From owner-freebsd-security@FreeBSD.ORG Tue Sep 5 14:53:46 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 35D9216A4DA for ; Tue, 5 Sep 2006 14:53:46 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id C1BE443D49 for ; Tue, 5 Sep 2006 14:53:45 +0000 (GMT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.13.6/8.13.6) with ESMTP id k85Eri77057705 for ; Tue, 5 Sep 2006 10:53:44 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.6/8.13.3) with ESMTP id k85Erilm006653 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Tue, 5 Sep 2006 10:53:44 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <7.0.1.0.0.20060905105253.149db9a8@sentex.net> X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0 Date: Tue, 05 Sep 2006 10:53:43 -0400 To: freebsd-security@freebsd.org From: Mike Tancsa Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Scanned: ClamAV version 0.88.3, clamav-milter version 0.88.3 on clamscanner2 X-Virus-Status: Clean Subject: http://www.openssl.org/news/secadv_20060905.txt X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Sep 2006 14:53:46 -0000 Does anyone know the practicality of this attack ? i.e. is this trivial to do ? ---Mike -------------------------------------------------------------------- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, mike@sentex.net Providing Internet since 1994 www.sentex.net Cambridge, Ontario Canada www.sentex.net/mike From owner-freebsd-security@FreeBSD.ORG Tue Sep 5 15:56:35 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7FD9916A4E1; Tue, 5 Sep 2006 15:56:35 +0000 (UTC) (envelope-from mike@sentex.net) Received: from smarthost1.sentex.ca (smarthost1.sentex.ca [64.7.153.18]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0249443D45; Tue, 5 Sep 2006 15:56:31 +0000 (GMT) (envelope-from mike@sentex.net) Received: from lava.sentex.ca (pyroxene.sentex.ca [199.212.134.18]) by smarthost1.sentex.ca (8.13.6/8.13.6) with ESMTP id k85FuU49065679; Tue, 5 Sep 2006 11:56:30 -0400 (EDT) (envelope-from mike@sentex.net) Received: from mdt-xp.sentex.net (simeon.sentex.ca [192.168.43.27]) by lava.sentex.ca (8.13.6/8.13.3) with ESMTP id k85FuUnc006943 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); Tue, 5 Sep 2006 11:56:30 -0400 (EDT) (envelope-from mike@sentex.net) Message-Id: <7.0.1.0.0.20060905112743.149f17c8@sentex.net> X-Mailer: QUALCOMM Windows Eudora Version 7.0.1.0 Date: Tue, 05 Sep 2006 11:56:30 -0400 To: freebsd-security@FreeBSD.org From: Mike Tancsa In-Reply-To: <7.0.1.0.0.20060905105253.149db9a8@sentex.net> References: <7.0.1.0.0.20060905105253.149db9a8@sentex.net> Mime-Version: 1.0 Content-Type: multipart/mixed; boundary="=====================_10086109==_" X-Virus-Scanned: ClamAV version 0.88.3, clamav-milter version 0.88.3 on clamscanner2 X-Virus-Status: Clean Cc: Subject: Re: http://www.openssl.org/news/secadv_20060905.txt X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Sep 2006 15:56:35 -0000 --=====================_10086109==_ Content-Type: text/plain; charset="us-ascii"; format=flowed At 10:53 AM 9/5/2006, Mike Tancsa wrote: >Does anyone know the practicality of this attack ? i.e. is this >trivial to do ? Also, for RELENG_6, can someone confirm the patch referenced in http://www.openssl.org/news/patch-CVE-2006-4339.txt be applied with the one change of +{ERR_REASON(RSA_R_PKCS1_PADDING_TOO_SHORT),"pkcs1 padding too short"}, to +{RSA_R_PKCS1_PADDING_TOO_SHORT,"pkcs1 padding too short"}, I manually added in the diffs and everything seems to compile and function with some limited testing. I did cd /usr/src/crypton/openssl/crypto/rsa patch < p cd /usr/src/secure make clean make obj make depend make includes make make install > ---Mike > >-------------------------------------------------------------------- >Mike Tancsa, tel +1 519 651 3400 >Sentex Communications, mike@sentex.net >Providing Internet since 1994 www.sentex.net >Cambridge, Ontario Canada www.sentex.net/mike > >_______________________________________________ >freebsd-security@freebsd.org mailing list >http://lists.freebsd.org/mailman/listinfo/freebsd-security >To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" --=====================_10086109==_ Content-Type: application/octet-stream; name="p" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="p" KioqIHJzYS5oLm9sZAlGcmkgRmViIDI1IDAwOjQ5OjQzIDIwMDUKLS0tIHJzYS5oCVR1ZSBTZXAg IDUgMTE6MzU6MTAgMjAwNgoqKioqKioqKioqKioqKioKKioqIDM1MiwzNTcgKioqKgotLS0gMzUy LDM1OCAtLS0tCiAgI2RlZmluZSBSU0FfUl9OX0RPRVNfTk9UX0VRVUFMX1BfUQkJCSAxMjcKICAj ZGVmaW5lIFJTQV9SX09BRVBfREVDT0RJTkdfRVJST1IJCQkgMTIxCiAgI2RlZmluZSBSU0FfUl9Q QURESU5HX0NIRUNLX0ZBSUxFRAkJCSAxMTQKKyAjZGVmaW5lIFJTQV9SX1BLQ1MxX1BBRERJTkdf VE9PX1NIT1JUCQkJIDEwNQogICNkZWZpbmUgUlNBX1JfUF9OT1RfUFJJTUUJCQkJIDEyOAogICNk ZWZpbmUgUlNBX1JfUV9OT1RfUFJJTUUJCQkJIDEyOQogICNkZWZpbmUgUlNBX1JfUlNBX09QRVJB VElPTlNfTk9UX1NVUFBPUlRFRAkJIDEzMAoqKiogcnNhX2VheS5jLm9sZAlUdWUgU2VwICA1IDEx OjM0OjUwIDIwMDYKLS0tIHJzYV9lYXkuYwlUdWUgU2VwICA1IDExOjM2OjAwIDIwMDYKKioqKioq KioqKioqKioqCioqKiA1NjksNTc0ICoqKioKLS0tIDU2OSw1ODQgLS0tLQogIAkJewogIAljYXNl IFJTQV9QS0NTMV9QQURESU5HOgogIAkJcj1SU0FfcGFkZGluZ19jaGVja19QS0NTMV90eXBlXzEo dG8sbnVtLGJ1ZixpLG51bSk7CisgCQkvKiBHZW5lcmFsbHkgc2lnbmF0dXJlcyBzaG91bGQgYmUg YXQgbGVhc3QgMi8zIHBhZGRpbmcsIHRob3VnaAorIAkJICAgdGhpcyBpc24ndCBwb3NzaWJsZSBm b3IgcmVhbGx5IHNob3J0IGtleXMgYW5kIHNvbWUgc3RhbmRhcmQKKyAJCSAgIHNpZ25hdHVyZSBz Y2hlbWVzLCBzbyBkb24ndCBjaGVjayBpZiB0aGUgdW5wYWRkZWQgZGF0YSBpcworIAkJICAgc21h bGwuICovCisgCQlpZihyID4gNDIgJiYgMyo4KnIgPj0gQk5fbnVtX2JpdHMocnNhLT5uKSkKKyAJ CQl7CisgCQkJUlNBZXJyKFJTQV9GX1JTQV9FQVlfUFVCTElDX0RFQ1JZUFQsIFJTQV9SX1BLQ1Mx X1BBRERJTkdfVE9PX1NIT1JUKTsKKyAJCQlnb3RvIGVycjsKKyAJCQl9CisgCiAgCQlicmVhazsK ICAJY2FzZSBSU0FfTk9fUEFERElORzoKICAJCXI9UlNBX3BhZGRpbmdfY2hlY2tfbm9uZSh0byxu dW0sYnVmLGksbnVtKTsKKioqIHJzYV9lcnIuYy5vbGQJVHVlIFNlcCAgNSAxMTozNjowOSAyMDA2 Ci0tLSByc2FfZXJyLmMJVHVlIFNlcCAgNSAxMTozNjozOSAyMDA2CioqKioqKioqKioqKioqKgoq KiogMTIwLDEyNSAqKioqCi0tLSAxMjAsMTI2IC0tLS0KICB7UlNBX1JfTl9ET0VTX05PVF9FUVVB TF9QX1EgICAgICAgICAgICAgICwibiBkb2VzIG5vdCBlcXVhbCBwIHEifSwKICB7UlNBX1JfT0FF UF9ERUNPRElOR19FUlJPUiAgICAgICAgICAgICAgICwib2FlcCBkZWNvZGluZyBlcnJvciJ9LAog IHtSU0FfUl9QQURESU5HX0NIRUNLX0ZBSUxFRCAgICAgICAgICAgICAgLCJwYWRkaW5nIGNoZWNr IGZhaWxlZCJ9LAorIHtSU0FfUl9QS0NTMV9QQURESU5HX1RPT19TSE9SVCAgICAgICAgICAgLCJw a2NzMSBwYWRkaW5nIHRvbyBzaG9ydCJ9LAogIHtSU0FfUl9QX05PVF9QUklNRSAgICAgICAgICAg ICAgICAgICAgICAgLCJwIG5vdCBwcmltZSJ9LAogIHtSU0FfUl9RX05PVF9QUklNRSAgICAgICAg ICAgICAgICAgICAgICAgLCJxIG5vdCBwcmltZSJ9LAogIHtSU0FfUl9SU0FfT1BFUkFUSU9OU19O T1RfU1VQUE9SVEVEICAgICAgLCJyc2Egb3BlcmF0aW9ucyBub3Qgc3VwcG9ydGVkIn0sCioqKiBy c2Ffc2lnbi5jLm9sZAlXZWQgT2N0ICAxIDA4OjMyOjM5IDIwMDMKLS0tIHJzYV9zaWduLmMJVHVl IFNlcCAgNSAxMTozNzoyOSAyMDA2CioqKioqKioqKioqKioqKgoqKiogMTg1LDE5MCAqKioqCi0t LSAxODUsMjA4IC0tLS0KICAJCXNpZz1kMmlfWDUwOV9TSUcoTlVMTCwmcCwobG9uZylpKTsKICAK ICAJCWlmIChzaWcgPT0gTlVMTCkgZ290byBlcnI7CisgCisgCQkvKiBFeGNlc3MgZGF0YSBjYW4g YmUgdXNlZCB0byBjcmVhdGUgZm9yZ2VyaWVzICovCisgCQlpZihwICE9IHMraSkKKyAJCQl7Cisg CQkJUlNBZXJyKFJTQV9GX1JTQV9WRVJJRlksUlNBX1JfQkFEX1NJR05BVFVSRSk7CisgCQkJZ290 byBlcnI7CisgCQkJfQorIAorIAkJLyogUGFyYW1ldGVycyB0byB0aGUgc2lnbmF0dXJlIGFsZ29y aXRobSBjYW4gYWxzbyBiZSB1c2VkIHRvCisgCQkgICBjcmVhdGUgZm9yZ2VyaWVzICovCisgCQlp ZihzaWctPmFsZ29yLT5wYXJhbWV0ZXIKKyAJCSAgICYmIEFTTjFfVFlQRV9nZXQoc2lnLT5hbGdv ci0+cGFyYW1ldGVyKSAhPSBWX0FTTjFfTlVMTCkKKyAJCQl7CisgCQkJUlNBZXJyKFJTQV9GX1JT QV9WRVJJRlksUlNBX1JfQkFEX1NJR05BVFVSRSk7CisgCQkJZ290byBlcnI7CisgCQkJfQorIAor IAogIAkJc2lndHlwZT1PQkpfb2JqMm5pZChzaWctPmFsZ29yLT5hbGdvcml0aG0pOwogIAogIAo= --=====================_10086109==_-- From owner-freebsd-security@FreeBSD.ORG Tue Sep 5 16:09:13 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A168E16A4EA for ; Tue, 5 Sep 2006 16:09:13 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd2mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 3BE8D43D9D for ; Tue, 5 Sep 2006 16:09:01 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd3mr6so.prod.shaw.ca (pd3mr6so-qfe3.prod.shaw.ca [10.0.141.21]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J5400CGGNIBF7F0@l-daemon> for freebsd-security@freebsd.org; Tue, 05 Sep 2006 10:08:35 -0600 (MDT) Received: from pn2ml2so.prod.shaw.ca ([10.0.121.146]) by pd3mr6so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J5400FRYNHPJR20@pd3mr6so.prod.shaw.ca> for freebsd-security@freebsd.org; Tue, 05 Sep 2006 10:08:13 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J5400G2CNHO8MD0@l-daemon> for freebsd-security@freebsd.org; Tue, 05 Sep 2006 10:08:13 -0600 (MDT) Received: (qmail 28020 invoked from network); Tue, 05 Sep 2006 16:08:10 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Tue, 05 Sep 2006 16:08:10 +0000 Date: Tue, 05 Sep 2006 09:08:10 -0700 From: Colin Percival In-reply-to: <7.0.1.0.0.20060905105253.149db9a8@sentex.net> To: Mike Tancsa Message-id: <44FDA0EA.5050409@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <7.0.1.0.0.20060905105253.149db9a8@sentex.net> User-Agent: Thunderbird 1.5 (X11/20060416) Cc: freebsd-security@freebsd.org Subject: Re: http://www.openssl.org/news/secadv_20060905.txt X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 05 Sep 2006 16:09:13 -0000 Mike Tancsa wrote: > Does anyone know the practicality of this attack ? i.e. is this trivial > to do ? I'm as surprised by this as you are -- usually I get advance warning about upcoming OpenSSL issues via vendor-sec -- but on first glance it looks like this attack is indeed trivial. Also, it looks like the attack isn't limited to keys with a public exponent of 3; unless I misunderstand the bug, it affects small exponents generally. An exponent of 17 on a 4096-bit key is almost certainly vulnerable; beyond that I would need to read the ASN code to confirm. Keys with a public exponent of 65537 are absolutely not vulnerable to this attack. Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 21:00:37 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9322016A4F8; Wed, 6 Sep 2006 21:00:37 +0000 (UTC) (envelope-from steinex@nognu.de) Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1C09743D6E; Wed, 6 Sep 2006 21:00:22 +0000 (GMT) (envelope-from steinex@nognu.de) Received: by shodan.nognu.de (Postfix, from userid 1002) id C2428B82C; Wed, 6 Sep 2006 23:00:21 +0200 (CEST) Date: Wed, 6 Sep 2006 23:00:21 +0200 From: Frank Steinborn To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org Mail-Followup-To: freebsd-questions@freebsd.org, freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: mutt-ng/devel-r804 (FreeBSD) Message-Id: <20060906210021.C2428B82C@shodan.nognu.de> Cc: Subject: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 21:00:37 -0000 Hello, i want to encrypt my HDD's with GELI (not the root-fs, though). I want to do the encryption without password, just with a key. The key should be stored in a floppy disk, and the read should be read automatically on boot, from the floppy. There is a problem here, because GELI initializes _before_ mounting the disks from /etc/fstab (for obvious reasons, of course). So GELI is not able to get the keys from the floppy and fails. So, any hints how I could get the floppy mounted _before_ GELI tries to initialize? Thanks in advance, Frank From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 21:28:27 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E92016A4DA for ; Wed, 6 Sep 2006 21:28:27 +0000 (UTC) (envelope-from bvowk@math.ualberta.ca) Received: from 3jane.math.ualberta.ca (3jane.math.ualberta.ca [129.128.206.44]) by mx1.FreeBSD.org (Postfix) with ESMTP id BB03743D67 for ; Wed, 6 Sep 2006 21:28:21 +0000 (GMT) (envelope-from bvowk@math.ualberta.ca) Received: from 3jane.math.ualberta.ca (localhost.math.ualberta.ca [127.0.0.1]) by 3jane.math.ualberta.ca (8.13.6/8.13.6) with ESMTP id k86LSKMB037619; Wed, 6 Sep 2006 