From owner-freebsd-net@FreeBSD.ORG Sun Jun 7 13:18:58 2015
In-Reply-To: <55734E7F.2070308@Plominski.eu>
References: <55734E7F.2070308@Plominski.eu>
Date: Sun, 7 Jun 2015 09:18:57 -0400
Subject: Re: IPsec-Tools 0-Day Denial of Service
From: Jason Unovitch
To: "Daniel DP. Plominski"
Cc: freebsd-net@freebsd.org, freebsd-security@freebsd.org
List-Id: Networking and TCP/IP with FreeBSD

On Sat, Jun 6, 2015 at 3:48 PM, Daniel DP. Plominski wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> https://www.altsci.com/ipsec/ipsec-tools-sa.html
>
> security/ipsec-tools build with gssapi: CRASHED
>
> (FreeBSD 10.1 + ipsec-tools 0.8.2_1)
>
> best regards
> Daniel
> -----BEGIN PGP SIGNATURE-----

See https://bugs.freebsd.org/200334. The issue was documented as being
fixed here https://svnweb.freebsd.org/ports?view=revision&revision=386793
and documented in VuXML here
http://www.vuxml.org/freebsd/35431f79-fe3e-11e4-ba63-000c292ee6b8.html.

It seems highly unlikely someone was waiting for you to install
ipsec-tools and start sending packets to cause a DoS. Are you sure
this isn't just a run time issue? Perhaps with the off by default
GSSAPI option? The correct avenue to report that would be via
https://bugs.freebsd.org/bugzilla/ vice the mailing list.

Jason