
BSDFreaks.nl

For starters and advanced *BSD users


*BSD news from the past

Interview with former FreeBSD engineer J. Hubbard

June 21, 2002 by Rob

Kerneltrap has published an interview with Jordan Hubbard. He is a co-founder of the FreeBSD project and currently works at Apple. Not long ago he stopped working on the FreeBSD project.

In this interview he talks about his current work and about his earlier work as a FreeBSD developer.

[url=http://kerneltrap.org/node.php?id=278]The interview[/url]
[url=http://daily.daemonnews.org/view_story.php3?story_id=2837]His reason for leaving FreeBSD[/url]

Filed Under: *BSD news from the past

FreeBSD 4.6 really released

June 16, 2002 by Rob

The new FreeBSD release is now really a fact. There have been some false reports, on /. among other places, but now I really did find a PGP-signed message in my mailbox saying that 4.6 has been released.

For the release notes: [url=http://www.FreeBSD.org/releases/4.6R/relnotes.html]click here[/url]

So cvsup your sources and make world again.

A quote from the announcement mail:
[quote]
I am happy to announce the availability of FreeBSD 4.6-RELEASE, the
very latest release on the FreeBSD -STABLE development branch. Since
FreeBSD 4.5-RELEASE in January 2002, we have made hundreds of fixes,
updated many system components, and addressed a wide variety of
security issues.

One of the most significant changes in FreeBSD 4.6 is the adoption of
XFree86 4.2.0 as the default version of the X Windows System. We
encourage users (particularly those upgrading from older installations
of XFree86) to consult the relevant section of the FreeBSD Handbook
for information on installing and configuring XFree86 4.2.0. This
information can be found on-line at:

[url]http://www.FreeBSD.org/handbook/x11.html[/url]

On systems with the doc distribution installed, it can also be found
at:

/usr/share/doc/en_US.ISO8859-1/books/handbook/x11.html

A number of enhancements to network device drivers have been made, as
well as updates to the ATA storage subsystem.

Some contributed programs have been updated, such as sendmail
(updated to 8.12.3) and the ISC DHCP client (updated to 3.0.1RC8).

For more information about the most significant changes with this
release of FreeBSD, please see the release notes:

[url]http://www.FreeBSD.org/releases/4.6R/relnotes.html[/url]

It is also useful to peruse the errata file, as it contains
late-breaking news about the release:

[url]http://www.FreeBSD.org/releases/4.6R/errata.html[/url]

For more information about FreeBSD release engineering activities
(including a schedule of upcoming releases), please see:

[url]http://www.FreeBSD.org/releng/[/url]

Availability
------------

FreeBSD 4.6-RELEASE supports the i386 and alpha architectures and can
be installed directly over the net using the boot floppies or copied
to a local NFS/FTP server. Distributions for the i386 are available
now. Final builds for the alpha architecture are in progress and will
be made available shortly.

We can’t promise that all the mirror sites will carry the larger ISO
images, but they will at least be available from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/
ftp://ftp2.FreeBSD.org/pub/FreeBSD/
ftp://ftp.au.FreeBSD.org/pub/FreeBSD/
ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/
ftp://ftp.lt.FreeBSD.org/pub/FreeBSD/
ftp://ftp.nctu.edu.tw/FreeBSD/

If you can’t afford FreeBSD on media, are impatient, or just want to
use it for evangelism purposes, then by all means download the ISO
images, otherwise please continue to support the FreeBSD Project by
purchasing media from one of our supporting vendors. The following
companies have contributed substantially to the development of
FreeBSD:

FreeBSD Mall, Inc.        http://www.freebsdmall.com/
FreeBSD Services Ltd.     http://www.freebsd-services.com/
Daemon News               http://www.bsdmall.com/freebsd1.html

Each CD or DVD set contains the FreeBSD installation and application
package bits for the i386 (“PC”) architecture. For a set of distfiles
used to build ports in the ports collection, please see the FreeBSD
Toolkit, a 6 CD set containing extra bits which no longer fit on the 4
CD set, or the DVD distribution from FreeBSD Services Ltd.
[/quote]


New FreeBSD IPFW beta code available

June 11, 2002 by Rob

Source: [url=http://www.bsdforums.org/forums/showthread.php?threadid=1126]BSDForums[/url]

Luigi Rizzo has extensively rewritten the ipfw code (userland + kernel) in an attempt to make the code faster and more flexible.