15:28:20 -0600 (MDT) (envelope-from bvowk@math.ualberta.ca) Received: from localhost (bvowk@localhost) by 3jane.math.ualberta.ca (8.13.6/8.13.6/Submit) with ESMTP id k86LSKAG037616; Wed, 6 Sep 2006 15:28:20 -0600 (MDT) (envelope-from bvowk@math.ualberta.ca) X-Authentication-Warning: 3jane.math.ualberta.ca: bvowk owned process doing -bs Date: Wed, 6 Sep 2006 15:28:20 -0600 (MDT) From: Barkley Vowk To: Frank Steinborn In-Reply-To: <20060906210021.C2428B82C@shodan.nognu.de> Message-ID: <20060906151041.N37483@3jane.math.ualberta.ca> References: <20060906210021.C2428B82C@shodan.nognu.de> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 21:28:27 -0000 You are a complete madman. You want to protect your data with a key stored on the most completely and utterly unreliable form of data storage still lamentably in use? Its not the 1970's anymore, get a real data storage medium! Get a usb flash drive, from there its a simple matter of changing the geli script to mount a specific usb device before starting. Look in /etc/rc.d/geli and geli2. I'd put your mounting and checks between the kldstat and the "if [ -z" in the geli_start() sub. You'll want to then use "geli -K" to input your key material, so you'll want to make sure your device is present, and that it has the expected key filename on it. You could also use dd and dump the first n sectors to stdout and pipe that into your geli command. Seems like quite a waste if you don't intend to use a passphrase. On Wed, 6 Sep 2006, Frank Steinborn wrote: > Hello, > > i want to encrypt my HDD's with GELI (not the root-fs, though). I want > to do the encryption without password, just with a key. The key should > be stored in a floppy disk, and the read should be read automatically > on boot, from the floppy. > > There is a problem here, because GELI initializes _before_ mounting > the disks from /etc/fstab (for obvious reasons, of course). So GELI is > not able to get the keys from the floppy and fails. > > So, any hints how I could get the floppy mounted _before_ GELI tries > to initialize? > > Thanks in advance, > Frank > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 21:59:35 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ABA7516A4E0; Wed, 6 Sep 2006 21:59:35 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id B3EF343D4C; Wed, 6 Sep 2006 21:59:34 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k86LxYkF041006; Wed, 6 Sep 2006 21:59:34 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k86LxYxx041004; Wed, 6 Sep 2006 21:59:34 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Sep 2006 21:59:34 GMT Message-Id: <200609062159.k86LxYxx041004@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:19.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 21:59:35 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:19.openssl Security Advisory The FreeBSD Project Topic: Incorrect PKCS#1 v1.5 padding validation in crypto(3) Category: contrib Module: openssl Announced: 2006-09-06 Affects: All FreeBSD releases. Corrected: 2006-09-06 21:18:26 UTC (RELENG_6, 6.1-STABLE) 2006-09-06 21:19:21 UTC (RELENG_6_1, 6.1-RELEASE-p6) 2006-09-06 21:20:08 UTC (RELENG_6_0, 6.0-RELEASE-p11) 2006-09-06 21:20:54 UTC (RELENG_5, 5.5-STABLE) 2006-09-06 21:21:50 UTC (RELENG_5_5, 5.5-RELEASE-p4) 2006-09-06 21:22:39 UTC (RELENG_5_4, 5.4-RELEASE-p18) 2006-09-06 21:23:16 UTC (RELENG_5_3, 5.3-RELEASE-p33) 2006-09-06 21:24:04 UTC (RELENG_4, 4.11-STABLE) 2006-09-06 21:24:54 UTC (RELENG_4_11, 4.11-RELEASE-p21) CVE Name: CVE-2006-4339 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured, and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. PKCS#1 v1.5 is a standard for "padding" data before performing a cryptographic operation using the RSA algorithm. PKCS#1 v1.5 signatures are for example used in X.509 certificates. RSA public keys may use a variety of public exponents, of which 3, 17, and 65537 are most common. As a result of a number of known attacks, most keys generated recently use a public exponent of at least 65537. II. Problem Description When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which follow the cryptographic hash being signed. In a valid signature there will be no such bytes. III. Impact OpenSSL will incorrectly report some invalid signatures as valid. When an RSA public exponent of 3 is used, or more generally when a small public exponent is used with a relatively large modulus (e.g., a public exponent of 17 with a 4096-bit modulus), an attacker can construct a signature which OpenSSL will accept as a valid PKCS#1 v1.5 signature. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, or RELENG_4_11 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.11, 5.3, 5.4, 5.5, 6.0, and 6.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:19/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-06:19/openssl.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile the operating system as described in and reboot the system. NOTE: Any third-party applications, including those installed from the FreeBSD ports collection, which are statically linked to libcrypto(3) should be recompiled in order to use the corrected code. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.1.2.6 RELENG_4_11 src/UPDATING 1.73.2.91.2.22 src/sys/conf/newvers.sh 1.44.2.39.2.25 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.1.2.5.6.1 RELENG_5 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.4.1 RELENG_5_5 src/UPDATING 1.342.2.35.2.4 src/sys/conf/newvers.sh 1.62.2.21.2.6 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.16.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.27 src/sys/conf/newvers.sh 1.62.2.18.2.23 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.8.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.36 src/sys/conf/newvers.sh 1.62.2.15.2.38 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.6.1 RELENG_6 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.10.1 RELENG_6_1 src/UPDATING 1.416.2.22.2.8 src/sys/conf/newvers.sh 1.69.2.11.2.8 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.14.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.16 src/sys/conf/newvers.sh 1.69.2.8.2.12 src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.12.1 - ------------------------------------------------------------------------- VII. References http://www.openssl.org/news/secadv_20060905.txt http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:19.openssl.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFE/0FzFdaIBMps37IRApq5AJ9LYe7MpHgG+fGWs9zNaFWrTd5mFQCgj5k8 0lBDO5lDb8jCB5vrjvfhyGY= =ihRT -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 21:59:50 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 7E6A916A513; Wed, 6 Sep 2006 21:59:50 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id CE08843D53; Wed, 6 Sep 2006 21:59:44 +0000 (GMT) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (simon@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id k86LxisO041048; Wed, 6 Sep 2006 21:59:44 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id k86LxiiM041046; Wed, 6 Sep 2006 21:59:44 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Sep 2006 21:59:44 GMT Message-Id: <200609062159.k86LxiiM041046@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: FreeBSD Security Advisory FreeBSD-SA-06:20.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 21:59:50 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:20.bind Security Advisory The FreeBSD Project Topic: Denial of Service in named(8) Category: contrib Module: bind Announced: 2006-09-06 Credits: The Measurement Factory Affects: FreeBSD 5.3 and later. Corrected: 2006-09-06 21:18:26 UTC (RELENG_6, 6.1-STABLE) 2006-09-06 21:19:21 UTC (RELENG_6_1, 6.1-RELEASE-p6) 2006-09-06 21:20:08 UTC (RELENG_6_0, 6.0-RELEASE-p11) 2006-09-06 21:20:54 UTC (RELENG_5, 5.5-STABLE) 2006-09-06 21:21:50 UTC (RELENG_5_5, 5.5-RELEASE-p4) 2006-09-06 21:22:39 UTC (RELENG_5_4, 5.4-RELEASE-p18) 2006-09-06 21:23:16 UTC (RELENG_5_3, 5.3-RELEASE-p33) CVE Name: CVE-2006-4095, CVE-2006-4096 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet domain name server. DNS Security Extensions (DNSSEC) are additional protocol options that add authentication and integrity to the DNS protocols. II. Problem Description For a recursive DNS server, a remote attacker sending enough recursive queries for the replies to arrive after all the interested clients have left the recursion queue will trigger an INSIST failure in the named(8) daemon. Also for a a recursive DNS server, an assertion failure can occour when processing a query whose reply will contain more than one SIG(covered) RRset. For an authoritative DNS server serving a RFC 2535 DNSSEC zone which is queried for the SIG records where there are multiple SIG(covered) RRsets (e.g. a zone apex), named(8) will trigger an assertion failure when it tries to construct the response. III. Impact An attacker who can perform recursive lookups on a DNS server and is able to send a sufficiently large number of recursive queries, or is able to get the DNS server to return more than one SIG(covered) RRsets can stop the functionality of the DNS service. An attacker querying an authoritative DNS server serving a RFC 2535 DNSSEC zone may be able to crash the DNS server. All of the above issues will result in a Denial of Service situation. IV. Workaround A possible workaround is to only allow trusted clients to perform recursive queries. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.3, 5.4, 5.5, 6.0, and 6.1 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-06:20/bind.patch # fetch http://security.FreeBSD.org/patches/SA-06:20/bind.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/bind # make obj && make depend && make && make install # cd /usr/src/usr.sbin/named # make obj && make depend && make && make install c) Restart the named application: # /etc/rc.d/named restart VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/contrib/bind9/bin/named/query.c 1.1.1.1.2.3 src/contrib/bind9/lib/dns/resolver.c 1.1.1.1.2.5 RELENG_5_5 src/UPDATING 1.342.2.35.2.4 src/sys/conf/newvers.sh 1.62.2.21.2.6 src/contrib/bind9/bin/named/query.c 1.1.1.1.2.2.2.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.1.2.4.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.27 src/sys/conf/newvers.sh 1.62.2.18.2.23 src/contrib/bind9/bin/named/query.c 1.1.1.1.2.1.4.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.1.2.2.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.36 src/sys/conf/newvers.sh 1.62.2.15.2.38 src/contrib/bind9/bin/named/query.c 1.1.1.1.2.1.2.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.1.2.1.2.1 RELENG_6 src/contrib/bind9/bin/named/query.c 1.1.1.1.4.2 src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.3 RELENG_6_1 src/UPDATING 1.416.2.22.2.8 src/sys/conf/newvers.sh 1.69.2.11.2.8 src/contrib/bind9/bin/named/query.c 1.1.1.1.4.1.2.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.2.2.1 RELENG_6_0 src/UPDATING 1.416.2.3.2.16 src/sys/conf/newvers.sh 1.69.2.8.2.12 src/contrib/bind9/bin/named/query.c 1.1.1.1.6.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.1.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4096 http://www.kb.cert.org/vuls/id/697164 http://www.kb.cert.org/vuls/id/915404 http://www.niscc.gov.uk/niscc/docs/re-20060905-00590.pdf?lang=en The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-06:20.bind.