From owner-freebsd-security@FreeBSD.ORG Sun Sep 25 00:41:15 2011
Date: Sat, 24 Sep 2011 20:12:58 -0400
From: Ryan Steinmetz
To: "Hartmann, O."
Cc: freebsd-security@freebsd.org, Mike Carlson
Message-ID: <20110925001258.GA28508@fast.rit.edu>
In-Reply-To: <20110917135341.GA23643@fast.rit.edu>
Subject: Re: PAM modules -> LDAP!

On (09/17/11 14:30), Hartmann, O. wrote:
> On 09/16/11 23:36, Mike Carlson wrote:
> > On 09/16/2011 08:05 AM, Dag-Erling Smørgrav wrote:
> >> We currently have a number of PAM modules in ports, and while some of
> >> them are specific to certain third-party software, many aren't. I
> >> believe we would benefit from importing at least some of these into
> >> base. My question is: which ones?
> >>
> >> DES
> > LDAP support out of the box would be fantastic.
> >
> > Mike C
>
> Also a strong vote for LDAP support. LDAP is our backend for several
> server systems and it is a kind of pain having to think first for the
> ports to be installed. Also I suspect and hope a better integration if
> LDAP gets part of the core system.
>
> Regards,
> Oliver

I think some caution should be used whenever we discuss merging things
into the base system. There may be other ways of achieving the same
functionality, without the challenges that come with merging things
directly into the base system. Ports tend to be easier to update (in
terms of version bumps/features additions) when compared to things that
become part of base.
I think an interesting concept would be something that gave us the
ability to (easily) tie certain ports into software from the base
system. Something that would allow the software to be more easily kept
current. Perhaps this could be done via some sort of base-integrated
ports category that require extra-special care/controls when being
updated.

Using the above idea, perhaps we could have ISOs or the like available
that include these 'base-integrated' ports pre-installed, thus giving
users the ability to (effectively) have an out-of-the-box solution that
included LDAP support, etc., while still having these 'base-integrated'
ports loosely coupled with the base OS. The concept could keep the base
system lean, but provide the flexibility that users desire.

Obviously there are some complexities associated with implementing the
framework and details that would need to be worked out, but this could
address:
-The desire to keep the base system lean
-The desire to provide certain features out-of-the-box
-The ability to keep these 'base-integrated' ports more current in terms
 of features/functionality

-r

--
Ryan Steinmetz
PGP: EF36 D45A 5CA9 28B1 A550 18CD A43C D111 7AD7 FAF2

From owner-freebsd-security@FreeBSD.ORG Sun Sep 25 03:14:01 2011
Date: Sat, 24 Sep 2011 23:13:57 -0400 (EDT)
From: Benjamin Kaduk
To: Ryan Steinmetz
Cc: freebsd-security@freebsd.org
In-Reply-To: <20110925001258.GA28508@fast.rit.edu>
Subject: Re: PAM modules -> LDAP!

On Sat, 24 Sep 2011, Ryan Steinmetz wrote:
>
> I think an interesting concept would be something that gave us the
> ability to (easily) tie certain ports into software from the base system.
> Something that would allow the software to be more easily kept current.
> Perhaps this could be done via some sort of base-integrated ports
> category that require extra-special care/controls when being updated.

I would very much love a way to tie certain ports into the base system,
by which I mean have the base system utilities link against libraries
provided by a port. (My particular example at hand would be to link ssh
and friends against MIT kerberos from ports, but there are a goodly
number of other examples.) Yet, in order for the benefits of ports to
work, there would need to be a way to hook into the base system to get
these utilities updated with port updates, and probably a way to disable
the base system version of the libraries but still have utilities link
against them (from ports). I do not think this is possible without a
great deal of build infrastructure work; certainly just a special
category of port is insufficient, as it would still have the update
problem. Though perhaps my vision is not exactly what you are aiming
for ...

>
> Using the above idea, perhaps we could have ISOs or the like available
> that include these 'base-integrated' ports pre-installed, thus giving
> users the ability to (effectively) have an out-of-the-box solution that
> included LDAP support, etc., while still having these 'base-integrated'
> ports loosely coupled with the base OS. The concept could keep the base
> system lean, but provide the flexibility that users desire.

People seem to have concerns about the ability of (some) mirrors to cope
with huge piles of data, particularly in the context of regularly
updated package sets from ports. Those concerns would seem to apply to
this as well, as it would apply a scaling factor to the number of isos
involved. Now, having an extra option in the installer "Do you want to
install the LDAP package? (y/n)" is another matter, and potentially
doable. (Though given that perl was pulled *out* of this near-base
status in the fairly recent past does give one pause ...)

>
> Obviously there are some complexities associated with implementing the
> framework and details that would need to be worked out, but this could
> address:
> -The desire to keep the base system lean
> -The desire to provide certain features out-of-the-box
> -The ability to keep these 'base-integrated' ports more current in terms
> of features/functionality

My main concern is with respect to the third point, in making sure that
there do not creep in interdependencies that make updating the port
components complicated or fragile.
-Ben Kaduk

From owner-freebsd-security@FreeBSD.ORG Sun Sep 25 21:17:29 2011
Date: Sun, 25 Sep 2011 17:17:27 -0400
From: Robert Simmons
To: freebsd-security@freebsd.org
Subject: Which AES to use?

I've been reading on Bruce Schneier's blog about key diffusion and the
key schedule in AES 256 being poor. Including this, for use in a geli
encrypted provider, what are the pros and cons of selecting AES 128,
192, or 256?
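As an added illustration of what the question is about (this is not code from the thread or from any of its participants), here is the AES key expansion from FIPS-197 section 5.2 written out in Python for all three key sizes. It makes the structural differences between AES-128, AES-192 and AES-256 concrete: the round count, the number of round-key words derived, and how often the non-linear SubWord step is applied while deriving them. The S-box is computed from its definition (GF(2^8) inverse followed by the affine map) instead of being typed in; the function names and the summary dictionary are my own, and the 128-bit sample key is the FIPS-197 Appendix A.1 test key while the 192- and 256-bit keys are constructed all-zero keys used only to show the schedule shape.

```python
"""AES key expansion (FIPS-197, section 5.2) for 128-, 192- and 256-bit keys.

Added example; not code from the mailing-list thread. It shows what differs
between the three key sizes: round count Nr, number of expanded 32-bit words,
and how many SubWord steps the key schedule applies. The S-box is derived from
its definition rather than hard-coded.
"""


def _xtime(a):
    """Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a


def _gf_mul(a, b):
    """Multiply two GF(2^8) elements (shift-and-add)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _gf_inv(a):
    """Multiplicative inverse in GF(2^8); FIPS-197 maps 0 to 0."""
    result, base, e = 1, a, 254          # a^254 == a^-1 (group order 255)
    while e:
        if e & 1:
            result = _gf_mul(result, base)
        base = _gf_mul(base, base)
        e >>= 1
    return result if a else 0


def _rotl8(v, n):
    return ((v << n) | (v >> (8 - n))) & 0xFF


def _sbox_entry(x):
    """S-box: inverse in GF(2^8), then the affine transformation with c=0x63."""
    b = _gf_inv(x)
    return b ^ _rotl8(b, 1) ^ _rotl8(b, 2) ^ _rotl8(b, 3) ^ _rotl8(b, 4) ^ 0x63


SBOX = bytes(_sbox_entry(x) for x in range(256))


def _sub_word(w):
    """Apply the S-box to each byte of a 32-bit word."""
    return int.from_bytes(bytes(SBOX[b] for b in w.to_bytes(4, "big")), "big")


def _rot_word(w):
    """Rotate a 32-bit word left by one byte."""
    return ((w << 8) | (w >> 24)) & 0xFFFFFFFF


def expand_key(key):
    """Return the key schedule as a list of 4*(Nr+1) 32-bit words."""
    nk = len(key) // 4
    if len(key) % 4 or nk not in (4, 6, 8):
        raise ValueError("AES key must be 16, 24 or 32 bytes")
    nr = nk + 6                                    # 10, 12 or 14 rounds
    w = [int.from_bytes(key[4 * i:4 * i + 4], "big") for i in range(nk)]
    rcon = 0x01
    for i in range(nk, 4 * (nr + 1)):
        temp = w[i - 1]
        if i % nk == 0:
            temp = _sub_word(_rot_word(temp)) ^ (rcon << 24)
            rcon = _xtime(rcon)
        elif nk > 6 and i % nk == 4:               # extra SubWord, AES-256 only
            temp = _sub_word(temp)
        w.append(w[i - nk] ^ temp)
    return w


def schedule_summary(key):
    """Count what differs between key sizes: rounds, words, SubWord steps."""
    nk = len(key) // 4
    nr = nk + 6
    total = 4 * (nr + 1)
    subword_steps = sum(1 for i in range(nk, total)
                        if i % nk == 0 or (nk > 6 and i % nk == 4))
    return {"key_bits": 8 * len(key), "rounds": nr,
            "words": total, "subword_steps": subword_steps}


if __name__ == "__main__":
    # Sample keys: the FIPS-197 Appendix A.1 AES-128 key, plus constructed
    # all-zero 192- and 256-bit keys used only to show the schedule shape.
    for key in (bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c"),
                bytes(24), bytes(32)):
        print(schedule_summary(key), "last round key:",
              "".join(f"{x:08x}" for x in expand_key(key)[-4:]))
```

Running it shows AES-128/192/256 using 10/12/14 rounds and 44/52/60 schedule words, which is the source of the throughput difference the key-size choice implies on CPUs without AES-NI, and that AES-256 is the only variant whose schedule applies SubWord to every fourth word between the RotWord/Rcon steps, the structural detail that the key-schedule discussion on Schneier's blog is about.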
From owner-freebsd-security@FreeBSD.ORG Mon Sep 26 07:00:16 2011
Date: Mon, 26 Sep 2011 08:40:15 +0200
From: webmaster
To: freebsd-security@freebsd.org
Message-ID: <4E801E4F.8040202@n-o-x.org>
Subject: Re: Which AES to use?

I don't know cryptography very well but the data throughput would be a
little better with lower keysize. However with a powerful CPU (maybe
AES-NI instructions included) this wouldn't matter anymore. As a
compromise you could choose AES-192 if you need it more secure than 128
bit.

Finally, quoted from Bruce Schneier's blog:

"And for new applications I suggest that people don't use AES-256.
AES-128 provides more than enough security margin for the foreseeable
future. But if you're already using AES-256, there's no reason to
change."

Best regards
Robert

On 25.09.2011 23:17, Robert Simmons wrote:
> I've been reading on Bruce Schneier's blog about key diffusion and the
> key schedule in AES 256 being poor. Including this, for use in a geli
> encrypted provider, what are the pros and cons of selecting AES 128,
> 192, or 256?
From owner-freebsd-security@FreeBSD.ORG Mon Sep 26 11:21:32 2011
Date: Mon, 26 Sep 2011 13:07:09 +0200
From: Rene de Vries
To: freebsd-security@freebsd.org
In-Reply-To: <86r5369mgb.fsf@ds4.des.no>
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

Why not have /etc/group be authoritative for wheel (and thus have a list
of local superusers), and use sudo with an LDAP-based group for
everything else?

René

On Sat, 24 Sep 2011 14:03:32 +0200, Dag-Erling Smørgrav wrote:
> Lev Serebryakov writes:
>> Dag-Erling writes:
>> > Did you try changing the priority in /etc/nsswitch.conf?
>> It gives very long boot time, as nss_ldap waits for answer from
>> non-started server, again and again, etc.
>
> The only solution I can think of is to try to figure out how to reduce
> or eliminate this delay, because the system is doing exactly what you
> asked it to, i.e. treating /etc/group as authoritative and using LDAP
> only for groups it can't find there.
>
> DES

--
René de Vries
rene@canyon.xs4all.nl

From owner-freebsd-security@FreeBSD.ORG Mon Sep 26 15:44:35 2011
Date: Mon, 26 Sep 2011 19:44:32 +0400
From: Lev Serebryakov
To: Rene de Vries
Cc: freebsd-security@freebsd.org
Message-ID: <122856284.20110926194432@serebryakov.spb.ru>
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

Hello, Rene.
You wrote on 26 September 2011, 15:07:09:

> Why not have /etc/group be authoritative for wheel (and thus have a list
> of local superusers).
Idea is to have no local users (but root) at all :)

--
// Black Lion AKA Lev Serebryakov

From owner-freebsd-security@FreeBSD.ORG Tue Sep 27 00:55:51 2011
Date: Mon, 26 Sep 2011 19:39:35 -0500
From: "Michael D. Norwick"
To: freebsd-security@freebsd.org
Message-ID: <4E811B47.8040006@centurytel.net>
Subject: Cannot build or install Nessus on FreeBSD 9-beta2

Good Day;

I am trying to install Nessus on a Dell Latitude laptop running FreeBSD
9-beta2.
/usr/ports was updated around 09/20/2011 and the current source for the
kernel and world were csup'd late last week. I have built a new kernel
with debugging disabled to reduce the noise to the terminal. I have
- device bpf - uncommented in the config file and I commented out
unneeded device drivers. I built a new world yesterday. The build and
install went without error.

I started this thread on freebsd-questions this morning;

Re: Trying to build nessus 4 from ports

When trying to install the binary downloaded from tenable.com -
Nessus-4.4.1-fbsd8-amd64.tbz using pkg_add it says I need to enable more
bpf devices. Deleting the package then attempting to install from
/usr/ports/security/nessus results in a successful build but when
nessusd is started it errors out on 'libz.so.5 not found'. FreeBSD 9 is
at libz.so.6.

I really like FreeBSD 9 on this machine but I have a work project that
involves port scanning, intrusion detection and forensics. That is why I
am attempting to get Nessus working. I would like the company to
purchase Nessus for business but I have to get it working on my test
network first. I am trying to follow Mr. Richard Bejtlich's book 'The
Tao of Network Security Monitoring'. Maybe I need to fall back to
FreeBSD 8.2 in order to be successful? Are there other security tools
which build without error on FreeBSD 9?
Thank You
Michael

From owner-freebsd-security@FreeBSD.ORG Tue Sep 27 01:29:32 2011
Date: Mon, 26 Sep 2011 21:29:30 -0400
From: Robert Simmons
To: freebsd-security@freebsd.org
In-Reply-To: <4E811B47.8040006@centurytel.net>
Subject: Re: Cannot build or install Nessus on FreeBSD 9-beta2

On Mon, Sep 26, 2011 at 8:39 PM, Michael D. Norwick wrote:
> When trying to install the binary downloaded from tenable.com -
> Nessus-4.4.1-fbsd8-amd64.tbz using pkg_add it says I need to enable more bpf
> devices.  Deleting the package then attempting to install from
> /usr/ports/security/nessus results in a successful build but when nessusd is
> started it errors out on 'libz.so.5 not found'.  FreeBSD 9 is at libz.so.6.

First, nessus 4 is closed source proprietary software. The version of
nessus in ports is version 2 which is open source. I think you may have
a square peg round hole problem with nessus 4. If you want to run that,
you would need to use fbsd8 as that is what it is compiled against.

As for nessus 2 from ports, did you install the package for it, or did
you compile it? If you compiled it, there should not be a problem.
configure should find zlib just fine.

> Security Monitoring'.  Maybe I need to fall back to FreeBSD 8.2 in order to
> be successful?  Are there other security tools which build without error on
> FreeBSD 9?

Keep in mind that 9 is beta. So, if you are interested in things "just
working" use 8.2. If you are willing to spend the time beta testing,
then use 9.
From owner-freebsd-security@FreeBSD.ORG Tue Sep 27 01:34:36 2011
Date: Mon, 26 Sep 2011 21:06:51 -0400
From: Glen Barber
To: "Michael D. Norwick"
Cc: freebsd-security@freebsd.org
Message-ID: <4E8121AB.3040502@gmail.com>
In-Reply-To: <4E811B47.8040006@centurytel.net>
Subject: Re: Cannot build or install Nessus on FreeBSD 9-beta2

Hi,

This really should be directed to the ports list, but...

On 9/26/11 8:39 PM, Michael D. Norwick wrote:
> When trying to install the binary downloaded from tenable.com -
> Nessus-4.4.1-fbsd8-amd64.tbz using pkg_add it says I need to enable more
> bpf devices. Deleting the package then attempting to install from
> /usr/ports/security/nessus results in a successful build but when
> nessusd is started it errors out on 'libz.so.5 not found'. FreeBSD 9 is
> at libz.so.6.
>

The misc/compat8x port should contain the 8.x-specific libraries you
would need.
Regards,

--
Glen Barber

From owner-freebsd-security@FreeBSD.ORG Tue Sep 27 02:00:29 2011
Date: Mon, 26 Sep 2011 21:00:07 -0500
From: "Michael D. Norwick"
To: freebsd-security@freebsd.org
Message-ID: <4E812E27.3040300@centurytel.net>
Subject: Re: Cannot build or install Nessus on FreeBSD 9-beta2

On 09/26/11 20:29, Robert Simmons wrote:
> On Mon, Sep 26, 2011 at 8:39 PM, Michael D. Norwick wrote:
>> When trying to install the binary downloaded from tenable.com -
>> Nessus-4.4.1-fbsd8-amd64.tbz using pkg_add it says I need to enable more bpf
>> devices. Deleting the package then attempting to install from
>> /usr/ports/security/nessus results in a successful build but when nessusd is
>> started it errors out on 'libz.so.5 not found'. FreeBSD 9 is at libz.so.6.
> First, nessus 4 is closed source proprietary software. The version of
> nessus in ports is version 2 which is open source. I think you may
> have a square peg round hole problem with nessus 4. If you want to
> run that, you would need to use fbsd8 as that is what it is compiled
> against.
>
> As for nessus 2 from ports, did you install the package for it, or did
> you compile it? If you compiled it, there should not be a problem.
> configure should find zlib just fine.
>
>> Security Monitoring'. Maybe I need to fall back to FreeBSD 8.2 in order to
>> be successful? Are there other security tools which build without error on
>> FreeBSD 9?
> Keep in mind that 9 is beta. So, if you are interested in things
> "just working" use 8.2. If you are willing to spend the time beta
> testing, then use 9.
>

Good Day;

I was warned about not posting to freebsd-ports but I had already hit
the 'send' button. I am familiar with beta versus production but I
wanted to try nessus on FreeBSD 9 because 9-beta2 was already installed,
and updated and appears to have such wonderful features. The
/usr/ports/misc/compat8 suggestion appears to have been the answer. The
daemon is running now. The company will purchase Nessus for Business but
I have to prove it first. I am just grateful that tenable has continued
to offer it on something other than windows.
I will try and make my future posts to the proper mailing list.

Thank You,
Michael

From owner-freebsd-security@FreeBSD.ORG Tue Sep 27 02:06:48 2011
Date: Tue, 27 Sep 2011 11:10:54 +1000
From: richo
To: freebsd-security@freebsd.org
Cc: "Michael D. Norwick"
Message-ID: <20110927011052.GA27088@richh-desktop.boxdice.com.au>
In-Reply-To: <4E811B47.8040006@centurytel.net>
Subject: Re: Cannot build or install Nessus on FreeBSD 9-beta2

I don't think this is relevant to the -security list.

If you've only wasted a few hours since posting the exact same thing to -questions, I think maybe your list etiquette needs reexamination.

-- 
richo

On 26/09/11 19:39 -0500, Michael D. Norwick wrote:
> Good Day;
>
> I am trying to install Nessus on a Dell Latitude laptop running
> FreeBSD 9-beta2. /usr/ports was updated around 09/20/2011 and the
> current source for the kernel and world were csup'd late last week.
> I have built a new kernel with debugging disabled to reduce the noise
> to the terminal. I have - device bpf - uncommented in the config
> file and I commented out unneeded device drivers. I built a new
> world yesterday. The build and install went without error.
>
> I started this thread on freebsd-questions this morning;
>
> Re: Trying to build nessus 4 from ports
>
> When trying to install the binary downloaded from tenable.com -
> Nessus-4.4.1-fbsd8-amd64.tbz using pkg_add it says I need to enable
> more bpf devices. Deleting the package then attempting to install
> from /usr/ports/security/nessus results in a successful build but
> when nessusd is started it errors out on 'libz.so.5 not found'.
> FreeBSD 9 is at libz.so.6.
>
> I really like FreeBSD 9 on this machine but I have a work project
> that involves port scanning, intrusion detection and forensics. That
> is why I am attempting to get Nessus working. I would like the
> company to purchase Nessus for business but I have to get it working
> on my test network first. I am trying to follow Mr. Richard
> Bejtlich's book 'The Tao of Network Security Monitoring'. Maybe I
> need to fall back to FreeBSD 8.2 in order to be successful? Are
> there other security tools which build without error on FreeBSD 9?
>
> Thank You
>
> Michael

-- 
richo || Today's excuse:
electromagnetic radiation from satellite debris

From owner-freebsd-security@FreeBSD.ORG Tue Sep 27 14:09:32 2011
Date: Tue, 27 Sep 2011 16:09:18 +0200
From: Ruben de Groot
To: Lev Serebryakov
Cc: Rene de Vries, freebsd-security@freebsd.org
Message-ID: <20110927140918.GA80848@ei.bzerk.org>
In-Reply-To: <122856284.20110926194432@serebryakov.spb.ru>
Subject: Re: pam_ldap and nss_ldap : chicken and egg problem with "wheel" group and "su" utility

On Mon, Sep 26, 2011 at 07:44:32PM +0400, Lev Serebryakov typed:
> Hello, Rene.
> You wrote 26 September 2011, 15:07:09:
>
> > Why not have /etc/group be authoritative for wheel (and thus have a list
> > of local superusers).
> Idea is to have no local users (but root) at all :)

How about creating an ldap group 'su-users' and changing /etc/pam.d/su to have the line:

auth requisite pam_group.so no_warn group=su-users root_only fail_safe

From owner-freebsd-security@FreeBSD.ORG Wed Sep 28 09:05:51 2011
Date: Wed, 28 Sep 2011 09:05:51 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Message-Id: <201109280905.p8S95pmZ098559@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-11:03.bind

=============================================================================
FreeBSD-SA-11:03.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-09-28
Credits:        Roy Arends
Affects:        8.2-STABLE after 2011-05-28 and prior to the correction date
Corrected:      2011-07-06 00:50:54 UTC (RELENG_8, 8.2-STABLE)
CVE Name:       CVE-2011-2464

Note: This advisory concerns a vulnerability which existed only in the
FreeBSD 8-STABLE branch and was fixed over two months prior to the date of
this advisory.

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The
named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A logic error in the BIND code causes the BIND daemon to accept bogus data,
which could cause the daemon to crash.

III. Impact

An attacker able to send traffic to the BIND daemon can cause it to crash,
resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems not running the BIND name server are
not affected.

V.   Solution

Upgrade your vulnerable system to 8-STABLE dated after the correction date.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_8
  src/contrib/bind9/lib/dns/message.c                             1.3.2.3
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r223815
-------------------------------------------------------------------------

VII. References

http://www.isc.org/software/bind/advisories/cve-2011-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:03.bind.asc

From owner-freebsd-security@FreeBSD.ORG Wed Sep 28 09:05:58 2011
Date: Wed, 28 Sep 2011 09:05:57 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Message-Id: <201109280905.p8S95vDp098603@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-11:04.compress
=============================================================================
FreeBSD-SA-11:04.compress                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Errors handling corrupt compress file in compress(1) and
                gzip(1)

Category:       core
Module:         compress
Announced:      2011-09-28
Credits:        Tomas Hoger, Joerg Sonnenberger
Affects:        All supported versions of FreeBSD.
Corrected:      2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
                2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
                2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)
CVE Name:       CVE-2011-2895

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

The compress utility reduces the size of files using adaptive Lempel-Ziv
coding, or LZW coding, a lossless data compression algorithm. Both
compress(1) and gzip(1) use code derived from 4.3BSD compress(1).

II.  Problem Description

The code used to decompress a file created by compress(1) does not do
sufficient boundary checks on compressed code words, allowing reference
beyond the decompression table, which may result in a stack overflow or an
infinite loop when the decompressor encounters a corrupted file.

III. Impact

An attacker who can cause a corrupt archive of his choice to be parsed by
uncompress(1) or gunzip(1) can cause these utilities to enter an infinite
loop, to core dump, or possibly to execute arbitrary code provided by the
attacker.

IV.  Workaround

No workaround is available, but systems not handling adaptive Lempel-Ziv
compressed files (.Z) from an untrusted source are not vulnerable.
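The boundary check described in the Problem Description, as an added example that is not the patched zopen.c or zuncompress.c: a minimal compress(1)-style LZW codec whose decoder refuses any code word beyond the initialised part of the table. The codes are kept as plain 16-bit values (no 9- to 16-bit bit stream) and the table is capped at 12 bits; both are simplifications assumed for this example.

```c
/* Added example, not the zopen.c / zuncompress.c code the advisory patches: a
 * small LZW codec in the style of compress(1) showing the decoder's table check. */
#include <stdint.h>
#include <string.h>

#define MAXCODE 4095   /* highest table index (a 12-bit table for this demo) */
#define FIRST   256    /* codes 0..255 are literal bytes */

static int find_entry(const uint16_t *pre, const uint8_t *suf, int free_ent, int w, int c)
{
    for (int i = FIRST; i < free_ent; i++)
        if (pre[i] == w && suf[i] == c)
            return i;
    return -1;
}

/* Encode n bytes; returns the number of codes written to out (at most n). */
size_t lzw_encode(const uint8_t *in, size_t n, uint16_t *out)
{
    uint16_t pre[MAXCODE + 1];
    uint8_t suf[MAXCODE + 1];
    int free_ent = FIRST;
    size_t k = 0;
    if (n == 0) return 0;
    int w = in[0];
    for (size_t i = 1; i < n; i++) {
        int c = in[i], e = find_entry(pre, suf, free_ent, w, c);
        if (e >= 0) { w = e; continue; }
        out[k++] = (uint16_t)w;
        if (free_ent <= MAXCODE) {     /* grow the table while there is room */
            pre[free_ent] = (uint16_t)w;
            suf[free_ent] = (uint8_t)c;
            free_ent++;
        }
        w = c;
    }
    out[k++] = (uint16_t)w;
    return k;
}

/* Decode; returns bytes written, or -1 on corrupt input. It can neither loop
 * forever nor run off the end of stack[], whatever the code stream contains. */
long lzw_decode(const uint16_t *codes, size_t ncodes, uint8_t *out, size_t outcap)
{
    uint16_t pre[MAXCODE + 1];
    uint8_t suf[MAXCODE + 1];
    uint8_t stack[MAXCODE + 2];        /* the de_stack of compress(1) */
    int free_ent = FIRST;
    size_t written = 0;
    if (ncodes == 0) return 0;
    int oldcode = codes[0];
    if (oldcode >= FIRST || outcap == 0) return -1;  /* first code is a literal */
    int finchar = oldcode;
    out[written++] = (uint8_t)finchar;
    for (size_t i = 1; i < ncodes; i++) {
        int code = codes[i], incode = code;
        uint8_t *sp = stack;
        if (code >= free_ent) {
            /* code == free_ent is the legitimate KwKwK case: it names the entry
             * about to be added. A larger code, or one arriving once the table
             * is full, points past the initialised entries; walking that chain
             * is the stack overflow / infinite loop the advisory describes. */
            if (code > free_ent || free_ent > MAXCODE) return -1;
            *sp++ = (uint8_t)finchar;
            code = oldcode;
        }
        /* Every initialised entry has pre[i] < i, so this chain strictly
         * decreases: it terminates and pushes fewer than MAXCODE bytes. */
        while (code >= FIRST) {
            *sp++ = suf[code];
            code = pre[code];
        }
        finchar = code;
        *sp++ = (uint8_t)finchar;
        size_t len = (size_t)(sp - stack);
        if (written + len > outcap) return -1;
        while (sp > stack)             /* the string was built last byte first */
            out[written++] = *--sp;
        if (free_ent <= MAXCODE) {
            pre[free_ent] = (uint16_t)oldcode;
            suf[free_ent] = (uint8_t)finchar;
            free_ent++;
        }
        oldcode = incode;
    }
    return (long)written;
}

/* Round trip helper: 1 if text survives encode + decode unchanged. */
int lzw_roundtrip_ok(const char *text)
{
    size_t n = strlen(text);
    uint16_t codes[256];
    uint8_t back[256];
    if (n >= sizeof back) return 0;
    size_t k = lzw_encode((const uint8_t *)text, n, codes);
    long m = lzw_decode(codes, k, back, sizeof back);
    return m == (long)n && memcmp(back, text, n) == 0;
}
```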
V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after
the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2
and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch
# fetch http://security.FreeBSD.org/patches/SA-11:04/compress.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.bin/compress
# make obj && make depend && make && make install
# cd /usr/src/usr.bin/gzip
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the
i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/usr.bin/compress/zopen.c                                  1.12.10.1
  src/usr.bin/gzip/zuncompress.c                                  1.1.4.3
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.5
  src/sys/conf/newvers.sh                                   1.72.2.18.2.8
  src/usr.bin/compress/zopen.c                                  1.12.26.2
  src/usr.bin/gzip/zuncompress.c                              1.1.4.1.4.2
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.9
  src/sys/conf/newvers.sh                                  1.72.2.16.2.11
  src/usr.bin/compress/zopen.c                                  1.12.24.2
  src/usr.bin/gzip/zuncompress.c                              1.1.4.1.2.2
RELENG_8
  src/usr.bin/compress/zopen.c                                  1.12.22.2
  src/usr.bin/gzip/zuncompress.c                                  1.2.2.3
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.5
  src/sys/conf/newvers.sh                                   1.83.2.12.2.8
  src/usr.bin/compress/zopen.c                              1.12.22.1.6.2
  src/usr.bin/gzip/zuncompress.c                              1.2.2.1.6.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.8
  src/sys/conf/newvers.sh                                   1.83.2.10.2.9
  src/usr.bin/compress/zopen.c                              1.12.22.1.4.2
  src/usr.bin/gzip/zuncompress.c                              1.2.2.1.4.2
RELENG_9
  src/usr.bin/compress/zopen.c                                   1.16.2.2
  src/usr.bin/gzip/zuncompress.c                                  1.4.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r225827
releng/7.4/                                                       r225827
releng/7.3/                                                       r225827
stable/8/                                                         r225827
releng/8.2/                                                       r225827
releng/8.1/                                                       r225827
stable/9/                                                         r225827
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2895

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:04.compress.asc

From owner-freebsd-security@FreeBSD.ORG Wed Sep 28 09:06:02 2011
Date: Wed, 28 Sep 2011 09:06:02 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Message-Id: <201109280906.p8S9624x098641@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-11:05.unix
=============================================================================
FreeBSD-SA-11:05.unix                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in handling of UNIX socket addresses

Category:       core
Module:         kern
Announced:      2011-09-28
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
                2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
                2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit .

I.   Background

UNIX-domain sockets, also known as "local" sockets, are a mechanism for
interprocess communication. They are similar to Internet sockets (and
utilize the same system calls) but instead of relying on IP addresses and
port numbers, UNIX-domain sockets have addresses in the local file system
address space.

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2) system
call, the length of the provided path is not validated. Later, when this
address is returned via other system calls, it is copied into a fixed-length
buffer.

III. Impact

A local user can cause the FreeBSD kernel to panic. It may also be possible
to execute code with elevated privileges ("gain root"), escape from a jail,
or to bypass security mechanisms in other ways.

IV.  Workaround

No workaround is available, but systems without untrusted local users are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after
the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.4, 7.3, 8.2 and
8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the
i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_usrreq.c                                   1.206.2.13
RELENG_7_4
  src/UPDATING                                             1.507.2.36.2.5
  src/sys/conf/newvers.sh                                   1.72.2.18.2.8
  src/sys/kern/uipc_usrreq.c                               1.206.2.11.4.2
RELENG_7_3
  src/UPDATING                                             1.507.2.34.2.9
  src/sys/conf/newvers.sh                                  1.72.2.16.2.11
  src/sys/kern/uipc_usrreq.c                               1.206.2.11.2.2
RELENG_8
  src/sys/kern/uipc_usrreq.c                                    1.233.2.6
RELENG_8_2
  src/UPDATING                                             1.632.2.19.2.5
  src/sys/conf/newvers.sh                                   1.83.2.12.2.8
  src/sys/kern/uipc_usrreq.c                                1.233.2.2.2.2
RELENG_8_1
  src/UPDATING                                             1.632.2.14.2.8
  src/sys/conf/newvers.sh                                   1.83.2.10.2.9
  src/sys/kern/uipc_usrreq.c                                1.233.2.1.4.2
RELENG_9
  src/sys/kern/uipc_usrreq.c                                    1.244.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r225827
releng/7.4/                                                       r225827
releng/7.3/                                                       r225827
stable/8/                                                         r225827
releng/8.2/                                                       r225827
releng/8.1/                                                       r225827
stable/9/                                                         r225827
-------------------------------------------------------------------------

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:05.unix.asc

From owner-freebsd-security@FreeBSD.ORG Thu Sep 29 15:51:18 2011
Date: Thu, 29 Sep 2011 17:32:08 +0200
From: Bengt Ahlgren
To: freebsd-security@freebsd.org
Cc: FreeBSD Security Advisories
In-Reply-To: <201109280906.p8S962aS098634@freefall.freebsd.org>
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-11:05.unix

Hello!

This patch seems to have broken something in Unix sockets in the Linux ABI. The acroread Linux binary cannot connect to the local X11 unix socket ("cannot open display: :0.0"). Setting DISPLAY=:0 works (using a TCP socket instead), and I just verified that it works without the patch.

Or can it be a bug in acroread?

(I'm running 8.2-REL/i386 on an IBM Thinkpad X40, and I'm using KDE 4.5.5)

Bengt

From owner-freebsd-security@FreeBSD.ORG Fri Sep 30 10:23:06 2011
Date: Fri, 30 Sep 2011 01:00:25 -0700
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd-security@freebsd.org, freebsd-emulation@freebsd.org
Reply-To: security-officer@freebsd.org
Message-ID: <4E857719.7060306@freebsd.org>
Subject: HEADS UP: breakage with linux emulation + SA-11:05.unix

Hi all,

It appears that the security fix in SA-11:05.unix exposed a bug in the linux emulation code: Linux has a different size of sockaddr_un than FreeBSD, and the linux emulation code was passing socket addresses through without doing any translation first.

This appears to break all X-using Linux code -- both applications and plugins such as the widely-used flash plugin -- and probably other Linux applications too.

I am working on a fix for this and will send an updated advisory out as soon as it's ready.
-- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid

From owner-freebsd-security@FreeBSD.ORG Fri Sep 30 23:00:24 2011
From: Mike Brown
To: freebsd-security@freebsd.org
Date: Fri, 30 Sep 2011 16:39:25 -0600 (MDT)
Message-Id: <201109302239.p8UMdPQB019930@chilled.skew.org>
In-Reply-To: <201109280906.p8S962AK098648@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

FreeBSD Security Advisories wrote:
> FreeBSD-SA-11:05.unix Security Advisory
> [...]
> 2) To update your vulnerable system via a source code patch:
> [...]
> c) Recompile your kernel as described in
> and reboot the
> system.
>
> 3) To update your vulnerable system via a binary patch:
>
> Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
> the i386 or amd64 platforms can be updated via the freebsd-update(8)
> utility:
>
> # freebsd-update fetch
> # freebsd-update install

Quick question: after running freebsd-update install, do I reboot for this
one, or not?

From owner-freebsd-security@FreeBSD.ORG Fri Sep 30 23:10:55 2011
From: Glen Barber
To: Mike Brown
Cc: freebsd-security@freebsd.org
Date: Fri, 30 Sep 2011 19:10:51 -0400
Message-ID: <4E864C7B.8010000@gmail.com>
In-Reply-To: <201109302239.p8UMdPQB019930@chilled.skew.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On 9/30/11 6:39 PM, Mike Brown wrote:
> FreeBSD Security Advisories wrote:
>> FreeBSD-SA-11:05.unix Security Advisory
>> [...]
>> 2) To update your vulnerable system via a source code patch:
>> [...]
>> c) Recompile your kernel as described in
>> and reboot the
>> system.
>>
>> 3) To update your vulnerable system via a binary patch:
>>
>> Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
>> the i386 or amd64 platforms can be updated via the freebsd-update(8)
>> utility:
>>
>> # freebsd-update fetch
>> # freebsd-update install
>
> Quick question: after running freebsd-update install, do I reboot for this
> one, or not?

You should need to, because the patch affects the kernel.
-- 
Glen Barber

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 04:10:57 2011
From: Mike Brown
To: Eitan Adler
Cc: freebsd-security@freebsd.org
Date: Fri, 30 Sep 2011 22:10:51 -0600 (MDT)
Message-Id: <201110010410.p914Ap3F001617@chilled.skew.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

Eitan Adler wrote:
>> do I reboot for this one, or not?
> The kernel is changed, so yes.

Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
reboot in the context of building the kernel from sources. Hopefully, when a
reboot is required, future advisories will mention it in the freebsd-update(8)
instructions.
From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 04:25:44 2011
From: Glen Barber
To: Mike Brown
Cc: Eitan Adler, freebsd-security@freebsd.org
Date: Sat, 01 Oct 2011 00:25:40 -0400
Message-ID: <4E869644.4020703@gmail.com>
In-Reply-To: <201110010410.p914Ap3F001617@chilled.skew.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On 10/1/11 12:10 AM, Mike Brown wrote:
> Eitan Adler wrote:
>>> do I reboot for this one, or not?
>> The kernel is changed, so yes.
>
> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
> reboot in the context of building the kernel from sources. Hopefully, when a
> reboot is required, future advisories will mention it in the freebsd-update(8)
> instructions.

They normally do for these cases, but please keep in mind that the security
officer had issued three consecutive security advisories. Unfortunately, he's
only human, too.
:-)

-- 
Glen Barber

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 05:38:02 2011
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Mike Brown
Cc: Eitan Adler, freebsd-security@freebsd.org
Date: Fri, 30 Sep 2011 22:12:14 -0700
Message-ID: <4E86A12E.3070600@FreeBSD.org>
In-Reply-To: <201110010410.p914Ap3F001617@chilled.skew.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On 09/30/2011 21:10, Mike Brown wrote:
> Eitan Adler wrote:
>>> do I reboot for this one, or not?
>> The kernel is changed, so yes.
>
> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
> reboot in the context of building the kernel from sources. Hopefully, when a
> reboot is required, future advisories will mention it in the freebsd-update(8)
> instructions.

When would a reboot not be needed for a kernel change?

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price. :) http://SupersetSolutions.com/

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 06:01:41 2011
From: budsz
To: freebsd-security@freebsd.org
Date: Sat, 1 Oct 2011 12:35:08 +0700
In-Reply-To: <201109280905.p8S95pmZ098559@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:03.bind

On Wed, Sep 28, 2011 at 4:05 PM, FreeBSD Security Advisories wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> =============================================================================
> FreeBSD-SA-11:03.bind                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          Remote packet Denial of Service against named(8) servers
>
> Category:       contrib
> Module:         bind
> Announced:      2011-09-28
> Credits:        Roy Arends
> Affects:        8.2-STABLE after 2011-05-28 and prior to the correction date
> Corrected:      2011-07-06 00:50:54 UTC (RELENG_8, 8.2-STABLE)
> CVE Name:       CVE-2011-2464
>
> Note: This advisory concerns a vulnerability which existed only in
> the FreeBSD 8-STABLE branch and was fixed over two months prior to the
> date of this advisory.
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> BIND 9 is an implementation of the Domain Name System (DNS) protocols.
> The named(8) daemon is an Internet Domain Name Server.
>
> II.  Problem Description
>
> A logic error in the BIND code causes the BIND daemon to accept bogus
> data, which could cause the daemon to crash.
>
> III. Impact
>
> An attacker able to send traffic to the BIND daemon can cause it to
> crash, resulting in a denial of service.
>
> IV.  Workaround
>
> No workaround is available, but systems not running the BIND name server
> are not affected.
>
> V.   Solution
>
> Upgrade your vulnerable system to 8-STABLE dated after the correction
> date.
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                           Revision
>   Path
> - -------------------------------------------------------------------------
> RELENG_8
>   src/contrib/bind9/lib/dns/message.c                             1.3.2.3
> - -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path
> Revision
> - -------------------------------------------------------------------------
> stable/8/                                                         r223815
> - -------------------------------------------------------------------------
>
> VII. References
>
> http://www.isc.org/software/bind/advisories/cve-2011-2464
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-11:03.bind.asc
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2.0.18 (FreeBSD)
>
> iEYEARECAAYFAk6C4CYACgkQFdaIBMps37LwQgCeIDVGsCWOLoVdmWogOOaPC1UG
> 9G8AoJPlRbNmkEWMg7uoOYrvjWlRRdlK
> =aUvD
> -----END PGP SIGNATURE-----

Only updating to 8.X for a solution? There is no patch for this advisory?
Thank You

-- 
budsz

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 06:21:29 2011
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: budsz
Cc: freebsd-security@freebsd.org
Date: Fri, 30 Sep 2011 23:19:35 -0700
Message-ID: <4E86B0F7.5050208@FreeBSD.org>
References: <201109280905.p8S95pmZ098559@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:03.bind

On 09/30/2011 22:35, budsz wrote:
> On Wed, Sep 28, 2011 at 4:05 PM, FreeBSD Security Advisories
> wrote:
> Note: This advisory concerns a vulnerability which existed only in
> the FreeBSD 8-STABLE branch and was fixed over two months prior to the
> date of this advisory.

> Only updating to 8.X for a solution? There is no patch for this advisory?

See above. :)

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.
:) http://SupersetSolutions.com/

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 06:30:35 2011
From: Sean
To: Doug Barton
Cc: freebsd-security@freebsd.org
Date: Sat, 1 Oct 2011 16:14:27 +1000
Message-Id: <8AC5D3E0-B0D0-412C-BCDF-D531C0116043@gothic.net.au>
In-Reply-To: <4E86A12E.3070600@FreeBSD.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On 01/10/2011, at 3:12 PM, Doug Barton wrote:

> On 09/30/2011 21:10, Mike Brown wrote:
>> Eitan Adler wrote:
>>>> do I reboot for this one, or not?
>>> The kernel is changed, so yes.
>>
>> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
>> reboot in the context of building the kernel from sources. Hopefully, when a
>> reboot is required, future advisories will mention it in the freebsd-update(8)
>> instructions.
>
> When would a reboot not be needed for a kernel change?
>

When it's a kernel module either not loaded, not compiled in, or can be
unloaded/reloaded? Not this one though...

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 06:32:29 2011
From: Doug Barton
Organization: http://SupersetSolutions.com/
To: Sean
Cc: freebsd-security@freebsd.org
Date: Fri, 30 Sep 2011 23:32:18 -0700
Message-ID: <4E86B3F2.9040108@FreeBSD.org>
In-Reply-To: <8AC5D3E0-B0D0-412C-BCDF-D531C0116043@gothic.net.au>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On 09/30/2011 23:14, Sean wrote:
>
> On 01/10/2011, at 3:12 PM, Doug Barton wrote:
>
>> On 09/30/2011 21:10, Mike Brown wrote:
>>> Eitan Adler wrote:
>>>>> do I reboot for this one, or not?
>>>> The kernel is changed, so yes.
>>>
>>> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
>>> reboot in the context of building the kernel from sources. Hopefully, when a
>>> reboot is required, future advisories will mention it in the freebsd-update(8)
>>> instructions.
>>
>> When would a reboot not be needed for a kernel change?
>>
>
> When it's a kernel module either not loaded, not compiled in, or can be unloaded/reloaded?

I didn't say module, I said kernel.

-- 

Nothin' ever doesn't change, but nothin' changes much.
-- OK Go

Breadth of IT experience, and depth of knowledge in the DNS.
Yours for the right price.
:) http://SupersetSolutions.com/

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 15:56:13 2011
From: Robert Simmons
To: freebsd-security@freebsd.org
Date: Sat, 1 Oct 2011 11:56:10 -0400
References: <201109280905.p8S95pmZ098559@freefall.freebsd.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:03.bind

On Sat, Oct 1, 2011 at 1:35 AM, budsz wrote:
> Only updating to 8.X for a solution? There is no patch for this advisory?

Patches are for RELEASE. For development branches, you update your source
tree and build the system from that. All of this is explained in the
handbook section 24.5.2.1: STABLE "is simply another engineering
development track, not a resource for end-users."

http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/current-stable.html

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 20:05:32 2011
From: Eirik Øverby
To: Doug Barton
Cc: freebsd-security@freebsd.org, Mike Brown, Eitan Adler
Date: Sat, 1 Oct 2011 21:48:21 +0200
Message-Id: <808B16DD-6AC6-438D-B2AE-895C5875EFC5@anduin.net>
In-Reply-To: <4E86A12E.3070600@FreeBSD.org>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

On Oct 1, 2011, at 07:12, Doug Barton wrote:

> On 09/30/2011 21:10, Mike Brown wrote:
>> Eitan Adler wrote:
>>>> do I reboot for this one, or not?
>>> The kernel is changed, so yes.
>>
>> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
>> reboot in the context of building the kernel from sources. Hopefully, when a
>> reboot is required, future advisories will mention it in the freebsd-update(8)
>> instructions.
>
> When would a reboot not be needed for a kernel change?

Try this: When freebsd-update doesn't actually tell you to reboot.

I would expect freebsd-update to inform me that I need to reboot if anything
in /boot (or at least /boot/kernel) was touched. In particular when
/boot/kernel/kernel was touched. I know I've been told by freebsd-update to
do a two-stage update in the past (freebsd-update install, reboot
single-user, freebsd-update install again) - I had expected it to do the same
this time, but it didn't on any of the dozen-and-a-half systems I ran it on.

When looking at the list of files changed between 8.2-RELEASE-p2 and -p3, the
/boot/kernel/kernel is easily missed among them. It's easily conceivable that
a system gets patched and then not rebooted for months in a case like this.
/Eirik

From owner-freebsd-security@FreeBSD.ORG Sat Oct 1 22:37:49 2011
From: Chris Rees
To: Eirik Øverby
Cc: freebsd-security@freebsd.org, Doug Barton, Eitan Adler, Mike Brown
Date: Sat, 1 Oct 2011 23:12:39 +0100
In-Reply-To: <808B16DD-6AC6-438D-B2AE-895C5875EFC5@anduin.net>
Subject: Re: FreeBSD Security Advisory FreeBSD-SA-11:05.unix

2011/10/1 Eirik Øverby:
> On Oct 1, 2011, at 07:12, Doug Barton wrote:
>
>> On 09/30/2011 21:10, Mike Brown wrote:
>>> Eitan Adler wrote:
>>>>> do I reboot for this one, or not?
>>>> The kernel is changed, so yes.
>>>
>>> Thanks. I had guessed a reboot was needed, but the advisory only mentioned a
>>> reboot in the context of building the kernel from sources. Hopefully, when a
>>> reboot is required, future advisories will mention it in the freebsd-update(8)
>>> instructions.
>>
>> When would a reboot not be needed for a kernel change?
>
> Try this: When freebsd-update doesn't actually tell you to reboot.
>
> I would expect freebsd-update to inform me that I need to reboot if anything
> in /boot (or at least /boot/kernel) was touched. In particular when
> /boot/kernel/kernel was touched. I know I've been told by freebsd-update to
> do a two-stage update in the past (freebsd-update install, reboot
> single-user, freebsd-update install again) - I had expected it to do the same
> this time, but it didn't on any of the dozen-and-a-half systems I ran it on.
>
> When looking at the list of files changed between 8.2-RELEASE-p2 and -p3, the
> /boot/kernel/kernel is easily missed among them. It's easily conceivable that
> a system gets patched and then not rebooted for months in a case like this.
>

Generally users are expected to pay attention to what is updated-- I
know this isn't always the easiest task, but blindly following
instructions is not something that is generally advocated in FreeBSD.

Chris
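The check Eirik asks for, and the "pay attention to what is updated" Chris asks of users, can be scripted. The following is an added example, not code from the thread or from freebsd-update(8): a POSIX sh script that picks the /boot/kernel entries out of a list of changed files and compares the on-disk kernel's mtime with the running kernel's boot time. The function names, the sample file list and the timestamps are constructed; `sysctl -n kern.boottime` and `stat -f %m` are the real FreeBSD commands the live variant relies on.

```shell
#!/bin/sh
# Added example (not from the thread, not part of freebsd-update(8)):
# two checks for a "patched but never rebooted" kernel.
#  1. kernel_files_touched: pick the /boot/kernel paths out of a list of
#     files an update changed, so the kernel is not missed among dozens
#     of userland files.
#  2. reboot_pending: compare the on-disk kernel's mtime with the time
#     the running kernel booted; newer on disk means a reboot is pending.
# Function names, SAMPLE_FILES and the sample timestamps are constructed.

# Read changed paths (one per line) on stdin and print those that live
# under /boot/kernel. Exit status is grep's: 0 if any matched, 1 if none.
kernel_files_touched() {
    grep -E '^/boot/kernel(/|$)'
}

# $1 = mtime of /boot/kernel/kernel, $2 = kernel boot time, both in epoch
# seconds. Prints "reboot-needed" and returns 0 when the kernel on disk is
# newer than the one running; prints "ok" and returns 1 otherwise.
reboot_pending() {
    kernel_mtime=$1
    boot_time=$2
    if [ "$kernel_mtime" -gt "$boot_time" ]; then
        echo reboot-needed
        return 0
    fi
    echo ok
    return 1
}

# Live variant for FreeBSD. kern.boottime prints a line like
# "{ sec = 1317500000, usec = 123456 } Sat Oct  1 ..." and stat(1) with
# -f %m prints the file's mtime in epoch seconds.
live_check() {
    boot_time=$(sysctl -n kern.boottime | sed -n 's/.*sec = \([0-9]*\),.*/\1/p')
    kernel_mtime=$(stat -f %m /boot/kernel/kernel)
    reboot_pending "$kernel_mtime" "$boot_time"
}

# Constructed sample: a fragment of the kind of file list freebsd-update
# prints for a patch level, with the kernel buried among userland files.
SAMPLE_FILES='/usr/bin/login
/lib/libc.so.7
/boot/kernel/kernel
/usr/share/man/man8/freebsd-update.8.gz
/boot/kernel/linker.hints
/etc/rc.d/syslogd'

# Constructed timestamps: kernel installed about a day after the last boot.
SAMPLE_BOOT_TIME=1317400000
SAMPLE_KERNEL_MTIME=1317500000

demo() {
    echo "Kernel files in the constructed change list:"
    printf '%s\n' "$SAMPLE_FILES" | kernel_files_touched || echo "(none)"
    printf 'Verdict on constructed timestamps: '
    reboot_pending "$SAMPLE_KERNEL_MTIME" "$SAMPLE_BOOT_TIME" || :
}

demo
# Run the real comparison only where its data sources exist.
if [ "$(uname -s 2>/dev/null)" = FreeBSD ] && [ -f /boot/kernel/kernel ]; then
    live_check || :
fi
```

Feeding freebsd-update's own list of updated files into `kernel_files_touched` after `freebsd-update install` gives the missing "reboot needed" hint; `live_check` catches the hosts where that hint was missed.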