Re: Vulnerability

2013-09-30 Thread Jason Birch
This was announced on security-advisor...@freebsd.org on September 10th,
2013.

The relevant commits, as taken from the announcement, are:

Branch/path                      Revision
- --------------------------------------
stable/8/                        r255445
releng/8.3/                      r255446
releng/8.4/                      r255447
stable/9/                        r255443
releng/9.1/                      r255448
releng/9.2/                      r255444
- --------------------------------------


On Tue, Oct 1, 2013 at 12:05 AM, Jerry  wrote:

> Has this been rectified:
> 
>
> --
> Jerry ♔
>
> Disclaimer: off-list followups get on-list replies or get ignored.
> Please do not ignore the Reply-To header.
> __
>
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"

Re: Vulnerability

2013-09-30 Thread Lowell Gilbert
Jerry  writes:

> Has this been rectified:
> 

If you read the page at that link, you will find the answer.


Re: Vulnerability

2013-09-30 Thread staticsafe

On 9/30/2013 10:05, Jerry wrote:
> Has this been rectified:
> 

Yes.
http://www.freebsd.org/security/advisories/FreeBSD-SA-13:13.nullfs.asc
http://svnweb.freebsd.org/base?view=revision&revision=255442

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post. It is not logical.
Please don't CC me! I'm subscribed to whatever list I just posted on.


Vulnerability

2013-09-30 Thread Jerry
Has this been rectified:


-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__


Re: How to handle postgresql82-client vulnerability

2012-04-13 Thread Amitabh Kant
On Fri, Apr 13, 2012 at 5:41 PM, Matthew Seaman  wrote:

> On 13/04/2012 12:23, Carmel wrote:
> > I am working on an older machine that has "postgresql-client-8.2.23"
> > installed. I have the following information regarding the program:
> >
> > $ pkg_info -R postgresql-client-8.2.23
> > Information for postgresql-client-8.2.23:
> >
> > Required by:
> > koffice-kde4-2.3.3_7
> > postgresql-libpqxx-3.0.2
> >
> > Attempting to build the program produces this error:
> >
> > ===>  postgresql-client-8.2.23 is forbidden: Vulnerable
> > http://www.postgresql.org/about/news/1377/.
> > *** Error code 1
> >
> > Stop in /usr/ports/databases/postgresql82-client.
>
> postgresql-8.2 is out of support upstream.  It's only still in the ports
> because no one has realised it's past its expiry date and removed it yet.
>
> Given the unfixed security problems, you should upgrade to a newer
> version ASAP.
>
> > I cannot find anything in the UPDATING or MOVED files that details how
> > to deal with this. Would something like:
> >
> >   portupgrade -o databases/postgresql90-client postgresql82-client
> >
> > be the proper way to handle this problem? Would I then have to rebuild
> > koffice-kde4-2.3.3_7 and postgresql-libpqxx-3.0.2 to ensure that
> > everything works correctly?
>
> Correct, as far as dealing with the ports goes.  Yes, you will have to
> recompile anything that links against libpq.so.X, which is probably more
> than shows up in the output of 'pkg_info -R' -- you can use the lib_chk
> script from bsdadminscripts to find everything that needs to be rebuilt.
> Or just 'portmaster -r databases/postgresql90-client'
>
> However, there is no guarantee that you can just start up postgresql90
> and expect it to work with the postgresql82 data directory. (Although
> why not postgresql91 rather than 90? There's no good reason not to use
> the latest release.)
>
> As the ports don't support installing several versions of postgresql
> simultaneously, or encode the postgres version into the PGDATA path
> (which is a fairly standard approach on various other unixoid
> environments) you won't be able to use pg_upgrade easily.
>
> Given that in-place updates are not feasible, you should dump the
> contents of your database cluster and then reload it into a newly
> created cluster using the latest version.  The PG documentation
> recommends using the client from the version you are updating to for
> creating the dumps, or else they may not reload cleanly.  In fact, there
> are changes between 8.x and 9.0 to do with the encoding of non-ascii
> character data which are quite likely to cause difficulties for you.
> Note that you can install an updated client on a different box and dump
> remotely as a relatively simple way of using a new client to access an
> older DB.
>
> Ideally you should create a brand new DB cluster on a separate system,
> so you can have as many goes at pulling the data over from your original
> database as you need to get it right without destroying the originals.
> If you lack the resources to do that, then better make sure you've got
> good backups.
>
>Cheers,
>
>Matthew
>
> --
> Dr Matthew J Seaman MA, D.Phil.
> PGP: http://www.infracaninophile.co.uk/pgpkey
>
>
You will have to perform a dump & restore to move from 8.2.x to 9.0.x
(might as well move up to 9.1.x). The data directory compatibility is
not guaranteed across major version.

Amitabh


Re: How to handle postgresql82-client vulnerability

2012-04-13 Thread Matthew Seaman
On 13/04/2012 12:23, Carmel wrote:
> I am working on an older machine that has "postgresql-client-8.2.23"
> installed. I have the following information regarding the program:
> 
> $ pkg_info -R postgresql-client-8.2.23
> Information for postgresql-client-8.2.23:
> 
> Required by:
> koffice-kde4-2.3.3_7
> postgresql-libpqxx-3.0.2
> 
> Attempting to build the program produces this error:
> 
> ===>  postgresql-client-8.2.23 is forbidden: Vulnerable 
> http://www.postgresql.org/about/news/1377/.
> *** Error code 1
> 
> Stop in /usr/ports/databases/postgresql82-client.

postgresql-8.2 is out of support upstream.  It's only still in the ports
because no one has realised it's past its expiry date and removed it yet.

Given the unfixed security problems, you should upgrade to a newer
version ASAP.

> I cannot find anything in the UPDATING or MOVED files that details how
> to deal with this. Would something like:
> 
>   portupgrade -o databases/postgresql90-client postgresql82-client
> 
> be the proper way to handle this problem? Would I then have to rebuild
> koffice-kde4-2.3.3_7 and postgresql-libpqxx-3.0.2 to ensure that everything
> works correctly?

Correct, as far as dealing with the ports goes.  Yes, you will have to
recompile anything that links against libpq.so.X, which is probably more
than shows up in the output of 'pkg_info -R' -- you can use the lib_chk
script from bsdadminscripts to find everything that needs to be rebuilt.
Or just 'portmaster -r databases/postgresql90-client'

However, there is no guarantee that you can just start up postgresql90
and expect it to work with the postgresql82 data directory. (Although
why not postgresql91 rather than 90? There's no good reason not to use
the latest release.)

As the ports don't support installing several versions of postgresql
simultaneously, or encode the postgres version into the PGDATA path
(which is a fairly standard approach on various other unixoid
environments) you won't be able to use pg_upgrade easily.

Given that in-place updates are not feasible, you should dump the
contents of your database cluster and then reload it into a newly
created cluster using the latest version.  The PG documentation
recommends using the client from the version you are updating to for
creating the dumps, or else they may not reload cleanly.  In fact, there
are changes between 8.x and 9.0 to do with the encoding of non-ascii
character data which are quite likely to cause difficulties for you.
Note that you can install an updated client on a different box and dump
remotely as a relatively simple way of using a new client to access an
older DB.

Ideally you should create a brand new DB cluster on a separate system,
so you can have as many goes at pulling the data over from your original
database as you need to get it right without destroying the originals.
If you lack the resources to do that, then better make sure you've got
good backups.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey






How to handle postgresql82-client vulnerability

2012-04-13 Thread Carmel
I am working on an older machine that has "postgresql-client-8.2.23"
installed. I have the following information regarding the program:

$ pkg_info -R postgresql-client-8.2.23
Information for postgresql-client-8.2.23:

Required by:
koffice-kde4-2.3.3_7
postgresql-libpqxx-3.0.2

Attempting to build the program produces this error:

===>  postgresql-client-8.2.23 is forbidden: Vulnerable 
http://www.postgresql.org/about/news/1377/.
*** Error code 1

Stop in /usr/ports/databases/postgresql82-client.

I cannot find anything in the UPDATING or MOVED files that details how
to deal with this. Would something like:

portupgrade -o databases/postgresql90-client postgresql82-client

be the proper way to handle this problem? Would I then have to rebuild
koffice-kde4-2.3.3_7 and postgresql-libpqxx-3.0.2 to ensure that everything
works correctly?

Thanks!

-- 
Carmel
carmel...@hotmail.com



Re: Updating bzip2 to remove potential security vulnerability

2010-10-02 Thread Matthew Seaman
On 01/10/2010 21:59:40, Jerry wrote:
> On Fri, 1 Oct 2010 12:14:20 -0500
> Dan Nelson  articulated:
> 
>> You must have missed 
>> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
>> patches for 6, 7, and 8 are available there, and freebsd-update has
>> fixed binaries if you use that.
> 
> Never saw it. So I am assuming that simply using something like:
> 
> csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
> 
> Then rebuild Kernel & World is not going to work. Is that correct?

Not correct.  csup(1) /after/ the date that fixes are published will
obtain sources that contain the fixes on all affected and supported
branches, including 8-STABLE and 9-CURRENT which aren't covered by
freebsd-update(8).  This will be documented in the security advisory,
where they list the revision numbers (both SVN and CVS) at which the
fixes were applied.

You don't need to /both/ apply patches and use csup -- csup already
contains the result of applying the patches.  Patches are an alternative
to csup, but the intended audience there is typically people running
either heavily customized variants of the OS or installations with
severely limited bandwidth or restricted internet connectivity.  The
majority of users should be using the standard update mechanisms -- csup
or freebsd-update.

Obviously, you will have to compile[*] and install the fixed software.
Going through a full buildworld cycle will certainly do that, but in
most cases you can achieve the required result by rebuilding and
reinstalling significantly smaller chunks of the system.  Again,
procedures to do this should be described in the security advisory,
together with any other requirements (eg. that you would have to reboot
your system where there are significant changes to the kernel, or even
to ubiquitous bits like libc.so.)

Cheers,

Matthew

[*] Unless you're using freebsd-update, of course.

-- 
Dr Matthew J Seaman MA, D.Phil.
PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matt...@infracaninophile.co.uk
7 Priory Courtyard, Flat 3, Ramsgate, Kent, CT11 9PW





Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Michael Powell
Jerry wrote:
[snip].
> 
> OK, I just updated my sources; however, this notation from the UPDATING
> file does NOT appear in the UPDATING file on my machine:
> 
> 20100920: p1  FreeBSD-SA-10:08.bzip2
> Fix an integer overflow in RLE length parsing when decompressing
> corrupt bzip2 data.
> 
> I am using this as the tag, which is probably incorrect.
> 
> default release=cvs tag=RELENG_8
> 
> This is the stock standard-supfile. The stock stable-supfile has the
> same tag.
> 

The security tag for a release version is either RELENG_8_0 or RELENG_8_1,
depending on which one you run. UPDATING has the entry wrt these.

-Mike




Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Bruce Cran
On Fri, 1 Oct 2010 17:49:29 -0400
Jerry  wrote:

> OK, I just updated my sources; however, this notation from the
> UPDATING file does NOT appear in the UPDATING file on my machine:
> 
> 20100920: p1  FreeBSD-SA-10:08.bzip2
>   Fix an integer overflow in RLE length parsing when
> decompressing corrupt bzip2 data.
> 
> I am using this as the tag, which is probably incorrect.
> 
> default release=cvs tag=RELENG_8
> 
> This is the stock standard-supfile. The stock stable-supfile has the
> same tag.
> 

Sorry, it seems stable/8 UPDATING hasn't been updated. Instead, check
that you have rev 1.1.1.5.2.1 of contrib/bzip2/decompress.c .

I guess that since -stable isn't a release branch that it
doesn't get security issues logged in UPDATING?

-- 
Bruce


Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Jerry
On Fri, 1 Oct 2010 22:23:16 +0100
Bruce Cran  articulated:

> On Fri, 1 Oct 2010 14:00:16 -0700
> Jason  wrote:
> 
> > On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> > >On Fri, 1 Oct 2010 12:14:20 -0500
> > >Dan Nelson  articulated:
> > >
> > >> You must have missed
> > >> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> > >> patches for 6, 7, and 8 are available there, and freebsd-update
> > >> has fixed binaries if you use that.
> > >
> > >Never saw it. So I am assuming that simply using something like:
> > >
> > >csup -L2 -h cvsup.FreeBSD.org
> > >"/usr/src/share/examples/cvsup/standard-supfile"
> > >
> > >Then rebuild Kernel & World is not going to work. Is that correct?
> > 
> > The update instructions are in the announcement. Here is a snippet
> > from it:
> 
> Or yes, you can just update to the latest sources via csup - it's been
> fixed in all supported security branches as well as HEAD (see
> http://svn.freebsd.org/viewvc/base/releng/8.1/UPDATING?view=log for
> example).

OK, I just updated my sources; however, this notation from the UPDATING
file does NOT appear in the UPDATING file on my machine:

20100920:   p1  FreeBSD-SA-10:08.bzip2
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.

I am using this as the tag, which is probably incorrect.

default release=cvs tag=RELENG_8

This is the stock standard-supfile. The stock stable-supfile has the
same tag.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__


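The UPDATING entry quoted above names the bug class fixed by FreeBSD-SA-10:08 (an integer overflow in run-length parsing of corrupt bzip2 data). What follows is an added example, not code from this thread or from bzip2 itself: a constructed model of how a bzip2 decoder turns a run of RUNA/RUNB symbols into a repeat count, with the unbounded accumulation beside a bounded one. RUNA, RUNB, N_LIMIT and BZ_MAX_BLOCK are names chosen here, and the weight ceiling is an assumption about the shape of a fix, not a quotation of the upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Run-length symbols in a bzip2 block's MTF stream (names assumed here).
 * A run of RUNA/RUNB symbols encodes a repeat count in bijective base 2:
 * the i-th symbol contributes 1*2^i (RUNA) or 2*2^i (RUNB). */
enum { RUNA = 0, RUNB = 1 };

#define BZ_MAX_BLOCK 900000u               /* largest bzip2 block: 900k bytes */
#define N_LIMIT      (2u * 1024u * 1024u)  /* weight ceiling for the hardened form */

/* Vulnerable form (constructed model): nothing bounds the number of run
 * symbols, so a corrupt stream can keep doubling the weight N until it
 * passes 32 bits and the accumulated count wraps.  Arithmetic is done in
 * uint32_t so the wrap is well defined in this model; a decoder that keeps
 * the count in a signed int hits signed overflow instead.  The return value
 * is the count as a signed 32-bit consumer would see it. */
int32_t rle_length_unchecked(const uint8_t *syms, size_t n)
{
    uint32_t es = 0, N = 1;
    for (size_t i = 0; i < n; i++) {
        es += (syms[i] == RUNB ? 2u : 1u) * N;
        N *= 2;                 /* becomes 0 after 32 doublings: no error raised */
    }
    return (int32_t)es;         /* two's complement reinterpretation: may be negative */
}

/* Hardened form: reject the run as corrupt as soon as the weight reaches
 * N_LIMIT (a legitimate count, at most 900k, needs fewer than 20 symbols,
 * so a run that pushes N to 2^21 cannot be valid), and reject a decoded
 * count that could not fit in the block.  With N < 2^21 the sum stays
 * below 2^22, so it can never wrap.
 * Returns 0 and stores the count on success, -1 on corrupt data. */
int rle_length_checked(const uint8_t *syms, size_t n,
                       uint32_t max_len, uint32_t *out)
{
    uint32_t es = 0, N = 1;
    for (size_t i = 0; i < n; i++) {
        if (N >= N_LIMIT)
            return -1;          /* too many RUNA/RUNB symbols: corrupt stream */
        if (syms[i] != RUNA && syms[i] != RUNB)
            return -1;          /* not a run symbol */
        es += (syms[i] == RUNB ? 2u : 1u) * N;
        N *= 2;
    }
    if (es > max_len)
        return -1;              /* run longer than the block can hold */
    *out = es;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a normal two-symbol run and a corrupt 40-symbol run. */
    uint8_t ok[] = { RUNA, RUNB };          /* 1*1 + 2*2 = 5 */
    uint8_t bad[40];
    for (size_t i = 0; i < sizeof bad; i++)
        bad[i] = RUNA;

    uint32_t len = 0;
    int rc = rle_length_checked(ok, sizeof ok, BZ_MAX_BLOCK, &len);
    printf("normal run:  unchecked=%d checked rc=%d len=%u\n",
           rle_length_unchecked(ok, sizeof ok), rc, len);

    rc = rle_length_checked(bad, sizeof bad, BZ_MAX_BLOCK, &len);
    printf("corrupt run: unchecked=%d (wrapped) checked rc=%d\n",
           rle_length_unchecked(bad, sizeof bad), rc);
    return 0;
}
```

The unchecked count for the corrupt run comes back as -1, a value a later `while (count > 0)` style consumer silently accepts, which is why the bound belongs on the weight before the sum is formed rather than on the sum afterwards.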

Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Jerry
On Fri, 1 Oct 2010 14:00:16 -0700
Jason  articulated:

> On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> >On Fri, 1 Oct 2010 12:14:20 -0500
> >Dan Nelson  articulated:
> >
> >> You must have missed
> >> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> >> patches for 6, 7, and 8 are available there, and freebsd-update has
> >> fixed binaries if you use that.
> >
> >Never saw it. So I am assuming that simply using something like:
> >
> >csup -L2 -h cvsup.FreeBSD.org
> >"/usr/src/share/examples/cvsup/standard-supfile"
> >
> >Then rebuild Kernel & World is not going to work. Is that correct?
> 
> The update instructions are in the announcement. Here is a snippet
> from it:
> 
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
> 
> # fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch.asc
> 
> b) Execute the following commands as root:
> 
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/lib/libbz2
> # make obj && make depend && make && make install
> 
> NOTE: On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
> <http://www.FreeBSD.org/handbook/makeworld.html>
> 
> 3) To update your vulnerable system via a binary patch:
> 
> Systems running 6.4-RELEASE, 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or
> 8.1-RELEASE on the i386 or amd64 platforms can be updated via the
> freebsd-update(8) utility:
> 
> # freebsd-update fetch
> # freebsd-update install

I already read that. If you reread my post, I was inquiring about
simply downloading the source tree and then rebuilding world.

The portion regarding amd64 systems pertains to me. Notice:

> On the amd64 platform, the above procedure will not update the
> lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
> compatibility libraries are used, the operating system should instead
> be recompiled as described in
> <http://www.FreeBSD.org/handbook/makeworld.html>


Am I to infer that I could simply download the sources and rebuild
world, or do I have to download the patches first? It would appear that
I can simply update the sources and rebuild my kernel & world. Your
post failed to address the question I posed.

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__



Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Bruce Cran
On Fri, 1 Oct 2010 14:00:16 -0700
Jason  wrote:

> On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> >On Fri, 1 Oct 2010 12:14:20 -0500
> >Dan Nelson  articulated:
> >
> >> You must have missed
> >> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> >> patches for 6, 7, and 8 are available there, and freebsd-update has
> >> fixed binaries if you use that.
> >
> >Never saw it. So I am assuming that simply using something like:
> >
> >csup -L2 -h cvsup.FreeBSD.org
> >"/usr/src/share/examples/cvsup/standard-supfile"
> >
> >Then rebuild Kernel & World is not going to work. Is that correct?
> 
> The update instructions are in the announcement. Here is a snippet
> from it:

Or yes, you can just update to the latest sources via csup - it's been
fixed in all supported security branches as well as HEAD (see
http://svn.freebsd.org/viewvc/base/releng/8.1/UPDATING?view=log for
example).

-- 
Bruce Cran


Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Jason

On Fri, Oct 01, 2010 at 04:59:40PM -0400, Jerry thus spake:
> On Fri, 1 Oct 2010 12:14:20 -0500
> Dan Nelson  articulated:
> 
> > You must have missed
> > http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> > patches for 6, 7, and 8 are available there, and freebsd-update has
> > fixed binaries if you use that.
> 
> Never saw it. So I am assuming that simply using something like:
> 
> csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"
> 
> Then rebuild Kernel & World is not going to work. Is that correct?


The update instructions are in the announcement. Here is a snippet from
it:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch
# fetch http://security.FreeBSD.org/patches/SA-10:08/bzip2.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libbz2
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 6.4-RELEASE, 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or
8.1-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install


Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Jerry
On Fri, 1 Oct 2010 12:14:20 -0500
Dan Nelson  articulated:

> You must have missed 
> http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ;
> patches for 6, 7, and 8 are available there, and freebsd-update has
> fixed binaries if you use that.

Never saw it. So I am assuming that simply using something like:

csup -L2 -h cvsup.FreeBSD.org "/usr/src/share/examples/cvsup/standard-supfile"

Then rebuild Kernel & World is not going to work. Is that correct?

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__
Last week a cop stopped me in my car.  He asked me if I had a police
record. I said, no, but I have the new DEVO album.  Cops have no sense
of humor.


Re: Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Dan Nelson
In the last episode (Oct 01), Jerry said:
> I have seen several notices on other forums regarding the update of bzip2
> to correct a potential security problem.  From the bzip2 web site:
> 
> 
> The current version is 1.0.6, released 20 Sept 2010.
> 
> Version 1.0.6 removes a potential security vulnerability,
> CVE-2010-0405, so all users are recommended to upgrade immediately.
> 
> 
> The version supplied on FreeBSD-8.1/amd64 is version 1.0.5,
> 10-Dec-2007. Are there any plans to update this supplied version?

You must have missed 
http://security.freebsd.org/advisories/FreeBSD-SA-10:08.bzip2.asc ; patches
for 6, 7, and 8 are available there, and freebsd-update has fixed binaries
if you use that.

-- 
Dan Nelson
dnel...@allantgroup.com


Updating bzip2 to remove potential security vulnerability

2010-10-01 Thread Jerry
I have seen several notices on other forums regarding the update of
bzip2 to correct a potential security problem. From the bzip2 web site:


The current version is 1.0.6, released 20 Sept 2010.

Version 1.0.6 removes a potential security vulnerability,
CVE-2010-0405, so all users are recommended to upgrade immediately.


The version supplied on FreeBSD-8.1/amd64 is version 1.0.5,
10-Dec-2007. Are there any plans to update this supplied version?

-- 
Jerry ✌
freebsd.u...@seibercom.net

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__


Re: Vulnerability Database,Compile ports under Security Warnings.

2010-05-24 Thread Frank Shute
On Sun, May 23, 2010 at 10:29:45PM +0100, Luca Renaud wrote:
>
> Krb5-1.8.1 is the object of a security warning, and I am not able to compile
> it. It tells me to update the ports tree and try again, which I have done
> several times but the same warning stands.
> Is this port not yet security updated with a security patch?

It sounds like it.

> Is there a way to compile without the security updated/patched tree?

# make DISABLE_VULNERABILITIES=yes install clean

Before doing that, make sure that the vulnerability portaudit reports
isn't going to leave you open to compromise. Portaudit should give you
a URL to visit to check.

Regards,

-- 

 Frank

 Contact info: http://www.shute.org.uk/misc/contact.html




Vulnerability Database,Compile ports under Security Warnings.

2010-05-23 Thread Luca Renaud
Krb5-1.8.1 is the object of a security warning, and I am not able to compile
it. It tells me to update the ports tree and try again, which I have done
several times but the same warning stands.
Is this port not yet security updated with a security patch?
Is there a way to compile without the security updated/patched tree?


Re: java/jdk16 vulnerability?

2009-09-30 Thread cpghost
On Mon, Sep 28, 2009 at 08:48:37PM -0700, Greg Lewis wrote:
> On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> > Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> > complains about an old and vulnerable Java version:
> > 
> >   Your installed version of Java is vulnerable to a severe remote
> >   exploit (remote code execution!). You must upgrade to at least Java
> >   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
> >   disabled any plugins handling XML for the time being, but this
> >   includes searching and chat so you should upgrade ASAP!
> 
> We're almost certainly vulnerable.  The jdk16 port is at Update 3.

Ah, I see. Thanks for clarifying.

> >   See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
> >   details.
> > 
> >   Also, please do not use Thaw or Freetalk. The UPnP plugin is
> >   enabled, it might present a risk if you have bad guys on your LAN,
> >   but without it Freenet will not be able to port forward and will
> >   have severe problems.
> > 
> > I'm running java/jdk16:
> > 
> > phenom# java -version
> > java version "1.6.0_03-p4"
> > Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> > Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
> > 
> > On 7.2-STABLE:
> > 
> > phenom# uname -a
> > FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64
> > 
> > Is that version of Java really vulnerable? If yes, why doesn't
> >   # portaudit -Fda
> > report it as such, and could you please update the java/jdk16 port?
> 
> We need an entry in the VUXML database I guess.
> 
> Updating java/jdk16 is going to be a slow process.  There are lots of
> changes between Update 3 and Update 15.  I've partially merged Update 4,
> but obviously that still leaves many to go...

Looks like *a lot* of work...

Any chance to see progress here before 8.0-RELEASE? It's not a big deal,
but shipping an updated port without that vuln. would be nice.

> Greg Lewis  Email   : gle...@eyesbeyond.com
> Eyes Beyond Web : http://www.eyesbeyond.com
> Information Technology  FreeBSD : gle...@freebsd.org

Thanks for the great work supporting JDK natively on FreeBSD,

-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: java/jdk16 vulnerability?

2009-09-28 Thread Robert Huff

Greg Lewis writes:

>  >   Your installed version of Java is vulnerable to a severe remote
>  >   exploit (remote code execution!). You must upgrade to at least Java
>  >   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
>  >   disabled any plugins handling XML for the time being, but this
>  >   includes searching and chat so you should upgrade ASAP!
>  
>  We're almost certainly vulnerable.  The jdk16 port is at Update 3.


>  We need an entry in the VUXML database I guess.
>  
>  Updating java/jdk16 is going to be a slow process.  There are
>  lots of changes between Update 3 and Update 15.  I've partially
>  merged Update 4, but obviously that still leaves many to go...

As someone with zero knowledge of Java internals: what is the
recommended version at the moment? 


Robert Huff



Re: java/jdk16 vulnerability?

2009-09-28 Thread Greg Lewis
On Mon, Sep 28, 2009 at 12:10:48PM +0200, cpghost wrote:
> Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
> complains about an old and vulnerable Java version:
> 
>   Your installed version of Java is vulnerable to a severe remote
>   exploit (remote code execution!). You must upgrade to at least Java
>   5 update 20 or Java 6 update 15 as soon as possible. Freenet has
>   disabled any plugins handling XML for the time being, but this
>   includes searching and chat so you should upgrade ASAP!

We're almost certainly vulnerable.  The jdk16 port is at Update 3.

>   See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
>   details.
> 
>   Also, please do not use Thaw or Freetalk. The UPnP plugin is
>   enabled, it might present a risk if you have bad guys on your LAN,
>   but without it Freenet will not be able to port forward and will
>   have severe problems.
> 
> I'm running java/jdk16:
> 
> phenom# java -version
> java version "1.6.0_03-p4"
> Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
> Java HotSpot(TM) 64-Bit Server VM (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)
> 
> On 7.2-STABLE:
> 
> phenom# uname -a
> FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64
> 
> Is that version of Java really vulnerable? If yes, why doesn't
>   # portaudit -Fda
> report it as such, and could you please update the java/jdk16 port?

We need an entry in the VUXML database I guess.

Updating java/jdk16 is going to be a slow process.  There are lots of
changes between Update 3 and Update 15.  I've partially merged Update 4,
but obviously that still leaves many to go...

-- 
Greg Lewis  Email   : gle...@eyesbeyond.com
Eyes Beyond Web : http://www.eyesbeyond.com
Information Technology  FreeBSD : gle...@freebsd.org


java/jdk16 vulnerability?

2009-09-28 Thread cpghost
[Sorry for resending: I didn't get any replies]

Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:

  Your installed version of Java is vulnerable to a severe remote
  exploit (remote code execution!). You must upgrade to at least Java
  5 update 20 or Java 6 update 15 as soon as possible. Freenet has
  disabled any plugins handling XML for the time being, but this
  includes searching and chat so you should upgrade ASAP!

  See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
  details.

  Also, please do not use Thaw or Freetalk. The UPnP plugin is
  enabled, it might present a risk if you have bad guys on your LAN,
  but without it Freenet will not be able to port forward and will
  have severe problems.

I'm running java/jdk16:

phenom# java -version
java version "1.6.0_03-p4"
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 
1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)

On 7.2-STABLE:

phenom# uname -a
FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 
CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64

Is that version of Java really vulnerable? If yes, why doesn't
  # portaudit -Fda
report it as such, and could you please update the java/jdk16 port?

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


java/jdk16 vulnerability?

2009-09-20 Thread cpghost
Hi Greg,

Freenet (http://www.freenetproject.org/) on my FreeBSD/amd64 system
complains about an old and vulnerable Java version:

  Your installed version of Java is vulnerable to a severe remote
  exploit (remote code execution!). You must upgrade to at least Java
  5 update 20 or Java 6 update 15 as soon as possible. Freenet has
  disabled any plugins handling XML for the time being, but this
  includes searching and chat so you should upgrade ASAP!

  See http://www.cert.fi/en/reports/2009/vulnerability2009085.html for
  details.

  Also, please do not use Thaw or Freetalk. The UPnP plugin is
  enabled, it might present a risk if you have bad guys on your LAN,
  but without it Freenet will not be able to port forward and will
  have severe problems.

I'm running java/jdk16:

phenom# java -version
java version "1.6.0_03-p4"
Java(TM) SE Runtime Environment (build 1.6.0_03-p4-root_08_sep_2009_17_05-b00)
Java HotSpot(TM) 64-Bit Server VM (build 
1.6.0_03-p4-root_08_sep_2009_17_05-b00, mixed mode)

On 7.2-STABLE:

phenom# uname -a
FreeBSD phenom.cordula.ws 7.2-STABLE FreeBSD 7.2-STABLE #0: Tue Sep  8 10:43:26 
CEST 2009 r...@phenom.cordula.ws:/usr/obj/usr/src/sys/GENERIC  amd64

Is that version of Java really vulnerable? If yes, why doesn't
  # portaudit -Fda
report it as such, and could you please update the java/jdk16 port?

Thanks,
-cpghost.

-- 
Cordula's Web. http://www.cordula.ws/


Re: Security vulnerability in 7.x

2009-09-18 Thread Jeronimo Calvo
Look for this subject on the mailing list: "reporter on deadline seeks
comment about reported security bug in FreeBSD".

You will find a thread of almost 50 chained messages about this...

;o)

BTW, yes, it does.

2009/9/18 Alex R :
> Hi All,
>
> I was sent this by a friend; could someone confirm whether this exploit
> really exists?
>
> http://www.vimeo.com/6580991 (requires flash)
>


Security vulnerability in 7.x

2009-09-18 Thread Alex R

Hi All,

I was sent this by a friend; could someone confirm whether this exploit
really exists?


http://www.vimeo.com/6580991 (requires flash)



Re: Software Vulnerability Scanner

2007-10-25 Thread Ghirai
On Thu, 25 Oct 2007 14:29:40 +0330
"Bahman M." <[EMAIL PROTECTED]> wrote:

> Hi all,
> 
> I'm starting my career as a security analyst and I'd like to know if
> there are any vulnerability scanners (black-box or white-box) available
> for FreeBSD, in particular for Java applications.
> 
> There is some software out there, e.g. HailStorm or SourceScope;
> however, most of it is commercial and AFAIK there are only Windoze
> versions.
> 
> Any suggestion or pointer is highly appreciated.  TIA,
> 

In the absence of a more specific question, I'd say
start with /usr/ports/security/nessus.

Generally these tools perform poorly on Windows,
mostly because of the crappy network stack.

-- 
Regards,
Ghirai.


Software Vulnerability Scanner

2007-10-25 Thread Bahman M.
Hi all,

I'm starting my career as a security analyst and I'd like to know if
there are any vulnerability scanners (black-box or white-box) available
for FreeBSD, in particular for Java applications.

There is some software out there, e.g. HailStorm or SourceScope;
however, most of it is commercial and AFAIK there are only Windoze
versions.

Any suggestion or pointer is highly appreciated.  TIA,

-- 
Bahman Movaqar

The Moving Finger writes; and, having writ,
Moves on: nor all your Piety nor Wit
Shall lure it back to cancel half a Line,
Nor all your Tears wash out a Word of it.
-Khayyam


Re: Hello :Regarding the vulnerability

2007-05-03 Thread Bill Moran
In response to "darshan na" <[EMAIL PROTECTED]>:
> Hi.
> Thanks for the reply.
> I am really sorry, it was my mistake for not checking properly.
> After reading again I have realised that you specify the impact and
> workaround for FreeBSD releases and you provide links to their
> sources. Please correct me if I am wrong; I am new to this field.

You are obviously new, but that's OK.  We all start out new.

First off, [EMAIL PROTECTED] is a mailing list for general discussion
about FreeBSD.  The fact that I responded to your post in no way identifies
me as an expert who should be exclusively consulted for further
information.  As a result, I've added [EMAIL PROTECTED] back to the
CC.

The FreeBSD project maintains a truckload of mailing lists to facilitate
collaboration within the community:
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/eresources.html#ERESOURCES-MAIL
Of particular interest to you might be this list:
http://lists.freebsd.org/mailman/listinfo/freebsd-security

Top-posting is also generally frowned upon.

> I also wanted to know what features you consider when publishing the
> vulnerability

Information about how the security team operates is here:
http://www.freebsd.org/security/

If you have a number of questions, I expect you'll benefit from organizing
them all into a single email and sending them (interview-style) to the
FreeBSD security officer (listed on the previous page).

Hope this helps.

> On 5/3/07, Bill Moran <[EMAIL PROTECTED]> wrote:
> >
> > In response to "darshan na" <[EMAIL PROTECTED]>:
> >
> > > Hi,
> > > I am a student at one of the German universities and I had the task of
> > > benchmarking vulnerability providers based on the features they
> > > provide, and it's really nice that you provide vulnerability
> > > information in XML format; this is really very useful for parsing
> > > the information for analysis.
> > > I was checking your website where advisories are present and I could
> > > not find any risk level allotted to the vulnerability.
> > > It is difficult to analyse them without that; I just wanted to know if
> > > there is any particular reason for this.
> >
> > Did you miss section III (called "Impact") that appears in every Advisory?
> >
> > --
> > Bill Moran
> > http://www.potentialtech.com
> >
> 


-- 
Bill Moran
http://www.potentialtech.com


Re: Hello :Regarding the vulnerability

2007-05-03 Thread Bill Moran
In response to "darshan na" <[EMAIL PROTECTED]>:

> Hi,
> I am a student at one of the German universities and I had the task of
> benchmarking vulnerability providers based on the features they provide,
> and it's really nice that you provide vulnerability information in XML format;
> this is really very useful for parsing the information for analysis.
> I was checking your website where advisories are present and I could not
> find any risk level allotted to the vulnerability.
> It is difficult to analyse them without that; I just wanted to know if
> there is any particular reason for this.

Did you miss section III (called "Impact") that appears in every Advisory?

-- 
Bill Moran
http://www.potentialtech.com


Hello :Regarding the vulnerability

2007-05-03 Thread darshan na

Hi,
I am a student at one of the German universities and I had the task of
benchmarking vulnerability providers based on the features they provide,
and it's really nice that you provide vulnerability information in XML format;
this is really very useful for parsing the information for analysis.
I was checking your website where advisories are present and I could not
find any risk level allotted to the vulnerability.
It is difficult to analyse them without that; I just wanted to know if
there is any particular reason for this.
Thank you and
Best regards
darshan


Re: FreeBSD UFS "vulnerability": Is NIST off its medication, or am I missing something?

2006-11-14 Thread Bill Moran
In response to Colin Percival <[EMAIL PROTECTED]>:

> Bill Moran wrote:
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
> > 
> > Following the links around, it seems that you would have to mount a 
> > "corrupt" or
> > "malicious" filesystem in order to exploit this "vulnerability".
> > 
> > Yes, NIST claims there is no authentication required to exploit?  Are new 
> > versions
> > of FreeBSD suddenly allowing unauthenticated users to mount filesystems by 
> > default?
> > If so, something's wrong with my 6.1 workstation!
> > 
> > It seems like this is the 2nd or 3rd "vulnerability" I've seen that's been 
> > blown
> > out of proportion by NIST, or am I missing something?
> 
> CVE names are assigned, and NIST creates an entry in its database, whenever
> someone claims that a security problem exists; their purpose is to provide
> a consistent name for whatever people are talking about, not to decide what
> exactly constitutes a security issue (as I explained in my BSDCan'06 paper,
> different vendors have many different policies about what constitute security
> issues).
> 
> In this case (and another very similar bug found by the MoKB people), the
> FreeBSD security team has no intention to handle the bug as a security issue;
> obviously this is a kernel bug and deserves to be fixed, but no more so than
> any other kernel bug, and in fact this bug seems far less important than most.

That was my thought.  In my opinion, anything that requires root access to
exploit doesn't constitute a security issue, since someone with root
privvies can do whatever they want anyway, by definition.

It looks as if MoKB has an axe to grind ... I expect we'll see a lot more
exaggerated "security problems" come out of them before November is over ...

Thanks for the feedback, Colin.

-- 
Bill Moran
Collaborative Fusion Inc.



IMPORTANT: This message contains confidential information and is intended only 
for the individual named. If the reader of this message is not an intended 
recipient (or the individual responsible for the delivery of this message to an 
intended recipient), please be advised that any re-use, dissemination, 
distribution or copying of this message is prohibited.  Please notify the 
sender immediately by e-mail if you have received this e-mail by mistake and 
delete this e-mail from your system.




Re: FreeBSD UFS "vulnerability": Is NIST off its medication, or am I missing something?

2006-11-13 Thread Colin Percival
Bill Moran wrote:
> http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824
> 
> Following the links around, it seems that you would have to mount a "corrupt" 
> or
> "malicious" filesystem in order to exploit this "vulnerability".
> 
> Yes, NIST claims there is no authentication required to exploit?  Are new 
> versions
> of FreeBSD suddenly allowing unauthenticated users to mount filesystems by 
> default?
> If so, something's wrong with my 6.1 workstation!
> 
> It seems like this is the 2nd or 3rd "vulnerability" I've seen that's been 
> blown
> out of proportion by NIST, or am I missing something?

CVE names are assigned, and NIST creates an entry in its database, whenever
someone claims that a security problem exists; their purpose is to provide
a consistent name for whatever people are talking about, not to decide what
exactly constitutes a security issue (as I explained in my BSDCan'06 paper,
different vendors have many different policies about what constitute security
issues).

In this case (and another very similar bug found by the MoKB people), the
FreeBSD security team has no intention to handle the bug as a security issue;
obviously this is a kernel bug and deserves to be fixed, but no more so than
any other kernel bug, and in fact this bug seems far less important than most.

Colin Percival


FreeBSD UFS "vulnerability": Is NIST off its medication, or am I missing something?

2006-11-13 Thread Bill Moran

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-5824

Following the links around, it seems that you would have to mount a "corrupt" or
"malicious" filesystem in order to exploit this "vulnerability".

Yes, NIST claims there is no authentication required to exploit?  Are new 
versions
of FreeBSD suddenly allowing unauthenticated users to mount filesystems by 
default?
If so, something's wrong with my 6.1 workstation!

It seems like this is the 2nd or 3rd "vulnerability" I've seen that's been blown
out of proportion by NIST, or am I missing something?


Re: ruby Vulnerability / portupgrade

2006-11-13 Thread Karol Kwiatkowski
Hi Jeff,

On 13/11/2006 16:35, Jeff Dickens wrote:
> Regarding the following vulnerabilities as detected by portaudit:
> 
>Affected package: ruby-1.8.4_4,1
>Type of problem: ruby -- cgi.rb library Denial of Service.
>Reference:
>   
> 

From the link:

% Affects:
% *  ruby >=1.8.* <1.8.5_4,1
% *  ruby_static >=1.8.* <1.8.5_4,1

The latest version of ruby in ports is 1.8.5_4,1 which is not affected[1].


>Affected package: ruby-1.8.4_4,1
>Type of problem: ruby - multiple vulnerabilities.
>Reference:
>   
> 

Hmmm... not sure about this one, but if I'm reading CVE-2006-3694[2]
right, ruby 1.8.5 is not affected. portaudit is not complaining either.

HTH,

Karol

[1]
http://www.freebsd.org/cgi/getmsg.cgi?fetch=2891067+0+/usr/local/www/db/text/2006/cvs-all/20061105.cvs-all
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3694

-- 
Karol Kwiatkowski  
OpenPGP: http://www.orchid.homeunix.org/carlos/gpg/0x06E09309.asc



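The version-range logic behind the two exchanges above (cpghost asking why `portaudit -Fda` is silent without a VuXML entry, and Karol reading the "Affects: ruby >=1.8.* <1.8.5_4,1" line to conclude that 1.8.5_4,1 is clean), as an added example in C. This is not portaudit's or pkg_version's own code. It parses FreeBSD package versions of the form VERSION[_REVISION][,EPOCH] and evaluates each term of an Affects line against an installed package name such as ruby-1.8.4_4,1. Assumptions of this example: version components are numeric, a missing component counts as 0, and a trailing ".*" in a pattern matches any value of the remaining components (epoch and revision are ignored for such patterns). The Affects line and package names in main() are constructed to mirror the entry quoted in the thread.

```c
/* Added example: matching a VuXML-style "Affects" line against an installed
 * FreeBSD package name.  Not portaudit/pkg_version code; see the lead-in for
 * the simplifications assumed here. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXPARTS 8

struct pkgver {
    int epoch, rev, nparts, wildcard;
    int parts[MAXPARTS];
};

/* Parse "1.8.4_4,1" or "1.8.*" into epoch, port revision and dotted components. */
static void parse_version(const char *s, struct pkgver *v)
{
    char buf[64], *p;
    memset(v, 0, sizeof(*v));
    strncpy(buf, s, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';
    if ((p = strchr(buf, ',')) != NULL) { v->epoch = atoi(p + 1); *p = '\0'; }
    if ((p = strchr(buf, '_')) != NULL) { v->rev = atoi(p + 1); *p = '\0'; }
    p = buf;
    while (*p != '\0' && v->nparts < MAXPARTS) {
        char *end;
        if (*p == '*') { v->wildcard = 1; break; }
        v->parts[v->nparts++] = (int)strtol(p, &end, 10);
        if (end == p || *end != '.') break;   /* non-numeric or last component */
        p = end + 1;
    }
}

/* <0, 0, >0 like strcmp(): epoch first, then components, then revision.
 * b may carry a trailing ".*" wildcard, in which case only its fixed prefix
 * is compared (assumption of this example). */
static int compare_versions(const struct pkgver *a, const struct pkgver *b)
{
    int i, n;
    if (!b->wildcard && a->epoch != b->epoch)
        return a->epoch < b->epoch ? -1 : 1;
    n = b->wildcard ? b->nparts
                    : (a->nparts > b->nparts ? a->nparts : b->nparts);
    for (i = 0; i < n; i++) {
        int x = i < a->nparts ? a->parts[i] : 0;
        int y = i < b->nparts ? b->parts[i] : 0;
        if (x != y) return x < y ? -1 : 1;
    }
    if (b->wildcard) return 0;
    if (a->rev != b->rev) return a->rev < b->rev ? -1 : 1;
    return 0;
}

/* Evaluate one "OPversion" term such as "<1.8.5_4,1" against an installed version. */
static int term_holds(const struct pkgver *inst, const char *term)
{
    struct pkgver bound;
    const char *vs = term;
    int c;
    while (*vs == '<' || *vs == '>' || *vs == '=') vs++;
    parse_version(vs, &bound);
    c = compare_versions(inst, &bound);
    if (strncmp(term, ">=", 2) == 0) return c >= 0;
    if (strncmp(term, "<=", 2) == 0) return c <= 0;
    if (term[0] == '>') return c > 0;
    if (term[0] == '<') return c < 0;
    if (term[0] == '=') return c == 0;
    return 0;
}

/* 1 if "name-version" satisfies every term of an Affects line, else 0. */
int is_affected(const char *pkg, const char *affects)
{
    char line[128], name[64], *tok;
    struct pkgver inst;
    const char *dash = strrchr(pkg, '-');      /* name ends at the last '-' */
    if (dash == NULL) return 0;
    snprintf(name, sizeof(name), "%.*s", (int)(dash - pkg), pkg);
    parse_version(dash + 1, &inst);
    strncpy(line, affects, sizeof(line) - 1);
    line[sizeof(line) - 1] = '\0';
    tok = strtok(line, " ");
    if (tok == NULL || strcmp(tok, name) != 0) return 0;   /* different port */
    while ((tok = strtok(NULL, " ")) != NULL)
        if (!term_holds(&inst, tok)) return 0;
    return 1;
}

int main(void)
{
    /* Constructed to mirror the VuXML range quoted in the thread. */
    const char *affects = "ruby >=1.8.* <1.8.5_4,1";
    const char *pkgs[] = { "ruby-1.8.4_4,1", "ruby-1.8.5_3,1", "ruby-1.8.5_4,1",
                           "ruby-1.7.9", "ruby_static-1.8.4_4,1" };
    size_t i;
    for (i = 0; i < sizeof(pkgs) / sizeof(pkgs[0]); i++)
        printf("%-24s %s\n", pkgs[i], is_affected(pkgs[i], affects) ? "AFFECTED" : "ok");
    return 0;
}
```

Two things the output makes visible: the installed ruby-1.8.4_4,1 from the portaudit report falls inside the range while the fixed 1.8.5_4,1 sits exactly on the exclusive upper bound, and the epoch after the comma is compared before anything else, so a bare "1.9.0" with no epoch still counts as older than "1.8.5_4,1". That last point is why a VuXML entry has to carry the epoch, and why a port that is never given an entry (Greg's remark about java/jdk16) produces no report at all, however old it is.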


ruby Vulnerability / portupgrade

2006-11-13 Thread Jeff Dickens

Regarding the following vulnerabilities as detected by portaudit:

   Affected package: ruby-1.8.4_4,1
   Type of problem: ruby -- cgi.rb library Denial of Service.
   Reference:
   
<http://www.FreeBSD.org/ports/portaudit/ab8dbe98-6be4-11db-ae91-0012f06707f0.html>

   Affected package: ruby-1.8.4_4,1
   Type of problem: ruby - multiple vulnerabilities.
   Reference:
   
<http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>

I see that ruby is only required by portupgrade.  Anyone know if there's going to 
be a fix for this vulnerability any time soon? Has anyone asked the ruby guys?

   # pkg_info -R ruby-1.8.4_4,1
   Information for ruby-1.8.4_4,1:

   Required by:
   portupgrade-2.0.1_1,1
   ruby18-bdb1-0.2.2

   # pkg_info -R ruby18-bdb1-0.2.2
   Information for ruby18-bdb1-0.2.2:

   Required by:
   portupgrade-2.0.1_1,1



Re: Is the vulnerability database up to date?

2006-11-11 Thread Erik Norgaard

Josh Carroll wrote:

>> So - what's the point? I mean updating the port to a newer port with the
>> same or newer known vulnerabilities?
>
> # portaudit
> 0 problem(s) in your installed packages found.
> # pkg_info| grep firefox
> firefox-2.0_2,1 Web browser based on the browser portion of Mozilla
>
> Seems ok to me. Which version of firefox is in your ports tree, and
> have you run portaudit -F lately?


This is weird. When I wrote yesterday I had updated ports and the vuln 
database just before that. Now I just did

# pkg_info |grep firefox

which gave TWO matches; one was 2.0_r2,1, which I had previously built 
with the vulnerability check disabled, and later I upgraded to 2.0_1,1. For 
some reason the 2.0_2r,1 had not been deleted completely, I guess, and after 
deleting it with pkg_delete there are no longer any warnings.

But it still beats me why this should affect building the newer version; 
building the 2.0_2,1 version yesterday terminated with a list of 
vulnerabilities. How is this check run for new builds?


Thanks, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


Re: Is the vulnerability database up to date?

2006-11-10 Thread Josh Carroll

> So - what's the point? I mean updating the port to a newer port with the
> same or newer known vulnerabilities?


# portaudit
0 problem(s) in your installed packages found.
# pkg_info| grep firefox
firefox-2.0_2,1 Web browser based on the browser portion of Mozilla

Seems ok to me. Which version of firefox is in your ports tree, and
have you run portaudit -F lately?

Josh


Is the vulnerability database up to date?

2006-11-10 Thread Erik Norgaard

Hi:

I updated my ports tree a few days ago, and again today (right now). The 
firefox port was updated. I then updated the vulnerability database, or 
so I thought, with portaudit. But building firefox complains about 
remaining vulnerabilities.


So - what's the point? I mean updating the port to a newer port with the 
same or newer known vulnerabilities?


Or is the vulnerability database not updated yet?

Thanks, Erik
--
Ph: +34.666334818  web: http://www.locolomo.org
X.509 Certificate: http://www.locolomo.org/crt/8D03551FFCE04F0C.crt
Key ID: 69:79:B8:2C:E3:8F:E7:BE:5D:C3:C3:B1:74:62:B8:3F:9F:1F:69:B9


portaudit thinks a vulnerability just disappeared

2006-10-16 Thread James Long
I have a 4.11-RELEASE system.

Prior to doing some minor portupdates, I had this portaudit report:

Checking for packages with security vulnerabilities:

Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>

Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html>

Affected package: ruby-1.8.4_3,1
Type of problem: ruby - multiple vulnerabilities.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/76562594-1f19-11db-b7d4-0008743bf21a.html>

Affected package: apache+mod_ssl-1.3.34+2.8.25_2
Type of problem: apache -- mod_rewrite buffer overflow vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/dc8c08c7-1e7c-11db-88cf-000c6ec775d9.html>

Affected package: mutt-1.4.2.1_2
Type of problem: mutt -- Remote Buffer Overflow Vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/d2a43243-087b-11db-bc36-0008743bf21a.html>

5 problem(s) in your installed packages found.


I cvsup'ped my ports tree and portupgraded ruby, mutt and portaudit, 
but not any of their dependencies (since version number changes were 
minor).

portaudit -aF now thinks:

www : 17:59:17 /root# portaudit -aF
auditfile.tbz 100% of   38 kB  138 kBps
New database installed.
Affected package: php4-4.4.1_3
Type of problem: php -- open_basedir Race Condition Vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/edabe438-542f-11db-a5ae-00508d6a62df.html>

Affected package: php4-4.4.1_3
Type of problem: php -- multiple vulnerabilities.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/ea09c5df-4362-11db-81e1-000e0c2e438a.html>

2 problem(s) in your installed packages found.


Why does portaudit think the apache+mod_ssl problem went away?  The 
installed version is still:

apache+mod_ssl-1.3.34+2.8.25_2 The Apache 1.3 webserver with SSL/TLS 
functionality


Thanks!

Jim


Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

2006-10-11 Thread Bill Moran
In response to Colin Percival <[EMAIL PROTECTED]>:

> Bill Moran wrote:
> > Colin Percival <[EMAIL PROTECTED]> wrote:
> >> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
>  ^^^
> > That was what I expected.  Section III seems to hint that it could be
> > used by an unprivileged user to crash or lock a system.
> 
> Yes.  An unprivileged user who is able to execute code on an affected system
> can cause a kernel panic.  There are a variety of reasons for not treating
> bugs like this as security issues; the strongest reason imho is that if one
> of your users is making a system crash, you can disable his account and call
> the police.

Thanks for the clarification.

From my standpoint, this qualifies as a "privilege escalation" and warrants
action.  I see that it's already fixed in RELENG_6_1.  Am I correct that
there is no intention to MFC this back to RELENG_6_0?

And, yes, I can't spell "unprivileged" to save my life, and the spell
checker was turned off on my other computer ...

-- 
Bill Moran
Collaborative Fusion Inc.





Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

2006-10-10 Thread Colin Percival
Bill Moran wrote:
> Colin Percival <[EMAIL PROTECTED]> wrote:
>> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
 ^^^
> That was what I expected.  Section III seems to hint that it could be
> used by an unprivilidged user to crash or lock a system.

Yes.  An unprivileged user who is able to execute code on an affected system
can cause a kernel panic.  There are a variety of reasons for not treating
bugs like this as security issues; the strongest reason imho is that if one
of your users is making a system crash, you can disable his account and call
the police.

> BTW, are you going to be at NYCBSDCon?

No -- I only go to conferences if I have a paper to present.

Colin Percival



Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

2006-10-10 Thread Bill Moran
Colin Percival <[EMAIL PROTECTED]> wrote:

> Bill Moran wrote:
> > This report seems pretty vague.  I'm unsure as to whether the alleged
> > "bug" gives the user any more permissions than he'd already have?  Anyone
> > know any details?
> 
> This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
> and RELENG_6.  There is no opportunity for either remote denial of service
> or any privilege escalation.
> 
> > VI. VENDOR RESPONSE
> > 
> > "The policy of the FreeBSD Security Team is that local denial of service
> > bugs not be treated as security issues; it is possible that this problem
> > will be corrected in a future Erratum."
> 
> If there was any potential for
> (a) privilege escalation,
> (b) disclosure of potentially sensitive information, or
> (c) denial of service by a non-authenticated attacker,
> we would have issued a security advisory.

That was what I expected.  Section III seems to hint that it could be
used by an unprivilidged user to crash or lock a system.  I suspect they
used it as root to crash/lock the OS.  But I don't need any bugs to do
that as root, so it doesn't really count as a security issue.

BTW, are you going to be at NYCBSDCon?  If so, seek me out -- I owe you
a beer at the least.

As always, thanks for the quick response.

-- 
Bill Moran

That seem right to you?

Jubal Early



Re: iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

2006-10-10 Thread Colin Percival
Bill Moran wrote:
> This report seems pretty vague.  I'm unsure as to whether the alleged
> "bug" gives the user any more permissions than he'd already have?  Anyone
> know any details?

This is a local denial of service bug, which was fixed 6 weeks ago in HEAD
and RELENG_6.  There is no opportunity for either remote denial of service
or any privilege escalation.

> VI. VENDOR RESPONSE
> 
> "The policy of the FreeBSD Security Team is that local denial of service
> bugs not be treated as security issues; it is possible that this problem
> will be corrected in a future Erratum."

If there was any potential for
(a) privilege escalation,
(b) disclosure of potentially sensitive information, or
(c) denial of service by a non-authenticated attacker,
we would have issued a security advisory.

Colin Percival



iDefense Security Advisory 10.10.06: FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

2006-10-10 Thread Bill Moran

This report seems pretty vague.  I'm unsure as to whether the alleged
"bug" gives the user any more permissions than he'd already have?  Anyone
know any details?

FreeBSD ptrace PT_LWPINFO Denial of Service Vulnerability

iDefense Security Advisory 10.10.06
http://www.idefense.com/intelligence/vulnerabilities/
Oct 10, 2006

I. BACKGROUND

FreeBSD is a modern operating system for x86, amd64, Alpha, IA-64, PC-98
and SPARC architectures. It's based on the UNIX operating system, BSD,
which was created at the University of California, Berkeley.  More
information can be obtained from the FreeBSD Project web site at
http://www.FreeBSD.org/

II. DESCRIPTION

The PT_LWPINFO ptrace command allows a tracer to get information on a
running thread.

Due to the use of signed integers and a lack of proper input validation,
a situation can occur in the kernel where a panic will cause DoS. The
affected code follows.

953 case PT_LWPINFO:
954 if (data == 0 || data > sizeof(*pl))
955 return (EINVAL);

Since the "data" variable is a signed integer, the check on line 954 can
easily be bypassed. Eventually, the negative value is passed to
copyout(), which will result in a kernel panic or corruption of the user
space memory.

III. ANALYSIS

Exploitation of this vulnerability would result in a denial of service
condition on the affected host. In some cases exploitation resulted in a
hard lock up of the machine, where as other times a kernel panic was
caused leading to reboot.

iDefense considers this a LOW severity vulnerability due to the local
access requirement.

IV. DETECTION

iDefense has confirmed the existence of this problem in FreeBSD version
6.0-RELEASE. FreeBSD 6.1-RELEASE is not affected. It is suspected that
other versions are also affected.

V. WORKAROUND

iDefense is not aware of any workaround for this issue.

VI. VENDOR RESPONSE

"The policy of the FreeBSD Security Team is that local denial of service
bugs not be treated as security issues; it is possible that this problem
will be corrected in a future Erratum."

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2006-4516 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

08/18/2006  Initial vendor notification
10/06/2006  Initial vendor response
10/10/2006  Public disclosure


-- 
Bill Moran

Sometimes I think I'm stupid.  The rest of the time I'm sure of it.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
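The check the advisory describes, reduced to a user-space model as an added example (not iDefense's or FreeBSD's code): a signed `int` length compared in signed arithmetic accepts a negative value, and the size it becomes at the copy is what a reviewer should look for. `struct lwpinfo_stub`, the helper names and `lwpinfo_scratch` are constructed for illustration; the cast that forces the signed comparison is an assumption standing in for whatever made the original comparison signed.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the kernel's per-thread info record; the real
 * struct ptrace_lwpinfo has different members. sizeof is 32 bytes. */
struct lwpinfo_stub {
    int32_t lwpid;
    int32_t event;
    uint8_t pad[24];
};

/* Scratch destination buffer for the model below (constructed). */
uint8_t lwpinfo_scratch[64];

/*
 * Weak check, modelling the advisory's description: "data" is the
 * caller-supplied length, a signed int. With the bound coerced to int
 * (an assumption made here so that the comparison is signed), a negative
 * length is neither 0 nor greater than the record size, so it passes.
 * Returns 0 when the length is accepted, EINVAL when it is rejected.
 */
int lwpinfo_check_signed(int data)
{
    if (data == 0 || data > (int)sizeof(struct lwpinfo_stub))
        return EINVAL;
    return 0;   /* data == -1 reaches here: this is the bug class */
}

/*
 * Hardened check: reject every non-positive length before comparing, and
 * compare as size_t so no sign conversion takes part in the bound test.
 */
int lwpinfo_check_hardened(int data)
{
    if (data <= 0)
        return EINVAL;
    if ((size_t)data > sizeof(struct lwpinfo_stub))
        return EINVAL;
    return 0;
}

/*
 * The length a copy routine would be handed: copyout(9) takes a size_t,
 * so an accepted negative int silently becomes an enormous byte count.
 */
size_t lwpinfo_copy_length(int data)
{
    return (size_t)data;
}

/*
 * User-space model of the request path: validate with the given check,
 * then copy at most the accepted length of the record into dst.
 * Returns the bytes copied, -1 if the check rejects the request, or -2
 * if the accepted length does not fit, which is the case a kernel copy
 * of that length would not survive.
 */
long lwpinfo_request(int data, int (*check)(int), uint8_t *dst, size_t dstlen)
{
    struct lwpinfo_stub pl = { .lwpid = 100001, .event = 0, .pad = { 0 } };

    if (check(data) != 0)
        return -1;
    size_t n = lwpinfo_copy_length(data);
    if (n > sizeof pl || n > dstlen)
        return -2;
    memcpy(dst, &pl, n);
    return (long)n;
}

int main(void)
{
    printf("signed check, data=-1:   %ld\n",
           lwpinfo_request(-1, lwpinfo_check_signed, lwpinfo_scratch, sizeof lwpinfo_scratch));
    printf("hardened check, data=-1: %ld\n",
           lwpinfo_request(-1, lwpinfo_check_hardened, lwpinfo_scratch, sizeof lwpinfo_scratch));
    printf("hardened check, data=32: %ld\n",
           lwpinfo_request(32, lwpinfo_check_hardened, lwpinfo_scratch, sizeof lwpinfo_scratch));
    return 0;
}
```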


Re: jdk -- jar directory traversal vulnerability (CVE-2005-1080).

2006-09-13 Thread Andrew Pantyukhin

On 9/13/06, Jacques Vidrine <[EMAIL PROTECTED]> wrote:


On 2006-09-12, at 13:52:40, Remko Lodder wrote:

> David Robillard wrote:
>> Hi everyone,
>> Are there any workaround or a patch for this security problem?
>> FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
>> FreeBSD 6.1/i386:
>> Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
>> Type of problem: jdk -- jar directory traversal vulnerability.
>> Reference: <http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>
>> Many thanks,
>> David
>
> Hello David,
>
> I corrected the entry, it should be fixed within little notice :)

Hey, hold on a second... are you sure this has been fixed?  As far as
I know, Sun has never issued a patch for this vulnerability.  Yay Sun!


http://www.freshports.org/java/jdk15/[EMAIL PROTECTED]

FreeBSD != Sun


Re: jdk -- jar directory traversal vulnerability (CVE-2005-1080).

2006-09-12 Thread Jacques Vidrine


On 2006-09-12, at 13:52:40, Remko Lodder wrote:

> David Robillard wrote:
>> Hi everyone,
>> Are there any workaround or a patch for this security problem?
>> FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
>> FreeBSD 6.1/i386:
>> Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
>> Type of problem: jdk -- jar directory traversal vulnerability.
>> Reference: <http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>
>> Many thanks,
>> David
>
> Hello David,
>
> I corrected the entry, it should be fixed within little notice :)

Hey, hold on a second... are you sure this has been fixed?  As far as
I know, Sun has never issued a patch for this vulnerability.  Yay Sun!


Cheers,
--
Jacques Vidrine <[EMAIL PROTECTED]>




Re: jdk -- jar directory traversal vulnerability (CVE-2005-1080).

2006-09-12 Thread Remko Lodder

David Robillard wrote:
> Hi everyone,
>
> Are there any workaround or a patch for this security problem?
>
> FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
> FreeBSD 6.1/i386:
>
> Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
> Type of problem: jdk -- jar directory traversal vulnerability.
> Reference:
> <http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>
>
> Many thanks,
>
> David

Hello David,

I corrected the entry, it should be fixed within little notice :)

Thanks for the report!

--
Kind regards,

 Remko Lodder   ** [EMAIL PROTECTED]
 FreeBSD** [EMAIL PROTECTED]

 /* Quis custodiet ipsos custodes */


jdk -- jar directory traversal vulnerability (CVE-2005-1080).

2006-09-12 Thread David Robillard

Hi everyone,

Are there any workaround or a patch for this security problem?

FreeBSD Foundation's Java JDK and JRE 5.0 Update 7 binaries for
FreeBSD 6.1/i386:

Affected package: diablo-jdk-freebsd6.i386.1.5.0.07.00
Type of problem: jdk -- jar directory traversal vulnerability.
Reference: 
<http://www.FreeBSD.org/ports/portaudit/18e5428f-ae7c-11d9-837d-000e0c2e438a.html>

Many thanks,

David
--
David Robillard
UNIX systems administrator & Oracle DBA
CISSP, RHCE & Sun Certified Security Administrator
Montreal: +1 514 966 0122


Re: portupgrade ruby vulnerability

2006-08-03 Thread jan gestre

On 8/3/06, Dave <[EMAIL PROTECTED]> wrote:
> Hello,
> I'm getting an error from ruby whenever I run a portupgrade. Checking
> portaudit I see this is a vulnerability. Is there a fix for it?
> Thanks.
> Dave.

I had these warnings too, just use portupgrade or portmanager to upgrade
your ports, there is a vulnerability in ruby-1.8.4_8,1 and it was fixed with
ruby-1.8.4_9,1. Update the portaudit database so you won't see the warning
message again.

HTH


Re: portupgrade ruby vulnerability

2006-08-03 Thread Frank Shute
On Thu, Aug 03, 2006 at 09:08:03AM -0400, Dave wrote:
>
> Hello,
> I'm getting an error from ruby whenever I run a portupgrade. Checking
> portaudit I see this is a vulnerability. Is there a fix for it?
> Thanks.
> Dave.
> 

cvsup your ports tree and rebuild ruby18. Some patches for ruby18 went
in recently which fix matters.

-- 

 Frank 


echo "f r a n k @ e s p e r a n c e - l i n u x . c o . u k" | sed 's/ //g'

  --->PGP keyID: 0x10BD6F4B<---  


Re: portupgrade ruby vulnerability

2006-08-03 Thread Ivailo Tanusheff
Try to use:

portupgrade -c -C -r -R -v -m DISABLE_VULNERABILITIES="yes" ruby

I hope this will solve the issue, if you are sure you want to update this
version :)

Ivailo Tanusheff
Senior System administrator
ProCredit Bank (Bulgaria) AD




"Dave" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03.08.2006 16:08
Subject: portupgrade ruby vulnerability

> Hello,
> I'm getting an error from ruby whenever I run a portupgrade. Checking
> portaudit I see this is a vulnerability. Is there a fix for it?
> Thanks.
> Dave.



Re: portupgrade ruby vulnerability

2006-08-03 Thread Michael P. Soulier
On 03/08/06 Dave said:

> Hello,
> I'm getting an error from ruby whenever I run a portupgrade. Checking
> portaudit I see this is a vulnerability. Is there a fix for it?

I believe that the vulnerability is ruby itself, is it not?

Mike

-- 
Michael P. Soulier <[EMAIL PROTECTED]>
"Any intelligent fool can make things bigger and more complex... It
takes a touch of genius - and a lot of courage to move in the opposite
direction." --Albert Einstein




portupgrade ruby vulnerability

2006-08-03 Thread Dave

Hello,
I'm getting an error from ruby whenever I run a portupgrade. Checking
portaudit I see this is a vulnerability. Is there a fix for it?

Thanks.
Dave.



Re: Samba vulnerability & make problem

2006-02-13 Thread Denny White



On Feb 12 Robert Slade spake forth boldly:

>> Was trying to setup apsfilter to be able to print to my
>> winbox printer. Got as far as the following:
>>
>> ===>   apsfilter-7.2.6_2 depends on executable: smbclient - not found
>> ===>Verifying install for smbclient in /usr/ports/net/samba
>> ===>  samba-2.2.12_2 has known vulnerabilities:
>> => samba -- integer overflow vulnerability.
>> Reference:
>> <http://www.FreeBSD.org/ports/portaudit/3b3676be-52e1-11d9-a9e7-0001020eed82.html>
>> => Please update your ports tree and try again.
>> *** Error code 1
>>
>> Stop in /usr/ports/net/samba.
>> *** Error code 1
>>
>> Stop in /usr/ports/print/apsfilter.
>> *** Error code 1
>>
>> Stop in /usr/ports/print/apsfilter.
>>
>> Script done on Sat Feb 11 20:01:52 2006
>>
>> I've got portaudit installed & the database was just updated
>> several days ago, as well as the ports with portsnap & portupgrade.
>> Have checked the last week or so of the cvs mailing list for samba
>> & found nothing, so I didn't rerun portsnap & portupgrade. Already
>> so many dependencies installed for apsfilter, I hated to update
>> anything else right in the middle of all of this. Tried running the
>> make command with -DIGNORE_VULNERABILITIES but still no dice. Any
>> advice, pointers to reading up on it, help, appreciated.
>> Denny White
>
> Denny,
>
> Samba3 is in the ports try that instead.

Thanks for the advice, Robert. Did it. Found the proper printer
driver & set it up. Took a long time to connect to an ftp server
that had it (in case someone else has to do the same thing, don't
cancel, it'll find a server eventually that has it). Apsfilter
is setup now. Still have to fiddle with Samba settings. Had it
setup once before a long time back when I was running FreeBSD
4.7, I believe, on my old laptop. It'll just take some patience
& tinkering. Thanks again for the help.
Denny White

Please do not CC me. Already subscribed to mailing list.

GnuPG key  : 0x1644E79A  |  http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A



Re: Samba vulnerability & make problem

2006-02-11 Thread Robert Slade
On Sat, 2006-02-11 at 20:36, Denny White wrote:
> 
> 
> Was trying to setup apsfilter to be able to print to my
> winbox printer. Got as far as the following:
> 
> ===>   apsfilter-7.2.6_2 depends on executable: smbclient - not found
> ===>Verifying install for smbclient in /usr/ports/net/samba
> ===>  samba-2.2.12_2 has known vulnerabilities:
> => samba -- integer overflow vulnerability.
> Reference: 
> <http://www.FreeBSD.org/ports/portaudit/3b3676be-52e1-11d9-a9e7-0001020eed82.html>
> => Please update your ports tree and try again.
> *** Error code 1
> 
> Stop in /usr/ports/net/samba.
> *** Error code 1
> 
> Stop in /usr/ports/print/apsfilter.
> *** Error code 1
> 
> Stop in /usr/ports/print/apsfilter.
> 
> Script done on Sat Feb 11 20:01:52 2006
> 
> I've got portaudit installed & the database was just updated
> several days ago, as well as the ports with portsnap & portupgrade.
> Have checked the last week or so of the cvs mailing list for samba
> & found nothing, so I didn't rerun portsnap & portupgrade. Already
> so many dependencies installed for apsfilter, I hated to update
> anything else right in the middle of all of this. Tried running the
> make command with -DIGNORE_VULNERABILITIES but still no dice. Any
> advice, pointers to reading up on it, help, appreciated.
> Denny White

Denny,

Samba3 is in the ports try that instead.


> 
> Please do not CC me. Already subscribed to mailing list.
> 

I suggest you set your reply to the list then.

Rob 



Samba vulnerability & make problem

2006-02-11 Thread Denny White



Was trying to setup apsfilter to be able to print to my
winbox printer. Got as far as the following:

===>   apsfilter-7.2.6_2 depends on executable: smbclient - not found
===>Verifying install for smbclient in /usr/ports/net/samba
===>  samba-2.2.12_2 has known vulnerabilities:
=> samba -- integer overflow vulnerability.
   Reference: 
<http://www.FreeBSD.org/ports/portaudit/3b3676be-52e1-11d9-a9e7-0001020eed82.html>
=> Please update your ports tree and try again.
*** Error code 1

Stop in /usr/ports/net/samba.
*** Error code 1

Stop in /usr/ports/print/apsfilter.
*** Error code 1

Stop in /usr/ports/print/apsfilter.

Script done on Sat Feb 11 20:01:52 2006

I've got portaudit installed & the database was just updated
several days ago, as well as the ports with portsnap & portupgrade.
Have checked the last week or so of the cvs mailing list for samba
& found nothing, so I didn't rerun portsnap & portupgrade. Already
so many dependencies installed for apsfilter, I hated to update
anything else right in the middle of all of this. Tried running the
make command with -DIGNORE_VULNERABILITIES but still no dice. Any
advice, pointers to reading up on it, help, appreciated.
Denny White

Please do not CC me. Already subscribed to mailing list.

GnuPG key  : 0x1644E79A  |  http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67  EC25 CB44 F2E5 1644 E79A



Re: portaudit reports: how to exclude a specific vulnerability

2005-10-31 Thread Daniel Pittman
"Michael C. Shultz" <[EMAIL PROTECTED]> writes:
> On Sunday 30 October 2005 22:45, you wrote:
G'day.

[...]

>> I can't work out how to tell portaudit to stop bothering me about 
>> [a single] particular vulnerability, though.
>>
>> Can I ask it to exclude a vulnerability, or (even better) a
>> vulnerability/package combination, from reports?
>
> I think this will do it, put it in /etc/make.conf
>
> .if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
> DISABLE_VULNERABILITIES="YES"
> .endif

Hrm.  That doesn't exclude it from the command line tool, and a quick
check of the periodic/security file tells me that it won't work in the
periodic runs either.

Unfortunately, portaudit only seems to support the 'portaudit_fixed'
system for marking a problem in the core OS fixed, not for individual
versions.

More searching also shows a comment from the author(s) to the effect
that this would be easy to extend to non-core packages, but that has not
been done yet.

Ah, well.  Either a local patch, or I just cope with the problem, I
guess.
Daniel


Re: portaudit reports: how to exclude a specific vulnerability

2005-10-30 Thread Michael C. Shultz
On Sunday 30 October 2005 22:45, you wrote:
> G'day.  I am relatively new to FreeBSD, but failed to find an answer to
> this question in the handbook, manual pages, or other references about
> portaudit:
>
> At the moment, portaudit is reporting one vulnerability on my system,
> with the 'p5-Crypt-OpenPGP' package.
>
> There isn't, apparently, a release of this package available that
> resolves the issue.
>
> I have checked the advisory and I am quite happy that the specific
> problem is not going to hurt here, so I don't mind that the
> theoretically vulnerable version is installed.[1]
>
> I can't work out how to tell portaudit to stop bothering me about this
> particular vulnerability, though.
>
> Can I ask it to exclude a vulnerability, or (even better) a
> vulnerability/package combination, from reports?
>
I think this will do it, put it in /etc/make.conf

.if ${.CURDIR:M*/security/p5-Crypt-OpenPGP}
DISABLE_VULNERABILITIES="YES"
.endif

-Mike

>
> I specifically /don't/ want to exclude the package from auditing,
> though, since I want to know if another security issue turns up for it.
>
> Thanks,
>Daniel
>
> Footnotes:
> [1]  The specific issue is a cryptographic weakness that needs a
>  specific and particularly unlikely bit of code written by us before
>  it actually does anything.  Not, as they say, going to happen.
>


portaudit reports: how to exclude a specific vulnerability

2005-10-30 Thread Daniel Pittman
G'day.  I am relatively new to FreeBSD, but failed to find an answer to
this question in the handbook, manual pages, or other references about
portaudit:

At the moment, portaudit is reporting one vulnerability on my system,
with the 'p5-Crypt-OpenPGP' package.  

There isn't, apparently, a release of this package available that
resolves the issue.

I have checked the advisory and I am quite happy that the specific
problem is not going to hurt here, so I don't mind that the
theoretically vulnerable version is installed.[1]

I can't work out how to tell portaudit to stop bothering me about this
particular vulnerability, though.  

Can I ask it to exclude a vulnerability, or (even better) a
vulnerability/package combination, from reports?


I specifically /don't/ want to exclude the package from auditing,
though, since I want to know if another security issue turns up for it.

Thanks,
   Daniel

Footnotes: 
[1]  The specific issue is a cryptographic weakness that needs a
 specific and particularly unlikely bit of code written by us before
 it actually does anything.  Not, as they say, going to happen.



Re: openssl vulnerability

2005-10-11 Thread Brian A. Seklecki


And more importantly, does anyone care to start an informal list of quote
"any statically linked applications that are not part of the
base system (i.e. from the Ports Collection or other 3rd-party sources)
must be recompiled."


~BAS

On Tue, 11 Oct 2005, DW wrote:

> Hi,
>
> Does anybody know a command to tell which options I have compiled into my
> openssl?
>
> Is there a way to tell if I have SSL_OP_MSIE_SSLV2_RSA_PADDING in there
> before I go unnecessarily rebuilding and reinstall world on all my servers?
>
> Thanks,
>
> DW
l8*
-lava

x.25 - minix - bitnet - plan9 - 110 bps - ASR 33 - base8


openssl vulnerability

2005-10-11 Thread DW

Hi,

Does anybody know a command to tell which options I have compiled into 
my openssl?


Is there a way to tell if I have SSL_OP_MSIE_SSLV2_RSA_PADDING in there 
before I go unnecessarily rebuilding and reinstall world on all my servers?


Thanks,

DW


Re: PAWS security vulnerability

2005-05-20 Thread Tim Traver

Ted,

I did take it to the security list (freebsd-security@freebsd.org). Since 
I did not actually know if this was an issue yet, I figure I would ask 
it to the appropriate list before sending it directly to the security 
officers. I'd rather not waste their time until I knew it was an issue.


I guess maybe you don't subscribe to that list. At the time, neither did 
I, because I can't subscribe to ALL of the lists...


The answer was that your patch was flawed, and that there was already a 
patch for it in CVS anyway.


I figured from your high chair, that you would have seen the post when 
it was made this morning, and the response back from one of the people 
on the list about it.


I didn't feel the need to update you about it since you've been so 
friendly to me. And since no one else joined in on the conversation, I 
figured I would let that info sit on the security list for people to find.


Tim.


Ted Mittelstaedt wrote:

> You STILL haven't taken this to the correct security mailing list, after
> being told gently, then yelled at, then told firmly.  What do we have to
> do to get you to do this?
>
> Ted
>
>> -Original Message-
>> From: [EMAIL PROTECTED]
>> [mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
>> Sent: Friday, May 20, 2005 9:33 AM
>> To: Ted Mittelstaedt
>> Cc: bsd
>> Subject: Re: PAWS security vulnerability
>>
>> Ted,
>>
>> you just can't stop being a dickhead, can you ???
>>
>> I admitted what I did wrong (unlike you), and yes, I posted this to the
>> wrong list. Big deal. A lot of things get posted to this list that are a
>> thousand times worse.
>>
>> Get off your high horse, and maybe use some manners instead of barking
>> orders at everyone. I don't know which is worse. Trolls, or those that
>> scream troll at the drop of a hat.
>>
>> Tim.
>>
>> Ted Mittelstaedt wrote:
>>
>>> Tim,
>>>
>>> In my first e-mail I said:
>>>
>>> "If it works I would submit it to the FreeBSD security list"
>>>
>>> OK., so I see how you might have misinterpreted that.  But the sentence "if
>>> it works you would submit it to the FreeBSD security list" isn't
>>> grammatically correct.
>>>
>>> In my second e-mail I said:
>>>
>>> "I told you to post the patch and info to the appropriate FreeBSD security
>>> lists, and you aren't the least bit interested in doing what I told you"
>>>
>>> On the index page of http://www.freebsd.org there is a link called "FAQ"
>>>
>>> On that page is a link called "Security"
>>>
>>> On that page is the text:
>>>
>>> "...This point and others are often discussed on the mailing lists,
>>> particularly the FreeBSD security mailing list"
>>>
>>> with a link to the appropriate mailing list.
>>>
>>> I find it real hard to believe you use FreeBSD on hundreds of servers and
>>> are unaware of the appropriate forum to post security questions.  The
>>> general freebsd questions mailing list is not this place.  You should have
>>> known this before you even posted your first question.  Reading
>>> instructions for products that you use is not optional, it is mandatory,
>>> and FreeBSD's instructions are on the website.
>>>
>>> You posted your query in the wrong forum, you got a patch in response
>>> which is far more than you should have got, you were directed, hinting at
>>> first, forcibly at second, to go to the appropriate forum to post the
>>> patch, the results of the patch, and your security questions.  You still,
>>> as far as I know, have not done this.
>>>
>>> So, OK maybe you're not a troll and I assumed wrong.  But I will point out
>>> that you said absolutely nothing in your first post about who you are,
>>> what you are doing, why you even give a shit about this issue.  If you had
>>> simply opened your first post with "I was shown this vulnerability by our
>>> network security person and I have to respond to him in some fashion" or
>>> something like that, it would have gone a long way towards establishing
>>> credibility as to why you cared about this.  If even better you had done a
>>> bit of research and said "well the vulnerability shows that OpenBSD
>>> already patched for this, maybe FreeBSD should" or if even better than
>>> that you had said "I looked at the OpenBSD patch and it's really simple,
>>> could we use it on FreeBSD" that would have done a lot to establishing
>>> that you were at least willing to offer help and assistance.
>>>
>>> Instead, reread your second post - you not once offered to do anything,
>>> not even apply the patch to see if it compiled, all you did is ask for yet
>>> more research to be done for you.
>>>
>>> Well we all are busy, you don't have a lock on that, buddy.
>>>
>>> Apply the patch.  If the FreeBSD system doesn't panic then the patch isn't
>>> grossly wrong.  If you do not have a test system then don't apply it.
>>> Either way, just take the

RE: PAWS security vulnerability

2005-05-20 Thread Ted Mittelstaedt

You STILL haven't taken this to the correct security mailing list, after
being told gently, then yelled at, then told firmly.  What do we have to
do to get you to do this?

Ted

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
> Sent: Friday, May 20, 2005 9:33 AM
> To: Ted Mittelstaedt
> Cc: bsd
> Subject: Re: PAWS security vulnerability
>
>
> Ted,
>
> you just can't stop being a dickhead, can you ???
>
> I admitted what I did wrong (unlike you), and yes, I posted
> this to the
> wrong list. Big deal. A lot of things get posted to this list
> that are a
> thousand times worse.
>
> Get off your high horse, and maybe use some manners instead of barking
> orders at everyone. I don't know which is worse. Trolls, or those that
> scream troll at the drop of a hat.
>
> Tim.
>
>
> Ted Mittelstaedt wrote:
>
> >Tim,
> >
> >In my first e-mail I said:
> >
> >"If it works I would submit it to the FreeBSD security list"
> >
> >OK., so I see how you might have misinterpreted that.  But
> the sentence "if
> >it works you would submit it to the
> >FreeBSD security list" isn't grammatically correct.
> >
> >In my second e-mail I said:
> >
> >"I told you to post the patch and info to the appropriate
> FreeBSD security
> >lists, and you aren't the least bit interested in doing what
> I told you"
> >
> >On the index page of http://www.freebsd.org there is a link
> called "FAQ"
> >
> >On that page is a link called "Security"
> >
> >On that page is the text:
> >
> >"...This point and others are often discussed on the mailing lists,
> >particularly the FreeBSD security mailing list"
> >
> >with a link to the appropriate mailing list.
> >
> >I find it real hard to believe you use FreeBSD on hundreds of
> servers and
> >are unaware of the appropriate
> >forum to post security questions.  The general freebsd
> questions mailing
> >list is not this place.  You should
> >have known this before you even posted your first question.  Reading
> >instructions for products that you use
> >is not optional, it is mandatory, and FreeBSD's instructions
> are on the
> >website.
> >
> >You posted your query in the wrong forum, you got a patch in
> response which
> >is far more than you should have
> >got, you were directed, hinting at first, forcibly at second,
> to go to the
> >appropriate forum to post the patch, the results of the
> patch, and your
> >security questions.  You still, as far as I know, have not done this.
> >
> >So, OK maybe you're not a troll and I assumed wrong.  But I
> will point out
> >that you said absolutely nothing
> >in your first post about who you are, what you are doing, why
> you even give
> >a shit about this issue.  If you
> >had simply opened your first post with "I was shown this
> vulnerability by
> >our network security person
> >and I have to respond to him in some fashion" or something
> like that, it
> >would have gone a long way towards
> >establishing credibility as to why you cared about this.  If
> even better you
> >had done a bit of research and
> >said "well the vulnerability shows that OpenBSD already
> patched for this,
> >maybe FreeBSD should" or if
> >even better than that you had said "I looked at the OpenBSD
> patch and it's
> >really simple, could we use
> >it on FreeBSD" that would have done a lot to establishing
> that you were at
> >least willing to offer help and
> >assistance.
> >
> >Instead, reread your second post - you not once offered to do
> anything, not
> >even apply the patch to see
> >if it compiled, all you did is ask for yet more research to
> be done for you.
> >
> >Well we all are busy, you don't have a lock on that, buddy.
> >
> >Apply the patch.  If the FreeBSD system doesn't panic then
> the patch isn't
> >grossly wrong.  If you do not
> >have a test system then don't apply it.  Either way, just
> take the patch to
> >the appropriate FreeBSD security forum
> >and post it with "some asshole on questions told me to apply
> this in results
> >of 
> >is this the right way to fix it?"
> >
> >As I said, IF you are a fucking troll then you WOULDN'T do
> the above.  That
> >means that if you WOULD do the
> >above then you AREN'T a fucking troll.  You still have

Re: PAWS security vulnerability

2005-05-20 Thread Tim Traver
Ted,
you just can't stop being a dickhead, can you ???
I admitted what I did wrong (unlike you), and yes, I posted this to the 
wrong list. Big deal. A lot of things get posted to this list that are a 
thousand times worse.

Get off your high horse, and maybe use some manners instead of barking 
orders at everyone. I don't know which is worse. Trolls, or those that 
scream troll at the drop of a hat.

Tim.
Ted Mittelstaedt wrote:
Tim,
In my first e-mail I said:
"If it works I would submit it to the FreeBSD security list"
OK., so I see how you might have misinterpreted that.  But the sentence "if
it works you would submit it to the
FreeBSD security list" isn't grammatically correct.
In my second e-mail I said:
"I told you to post the patch and info to the appropriate FreeBSD security
lists, and you aren't the least bit interested in doing what I told you"
On the index page of http://www.freebsd.org there is a link called "FAQ"
On that page is a link called "Security"
On that page is the text:
"...This point and others are often discussed on the mailing lists,
particularly the FreeBSD security mailing list"
with a link to the appropriate mailing list.
I find it real hard to believe you use FreeBSD on hundreds of servers and
are unaware of the appropriate
forum to post security questions.  The general freebsd questions mailing
list is not this place.  You should
have known this before you even posted your first question.  Reading
instructions for products that you use
is not optional, it is mandatory, and FreeBSD's instructions are on the
website.
You posted your query in the wrong forum, you got a patch in response which
is far more than you should have
got, you were directed, hinting at first, forcibly at second, to go to the
appropriate forum to post the patch, the results of the patch, and your
security questions.  You still, as far as I know, have not done this.
So, OK maybe you're not a troll and I assumed wrong.  But I will point out
that you said absolutely nothing
in your first post about who you are, what you are doing, why you even give
a shit about this issue.  If you
had simply opened your first post with "I was shown this vulnerability by
our network security person
and I have to respond to him in some fashion" or something like that, it
would have gone a long way towards
establishing credibility as to why you cared about this.  If even better you
had done a bit of research and
said "well the vulnerability shows that OpenBSD already patched for this,
maybe FreeBSD should" or if
even better than that you had said "I looked at the OpenBSD patch and it's
really simple, could we use
it on FreeBSD" that would have done a lot to establishing that you were at
least willing to offer help and
assistance.
Instead, reread your second post - you not once offered to do anything, not
even apply the patch to see
if it compiled, all you did is ask for yet more research to be done for you.
Well we all are busy, you don't have a lock on that, buddy.
Apply the patch.  If the FreeBSD system doesn't panic then the patch isn't
grossly wrong.  If you do not
have a test system then don't apply it.  Either way, just take the patch to
the appropriate FreeBSD security forum
and post it with "some asshole on questions told me to apply this in results
of 
is this the right way to fix it?"
As I said, IF you are a fucking troll then you WOULDN'T do the above.  That
means that if you WOULD do the
above then you AREN'T a fucking troll.  You still have a chance to redeem
yourself. Do it!
FreeBSD is for adults, not kids.  Kids want the adults to do all their
homework for them.  Adults at least
try to do the homework, then call for help when they are stuck.  Look at
your first 2 posts again and
put yourself in my shoes - do those posts make you look like an adult, or a
whiny kid wanting someone
to do his homework for him?
Ted
 -Original Message-
 From: Tim Traver [mailto:[EMAIL PROTECTED]
 Sent: Thursday, May 19, 2005 11:24 PM
 To: Ted Mittelstaedt
 Cc: bsd
 Subject: Re: PAWS security vulnerability
 Ted,
 I don't know your experience lately with people on this or any other list,
but that last personal attack was WAY out of line. I am not a Troll, nor
have I ever been one. I use FreeBSD extensively on hundreds of servers, but
I am not a FreeBSD source contributor.
 Yes, I was shown this "vulnerability" by our network security person, read
it over, and thought that it might be a legitimate exploit. I even picked up
on the fact that Microsoft had already patched it in the service pack 2,
which may mean that it was under wraps for a while, and was suspicious. So,
after doing a little research on the net myself and not finding much, I
decided to post something to the list to see if anyone had heard anything
about it, and if the FreeBSD committers were

RE: PAWS security vulnerability

2005-05-20 Thread Ted Mittelstaedt
Tim,

In my first e-mail I said:

"If it works I would submit it to the FreeBSD security list"

OK, so I see how you might have misinterpreted that.  But the sentence "if
it works you would submit it to the FreeBSD security list" isn't
grammatically correct.

In my second e-mail I said:

"I told you to post the patch and info to the appropriate FreeBSD security
lists, and you aren't the least bit interested in doing what I told you"

On the index page of http://www.freebsd.org there is a link called "FAQ"

On that page is a link called "Security"

On that page is the text:

"...This point and others are often discussed on the mailing lists,
particularly the FreeBSD security mailing list"

with a link to the appropriate mailing list.

I find it real hard to believe you use FreeBSD on hundreds of servers and
are unaware of the appropriate forum to post security questions.  The
general freebsd questions mailing list is not this place.  You should
have known this before you even posted your first question.  Reading
instructions for products that you use is not optional, it is mandatory,
and FreeBSD's instructions are on the website.

You posted your query in the wrong forum, you got a patch in response
which is far more than you should have got, you were directed, hinting at
first, forcibly at second, to go to the appropriate forum to post the
patch, the results of the patch, and your security questions.  You still,
as far as I know, have not done this.

So, OK maybe you're not a troll and I assumed wrong.  But I will point out
that you said absolutely nothing in your first post about who you are,
what you are doing, why you even give a shit about this issue.  If you had
simply opened your first post with "I was shown this vulnerability by our
network security person and I have to respond to him in some fashion" or
something like that, it would have gone a long way towards establishing
credibility as to why you cared about this.  If even better you had done a
bit of research and said "well the vulnerability shows that OpenBSD
already patched for this, maybe FreeBSD should" or if even better than
that you had said "I looked at the OpenBSD patch and it's really simple,
could we use it on FreeBSD" that would have done a lot towards
establishing that you were at least willing to offer help and assistance.

Instead, reread your second post - you not once offered to do anything,
not even apply the patch to see if it compiled, all you did is ask for yet
more research to be done for you.

Well we all are busy, you don't have a lock on that, buddy.

Apply the patch.  If the FreeBSD system doesn't panic then the patch isn't
grossly wrong.  If you do not have a test system then don't apply it.
Either way, just take the patch to the appropriate FreeBSD security forum
and post it with "some asshole on questions told me to apply this in
results of 
is this the right way to fix it?"

As I said, IF you are a fucking troll then you WOULDN'T do the above.
That means that if you WOULD do the above then you AREN'T a fucking troll.
You still have a chance to redeem yourself. Do it!

FreeBSD is for adults, not kids.  Kids want the adults to do all their
homework for them.  Adults at least try to do the homework, then call for
help when they are stuck.  Look at your first 2 posts again and put
yourself in my shoes - do those posts make you look like an adult, or a
whiny kid wanting someone to do his homework for him?

Ted

  -Original Message-----
  From: Tim Traver [mailto:[EMAIL PROTECTED]
  Sent: Thursday, May 19, 2005 11:24 PM
  To: Ted Mittelstaedt
  Cc: bsd
  Subject: Re: PAWS security vulnerability


  Ted,

  I don't know your experience lately with people on this or any other list,
but that last personal attack was WAY out of line. I am not a Troll, nor
have I ever been one. I use FreeBSD extensively on hundreds of servers, but
I am not a FreeBSD source contributor.

  Yes, I was shown this "vulnerability" by our network security person, read
it over, and thought that it might be a legitimate exploit. I even picked up
on the fact that Microsoft had already patched it in the service pack 2,
which may mean that it was under wraps for a while, and was suspicious. So,
after doing a little research on the net myself and not finding much, I
decided to post something to the list to see if anyone had heard anything
about it, and if the FreeBSD committers were working on a possible patch.

  Maybe I wrote my post wrong, but it didn't deserve you biting my fucking
head off.

  Now, you'll probably start in on "well, if you run that many servers, then
why don't you know what you're doing?". I do know what I'm doing. I would
very well be able to apply your patch, and compile a new system. Problem is,
I'm afraid I don't quit

Re: PAWS security vulnerability

2005-05-19 Thread Tim Traver
Ted,
I don't know your experience lately with people on this or any other 
list, but that last personal attack was WAY out of line. I am not a 
Troll, nor have I ever been one. I use FreeBSD extensively on hundreds 
of servers, but I am not a FreeBSD source contributor.

Yes, I was shown this "vulnerability" by our network security person, 
read it over, and thought that it might be a legitimate exploit. I even 
picked up on the fact that Microsoft had already patched it in the 
service pack 2, which may mean that it was under wraps for a while, and 
was suspicious. So, after doing a little research on the net myself and 
not finding much, I decided to post something to the list to see if 
anyone had heard anything about it, and if the FreeBSD committers were 
working on a possible patch.

Maybe I wrote my post wrong, but it didn't deserve you biting my fucking 
head off.

Now, you'll probably start in on "well, if you run that many servers, 
then why don't you know what you're doing?". I do know what I'm doing. I 
would very well be able to apply your patch, and compile a new system. 
Problem is, I'm afraid I don't quite understand the vulnerability enough 
to properly test what it is supposed to fix...

I would first need a way to break it, and then after applying your 
patch, verify that I couldn't break it any longer. If I knew how to 
break it, then I would be a better programmer than you, which I am not, 
and have never claimed to be. From the description of the issue, it 
sounds like a single cleverly made TCP packet with a bogus timestamp on 
it could take down ALL of the TCP connections to that machine.

To quote the article :
"A large value is set by the attacker as the packet timestamp. When the 
target computer processes this packet, the internal timer is updated to 
the large attacker supplied value. This causes all other valid packets 
that are received subsequent to an attack to be dropped as they are 
deemed to be too old, or invalid."

That sounds like it is pretty serious to me. One packet takes down ALL 
TCP services to the machine. You make it sound like it's no big deal...Is 
it valid ? I don't know. I never claimed to know. I wasn't crying wolf 
here, just asking...

So, my statement of  "I'm not sure I have the ability to test out your 
patch." should really have been, "I don't have the knowledge enough of 
the vulnerability to test whether or not your patch works."

And I would hardly consider "If it works, I would submit it to the 
security list" as some sort of command that I was supposed to follow. 
After reading that email, I thought that you were going to submit it to 
the security list. After all, it's your fucking patch.

I am slowly working my way into the community, and would love to help 
with these kinds of things. But, like many other busy sys admins, I don't 
have a whole lot of spare time to work on things like this. Yes, if it 
was a serious problem enough to where I had to have a patch right away, 
I might have to devote some work time and give it a try for the team. 
I'm not sure that I know how serious it is, as I've already stated that 
I don't fully understand the supposed "vulnerability".

I hardly made any kind of desperate demands for someone to quickly make 
me a patch. You might want to go re-read those posts...

I can understand why you may have suspected troll because of the vague 
questions, but man, you flew off the handle awfully quick. Maybe you 
just need a vacation.

You bashed OpenBSD for their knee jerk reactions, and I think you just 
made a big one...

Tim.

Ted Mittelstaedt wrote:
Hi Tim,
 If you don't have the ability to test out the patch then LEARN!
 As the advisory said "no known exploits have been released"  I also
noticed that the only 2 vendors listed as implementing a fix were
Cisco and Microsoft. And Microsoft was NOT on the problem list for
ANY of their patched OSs.  I would therefore assume that the release
of this so-called vulnerability was carefully timed to take place
AFTER Microsoft had got its ass covered, to make them look good,
and everyone else look bad.  I continue therefore to assume that this
is a political security hole, not an actual security hole.
 OpenBSD is well known for knee-jerk reactions to real and supposed
security holes, so it's not surprising they released a patch right away
- of course, little good that did them since this advisory trashed them
anyway.  But knee jerk reactions don't always take all variables into
account.
 I rewrote their patch because it was simple and easy to apply to the
FreeBSD source - but I did not write the networking code in FreeBSD and
have no idea if it is correct, or if OpenBSD even wrote the fix properly,
or if in fact this is a real vulnerability that anyone needs to be
concerned about.  In theory

RE: PAWS security vulnerability

2005-05-19 Thread Ted Mittelstaedt
Hi Tim,

  If you don't have the ability to test out the patch then LEARN!

  As the advisory said "no known exploits have been released"  I also
noticed that the only 2 vendors listed as implementing a fix were
Cisco and Microsoft. And Microsoft was NOT on the problem list for
ANY of their patched OSs.  I would therefore assume that the release
of this so-called vulnerability was carefully timed to take place
AFTER Microsoft had got its ass covered, to make them look good,
and everyone else look bad.  I continue therefore to assume that this
is a political security hole, not an actual security hole.

  OpenBSD is well known for knee-jerk reactions to real and supposed
security holes, so it's not surprising they released a patch right away
- of course, little good that did them since this advisory trashed them
anyway.  But knee jerk reactions don't always take all variables into
account.

  I rewrote their patch because it was simple and easy to apply to the
FreeBSD source - but I did not write the networking code in FreeBSD and
have no idea if it is correct, or if OpenBSD even wrote the fix properly,
or if in fact this is a real vulnerability that anyone needs to be
concerned about.  In theory, any flat-key lock can be picked in less
than a minute (I've seen it done that fast, and done it myself somewhat
more slowly) but that does not stop millions of them from being sold
at Home Depot every year.  If people went to a different type of lock
that was much harder to pick then the burglar might not break in
by picking the lock - but instead by kicking in the door which has
the side effect of destroying the door and frame, and there's a couple
thousand bucks lost right there fixing that - and if all the burglar
does is steal a $200 TV set, then you're better off with the pickable lock.
The point is that any change in the networking code
may have side effects that are worse than the problem.

  I posted the patch in order to head off a big long dumbass trashing
discussion, because I suspected you were trolling - but I was willing
to give you the benefit of the doubt.  If you were really
concerned - such as if you worked for some company that had some
stick-up-their-ass security officer that was bigger than his britches,
and you had to have a fix RIGHT NOW - then this would have allowed you
to apply the patch to shut up the bigger-than-britches security officer
so you could continue about your business.  In the meantime then the
networking and security group could have had discussion about the
PROPER way to handle this.  Probably that's this patch, but maybe not.

  Now I find what?  Well, it surely looks to me like I just spoiled
your troll, so you're going to pretend it was no big deal, make a lame-ass
excuse about how you really didn't need the patch anyway and can't
apply it because you're incompetent, and fade into the woodwork.  I told
you to post the patch and info to the appropriate FreeBSD security lists,
and you aren't the least bit interested in doing what I told you.  Why -
because you were only interested in this silly hypothetical PAWS exploit
as long as nobody could say "FreeBSD has a fix, shut up and apply it",
so you can go urinate on the parade here.  Now I just handed you a
urinal, and you're going to run away and pee on someone else.

  I don't want to see a fucking thing more from you unless it's:

"Guys, I DID WHAT I WAS TOLD TO DO and went to the FreeBSD security and
networking
mailing lists and posted what I was given and this is what they said"

  If you aren't willing to lift a finger to do that, you're a fucking
troll.  Don't waste anyone else's time here.  Next time you ask for code,
you better check out the going hourly rate for custom programming.

Ted

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
> Sent: Thursday, May 19, 2005 1:27 PM
> To: Ted Mittelstaedt
> Cc: bsd
> Subject: Re: PAWS security vulnerability
> Importance: Low
>
>
> Ted,
>
> thanks for taking a look at this. I'm not sure I have the ability to
> test out your patch. Maybe someone else on this fine list can ?
>
> But this sounds like a pretty severe DOS issue that seems to be
> relatively simple to implement.
>
> Do you know if the 5.x branch is affected by this as well ?
>
> Tim.
>
>
> Ted Mittelstaedt wrote:
>
> >Hi Tim,
> >
> >  Here is a slight mod of the OpenBSD patch for OpenBSD 3.6
> that has been
> >rewritten for FreeBSD 4.11.  YMMV  If it works I would submit
> it to the
> >FreeBSD
> >security list.  The only change I made is OpenBSD defines "tiflags"
> >FreeBSD defines
> >"thflags" I assume they are the same thing.  The file is in
> >/usr/src/sys/netinet
> >
> >Turning off 

Re: PAWS security vulnerability

2005-05-19 Thread Tim Traver
Ted,
thanks for taking a look at this. I'm not sure I have the ability to 
test out your patch. Maybe someone else on this fine list can ?

But this sounds like a pretty severe DOS issue that seems to be 
relatively simple to implement.

Do you know if the 5.x branch is affected by this as well ?
Tim.
Ted Mittelstaedt wrote:
Hi Tim,
 Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
rewritten for FreeBSD 4.11.  YMMV.  If it works I would submit it to the
FreeBSD security list.  The only change I made is OpenBSD defines
"tiflags", FreeBSD defines "thflags"; I assume they are the same thing.
The file is in /usr/src/sys/netinet
Turning off the timestamps would be a good way to make your network go
slow.
*** tcp_input.c.originalThu May 19 11:52:30 2005
--- tcp_input.c Thu May 19 12:00:14 2005
***
*** 976,984 
--- 976,992 
* record the timestamp.
* NOTE that the test is modified according to the latest
* proposal of the [EMAIL PROTECTED] list (Braden
1993/04/26).
+* NOTE2 additional check added as a result of PAWS
vulnerability
+* documented in Cisco security notice
cisco-sn-20050518-tcpts
+* from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
*/
   if ((to.to_flags & TOF_TS) != 0 &&
   SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+   if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
+
+   ((thflags & (TH_SYN|TH_FIN)) != 0)))
+ tp->ts_recent = to.to_tsval;
+   else
+   tp->ts_recent = 0;
   tp->ts_recent_age = ticks;
   tp->ts_recent = to.to_tsval;
   }
Ted
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
Sent: Thursday, May 19, 2005 10:09 AM
To: bsd
Subject: PAWS security vulnerability
Hi all,
ok, this article was just published about a PAWS TCP DOS vulnerability,
and lists FreeBSD 4.x as affected.
http://www.securityfocus.com/bid/13676/info/
Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
and is 5.4 affected too ?
Tim.
   

 



RE: PAWS security vulnerability

2005-05-19 Thread Ted Mittelstaedt
Hi Tim,

  Here is a slight mod of the OpenBSD patch for OpenBSD 3.6 that has been
rewritten for FreeBSD 4.11.  YMMV.  If it works I would submit it to the
FreeBSD security list.  The only change I made is OpenBSD defines
"tiflags", FreeBSD defines "thflags"; I assume they are the same thing.
The file is in /usr/src/sys/netinet

Turning off the timestamps would be a good way to make your network go
slow.

*** tcp_input.c.originalThu May 19 11:52:30 2005
--- tcp_input.c Thu May 19 12:00:14 2005
***
*** 976,984 
--- 976,992 
 * record the timestamp.
 * NOTE that the test is modified according to the latest
 * proposal of the [EMAIL PROTECTED] list (Braden
1993/04/26).
+* NOTE2 additional check added as a result of PAWS
vulnerability
+* documented in Cisco security notice
cisco-sn-20050518-tcpts
+* from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
 */
if ((to.to_flags & TOF_TS) != 0 &&
SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+   if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
+
+   ((thflags & (TH_SYN|TH_FIN)) != 0)))
+ tp->ts_recent = to.to_tsval;
+   else
+   tp->ts_recent = 0;
tp->ts_recent_age = ticks;
tp->ts_recent = to.to_tsval;
}
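Review bot: the retained context line "tp->ts_recent = to.to_tsval;" at the bottom of the hunk still executes after the new if/else, so it overwrites both branches and the "else" that clears ts_recent to 0 never has any effect; that old assignment should appear as a removed line, leaving only "tp->ts_recent_age = ticks;" after the conditional. Separately, the header "*** 976,984" / "--- 976,992" accounts for 8 added lines while nine "+" lines are shown, which indicates the lone "+" line after "if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen" is the trailing plus operator of that condition wrapped by the mailer; anyone applying this from the mail needs to rejoin it as "th->th_seq + tlen +" before the "((thflags & (TH_SYN|TH_FIN)) != 0)))" line, or the patch will not compile.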

Ted

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Tim Traver
> Sent: Thursday, May 19, 2005 10:09 AM
> To: bsd
> Subject: PAWS security vulnerability
>
>
> Hi all,
>
> ok, this article was just published about a PAWS TCP DOS
> vulnerability,
> and lists freeBSD 4.x as affected.
>
> http://www.securityfocus.com/bid/13676/info/
>
> Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
>
> and is 5.4 affected too ?
>
> Tim.
>
>


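The ts_recent bookkeeping that this patch changes, replayed in a small user-space model. This is an added example, not code from the page or from FreeBSD; the struct layout, HZ and TCP_PAWS_IDLE are simplified assumptions, and the patched condition is taken with the trailing plus that the mail wrapping split onto its own line. It shows why a stale segment must not refresh ts_recent: under the old rule the genuine peer's very next segment fails the PAWS test.

```c
#include <stdbool.h>
#include <stdint.h>

/* Wrap-safe sequence/timestamp comparisons, imitating the kernel macros. */
#define SEQ_LEQ(a, b)   ((int32_t)((a) - (b)) <= 0)
#define TSTMP_LT(a, b)  ((int32_t)((a) - (b)) < 0)

#define TH_FIN  0x01
#define TH_SYN  0x02

#define HZ             100                       /* assumed tick rate */
#define TCP_PAWS_IDLE  (24 * 24 * 60 * 60 * HZ)  /* 24 days, per RFC 1323 */

struct tcpcb {                 /* only the fields the check depends on */
    uint32_t last_ack_sent;    /* highest ACK we have sent to the peer */
    uint32_t ts_recent;        /* peer's most recent timestamp, 0 = none */
    int      ts_recent_age;    /* tick count when ts_recent was recorded */
};

struct segment {               /* the parts of an incoming segment used */
    uint32_t seq;              /* th->th_seq */
    uint32_t tlen;             /* payload length */
    uint8_t  flags;            /* thflags */
    bool     has_ts;           /* timestamp option present (TOF_TS) */
    uint32_t tsval;            /* to.to_tsval */
};

typedef void (*ts_update_fn)(struct tcpcb *, const struct segment *, int);

/* Unpatched rule: any segment at or left of last_ack_sent refreshes ts_recent. */
static void ts_update_unpatched(struct tcpcb *tp, const struct segment *s, int ticks)
{
    if (s->has_ts && SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        tp->ts_recent_age = ticks;
        tp->ts_recent = s->tsval;
    }
}

/*
 * Patched rule from the hunk, with the wrapped trailing '+' rejoined: only a
 * segment whose data actually reaches last_ack_sent may refresh ts_recent.
 * A stale one clears it, which switches PAWS off until the next in-sequence
 * segment re-arms it.
 */
static void ts_update_patched(struct tcpcb *tp, const struct segment *s, int ticks)
{
    if (s->has_ts && SEQ_LEQ(s->seq, tp->last_ack_sent)) {
        if (SEQ_LEQ(tp->last_ack_sent,
                    s->seq + s->tlen + ((s->flags & (TH_SYN | TH_FIN)) != 0)))
            tp->ts_recent = s->tsval;
        else
            tp->ts_recent = 0;
        tp->ts_recent_age = ticks;
    }
}

/* The PAWS test itself: true when the segment would be dropped as too old. */
static bool paws_reject(struct tcpcb *tp, const struct segment *s, int ticks)
{
    if (s->has_ts && tp->ts_recent != 0 && TSTMP_LT(s->tsval, tp->ts_recent)) {
        if (ticks - tp->ts_recent_age > TCP_PAWS_IDLE) {
            tp->ts_recent = 0; /* ts_recent over 24 days old: forget it */
            return false;
        }
        return true;
    }
    return false;
}

/*
 * Replays the situation the quoted advisory text describes: a stale segment
 * carrying a very large timestamp arrives, then an ordinary in-sequence
 * segment from the real peer.  Returns true if the ordinary segment is
 * still accepted under the given update rule.  All values are constructed.
 */
static bool peer_survives(ts_update_fn update)
{
    struct tcpcb tp = { .last_ack_sent = 1000, .ts_recent = 5000,
                        .ts_recent_age = 0 };
    int ticks = 10;

    /* Stale segment: bytes 100..110 lie entirely before the 1000 we have
     * already acknowledged, so they cannot be current data.  Its tsval
     * looks "newer" than ts_recent, so PAWS itself does not reject it. */
    struct segment stale = { .seq = 100, .tlen = 10, .flags = 0,
                             .has_ts = true, .tsval = 0x7fffffffu };
    if (!paws_reject(&tp, &stale, ticks))
        update(&tp, &stale, ticks);

    /* Legitimate segment: the next data bytes with the next timestamp. */
    ticks += 1;
    struct segment good = { .seq = 1000, .tlen = 10, .flags = 0,
                            .has_ts = true, .tsval = 5001 };
    if (paws_reject(&tp, &good, ticks))
        return false;             /* the real peer is now locked out */
    update(&tp, &good, ticks);
    return tp.ts_recent == 5001;  /* PAWS re-armed with the genuine value */
}
```

peer_survives(ts_update_unpatched) returns false and peer_survives(ts_update_patched) returns true; the clearing to 0 in the patched else branch is the reason the hunk's leftover unconditional assignment matters.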

PAWS security vulnerability

2005-05-19 Thread Tim Traver
Hi all,
ok, this article was just published about a PAWS TCP DOS vulnerability, 
and lists FreeBSD 4.x as affected.

http://www.securityfocus.com/bid/13676/info/
Does anyone know how to turn the TCP timestamps off on FreeBSD 4.x ?
and is 5.4 affected too ?
Tim.


Re: Clock slew vulnerability in FreeBSD?

2005-03-11 Thread Anthony Atkielski
Bart Silverstrim writes:

> Wouldn't the skew resolution necessary for this tracking technique
> become useless with temperature variations, humidity, etc. that can 
> affect most systems over the course of the day/week/year?

That's one of my questions, too.  A technique that could identify 100
million different computers (as some people have speculated) would need
reliable precision to at least nine decimal places.  That's a pretty
tall order for something like measurement of clock slewing in TCP
packets.

There are other related problems.  So you identify computer A using its
unique clock slew.  How do you prove that in court?  If you move the
machine, or if you change anything about it, the RTC is likely to vary a
bit, changing the slew to a different value.  Just temperature
variations in the room can do that.

-- 
Anthony




Re: Clock slew vulnerability in FreeBSD?

2005-03-11 Thread Bart Silverstrim
On Mar 10, 2005, at 10:44 PM, Anthony Atkielski wrote:
Kris Kennaway writes:
Isn't this a non-problem if you use ntpd?
Unfortunately, no, because the TCP stacks on most systems don't use the
disciplined clock provided by NTP for the timestamps.  Instead they use
a clock based directly on the RTC, which reveals a characteristic skew
that is unique to each machine.
If the stacks used the NTP-disciplined actual time of day, plus perhaps
a randomizing factor to avoid revealing patterns, this technique would
become useless.
Wouldn't the skew resolution necessary for this tracking technique 
become useless with temperature variations, humidity, etc. that can 
affect most systems over the course of the day/week/year?



RE: Clock slew vulnerability in FreeBSD?

2005-03-10 Thread Ted Mittelstaedt

You're talking about this:

http://www.caida.org/outreach/papers/2005/fingerprinting/

>From educatedguesswork.org:

"The basic idea is that you use TCP timestamps to estimate how fast or
slow the remote clock is running. This doesn't give you enough
information to uniquely identify the remote machine, but it does give you
a way to assess whether two given machines are the same. Possible uses
include determining when two machines that have the same address are in
fact different machines (e.g., they're behind a NAT) or whether two
machines with different IP address are actually the same machine (e.g., a
honeypot)."

Anthony, I think you're a bit mistaken in your description.  This does not
appear to be much of a security hole.  NATs are de facto these days on the
Internet and any cracker is going to assume that there's a good chance
he's attacking a NAT.

Ted

> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Anthony
> Atkielski
> Sent: Thursday, March 10, 2005 6:46 PM
> To: freebsd-questions@freebsd.org
> Subject: Clock slew vulnerability in FreeBSD?
>
>
> How vulnerable is FreeBSD to the recently announced technique for
> individually identifying computers by the clock slew apparent in TCP
> packets?  If it is vulnerable to this, will there be any plans to
> address the vulnerability?
>
> --
> Anthony
>
>
>



Re: Clock slew vulnerability in FreeBSD?

2005-03-10 Thread Anthony Atkielski
Kris Kennaway writes:

> Isn't this a non-problem if you use ntpd?

Unfortunately, no, because the TCP stacks on most systems don't use the
disciplined clock provided by NTP for the timestamps.  Instead they use
a clock based directly on the RTC, which reveals a characteristic skew
that is unique to each machine.

If the stacks used the NTP-disciplined actual time of day, plus perhaps
a randomizing factor to avoid revealing patterns, this technique would
become useless.

-- 
Anthony




Re: Clock slew vulnerability in FreeBSD?

2005-03-10 Thread Anthony Atkielski
Bnonn writes:

> Is this technically a vulnerability, or is it just a side-effect of how
> computers operate?

It's a vulnerability in the sense that it can leak confidential
information about a system's identity.  It's not a side-effect of how
computers operate, but rather a side-effect of how most TCP stacks are
implemented.

> I was of the impression that this is quite an unavoidable issue, given
> how it seems to apply to any computer regardless of OS, but I haven't
> researched the issue much myself. Interesting question.

It seems to be unavoidable only in the sense that most operating systems
are not designed to protect against it (yet).  I think the claims of the
researchers are overly optimistic, but time will tell.

In any case, in the interest of security, it would be nice to see it
addressed.  I read that FreeBSD can be configured to avoid the problem
completely by disabling the timestamps upon which the technique depends,
but I don't remember the details.  And if one still wants to use
timestamps, it would be good if they could be used without leaking any
information.

-- 
Anthony




Re: Clock slew vulnerability in FreeBSD?

2005-03-10 Thread Kris Kennaway
On Fri, Mar 11, 2005 at 03:45:39AM +0100, Anthony Atkielski wrote:
> How vulnerable is FreeBSD to the recently announced technique for
> individually identifying computers by the clock slew apparent in TCP
> packets?  If it is vulnerable to this, will there be any plans to
> address the vulnerability?

Isn't this a non-problem if you use ntpd?

Kris


Re: Clock slew vulnerability in FreeBSD?

2005-03-10 Thread Bnonn
Is this technically a vulnerability, or is it just a side-effect of how 
computers operate? I was of the impression that this is quite an 
unavoidable issue, given how it seems to apply to any computer 
regardless of OS, but I haven't researched the issue much myself. 
Interesting question.

Anthony Atkielski wrote:
How vulnerable is FreeBSD to the recently announced technique for
individually identifying computers by the clock slew apparent in TCP
packets?  If it is vulnerable to this, will there be any plans to
address the vulnerability?


Clock slew vulnerability in FreeBSD?

2005-03-10 Thread Anthony Atkielski
How vulnerable is FreeBSD to the recently announced technique for
individually identifying computers by the clock slew apparent in TCP
packets?  If it is vulnerable to this, will there be any plans to
address the vulnerability?

-- 
Anthony




SMBFS vulnerability

2004-11-22 Thread Skylar Thompson
I just read about Linux's vulnerability WRT SMBFS. Does FreeBSD suffer 
from the same vulnerability?

--
-- Skylar Thompson ([EMAIL PROTECTED])
-- http://www.os2.dhs.org/~skylar/


Re: ports vulnerability check

2004-02-14 Thread Kris Kennaway
On Sun, Feb 15, 2004 at 01:22:51AM -0500, dave wrote:
> Hello,
> I started seeing this in late 5.1 and now in 5.2 as well. When I am
> compiling a port the first message I get is "Vulnerability check disabled"
> What is this? Should I be worried about it?

See /usr/ports/CHANGES

Kris




ports vulnerability check

2004-02-14 Thread dave
Hello,
I started seeing this in late 5.1 and now in 5.2 as well. When I am
compiling a port the first message I get is "Vulnerability check disabled"
What is this? Should I be worried about it?
Thanks.
Dave.



Re: Vulnerability check disabled

2004-02-04 Thread Ion-Mihai Tetcu
On Wed, 4 Feb 2004 19:12:57 +
Ceri Davies <[EMAIL PROTECTED]> wrote:

> On Wed, Feb 04, 2004 at 01:25:44PM -0500, Joe Marcus Clarke wrote:
> > On Wed, 2004-02-04 at 13:17, Ion-Mihai Tetcu wrote:
> > > On Wed, 4 Feb 2004 19:31:27 +1100
> > > Gautam Gopalakrishnan <[EMAIL PROTECTED]> wrote:
> > > 
> > > > Hello,
> > > > 
> > > > Hope I'm not missing something obvious, but since today morning, I've
> > > > been getting weird warnings when running make in the ports:
> > > > 
> > > > [madras!/usr/ports/www/apache13]# make fetch-recursive
> > > > ===> Fetching all distfiles for apache-1.3.29_1 and dependencies
> > > > ===>  Vulnerability check disabled

[..]

> > This thread doesn't cover the vulnerability change.  Basically, we now
> > have the ability to keep a dynamic database of ports vulnerabilities
> > which the ports system can check.  If you do not have the database
> > installed, you'll get the benign Vulnerability check disabled message.
> 
> True, but would it be possible to just have the warning emitted once,
> say just before the "build" target?

Yes, please don't break fetching with this. Fetch should mean fetch.
Stop building if necessary, but let fetch go.


-- 
IOnut
Unregistered ;) FreeBSD user


Re: Vulnerability check disabled

2004-02-04 Thread Ion-Mihai Tetcu
On Wed, 4 Feb 2004 21:26:01 +0200
Ion-Mihai Tetcu <[EMAIL PROTECTED]> wrote:

[..]

> >>> Type: FEATURE
> 
>  Title: Do not install ports with security vulnerabilities
 
[..]
 
> Now, maybe this could be clarified a little bit in CHANGES ?
> 
> Like:
> __
> 
> For using the new security feature of ports infrastructure, you should:
> cd /usr/ports/security/portaudit; make install

Note that this is a prerelease version, it is mostly usable for
committers that want to contribute to the project, and can currently
not be relied upon as an extensive security auditing tool.

> /usr/local/etc/periodic/daily/330.fetchaudit
> To test:
> cd /usr/ports/security/vulnerability-test-port
> make INSTALLATION_DATE=`date -u -v-14d "+%Y.%m.%d"` install
> 
> A message like this should appear:
>  ===>  vulnerability-test-port-2004.01.14 has known vulnerabilities:
>  >> Not vulnerable, just a test port (database: 2004-01-28).
> Reference: 
> <http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vulnerability-test-port/>
>  >> Please update your ports tree and try again.
>  *** Error code 1
> 
> If you don't install this port, for the majority of make's targets you
> will get the following message:
> ===>  Vulnerability check disabled
> __
> 
> 
> IMHO, as this is a long desired feature, a news item on announce@ / security /
> security-notifications could be sent.
> 
> Now, what is the status of the vulnerabilities database ?

Did I just respond to my question ?

-- 
IOnut
Unregistered ;) FreeBSD user


Re: Vulnerability check disabled

2004-02-04 Thread Ion-Mihai Tetcu
On Wed, 04 Feb 2004 13:25:44 -0500
Joe Marcus Clarke <[EMAIL PROTECTED]> wrote:

> On Wed, 2004-02-04 at 13:17, Ion-Mihai Tetcu wrote:
> > On Wed, 4 Feb 2004 19:31:27 +1100
> > Gautam Gopalakrishnan <[EMAIL PROTECTED]> wrote:
> > 
> > > Hello,
> > > 
> > > Hope I'm not missing something obvious, but since today morning, I've
> > > been getting weird warnings when running make in the ports:
> > > 
> > > [madras!/usr/ports/www/apache13]# make fetch-recursive
> > > ===> Fetching all distfiles for apache-1.3.29_1 and dependencies
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > [madras!/usr/ports/www/apache13]# cd ../mod_php4
> > > [madras!/usr/ports/www/mod_php4]# make fetch
> > > ===>  Vulnerability check disabled
> > > [madras!/usr/ports/www/mod_php4]# 
> > > 
> > > Happened in www/zope as well.
> > 
> > What about reading 
> > /usr/ports/CHANGES ?
> 
> Yep, that will talk about it.

I hope you did get some sleep since freezing the ports ;) ?
 
> > From: Joe Marcus Clarke <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: HEADS UP: MAJOR changes to the ports system
> > thread on ports ?
> 
> This thread doesn't cover the vulnerability change.  Basically, we now
> have the ability to keep a dynamic database of ports vulnerabilities
> which the ports system can check.  If you do not have the database
> installed, you'll get the benign Vulnerability check disabled message.

>>> Type: FEATURE

 Title: Do not install ports with security vulnerabilities

 Affects: bsd.port.mk

 Description: A new vulnerabilities database has been added to the
 ports system in order to keep more accurate, up-to-date, track of
 security vulnerabilities.  The ports system now knows how to query
 that database and dynamically prevents the installation of vulnerable
 ports.

 PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=62039

>>> Submitted by: eik

Now, maybe this could be clarified a little bit in CHANGES ?

Like:
__

To use the new security feature of the ports infrastructure, you should:
cd /usr/ports/security/portaudit; make install
/usr/local/etc/periodic/daily/330.fetchaudit

To test:
cd /usr/ports/security/vulnerability-test-port
make INSTALLATION_DATE=`date -u -v-14d "+%Y.%m.%d"` install

A message like this should appear:
 ===>  vulnerability-test-port-2004.01.14 has known vulnerabilities:
 >> Not vulnerable, just a test port (database: 2004-01-28).
Reference: 
<http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/vulnerability-test-port/>
 >> Please update your ports tree and try again.
 *** Error code 1

If you don't install this port, for the majority of make's targets you
will get the following message:
===>  Vulnerability check disabled
__


IMHO, as this is a long desired feature, a news item on announce@ / security /
security-notifications could be sent.

Now, what is the status of the vulnerabilities database ?

-- 
IOnut
Unregistered ;) FreeBSD user
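The CHANGES text above describes three situations the ports tree can find itself in: no vulnerability database installed (the benign "Vulnerability check disabled" message), a database that is too old to trust (the test port's "Please update your ports tree" output), and a current one. The following shell check classifies a database file the same way. It is an added example written for this archive, not code from the thread or from the FreeBSD ports tree: the file path, the 14-day freshness window and the status words are assumptions chosen for illustration, and the real ports check keys off its own files.

```shell
#!/bin/sh
# Added example (not from the thread or the ports tree): classify a
# vulnerability-database file the way the ports system reacts to it.
# Assumptions: the path and the 14-day freshness window are placeholders.

# audit_db_status FILE [MAX_AGE_DAYS]
#   prints "disabled" if FILE is missing (the state in which the ports
#   tree prints "Vulnerability check disabled" and carries on),
#   "stale" if FILE is older than MAX_AGE_DAYS (default 14), or
#   "current" otherwise; the return code mirrors the word (0, 1, 2).
audit_db_status() {
    db="$1"
    max_days="${2:-14}"
    if [ ! -f "$db" ]; then
        echo "disabled"
        return 1
    fi
    # POSIX find: -mtime +N matches files last modified more than N*24h ago
    if [ -n "$(find "$db" -mtime +"$max_days")" ]; then
        echo "stale"
        return 2
    fi
    echo "current"
    return 0
}

# demo_audit_db: walk through the three states with a constructed file
# in a scratch directory (no real database is touched).
demo_audit_db() {
    dir=$(mktemp -d) || return 1
    audit_db_status "$dir/auditfile"          # no file yet: disabled
    : > "$dir/auditfile"
    audit_db_status "$dir/auditfile"          # freshly written: current
    touch -t 200401280000 "$dir/auditfile"    # backdate to 2004-01-28: stale
    audit_db_status "$dir/auditfile"
    rm -rf "$dir"
}

# run the walkthrough only when invoked as: sh this_script.sh demo
case "${1:-}" in
    demo) demo_audit_db ;;
esac
```

The return codes are what make this usable from a periodic script: a nonzero status from `audit_db_status` on the real database path can abort a scripted build before any port is installed, which is the behaviour Ceri and IOnut ask for above (warn once, stop only where it matters).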


Re: Vulnerability check disabled

2004-02-04 Thread Ceri Davies
On Wed, Feb 04, 2004 at 01:25:44PM -0500, Joe Marcus Clarke wrote:
> On Wed, 2004-02-04 at 13:17, Ion-Mihai Tetcu wrote:
> > On Wed, 4 Feb 2004 19:31:27 +1100
> > Gautam Gopalakrishnan <[EMAIL PROTECTED]> wrote:
> > 
> > > Hello,
> > > 
> > > Hope I'm not missing something obvious, but since today morning, I've
> > > been getting weird warnings when running make in the ports:
> > > 
> > > [madras!/usr/ports/www/apache13]# make fetch-recursive
> > > ===> Fetching all distfiles for apache-1.3.29_1 and dependencies
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > ===>  Vulnerability check disabled
> > > [madras!/usr/ports/www/apache13]# cd ../mod_php4
> > > [madras!/usr/ports/www/mod_php4]# make fetch
> > > ===>  Vulnerability check disabled
> > > [madras!/usr/ports/www/mod_php4]# 
> > > 
> > > Happened in www/zope as well.
> > 
> > What about reading 
> > /usr/ports/CHANGES ?
> 
> Yep, that will talk about it.
> 
> > and
> > 
> > From: Joe Marcus Clarke <[EMAIL PROTECTED]>
> > To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> > Subject: HEADS UP: MAJOR changes to the ports system
> > thread on ports ?
> 
> This thread doesn't cover the vulnerability change.  Basically, we now
> have the ability to keep a dynamic database of ports vulnerabilities
> which the ports system can check.  If you do not have the database
> installed, you'll get the benign Vulnerability check disabled message.

True, but would it be possible to just have the warning emitted once,
say just before the "build" target?

Ceri
-- 




Re: Vulnerability check disabled

2004-02-04 Thread Joe Marcus Clarke
On Wed, 2004-02-04 at 13:17, Ion-Mihai Tetcu wrote:
> On Wed, 4 Feb 2004 19:31:27 +1100
> Gautam Gopalakrishnan <[EMAIL PROTECTED]> wrote:
> 
> > Hello,
> > 
> > Hope I'm not missing something obvious, but since today morning, I've
> > been getting weird warnings when running make in the ports:
> > 
> > [madras!/usr/ports/www/apache13]# make fetch-recursive
> > ===> Fetching all distfiles for apache-1.3.29_1 and dependencies
> > ===>  Vulnerability check disabled
> > ===>  Vulnerability check disabled
> > ===>  Vulnerability check disabled
> > ===>  Vulnerability check disabled
> > [madras!/usr/ports/www/apache13]# cd ../mod_php4
> > [madras!/usr/ports/www/mod_php4]# make fetch
> > ===>  Vulnerability check disabled
> > [madras!/usr/ports/www/mod_php4]# 
> > 
> > Happened in www/zope as well.
> 
> What about reading 
> /usr/ports/CHANGES ?

Yep, that will talk about it.

> and
> 
> From: Joe Marcus Clarke <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
> Subject: HEADS UP: MAJOR changes to the ports system
> thread on ports ?

This thread doesn't cover the vulnerability change.  Basically, we now
have the ability to keep a dynamic database of ports vulnerabilities
which the ports system can check.  If you do not have the database
installed, you'll get the benign Vulnerability check disabled message.

Joe

-- 
PGP Key : http://www.marcuscom.com/pgp.asc






Re: Vulnerability check disabled

2004-02-04 Thread Ion-Mihai Tetcu
On Wed, 4 Feb 2004 19:31:27 +1100
Gautam Gopalakrishnan <[EMAIL PROTECTED]> wrote:

> Hello,
> 
> Hope I'm not missing something obvious, but since today morning, I've
> been getting weird warnings when running make in the ports:
> 
> [madras!/usr/ports/www/apache13]# make fetch-recursive
> ===> Fetching all distfiles for apache-1.3.29_1 and dependencies
> ===>  Vulnerability check disabled
> ===>  Vulnerability check disabled
> ===>  Vulnerability check disabled
> ===>  Vulnerability check disabled
> [madras!/usr/ports/www/apache13]# cd ../mod_php4
> [madras!/usr/ports/www/mod_php4]# make fetch
> ===>  Vulnerability check disabled
> [madras!/usr/ports/www/mod_php4]# 
> 
> Happened in www/zope as well.

What about reading 
/usr/ports/CHANGES ?
and

From: Joe Marcus Clarke <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: HEADS UP: MAJOR changes to the ports system
thread on ports ?



-- 
IOnut
Unregistered ;) FreeBSD user


Re: Vulnerability check disabled

2004-02-04 Thread Kris Kennaway
On Wed, Feb 04, 2004 at 07:31:27PM +1100, Gautam Gopalakrishnan wrote:
> Hello,
> 
> Hope I'm not missing something obvious, but since today morning, I've
> been getting weird warnings when running make in the ports:

Ports questions should be asked on ports@

Kris




Vulnerability check disabled

2004-02-04 Thread Gautam Gopalakrishnan
Hello,

Hope I'm not missing something obvious, but since today morning, I've
been getting weird warnings when running make in the ports:

[madras!/usr/ports/www/apache13]# make fetch-recursive
===> Fetching all distfiles for apache-1.3.29_1 and dependencies
===>  Vulnerability check disabled
===>  Vulnerability check disabled
===>  Vulnerability check disabled
===>  Vulnerability check disabled
[madras!/usr/ports/www/apache13]# cd ../mod_php4
[madras!/usr/ports/www/mod_php4]# make fetch
===>  Vulnerability check disabled
[madras!/usr/ports/www/mod_php4]# 

Happened in www/zope as well.

Thanks
Gautam


Re: vulnerability in su?

2003-11-09 Thread krs
On Sat, Nov 08, 2003 at 10:49:35PM -0800, Derrick Ryalls wrote:
> > 
> > while recently cvsup'ing my box here at home, i had a weird thing happen...
> > 
> > i had already built world, built and installed the kernel, installed world
> > (including all appropriate reboots), and when i brought it back up, but
> > prior to running mergemaster, i popped the jumper on the circuit the box is
> > on.  my ups is somewhat wimpy, and only lasts a couple minutes (the fuse
> > trips all the time too.. stupid apartment wiring can't handle 2 computers
> > and the washer and dryer at once =P ) so i made it a priority to go ahead
> > and shut the box down.  after fixing said jumper and bringing the box back
> > up i noticed that i could now su like a madman, without ever being prompted
> > for passwords.  i then remembered that i hadn't run mergemaster yet, so i
> > ran it again and rebooted for safe measure and su started asking for
> > passwords again.
> > 
> 
> I think the only time this happens is if the root password is blank.  It
> is possible that one of your mergemaster runs put in the default root
> password (blank).
> 
> 
well, it wasn't just the root password...  for example i was able to login to
one of my non-wheel accounts, su to my personal account (which is in wheel),
and then su right to root as well.  in addition, none of the passwords were
actually blank, because i actually plugged a monitor and keyboard into the box
and logged in locally as root, which required me to put my password in.  all
of my accounts did, in fact.

-kirt


Re: vulnerability in su?

2003-11-09 Thread Kris Kennaway
On Sat, Nov 08, 2003 at 08:23:25PM -0500, kirt wrote:

> is this a known issue?  i didn't search too hard for a fix or anything since i
> quickly fixed it myself, but i thought that a situation like that could make
> for some interesting (read *bad*) situations.

It's certainly possible to compromise your system in this way if you
incorrectly update your /etc (e.g. by making a mistake with mergemaster).

Kris




RE: vulnerability in su?

2003-11-08 Thread Derrick Ryalls
> 
> while recently cvsup'ing my box here at home, i had a weird thing happen...
> 
> i had already built world, built and installed the kernel, installed world
> (including all appropriate reboots), and when i brought it back up, but
> prior to running mergemaster, i popped the jumper on the circuit the box is
> on.  my ups is somewhat wimpy, and only lasts a couple minutes (the fuse
> trips all the time too.. stupid apartment wiring can't handle 2 computers
> and the washer and dryer at once =P ) so i made it a priority to go ahead
> and shut the box down.  after fixing said jumper and bringing the box back
> up i noticed that i could now su like a madman, without ever being prompted
> for passwords.  i then remembered that i hadn't run mergemaster yet, so i
> ran it again and rebooted for safe measure and su started asking for
> passwords again.
> 

I think the only time this happens is if the root password is blank.  It
is possible that one of your mergemaster runs put in the default root
password (blank).


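Derrick's hypothesis above (a blank root password left behind by a mergemaster run) can be checked for directly rather than by trying su from a non-wheel account. The following is an added example, not code from the thread: it scans a master.passwd-format file for accounts whose password field is empty, which is the one state in which no password is asked for at all. The file contents it writes are constructed sample lines, and the hash shown for the ordinary user is a placeholder, not a real one.

```shell
#!/bin/sh
# Added example (not from the thread): report accounts whose password
# field is empty in a master.passwd-style file.  An empty second field
# means no password is required, which is the condition Derrick describes.

# empty_password_accounts FILE
#   prints one user name per line for every non-comment entry whose
#   second colon-separated field (the password hash) is empty.
empty_password_accounts() {
    awk -F: '$0 !~ /^#/ && NF >= 2 && $2 == "" { print $1 }' "$1"
}

# locked_accounts FILE
#   prints accounts whose hash is "*": no valid hash, so no password login.
locked_accounts() {
    awk -F: '$0 !~ /^#/ && $2 == "*" { print $1 }' "$1"
}

# make_sample FILE: write a constructed master.passwd-style fixture.
# Field order: name:password:uid:gid:class:change:expire:gecos:home:shell
make_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real system file
root::0:0::0:0:Charlie &:/root:/bin/csh
toor:*:0:0::0:0:Bourne-again Superuser:/root:
daemon:*:1:1::0:0:Owner of many system processes:/root:/usr/sbin/nologin
kirt:$1$PLACEHOLDER$notarealhash:1001:1001::0:0:Kirt:/home/kirt:/bin/sh
EOF
}

# audit_file FILE: print a summary and return nonzero when any account has
# an empty password field, so a periodic job can alert on the result.
audit_file() {
    empties=$(empty_password_accounts "$1")
    if [ -n "$empties" ]; then
        # word-split on purpose: one line per offending account name
        printf 'empty password field: %s\n' $empties
        return 1
    fi
    echo "no empty password fields in $1"
    return 0
}

# run against the constructed fixture when invoked as: sh this_script.sh demo
case "${1:-}" in
    demo)
        f=$(mktemp) || exit 1
        make_sample "$f"
        audit_file "$f"
        rm -f "$f"
        ;;
esac
```

On a real host the same functions run against /etc/master.passwd as root; a nonzero exit from `audit_file` after an installworld is a cheap signal that /etc was not merged the way you expected, which is the failure Kris describes in his reply.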


vulnerability in su?

2003-11-08 Thread kirt
while recently cvsup'ing my box here at home, i had a weird thing happen...

i had already built world, built and installed the kernel, installed world (including all
appropriate reboots), and when i brought it back up, but prior to running mergemaster, i
popped the jumper on the circuit the box is on.  my ups is somewhat wimpy, and only lasts
a couple minutes (the fuse trips all the time too.. stupid apartment wiring can't handle
2 computers and the washer and dryer at once =P ) so i made it a priority to go ahead and
shut the box down.  after fixing said jumper and bringing the box back up i noticed that i
could now su like a madman, without ever being prompted for passwords.  i then remembered
that i hadn't run mergemaster yet, so i ran it again and rebooted for safe measure and su
started asking for passwords again.

is this a known issue?  i didn't search too hard for a fix or anything since i quickly
fixed it myself, but i thought that a situation like that could make for some interesting
(read *bad*) situations.

-kirt


Re: security vulnerability in dump

2003-01-07 Thread Shaun Dwyer
Kirk Strauser wrote:

> At 2003-01-07T17:35:49Z, Andrew Prewett <[EMAIL PROTECTED]> writes:
> 
> > Normally the master.passwd is backed up regularly by cron (/var/backups),
> > so maybe no need to backup it again.
> 
> Were you joking?  Surely you're not implying that there's no need to copy
> the data to tape (which is the most common use for dump) since it now exists
> in two places on the same hard drive - are you?


I do dumps to another HDD on another machine over NFS :)

Much cheaper than an equivalent size and speed tape drive + media.

--Shaun


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message



Data vulnerability (Was: security vulnerability in dump)

2003-01-07 Thread Mike Meyer
In <[EMAIL PROTECTED]>, Andrew Prewett 
<[EMAIL PROTECTED]> typed:
> Today Mike Meyer wrote:
> > In <[EMAIL PROTECTED]>, Andrew Prewett 
><[EMAIL PROTECTED]> typed:
> > > Today Kirk Strauser wrote:
> > > > At 2003-01-07T17:35:49Z, Andrew Prewett <[EMAIL PROTECTED]> writes:
> > > > >  Normally the master.passwd is backed up regularly by cron (/var/backups),
> > > > > so maybe no need to backup it again.
> > > > Were you joking?  Surely you're not implying that there's no need to copy
> > > > the data to tape (which is the most common use for dump) since it now exists
> > > > in two places on the same hard drive - are you?
> > >  If /etc and /var are on the same HD, then it's not a production
> > > machine or the setup is simply wrong.
> > It may not be a machine you'd want to use for what you use production
> > machines for, but there are a fair number of production uses where you
> > only have one hd, or where having /var and /etc on the same file
> > system are acceptable.
>  Yes, it depends. Sure, if it's not a home pc, then backup is a must,
> regardless how many hd's are in the machine. But I wouldn't put / and /var
> on the same fs, even on my home pc.

Even if it *is* a home pc, backup is a must. Any backup that sits on
the same machine is pretty much irrelevant. Sitting on the same disk
is just a worse case of irrelevant. The daily backups of /etc/whatever
are at best a convenience, and nobody competent would depend on them
as the sole backup of those files. Personally, I may have as many as
six current copies of the files in /etc: The one in /etc, the system
backup in /var, the copy I store in perforce, and the backups of each
of those.

I keep / and /var on the same fs on two of my home machines. That's
because nothing crucial is going on on /var, and they both get the
same treatment for backups. For the non-production machine, it's
storage of the files I touch in perforce. For the machine that sits on
my desktop, it's a daily backup of the root file system, with weekly
backups that go offsite.

There's no universally applicable reason to put /var on a separate
file system. Various reasons may apply to any given production system,
and one or more probably apply to most. But just because you've never
encountered a machine that one of those reasons didn't apply to
doesn't mean that such machines don't exist.

  http://www.mired.org/consulting.html
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.




Re: security vulnerability in dump

2003-01-07 Thread Kirk Strauser

At 2003-01-07T22:50:08Z, Andrew Prewett <[EMAIL PROTECTED]> writes:

>  No, "umgekehrt" (the other way round), ideally / should be on a separate
> drive and /home, /var, /usr on another drive(s). I mean, I wouldn't put my
> company database, fileserver, etc. on a machine with only one drive. So, my
> wording was maybe a little hard in the previous post - English is not my
> first language.

I administer quite a few webservers with exactly that setup.  Why?  Because
at no more than 1-2 hits per second sustained, that single ATA-100 HD is
nowhere near I/O bound.

On the other hand, no machine I have control over goes without backups, down
to my wife's little iMac, and including the terraservers with large mirrored
RAID setups.  Regardless of how many redundant copies of a file I have on
the same machine, there ain't no RAID that can cope gracefully with a fire
or tornado.  *All* machines are dumped to offsite tapes, period.
-- 
Kirk Strauser
In Googlis non est, ergo non est.




Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Ed Hall wrote:

> > Today Kirk Strauser wrote:
> > > At 2003-01-07T17:35:49Z, Andrew Prewett <[EMAIL PROTECTED]>
> writes:
> > > >  Normally the master.passwd is backed up regularly by cron
> (/var/backups),
> > > > so maybe no need to backup it again.
> >
> > > Were you joking?  Surely you're not implying that there's no need to copy
> > > the data to tape (which is the most common use for dump) since it now
> exists
> > > in two places on the same hard drive - are you?
>
> > If /etc and /var are on the same HD, then it's not a production
> > machine or the setup is simply wrong.
>
> Ri-i-ight...  So I should add a second HD to every server in the rack, hmmm?
> It's standard practice to make /var its own filesystem, but where do you
> get the idea that it should be on its own drive?

 No, "umgekehrt" (the other way round), ideally / should be on a separate
drive and /home, /var, /usr on another drive(s). I mean, I wouldn't put my
company database, fileserver, etc. on a machine with only one drive. So, my
wording was maybe a little hard in the previous post - English is not my
first language.

-andrew





Re: security vulnerability in dump

2003-01-07 Thread Andrew Prewett
Today Mike Meyer wrote:

> In <[EMAIL PROTECTED]>, Andrew Prewett 
><[EMAIL PROTECTED]> typed:
> > Today Kirk Strauser wrote:
> > > At 2003-01-07T17:35:49Z, Andrew Prewett <[EMAIL PROTECTED]> writes:
> > > >  Normally the master.passwd is backed up regularly by cron (/var/backups),
> > > > so maybe no need to backup it again.
> > > Were you joking?  Surely you're not implying that there's no need to copy
> > > the data to tape (which is the most common use for dump) since it now exists
> > > in two places on the same hard drive - are you?
> >  If /etc and /var are on the same HD, then it's not a production
> > machine or the setup is simply wrong.
>
> It may not be a machine you'd want to use for what you use production
> machines for, but there are a fair number of production uses where you
> only have one hd, or where having /var and /etc on the same file
> system are acceptable.

 Yes, it depends. Sure, if it's not a home pc, then backup is a must,
regardless how many hd's are in the machine. But I wouldn't put / and /var
on the same fs, even on my home pc.

-andrew

P.S.: sorry for the double post, my sendmail got SIGSEGV after I
hacked a bit, and didn't check the queue before reposting the same
article.





Re: security vulnerability in dump

2003-01-07 Thread Mike Meyer
In <[EMAIL PROTECTED]>, Andrew Prewett 
<[EMAIL PROTECTED]> typed:
> Today Kirk Strauser wrote:
> > At 2003-01-07T17:35:49Z, Andrew Prewett <[EMAIL PROTECTED]> writes:
> > >  Normally the master.passwd is backed up regularly by cron (/var/backups),
> > > so maybe no need to backup it again.
> > Were you joking?  Surely you're not implying that there's no need to copy
> > the data to tape (which is the most common use for dump) since it now exists
> > in two places on the same hard drive - are you?
>  If /etc and /var are on the same HD, then it's not a production
> machine or the setup is simply wrong.

It may not be a machine you'd want to use for what you use production
machines for, but there are a fair number of production uses where you
only have one hd, or where having /var and /etc on the same file
system are acceptable.

  http://www.mired.org/consulting.html
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.