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFE/0NLFdaIBMps37IRApD/AKCczWj2UJ64iVlXWSLaN1BNA52nnQCgkvJY XIxfELRi5H7taKVtMJFK2tU= =4n+j -----END PGP SIGNATURE----- From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 22:26:05 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 0BF0E16A4E6 for ; Wed, 6 Sep 2006 22:26:05 +0000 (UTC) (envelope-from SecurityAdmin@hush.com) Received: from smtp2.hushmail.com (smtp2.hushmail.com [65.39.178.134]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7604143DB3 for ; Wed, 6 Sep 2006 22:22:49 +0000 (GMT) (envelope-from SecurityAdmin@hush.com) Received: from smtp2.hushmail.com (localhost [127.0.0.1]) by smtp2.hushmail.com (Postfix) with SMTP id 37A6617044 for ; Wed, 6 Sep 2006 15:22:48 -0700 (PDT) Date: Wed, 6 Sep 2006 15:22:36 -0700 From: Network Security X-Mailer: The Bat! (v3.80.06) Professional X-Priority: 3 (Normal) Message-ID: <1262165672.20060906152236@hush.com> To: Barkley Vowk , freebsd-security@freebsd.org In-Reply-To: <20060906151041.N37483@3jane.math.ualberta.ca> References: <20060906210021.C2428B82C@shodan.nognu.de> <20060906151041.N37483@3jane.math.ualberta.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: Subject: Re[2]: GELI - FreeBSD Full Disk Encryption X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Network Security List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 22:26:05 -0000 GELI even properly installed has some security problems, so I've linked to a FreeBSD Full Disk Encryption Howto video.. Maybe it will save somebody from loosing their entire file system. It's about an hour long and covers GELI and GBDE and can be viewed (Courtesy of Google Video) here: http://www.zuit.net/freebsd-disk-encryption-video.html -Brian Brian J. Brandon Network Security Consultant Los Angeles, California SecurityAdmin@Hush.com Tel. No. 866.395.1039 Wednesday, September 6, 2006, 2:28:20 PM, you wrote: You are a complete madman. You want to protect your data with a key stored on the most completely and utterly unreliable form of data storage still lamentably in use? Its not the 1970's anymore, get a real data storage medium! Get a usb flash drive, from there its a simple matter of changing the geli script to mount a specific usb device before starting. Look in /etc/rc.d/geli and geli2. I'd put your mounting and checks between the kldstat and the "if [ -z" in the geli_start() sub. You'll want to then use "geli -K" to input your key material, so you'll want to make sure your device is present, and that it has the expected key filename on it. You could also use dd and dump the first n sectors to stdout and pipe that into your geli command. Seems like quite a waste if you don't intend to use a passphrase. On Wed, 6 Sep 2006, Frank Steinborn wrote: > Hello, > > i want to encrypt my HDD's with GELI (not the root-fs, though). I want > to do the encryption without password, just with a key. The key should > be stored in a floppy disk, and the read should be read automatically > on boot, from the floppy. > > There is a problem here, because GELI initializes _before_ mounting > the disks from /etc/fstab (for obvious reasons, of course). So GELI is > not able to get the keys from the floppy and fails. > > So, any hints how I could get the floppy mounted _before_ GELI tries > to initialize? > > Thanks in advance, > Frank > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" > _______________________________________________ freebsd-security@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 22:44:37 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3F38516A4E5 for ; Wed, 6 Sep 2006 22:44:37 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd2mo2so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id AD1AB43D5D for ; Wed, 6 Sep 2006 22:44:36 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd3mr8so.prod.shaw.ca (pd3mr8so-qfe3.prod.shaw.ca [10.0.141.24]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J57006D40ICDZ70@l-daemon> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 16:44:36 -0600 (MDT) Received: from pn2ml9so.prod.shaw.ca ([10.0.121.7]) by pd3mr8so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J5700C070ICFYJ0@pd3mr8so.prod.shaw.ca> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 16:44:36 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J57006530IBOZ70@l-daemon> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 16:44:36 -0600 (MDT) Received: (qmail 86976 invoked from network); Wed, 06 Sep 2006 22:44:32 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Wed, 06 Sep 2006 22:44:32 +0000 Date: Wed, 06 Sep 2006 15:44:31 -0700 From: Colin Percival In-reply-to: <200609062159.k86LxYxx041004@freefall.freebsd.org> To: freebsd-security@freebsd.org Message-id: <44FF4F4F.5010700@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <200609062159.k86LxYxx041004@freefall.freebsd.org> User-Agent: Thunderbird 1.5 (X11/20060416) Subject: FreeBSD Update [was: Re: FreeBSD Security Advisory FreeBSD-SA-06:19.openssl] X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 22:44:37 -0000 Just a quick heads up: The FreeBSD Update builds for these latest two advisories haven't finished yet -- the OpenSSL issue in particular took us (and everybody else) by surprise. Depending upon the version of FreeBSD you're running, the binary updates will become available at various times later today. Colin Percival FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-06:19.openssl Security Advisory > The FreeBSD Project FreeBSD Security Advisories wrote: > ============================================================================= > FreeBSD-SA-06:20.bind Security Advisory > The FreeBSD Project From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 23:06:49 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E840316A4DA for ; Wed, 6 Sep 2006 23:06:49 +0000 (UTC) (envelope-from eol1@yahoo.com) Received: from web51909.mail.yahoo.com (web51909.mail.yahoo.com [206.190.48.72]) by mx1.FreeBSD.org (Postfix) with SMTP id 2771C43D76 for ; Wed, 6 Sep 2006 23:06:43 +0000 (GMT) (envelope-from eol1@yahoo.com) Received: (qmail 39759 invoked by uid 60001); 6 Sep 2006 23:06:42 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Reply-To:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=zSh1AQwIduVKXJgj5TYmdz4ERfcvP93O70uU/1cxtXCwaeVrtPiVcW+hZF0ghkJTsXcxhtz7856wM2+AJwTLVtyiaW2QTfwyAaJL/DJFSO11GdDApWa5hfHHnl2AMZNtn02kyF3CC7X/JRYoPdf3Mr4VprAMhB0oXQ1S6yK9kZY= ; Message-ID: <20060906230642.39757.qmail@web51909.mail.yahoo.com> Received: from [68.74.171.155] by web51909.mail.yahoo.com via HTTP; Wed, 06 Sep 2006 16:06:42 PDT Date: Wed, 6 Sep 2006 16:06:42 -0700 (PDT) From: Peter Thoenen To: freebsd-security@freebsd.org In-Reply-To: <200609062159.k86LxiiM041046@freefall.freebsd.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:20.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: eol1@yahoo.com List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 23:06:50 -0000 Just to verify as not mentioned in the security advisory, if you are using both the BIND and OPENSSL ports with the REPLACE_BASE directive, these don't apply correct? -Peter From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 23:10:58 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DFB9A16A4DD for ; Wed, 6 Sep 2006 23:10:58 +0000 (UTC) (envelope-from kris@obsecurity.org) Received: from elvis.mu.org (elvis.mu.org [192.203.228.196]) by mx1.FreeBSD.org (Postfix) with ESMTP id E586E43D81 for ; Wed, 6 Sep 2006 23:10:55 +0000 (GMT) (envelope-from kris@obsecurity.org) Received: from obsecurity.dyndns.org (elvis.mu.org [192.203.228.196]) by elvis.mu.org (Postfix) with ESMTP id 6A6871A3C1E; Wed, 6 Sep 2006 16:10:55 -0700 (PDT) Received: by obsecurity.dyndns.org (Postfix, from userid 1000) id 312C751569; Wed, 6 Sep 2006 19:10:52 -0400 (EDT) Date: Wed, 6 Sep 2006 19:10:51 -0400 From: Kris Kennaway To: Peter Thoenen Message-ID: <20060906231051.GA31247@xor.obsecurity.org> References: <200609062159.k86LxiiM041046@freefall.freebsd.org> <20060906230642.39757.qmail@web51909.mail.yahoo.com> Mime-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="5vNYLRcllDrimb99" Content-Disposition: inline In-Reply-To: <20060906230642.39757.qmail@web51909.mail.yahoo.com> User-Agent: Mutt/1.4.2.2i Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:20.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 23:10:59 -0000 --5vNYLRcllDrimb99 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On Wed, Sep 06, 2006 at 04:06:42PM -0700, Peter Thoenen wrote: > Just to verify as not mentioned in the security advisory, if you are > using both the BIND and OPENSSL ports with the REPLACE_BASE directive, > these don't apply correct? The same bugs exist, of course...the fix is to update the port (making sure that it has already been fixed). Kris --5vNYLRcllDrimb99 Content-Type: application/pgp-signature Content-Disposition: inline -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (FreeBSD) iD8DBQFE/1V7Wry0BWjoQKURAqETAKDxkVXLNFKDCQPPTQIM3Jh7AiOhdgCfXFIr hLzTCmyZ5CHsyAL0kxQlpOk= =LdBk -----END PGP SIGNATURE----- --5vNYLRcllDrimb99-- From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 23:32:52 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 24B1B16A4DA for ; Wed, 6 Sep 2006 23:32:52 +0000 (UTC) (envelope-from skk@ht.sfc.keio.ac.jp) Received: from aries.mkg.sfc.keio.ac.jp (aries.mkg.sfc.keio.ac.jp [133.27.187.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id 885DE43D45 for ; Wed, 6 Sep 2006 23:32:50 +0000 (GMT) (envelope-from skk@ht.sfc.keio.ac.jp) Received: from aries.mkg.sfc.keio.ac.jp.locahost (localhost [127.0.0.1]) by aries.mkg.sfc.keio.ac.jp (8.13.4/8.13.4) with ESMTP id k86NWn7r073968 for ; Thu, 7 Sep 2006 08:32:49 +0900 (JST) (envelope-from skk@ht.sfc.keio.ac.jp) Date: Thu, 07 Sep 2006 08:32:49 +0900 Message-ID: From: Hiroshi SAKAKIBARA To: freebsd-security@freebsd.org In-Reply-To: <200609062159.k86LxYRY040995@freefall.freebsd.org> References: <200609062159.k86LxYRY040995@freefall.freebsd.org> User-Agent: Wanderlust/2.14.0 (Africa) SEMI/1.14.6 (Maruoka) FLIM/1.14.7 (=?ISO-8859-4?Q?Sanj=F2?=) APEL/10.6 Emacs/21.3 (i386--freebsd) MULE/5.0 (SAKAKI) MIME-Version: 1.0 (generated by SEMI 1.14.6 - "Maruoka") Content-Type: text/plain; charset=ISO-2022-JP Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:19.openssl X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 23:32:52 -0000 skk です. うーん,どんな問題が起きるのか,いまいちピンと来ないので,重要度がわか らないですが,こんなのが出てます. 