From: Nevermind (never@nevermind.kiev.ua)
Date: Thu Jan 03 2002 - 12:49:14 CST
Hello, Rob Andrews!
On Wed, Jan 02, 2002 at 01:26:25PM -0600, you wrote:
> and yes I realize libparanoid is in the ports. Note the differences between
> libsafe and libparanoid.. (sorry I've gotten a few replies and yes I know
> about it. but its not similar in _how_ it handles doing the same thing that
> libsafe is doing)
I talked to Snar (@paranoia.ru) a few days ago here, and he explained to me
why his approach is better than trying to handle such things "correctly".
I suppose when your app is being attacked with some kind of buffer
overflow or anything else similar to it, it is better to shut down to
prevent any further attempts and report the failure to the administrator rather
than not knowing that the app is vulnerable to a buffer overflow. Also, you
cannot be absolutely sure of any way of "correctly" handling such a
situation.
P.S. To snar: please correct me if I'm wrong.
-- NEVE-RIPE
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message

From: Brett Glass (brett@lariat.org)
Date: Thu Jan 03 2002 - 13:03:37 CST
At 10:36 AM 1/1/2002, Robert Watson wrote:
>I've run into a related problem with SSH forwarding that occurs when a
>forwarded TCP connection takes a while to connect. The problem is that
>apparently the OpenSSH sshd we ship discards data sent over a forwarded
>connection before all parts are completed. If you're using forwarding
>connecting to a server with high latency, and on a client-driven protocol,
>you may lose some content on the connection.
You may also lose the connection. With older versions of OpenSSH, I frequently
see the client complain of a "truncated packet" (SSH has its own internal
packetized protocol) and drop the session. Sometimes this is just a minor
inconvenience -- for example, if I'm doing POP over the forwarded port I
sometimes find that the mail client becomes confused and/or does not filter
incoming messages properly. It's a bigger concern if I'm doing administration
and am cut off in midstream.
--Brett

From: Matthias Schuendehuette (msch@snafu.de)
Date: Thu Jan 03 2002 - 14:59:35 CST
Hello,
my machine at work was scanned with the ISS Scanner, Vers. 6.2.1 and it
complained about TCP Sequence Prediction:
'The TCP sequence was found to be predictable.'
I was advised to install FreeBSD 4.1.1-STABLE after 2000-09-28 or later
:-) as listed in FreeBSD-SA-00:52.
I looked at the published Patch in FreeBSD-SA-00:52 but couldn't find
the Sourcecode Sequence to be patched any more (I wasn't wondering).
But so, what shall I do, who's to blame? Is the ISS lying? Is there any
advice from the FreeBSD Security Officer or the developers how to
proceed further?
TIA - Matthias
--
***************************************************************************
* Matthias Schuendehuette msch@snafu.de *
* Solmsstrasse 44 *
* D-10961 Berlin Engineering Systems Support and Operation *
* Germany (Powered by FreeBSD 4.5-PRERELEASE) *
***************************************************************************

From: Mike Silbersack (silby@silby.com)
Date: Thu Jan 03 2002 - 15:07:43 CST
On Thu, 3 Jan 2002, Matthias Schuendehuette wrote:
> Hello,
>
> my machine at work was scanned with the ISS Scanner, Vers. 6.2.1 and it
> complained about TCP Sequence Prediction:
>
> 'The TCP sequence was found to be predictable.'
Run tcpdump while a scan is happening so that you can see what is going on
with the sequence numbers. 4.5's TCP initial sequence numbers should not
be predictable.
Mike "Silby" Silbersack
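
[Added example, not part of the message above or of any poster's code: a Python script that reads tcpdump text output captured during a scan, pulls the initial sequence numbers out of the server's SYN-ACK packets, and checks their successive differences for the simple patterns a scanner would report as predictable. The capture lines, addresses, function names and the small-step threshold are constructed assumptions.]

```python
"""Look for simple patterns in the TCP initial sequence numbers (ISNs) of a capture."""
import re
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# A SYN-ACK as tcpdump prints it: "IP src.port > dst.port: Flags [S.], seq N, ..."
SYN_ACK = re.compile(r"IP (\S+)\.(\d+) > \S+: Flags \[S\.\], seq (\d+),")

# Constructed capture (documentation addresses): the server's ISN grows by a fixed step.
SAMPLE_FIXED_STEP = """\
12:00:00.000100 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [S], seq 501, win 65535, options [mss 1460], length 0
12:00:00.000200 IP 192.0.2.10.80 > 198.51.100.7.40001: Flags [S.], seq 1000000, ack 502, win 57344, options [mss 1460], length 0
12:00:00.000300 IP 198.51.100.7.40001 > 192.0.2.10.80: Flags [.], ack 1000001, win 65535, length 0
12:00:00.100200 IP 192.0.2.10.80 > 198.51.100.7.40002: Flags [S.], seq 1064000, ack 778, win 57344, options [mss 1460], length 0
12:00:00.200200 IP 192.0.2.10.80 > 198.51.100.7.40003: Flags [S.], seq 1128000, ack 913, win 57344, options [mss 1460], length 0
12:00:00.300200 IP 192.0.2.10.80 > 198.51.100.7.40004: Flags [S.], seq 1192000, ack 344, win 57344, options [mss 1460], length 0
"""

# Constructed capture: unrelated ISNs from the server, plus one SYN-ACK from another host.
SAMPLE_RANDOMISED = """\
12:05:00.000200 IP 192.0.2.10.80 > 198.51.100.7.41001: Flags [S.], seq 3521987412, ack 11, win 57344, options [mss 1460], length 0
12:05:00.100200 IP 192.0.2.10.80 > 198.51.100.7.41002: Flags [S.], seq 118734205, ack 22, win 57344, options [mss 1460], length 0
12:05:00.150200 IP 203.0.113.5.25 > 198.51.100.7.41900: Flags [S.], seq 42, ack 99, win 57344, options [mss 1460], length 0
12:05:00.200200 IP 192.0.2.10.80 > 198.51.100.7.41003: Flags [S.], seq 2890417733, ack 33, win 57344, options [mss 1460], length 0
12:05:00.300200 IP 192.0.2.10.80 > 198.51.100.7.41004: Flags [S.], seq 774120968, ack 44, win 57344, options [mss 1460], length 0
12:05:00.400200 IP 192.0.2.10.80 > 198.51.100.7.41005: Flags [S.], seq 4100235519, ack 55, win 57344, options [mss 1460], length 0
"""


def extract_isns(capture_text, server_ip):
    """Return the ISNs of the SYN-ACKs sent by server_ip, in capture order."""
    return [int(m.group(3)) for m in SYN_ACK.finditer(capture_text)
            if m.group(1) == server_ip]


def analyse(isns, small_step=2 ** 24):
    """Classify successive ISN differences (mod 2**32).

    small_step is an assumed threshold: if every difference stays below it,
    the ISNs look counter- or clock-driven rather than drawn from 32 bits.
    "no simple pattern" on a handful of samples is not proof of
    unpredictability; it only means these two checks found nothing.
    """
    if len(isns) < 3:
        return {"verdict": "insufficient samples", "deltas": [], "gcd": 0}
    deltas = [(b - a) % MOD for a, b in zip(isns, isns[1:])]
    common = reduce(gcd, deltas)
    if len(set(deltas)) == 1:
        verdict = "constant increment"
    elif max(deltas) < small_step:
        verdict = "small increments"
    else:
        verdict = "no simple pattern"
    return {"verdict": verdict, "deltas": deltas, "gcd": common}


if __name__ == "__main__":
    for name, text in (("fixed step", SAMPLE_FIXED_STEP),
                       ("randomised", SAMPLE_RANDOMISED)):
        result = analyse(extract_isns(text, "192.0.2.10"))
        print(f"{name}: {result['verdict']} (gcd {result['gcd']})")
```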

From: Joe Clarke (marcus@marcuscom.com)
Date: Thu Jan 03 2002 - 15:07:55 CST
On Thu, 2002-01-03 at 15:59, Matthias Schuendehuette wrote:
> Hello,
>
> my machine at work was scanned with the ISS Scanner, Vers. 6.2.1 and it
> complained about TCP Sequence Prediction:
>
> 'The TCP sequence was found to be predictable.'
>
> I was advised to install FreeBSD 4.1.1-STABLE after 2000-09-28 or later
> :-) as listed in FreeBSD-SA-00:52.
>
> I looked at the published Patch in FreeBSD-SA-00:52 but couldn't find
> the Sourcecode Sequence to be patched any more (I wasn't wondering).
>
> But so, what shall I do, who's to blame? Is the ISS lying? Is there any
> advice from the FreeBSD Security Officer or the developers how to
> proceed further?
Is this what you're looking for:
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00%3A52/tcp-iss.patch
Joe
>
> TIA - Matthias
>
> --
> ***************************************************************************
> * Matthias Schuendehuette msch@snafu.de *
> * Solmsstrasse 44 *
> * D-10961 Berlin Engineering Systems Support and Operation *
> * Germany (Powered by FreeBSD 4.5-PRERELEASE) *
> ***************************************************************************
>

From: Rik (freebsd-security@rikrose.net)
Date: Thu Jan 03 2002 - 19:03:08 CST
Hi Darren,
FreeBSD PR kern/27615 has been open since 4.3. I've just been bitten by
it on 4.5-PRERELEASE. Could you commit the patch that's there before
4.5-RELEASE please?
For reference, the problem is to do with ipfilter disallowing rule
changes in securelevel 2, rather than 3.
Thanks in advance,
rik
--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From: Matthew Dillon (dillon@apollo.backplane.com)
Date: Thu Jan 03 2002 - 19:15:33 CST
Hmm. It's been open for a long time. It seems reasonable to me.
If the release engineers don't have a problem with this I would like to
make the change in -current and MFC it to -stable. I will also document
it in the 'ipf' manual page (it is already documented in the 'ipfw'
manual page).
-Matt
Matthew Dillon
<dillon@backplane.com>
:Hi Darren,
:
:FreeBSD PR kern/27615 has been open since 4.3. I've just been bitten by
:it on 4.5-PRERELEASE. Could you commit the patch that's there before
:4.5-RELEASE please?
:
:For reference, the problem is to do with ipfilter disallowing rule
:changes in securelevel 2, rather than 3.
:
:Thanks in advance,
:
:rik
:--
:PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
:Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
:Public key also encoded with outguess on http://rikrose.net

From: Дмитрий Подкорытов (podkorytov@mail.ru)
Date: Thu Jan 03 2002 - 22:18:55 CST
Maybe this is the result of my paranoia. ;-)
And maybe not. Very possibly you can get some use from this.
In FreeBSD I found that a user with terminal login disabled has a login
shell named 'nologin'.
This is an sh script:
====================================================
#!/bin/sh -p
# ...
# ...
echo 'This account is currently not available.'
exit 1
====================================================
My thoughts about this:
1. In case of breaking this script, the user has root access to the system. (See man
sh, key -p)
2. The password may be 'viewed' by any network analyser during the user's
POP3 session with the server. (As a rule, password encryption is not used in POP3.)
3. Also, the password may be cracked by a brute-force attack on the POP3 daemon.
For a successful attack in this manner you can append some code to your telnet/ssh to
manage the connection speed on the fly. Or try to use tcpwrapper for this. Set the connection
speed = 1 baud. Begin a telnet/ssh session. Specify user name and password, break
nologin. After success, set the connection speed as you wish and work under
root permission.
Solution to protect against this attack: install this program.
To install, just make install. You may use this in silence mode; then compile with the
-DSILENCE_MODE key. The program is distributed under the GPL as is, without any guarantees.
At URL: http://org.zaural.ru you can find some useful programs.
My best wishes. Dmitry Podkorytov.
E-mail: podkorytov@mail.ru
PS: on FreeBSD v.4.1, ps -x does not show programs that are
running the code of function Exit(), called from atexit(Exit).
Is it a bug? I used the top command to view the PID of NoLogin.

From: Tim J. Robbins (tim@robbins.dropbear.id.au)
Date: Thu Jan 03 2002 - 23:51:19 CST
On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
> 1. In case of breaking this script, the user has root access to the system. (See man
> sh, key -p)
The -p option doesn't magically grant root privileges. It simply tells the
shell not to use environment variables and ~/.profile.
> PS: on FreeBSD v.4.1, ps -x does not show programs that are
> running the code of function Exit(), called from atexit(Exit).
> Is it a bug? I used the top command to view the PID of NoLogin.
I can't reproduce this on -CURRENT.
What I can't figure out is why /sbin/nologin is a shell script at all, and
not something like this:
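#include <stdlib.h>     /* exit() */
#include <sysexits.h>   /* EX_UNAVAILABLE */
#include <unistd.h>     /* write(), STDERR_FILENO */
int main (void)
{
#define MSG "This account is currently not available.\n"
    /* Print the fixed message directly; no shell is started. */
    write (STDERR_FILENO, MSG, sizeof(MSG) - 1);
    exit (EX_UNAVAILABLE);
}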
It seems wasteful and possibly dangerous to start a shell.
Tim

From: Dominick LaTrappe (seraf@2600.COM)
Date: Fri Jan 04 2002 - 03:27:38 CST
> http://www.avayalabs.com/project/libsafe/index.html
> I won't go into details of what this lib does or is since the url above has
> all the information on it. I however was wondering since someone else had
> asked, if there was any type of a lib or such in freebsd which attempts to
> perform some of the functions that this seems to be attempting to do.
No lib I know of, but there is SSP, the "Stack Smashing Protector," which
is a cross-platform patch to GCC.
http://www.trl.ibm.co.jp/projects/security/ssp/
The author in May 2001 completed a FreeBSD-specific patch that lets you
"make world" and even build the kernel with the protection, though I've
only tested the former. Despite this, the FreeBSD camp has seemed
none-too-interested in SSP.
All of my FreeBSD boxes are full-SSP in userland. The patch applies
cleanly to 4.4-STABLE. Everything runs smoothly (in-production coming on
8 months), the performance hit is minimal even with heavy database
crunching, and buffer overflow exploits all seem to fail.
||| Dominick

From: faSty (fasty@i-sphere.com)
Date: Fri Jan 04 2002 - 04:54:08 CST
Can the SSP patch work with FreeBSD 4.5-PRERELEASE?
-trev
On Fri, Jan 04, 2002 at 04:27:38AM -0500, Dominick LaTrappe wrote:
> > http://www.avayalabs.com/project/libsafe/index.html
> > I won't go into details of what this lib does or is since the url above has
> > all the information on it. I however was wondering since someone else had
> > asked, if there was any type of a lib or such in freebsd which attempts to
> > perform some of the functions that this seems to be attempting to do.
>
> No lib I know of, but there is SSP, the "Stack Smashing Protector," which
> is a cross-platform patch to GCC.
>
> http://www.trl.ibm.co.jp/projects/security/ssp/
>
> The author in May 2001 completed a FreeBSD-specific patch that lets you
> "make world" and even build the kernel with the protection, though I've
> only tested the former. Despite this, the FreeBSD camp has seemed
> none-too-interested in SSP.
>
> All of my FreeBSD boxes are full-SSP in userland. The patch applies
> cleanly to 4.4-STABLE. Everything runs smoothly (in-production coming on
> 8 months), the performance hit is minimal even with heavy database
> crunching, and buffer overflow exploits all seem to fail.
>
> ||| Dominick
>
>
--
Double Bucky (Sung to the tune of "Rubber Duckie")
Double bucky, you're the one! You make my keyboard lots of fun Double bucky, an additional bit or two: (Vo-vo-de-o!) Control and Meta side by side, Augmented ASCII, nine bits wide! Double bucky, a half a thousand glyphs, plus a few!
Double bucky, left and right OR'd together, outta sight! Double bucky, I'd like a whole word of Double bucky, I'm happy I heard of Double bucky, I'd like a whole word of you!
-- (C) 1978 by Guy L. Steele, Jr.

From: Darren Reed (avalon@coombs.anu.edu.au)
Date: Fri Jan 04 2002 - 06:33:05 CST
-current is patched.
In some mail from Rik, sie said:
> Hi Darren,
>
> FreeBSD PR kern/27615 has been open since 4.3. I've just been bitten by
> it on 4.5-PRERELEASE. Could you commit the patch that's there before
> 4.5-RELEASE please?
>
> For reference, the problem is to do with ipfilter disallowing rule
> changes in securelevel 2, rather than 3.
>
> Thanks in advance,
>
> rik
> --
> PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
> Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
> Public key also encoded with outguess on http://rikrose.net

From: Michael Lucas (mwlucas@blackhelicopters.org)
Date: Fri Jan 04 2002 - 06:43:49 CST
Hello,
I would recommend not using nologin as the users' shell. Instead,
take a look at /etc/login.access.
This makes the shell irrelevant; the user cannot log in, in any shell.
Generally, my sysadmins are in a "sysadmin" group. The "sysadmin"
group is allowed to log in from anywhere. All other users are denied
login.
There's an article on this in my column archives, if you want a
point-by-point walkthrough.
Good luck!
==ml
On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
> Maybe this is the result of my paranoia. ;-)
> And maybe not. Very possibly you can get some use from this.
> In FreeBSD I found that a user with terminal login disabled has a login
> shell named 'nologin'.
> This is an sh script:
> ====================================================
> #!/bin/sh -p
> # ...
> # ...
> echo 'This account is currently not available.'
> exit 1
> ====================================================
> My thoughts about this:
> 1. In case of breaking this script, the user has root access to the system. (See man
> sh, key -p)
> 2. The password may be 'viewed' by any network analyser during the user's
> POP3 session with the server. (As a rule, password encryption is not used in POP3.)
> 3. Also, the password may be cracked by a brute-force attack on the POP3 daemon.
> For a successful attack in this manner you can append some code to your telnet/ssh to
> manage the connection speed on the fly. Or try to use tcpwrapper for this. Set the connection
> speed = 1 baud. Begin a telnet/ssh session. Specify user name and password, break
> nologin. After success, set the connection speed as you wish and work under
> root permission.
> Solution to protect against this attack: install this program.
> To install, just make install. You may use this in silence mode; then compile with the
> -DSILENCE_MODE key. The program is distributed under the GPL as is, without any guarantees.
> At URL: http://org.zaural.ru you can find some useful programs.
> My best wishes. Dmitry Podkorytov.
> E-mail: podkorytov@mail.ru
> PS: on FreeBSD v.4.1, ps -x does not show programs that are
> running the code of function Exit(), called from atexit(Exit).
> Is it a bug? I used the top command to view the PID of NoLogin.
>
>
--
Michael Lucas    mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
http://www.blackhelicopters.org/~mwlucas/

From: Nickolay A.Kritsky (nkritsky@internethelp.ru)
Date: Fri Jan 04 2002 - 07:00:04 CST
Hello Michael,
Friday, January 04, 2002, 3:43:49 PM, you wrote:
ML> Hello,
ML> I would recommend not using nologin as the users' shell. Instead,
ML> take a look at /etc/login.access.
ML> This makes the shell irrelevant; the user cannot log in, in any shell.
ML> Generally, my sysadmins are in a "sysadmin" group. The "sysadmin"
ML> group is allowed to log in from anywhere. All other users are denied
ML> login.
ML> There's an article on this in my column archives, if you want a
ML> point-by-point walkthrough.
ML> Good luck!
ML> ==ml
the problem is that some versions of SSH do not pay any attention to
the /etc/login.access file, so you still may have a need for /sbin/nologin.
;-------------------------------------------
; NKritsky
; SysAdmin InternetHelp.Ru
; http://www.internethelp.ru
; mailto:nkritsky@internethelp.ru

From: Michael Lucas (mwlucas@blackhelicopters.org)
Date: Fri Jan 04 2002 - 07:04:01 CST
On Fri, Jan 04, 2002 at 04:00:04PM +0300, Nickolay A.Kritsky wrote:
> the problem is that some versions of SSH do not pay any attention to
> the /etc/login.access file, so you still may have a need for /sbin/nologin.
Well, you learn something new every day. So much for that bright
idea, then. :)
--
Michael Lucas    mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
my FreeBSD column: http://www.oreillynet.com/pub/q/Big_Scary_Daemons
http://www.blackhelicopters.org/~mwlucas/

From: Rik (freebsd-security@rikrose.net)
Date: Fri Jan 04 2002 - 08:51:54 CST
On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
> Maybe this is the result of my paranoia. ;-)
> And maybe not. Very possibly you can get some use from this.
> In FreeBSD I found that a user with terminal login disabled has a login
> shell named 'nologin'.
So use /bin/false instead then. Or /bin/date, etc. Or write your own, as
was suggested.
--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net

From: Cy Schubert - ITSD Open Systems Group (Cy.Schubert@uumail.gov.bc.ca)
Date: Fri Jan 04 2002 - 09:28:45 CST
In message <20020104145154.A15764@spoon.pkl.net>, Rik writes:
> On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
> > Maybe this is the result of my paranoia. ;-)
> > And maybe not. Very possibly you can get some use from this.
> > In FreeBSD I found that a user with terminal login disabled has a login
> > shell named 'nologin'.
>
> So use /bin/false instead then. Or /bin/date, etc. Or write your own, as
> was suggested.
Or, take a look at the no-login port in the ports collection.
Regards,                        Phone: (250)387-8437
Cy Schubert                       Fax: (250)387-5766
Team Leader, Sun/Alpha Team     Email: Cy.Schubert@osg.gov.bc.ca
Open Systems Group, ITSD
Ministry of Management Services
Province of BC
FreeBSD UNIX: cy@FreeBSD.org

From: Greg Shenaut (greg@bogslab.ucdavis.edu)
Date: Fri Jan 04 2002 - 09:41:17 CST
In message <20020104145154.A15764@spoon.pkl.net>, Rik cleopede:
>On Fri, Jan 04, 2002 at 07:18:55AM +0300, Дмитрий Подкорытов wrote:
>> Maybe this is the result of my paranoia. ;-)
>> And maybe not. Very possibly you can get some use from this.
>> In FreeBSD I found that a user with terminal login disabled has a login
>> shell named 'nologin'.
>
>So use /bin/false instead then. Or /bin/date, etc. Or write your own, as
>was suggested.
What is the downside either of using a completely nonexistent shell,
such as "/bin/sh/nologin", or of using just the string "nologin",
but treating it as a special case so that no shell is started at all?
Greg Shenaut

From: Matthias Schuendehuette (msch@snafu.de)
Date: Fri Jan 04 2002 - 10:16:13 CST
Hi Joe,
On Thursday, 3 January 2002 22:07 you wrote:
> On Thu, 2002-01-03 at 15:59, Matthias Schuendehuette wrote:
> > I looked at the published Patch in FreeBSD-SA-00:52 but couldn't
> > find the Sourcecode Sequence to be patched any more (I wasn't
> > wondering).
>
> Is this what you're looking for:
>
> ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00%3A52/tcp-iss.patch
as I've mentioned above, I *found* that patch but if you look at the
source files to patch you'll recognize that they're completely
different now and that the patch doesn't succeed anymore (which isn't
surprising for anyone IMHO).
I think, the point is what ISS states as 'predictable'... I'll wait
what our iss-service declares - I can't imagine that 4.5-PRERELEASE is
worse than 4.1.1-STABLE concerning 'tcp prediction'.
Ciao/BSD - Matthias
--
***************************************************************************
* Matthias Schuendehuette msch@snafu.de *
* Solmsstrasse 44 *
* D-10961 Berlin Engineering Systems Support and Operation *
* Germany (Powered by FreeBSD 4.5-PRERELEASE) *
***************************************************************************

From: Rik (rik@spoon.pkl.net)
Date: Fri Jan 04 2002 - 10:58:40 CST
On Fri, Jan 04, 2002 at 07:28:45AM -0800, Cy Schubert - ITSD Open Systems Group wrote:
> Or, take a look at the no-login port in the ports collection.
Without further ado, I humbly offer my replacement for /sbin/nologin.
It is backwards compatible, but will send custom messages if:
1) It is called with a specific name
2) There is a special message for that user
If anything fails, it defaults to printing the same default message nologin
does.
The source is attached. Well, it was when I sent it; if it gets stripped
off, it can also be found at http://rikrose.net/nologinmsg.c
There is no man page, because I don't know how to write them. There is,
however, a plain text description at the top of the code, which is good
enough for a manual.
I'll make it a port, if people want, and someone cares to contribute a
man page.
rik
--
PGP Key: D2729A3F - Keyserver: wwwkeys.uk.pgp.net - rich at rdrose dot org
Key fingerprint = 5EB1 4C63 9FAD D87B 854C 3DED 1408 ED77 D272 9A3F
Public key also encoded with outguess on http://rikrose.net
- text/plain attachment: nologinmsg.c

From: mf@toplink.net
Date: Fri Jan 04 2002 - 11:13:32 CST
unsubscribe
end

From: Joe Clarke (marcus@marcuscom.com)
Date: Fri Jan 04 2002 - 11:32:29 CST
On Fri, 2002-01-04 at 11:16, Matthias Schuendehuette wrote:
> Hi Joe,
>
> On Thursday, 3 January 2002 22:07 you wrote:
> > On Thu, 2002-01-03 at 15:59, Matthias Schuendehuette wrote:
> > > I looked at the published Patch in FreeBSD-SA-00:52 but couldn't
> > > find the Sourcecode Sequence to be patched any more (I wasn't
> > > wondering).
> >
> > Is this what you're looking for:
> >
> > ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00%3A52/tcp-iss.patch
>
> as I've mentioned above, I *found* that patch but if you look at the
> source files to patch you'll recognize that they're completely
> different now and that the patch doesn't succeed anymore (which isn't
> surprising for anyone IMHO).
>
> I think, the point is what ISS states as 'predictable'... I'll wait
> what our iss-service declares - I can't imagine that 4.5-PRERELEASE is
> worse than 4.1.1-STABLE concerning 'tcp prediction'.
Later FreeBSD 4.x's use arc4random for ISS. It gets all 9's from nmap,
and is completely unguessable. Upgrading to 4.4-RELEASE or 4.5-PRE will
set you up.
Joe
>
> Ciao/BSD - Matthias
>
> --
> ***************************************************************************
> * Matthias Schuendehuette msch@snafu.de *
> * Solmsstrasse 44 *
> * D-10961 Berlin Engineering Systems Support and Operation *
> * Germany (Powered by FreeBSD 4.5-PRERELEASE) *
> ***************************************************************************
>

From: Nate Williams (nate@yogotech.com)
Date: Fri Jan 04 2002 - 11:57:01 CST
[ TCP 4.5-PRE uses predictable sequences # according to ISS ]
> > I think, the point is what ISS states as 'predictable'... I'll wait
> > what our iss-service declares - I can't imagine that 4.5-PRERELEASE is
> > worse than 4.1.1-STABLE concerning 'tcp prediction'.
>
> Later FreeBSD 4.x's use arc4random for ISS. It gets all 9's from nmap,
> and is completely unguessable. Upgrading to 4.4-RELEASE or 4.5-PRE will
> set you up.
See the subject line. He is using 4.5-PRE.
Nate

From: Kris Kennaway (kris@obsecurity.org)
Date: Fri Jan 04 2002 - 18:36:11 CST
On Thu, Jan 03, 2002 at 09:59:35PM +0100, Matthias Schuendehuette wrote:
> Hello,
>
> my machine at work was scanned with the ISS Scanner, Vers. 6.2.1 and it
> complained about TCP Sequence Prediction:
>
> 'The TCP sequence was found to be predictable.'
The ISS Scanner is wrong if it says this.
Kris

From: Kris Kennaway (kris@obsecurity.org)
Date: Fri Jan 04 2002 - 18:38:19 CST
On Fri, Jan 04, 2002 at 02:54:08AM -0800, faSty wrote:
> Can the SSP patch work with FreeBSD 4.5-PRERELEASE?
Yes; let me know if it fails to apply and I'll send you mine, which
might have been slightly changed by CVS over time.
Kris

From: faSty (fasty@i-sphere.com)
Date: Fri Jan 04 2002 - 18:51:20 CST
I tried the patch on 4.5-PRERELEASE. It failed.
fetch http://www.trl.ibm.com/projects/security/ssp/freebsd43/protector4.3-2.patch
cd /usr
patch < protector4.3-2.patch
--[snip]--
Hmm... Looks like a new-style context diff to me...
The text leading up to this was:
--------------------------
|? contrib/gcc/protector.h
|? contrib/gcc/protector.c
|? sys/libkern/stack_smash_handler.c
|Index: contrib/gcc/Makefile.in
|===================================================================
|RCS file: /home/ncvs/src/contrib/gcc/Makefile.in,v
|retrieving revision 1.4.2.1
|diff -c -3 -p -r1.4.2.1 Makefile.in
|*** contrib/gcc/Makefile.in 2001/04/10 19:22:57 1.4.2.1
|--- contrib/gcc/Makefile.in 2001/06/28 11:34:25
--------------------------
File to patch:
--end--
On Fri, Jan 04, 2002 at 04:38:19PM -0800, Kris Kennaway wrote:
> On Fri, Jan 04, 2002 at 02:54:08AM -0800, faSty wrote:
> > Can the SSP patch work with FreeBSD 4.5-PRERELEASE?
>
> Yes; let me know if it fails to apply and I'll send you mine, which
> might have been slightly changed by CVS over time.
>
> Kris
--
A bureaucracy is like a septic tank -- all the really big shits float to the top.

From: Scot W. Hetzel (hetzels@westbend.net)
Date: Fri Jan 04 2002 - 18:45:51 CST
From: "faSty" <fasty@i-sphere.com>
> I tried the patch on 4.5-PRERELEASE. It failed.
>
>
> fetch http://www.trl.ibm.com/projects/security/ssp/freebsd43/protector4.3-2.patch
> cd /usr
> patch < protector4.3-2.patch
>
:
> |===================================================================
> |RCS file: /home/ncvs/src/contrib/gcc/Makefile.in,v
> |retrieving revision 1.4.2.1
> |diff -c -3 -p -r1.4.2.1 Makefile.in
> |*** contrib/gcc/Makefile.in 2001/04/10 19:22:57 1.4.2.1
> |--- contrib/gcc/Makefile.in 2001/06/28 11:34:25
> --------------------------
> File to patch:
>
Try patching from /usr/src instead of /usr.
Scot

From: FreeBSD Security Advisories (security-advisories@freebsd.org)
Date: Fri Jan 04 2002 - 19:04:13 CST
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:01 Security Advisory
FreeBSD, Inc.
Topic: Directory permission vulnerability in pkg_add
Category: core
Module: pkg_install
Announced: 2002-01-04
Credits: The Anarcat <anarcat@anarcat.dyndns.org>
Affects: All versions of FreeBSD prior to the correction date.
Corrected: 2001/11/22 17:40:36 UTC (4.4-STABLE aka RELENG_4)
2001/12/07 20:58:46 UTC (4.4-RELEASEp1 aka RELENG_4_4)
2001/12/07 20:57:19 UTC (4.3-RELEASEp21 aka RELENG_4_3)
FreeBSD only: NO
I. Background
pkg_add is a utility program used to install software package
distributions on FreeBSD systems.
II. Problem Description
pkg_add extracts the contents of the package to a temporary directory,
then moves files from the temporary directory to their ultimate
destination on the system. The temporary directory used in the
extraction was created with world-writable permissions, allowing
arbitrary users to examine the contents of the package as it was
being extracted. This might allow users to attack world-writable
parts of the package during installation.
III. Impact
A local attacker may be able to modify the package contents and
potentially elevate privileges or otherwise compromise the system.
There are no known exploits as of the date of this advisory.
IV. Workaround
1) Remove or discontinue use of the pkg_add binary until it has
been upgraded.
2) When running pkg_add, create a secure temporary directory (such
as /var/tmp/inst) and secure the directory permissions (chmod 700
/var/tmp/inst). Set the TMPDIR environment variable to this
directory before running pkg_add.
V. Solution
1) Upgrade your vulnerable FreeBSD system to 4.4-STABLE, or the
RELENG_4_4 or RELENG_4_3 security branches dated after the respective
correction dates.
2) FreeBSD 4.x systems prior to the correction date:
The following patch has been verified to apply to FreeBSD 4.3-RELEASE,
4.4-RELEASE, and 4-STABLE dated prior to the correction date. This
patch may or may not apply to older, unsupported releases of FreeBSD.
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:01/pkg_add.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:01/pkg_add.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch -p < /path/to/patch
# cd /usr/src/usr.sbin/pkg_install
# make depend && make all install
VI. Correction details
The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source
Path Revision
Branch
- -------------------------------------------------------------------------
src/usr.sbin/pkg_install/lib/pen.c
HEAD 1.37
RELENG_4 1.31.2.6
RELENG_4_4 1.31.2.2.2.1
RELENG_4_3 1.31.2.1.2.1
- -------------------------------------------------------------------------
VII. References
<URL:http://www.FreeBSD.org/cgi/query-pr.cgi?pr=32172>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPDZOBlUuHi5z0oilAQEPwwP/ZKTT+30/iNKFVEpxjIr1IgW/YkMI3ViG
G3C12reQQ/QcfGhdxjJesMqeHDhEf2onmZ7ftYRu2Wpg7BC5KAH5rbQ5vDgdVEI0
ym5zPNOR9BgXVuZ9WZ1M6SizHZwngfn/JHjMltd1xcdCwJ93iVq+/NQg1bB5u7op
MPFLhNSwNks=
=cT/W
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories (security-advisories freebsd.org)
Date: Fri Jan 04 2002 - 19:04:21 CST
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:02 Security Advisory
FreeBSD, Inc.
Topic: pw(8) race condition may allow disclosure of master.passwd
Category: core
Module: pw
Announced: 2002-01-04
Credits: ryan beasley <ryanb goddamnbastard.org>
Affects: All releases prior to 4.5-RELEASE,
4.4-STABLE prior to the correction date
Corrected: 2001-12-21 15:21:32 UTC (4.4-STABLE aka RELENG_4)
2001-12-21 15:22:55 UTC (4.4-RELEASEp1 aka RELENG_4_4)
2001-12-21 15:23:04 UTC (4.3-RELEASEp21 aka RELENG_4_3)
FreeBSD only: YES
I. Background
The pw(8) utility is used to create, remove, modify, and display system
users and groups.
II. Problem Description
When creating, removing, or modifying system users, the pw utility
modifies the system password file `/etc/master.passwd'. This file
contains the users' encrypted passwords and is normally only readable
by root. During the modification, a temporary copy of the file is
created. However, this temporary file is mistakenly created with
permissions that allow it to be read by any user.
III. Impact
A local attacker can read the temporary file created by pw(8) and
use the encrypted passwords to conduct an off-line dictionary attack.
A successful attack would result in the recovery of one or more
passwords. Because the temporary file is short-lived (it is removed
almost immediately after creation), this can be difficult to exploit:
an attacker must `race' to read the file before it is removed.
IV. Workaround
1) Do not use pw(8) to create, remove, or modify system users.
V. Solution
One of the following:
1) Upgrade your vulnerable FreeBSD system to 4-STABLE (RELENG_4), the
4.4-RELEASE security-fix branch (RELENG_4_4), or the 4.3-RELEASE
security-fix branch (RELENG_4_3), dated after the correction date.
2) FreeBSD 4.x systems prior to the correction date:
The following patch has been verified to apply to FreeBSD 4.3-RELEASE,
4.4-RELEASE, and 4-STABLE dated prior to the correction date. This
patch may or may not apply to older, unsupported releases of FreeBSD.
Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:02/pw.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-02:02/pw.patch.asc
Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/pw
# make depend && make all install
VI. Correction details
The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source
Path Revision
Branch
- -------------------------------------------------------------------------
src/usr.sbin/pw/pwupd.c
HEAD (CURRENT) 1.18
RELENG_4 (4-STABLE) 1.12.2.4
RELENG_4_4 (4.4-RELEASE security branch) 1.12.2.3.4.1
RELENG_4_3 (4.3-RELEASE security branch) 1.12.2.3.2.1
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPDZOB1UuHi5z0oilAQE/FQP/UjSXBA+ntiemKMpvgQfHkvNFjT/L9VC6
j1q7yhuM+JKIeQcAiotvEFmnRjZquJaNTvBRa4TSbr9943smZ7w8wC3lzq4aLBSv
e4L1F/uIUx19hyeEDL8FEdE5hqiltFJVa605pNoyLtLBQx9UfYkdfZo9SqFtAIdl
qNU0wX2XJU0=
=g2Uh
-----END PGP SIGNATURE-----
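SA-02:01 and SA-02:02 above both describe a temporary object created with access wider than its owner. The C program below is an added example, not code from pkg_install or pw: the "weak" functions are constructed stand-ins for the behaviour the advisories describe, and the /tmp paths and helper names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Permission bits of path (symlinks are not followed), or -1 on error. */
static int perm_bits(const char *path)
{
    struct stat sb;
    return lstat(path, &sb) == 0 ? (int)(sb.st_mode & 0777) : -1;
}

/* 0 if path is ours and grants nothing to group or other, else -1. */
static int audit_private(const char *path)
{
    struct stat sb;
    if (lstat(path, &sb) != 0 || S_ISLNK(sb.st_mode) || sb.st_uid != geteuid())
        return -1;
    return (sb.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Weak stand-in (constructed): staging directory requested with mode 0777
 * while the umask is clear, so any local user can add or replace entries. */
static int make_weak_dir(char *path, size_t len)
{
    mode_t old = umask(0);
    snprintf(path, len, "/tmp/weak-stage.%ld", (long)getpid());
    int rc = mkdir(path, 0777);
    umask(old);
    return rc;
}

/* Weak stand-in (constructed): temporary copy created world-readable. */
static int make_weak_file(char *path, size_t len)
{
    mode_t old = umask(0);
    snprintf(path, len, "/tmp/weak-copy.%ld", (long)getpid());
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    umask(old);
    return fd;
}

/* Hardened: mkdtemp() picks an unpredictable name and creates it 0700. */
static int make_private_dir(char *tmpl)
{
    if (mkdtemp(tmpl) == NULL)
        return -1;
    return audit_private(tmpl);
}

/* Hardened: mkstemp() opens with O_EXCL; the umask and fchmod() pin the mode
 * to 0600 even on older libcs that created the file 0666 & ~umask. */
static int make_private_file(char *tmpl)
{
    mode_t old = umask(077);
    int fd = mkstemp(tmpl);
    umask(old);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0 || audit_private(tmpl) != 0) {
        close(fd); unlink(tmpl);
        return -1;
    }
    return fd;
}

int main(void)
{
    char dir[] = "/tmp/stage.XXXXXX", file[] = "/tmp/pwcopy.XXXXXX";
    char wdir[64], wfile[64];
    int fd = make_private_file(file), wfd = make_weak_file(wfile, sizeof wfile);
    make_private_dir(dir); make_weak_dir(wdir, sizeof wdir);
    printf("private dir  %04o  private file %04o\n",
           (unsigned)perm_bits(dir), (unsigned)perm_bits(file));
    printf("weak dir     %04o  weak file    %04o\n",
           (unsigned)perm_bits(wdir), (unsigned)perm_bits(wfile));
    close(fd); close(wfd); unlink(file); unlink(wfile); rmdir(dir); rmdir(wdir);
    return 0;
}
```

audit_private() is also usable as a pre-flight check on a directory named in TMPDIR, as in workaround 2 of SA-02:01.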
From: FreeBSD Security Advisories (security-advisories freebsd.org)
Date: Fri Jan 04 2002 - 19:04:43 CST
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:04 Security Advisory
FreeBSD, Inc.
Topic: mutt ports contain remotely exploitable buffer overflow
Category: ports
Module: mutt
Announced: 2002-01-04
Credits: Joost Pol <joost contempt.nl>
Affects: Ports collection prior to the correction date
Corrected: 2002-01-02 13:52:03 UTC (ports/mail/mutt: 1.2.x)
2002-01-02 03:39:01 UTC (ports/mail/mutt-devel: 1.3.x)
FreeBSD only: NO
I. Background
Mutt is a small but very powerful text-based mail client for Unix
operating systems.
II. Problem Description
The mutt ports, versions prior to mutt-1.2.25_1 and
mutt-devel-1.3.24_2, contain a buffer overflow in the handling of
email addresses in headers.
The mutt and mutt-devel ports are not installed by default, nor are
they "part of FreeBSD" as such: they are parts of the FreeBSD ports
collection, which contains over 6000 third-party applications in a
ready-to-install format. The ports collection shipped with FreeBSD 4.4
contains this problem since it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
An attacker may send an email message with a specially crafted email
address in any of several message headers to the victim. When the
victim reads the message using mutt and encounters that email address,
the buffer overflow is triggered and may result in arbitrary code
being executed with the privileges of the victim.
IV. Workaround
1) Deinstall the mutt and mutt-devel ports/packages if you have them
installed.
V. Solution
1) Upgrade your entire ports collection and rebuild the ports.
2) Deinstall the old packages and install new packages dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/mutt-devel-1.3.24_2.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-1.2.5_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/mutt-devel-1.3.24_2.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
NOTE: It may be several days before updated packages are available.
3) Download a new port skeleton for the mutt or mutt-devel port from:
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source
Path Revision
- -------------------------------------------------------------------------
ports/mail/mutt/Makefile 1.110
ports/mail/mutt/files/patch-rfc822.c 1.1
ports/mail/mutt-devel/Makefile 1.141
ports/mail/mutt-devel/files/patch-rfc822-security 1.1
- -------------------------------------------------------------------------
VII. References
<URL:http://www.mutt.org/announce/mutt-1.2.5.1-1.3.25.html>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPDZOB1UuHi5z0oilAQHlkQP/abGNj546AB2YE62V1r3URAXE42c5HCEf
wVRH0draXRFkHBGNlJkV2dSr+wYNFt8XXUw7yfGyyPsbLY6F7z2AmwMbya4kSjP5
8ROGuKHkNdyYp09Kdk93++dDYTKHoR1SfwV9oh9KeJcMho9z64ASPuDlNf4uaLk0
JLEmsVGdCoE=
=hpjv
-----END PGP SIGNATURE-----
From: FreeBSD Security Advisories (security-advisories freebsd.org)
Date: Fri Jan 04 2002 - 19:04:50 CST
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:05 Security Advisory
FreeBSD, Inc.
Topic: pine port insecure URL handling
Category: ports
Module: pine
Announced: 2002-01-04
Credits: zen-parse <zen-parse gmx.net>
Affects: Ports collection prior to the correction date
Corrected: 2001-10-05 08:41:39 UTC
FreeBSD only: NO
I. Background
PINE is an application for reading mail and news.
II. Problem Description
The pine port, versions previous to pine-4.40, handles URLs in
messages insecurely. PINE allows users to launch a web browser to
visit a URL embedded in a message. Due to a programming error, PINE
does not properly escape meta-characters in the URL before passing it
to the command shell as an argument to the web browser.
The pine port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 6000 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.4 contains this problem since
it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
An attacker can supply commands enclosed in single quotes ('') in a
URL embedded in a message sent to the victim. If the user then
decides to view the URL, PINE will launch a command shell which will
then execute the attacker's commands with the victim's privileges. It
is possible to obfuscate the URL so that it will not necessarily seem
dangerous to the victim.
IV. Workaround
1) Deinstall the pine port/package if you have it installed.
V. Solution
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/pine-4.43.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/pine-4.43.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the pine port from:
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source
Path Revision
- -------------------------------------------------------------------------
ports/mail/pine4/Makefile 1.58
ports/mail/pine4/distinfo 1.18
ports/mail/pine4/files/patch-aa 1.4
ports/mail/pine4/files/patch-ac 1.11
ports/mail/pine4/files/patch-af 1.12
ports/mail/pine4/files/patch-ai 1.11
ports/mail/pine4/files/patch-aj 1.5
ports/mail/pine4/files/patch-ak 1.6
ports/mail/pine4/files/patch-al 1.10
ports/mail/pine4/files/patch-am 1.6
ports/mail/pine4/files/patch-an 1.5
ports/mail/pine4/files/patch-ap 1.3
ports/mail/pine4/files/patch-at 1.6
ports/mail/pine4/files/patch-au 1.4
ports/mail/pine4/files/patch-ax 1.4
ports/mail/pine4/files/patch-az 1.3
ports/mail/pine4/files/patch-be 1.1
ports/mail/pine4/files/patch-bf 1.1
ports/mail/pine4/files/patch-bg 1.1
ports/mail/pine4/files/patch-reply.c 1.2
- -------------------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPDZOCFUuHi5z0oilAQG65gQAjdGuLydxrCswe9trnfOXIKqTkYll/iP7
7atJipzI+RvYjCzNu/nVItCM+jjGSDvSzF1/OUStAUNM2OZY7hqneSPHed8wTyX8
BU7ZNVlLEDsoZc1nWkUpqBkacPLPq6F7k1YbzMO1xVqIzewmXTpaQzmoKNW/ndIO
T108lLHqDVE=
=Ry2Q
-----END PGP SIGNATURE-----
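The quoting failure described in SA-02:05 above, shown beside two ways of avoiding it. This C program is an added example, not PINE's code: the "weak" function is an assumed shape of the bug, `printf` stands in for the web browser, and the sample URL and function names are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed sample: a URL carrying single quotes and shell metacharacters. */
static const char SAMPLE_URL[] = "http://example.test/a';echo INJECTED;: 'b";

/* Quote s for /bin/sh: wrap it in '...' and rewrite each ' as '\''. Caller frees. */
static char *sh_quote(const char *s)
{
    char *out = malloc(4 * strlen(s) + 3), *q = out;
    if (out == NULL)
        return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++)
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; } else *q++ = *p;
    *q++ = '\'';
    *q = '\0';
    return out;
}

/* Run cmdline through /bin/sh (popen does this) and capture its stdout. */
static int capture_shell(const char *cmdline, char *out, size_t len)
{
    FILE *fp = popen(cmdline, "r");
    if (fp == NULL)
        return -1;
    out[fread(out, 1, len - 1, fp)] = '\0';
    return pclose(fp) == -1 ? -1 : 0;
}

/* Weak pattern (assumed shape of the bug): URL pasted between quotes unescaped. */
static int view_url_weak(const char *url, char *out, size_t len)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "printf '%%s' '%s'", url);
    return capture_shell(cmd, out, len);
}

/* Still via the shell, but the URL is quoted so it stays one literal word. */
static int view_url_quoted(const char *url, char *out, size_t len)
{
    char cmd[512], *q = sh_quote(url);
    if (q == NULL) return -1;
    int n = snprintf(cmd, sizeof cmd, "printf '%%s' %s", q);
    free(q);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;    /* refuse truncation */
    return capture_shell(cmd, out, len);
}

/* No shell at all: the URL reaches the helper as a single argv element. */
static int view_url_argv(const char *url, char *out, size_t len)
{
    int fds[2], st;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {
        dup2(fds[1], STDOUT_FILENO); close(fds[0]); close(fds[1]);
        execlp("printf", "printf", "%s", url, (char *)NULL);
        _exit(127);
    }
    close(fds[1]);
    ssize_t got, total = 0;
    while ((got = read(fds[0], out + total, len - 1 - (size_t)total)) > 0)
        total += got;
    out[total] = '\0'; close(fds[0]);
    return (waitpid(pid, &st, 0) == pid && WIFEXITED(st) && WEXITSTATUS(st) == 0) ? 0 : -1;
}

int main(void)
{
    char a[256] = "", b[256] = "", c[256] = "";
    view_url_weak(SAMPLE_URL, a, sizeof a);
    view_url_quoted(SAMPLE_URL, b, sizeof b);
    view_url_argv(SAMPLE_URL, c, sizeof c);
    printf("weak:   %s\nquoted: %s\nargv:   %s\n", a, b, c);
    return 0;
}
```

Only the quoted and argv variants hand the helper the URL byte for byte; the argv variant is preferable because no shell parses the string at all.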
From: FreeBSD Security Advisories (security-advisories freebsd.org)
Date: Fri Jan 04 2002 - 19:04:33 CST
-----BEGIN PGP SIGNED MESSAGE-----
=============================================================================
FreeBSD-SA-02:03 Security Advisory
FreeBSD, Inc.
Topic: mod_auth_pgsql port authentication bypass
Category: ports
Module: mod_auth_pgsql
Announced: 2002-01-04
Credits: RUS CERT <URL:http://cert.uni-stuttgart.de/>
Affects: Ports collection prior to the correction date
Corrected: 2001-10-02 11:33:49 UTC
FreeBSD only: NO
I. Background
mod_auth_pgsql is an Apache module which allows the Apache web server
to use a PostgreSQL database for user and/or group authentication.
II. Problem Description
The mod_auth_pgsql port, versions prior to mod_auth_pgsql-0.9.9,
contains a vulnerability that may allow a remote user to cause
arbitrary SQL code to be executed. mod_auth_pgsql constructs a SQL
statement to be executed by the PostgreSQL server in order to look up
user information. The username given by the remote user is inserted
into the SQL statement without any quoting or other safety checks.
The mod_auth_pgsql port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains over 6000 third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.4 contains this
problem since it was discovered after the release.
FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.
III. Impact
A remote user may insert arbitrary SQL code into the username during
authentication, leading to several exploit opportunities. In
particular, the attacker may cause mod_auth_pgsql to use a known fixed
password hash for user verification, allowing him to authenticate as
any user and obtain unauthorized access to web server data.
IV. Workaround
1) Deinstall the mod_auth_pgsql port/package if you have it installed.
V. Solution
1) Upgrade your entire ports collection and rebuild the port.
2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:
[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/mod_auth_pgsql-0.9.9.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/mod_auth_pgsql-0.9.9.tgz
[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.
3) Download a new port skeleton for the mod_auth_pgsql port from:
and use it to rebuild the port.
4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
VI. Correction details
The following list contains the $FreeBSD$ revision numbers of each
file that was corrected in the FreeBSD source
Path Revision
- -------------------------------------------------------------------------
ports/www/mod_auth_pgsql/Makefile 1.3
ports/www/mod_auth_pgsql/distinfo 1.2
- -------------------------------------------------------------------------
VII. References
<URL:http://cert.uni-stuttgart.de/advisories/apache_auth.php>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (FreeBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPDZOBVUuHi5z0oilAQHfNgQAgp9FKI4P0XfSzBdbcdOnqPCBJji4TPLS
gENpCcvT55dWcGjYr0XsJrsk1NhF3Qq0TR8CnN2OmWaxx1ugoqwdc6o0vqzYIQ5H
DAwBK4tbYOBYmram7A+0VBbTxPlHTnTop56i3/w2xaxafMHdlrzB2zCO7pimU83i
2MAKa0dLwS4=
=l5iu
-----END PGP SIGNATURE-----
From: faSty (fasty i-sphere.com)
Date: Fri Jan 04 2002 - 19:19:55 CST
Oh thanks, it works with 4.5-PRERELEASE. I tested recompile the fbsd with
ssp and installed. It works very well.
-trev
On Fri, Jan 04, 2002 at 06:45:51PM -0600, Scot W. Hetzel wrote:
> From: "faSty" <fasty i-sphere.com>
> > the patch i tried on 4.5-PRERELEASE. It was failed.
> >
> >
> > fetch http://www.trl.ibm.com/projects/security/ssp/freebsd43/protector4.3-2.patch
> > cd /usr
> > patch < protector4.3-2.patch
> >
> :
> > |===================================================================
> > |RCS file: /home/ncvs/src/contrib/gcc/Makefile.in,v
> > |retrieving revision 1.4.2.1
> > |diff -c -3 -p -r1.4.2.1 Makefile.in
> > |*** contrib/gcc/Makefile.in 2001/04/10 19:22:57 1.4.2.1
> > |--- contrib/gcc/Makefile.in 2001/06/28 11:34:25
> > --------------------------
> > File to patch:
> >
> Try patching from /usr/src instead of /usr.
>
> Scot
-- Suddenly, Professor Liebowitz realizes he has come to the seminar without his duck ...
From: Philip J. Koenig (pjklist ekahuna.com)
Date: Fri Jan 04 2002 - 20:40:00 CST
I got this today:
>=== FreeBSD-SA-02:04 Security Advisory FreeBSD, Inc.
>
> Topic: mutt ports contain remotely exploitable buffer overflow
>
> Category: ports
> Module: mutt
> Announced: 2002-01-04
> Credits: Joost Pol <joost contempt.nl>
> Affects: Ports collection prior to the correction date
> Corrected: 2002-01-02 13:52:03 UTC (ports/mail/mutt: 1.2.x)
> 2002-01-02 03:39:01 UTC (ports/mail/mutt-devel: 1.3.x)
> FreeBSD only: NO
>
> I. Background
>
> Mutt is a small but very powerful text-based mail client for Unix
> operating systems.
>
> II. Problem Description
>
> The mutt ports, versions prior to mutt-1.2.25_1 and
> mutt-devel-1.3.24_2, contain a buffer overflow in the handling of
> email addresses in headers.
Shall I assume the "1.2.25_1" string above is a typo? Is it really
the versions prior to 1.2.5_1? Because I would think 1.2.2x seems to
be pretty old at this point.
Phil
-- Philip J. Koenig pjklistekahuna.com Electric Kahuna Systems -- Computers & Communications for the New Millenium
From: Kerberus (kerberus microbsd.net)
Date: Fri Jan 04 2002 - 20:38:26 CST
Ummm you need to be in /usr/src for the protector patch to apply
correctly, it does apply cleanly i did it today myself, actually the
machine im using is protected with it as of a cvsup from today
On Fri, 2002-01-04 at 19:51, faSty wrote:
> the patch i tried on 4.5-PRERELEASE. It was failed.
>
>
> fetch http://www.trl.ibm.com/projects/security/ssp/freebsd43/protector4.3-2.patch
> cd /usr
> patch < protector4.3-2.patch
>
> --[snip]--
> Hmm... Looks like a new-style context diff to me...
> The text leading up to this was:
> --------------------------
> |? contrib/gcc/protector.h
> |? contrib/gcc/protector.c
> |? sys/libkern/stack_smash_handler.c
> |Index: contrib/gcc/Makefile.in
> |===================================================================
> |RCS file: /home/ncvs/src/contrib/gcc/Makefile.in,v
> |retrieving revision 1.4.2.1
> |diff -c -3 -p -r1.4.2.1 Makefile.in
> |*** contrib/gcc/Makefile.in 2001/04/10 19:22:57 1.4.2.1
> |--- contrib/gcc/Makefile.in 2001/06/28 11:34:25
> --------------------------
> File to patch:
>
> --end--
>
> On Fri, Jan 04, 2002 at 04:38:19PM -0800, Kris Kennaway wrote:
> > On Fri, Jan 04, 2002 at 02:54:08AM -0800, faSty wrote:
> > > Can the SSP patch work with FreeBSD 4.5-PRERELEASE?
> >
> > Yes; let me know if it fails to apply and I'll send you mine, which
> > might have been slightly changed by CVS over time.
> >
> > Kris
>
>
>
> --
> A bureaucracy is like a septic tank -- all the really big shits float
> to the top.
>
From: Tim Zingelman (zingelman fnal.gov)
Date: Fri Jan 04 2002 - 21:07:30 CST
On Fri, 4 Jan 2002, Philip J. Koenig wrote:
> >=== FreeBSD-SA-02:04 Security Advisory FreeBSD, Inc.
> >
> > Topic: mutt ports contain remotely exploitable buffer overflow
> >
> > Category: ports
> > Module: mutt
> > Announced: 2002-01-04
> > Credits: Joost Pol <joost contempt.nl>
> > Affects: Ports collection prior to the correction date
> > Corrected: 2002-01-02 13:52:03 UTC (ports/mail/mutt: 1.2.x)
> > 2002-01-02 03:39:01 UTC (ports/mail/mutt-devel: 1.3.x)
> > FreeBSD only: NO
> >
> > I. Background
> >
> > Mutt