919005659.4B5A7DACBD@mx7.roble.com>
In-Reply-To: <20030919005659.4B5A7DACBD@mx7.roble.com>
Organization: SPC
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

Hello,

On Thu, Sep 18, 2003 at 05:56:59PM -0700, Roger Marquis wrote:
> It takes all of 2 seconds to generate a ssh 2 new session on a
> 500Mhz cpu (causing less than 20% utilization). Considering that
> 99% of even the most heavily loaded servers have more than enough
> cpu for this task I don't really see it as an issue.

I'd be wary of making this the default system behaviour. If you feel strongly about this, consider submitting a convenience port similar to sysutils/comconsole which reconfigures the shipping sshd to run under inetd so that others can benefit from your approach.

For occasional use by systems administrators, it may be fine. This still taxes the system entropy pool under load. For a box serving many shell users, or for an embedded target, or for a home user/non-profit organization with older hardware it may not be acceptable.

If you're confident that your configured randomness sources are good enough to cope with your use of sshd in this way, good for you -- personally I would feel better about doing it on a 5.x system, where Mark Murray's rewrite of the arc4random system in favour of Yarrow has been committed.

> Also, by generating a different key for each session you get better
> entropy, which makes for better encryption, especially when you
> consider that the keys for one session are useless when attempting
> to decrypt other sessions. For this reason alone it's better to
> run sshd out of inetd.

Not to dismiss the idea of running sshd from inetd out of hand, however. In terms of compartmentalization it is a win in that there is no perpetually running sshd with root privileges to exploit - sshd is launched in stream mode, bound to sockets handed off by inetd to it in the traditional inetd server manner.

Compartmentalization of privilege is something which may be addressed in future by other means, though -- the work being done in TrustedBSD just now reflects this. It is something which the privsep feature in sshd is meant to address.

Some people might feel uncomfortable with having two daemons running as root instead of just one, though, in the inetd case.

> I've been using inetd+ssh since 1995, in dozens of data centers,
> across hundreds of hosts, and millions of sessions without a single
> problem. I wonder what Bruce Schneier would think of Mr. Simpson's
> understanding of cryptography?

I haven't met Mr Schneier but am familiar with his work, and have read his books. 'Secrets and Lies' and 'Applied Cryptography' are staple favorites.

BMS

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 20:09:53 2003
Date: Thu, 18 Sep 2003 20:09:51 -0700
From: Avleen Vig
To: Roger Marquis
Message-ID: <20030919030951.GJ527@silverwraith.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919010710.D0BA3DACBD@mx7.roble.com>
In-Reply-To: <20030919010710.D0BA3DACBD@mx7.roble.com>
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> Duplicating inetd's features increases the total code, increases
> its complexity, and reduces overall security. Sshd doesn't need
> to know how to run as a daemon. That code is already in inetd.
> Sshd also doesn't need to duplicate the connection limiting, process
> limiting, and tcp_wrappers already built into inetd. This is why
> all modern unix systems have inetd or xinetd.

But by the same token, ssh is a security application, and running it through inetd potentially reduces its security effectiveness by introducing code which isn't of the same standard as sshd.

Compare all security vulnerabilities in sshd with all security vulnerabilities in inetd. Now, would you prefer to have only the vulnerabilities in sshd present, or both sshd AND inetd?

From owner-freebsd-security@FreeBSD.ORG Thu Sep 18 20:14:54 2003
Date: Thu, 18 Sep 2003 20:14:54 -0700 (PDT)
From: Roger Marquis
To: Avleen Vig
In-Reply-To: <20030919030951.GJ527@silverwraith.com>
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919030951.GJ527@silverwraith.com>
Message-Id: <20030919031454.20CD0DACAF@mx7.roble.com>
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

On Thu, 18 Sep 2003, Avleen Vig wrote:
> On Thu, Sep 18, 2003 at 06:07:10PM -0700, Roger Marquis wrote:
> > Duplicating inetd's features increases the total code, increases
> > its complexity, and reduces overall security. Sshd doesn't need
> > to know how to run as a daemon. That code is already in inetd.
> > Sshd also doesn't need to duplicate the connection limiting, process
> > limiting, and tcp_wrappers already built into inetd. This is why
> > all modern unix systems have inetd or xinetd.
>
> ...
> Compare all security vulnerabilities in sshd with all security
> vulnerabilities in inetd.
> Now, would you prefer to have only the vulnerabilities in sshd present,
> or both sshd AND inetd?

Which is why you wouldn't run sshd out of inetd on a server that wasn't already running an inetd. Running sshd as a daemon on a system that's already running inetd IS your second scenario.
-- 
Roger Marquis
Roble Systems Consulting
http://www.roble.com/

From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 00:37:16 2003
To: Roger Marquis
References: <20030918192135.744AADACAF@mx7.roble.com> <20030918231811.GE527@silverwraith.com> <20030919001951.GD2720@saboteur.dek.spc.org> <20030919005659.4B5A7DACBD@mx7.roble.com>
From: des@des.no (Dag-Erling Smørgrav)
Date: Fri, 19 Sep 2003 09:37:10 +0200
In-Reply-To: <20030919005659.4B5A7DACBD@mx7.roble.com> (Roger Marquis's message of "Thu, 18 Sep 2003 17:56:59 -0700 (PDT)")
cc: freebsd-security@freebsd.org
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh

Roger Marquis writes:
> Bruce M Simpson wrote:
> > When you run out of inetd to service a single connection, you have to
> > generate a new ephemeral key for every ssh instance. This is a needless
> > waste of precious entropy from /dev/random.
> [...]
> Also, by generating a different key for each session you get better
> entropy, which makes for better encryption, especially when you
> consider that the keys for one session are useless when attempting
> to decrypt other sessions. For this reason alone it's better to
> run sshd out of inetd.
> [...]
> I've been using inetd+ssh since 1995, in dozens of data centers,
> across hundreds of hosts, and millions of sessions without a single
> problem. I wonder what Bruce Schneier would think of Mr. Simpson's
> understanding of cryptography?

I think you're the one in need of a refresher course, as you obviously do not understand the meaning of the word "entropy" in the context of cryptographic-strength PRNGs.

Entropy is a limited resource, and using more of it *reduces* rather than increases its quality. I don't suppose you have a thermal entropy generator in every single machine you administrate, do you?

DES
-- 
Dag-Erling Smørgrav - des@des.no

From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 03:39:55 2003
Date: Tue, 16 Sep 2003 17:36:03 +0300
From: Vlad Galu
To: freebsd-security@freebsd.org
In-Reply-To: <20030916134347.GA30359@madman.celabo.org>
References: <20030916134347.GA30359@madman.celabo.org>
Organization: Romania Data Systems
Message-Id: <20030919103953.1AB2A43FBF@mx1.FreeBSD.org>
Subject: Re: OpenSSH heads-up

On Tue, 16 Sep 2003 08:43:47 -0500 "Jacques A. Vidrine" wrote:

> OK, an official OpenSSH advisory was released, see here:
> http://www.mindrot.org/pipermail/openssh-unix-announce/2003-September/000063.html
>

So what this basically does is: not incrementing buffer->alloc, but using a new integer variable instead, which we compare to 0xa00000. How does this help? I'm not an expert in off-by-one vulnerabilities. It'd be nice if someone enlightened me a little bit.

>
> The fix is currently in FreeBSD -CURRENT and -STABLE. It will be
> applied to the security branches as well today. Attached are patches:

I noticed the patch being committed to the openssh ports. Is it going to be merged in the source tree as well? I took the liberty of modifying buffer.c myself, like Jacques' patch did.

>
> buffer46.patch -- For FreeBSD 4.6-RELEASE and later
> buffer45.patch -- For FreeBSD 4.5-RELEASE and earlier
>
> Currently, I don't believe that this bug is actually exploitable for
> code execution on FreeBSD, but I reserve the right to be wrong :-)
>
> Cheers,
> --
> Jacques Vidrine . NTT/Verio SME . FreeBSD UNIX . Heimdal
> nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se
>

------
Vlad Galu
Senior IP Engineer
Romania Data Systems
NOC in Bucharest
Phone: +40 21 30 10 850
Web: http://www.rdsnet.ro
PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x53ABCE97

From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 05:28:54 2003
Message-Id: <200309190802.h8J82bfq006549@grimreaper.grondar.org>
To: "Devon H. O'Dell"
From: Mark Murray In-Reply-To: Your message of "Fri, 19 Sep 2003 03:28:31 +0200." <3F6A5BBF.3020102@sitetronics.com> Date: Fri, 19 Sep 2003 09:02:37 +0100 Sender: mark@grondar.org X-Spam-Status: No, hits=-2.3 required=5.0 tests=EMAIL_ATTRIBUTION,FWD_MSG,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 12:28:54 -0000 "Devon H. O'Dell" writes: > If I'm not mistaken, /dev/random is a pseudo-random generator, which > means it has a certain period before it begins to repeat numbers (along > with that it just isn't truly random). So, please correct me if I'm > wrong, but doesn't this mean that when reading from /dev/random, you're > 'losing' randomness/entropy/whatever you're calling it? You are very mistaken indeed :-). In FreeBSD-4-*, /dev/random is an "entropy distiller", albeit not a very good one as it is not very conservative. On that system, /dev/urandom is a very complex PRNG, with the added feature of being perturbed by actual entropy. In FreeBSD-5-* there is no separate /dev/urandom, and /dev/random is driven by Yarrow (http://www.counterpane.com/yarrow/). This is a PRNG+entropy-harvester, and it is _very_ conservative. As long as _some_ entropy is being harvested, it is unlikely that either generator will produce a repeating sequence _ever_. 
M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 05:28:59 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 8174D16A4B3 for ; Fri, 19 Sep 2003 05:28:59 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 48D7543FE1 for ; Fri, 19 Sep 2003 05:28:58 -0700 (PDT) (envelope-from mark@grondar.org) Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.9/8.12.9) with ESMTP id h8JCSpt1035760; Fri, 19 Sep 2003 13:28:51 +0100 (BST) (envelope-from mark@grondar.org) Received: (from Ugrondar@localhost)h8JCSpLL035759; Fri, 19 Sep 2003 13:28:51 +0100 (BST) (envelope-from mark@grondar.org) X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f Received: from grondar.org (localhost [127.0.0.1])h8J875fq006577; Fri, 19 Sep 2003 09:07:05 +0100 (BST) (envelope-from mark@grondar.org) Message-Id: <200309190807.h8J875fq006577@grimreaper.grondar.org> To: "David G. Andersen" 
From: Mark Murray In-Reply-To: Your message of "Thu, 18 Sep 2003 19:36:36 MDT." <20030918193636.A94860@cs.utah.edu> Date: Fri, 19 Sep 2003 09:07:05 +0100 Sender: mark@grondar.org X-Spam-Status: No, hits=-2.3 required=5.0 tests=EMAIL_ATTRIBUTION,FWD_MSG,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 12:28:59 -0000 "David G. Andersen" writes: > You're mistaken. /dev/random stops feeding you random bits > when it doesn't have enough. /dev/urandom depletes the entropy > pool, but when it starts to run out, it falls back to hashing > to generate pseudo-random sequences from the random bits that > it can obtain. Mostly correct :-). /dev/urandom (in FreeBSD-4-*) always hashes the pool. It doesn't care whether or not entropy has been harvested first, unlike /dev/random which requires a positive entropy count before supplying output. (This provides a doozy of a DoS, BTW, where "cat /dev/urandom > /dev/null" renders /dev/random useless). 
M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 05:43:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D8AC616A4B3; Fri, 19 Sep 2003 05:43:24 -0700 (PDT) Received: from amsfep15-int.chello.nl (amsfep15-int.chello.nl [213.46.243.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1514A43F3F; Fri, 19 Sep 2003 05:43:23 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep15-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030919124321.SDPN6169.amsfep15-int.chello.nl@sitetronics.com>; Fri, 19 Sep 2003 14:43:21 +0200 Message-ID: <3F6AF99A.2050607@sitetronics.com> Date: Fri, 19 Sep 2003 14:42:02 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Mark Murray References: <200309190807.h8J875fq006577@grimreaper.grondar.org> In-Reply-To: <200309190807.h8J875fq006577@grimreaper.grondar.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 12:43:25 -0000 Mark Murray wrote: >"David G. Andersen" writes: > > >> You're mistaken. /dev/random stops feeding you random bits >>when it doesn't have enough. /dev/urandom depletes the entropy >>pool, but when it starts to run out, it falls back to hashing >>to generate pseudo-random sequences from the random bits that >>it can obtain. >> >> > >Mostly correct :-). > >/dev/urandom (in FreeBSD-4-*) always hashes the pool. It doesn't care >whether or not entropy has been harvested first, unlike /dev/random >which requires a positive entropy count before supplying output. >(This provides a doozy of a DoS, BTW, where "cat /dev/urandom > /dev/null" >renders /dev/random useless). > >M >-- >Mark Murray >iumop ap!sdn w,I idlaH > > Well, I'm glad to have gotten these several comments; I wasn't quite sure how it worked. 
Nice to see that the Yarrow is being used in 5.x :) --Devon From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 05:55:12 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 062A816A4B3 for ; Fri, 19 Sep 2003 05:55:12 -0700 (PDT) Received: from diaspar.rdsnet.ro (diaspar.rdsnet.ro [81.196.201.65]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0BD5443FD7 for ; Fri, 19 Sep 2003 05:55:10 -0700 (PDT) (envelope-from Vlad.Galu@rdsnet.ro) Received: (qmail 8316 invoked from network); 17 Sep 2003 09:04:40 -0000 Received: from unknown (HELO diaspar.rdsnet.ro) (81.196.201.65) by 0 with SMTP; 17 Sep 2003 09:04:40 -0000 Date: Wed, 17 Sep 2003 12:04:40 +0300 
From: Vlad Galu To: freebsd-security@freebsd.org In-Reply-To: <3F6820D9.9040702@sitetronics.com> References: <20030917084415.85385.qmail@web41808.mail.yahoo.com> <3F6820D9.9040702@sitetronics.com> Organization: Romania Data Systems X-Mailer: Sylpheed version 0.9.4 (GTK+ 1.2.10; i386-portbld-freebsd4.8) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Message-Id: <20030919125510.0BD5443FD7@mx1.FreeBSD.org> Subject: Re: ftp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 12:55:12 -0000 On Wed, 17 Sep 2003 10:52:41 +0200 "Devon H. O'Dell" wrote: > With the default FreeBSD FTP daemon, you can already control the ports used. > > Simply change net.inet.ip.portrange.hifirst and > net.inet.ip.portrange.hilast, which default to the following values: > net.inet.ip.portrange.hifirst: 49152 > net.inet.ip.portrange.hilast: 65535 > I haven't examined the bsdftpd source, does it read the sysctl settings and behave accordingly ? > --Devon > > Cristian Sirbu wrote: > > >Hi, > > > >Could u recommend a secure ftp daemon? I want to be able to control the ports > >it uses.... and not to have to let all of the upper ports open. > 
------ Vlad Galu Senior IP Engineer Romania Data Systems NOC in Bucharest Phone: +40 21 30 10 850 Web: http://www.rdsnet.ro PGP: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x53ABCE97 From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 06:07:32 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6B39716A4B3 for ; Fri, 19 Sep 2003 06:07:32 -0700 (PDT) Received: from amsfep12-int.chello.nl (amsfep12-int.chello.nl [213.46.243.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0B84643FBD for ; Fri, 19 Sep 2003 06:07:31 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep12-int.chello.nl ESMTP <20030919130729.CXTD22036.amsfep12-int.chello.nl@sitetronics.com>; Fri, 19 Sep 2003 15:07:29 +0200 Message-ID: <3F6AFF42.2010403@sitetronics.com> Date: Fri, 19 Sep 2003 15:06:10 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Vlad Galu References: <20030917084415.85385.qmail@web41808.mail.yahoo.com> <3F6820D9.9040702@sitetronics.com> <20030919125510.0BD5443FD7@mx1.FreeBSD.org> In-Reply-To: <20030919125510.0BD5443FD7@mx1.FreeBSD.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: ftp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 13:07:32 -0000 Vlad Galu wrote: >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >On Wed, 17 Sep 2003 10:52:41 +0200 "Devon H. O'Dell" >wrote: > > > >>With the default FreeBSD FTP daemon, you can already control the ports used. >> >>Simply change net.inet.ip.portrange.hifirst and >>net.inet.ip.portrange.hilast, which default to the following values: >>net.inet.ip.portrange.hifirst: 49152 >>net.inet.ip.portrange.hilast: 65535 >> >> >> > I haven't examined the bsdftpd source, does it read the sysctl settings and >behave accordingly ? > > Yes, this was my implication here. You can change these MIBs and restart the ftpd. 
More information is in the manpages on the subject ;) --Devon From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 06:16:44 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D47E216A4B3; Fri, 19 Sep 2003 06:16:44 -0700 (PDT) Received: from kurush.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0CBA043FAF; Fri, 19 Sep 2003 06:16:41 -0700 (PDT) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (never@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.6p2/8.12.6) with ESMTP id h8JDGc7t066269; Fri, 19 Sep 2003 16:16:38 +0300 (EEST) (envelope-from never@kurush.osdn.org.ua) Received: (from never@localhost) by kurush.osdn.org.ua (8.12.6p2/8.12.6/Submit) id h8JDGa7A066266; Fri, 19 Sep 2003 16:16:36 +0300 (EEST) (envelope-from never) Date: Fri, 19 Sep 2003 16:16:36 +0300 
From: Alexandr Kovalenko To: "Jacques A. Vidrine" , James Raftery , freebsd-security@FreeBSD.org Message-ID: <20030919131636.GB63736@nevermind.kiev.ua> References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> <20030918100907.GA85007@bender.kerna.ie> <20030918145005.GB32994@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <20030918145005.GB32994@madman.celabo.org> User-Agent: Mutt/1.5.4i Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 13:16:44 -0000 Hello, Jacques A. Vidrine! On Thu, Sep 18, 2003 at 09:50:06AM -0500, you wrote: > On Thu, Sep 18, 2003 at 11:09:07AM +0100, James Raftery wrote: > > On Wed, Sep 17, 2003 at 03:37:56PM -0700, FreeBSD Security Advisories wrote: > > > # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch > > [snip] > > > > The patch above doesn't appear to modify src/crypto/openssh/version.h > > > > > Branch Version string > > > - ------------------------------------------------------------------------- > > > RELENG_4_7 OpenSSH_3.4p1 FreeBSD-20030917 > > > > After patching (on the 4.7 security branch), my version string still > > says: > > > > sshd version OpenSSH_3.4p1 FreeBSD-20020702 > > > > Would the Security Team mind publishing a version of the patch that > > modifies the version string? > > The patch is crafted specifically to apply to the widest range of > FreeBSD versions as possible. In this way we have three patches to > distribute instead of 1 per release. (Likewise, there is a single > sendmail patch instead of 1 per release.) > > Use CVSup if you want to actually track the security branches. Use > the patch if you just want a quick fix. 
You can also pull down the > ancillary patches (version.h, newvers.sh, UPDATING, etc) via other > mechanisms (e.g. anon CVS, cvsweb) if you like. I've used cvsup to update my sources but I see the same picture in RELENG_4_7. -- NEVE-RIPE, will build world for food Ukrainian FreeBSD User Group http://uafug.org.ua/ From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 06:23:24 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 94A0E16A4B3; Fri, 19 Sep 2003 06:23:24 -0700 (PDT) Received: from amsfep14-int.chello.nl (amsfep14-int.chello.nl [213.46.243.22]) by mx1.FreeBSD.org (Postfix) with ESMTP id 95E3143F3F; Fri, 19 Sep 2003 06:23:21 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep14-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030919132240.BWXO161.amsfep14-int.chello.nl@sitetronics.com>; Fri, 19 Sep 2003 15:22:40 +0200 Message-ID: <3F6B02D2.2030609@sitetronics.com> Date: Fri, 19 Sep 2003 15:21:22 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: Alexandr Kovalenko References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> <20030918100907.GA85007@bender.kerna.ie> <20030918145005.GB32994@madman.celabo.org> <20030919131636.GB63736@nevermind.kiev.ua> In-Reply-To: <20030919131636.GB63736@nevermind.kiev.ua> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: "Jacques A. Vidrine" cc: James Raftery cc: freebsd-security@FreeBSD.org Subject: Re: [FreeBSD-Announce] FreeBSD Security AdvisoryFreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 13:23:24 -0000 Alexandr Kovalenko wrote: > [snip] > >I've used cvsup to update my sources but I see the same picture in >RELENG_4_7. > > As did I using RELENG_5_1 -- the version remains at 3.6.1p1. 
--Devon From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 06:24:56 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A951A16A4B3; Fri, 19 Sep 2003 06:24:56 -0700 (PDT) Received: from kurush.osdn.org.ua (external.osdn.org.ua [212.40.34.156]) by mx1.FreeBSD.org (Postfix) with ESMTP id 18F0943FE5; Fri, 19 Sep 2003 06:24:50 -0700 (PDT) (envelope-from never@kurush.osdn.org.ua) Received: from kurush.osdn.org.ua (never@localhost [127.0.0.1]) by kurush.osdn.org.ua (8.12.6p2/8.12.6) with ESMTP id h8JDOY7t066698; Fri, 19 Sep 2003 16:24:35 +0300 (EEST) (envelope-from never@kurush.osdn.org.ua) Received: (from never@localhost) by kurush.osdn.org.ua (8.12.6p2/8.12.6/Submit) id h8JDOXTU066695; Fri, 19 Sep 2003 16:24:33 +0300 (EEST) (envelope-from never) Date: Fri, 19 Sep 2003 16:24:33 +0300 
From: Alexandr Kovalenko To: "Devon H. O'Dell" Message-ID: <20030919132433.GA66315@nevermind.kiev.ua> References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> <20030918100907.GA85007@bender.kerna.ie> <20030918145005.GB32994@madman.celabo.org> <20030919131636.GB63736@nevermind.kiev.ua> <3F6B02D2.2030609@sitetronics.com> Mime-Version: 1.0 Content-Type: text/plain; charset=koi8-r Content-Disposition: inline In-Reply-To: <3F6B02D2.2030609@sitetronics.com> User-Agent: Mutt/1.5.4i cc: "Jacques A. Vidrine" cc: James Raftery cc: freebsd-security@FreeBSD.org Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 13:24:56 -0000 Hello, Devon H. O'Dell! On Fri, Sep 19, 2003 at 03:21:22PM +0200, you wrote: > > Alexandr Kovalenko wrote: > > >[snip] > > > >I've used cvsup to update my sources but I see the same picture in > >RELENG_4_7. > > > > > As did I using RELENG_5_1 -- the version remains at 3.6.1p1. Not version, but timestamp! 
-- NEVE-RIPE, will build world for food Ukrainian FreeBSD User Group http://uafug.org.ua/ From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 06:48:17 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 087EA16A4B3 for ; Fri, 19 Sep 2003 06:48:17 -0700 (PDT) Received: from amsfep15-int.chello.nl (amsfep15-int.chello.nl [213.46.243.28]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7281943FE0 for ; Fri, 19 Sep 2003 06:48:15 -0700 (PDT) (envelope-from dodell@sitetronics.com) Received: from sitetronics.com ([213.46.142.207]) by amsfep15-int.chello.nl (InterMail vM.5.01.05.17 201-253-122-126-117-20021021) with ESMTP id <20030919134814.UFYP6169.amsfep15-int.chello.nl@sitetronics.com> for ; Fri, 19 Sep 2003 15:48:14 +0200 Message-ID: <3F6B08D0.7080506@sitetronics.com> Date: Fri, 19 Sep 2003 15:46:56 +0200 
From: "Devon H. O'Dell" User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.4) Gecko/20030820 X-Accept-Language: en-us, en MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> <20030918100907.GA85007@bender.kerna.ie> <20030918145005.GB32994@madman.celabo.org> <20030919131636.GB63736@nevermind.kiev.ua> <3F6B02D2.2030609@sitetronics.com> <20030919132433.GA66315@nevermind.kiev.ua> In-Reply-To: <20030919132433.GA66315@nevermind.kiev.ua> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [FreeBSD-Announce] FreeBSD Security AdvisoryFreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 13:48:17 -0000 Alexandr Kovalenko wrote: >Hello, Devon H. O'Dell! > >On Fri, Sep 19, 2003 at 03:21:22PM +0200, you wrote: > > > >>Alexandr Kovalenko wrote: >> >> >> >>>[snip] >>> >>>I've used cvsup to update my sources but I see the same picture in >>>RELENG_4_7. >>> >>> >>> >>> >>As did I using RELENG_5_1 -- the version remains at 3.6.1p1. >> >> > >Not version, but timestamp! > > Umm... yeah, that was my implication. Sorry for the poor wording. My version string (generated by ssh -V or sshd --help) remains unchanged. The source is patched/updated and should by all means be invulnerable to that attack. I did not notice version.h or other related files being checked out in my cvsup. 
--Devon From owner-freebsd-security@FreeBSD.ORG Wed Sep 17 10:52:19 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D391816A4BF for ; Wed, 17 Sep 2003 10:52:19 -0700 (PDT) Received: from horsey.gshapiro.net (horsey.gshapiro.net [64.105.95.154]) by mx1.FreeBSD.org (Postfix) with ESMTP id 13F5843FBD for ; Wed, 17 Sep 2003 10:52:19 -0700 (PDT) (envelope-from gshapiro@gshapiro.net) Received: from horsey.gshapiro.net (localhost [127.0.0.1]) h8HHqIaA020461 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Wed, 17 Sep 2003 10:52:18 -0700 (PDT) Received: (from gshapiro@localhost)h8HHqIHB020460; Wed, 17 Sep 2003 10:52:18 -0700 (PDT) Date: Wed, 17 Sep 2003 10:52:18 -0700 
From: Gregory Neil Shapiro To: Mike Tancsa Message-ID: <20030917175218.GX66258@horsey.gshapiro.net> References: <20030917162118.GB4838@madman.celabo.org> <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> User-Agent: Mutt/1.5.4i X-Mailman-Approved-At: Fri, 19 Sep 2003 07:49:25 -0700 cc: freebsd-security@freebsd.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Sep 2003 17:52:19 -0000 On Wed, Sep 17, 2003 at 01:46:14PM -0400, Mike Tancsa wrote: > > Looks like they have released http://www.sendmail.org/8.12.10.html > > Are there plans to import/mfc this into stable ? No doubt a busy day for > the Sendmail folk as well :-( Import, yes. MFC is up to the RE's. From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 07:57:25 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2AF0016A4B3 for ; Fri, 19 Sep 2003 07:57:25 -0700 (PDT) Received: from tenebras.com (blade.tenebras.com [66.92.188.175]) by mx1.FreeBSD.org (Postfix) with SMTP id 2641743FD7 for ; Fri, 19 Sep 2003 07:57:22 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 98868 invoked from network); 19 Sep 2003 14:57:21 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 19 Sep 2003 14:57:21 -0000 Message-ID: <3F6B1950.8090304@tenebras.com> Date: Fri, 19 Sep 2003 07:57:20 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 Cc: freebsd-security@freebsd.org References: <200309190802.h8J82bfq006549@grimreaper.grondar.org> In-Reply-To: <200309190802.h8J82bfq006549@grimreaper.grondar.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 14:57:25 -0000 Mark Murray wrote: > In FreeBSD-5-* there is no separate /dev/urandom, and /dev/random is > driven by Yarrow (http://www.counterpane.com/yarrow/). This is a > PRNG+entropy-harvester, and it is _very_ conservative. As long as > _some_ entropy is being harvested, it is unlikely that either generator > will produce a repeating sequence _ever_. Oh? I believe that, for any finite binary string, the probability of it appearing again approaches 1 as time goes on. Don't you? Question, since I haven't looked at the code -- does it honor the /dev/crypto interface? Since, if a HW RBG is included in a crypto device, it should be used to help stir the pot. 
From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 09:15:47 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BF40B16A4B3 for ; Fri, 19 Sep 2003 09:15:47 -0700 (PDT) Received: from ns.anapanet.ru (andial01s.kubtelecom.ru [213.132.66.56]) by mx1.FreeBSD.org (Postfix) with ESMTP id C6BA643F85 for ; Fri, 19 Sep 2003 09:15:44 -0700 (PDT) (envelope-from freebsd@anapanet.ru) Received: from 192.168.2.2 (pool30-mpf.anapanet.ru [213.132.66.126]) by ns.anapanet.ru (8.12.8p1/8.12.8) with ESMTP id h8JGOCUO073720 for ; Fri, 19 Sep 2003 20:24:16 +0400 (MSD) (envelope-from freebsd@anapanet.ru) Date: Fri, 19 Sep 2003 20:17:12 +0400 
From: Nickolay Krylov X-Mailer: The Bat! (v1.61) X-Priority: 3 (Normal) Message-ID: <8937649957.20030919201712@anapanet.ru> To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Subject: making 4.8-RELEASE-p7 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Nickolay Krylov List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 16:15:47 -0000 Hello, freebsd-security. I'm trying to build 4.8-RELEASE-p7 to distribute it through my clients. What am I doing: #cd /usr/share/examples/cvsup #cvsup standard-supfile (after I've done necessary changes) #cd /usr/src #make buildworld Thus, I have /usr/obj "populated with the output of ``make buildworld''" as it described in man 7 release. Then, I have read "FreeBSD Release Engineering" by Murray Stokely, but can't understand for what #make release use env variable CVSROOT???!!!! All what I want to do - make 4.8p7 release (FTP version) from sources what I've cvsuped from RELENG_4_8 i.e. ONLY 4.8-RELEASE with security updates. Help me please, my English not perfect, may be therefore I don't understand anything. Thanks in advance, NK. 
-- Best regards, Nickolay mailto:freebsd@anapanet.ru From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 10:45:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3105916A4B3 for ; Fri, 19 Sep 2003 10:45:27 -0700 (PDT) Received: from mail.broadpark.no (mail.broadpark.no [217.13.4.2]) by mx1.FreeBSD.org (Postfix) with ESMTP id 84E5343FE0 for ; Fri, 19 Sep 2003 10:45:25 -0700 (PDT) (envelope-from des@des.no) Received: from smtp.des.no (37.80-203-228.nextgentel.com [80.203.228.37]) by mail.broadpark.no (Postfix) with ESMTP id AB6D778CC5; Fri, 19 Sep 2003 19:45:24 +0200 (MEST) Received: by smtp.des.no (Pony Express, from userid 666) id 720D099FC9; Fri, 19 Sep 2003 19:45:24 +0200 (CEST) Received: from dwp.des.no (dwp.des.no [10.0.0.4]) by smtp.des.no (Pony Express) with ESMTP id 9523899B49; Fri, 19 Sep 2003 19:45:19 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 2602) id 6BBADB84A; Fri, 19 Sep 2003 19:45:19 +0200 (CEST) To: "Devon H. O'Dell" References: <20030917084415.85385.qmail@web41808.mail.yahoo.com> <3F6820D9.9040702@sitetronics.com> <20030919125510.0BD5443FD7@mx1.FreeBSD.org> <3F6AFF42.2010403@sitetronics.com> 
From: des@des.no (Dag-Erling Smørgrav) Date: Fri, 19 Sep 2003 19:45:19 +0200 In-Reply-To: <3F6AFF42.2010403@sitetronics.com> (Devon H. O'Dell's message of "Fri, 19 Sep 2003 15:06:10 +0200") Message-ID: User-Agent: Gnus/5.090024 (Oort Gnus v0.24) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, hits=-3.0 required=8.0 tests=EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT,REFERENCES, REPLY_WITH_QUOTES,USER_AGENT_GNUS_UA version=2.55 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org cc: Vlad Galu Subject: Re: ftp X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 17:45:27 -0000 "Devon H. O'Dell" writes: > > > Simply change net.inet.ip.portrange.hifirst and > > > net.inet.ip.portrange.hilast, which default to the following values: > > > net.inet.ip.portrange.hifirst: 49152 > > > net.inet.ip.portrange.hilast: 65535 > > I haven't examined the bsdftpd source, does it read the sysctl settings and > > behave accordingly ? > Yes, this was my implication here. You can change these MIBs and > restart the ftpd. More information is in the manpages on the subject ;) All ftpd does is set a flag which causes the kernel to pick a port number in the appropriate range, thus there is no need to restart ftpd for the changes to take effect. 
DES -- Dag-Erling Smørgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 11:28:54 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1BA0616A4B3 for ; Fri, 19 Sep 2003 11:28:54 -0700 (PDT) Received: from tenebras.com (blade.tenebras.com [66.92.188.175]) by mx1.FreeBSD.org (Postfix) with SMTP id 5579A43FE3 for ; Fri, 19 Sep 2003 11:28:53 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 2801 invoked from network); 19 Sep 2003 18:28:52 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 19 Sep 2003 18:28:52 -0000 Message-ID: <3F6B4ADE.7010102@tenebras.com> Date: Fri, 19 Sep 2003 11:28:46 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: Mark Murray References: <200309191819.h8JIJOfq013739@grimreaper.grondar.org> In-Reply-To: <200309191819.h8JIJOfq013739@grimreaper.grondar.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 18:28:54 -0000 Mark Murray wrote: > For a pure PRNG, I believe that. For such a PRNG, such a string > will appear with a predictable period, and for a particular string, > the period is the same length as the string. I'm sorry, I was being both academic and intentionally silly. Strings of length one occur with a certain frequency, strings of length two, etc. If by entropy you mean incompressibility, PRNGs have 8 bits of entropy per byte. If you mean cryptographically useful (non-predictable to the left or to the right no matter how long a string you have) then PRNGs don't produce entropy. But schemes like Yarrow, or my own scheme which is a modified X9.17 with keyed hash functions used in place of DES, produce cryptographically useful random numbers, and limit the risk of prediction due to knowledge of internal state by periodically perturbing the state with "real" random bits. >>Question, since I haven't looked at the code -- does it honor the >>/dev/crypto interface? Since, if a HW RBG is included in a crypto >>device, it should be used to help stir the pot. > > > Yes. Internally. And more is coming. Good. Soekris crypto boards based on Hifn chips are cheap and useful. 
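An added sketch, not part of the original message and not Michael Sierchio's actual scheme, of the class of generator described above: the ANSI X9.17 state update with HMAC-SHA256 standing in for DES, plus a periodic reseed that mixes fresh entropy into the state. The class name, the reseed interval, the reseed mixing step and the injectable clock and entropy source are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

BLOCK = 32  # HMAC-SHA256 output size in bytes


def _prf(key: bytes, data: bytes) -> bytes:
    """Keyed hash used where X9.17 uses DES encryption E_K."""
    return hmac.new(key, data, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def counter_clock():
    """Deterministic stand-in for the X9.17 timestamp DT (for testing only)."""
    n = 0

    def tick() -> bytes:
        nonlocal n
        n += 1
        return n.to_bytes(8, "big")

    return tick


class X917HmacGenerator:
    """Hypothetical X9.17-style generator with a keyed hash and reseeding."""

    def __init__(self, key, seed, clock=None, entropy=os.urandom,
                 reseed_interval=64):
        if len(key) < 16 or len(seed) != BLOCK:
            raise ValueError("need a key of >= 16 bytes and a 32-byte seed")
        self._key = key
        self._v = seed  # secret internal state V
        self._clock = clock or (lambda: time.time_ns().to_bytes(8, "big"))
        self._entropy = entropy  # callable(n) -> n bytes of "real" randomness
        self._reseed_interval = reseed_interval
        self._blocks_since_reseed = 0

    def reseed(self, fresh=None):
        """Perturb V with fresh entropy so a leaked state stops being useful."""
        fresh = self._entropy(BLOCK) if fresh is None else fresh
        self._v = _prf(self._key, b"reseed" + self._v + fresh)
        self._blocks_since_reseed = 0

    def _next_block(self) -> bytes:
        if self._blocks_since_reseed >= self._reseed_interval:
            self.reseed()
        i = _prf(self._key, self._clock())      # I  = E_K(DT)
        r = _prf(self._key, _xor(i, self._v))   # R  = E_K(I xor V)
        self._v = _prf(self._key, _xor(r, i))   # V' = E_K(R xor I)
        self._blocks_since_reseed += 1
        return r

    def read(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self._next_block()
        return bytes(out[:n])


if __name__ == "__main__":
    # Constructed key and seed; a real deployment draws both from a trusted source.
    gen = X917HmacGenerator(os.urandom(32), os.urandom(BLOCK), reseed_interval=4)
    print(gen.read(48).hex())
```

With a fixed key, seed and clock the output is fully determined until the first reseed, which is the point made in the message: only the periodic injection of fresh entropy limits what knowledge of the internal state is worth.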
From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 11:50:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 995D916A4B3 for ; Fri, 19 Sep 2003 11:50:50 -0700 (PDT) Received: from plato.thinkhost.com (mailpipe.plato.thinkhost.com [209.61.191.249]) by mx1.FreeBSD.org (Postfix) with ESMTP id A661A43FD7 for ; Fri, 19 Sep 2003 11:50:49 -0700 (PDT) (envelope-from vladislav@davidzon.com) Received: from MobileCactus (66-234-32-43.nyc.cable.nyct.net [66.234.32.43]) by plato.thinkhost.com (8.12.8p1/8.12.6) with ESMTP id h8JInEo8041874 for ; Fri, 19 Sep 2003 14:49:14 -0400 (EDT) (envelope-from vladislav@davidzon.com) Message-Id: <200309191849.h8JInEo8041874@plato.thinkhost.com> 
From: "Vladislav Davidzon" To: Date: Fri, 19 Sep 2003 14:50:47 -0400 MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable X-Mailer: Microsoft Outlook, Build 11.0.4920 X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 In-Reply-To: <8937649957.20030919201712@anapanet.ru> Thread-Index: AcN+yTNC8AjB4iN+R96DIKiLCh8LCwAFYNzw Subject: RE: CVSUP For FreeBSD 4.8-RELEASE-p7 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 18:50:50 -0000 Greetings, I must be confused. I am doing a cvsup with a tag of RELENG_4_8 yet cvsup seems to be fetching p5 instead of p7. Is there a problem that I should be aware of here? Am I just being stupid? This same cvsup file has never done this ever before -- always fetched the latest patch level of the RELEASE without problem (that's how we're running p5 now!). Can someone explain? Sincerely, ))))) Vladislav (ô ô) -------------------------------ooO-(_)-Ooo----------------------------- Vladislav S. 
Davidzon davidzon@thinkhost.com Executive Director, ThinkHost http://www.thinkhost.com ----------------------------------------------------------------------- "The price of freedom is eternal vigilance" From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 12:41:50 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9E5FD16A4B3 for ; Fri, 19 Sep 2003 12:41:50 -0700 (PDT) Received: from monster.schulte.org (monster.schulte.org [209.134.156.193]) by mx1.FreeBSD.org (Postfix) with ESMTP id 8ECB743FBF for ; Fri, 19 Sep 2003 12:41:49 -0700 (PDT) (envelope-from schulte+freebsd@nospam.schulte.org) Received: from localhost (localhost [127.0.0.1]) by monster.schulte.org (Postfix) with ESMTP id 8B0201FB2C; Fri, 19 Sep 2003 14:41:47 -0500 (CDT) Received: from thor (thor.schulte.org [209.134.156.204]) by monster.schulte.org (Postfix) with ESMTP id 9413E1FB2B; Fri, 19 Sep 2003 14:41:46 -0500 (CDT) From: "Christopher Schulte" To: "'Vladislav Davidzon'" , Date: Fri, 19 Sep 2003 14:42:09 -0500 MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit X-Mailer: Microsoft Office Outlook, Build 11.0.5510 In-Reply-To: <200309191849.h8JInEo8041874@plato.thinkhost.com> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 Thread-Index: AcN+yTNC8AjB4iN+R96DIKiLCh8LCwAFYNzwAAGv1IA= Message-Id: <20030919194146.9413E1FB2B@monster.schulte.org> X-Virus-Scanned: by AMaViS 0.3.12pre8 on monster.schulte.org Subject: RE: CVSUP For FreeBSD 4.8-RELEASE-p7 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 19:41:50 -0000 > -----Original Message----- 
> From: owner-freebsd-security@freebsd.org > [mailto:owner-freebsd-security@freebsd.org] On Behalf Of > Vladislav Davidzon > Sent: Friday, September 19, 2003 1:51 PM > To: freebsd-security@freebsd.org > Subject: RE: CVSUP For FreeBSD 4.8-RELEASE-p7 > > Greetings, > > I must be confused. I am doing a cvsup with a tag of RELENG_4_8 yet > cvsup seems to be fetching p5 instead of p7. Is there a problem that > I should be aware of here? Am I just being stupid? This same cvsup > file has never done this ever before -- always fetched the latest > patch level of the RELEASE without problem (that's how we're running p5 > now!). Can someone explain? You might be fetching source from a stale cvsup server. Try one of the others till you get -p7. Then email the stale server's admin and let him/her know there's a problem. --Chris From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 12:50:39 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 76A5516A4BF for ; Fri, 19 Sep 2003 12:50:39 -0700 (PDT) Received: from arginine.spc.org (arginine.spc.org [195.206.69.236]) by mx1.FreeBSD.org (Postfix) with ESMTP id 9742543FBF for ; Fri, 19 Sep 2003 12:50:37 -0700 (PDT) (envelope-from bms@spc.org) Received: from localhost (localhost [127.0.0.1]) by arginine.spc.org (Postfix) with ESMTP id 4E3F5653D8; Fri, 19 Sep 2003 20:50:36 +0100 (BST) Received: from arginine.spc.org ([127.0.0.1]) by localhost (arginine.spc.org [127.0.0.1]) (amavisd-new, port 10024) with LMTP id 38654-03; Fri, 19 Sep 2003 20:50:35 +0100 (BST) Received: from saboteur.dek.spc.org (lardystuffer.demon.co.uk [212.228.40.202]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by arginine.spc.org (Postfix) with ESMTP id 517C6653C6; Fri, 19 Sep 2003 20:50:34 +0100 (BST) Received: by saboteur.dek.spc.org (Postfix, from userid 1001) id 49C6B1D; Fri, 19 Sep 2003 20:50:25 
+0100 (BST) Date: Fri, 19 Sep 2003 20:50:25 +0100 
From: Bruce M Simpson To: Michael Sierchio Message-ID: <20030919195025.GB3815@saboteur.dek.spc.org> Mail-Followup-To: Michael Sierchio , freebsd-security@freebsd.org References: <200309190802.h8J82bfq006549@grimreaper.grondar.org> <3F6B1950.8090304@tenebras.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <3F6B1950.8090304@tenebras.com> Organization: SPC cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 19:50:39 -0000 On Fri, Sep 19, 2003 at 07:57:20AM -0700, Michael Sierchio wrote: > Question, since I haven't looked at the code -- does it honor the > /dev/crypto interface? Since, if a HW RBG is included in a crypto > device, it should be used to help stir the pot. Stacy Millions had a driver in the works to support the Intel i8xx FWH HW RNG. As far as I know it hasn't been committed, I'd certainly like to see this code updated. 
BMS From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 13:09:28 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 81CA616A4B3 for ; Fri, 19 Sep 2003 13:09:28 -0700 (PDT) Received: from smtp3.sentex.ca (smtp3.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3575D43FAF for ; Fri, 19 Sep 2003 13:09:26 -0700 (PDT) (envelope-from damian@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smtp3.sentex.ca (8.12.9/8.12.9p) with ESMTP id h8JK9L03003262 for ; Fri, 19 Sep 2003 16:09:21 -0400 (EDT) (envelope-from damian@sentex.net) Received: from pegmatite.sentex.ca (pegmatite.sentex.ca [192.168.42.92]) by lava.sentex.ca (8.12.9/8.12.8) with ESMTP id h8JK9PIp079768 for ; Fri, 19 Sep 2003 16:09:25 -0400 (EDT) (envelope-from damian@sentex.net) Received: by pegmatite.sentex.ca (Postfix, from userid 1001) id 2068017149; Fri, 19 Sep 2003 16:09:19 -0400 (EDT) Date: Fri, 19 Sep 2003 16:09:19 -0400 
From: Damian Gerow To: freebsd-security@freebsd.org Message-ID: <20030919200919.GM16519@sentex.net> Mail-Followup-To: freebsd-security@freebsd.org References: <200309190802.h8J82bfq006549@grimreaper.grondar.org> <3F6B1950.8090304@tenebras.com> <20030919195025.GB3815@saboteur.dek.spc.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030919195025.GB3815@saboteur.dek.spc.org> X-GPG-Key-Id: 0xB841F142 X-GPG-Fingerprint: C7C1 E1D1 EC06 7C86 AF7C 57E6 173D 9CF6 B841 F142 X-Habeas-SWE-1: winter into spring X-Habeas-SWE-2: brightly anticipated X-Habeas-SWE-3: like Habeas SWE (tm) X-Habeas-SWE-4: Copyright 2002 Habeas (tm) X-Habeas-SWE-5: Sender Warranted Email (SWE) (tm). The sender of this X-Habeas-SWE-6: email in exchange for a license for this Habeas X-Habeas-SWE-7: warrant mark warrants that this is a Habeas Compliant X-Habeas-SWE-8: Message (HCM) and not spam. Please report use of this X-Habeas-SWE-9: mark in spam to . User-Agent: Mutt/1.5.4i X-Virus-Scanned: By Sentex Communications (lava/20020517) Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 20:09:28 -0000 Thus spake Bruce M Simpson (bms@spc.org) [19/09/03 15:52]: > Stacy Millions had a driver in the works to support the Intel i8xx FWH > HW RNG. As far as I know it hasn't been committed, I'd certainly like > to see this code updated. On a similar vein, is anyone working on something for the C3 Nehemiah? 
From owner-freebsd-security@FreeBSD.ORG Fri Sep 19 13:58:16 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 38C6216A4BF for ; Fri, 19 Sep 2003 13:58:16 -0700 (PDT) Received: from tenebras.com (blade.tenebras.com [66.92.188.175]) by mx1.FreeBSD.org (Postfix) with SMTP id 480D643FE9 for ; Fri, 19 Sep 2003 13:58:14 -0700 (PDT) (envelope-from kudzu@tenebras.com) Received: (qmail 5379 invoked from network); 19 Sep 2003 20:58:14 -0000 Received: from sapphire.tenebras.com (HELO tenebras.com) (192.168.188.241) by laptop.tenebras.com with SMTP; 19 Sep 2003 20:58:14 -0000 Message-ID: <3F6B6DE4.5020003@tenebras.com> Date: Fri, 19 Sep 2003 13:58:12 -0700 
From: Michael Sierchio User-Agent: Mozilla/5.0 (X11; U; Linux i386; en-US; rv:1.4) Gecko/20030624 X-Accept-Language: en-us, zh-tw, zh-cn, fr, en, de-de MIME-Version: 1.0 To: freebsd-security@freebsd.org References: <200309190802.h8J82bfq006549@grimreaper.grondar.org> <3F6B1950.8090304@tenebras.com> <20030919195025.GB3815@saboteur.dek.spc.org> In-Reply-To: <20030919195025.GB3815@saboteur.dek.spc.org> Content-Type: text/plain; charset=us-ascii; format=flowed Content-Transfer-Encoding: 7bit Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 19 Sep 2003 20:58:16 -0000 Bruce M Simpson wrote: >>Question, since I haven't looked at the code -- does it honor the >>/dev/crypto interface? Since, if a HW RBG is included in a crypto >>device, it should be used to help stir the pot. > > Stacy Millions had a driver in the works to support the Intel i8xx FWH > HW RNG. As far as I know it hasn't been committed, I'd certainly like > to see this code updated. Good. On linux, where /dev/random comes from, there is no (or was no) rndcontrol. The standard sources of entropy were keyboard and mouse. Very funny for a rackmount server, you can run out of random bits in a hurry. 
From owner-freebsd-security@FreeBSD.ORG Sat Sep 20 00:20:14 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74C5716A4B3 for ; Sat, 20 Sep 2003 00:20:14 -0700 (PDT) Received: from Svarun.Gotska.IJP.Si (BSN-77-156-167.dsl.siol.net [193.77.156.167]) by mx1.FreeBSD.org (Postfix) with ESMTP id C151143FF2 for ; Sat, 20 Sep 2003 00:20:12 -0700 (PDT) (envelope-from brodnik@Svarun.Gotska.IJP.Si) Received: from Svarun.Gotska.IJP.Si (localhost.Gotska.IJP.Si [127.0.0.1]) h8K7KAa6030974; Sat, 20 Sep 2003 09:20:10 +0200 (CEST) (envelope-from brodnik@Svarun.Gotska.IJP.Si) Received: (from brodnik@localhost) by Svarun.Gotska.IJP.Si (8.12.3p2/8.12.3/Submit) id h8K7K8qt030973; Sat, 20 Sep 2003 09:20:08 +0200 (CEST) Date: Sat, 20 Sep 2003 09:20:08 +0200 
From: "Andrej (Andy) Brodnik" To: Andrew McNaughton Message-ID: <20030920072008.GK7655@Svarun.Gotska.IJP.SI> References: <20030917162118.GB4838@madman.celabo.org> <6.0.0.22.0.20030917134441.08ac86a8@209.112.4.2> <20030918161314.J29876@a2.scoop.co.nz> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030918161314.J29876@a2.scoop.co.nz> User-Agent: Mutt/1.4.1i cc: freebsd-security@freebsd.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 07:20:14 -0000 On Thu, Sep 18, 2003 at 04:17:07PM +1200, Andrew McNaughton wrote: > > I've been using sendmail from ports for some time. I just upgraded > to sendmail 8.12.10 by changing the version number in the makefile, > then doing `make makesum build deinstall reinstall`. > > Everything built cleanly, started up ok, accepted a delivery and > generally looks oK so far an outgoiand looks ok so far. And this is OK? I mean does this remove the security problem? LPA (= {Lep pozdrav! 
Andrej}_{Slovene} == {Best Regards, Andrej}) From owner-freebsd-security@FreeBSD.ORG Sat Sep 20 01:15:27 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E301B16A4B3 for ; Sat, 20 Sep 2003 01:15:27 -0700 (PDT) Received: from storm.FreeBSD.org.uk (storm.FreeBSD.org.uk [194.242.157.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id B617C43F85 for ; Sat, 20 Sep 2003 01:15:26 -0700 (PDT) (envelope-from mark@grondar.org) Received: from storm.FreeBSD.org.uk (Ugrondar@localhost [127.0.0.1]) by storm.FreeBSD.org.uk (8.12.9/8.12.9) with ESMTP id h8K8FPKZ095704; Sat, 20 Sep 2003 09:15:25 +0100 (BST) (envelope-from mark@grondar.org) Received: (from Ugrondar@localhost)h8K8FPpL095703; Sat, 20 Sep 2003 09:15:25 +0100 (BST) (envelope-from mark@grondar.org) X-Authentication-Warning: storm.FreeBSD.org.uk: Ugrondar set sender to mark@grondar.org using -f Received: from grondar.org (localhost [127.0.0.1])h8K8Gpfq022340; Sat, 20 Sep 2003 09:16:51 +0100 (BST) (envelope-from mark@grondar.org) Message-Id: <200309200816.h8K8Gpfq022340@grimreaper.grondar.org> To: Damian Gerow 
From: Mark Murray In-Reply-To: Your message of "Fri, 19 Sep 2003 16:09:19 EDT." <20030919200919.GM16519@sentex.net> Date: Sat, 20 Sep 2003 09:16:51 +0100 Sender: mark@grondar.org X-Spam-Status: No, hits=-2.3 required=5.0 tests=EMAIL_ATTRIBUTION,FWD_MSG,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES version=2.55 X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp) cc: freebsd-security@freebsd.org Subject: Re: [Fwd: Re: FreeBSD Security Advisory FreeBSD-SA-03:12.openssh] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 08:15:28 -0000 Damian Gerow writes: > Thus spake Bruce M Simpson (bms@spc.org) [19/09/03 15:52]: > > Stacy Millions had a driver in the works to support the Intel i8xx FWH > > HW RNG. As far as I know it hasn't been committed, I'd certainly like > > to see this code updated. > > On a similar vein, is anyone working on something for the C3 Nehemiah? Yes. Me. Also the Intel driver. M -- Mark Murray iumop ap!sdn w,I idlaH From owner-freebsd-security@FreeBSD.ORG Sat Sep 20 10:22:48 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A311216A4B3 for ; Sat, 20 Sep 2003 10:22:48 -0700 (PDT) Received: from worf.kerna.com (worf.kerna.com [194.106.143.118]) by mx1.FreeBSD.org (Postfix) with SMTP id 418D343FE0 for ; Sat, 20 Sep 2003 10:22:47 -0700 (PDT) (envelope-from james@kerna.ie) Received: (qmail 94095 invoked by uid 1001); 20 Sep 2003 17:22:54 -0000 Date: Sat, 20 Sep 2003 18:22:53 +0100 
From: James Raftery To: freebsd-security@FreeBSD.org Message-ID: <20030920172253.GA94049@bender.kerna.ie> Mail-Followup-To: freebsd-security@FreeBSD.org References: <200309172237.h8HMbuvK078935@freefall.freebsd.org> <20030918100907.GA85007@bender.kerna.ie> <20030918145005.GB32994@madman.celabo.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20030918145005.GB32994@madman.celabo.org> Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 20 Sep 2003 17:22:48 -0000 On Thu, Sep 18, 2003 at 09:50:06AM -0500, Jacques A. Vidrine wrote: > In this way we have three patches to distribute instead of 1 per > release. (Likewise, there is a single sendmail patch instead of 1 per > release.) I see; I hadn't considered that version.h would need a custom patch on each branch. Updated patch strings probably aren't worth the complication. > You can also pull down the ancillary patches (version.h, newvers.sh, > UPDATING, etc) via other mechanisms (e.g. anon CVS, cvsweb) if you > like. Indeed - I have already done so. 
My scanssh output now looks a lot healthier :) Thanks, james From owner-freebsd-security@FreeBSD.ORG Sat Sep 20 20:05:37 2003 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id CC83E16A4B3 for ; Sat, 20 Sep 2003 20:05:37 -0700 (PDT) Received: from a2.scoop.co.nz (aurora.scoop.co.nz [203.96.152.68]) by mx1.FreeBSD.org (Postfix) with ESMTP id 492FD43FBF for ; Sat, 20 Sep 2003 20:05:36 -0700 (PDT) (envelope-from andrew@scoop.co.nz) Received: from localhost (localhost [127.0.0.1]) by a2.scoop.co.nz (8.12.10/8.12.9) with ESMTP id h8L35YWm056426; Sun, 21 Sep 2003 15:05:34 +1200 (NZST) (envelope-from andrew@scoop.co.nz) Date: Sun, 21 Sep 2003 15:05:34 +1200 (NZST) From: Andrew McNaughton To: "Andrej (Andy) Brodnik" In-Reply-To: <20030920072008.GK7655@Svarun.Gotska.IJP.SI> Message-ID: <20030921145659.B56005@a2.scoop.co.nz> References: <20030917162118.GB4838@madman.celabo.org> <20030918161314.J29876@a2.scoop.co.nz> <20030920072008.GK7655@Svarun.Gotska.IJP.SI> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII cc: freebsd-security@freebsd.org Subject: Re: Sendmail vulnerability X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Security issues [members-only posting] List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 21 Sep 2003 03:05:37 -0000 On Sat, 20 Sep 2003, Andrej (Andy) Brodnik wrote: > Date: Sat, 20 Sep 2003 09:20:08 +0200 
> From: "Andrej (Andy) Brodnik" > To: Andrew McNaughton > Cc: freebsd-security@freebsd.org > Subject: Re: Sendmail vulnerability > > On Thu, Sep 18, 2003 at 04:17:07PM +1200, Andrew McNaughton wrote: > > > > I've been using sendmail from ports for some time. I just upgraded > > to sendmail 8.12.10 by changing the version number in the makefile, > > then doing `make makesum build deinstall reinstall`. > > > > Everything built cleanly, started up ok, accepted a delivery and > > generally looks oK so far an outgoiand looks ok so far. > > And this is OK? I mean does this remove the security problem? I haven't tested vulnerability directly, but 8.12.10 was brought out after the exploit was reported in order to address the security issue. Since my message to the list, the sendmail port has been updated in the FreeBSD CVS repository in precisely the same way I did it. The CVS update has the message: Security update to 8.12.10 Approved by: marcus (portmgr) You could always check the new sendmail sources yourself. -- No added Sugar. Not tested on animals. May contain traces of Nuts. If irritation occurs, discontinue use. ------------------------------------------------------------------- Andrew McNaughton Currently in Boomer Bay, Tasmania andrew@scoop.co.nz Mobile: +61 422 753 792 http://staff.scoop.co.nz/andrew/cv.doc