調べてませんが,多分,他の OS でも同様の問題があるのではないでしょうか. time: Wed, 6 Sep 2006 21:59:34 GMT subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-06:19.openssl message-id: <200609062159.k86LxYRY040995@freefall.freebsd.org> FreeBSD Security Advisories wrote as follows > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > ============================================================================= > FreeBSD-SA-06:19.openssl Security Advisory > The FreeBSD Project > Topic: Incorrect PKCS#1 v1.5 padding validation in crypto(3) > Category: contrib > Module: openssl > Announced: 2006-09-06 > Affects: All FreeBSD releases. > Corrected: 2006-09-06 21:18:26 UTC (RELENG_6, 6.1-STABLE) > 2006-09-06 21:19:21 UTC (RELENG_6_1, 6.1-RELEASE-p6) > 2006-09-06 21:20:08 UTC (RELENG_6_0, 6.0-RELEASE-p11) > 2006-09-06 21:20:54 UTC (RELENG_5, 5.5-STABLE) > 2006-09-06 21:21:50 UTC (RELENG_5_5, 5.5-RELEASE-p4) > 2006-09-06 21:22:39 UTC (RELENG_5_4, 5.4-RELEASE-p18) > 2006-09-06 21:23:16 UTC (RELENG_5_3, 5.3-RELEASE-p33) > 2006-09-06 21:24:04 UTC (RELENG_4, 4.11-STABLE) > 2006-09-06 21:24:54 UTC (RELENG_4_11, 4.11-RELEASE-p21) > CVE Name: CVE-2006-4339 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit > . > I. Background > FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is > a collaborative effort to develop a robust, commercial-grade, full-featured, > and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) > and Transport Layer Security (TLS v1) protocols as well as a full-strength > general purpose cryptography library. > PKCS#1 v1.5 is a standard for "padding" data before performing a > cryptographic operation using the RSA algorithm. PKCS#1 v1.5 signatures > are for example used in X.509 certificates. > RSA public keys may use a variety of public exponents, of which 3, 17, and > 65537 are most common. As a result of a number of known attacks, most keys > generated recently use a public exponent of at least 65537. > II. Problem Description > When verifying a PKCS#1 v1.5 signature, OpenSSL ignores any bytes which > follow the cryptographic hash being signed. In a valid signature there > will be no such bytes. > III. Impact > OpenSSL will incorrectly report some invalid signatures as valid. When > an RSA public exponent of 3 is used, or more generally when a small public > exponent is used with a relatively large modulus (e.g., a public exponent > of 17 with a 4096-bit modulus), an attacker can construct a signature which > OpenSSL will accept as a valid PKCS#1 v1.5 signature. > IV. Workaround > No workaround is available. > V. Solution > Perform one of the following: > 1) Upgrade your vulnerable system to 4-STABLE, 5-STABLE, or 6-STABLE, > or to the RELENG_6_1, RELENG_6_0, RELENG_5_5, RELENG_5_4, RELENG_5_3, > or RELENG_4_11 security branch dated after the correction date. > 2) To patch your present system: > The following patches have been verified to apply to FreeBSD 4.11, 5.3, > 5.4, 5.5, 6.0, and 6.1 systems. > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. > # fetch http://security.FreeBSD.org/patches/SA-06:19/openssl.patch > # fetch http://security.FreeBSD.org/patches/SA-06:19/openssl.patch.asc > b) Execute the following commands as root: > # cd /usr/src > # patch < /path/to/patch > c) Recompile the operating system as described in > and reboot the > system. > NOTE: Any third-party applications, including those installed from the > FreeBSD ports collection, which are statically linked to libcrypto(3) > should be recompiled in order to use the corrected code. > VI. Correction details > The following list contains the revision numbers of each file that was > corrected in FreeBSD. > Branch Revision > Path > - ------------------------------------------------------------------------- > RELENG_4 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.1.2.6 > RELENG_4_11 > src/UPDATING 1.73.2.91.2.22 > src/sys/conf/newvers.sh 1.44.2.39.2.25 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.1.2.5.6.1 > RELENG_5 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.4.1 > RELENG_5_5 > src/UPDATING 1.342.2.35.2.4 > src/sys/conf/newvers.sh 1.62.2.21.2.6 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.16.1 > RELENG_5_4 > src/UPDATING 1.342.2.24.2.27 > src/sys/conf/newvers.sh 1.62.2.18.2.23 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.8.1 > RELENG_5_3 > src/UPDATING 1.342.2.13.2.36 > src/sys/conf/newvers.sh 1.62.2.15.2.38 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.6.1 > RELENG_6 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.10.1 > RELENG_6_1 > src/UPDATING 1.416.2.22.2.8 > src/sys/conf/newvers.sh 1.69.2.11.2.8 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.14.1 > RELENG_6_0 > src/UPDATING 1.416.2.3.2.16 > src/sys/conf/newvers.sh 1.69.2.8.2.12 > src/crypto/openssl/crypto/rsa/rsa_sign.c 1.1.1.6.12.1 > - ------------------------------------------------------------------------- > VII. References > http://www.openssl.org/news/secadv_20060905.txt > http://www.imc.org/ietf-openpgp/mail-archive/msg14307.html > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339 > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-06:19.openssl.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.5 (FreeBSD) > iD8DBQFE/0FzFdaIBMps37IRApq5AJ9LYe7MpHgG+fGWs9zNaFWrTd5mFQCgj5k8 > 0lBDO5lDb8jCB5vrjvfhyGY= > =ihRT > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 23:48:23 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 675E316A4DE for ; Wed, 6 Sep 2006 23:48:23 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd3mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id 0468743D49 for ; Wed, 6 Sep 2006 23:48:22 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd4mr2so.prod.shaw.ca (pd4mr2so-qfe3.prod.shaw.ca [10.0.141.213]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J570078K3FNB770@l-daemon> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 17:47:47 -0600 (MDT) Received: from pn2ml10so.prod.shaw.ca ([10.0.121.80]) by pd4mr2so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J5700KHN3FNKD50@pd4mr2so.prod.shaw.ca> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 17:47:47 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J57003MV3FNH7X0@l-daemon> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 17:47:47 -0600 (MDT) Received: (qmail 87122 invoked from network); Wed, 06 Sep 2006 23:47:44 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Wed, 06 Sep 2006 23:47:44 +0000 Date: Wed, 06 Sep 2006 16:47:43 -0700 From: Colin Percival In-reply-to: <20060906230642.39757.qmail@web51909.mail.yahoo.com> To: eol1@yahoo.com Message-id: <44FF5E1F.2080607@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <20060906230642.39757.qmail@web51909.mail.yahoo.com> User-Agent: Thunderbird 1.5 (X11/20060416) Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:20.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 23:48:23 -0000 Peter Thoenen wrote: > Just to verify as not mentioned in the security advisory, if you are > using both the BIND and OPENSSL ports with the REPLACE_BASE directive, > these don't apply correct? I don't know enough of what the ports do to be certain about the answer to that question, but here are the files in the FreeBSD 6.x base system which are affected by these security advisories: /lib/libcrypto.so.4 /usr/bin/dig /usr/bin/host /usr/bin/nslookup /usr/bin/nsupdate /usr/bin/openssl /usr/lib/libcrypto.a /usr/lib/libssl.so.4 /usr/sbin/dnssec-keygen /usr/sbin/dnssec-signzone /usr/sbin/lwresd /usr/sbin/named-checkconf /usr/sbin/named-checkzone /usr/sbin/named /usr/sbin/rndc-confgen /usr/lib/libcrypto_p.a If the ports replace all of those files, you should be safe (at least on FreeBSD 6.x -- I can give you a list of files modified on FreeBSD 5.x and 4.11 once those FreeBSD Update builds finish). Colin Percival From owner-freebsd-security@FreeBSD.ORG Wed Sep 6 23:54:29 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id C75D216A4ED for ; Wed, 6 Sep 2006 23:54:29 +0000 (UTC) (envelope-from cperciva@freebsd.org) Received: from pd5mo3so.prod.shaw.ca (shawidc-mo1.cg.shawcable.net [24.71.223.10]) by mx1.FreeBSD.org (Postfix) with ESMTP id D83B743D46 for ; Wed, 6 Sep 2006 23:54:25 +0000 (GMT) (envelope-from cperciva@freebsd.org) Received: from pd3mr1so.prod.shaw.ca (pd3mr1so-qfe3.prod.shaw.ca [10.0.141.177]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J5700DNW3NUHFC0@l-daemon> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 17:52:42 -0600 (MDT) Received: from pn2ml10so.prod.shaw.ca ([10.0.121.80]) by pd3mr1so.prod.shaw.ca (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with ESMTP id <0J5700DYJ3NUX330@pd3mr1so.prod.shaw.ca> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 17:52:42 -0600 (MDT) Received: from hexahedron.daemonology.net ([24.82.18.31]) by l-daemon (Sun ONE Messaging Server 6.0 HotFix 1.01 (built Mar 15 2004)) with SMTP id <0J57003TC3NTH7X0@l-daemon> for freebsd-security@freebsd.org; Wed, 06 Sep 2006 17:52:42 -0600 (MDT) Received: (qmail 87136 invoked from network); Wed, 06 Sep 2006 23:52:38 +0000 Received: from unknown (HELO ?127.0.0.1?) (127.0.0.1) by localhost with SMTP; Wed, 06 Sep 2006 23:52:38 +0000 Date: Wed, 06 Sep 2006 16:52:37 -0700 From: Colin Percival In-reply-to: <44FF5E1F.2080607@freebsd.org> To: Colin Percival , eol1@yahoo.com Message-id: <44FF5F45.5020901@freebsd.org> MIME-version: 1.0 Content-type: text/plain; charset=ISO-8859-1 Content-transfer-encoding: 7bit X-Enigmail-Version: 0.94.0.0 References: <20060906230642.39757.qmail@web51909.mail.yahoo.com> <44FF5E1F.2080607@freebsd.org> User-Agent: Thunderbird 1.5 (X11/20060416) Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:20.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Sep 2006 23:54:29 -0000 I wrote: > I don't know enough of what the ports do to be certain about the answer > to that question, but here are the files in the FreeBSD 6.x base system > which are affected by these security advisories: > ... > If the ports replace all of those files, you should be safe (at least > on FreeBSD 6.x -- I can give you a list of files modified on FreeBSD > 5.x and 4.11 once those FreeBSD Update builds finish). Err, and by "you should be safe" I mean "if you've installed an updated copy of the two ports you should be safe". Obviously the ports had the same security problems as the base system code. Colin Percival From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 02:05:20 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9DF1816A4DF for ; Thu, 7 Sep 2006 02:05:20 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.176]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1289143D4C for ; Thu, 7 Sep 2006 02:05:19 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id o67so70842pye for ; Wed, 06 Sep 2006 19:05:19 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:mime-version:content-type:content-transfer-encoding:content-disposition; b=VHa2kkJZjKzgfPFwTxhrQVXqIN8WAbN7Mz43A2wMgwabl2hBAs6wjIlKEMQzGYcz4TldS2CIwzbKSXDNaH9hcaj3Aszn+ZterCF017dD+BHctoClAOXCq/q02wzOrzMrs+400uSUnoiXbch1kAZVLgwgsOHG/MNzTs/MGt98CCo= Received: by 10.35.39.2 with SMTP id r2mr271087pyj; Wed, 06 Sep 2006 19:05:19 -0700 (PDT) Received: by 10.35.34.3 with HTTP; Wed, 6 Sep 2006 19:05:19 -0700 (PDT) Message-ID: Date: Wed, 6 Sep 2006 21:05:19 -0500 From: "Travis H." To: freebsd-security@freebsd.org MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Mailman-Approved-At: Thu, 07 Sep 2006 02:46:36 +0000 Subject: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 02:05:20 -0000 ``You do not want to overbuild your security or you will interfere with the detection side, and detection is one of the single most important aspects of any security mechanism. For example, it makes little sense to set the schg flag (see chflags(1)) on every system binary because while this may temporarily protect the binaries, it prevents an attacker who has broken in from making an easily detectable change that may result in your security mechanisms not detecting the attacker at all.'' Wouldn't it be better to detect /and/ prevent an attempt to change the system binaries? It seems to me that advising people to focus on detection rather than prevention is wrong-headed. What are you going to do after you detect the attacker? If it's not "prevent him from doing anything", then I question the intelligence of this approach. Root-level compromises don't always get detected immediately, don't always get caught, and once they're in, the playing field is level, and they are very time-consuming to investigate and clean. For example, I know someone with a rootkit that he can install to flash on an add-in card for a device that has DMA access to main memory. For this reason, I usually recommend on prevention as a first priority, and detection as a second priority. For example, Markus Ranum said he once recompiled ls to reboot if it is run by root. Another trick involves recompiling /bin/sh to check to see if it has a tty (shells spawned by network daemons will generally not). Perhaps there is some way to locate any part of the kernel that performs access control and optionally klog the details, so that any actions which are denied also automatically detect possible intrusions? Hmm, I should mention this to elad efrat, who is doing kauth work on NetBSD... -- "If you're not part of the solution, you're part of the precipitate." Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/ GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 04:28:00 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DA13E16A4E0 for ; Thu, 7 Sep 2006 04:28:00 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.177]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2416643D53 for ; Thu, 7 Sep 2006 04:28:00 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id o67so119047pye for ; Wed, 06 Sep 2006 21:27:59 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=RSdF6jQODheCDddhMQDUqW69bdAh3AYO3kFo4rYdkK3qTmtTE8+Nt834U/5NNOGSGC7C9jZfPiMefepCOkBwWq1nQ7eMoF7KQXU4FWMtE18u6EvmeXUJVDecWU3tSDYDj+rIrcLWb4lMgxkQaN7Xd82NNbhsLiXj13btBt8qu8c= Received: by 10.35.78.1 with SMTP id f1mr494985pyl; Wed, 06 Sep 2006 21:27:59 -0700 (PDT) Received: by 10.35.34.3 with HTTP; Wed, 6 Sep 2006 21:27:59 -0700 (PDT) Message-ID: Date: Wed, 6 Sep 2006 23:27:59 -0500 From: "Travis H." To: freebsd-security@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: X-Mailman-Approved-At: Thu, 07 Sep 2006 04:41:22 +0000 Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 04:28:00 -0000 On 9/6/06, Travis H. wrote: > It seems to me that advising people to focus on detection rather > than prevention is wrong-headed. What are you going to do after you detect > the attacker? And, if your answer is "prevent further intrusions by doing foo", allow me to point out that if you had taken that preventative foo step up front, you wouldn't ever have had to think about it. Now, if you're administering a LAN full of Windows hosts, I think that detection may be your only workable option, or maybe the cheaper option. There is a similar debate on monitoring outside vs. inside the firewall. I'd prefer to do both, but if you have to choose one, I'd do inside, because I don't care how long people beat in futility on the outside. Since knowing wouldn't change how I behave, there's no point in spending effort or time to monitor it. Coincidentally I also thought of the NFS-exported file system checked by a remote system. I always thought you could set a trap by placing a file whose purpose was to pique the intruder's interest enough for him to try reading it. You could monitor the inode times via NFS and trigger an alert if it changes. Another thing one could do is build a Live! CD that you boot periodically to check the system for signs of an intrusion. All the tools would basically be unknown to an intruder. Persistent state could be stored on a flash drive or other removable storage. That may well be the only way to be sure that the detection tools are not compromised, or that the intruder is clever enough to trick any remote monitoring. -- "If you're not part of the solution, you're part of the precipitate." Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/ GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 11:21:42 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 44E6016A4DA for ; Thu, 7 Sep 2006 11:21:42 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id C53DD43D45 for ; Thu, 7 Sep 2006 11:21:41 +0000 (GMT) (envelope-from des@des.no) Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 3C2452094; Thu, 7 Sep 2006 13:21:38 +0200 (CEST) X-Spam-Tests: AWL X-Spam-Learn: disabled X-Spam-Score: 0.0/3.0 X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on tim.des.no Received: from dwp.des.no (des.no [80.203.243.180]) by tim.des.no (Postfix) with ESMTP id 2E6742083; Thu, 7 Sep 2006 13:21:38 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 1001) id 10A6CB80E; Thu, 7 Sep 2006 13:21:38 +0200 (CEST) From: des@des.no (Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?=) To: "Travis H." References: Date: Thu, 07 Sep 2006 13:21:37 +0200 In-Reply-To: (Travis H.'s message of "Wed, 6 Sep 2006 21:05:19 -0500") Message-ID: <86ejun53cu.fsf@dwp.des.no> User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 11:21:42 -0000 "Travis H." writes: > ``You do not want to overbuild your security or you will interfere > with the detection side, and detection is one of the single most > important aspects of any security mechanism. For example, it makes > little sense to set the schg flag (see chflags(1)) on every system > binary because while this may temporarily protect the binaries, it > prevents an attacker who has broken in from making an easily > detectable change that may result in your security mechanisms not > detecting the attacker at all.'' Uh? Since when do we have crap like that in the handbook? It should be removed with extreme prejudice. DES --=20 Dag-Erling Sm=F8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 07:21:32 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id ADA1D16A503; Thu, 7 Sep 2006 07:21:32 +0000 (UTC) (envelope-from nvass@teledomenet.gr) Received: from matrix.teledomenet.gr (dns1.teledomenet.gr [213.142.128.1]) by mx1.FreeBSD.org (Postfix) with ESMTP id 2C96343D5C; Thu, 7 Sep 2006 07:21:29 +0000 (GMT) (envelope-from nvass@teledomenet.gr) Received: from iris ([192.168.1.71]) by matrix.teledomenet.gr (8.12.10/8.12.10) with ESMTP id k877LREY025029; Thu, 7 Sep 2006 10:21:27 +0300 From: Nikos Vassiliadis To: freebsd-questions@freebsd.org Date: Thu, 7 Sep 2006 10:19:46 +0300 User-Agent: KMail/1.9.1 References: <20060906210021.C2428B82C@shodan.nognu.de> In-Reply-To: <20060906210021.C2428B82C@shodan.nognu.de> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit Content-Disposition: inline Message-Id: <200609071019.46529.nvass@teledomenet.gr> X-Mailman-Approved-At: Thu, 07 Sep 2006 12:08:50 +0000 Cc: freebsd-security@freebsd.org, Frank Steinborn Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 07:21:32 -0000 On Thursday 07 September 2006 00:00, Frank Steinborn wrote: > Hello, > > i want to encrypt my HDD's with GELI (not the root-fs, though). I want > to do the encryption without password, just with a key. The key should > be stored in a floppy disk, and the read should be read automatically > on boot, from the floppy. Are you sure you want to trust a floppy disk for your keys?? It's not the most safe medium these days... > > There is a problem here, because GELI initializes _before_ mounting > the disks from /etc/fstab (for obvious reasons, of course). So GELI is > not able to get the keys from the floppy and fails. > > So, any hints how I could get the floppy mounted _before_ GELI tries > to initialize? Why don't you use the plain device(/dev/fd0) instead of using a file on a filesystem on the floppy? I think there are examples in the manual page. Anyway, I find this a very very bad idea. If the floppy break in some way you're gonna be in big trouble... From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 11:40:22 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9312716A4DD for ; Thu, 7 Sep 2006 11:40:22 +0000 (UTC) (envelope-from trhodes@FreeBSD.org) Received: from pittgoth.com (ns1.pittgoth.com [216.38.206.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id EB6FA43D49 for ; Thu, 7 Sep 2006 11:40:21 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (net-ix.gw.ai.net [205.134.160.6] (may be forged)) (authenticated bits=0) by pittgoth.com (8.13.6/8.13.6) with ESMTP id k87BeFwv016577 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 7 Sep 2006 07:40:15 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Thu, 7 Sep 2006 07:40:07 -0400 From: Tom Rhodes To: des@des.no (Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?=) Message-Id: <20060907074007.5bc2c91e.trhodes@FreeBSD.org> In-Reply-To: <86ejun53cu.fsf@dwp.des.no> References: <86ejun53cu.fsf@dwp.des.no> Organization: The FreeBSD Project X-Mailer: Sylpheed version 1.0.6 (GTK+ 1.2.10; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Thu, 07 Sep 2006 12:09:04 +0000 Cc: freebsd-security@FreeBSD.org, solinym@gmail.com Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 11:40:22 -0000 On Thu, 07 Sep 2006 13:21:37 +0200 des@des.no (Dag-Erling Sm=F8rgrav) wrote: > "Travis H." writes: > > ``You do not want to overbuild your security or you will interfere > > with the detection side, and detection is one of the single most > > important aspects of any security mechanism. For example, it makes > > little sense to set the schg flag (see chflags(1)) on every system > > binary because while this may temporarily protect the binaries, it > > prevents an attacker who has broken in from making an easily > > detectable change that may result in your security mechanisms not > > detecting the attacker at all.'' >=20 > Uh? Since when do we have crap like that in the handbook? It should > be removed with extreme prejudice. >=20 Grepping three of these lines, I cannot find it. Tell me Travis, what URL did you read this from? --=20 Tom Rhodes From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 12:31:09 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5621716A52D; Thu, 7 Sep 2006 12:31:09 +0000 (UTC) (envelope-from steinex@nognu.de) Received: from shodan.nognu.de (shodan.nognu.de [85.14.216.230]) by mx1.FreeBSD.org (Postfix) with ESMTP id D4FBA43E1B; Thu, 7 Sep 2006 12:29:20 +0000 (GMT) (envelope-from steinex@nognu.de) Received: by shodan.nognu.de (Postfix, from userid 1002) id 6205EB82C; Thu, 7 Sep 2006 14:29:01 +0200 (CEST) Date: Thu, 7 Sep 2006 14:29:01 +0200 From: Frank Steinborn To: Nikos Vassiliadis Mail-Followup-To: Nikos Vassiliadis , freebsd-questions@freebsd.org, freebsd-security@freebsd.org References: <20060906210021.C2428B82C@shodan.nognu.de> <200609071019.46529.nvass@teledomenet.gr> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <200609071019.46529.nvass@teledomenet.gr> User-Agent: mutt-ng/devel-r804 (FreeBSD) Message-Id: <20060907122901.6205EB82C@shodan.nognu.de> Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 12:31:09 -0000 Nikos Vassiliadis wrote: > Are you sure you want to trust a floppy disk for your keys?? > It's not the most safe medium these days... I'll backup the keys on CD. It's just that I don't want to waste a CD-ROM drive in this server. > > > > There is a problem here, because GELI initializes _before_ mounting > > the disks from /etc/fstab (for obvious reasons, of course). So GELI is > > not able to get the keys from the floppy and fails. > > > > So, any hints how I could get the floppy mounted _before_ GELI tries > > to initialize? > > Why don't you use the plain device(/dev/fd0) instead of using a file on a > filesystem on the floppy? I think there are examples in the manual page. I could use /dev/fd0 directly but then I had to use the same key for all 6 HDD's in the server. I got a solution by hacking /etc/rc.d/geli - I'm just mounting the floppy there before it tries to read the key. Thanks for all the people giving suggestions! Frank From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 12:33:24 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 1A8C116A4FA for ; Thu, 7 Sep 2006 12:33:24 +0000 (UTC) (envelope-from artifact.one@googlemail.com) Received: from wx-out-0506.google.com (wx-out-0506.google.com [66.249.82.233]) by mx1.FreeBSD.org (Postfix) with ESMTP id E1EAF43DB8 for ; Thu, 7 Sep 2006 12:32:26 +0000 (GMT) (envelope-from artifact.one@googlemail.com) Received: by wx-out-0506.google.com with SMTP id i27so220036wxd for ; Thu, 07 Sep 2006 05:32:26 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=googlemail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=qZla+lmXbGPbzmoVBNMw+KXRmfTViH864M7fZ6LtebRYGdel75dtDLnsKh+V3EnUcyaRLvUexuN9BqJhSNHgnUL7gPRbMLX9V4cwp2zcV1GczE+MDaToQUDpmpcAKRQbtT8ancmT8L5T0DewMHrHpHzLbM2uuoV6rURkFXKvqCQ= Received: by 10.90.120.6 with SMTP id s6mr147042agc; Thu, 07 Sep 2006 05:32:26 -0700 (PDT) Received: by 10.90.113.5 with HTTP; Thu, 7 Sep 2006 05:32:26 -0700 (PDT) Message-ID: <8e96a0b90609070532x3e7cde32wa31be4b88fb4bfc@mail.gmail.com> Date: Thu, 7 Sep 2006 13:32:26 +0100 From: "mal content" To: "Tom Rhodes" In-Reply-To: <20060907074007.5bc2c91e.trhodes@FreeBSD.org> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <86ejun53cu.fsf@dwp.des.no> <20060907074007.5bc2c91e.trhodes@FreeBSD.org> Cc: freebsd-security@freebsd.org Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 12:33:24 -0000 On 07/09/06, Tom Rhodes wrote: > On Thu, 07 Sep 2006 13:21:37 +0200 > des@des.no (Dag-Erling Sm=F8rgrav) wrote: > > > "Travis H." writes: > > > ``You do not want to overbuild your security or you will interfere > > > with the detection side, and detection is one of the single most > > > important aspects of any security mechanism. For example, it makes > > > little sense to set the schg flag (see chflags(1)) on every system > > > binary because while this may temporarily protect the binaries, it > > > prevents an attacker who has broken in from making an easily > > > detectable change that may result in your security mechanisms not > > > detecting the attacker at all.'' > > > > Uh? Since when do we have crap like that in the handbook? It should > > be removed with extreme prejudice. > > > > Grepping three of these lines, I cannot find it. Tell me Travis, > what URL did you read this from? http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/security-intro.ht= ml > > -- > Tom Rhodes From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 13:02:07 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2CEB416A4E0 for ; Thu, 7 Sep 2006 13:02:07 +0000 (UTC) (envelope-from cbuisson@nerim.net) Received: from kraid.nerim.net (smtp-104-thursday.nerim.net [62.4.16.