
BSDFreaks.nl

For starters and advanced *BSD users


[FreeBSD] Security Advisory libkvm

September 17, 2002 by Rob

A security hole has been found in libkvm.
[quote]
[b]FreeBSD-SA-02:39.libkvm: “Applications using libkvm may leak sensitive descriptors”[/b]

FreeBSD-SA-02:39.libkvm Security Advisory
The FreeBSD Project

Topic: Applications using libkvm may leak sensitive descriptors

Category: core
Module: libkvm
Announced: 2002-09-16
Credits: David Endler

Affects: All releases prior to and including 4.6.2-RELEASE.
Security branch releases prior to 4.4-RELEASE-p27,
4.5-RELEASE-p20, and 4.6.2-RELEASE-p2.
Corrected: 2002-09-13 14:53:43 UTC (RELENG_4)
2002-09-13 15:04:22 UTC (RELENG_4_6)
2002-09-13 15:07:26 UTC (RELENG_4_5)
2002-09-13 15:09:07 UTC (RELENG_4_4)
FreeBSD only: NO

I. Background

The kvm(3) library provides a uniform interface for accessing kernel
virtual memory images, including live systems and crash dumps. Access
to live systems is via /dev/mem and /dev/kmem. Memory can be read and written, kernel symbol addresses can be looked up efficiently, and
information about user processes can be gathered.

The kvm_openfiles(3) function opens the special device files /dev/mem
and /dev/kmem, and returns an opaque handle that must be passed
to the other library functions.

II. Problem Description

Applications that wish to present system information such as swap
utilization, virtual memory utilization, CPU utilization, and
so on may use the kvm(3) library to read kernel memory directly
and gather this information. Such applications typically must
be run set-group-ID kmem so that the call to kvm_openfiles(3)
can access /dev/mem and /dev/kmem.
If the application then uses exec(2) to start another application,
the new application will continue to have open file descriptors to
/dev/mem and /dev/kmem. This is usually avoided by marking file
descriptors as close-on-exec, but since the handle returned by
kvm_openfiles(3) is opaque, there is no direct way for the application
to determine what file descriptors have been opened by the library.
As a result, application writers may neglect to take these file
descriptors into account.

III. Impact

Set-group-ID kmem applications which use kvm(3) and start other
applications may leak /dev/mem and /dev/kmem file descriptors. If
those applications can be specified by a local user, they may be
used to read kernel memory, resulting in disclosure of sensitive
information such as file, network, and tty buffers, authentication
tokens, and so on.

Several applications in the FreeBSD Ports Collection were identified
that are affected: asmon, ascpu, bubblemon, wmmon, and wmnet2. There
may be other applications as well.

IV. Workaround

Remove the set-group-ID bit on affected applications. This will
result in the applications losing some functionality.

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6.2-RELEASE-p2, 4.5-RELEASE-p20, or 4.4-RELEASE-p27).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, FreeBSD
4.5, FreeBSD 4.6, and FreeBSD 4.6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libkvm
# make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                      Branch      Revision
- -------------------------------------------------------------------------
src/lib/libkvm/kvm.c      RELENG_4    1.12.2.3
                          RELENG_4_6  1.12.2.2.8.1
                          RELENG_4_5  1.12.2.2.6.1
                          RELENG_4_4  1.12.2.2.4.1
src/sys/conf/newvers.sh   RELENG_4_6  1.44.2.23.2.19
                          RELENG_4_5  1.44.2.20.2.21
                          RELENG_4_4  1.44.2.17.2.26
- -------------------------------------------------------------------------
[/quote]
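The leak the advisory describes is plain exec(2) inheritance: a descriptor that a library opened and nobody marked close-on-exec stays open in whatever program the application starts next. The script below is an added example and is not part of the advisory or of libkvm; it uses a constructed temporary file in the role of /dev/kmem so it runs unprivileged, shows a child reading a descriptor its parent forgot about, shows the fix an application writer applies (close the descriptor for the child before exec, which is what FD_CLOEXEC achieves from C), and ends with the audit behind the workaround: listing set-group-ID executables of a given group, which on a real FreeBSD box you would run as list_setgid_for_group / kmem. All function names are mine.

```shell
#!/bin/sh
# Added example; not code from the advisory or from libkvm.

# Returns 0 when a child process can read descriptor 3, non-zero otherwise.
# "cat <&3" fails with "Bad file descriptor" if fd 3 is closed in the child.
child_can_read_fd3() {
    sh -c 'cat <&3 >/dev/null 2>&1'
}

# The parent opens a "sensitive" file on fd 3 (the role /dev/kmem plays
# behind the opaque kvm handle) and starts a child without closing it:
# the child inherits the descriptor.  Prints "leaked" or "closed".
leaky_exec() {
    exec 3<"$1"
    if child_can_read_fd3; then r=leaked; else r=closed; fi
    exec 3<&-
    echo "$r"
}

# Same parent, but fd 3 is closed in the child's redirection list before
# the exec, so the child never sees it.  Prints "closed".
guarded_exec() {
    exec 3<"$1"
    if child_can_read_fd3 3<&-; then r=leaked; else r=closed; fi
    exec 3<&-
    echo "$r"
}

# Workaround audit: list set-group-ID regular files owned by GROUP below DIR.
# On a FreeBSD system: list_setgid_for_group / kmem
list_setgid_for_group() {
    find "$1" -type f -perm -2000 -group "$2" 2>/dev/null
}

# Demo on constructed files (a temp file stands in for /dev/kmem, and a
# setgid temp file stands in for a monitoring tool installed setgid kmem).
demo() {
    d=$(mktemp -d)
    printf 'pretend this is kernel memory\n' > "$d/kmem"
    echo "child started without close-on-exec: $(leaky_exec "$d/kmem")"
    echo "child started with fd 3 closed:      $(guarded_exec "$d/kmem")"
    touch "$d/monitor" && chmod 2755 "$d/monitor"
    g=$(ls -l "$d/monitor" | awk '{print $4}')
    echo "setgid files for group $g: $(list_setgid_for_group "$d" "$g")"
    rm -rf "$d"
}
demo
```

Run it with sh; the first report line says leaked and the second closed, which is the whole difference between an application that takes the library's descriptors into account and one that does not.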

Filed Under: *BSD news from the past

NetBSD 1.6 released

September 16, 2002 by Rob

After a number of RCs it is finally here: the new version of NetBSD.

Below are the most important changes since 1.5
[quote]
Major Changes Between 1.5 and 1.6
It is difficult to completely summarize the extensive development between the 1.5 and 1.6 releases. Some highlights include:

Kernel

* Ports to new platforms including: algor, dreamcast, evbarm, hpcarm, hpcsh, newsmips, sandpoint, sgimips, sun2, and walnut.
* Unified Buffer Cache (UBC) removes size restriction of the file system’s buffer cache to use all available RAM (if not otherwise used!) and improves overall system performance.
* Round-robin page colouring implemented for various ports for better cache utilisation, more deterministic run-time behaviour, and faster program execution.
* A rewritten SCSI middle layer to provide a cleaner interface between the different kernel layers, including a kernel thread to handle error recovery outside of the interrupt context. See scsipi(9).
* A new pipe implementation with significantly higher performance due to lower overheads, which uses the UVM Page Loan facility.
* Linux binary emulation has been greatly improved with the addition of arm, alpha, m68k and powerpc support, and now supports kernel version 2.4.18.
* Booting from RAIDframe devices is now supported on some ports.
* New boot loader flags -v (bootverbose) and -q (bootquiet), to be used by kernel code to optionally print information during boot.
* An in-kernel boot time device configuration manager userconf(4), activated with the -c boot loader flag.
* A work-in-progress snapshot of ACPI support, based on the 20010831 snapshot of the Intel ACPICA reference implementation.
* USB 2.0 support, in the form of a preliminary driver for the ehci(4) host controller.
* Basic kernel support for IrDA in the form of the irframe(4) IrDA frame level driver. Serial dongles and the oboe(4) driver are currently supported.
* Kernel configuration files can be embedded into the kernel for later retrieval. Refer to INCLUDE_CONFIG_FILE in options(4) for more information.
* Many more kernel tunable variables added to sysctl(8).

Networking

* Hardware assisted IPv4 TCP and UDP checksumming and caching of the IPv6 TCP pseudo header. Support for checksum offloading on the DP83820 Gigabit Ethernet, 3Com 3c90xB, 3Com 3c90xC, and Alteon Tigon/Tigon2 Gigabit Ethernet cards.
* Zero-Copy for TCP and UDP transmit path achieved through page loaning code for sosend().
* In-kernel ISDN support, from the ISDN4BSD project.
* 802.1Q VLAN (virtual LAN) support. See vlan(4).
* IPFilter now supports IPv6 filtering.
* ndbootd(8) added; used to netboot NetBSD/sun2 machines.
* racoon(8) added; IKE key management daemon for IPsec key negotiation, from the KAME project.
* WEP encryption supported in ifconfig(8) and awi(4) driver.
* wi(4) and wiconfig(8) now support scanning for access points, and defaults to BSS instead of ad-hoc mode.
* Bridging support; currently only for ethernet. See bridge(4).
* In-kernel PPP over Ethernet (PPPoE) – RFC 2516, with much lower overhead than user-land PPPoE clients. See pppoe(4).
* ifwatchd(8) added; invokes up-script and down-script when a network interface goes up and down. Used by pppoe(4).

File Systems

* Enhanced stability of LFS version 2, the BSD log-structured file system.
* dump(8), dumpfs(8), fsck_ffs(8), fsirand(8), newfs(8), and tunefs(8) support a -F option to manipulate file system images in regular files.
* makefs(8) added; creates file system images from a directory tree. (Currently ffs only.)
* Enhanced ffs_dirpref() by Grigoriy Orlov, which noticeably improves performance on FFS file systems when creating directories, and subsequently manipulating them.
* Fixes for free block tracking and directory block allocation in FFS softdeps.
* Correctly support FFS file systems with a large number of cylinder groups.
* Fix the endian independent FFS (FFS_EI) support.
* newfs(8) calculates default block size from the file system size, and uses the largest possible cylinders/group (cpg) value if -c isn’t given.
* dpti(4) driver added; an implementation of the DPT/Adaptec SCSI/I2O RAID management interface. Allows the use of the Linux versions of dptmgr, raidutil, dptelog, (etc).
* Support for Windows 2000 ‘NTFS’ (NTFS5, read-only).
* Tagged queueing support for SCSI drivers based on the ncr53c9x controller.

Security

* Addition of a chroot(8) hierarchy for services including named(8), ntpd(8), and sshd(8).
* Additional passwd(5) ciphers: MD5, and DES with more encryption rounds. See passwd.conf(5).
* Several more code audits were performed.
* /etc/security performs many more checks and is far more flexible in how it monitors changes. See security.conf(5).

System administration and user tools

* sushi(8) added; a menu based system administration tool.
* pgrep(1) and pkill(1) added; find or signal processes by name or other attributes.
* System upgrades are made easier through the etcupdate(8) script which helps updating the /etc config files interactively, and the /etc/postinstall script which is provided to check for or fix configuration changes that have occurred in NetBSD.
* stat(1) added; a user interface to the information returned by the stat(2) system call.
* BSD sort(1) replaces GNU sort(1).
* The “stop” operation for rc.d(8) scripts waits until the service terminates before returning. This improves the reliability of “restart” operations as well.
* Swap devices can be removed at system shutdown by enabling swapoff in rc.conf(5).
* An optional watchdog timer which will terminate rc.shutdown(8) after the number of seconds provided in rcshutdown_timeout from rc.conf(5).

Miscellaneous

* Support for multibyte LC_CTYPE locales has been integrated from the Citrus project. Many Chinese, Japanese, Korean, and other encodings are now available.
* Full support for cross-compilation of the base system, even as a non-root user! src/build.sh is available for doing arbitrary cross-builds; see src/BUILDING for more information. At least 38 ports for the NetBSD 1.6 release were cross-built on a NetBSD/i386 system using this mechanism.
* Migrated the following CPU platforms to ELF: arm, and m68k (including amiga, hp300, mac68k, mvme68k, sun2, and x68k).
* Updates of most third party packages that are shipped in the base system to the following latest stable releases:

– amd 6.0.6
– BIND 8.3.3
– binutils 2.11.2
– bzip2 1.0.2
– cvs 1.11
– dhcp 3.0.1rc9
– file 3.38
– gcc 2.95.3
– groff 1.16.1
– Heimdal 0.4e
– IPfilter 3.4.27
– kerberos4 1.1
– ksh from pdksh 5.2.14p2
– less 374
– nvi 1.79
– OpenSSH 3.4
– OpenSSL 0.9.6g
– Postfix 1.1.11
– ppp 2.4.0
– routed 2.24
– sendmail 8.11.6
– tcpdump 3.7.1
– XFree86 4.2.0 (i386 only)

* Many new packages in The NetBSD packages collection, including the latest open source desktop KDE3, OpenOffice.org, as well as the latest Perl, Apache and many more. At the time of writing, there are over 3000 third party packages available in pkgsrc.
* Added AGP GART driver agp(4) for faster access to graphics boards.
* init(8) will create an mfs (memory based file system) /dev if /dev/console is missing.
* vmstat(8) displays kernel hash statistics with -H and -h hash.
* wscons(4) supports blanking of VGA consoles.[/quote]

Filed Under: *BSD news from the past

Agreement on cable competition

September 5, 2002 by Rob

Source: [url=http://www.webwereld.nl]Webwereld[/url]

Cable companies such as UPC and Essent have reached agreements on opening up their networks to competing internet providers.
The agreement, which besides internet also has consequences for television, would mean that access to the cable becomes cheaper for internet providers. Casema and especially Essent have been arguing for competition on the cable for a long time.

[url=http://www.webwereld.nl/nieuws/12372.phtml]Read the full article[/url]

Filed Under: *BSD news from the past

Anti-trojan kernel patches for FreeBSD 4.6, 4.6.2 and OpenBSD 3.1

September 5, 2002 by Rob

Source: [url=http://www.trojanproof.org/]Trojanproof.org[/url]

This [url=http://www.trojanproof.org]site[/url] contains a number of patches for the FreeBSD 4.6, FreeBSD 4.6.2 and OpenBSD 3.1 kernels. The TrojanXproof Anti-Trojan and the Trojan Detection kernel patches are freely available, but they are not officially supported by FreeBSD or OpenBSD, so keep that in mind!

Filed Under: *BSD news from the past

BSDFreaks has moved!

September 3, 2002 by Rob

Since last night we have moved from the webis server to the server of [url=http://www.sebatech.net]Sebatech[/url]. This means the site has become a bit faster for the broadband users among us 🙂
Thank you Sebatech!!

We wish you lots more *BSD fun!!

Filed Under: *BSD news from the past

[FreeBSD] Security checklist

September 3, 2002 by Rob

A handy security checklist for FreeBSD has appeared; with it you can check whether your FreeBSD installation is reasonably secure.
[quote]
This document is intended to be a working checklist of security settings implemented on FreeBSD servers.

There is no question that there are a number of well-written and often brilliant documents providing overviews, how-to’s and faqs on FreeBSD security for the practical systems administrator, but there is no to-the-point checklist that can be a tool for each time a server is built. While there are no elaborate explanations supplied here, you can check out the bibliography at the end of this document. Remember, nothing upsets your fellow sysadmins more than not RTFM.

It is not intended to be a final document, but rather a working, regularly updated tool, complemented with the input of others and myself.

Ideally, this document could be accessed over the internet or printed out and used as a reference when building a server.

This checklist is meant to focus on the actual operating system, not individual applications. It does not approach important basics such as firewalling with pf, ipf and ipfw, nor the various mail transfer agents, www servers and their configurations.

Finally, although I have tried to be as accurate as possible, it should be clear that I’m not responsible for any errors you make using this document.
[/quote]
[url=http://sddi.net/FBSDSecCheckList.html]The checklist[/url]

Filed Under: *BSD news from the past

[FreeBSD] Change of compression format

September 3, 2002 by Rob

As of now the default compression format of FreeBSD changes to bzipped tarball, at the request of the release engineers.
The ports collection packages have also changed to .tbz
[quote]
Date: Sun, 1 Sep 2002 13:15:02 -0700
From: Kris Kennaway
To: stable@FreeBSD.org
Subject: HEADS UP: Package compression format changed


At the request of the release engineers the default package
compression scheme has been changed from gzipped tarball to bzip2ed
tarball. The package tools have been updated to deal with the new
format (older package tools only had partial support for .tbz
packages).

Additionally, the ports collection packages distributed via the FTP
site have been switched to .tbz, so if you are a regular user of these
packages you will need to update and rebuild your package tools
(e.g. by doing a complete upgrade).

Kris [/quote]

Filed Under: *BSD news from the past

[NetBSD] Progress of 1.6

September 3, 2002 by Rob

NetBSD 1.6 is the ninth release of NetBSD; at the moment they have progressed to Release Candidate 3 (RC3). If all goes well, only important bug fixes will be made before the release.
[quote]
NetBSD 1.6 is the ninth major release of the NetBSD operating system, and is currently in the pre-release stage. The netbsd-1-6 CVS branch is currently at 1.6_RC3. As this is a release candidate, only critical bugs are expected to be fixed before the release. If you’re confident, you can build NetBSD from source or use the daily binary snapshots and perform testing on your system(s).

Note: Although the netbsd-1-6 branch is currently very stable‚ it should not be considered to be production quality until the final release. See Personal contributions to NetBSD for information on testing and reporting bugs.[/quote]

Filed Under: *BSD news from the past

[FreeBSD] 4.7 Release info

September 3, 2002 by Rob

The FreeBSD stable branch has been frozen in preparation for FreeBSD 4.7. This means that changes to the source tree first have to be approved by the FreeBSD Release Engineering team.
The expected release date for 4.7 is 1 October 2002.
[url=http://www.freebsd.org/releases/4.7R/schedule.html]Schedule for 4.7[/url]

Filed Under: *BSD news from the past

Router configuration with IPFilter

September 3, 2002 by Rob

In this howto we set up a router with ipfilter and ipnat, the alternative to ipfirewall. Which one you pick depends on your preferences; mine is ipfilter, hence this howto.

The first part is copied from
[url=http://www.bsdfreaks.nl/index.php/front_howto/53/100]this howto[/url]

==========================
I assume you use ssh; if you still work over telnet, first find a howto
on switching to ssh.

Building the firewall into the kernel.

[shell]# cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/FIREWALL[/shell]

Next, edit the file [i]/usr/src/sys/i386/conf/FIREWALL[/i]
and replace GENERIC with FIREWALL everywhere.
Then find this block and make sure it reads as follows.
Of course you have to select the right CPU yourself by commenting out the others with #

[shell]machine i386
#cpu I386_CPU
#cpu I486_CPU
cpu I586_CPU
#cpu I686_CPU
ident FIREWALL
maxusers 32

options MATH_EMULATE #Support for x87 emulation
options INET #InterNETworking
options IPFILTER #enable the filter in general
options IPFILTER_LOG #logging enabled
#options IPFILTER_DEFAULT_BLOCK #block by default
[/shell]

NOTE: make sure there is a # in front of the last line!! (in the block above)
Otherwise you will no longer be able to reach the co-located box!

Next, compile the kernel.

[shell]# cd /usr/src
# make clean
# make buildkernel KERNCONF=FIREWALL[/shell]

Now check whether the file /etc/ipf.rules exists. It must NOT exist; if there
is one, remove it (but keep a backup).

[shell]# cd /usr/src/
# make installkernel KERNCONF=FIREWALL
[/shell]
==========================
Here we continue with the configuration (this part was written by me)

Edit your /etc/rc.conf and make sure it looks roughly like this
[file]ifconfig_ed0="inet EXTERNE_IP netmask NETMASK"
ifconfig_lnc0="inet 192.168.1.1 netmask 255.255.255.0"
defaultrouter="212.204.160.1"
ipfilter_enable="NO"
ipnat_enable="YES"
gateway_enable="YES"[/file]
In this case ed0 is my network card connected to the internet and lnc0 the one connecting my internal network to the router. The main thing is that you have a connection to the internet, so the ifconfig settings will be different for everyone.

Now we set up the actual router. Open /etc/ipnat.rules and make sure it looks like this:
[file]map ed0 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map ed0 192.168.1.0/24 -> 0/32[/file]
So ed0 is my external network card and my internal network is 192.168.1.x (you could also have something like 10.0.0.x here). The first line makes sure FTP works properly too, and "0/32" makes sure the right IP address is used (e.g. if you have a dynamic IP).

If you want to forward a specific port, add the following lines to your /etc/ipnat.rules
[file]rdr ed0 0/32 port 6800-6833 -> 192.168.1.2 port 6800 tcp/udp
rdr ed0 0/32 port 81 -> 192.168.1.2 port 80 tcp/udp[/file]
The first line forwards ports 6800 through 6833 to 192.168.1.2; configure those ports in e.g. ICQ and file transfer works. The second line forwards port 81 to port 80 on 192.168.1.2. You can use this, for example, to run a web server on 192.168.1.2: to connect to that web server from outside your network you then use the address http://EXTERNE_IP:81

Now reboot the machine and check that everything works
[shell]reboot[/shell]

If this works we can make it a bit safer by adding a firewall. The approach I normally take is: close everything first, then poke a few holes in the firewall.
I use the following firewall rules (do read through them and check that they are right for you too):
Put these in: /etc/ipf.rules
[file]
#################################################################
# Outside Interface
#################################################################
# loopback packets left unmolested
pass in quick on lo0 all
pass out quick on lo0 all
#—————————————————————-
# Allow out all TCP, UDP, and ICMP traffic & keep state on it
# so that it's allowed back in.
#—————————————————————-
pass out quick on ed0 proto tcp from any to any keep state
pass out quick on ed0 proto udp from any to any keep state
pass out quick on ed0 proto icmp from any to any keep state
block out quick on ed0 all

#—————————————————————-
# Allow bootp traffic in from your ISP's DHCP server only.
# Replace X.X.X.X/32 with your ISP's DHCP server address.
#—————————————————————-
#pass in quick on ed0 proto udp from 212.120.66.200/32 to any port = 68 keep state
# block incoming/outgoing unroutable addresses on interface ed0
block in quick on ed0 from 192.168.0.0/16 to any
block in quick on ed0 from 172.16.0.0/12 to any
block in quick on ed0 from 127.0.0.0/8 to any
block in quick on ed0 from 10.0.0.0/8 to any
block in quick on ed0 from 169.254.0.0/16 to any
block in quick on ed0 from 192.0.2.0/24 to any
block in quick on ed0 from 204.152.64.0/23 to any
block in quick on ed0 from 224.0.0.0/3 to any
block in quick on ed0 from 255.255.255.255/32 to any
block in quick on ed0 from 0.0.0.0/32 to any
block out quick on ed0 from any to 192.168.0.0/16
block out quick on ed0 from any to 172.16.0.0/12
block out quick on ed0 from any to 127.0.0.0/8
block out quick on ed0 from any to 10.0.0.0/8
block out quick on ed0 from any to 169.254.0.0/16
block out quick on ed0 from any to 192.0.2.0/24
block out quick on ed0 from any to 204.152.64.0/23
block out quick on ed0 from any to 224.0.0.0/3
block out quick on ed0 from any to 255.255.255.255/32
block out quick on ed0 from any to 0.0.0.0/32

# drop any IP packets with options set in them
block in quick all with ipopts
block in quick all with frag
block in quick all with short
block return-rst in quick proto tcp all flags FUP

# This host only runs sshd, no other services
pass in quick on ed0 proto tcp from any to any port = 22 flags S keep state

# Apache Webserver
pass in quick proto tcp from any to any port = 80 flags S keep state

# To receive traceroute replies
pass in quick on ed0 proto icmp from any to any icmp-type timex keep state
pass in quick on ed0 proto icmp from any to any icmp-type echorep

# Outbound traffic from our own IPs is allowed
# Could be made more strict for icmp
pass out quick on ed0 proto tcp/udp from EXTERNIP/32 to any
pass out quick on ed0 proto tcp/udp from EXTERNIP/24 to any
pass out quick on ed0 proto icmp from EXTERNIP/32 to any
pass out quick on ed0 proto icmp from 192.168.1.0/24 to any

# Block and log all remaining traffic coming into the firewall
block return-rst in log quick on ed0 proto tcp from any to any
block return-icmp-as-dest(port-unr) in log quick on ed0 proto udp from any to any
block in log quick on ed0 all

#################################################################
# Inside Interface
#################################################################
#—————————————————————-
# Allow out all TCP, UDP, and ICMP traffic & keep state
#—————————————————————-
pass out quick on lnc0 proto tcp from any to any
pass out quick on lnc0 proto udp from any to any
pass out quick on lnc0 proto icmp from any to any

#—————————————————————-
# Allow in all TCP, UDP, and ICMP traffic & keep state
#—————————————————————-
pass in quick on lnc0 proto tcp from any to any
pass in quick on lnc0 proto udp from any to any
pass in quick on lnc0 proto icmp from any to any
[/file]

Note: if you forward ports and you use a firewall, you also have to open those ports in your firewall, not only in your ipnat configuration.
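The mismatch this note warns about, a port redirected in /etc/ipnat.rules but never opened in /etc/ipf.rules, is easy to overlook once both files grow. The script below is an added example, not part of this howto: check_forwarded_ports (my name) reads rdr lines in the shape used above and the "pass in" rules of the firewall file, and prints every forwarded protocol/port pair that no pass-in rule covers through "port = N" or an exclusive "port A >< B" range. It only looks at the destination port of pass-in rules and ignores other port operators, and the two sample rule sets it writes are constructed for the demo rather than the real files from this howto.

```shell
#!/bin/sh
# Added example; not part of the original howto.

# check_forwarded_ports NAT_RULES IPF_RULES
# Prints "proto port" for every port forwarded by an rdr rule that no
# "pass in" rule opens; exit status 0 when everything is covered, 1 otherwise.
check_forwarded_ports() {
    awk '
    # First file: ipnat rules.  Shape handled:
    #   rdr <if> <addr> port <port|lo-hi> -> <int-addr> port <port> <proto>
    FNR == NR {
        if ($1 != "rdr" || $4 != "port") next
        split($5, r, "-"); lo = r[1] + 0; hi = (r[2] == "" ? lo : r[2] + 0)
        n = split($NF, p, "/")                    # "tcp/udp" covers both
        for (i = 1; i <= n; i++)
            for (port = lo; port <= hi; port++) need[p[i] " " port] = 1
        next
    }
    # Second file: ipf rules.  Only "pass in" rules can open a port.
    # Only "port = N" and exclusive "port A >< B" after "to" are understood;
    # a source-port match after "from" would be miscounted by this check.
    $1 == "pass" && $2 == "in" {
        proto = ""
        for (i = 1; i <= NF; i++) if ($i == "proto") proto = $(i + 1)
        np = split(proto, pp, "/")
        for (i = 1; i <= NF; i++) {
            if ($i != "port") continue
            if ($(i + 1) == "=")       { lo = $(i + 2) + 0; hi = lo }
            else if ($(i + 2) == "><") { lo = $(i + 1) + 1; hi = $(i + 3) - 1 }
            else continue
            for (j = 1; j <= np; j++)
                for (port = lo; port <= hi; port++) delete need[pp[j] " " port]
        }
    }
    END {
        bad = 0
        for (k in need) { print k; bad = 1 }
        exit bad
    }' "$1" "$2"
}

# Constructed sample rule sets for the demo (not the files from the howto).
# ipf.rules opens port 81 for tcp only; ipf-fixed.rules also opens udp 81
# and the 6800-6802 range that the second rdr line forwards.
write_samples() {
    cat > "$1/ipnat.rules" <<'EOF'
map ed0 192.168.1.0/24 -> 0/32 portmap tcp/udp auto
map ed0 192.168.1.0/24 -> 0/32
rdr ed0 0/32 port 81 -> 192.168.1.2 port 80 tcp/udp
rdr ed0 0/32 port 6800-6802 -> 192.168.1.2 port 6800 tcp
EOF
    cat > "$1/ipf.rules" <<'EOF'
pass in quick on ed0 proto tcp from any to any port = 22 flags S keep state
pass in quick on ed0 proto tcp from any to any port = 81 flags S keep state
block in log quick on ed0 all
EOF
    cat > "$1/ipf-fixed.rules" <<'EOF'
pass in quick on ed0 proto tcp from any to any port = 22 flags S keep state
pass in quick on ed0 proto tcp/udp from any to any port = 81 keep state
pass in quick on ed0 proto tcp from any to any port 6799 >< 6803 flags S keep state
block in log quick on ed0 all
EOF
}

demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "forwarded in ipnat.rules but not opened in ipf.rules:"
    check_forwarded_ports "$d/ipnat.rules" "$d/ipf.rules" || true
    echo "with the corrected firewall rules:"
    check_forwarded_ports "$d/ipnat.rules" "$d/ipf-fixed.rules" && echo "every forwarded port is opened"
    rm -rf "$d"
}
demo
```

On the router itself you would call check_forwarded_ports /etc/ipnat.rules /etc/ipf.rules before the three-minute test run; a non-zero exit with a list of ports tells you which pass-in rules are still missing.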

We can now test the firewall with the following command:
[shell]ipf -Fa -f /etc/ipf.rules && sleep 180 && ipf -Fa[/shell]
You now have 3 minutes to test whether everything still works; after that the rules are flushed again, so you cannot lock yourself out.

If this works, change the following value in your /etc/rc.conf to:
[file]ipfilter_enable="YES"[/file]
On the next reboot everything is then loaded automatically.

Some handy commands for when you change the firewall or ipnat rules (no reboot needed)
[shell]ipf -Fa -f /etc/ipf.rules[/shell]
This line reloads your firewall rules

[shell]ipnat -CF -f /etc/ipnat.rules[/shell]
This line reloads your ipnat rules.

If you were running ipfirewall before, make sure it is no longer running.

Good luck!

Filed Under: Firewall