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id BD84943D5E for ; Thu, 7 Sep 2006 13:02:05 +0000 (GMT) (envelope-from cbuisson@nerim.net) Received: from localhost (cbuisson.pck.nerim.net [80.65.227.128]) by kraid.nerim.net (Postfix) with ESMTP id 9104140F5B; Thu, 7 Sep 2006 15:02:03 +0200 (CEST) Message-ID: <4500184B.8010206@nerim.net> Date: Thu, 07 Sep 2006 15:02:03 +0200 From: Claude Buisson User-Agent: Thunderbird 1.5.0.5 (X11/20060729) MIME-Version: 1.0 To: =?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?= References: <86ejun53cu.fsf@dwp.des.no> In-Reply-To: <86ejun53cu.fsf@dwp.des.no> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@freebsd.org, "Travis H." Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 13:02:07 -0000 Dag-Erling Sm=F8rgrav wrote: > "Travis H." writes: >> ``You do not want to overbuild your security or you will interfere >> with the detection side, and detection is one of the single most >> important aspects of any security mechanism. For example, it makes >> little sense to set the schg flag (see chflags(1)) on every system >> binary because while this may temporarily protect the binaries, it >> prevents an attacker who has broken in from making an easily >> detectable change that may result in your security mechanisms not >> detecting the attacker at all.'' >=20 > Uh? Since when do we have crap like that in the handbook? It should > be removed with extreme prejudice. >=20 > DES $FreeBSD: doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v=20 1.28 2000/03/25 00:19:02 jim Exp $ Claude Buisson From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 13:58:04 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 3C91116A4E1; Thu, 7 Sep 2006 13:58:04 +0000 (UTC) (envelope-from des@des.no) Received: from tim.des.no (tim.des.no [194.63.250.121]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7E3B243D6D; Thu, 7 Sep 2006 13:57:55 +0000 (GMT) (envelope-from des@des.no) Received: from tim.des.no (localhost [127.0.0.1]) by spam.des.no (Postfix) with ESMTP id 1DBEB2086; Thu, 7 Sep 2006 15:57:49 +0200 (CEST) X-Spam-Tests: AWL X-Spam-Learn: disabled X-Spam-Score: 0.0/3.0 X-Spam-Checker-Version: SpamAssassin 3.1.4 (2006-07-25) on tim.des.no Received: from dwp.des.no (des.no [80.203.243.180]) by tim.des.no (Postfix) with ESMTP id 02B842098; Thu, 7 Sep 2006 15:57:48 +0200 (CEST) Received: by dwp.des.no (Postfix, from userid 1001) id D0F5BB80E; Thu, 7 Sep 2006 15:57:48 +0200 (CEST) From: des@des.no (Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?=) To: Tom Rhodes References: <86ejun53cu.fsf@dwp.des.no> <20060907074007.5bc2c91e.trhodes@FreeBSD.org> Date: Thu, 07 Sep 2006 15:57:48 +0200 In-Reply-To: <20060907074007.5bc2c91e.trhodes@FreeBSD.org> (Tom Rhodes's message of "Thu, 7 Sep 2006 07:40:07 -0400") Message-ID: <867j0f4w4j.fsf@dwp.des.no> User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/21.3 (berkeley-unix) MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: quoted-printable Cc: freebsd-security@FreeBSD.org, solinym@gmail.com Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 13:58:04 -0000 Tom Rhodes writes: > Grepping three of these lines, I cannot find it. Tell me Travis, > what URL did you read this from? des@dwp ~/projects/freebsd/doc% grep -r 'temporarily protect' . ./en_US.ISO8859-1/books/handbook/security/chapter.sgml: while this may= temporarily protect the binaries, it prevents an des@dwp ~/projects/freebsd/doc% dcvs annotate en_US.ISO8859-1/books/handboo= k/security/chapter.sgml | grep 'temporarily protect' Annotations for en_US.ISO8859-1/books/handbook/security/chapter.sgml *************** 1.36 (ben 14-Aug-00): while this may temporarily protect= the binaries, it prevents an DES --=20 Dag-Erling Sm=F8rgrav - des@des.no From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 14:59:28 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id B462D16A4DF for ; Thu, 7 Sep 2006 14:59:28 +0000 (UTC) (envelope-from fbsdlists@gmail.com) Received: from hu-out-0102.google.com (hu-out-0506.google.com [72.14.214.231]) by mx1.FreeBSD.org (Postfix) with ESMTP id 589A743D6D for ; Thu, 7 Sep 2006 14:59:19 +0000 (GMT) (envelope-from fbsdlists@gmail.com) Received: by hu-out-0102.google.com with SMTP id 31so187940huc for ; Thu, 07 Sep 2006 07:59:18 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=L/DfnA7rk3/Vq5tBNlDHCURSRiqoAp8iCGYRc4TciVWazv8nZCrwzw2671VeoJ08IiNWqoJ0boTx9s+2Kn0OC/pZ2jLvlHbuMmiHL97Fsb29crDsPyUC/dtyu/LN5Y1T5nteGwbdINRE2Zw+nsLdUhGELnlf6EFiRsmaWjwFZ4Q= Received: by 10.49.94.20 with SMTP id w20mr2659669nfl; Thu, 07 Sep 2006 07:59:17 -0700 (PDT) Received: by 10.48.230.11 with HTTP; Thu, 7 Sep 2006 07:59:17 -0700 (PDT) Message-ID: <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com> Date: Thu, 7 Sep 2006 10:59:17 -0400 From: "Bob Johnson" To: "Barkley Vowk" In-Reply-To: <20060906151041.N37483@3jane.math.ualberta.ca> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline References: <20060906210021.C2428B82C@shodan.nognu.de> <20060906151041.N37483@3jane.math.ualberta.ca> Cc: freebsd-security@freebsd.org, Frank Steinborn Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 14:59:28 -0000 On 9/6/06, Barkley Vowk wrote: > You are a complete madman. You want to protect your data with a key stored > on the most completely and utterly unreliable form of data storage still > lamentably in use? Its not the 1970's anymore, get a real data storage > medium! > > Get a usb flash drive, from there its a simple matter of changing the geli > script to mount a specific usb device before starting. Look in > /etc/rc.d/geli and geli2. I'd put your mounting and checks between the > kldstat and the "if [ -z" in the geli_start() sub. I have floppies from the 1980s that are still readable, but I have never had a USB flash drive last more than six months when actually in use. For important data, I trust a floppy far more than I trust a flash drive. The big problem with floppies is they don't hold enough data. For that matter, writeable CDs and DVDs have proven to be much less reliable than floppies, too. - Bob From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 15:29:17 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 9268816A4DE for ; Thu, 7 Sep 2006 15:29:17 +0000 (UTC) (envelope-from jackbarnett@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.181]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5EC6243D6B for ; Thu, 7 Sep 2006 15:29:05 +0000 (GMT) (envelope-from jackbarnett@gmail.com) Received: by py-out-1112.google.com with SMTP id o67so356531pye for ; Thu, 07 Sep 2006 08:29:04 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:references; b=DeP/AFPN/iWidpT0PJZFPj0C5XkKGl5j1gtK+QvwKO3lqV4YSnAhX4LSQnK+9/rKhYCt31QtE6vgEmeBBhSWDBSZUoaBZBfNlLdb4T9+xqLjHKVEOMlfuztuwYN9JZCgTKW/lVY1wqaOxawbjZHdisn26x8e8geKB3zQJsdNl44= Received: by 10.35.115.18 with SMTP id s18mr890226pym; Thu, 07 Sep 2006 08:29:03 -0700 (PDT) Received: by 10.35.32.20 with HTTP; Thu, 7 Sep 2006 08:29:03 -0700 (PDT) Message-ID: Date: Thu, 7 Sep 2006 10:29:03 -0500 From: "Jack Barnett" To: freebsd-security@freebsd.org In-Reply-To: <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com> MIME-Version: 1.0 References: <20060906210021.C2428B82C@shodan.nognu.de> <20060906151041.N37483@3jane.math.ualberta.ca> <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Content-Disposition: inline X-Content-Filtered-By: Mailman/MimeDel 2.1.5 Cc: Frank Steinborn Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 15:29:17 -0000 That's a really good idea. - Removable media with key (so you can take it out for security reasons) and using a key so don't have to type in a passphrase each time. btw, is there any good document on GELI? One idea is having 1 server with a CD-ROM drive and exporting it via NFS. When a server boots it mounts the remote CD-ROM drive and looks for key "$HOSTNAME.key". CDs are reliable - hold a good amount of data (enough for lots of keys) and can be removed and taken with you. -J On 9/7/06, Bob Johnson wrote: > > On 9/6/06, Barkley Vowk wrote: > > You are a complete madman. You want to protect your data with a key > stored > > on the most completely and utterly unreliable form of data storage still > > lamentably in use? Its not the 1970's anymore, get a real data storage > > medium! > > > > Get a usb flash drive, from there its a simple matter of changing the > geli > > script to mount a specific usb device before starting. Look in > > /etc/rc.d/geli and geli2. I'd put your mounting and checks between the > > kldstat and the "if [ -z" in the geli_start() sub. > > I have floppies from the 1980s that are still readable, but I have > never had a USB flash drive last more than six months when actually in > use. For important data, I trust a floppy far more than I trust a > flash drive. The big problem with floppies is they don't hold enough > data. For that matter, writeable CDs and DVDs have proven to be much > less reliable than floppies, too. > > - Bob > _______________________________________________ > freebsd-security@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-security > To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org > " > From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 15:33:10 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id D6D5E16A501 for ; Thu, 7 Sep 2006 15:33:10 +0000 (UTC) (envelope-from arne_woerner@yahoo.com) Received: from web30310.mail.mud.yahoo.com (web30310.mail.mud.yahoo.com [209.191.69.72]) by mx1.FreeBSD.org (Postfix) with SMTP id B71DF43DC3 for ; Thu, 7 Sep 2006 15:31:46 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 53720 invoked by uid 60001); 7 Sep 2006 15:31:23 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=O7JDfWazElzqzCepawpBIm3XG7g2p4rZxMh64m6NSTVxZb+4c89/JyjBvrexbCvarhkZL0nzBCTmEYwR8E4JbRyz+tFTwkHDE870KHw27oBCqdARUWlPFaRq8hCLhhezYk95Pqa2UNnW/4J8Ap+i+GecRSm2oQmMTq+TnGfbgnc= ; Message-ID: <20060907153123.53718.qmail@web30310.mail.mud.yahoo.com> Received: from [213.54.79.79] by web30310.mail.mud.yahoo.com via HTTP; Thu, 07 Sep 2006 08:31:23 PDT Date: Thu, 7 Sep 2006 08:31:23 -0700 (PDT) From: "R. B. Riddick" To: Bob Johnson In-Reply-To: <54db43990609070759u25e58d28t8d08c52c9df3c765@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org, Frank Steinborn Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 15:33:11 -0000 --- Bob Johnson wrote: > On 9/6/06, Barkley Vowk wrote: > > You are a complete madman. You want to protect your data with a key stored > > on the most completely and utterly unreliable form of data storage still > > lamentably in use? Its not the 1970's anymore, get a real data storage > > medium! > > > I have floppies from the 1980s that are still readable, but I have > never had a USB flash drive last more than six months when actually in > use. For important data, I trust a floppy far more than I trust a > flash drive. The big problem with floppies is they don't hold enough > data. For that matter, writeable CDs and DVDs have proven to be much > less reliable than floppies, too. > Furthermore Frank S. seems to plan to use a second kind of storage medium (mostly optical) as a backup... If he administrates his backup media thoroughly (exchange old media, re-do the backup, ...) he most likely will not have any problems... I personally currently store at least 3 copies of my papers, letters, testimonies and other files on DVD-RW. Furthermore I do a backup from my geom_mirror to a UFS on a regular partition every 10 minutes and from there a copy to DVD-RW every 10 days (I think it is unlikely that both hard disc crash within the same 3 hours (full-backup time), since they are from different manufacturers)... I wonder since several hours what is wrong with Mr. Barkley Vowk. Maybe that canadian university(?) has a security problem? or so? Or a problem with spelling? Mr. S. seems to be a GERman... -Arne --- "DYSLEXIA FOR CURE FOUND" __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 15:35:43 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id BC92516A4DF for ; Thu, 7 Sep 2006 15:35:43 +0000 (UTC) (envelope-from arne_woerner@yahoo.com) Received: from web30314.mail.mud.yahoo.com (web30314.mail.mud.yahoo.com [209.191.69.76]) by mx1.FreeBSD.org (Postfix) with SMTP id 00ED043D93 for ; Thu, 7 Sep 2006 15:35:01 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 49549 invoked by uid 60001); 7 Sep 2006 15:34:29 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=U7i4SA5NY39U8dETpvO4mZc65E8dt0g6nGPB0hS78Ec+zwOP/ko4qNoOH/r9x1julHMd5Z5GF0IZtn+zC/eYDl1tyDyqMvnYJPl2oHwxdY2CG9J4vRgfbxb+wJpM4O1MPkULxsSTVH2KPTdrwtD2DBznMr3Z87h4ff2gjNy3nZE= ; Message-ID: <20060907153429.49547.qmail@web30314.mail.mud.yahoo.com> Received: from [213.54.79.79] by web30314.mail.mud.yahoo.com via HTTP; Thu, 07 Sep 2006 08:34:29 PDT Date: Thu, 7 Sep 2006 08:34:29 -0700 (PDT) From: "R. B. Riddick" To: Jack Barnett , freebsd-security@freebsd.org In-Reply-To: MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: Frank Steinborn Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 15:35:43 -0000 --- Jack Barnett wrote: > One idea is having 1 server with a CD-ROM drive and exporting it via NFS. > When a server boots it mounts the remote CD-ROM drive and looks for key > "$HOSTNAME.key". > But then u would have the problem with network security... > > On 9/6/06, Barkley Vowk wrote: > > > Get a usb flash drive, from there its a simple matter of changing the > > geli > > > script to mount a specific usb device before starting. Look in > > > /etc/rc.d/geli and geli2. I'd put your mounting and checks between the > > > kldstat and the "if [ -z" in the geli_start() sub. > > Oh... I just see Mr. Barkley V. gave an important and helpful hint in this thread, too... I just wanted to point that out, because it is quite astonishing after the first few words... -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 17:06:18 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 74FAA16A4DE; Thu, 7 Sep 2006 17:06:18 +0000 (UTC) (envelope-from piechota@argolis.org) Received: from rwcrmhc11.comcast.net (rwcrmhc11.comcast.net [204.127.192.81]) by mx1.FreeBSD.org (Postfix) with ESMTP id B2E5943D49; Thu, 7 Sep 2006 17:06:17 +0000 (GMT) (envelope-from piechota@argolis.org) Received: from acropolis.argolis.org ([71.230.48.23]) by comcast.net (rwcrmhc11) with ESMTP id <20060907170616m1100q331be>; Thu, 7 Sep 2006 17:06:16 +0000 Received: from acropolis.argolis.org (localhost [127.0.0.1]) by acropolis.argolis.org (8.13.6/8.13.6) with ESMTP id k87H6EvW099714; Thu, 7 Sep 2006 13:06:14 -0400 (EDT) (envelope-from piechota@argolis.org) Received: from localhost (piechota@localhost) by acropolis.argolis.org (8.13.6/8.13.6/Submit) with ESMTP id k87H6Dcp099711; Thu, 7 Sep 2006 13:06:14 -0400 (EDT) (envelope-from piechota@argolis.org) X-Authentication-Warning: acropolis.argolis.org: piechota owned process doing -bs Date: Thu, 7 Sep 2006 13:06:12 -0400 (EDT) From: Matt Piechota To: Frank Steinborn In-Reply-To: <20060907122901.6205EB82C@shodan.nognu.de> Message-ID: <20060907125622.G3820@acropolis.argolis.org> References: <20060906210021.C2428B82C@shodan.nognu.de> <200609071019.46529.nvass@teledomenet.gr> <20060907122901.6205EB82C@shodan.nognu.de> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org, freebsd-questions@freebsd.org, Nikos Vassiliadis Subject: Re: Getting GELI Keys from Floppy X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 17:06:18 -0000 On Thu, 7 Sep 2006, Frank Steinborn wrote: > I could use /dev/fd0 directly but then I had to use the same key for > all 6 HDD's in the server. I got a solution by hacking /etc/rc.d/geli > - I'm just mounting the floppy there before it tries to read the key. You could read different parts of the floppy for different keys. Speaking of which, do the keys have any identifiable strings in them? If not, you could fill the floppy with random garbage and 'hide' the key. I'm assuming since you don't want a password you don't want the boot to require interaction so it's not that useful, but if nothing else it would help if someone got access to the floppy (remotely or by physical access). -- Matt Piechota From owner-freebsd-security@FreeBSD.ORG Thu Sep 7 18:28:07 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 399AD16A4E8 for ; Thu, 7 Sep 2006 18:28:07 +0000 (UTC) (envelope-from solinym@gmail.com) Received: from py-out-1112.google.com (py-out-1112.google.com [64.233.166.179]) by mx1.FreeBSD.org (Postfix) with ESMTP id D510C43D66 for ; Thu, 7 Sep 2006 18:27:48 +0000 (GMT) (envelope-from solinym@gmail.com) Received: by py-out-1112.google.com with SMTP id o67so411493pye for ; Thu, 07 Sep 2006 11:27:38 -0700 (PDT) DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=Si6RdPBTCEDqKVBzHD6CLbsQgeZ2++hwDgeck55ETOeKUhhqpkkmlsEWgelawShJreRbtBlKJGaUBiaXRScWrJXBszeSXWRdwHM86iYhWTY+nw5mFv+8InOVAoHDY4gYhVyfxycmBkruly2EGwXWo6Ylcq1y4iywP3hkzMAFY1E= Received: by 10.35.19.6 with SMTP id w6mr1183702pyi; Thu, 07 Sep 2006 11:27:38 -0700 (PDT) Received: by 10.35.34.3 with HTTP; Thu, 7 Sep 2006 11:27:37 -0700 (PDT) Message-ID: Date: Thu, 7 Sep 2006 13:27:38 -0500 From: "Travis H." To: "=?ISO-8859-1?Q?Dag-Erling_Sm=F8rgrav?=" In-Reply-To: <86ejun53cu.fsf@dwp.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: quoted-printable Content-Disposition: inline References: <86ejun53cu.fsf@dwp.des.no> X-Mailman-Approved-At: Thu, 07 Sep 2006 19:14:32 +0000 Cc: freebsd-security@freebsd.org Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Sep 2006 18:28:07 -0000 On 9/7/06, Dag-Erling Sm=F8rgrav wrote: > Uh? Since when do we have crap like that in the handbook? It should > be removed with extreme prejudice. I'm glad I'm not the only one who feels this way :-) --=20 "If you're not part of the solution, you're part of the precipitate." Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/ GPG fingerprint: 9D3F 395A DAC5 5CCC 9066 151D 0A6B 4098 0C55 1484 From owner-freebsd-security@FreeBSD.ORG Fri Sep 8 00:32:07 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 531BA16A4DA for ; Fri, 8 Sep 2006 00:32:07 +0000 (UTC) (envelope-from trhodes@FreeBSD.org) Received: from pittgoth.com (ns1.pittgoth.com [216.38.206.188]) by mx1.FreeBSD.org (Postfix) with ESMTP id D712643D49 for ; Fri, 8 Sep 2006 00:32:06 +0000 (GMT) (envelope-from trhodes@FreeBSD.org) Received: from localhost (net-ix.gw.ai.net [205.134.160.6] (may be forged)) (authenticated bits=0) by pittgoth.com (8.13.6/8.13.6) with ESMTP id k880VvOV020819 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Thu, 7 Sep 2006 20:31:58 -0400 (EDT) (envelope-from trhodes@FreeBSD.org) Date: Thu, 7 Sep 2006 20:31:49 -0400 From: Tom Rhodes To: des@des.no (Dag-Erling =?ISO-8859-1?Q?Sm=F8rgrav?=) Message-Id: <20060907203149.12040be5.trhodes@FreeBSD.org> In-Reply-To: <867j0f4w4j.fsf@dwp.des.no> References: <86ejun53cu.fsf@dwp.des.no> <20060907074007.5bc2c91e.trhodes@FreeBSD.org> <867j0f4w4j.fsf@dwp.des.no> Organization: The FreeBSD Project X-Mailer: Sylpheed version 1.0.6 (GTK+ 1.2.10; i386-portbld-freebsd7.0) Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable X-Mailman-Approved-At: Fri, 08 Sep 2006 01:14:30 +0000 Cc: freebsd-security@FreeBSD.org, solinym@gmail.com Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Sep 2006 00:32:07 -0000 On Thu, 07 Sep 2006 15:57:48 +0200 des@des.no (Dag-Erling Sm=F8rgrav) wrote: > Tom Rhodes writes: > > Grepping three of these lines, I cannot find it. Tell me Travis, > > what URL did you read this from? >=20 > des@dwp ~/projects/freebsd/doc% grep -r 'temporarily protect' . > ./en_US.ISO8859-1/books/handbook/security/chapter.sgml: while this m= ay temporarily protect the binaries, it prevents an > des@dwp ~/projects/freebsd/doc% dcvs annotate en_US.ISO8859-1/books/handb= ook/security/chapter.sgml | grep 'temporarily protect' >=20 > Annotations for en_US.ISO8859-1/books/handbook/security/chapter.sgml > *************** > 1.36 (ben 14-Aug-00): while this may temporarily prote= ct the binaries, it prevents an Haha, wrong directory. It was reletively early in my morning. Killed. Probably should have went off on a tangent about self inflicted DoS, but that is for another day. --=20 Tom Rhodes From owner-freebsd-security@FreeBSD.ORG Fri Sep 8 05:55:26 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4C47B16A534 for ; Fri, 8 Sep 2006 05:55:26 +0000 (UTC) (envelope-from dougb@FreeBSD.org) Received: from mail2.fluidhosting.com (mx24.fluidhosting.com [204.14.89.7]) by mx1.FreeBSD.org (Postfix) with SMTP id 1C6C843D79 for ; Fri, 8 Sep 2006 05:55:19 +0000 (GMT) (envelope-from dougb@FreeBSD.org) Received: (qmail 5439 invoked by uid 399); 8 Sep 2006 05:55:19 -0000 Received: from localhost (HELO ?192.168.0.3?) (dougb@dougbarton.us@127.0.0.1) by localhost with SMTP; 8 Sep 2006 05:55:19 -0000 Message-ID: <450105C4.9050300@FreeBSD.org> Date: Thu, 07 Sep 2006 22:55:16 -0700 From: Doug Barton Organization: http://www.FreeBSD.org/ User-Agent: Thunderbird 1.5.0.5 (X11/20060729) MIME-Version: 1.0 To: eol1@yahoo.com References: <20060906230642.39757.qmail@web51909.mail.yahoo.com> In-Reply-To: <20060906230642.39757.qmail@web51909.mail.yahoo.com> X-Enigmail-Version: 0.94.1.0 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit Cc: freebsd-security@freebsd.org Subject: Re: FreeBSD Security Advisory FreeBSD-SA-06:20.bind X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Sep 2006 05:55:26 -0000 Peter Thoenen wrote: > Just to verify as not mentioned in the security advisory, if you are > using both the BIND and OPENSSL ports with the REPLACE_BASE directive, > these don't apply correct? Assuming you've updated to the 9.3.2-P1 version (ports version 9.3.2.1) of BIND 9, then yes for the BIND part of the advisory. The BIND ports with REPLACE_BASE will overwrite all the system binaries, and actually install a couple things that the base doesn't (not that I'd expect anyone would need or want them, I just don't like to muck with the ports more than absolutely necessary). For completeness sake, I should note that what I said up there is not 100% accurate in the case where you have BIND 8 in the base (such as in RELENG_4), and try to replace it with BIND 9, or vice versa. In that case, you're better off first doing a build/installworld with the NO_BIND option set in make.conf, removing all the old binaries, libs, and includes; and then installing the port. hth, Doug -- This .signature sanitized for your protection From owner-freebsd-security@FreeBSD.ORG Fri Sep 8 13:28:38 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 2D45D16A4DD for ; Fri, 8 Sep 2006 13:28:38 +0000 (UTC) (envelope-from keramida@ceid.upatras.gr) Received: from igloo.linux.gr (igloo.linux.gr [62.1.205.36]) by mx1.FreeBSD.org (Postfix) with ESMTP id 4D73B43D49 for ; Fri, 8 Sep 2006 13:28:34 +0000 (GMT) (envelope-from keramida@ceid.upatras.gr) Received: from gothmog.pc (host5.bedc.ondsl.gr [62.103.39.229]) (authenticated bits=128) by igloo.linux.gr (8.13.7/8.13.7/Debian-2) with ESMTP id k88DS3br007526 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NOT); Fri, 8 Sep 2006 16:28:13 +0300 Received: from gothmog.pc (gothmog [127.0.0.1]) by gothmog.pc (8.13.7/8.13.7) with ESMTP id k88DSMJg047329; Fri, 8 Sep 2006 16:28:23 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Received: (from giorgos@localhost) by gothmog.pc (8.13.7/8.13.7/Submit) id k88DSJWg047328; Fri, 8 Sep 2006 16:28:19 +0300 (EEST) (envelope-from keramida@ceid.upatras.gr) Date: Fri, 8 Sep 2006 16:28:19 +0300 From: Giorgos Keramidas To: "Travis H." Message-ID: <20060908132819.GA98674@gothmog.pc> References: <86ejun53cu.fsf@dwp.des.no> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: X-Hellug-MailScanner: Found to be clean X-Hellug-MailScanner-SpamCheck: not spam, SpamAssassin (score=-2.806, required 5, autolearn=not spam, AWL -0.21, BAYES_00 -2.60, UNPARSEABLE_RELAY 0.00) X-Hellug-MailScanner-From: keramida@ceid.upatras.gr X-Spam-Status: No Cc: Dag-Erling Sm?rgrav , freebsd-security@freebsd.org Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Sep 2006 13:28:38 -0000 On 2006-09-07 13:27, "Travis H." wrote: >On 9/7/06, Dag-Erling Sm?rgrav wrote: >>Uh? Since when do we have crap like that in the handbook? It should >>be removed with extreme prejudice. > > I'm glad I'm not the only one who feels this way :-) This makes three of us, then. Patches are, AFAIK, always welcome to freebsd-doc@ ;-) From owner-freebsd-security@FreeBSD.ORG Fri Sep 8 17:28:33 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AB8016A56F for ; Fri, 8 Sep 2006 17:28:33 +0000 (UTC) (envelope-from bigby@ephemeron.org) Received: from dsl.ephemeron.org (dsl092-035-072.lax1.dsl.speakeasy.net [66.92.35.72]) by mx1.FreeBSD.org (Postfix) with ESMTP id F123F43D5E for ; Fri, 8 Sep 2006 17:28:32 +0000 (GMT) (envelope-from bigby@ephemeron.org) Received: from home.ephemeron.org (root@home.fake.net [10.0.2.3]) by dsl.ephemeron.org (8.12.11/8.12.11) with ESMTP id k88HSW4W025364; Fri, 8 Sep 2006 10:28:32 -0700 (PDT) (envelope-from bigby@ephemeron.org) Received: from home.ephemeron.org (bigby@localhost [127.0.0.1]) by home.ephemeron.org (8.13.6/8.13.6) with ESMTP id k88HSWHV091128; Fri, 8 Sep 2006 10:28:32 -0700 (PDT) (envelope-from bigby@ephemeron.org) Received: from localhost (bigby@localhost) by home.ephemeron.org (8.13.6/8.13.6/Submit) with ESMTP id k88HSVLr091125; Fri, 8 Sep 2006 10:28:31 -0700 (PDT) (envelope-from bigby@ephemeron.org) X-Authentication-Warning: home.ephemeron.org: bigby owned process doing -bs Date: Fri, 8 Sep 2006 10:28:31 -0700 (PDT) From: Bigby Findrake To: "Travis H." In-Reply-To: Message-ID: <20060908101441.V90396@home.ephemeron.org> References: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: freebsd-security@freebsd.org Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Sep 2006 17:28:33 -0000 On Wed, 6 Sep 2006, Travis H. wrote: > ``You do not want to overbuild your security or you will interfere > with the detection side, and detection is one of the single most > important aspects of any security mechanism. For example, it makes > little sense to set the schg flag (see chflags(1)) on every system > binary because while this may temporarily protect the binaries, it > prevents an attacker who has broken in from making an easily > detectable change that may result in your security mechanisms not > detecting the attacker at all.'' > > Wouldn't it be better to detect /and/ prevent an attempt to change the system > binaries? That's how I interpret that passage from the handbook - that you should detect *and* prevent. I'm not clear on how anyone is interpreting that passage to suggest that unequal weight should be given to one side or the other (detection vs. prevention). The above passage all but says, "don't do X because that will interfere with Y." I just don't see that advice as advocating imbalance. > It seems to me that advising people to focus on detection rather than > prevention is wrong-headed. What are you going to do after you detect > the attacker? If it's not "prevent him from doing anything", then I > question the intelligence of this approach. I find that extreme examples are good at illustrating points. I think that everyone can agree that we cannot prevent 100% of attacks; if we could, we wouldn't be having this discussion. In the extreme case where we take absolutely every possible preventative security measure, logically, the only attacks that can succeed are those that we didn't know about, that we did not foresee, and thus that we could not prevent against. In those cases, where you're hit by attacks that you didn't know existed, the importance of detection probably rises. In fact, in the case of attacks (and possibly vectors) that you weren't aware of, I would argue that detection can be a prerequisite of prevention. Oh, there are examples where it's not: I can prevent all of the network attacks that I don't know about by unplugging the host from the network. But in the cases where you cannot remove or mitigate the attack vector (eg. because to do so would interfere with availability vs security), it seems to me that prevention needs detection. -- "I don't think they could put him in a mental hospital. On the other hand, if he were already in, I don't think they'd let him out." finger://bigby@home.ephemeron.org http://www.ephemeron.org/~bigby/ irc://irc.ephemeron.org/#the_pub news://news.ephemeron.org/alt.lemurs From owner-freebsd-security@FreeBSD.ORG Fri Sep 8 17:50:54 2006 Return-Path: X-Original-To: freebsd-security@freebsd.org Delivered-To: freebsd-security@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A9F1B16A511 for ; Fri, 8 Sep 2006 17:50:54 +0000 (UTC) (envelope-from arne_woerner@yahoo.com) Received: from web30313.mail.mud.yahoo.com (web30313.mail.mud.yahoo.com [209.191.69.75]) by mx1.FreeBSD.org (Postfix) with SMTP id A2BD043D5F for ; Fri, 8 Sep 2006 17:50:47 +0000 (GMT) (envelope-from arne_woerner@yahoo.com) Received: (qmail 71797 invoked by uid 60001); 8 Sep 2006 17:50:46 -0000 DomainKey-Signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:Cc:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=P77Af2s7Yf5IZu5Vfg+YSzKnyJEMo+hWaq1RZELfArklkrtEZRfxPZeWA1DFnZ4KVeNZDNtifVZrXU1qNmdhoM3uyldnf1uRY9im916SA7dy2kDxD04EBHwtnabVDqT+F9PNkKVjgOqQHwQRCOuWiFw0H8iXlym1D95vqDTOe9g= ; Message-ID: <20060908175046.71795.qmail@web30313.mail.mud.yahoo.com> Received: from [213.54.83.205] by web30313.mail.mud.yahoo.com via HTTP; Fri, 08 Sep 2006 10:50:45 PDT Date: Fri, 8 Sep 2006 10:50:45 -0700 (PDT) From: "R. B. Riddick" To: Bigby Findrake In-Reply-To: <20060908101441.V90396@home.ephemeron.org> MIME-Version: 1.0 Content-Type: text/plain; charset=iso-8859-1 Content-Transfer-Encoding: 8bit Cc: freebsd-security@freebsd.org Subject: Re: comments on handbook chapter X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Sep 2006 17:50:54 -0000 --- Bigby Findrake wrote: > On Wed, 6 Sep 2006, Travis H. wrote: > > Wouldn't it be better to detect /and/ prevent an attempt to change the > > system binaries? > > That's how I interpret that passage from the handbook - that you should > detect *and* prevent. I'm not clear on how anyone is interpreting that > passage to suggest that unequal weight should be given to one side or the > other (detection vs. prevention). The above passage all but says, "don't > do X because that will interfere with Y." I just don't see that advice as > advocating imbalance. > Hmm... I think, this "schg flag"-thing should be done to all files, but invisible to a potential attacker... <-- PROTECTION When some attacker tries to get write access to that file or to move that file around or so, it should result in a log message (like "BAD SU on ...")... <-- DETECTION (I think one of the first messages in this thread suggested that already...) And removing that flag shouldn't be possible so easy, too. Maybe just from the physically safe console... -Arne __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com From owner-freebsd-security@FreeBSD.ORG Sat Sep 9 10:19:22 2006 Return-Path: X-Original-To: freebsd-security@FreeBSD.org Delivered-To: freebsd-security@FreeBSD.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id EFB1516A403; Sat, 9 Sep 2006 10:19:22 +0000 (UTC) (envelope-from rwatson@FreeBSD.org) Received: from cyrus.watson.org (cyrus.watson.org [209.31.154.42]) by mx1.FreeBSD.org (Postfix) with ESMTP id 5166043D58; Sat, 9 Sep 2006 10:19:22 +0000 (GMT) (envelope-from rwatson@FreeBSD.org) Received: from fledge.watson.org (fledge.watson.org [209.31.154.41]) by cyrus.watson.org (Postfix) with ESMTP id 4121A46CF8; Sat, 9 Sep 2006 06:19:21 -0400 (EDT) Date: Sat, 9 Sep 2006 11:19:21 +0100 (BST) From: Robert Watson X-X-Sender: robert@fledge.watson.org To: stable@FreeBSD.org In-Reply-To: <20060902113521.P84468@fledge.watson.org> Message-ID: <20060909111657.F76453@fledge.watson.org> References: <20060816120709.N45647@fledge.watson.org> <20060902113521.P84468@fledge.watson.org> MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: trustedbsd-audit@TrustedBSD.org, freebsd-security@FreeBSD.org Subject: Re: Warning: MFC of security event audit support RELENG_6 in the next 2-3 weeks X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 09 Sep 2006 10:19:23 -0000 On Sat, 2 Sep 2006, Robert Watson wrote: > After a couple of weeks of settling, polishing, etc, the MFC of audit > support is about to begin. Over the next couple of days, the 6-STABLE build > may be briefly broken as inter-dependent components are merged. I do not > anticipate any serious disruption, but some caution is called for. In > principle, all the potentially tricky kernel ABI dependencies, etc, were > dealt with before 6.0-RELEASE, such as changes in the size of the kernel > system call data structures. The approximate merge plan, run by re@ a few > days ago, is as follows: Just as a status update -- the vast majority of audit code has now been MFC'd to -STABLE. There are a few areas where the merge is not yet complete -- primarily as relates to non-native/emulated/compatibility system calls, and non-i386/amd64 system calls. I anticipate these being merged in the near future. We've also seen a number of problem reports relating to starting the auditd daemon, a problem not seen during testing on -CURRENT, so we're working on debugging that, and we've found some bugs in audit log rotation. I'm currently travelling for a few days, but will follow up when I get back to the UK on Tuesday on where things stand, and what (if any) further changes are in the pipeline. Once these problems are fixed, it sounds like we're well on track to ship with audit as a 6.2 (experimental) feature. thanks, Robert N M Watson Computer Laboratory University of Cambridge