[quote]Date: Sat, 8 Jun 2002 20:19:09 -0700
From: Luigi Rizzo
To: ipfw@freebsd.org
Subject: New ipfw code available
Message-ID: <20020608201909.A41807@iguana.icir.org>

[Bcc to -current because it is relevant there as well -- sorry for the
crosspost]

Hi,
over the past 2-3 weeks I have done an extensive rewrite of the
ipfw code (userland + kernel) in an attempt to make it faster and
more flexible.

The idea (which I discussed a few times on the mailing lists) was
to replace the current ipfw rules (macroinstructions) with a set
of microinstructions, each of them performing a single operation
such as matching an address, or a port range, or a protocol flag,
etc. -- much in the spirit of BPF and derivatives -- and to let
the userland front-end compile ipfw(8) commands into an appropriate
set of microinstructions.

There are several advantages in using this technique: first of all,
instructions are typically shorter and faster, because the former
code had to check for the presence of all the possible options in
a rule, whereas the new one can simply do just the things that are
required -- e.g. an instruction like

    allow ip from 1.2.3.0/24 to any

translates to a couple of microinstructions (whose complete
implementation is below the instructions themselves):

    O_IP_DST
        if (((ipfw_insn_ip *)cmd)->addr.s_addr ==
            (dst_ip.s_addr & ((ipfw_insn_ip *)cmd)->mask.s_addr))
                goto cmd_match;
        goto cmd_fail;

    O_ACCEPT:
        retval = 0; /* accept */
        goto accept;

But there is a lot more -- the instruction set is easily extensible,
and without backward compatibility problems. Furthermore, you can
build (and I have already implemented them) more complex rules by
assembling microinstructions with OR and NOT operands. I.e. you can write
something like:

    pipe 10 tcp from 1.2.3.4 or 1.2.3.7 or not 1.2.3.0/28 21-25,1024-4095
        to any in recv ed0 or recv fxp1 or recv dc0 uid 35 or uid 50

You get the idea…

I have a fairly complete version of the above code at the moment,
which is only missing a small set of functionalities
(ip/tcp flags matching, “log” and fixing hooks to the stateful
code). However the glue to implement all the missing pieces is
already there, it is just a matter of adding a few lines of code
and testing things.
Other than that, the code is meant to be fully compatible with the
old syntax so you will not have to rewrite your existing rulesets.

I have put a preliminary snapshot of this code (for CURRENT) at

http://info.iet.unipi.it/~luigi/ipfw5.20020609.tgz

It replaces the following files from a recent (2002/05/14) version of -current.

sys/netinet/ip_dummynet.c
sys/netinet/ip_fw.c
sys/netinet/ip_fw.h
sbin/ipfw/ipfw.c

I would be very grateful if someone could have a look at the
code, maybe give it a try, and see e.g. how it compiles your
typical ruleset and whether the new extensions can make your
ipfw rulesets simpler.

Feedback welcome, both on the architecture and on the implementation.

NOTE: if people wonder why I did not use BPF and reinvented the wheel:
the keyword is “backward compatibility” -- i thought it was a bit too
complex to compile the existent ipfw syntax into BPF, especially because
BPF at least as far as i know does not handle UIDs, and GIDs and
interface matches and different “actions” than match or not match,
so i would have had to extend the code anyways, at which point i
thought I could as well write my own microinstruction set…

cheers
luigi
-----------------------------------+-------------------------------------
Luigi RIZZO, luigi@iet.unipi.it . Dip. di Ing. dell’Informazione
http://www.iet.unipi.it/~luigi/ . Universita` di Pisa
TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy)
Mobile +39-347-0373137
-----------------------------------+-------------------------------------
to

thanks
luigi
[/quote]


FreshPorts 2 has launched

June 3, 2002 by Rob

Source: [url=http://daily.daemonnews.org/]FreeBSD Diary[/url]

[url=http://www.freshports.org]Freshports[/url] 2 went online last week. The [url=http://www.freshports.org]site[/url] has existed for 2 years and has gained 2800 registered users since then. For anyone who does not know FreshPorts: you can select a list of ports you are interested in, and as soon as there is an update you are notified by email.

[quote]This new version of FreshPorts has many new features for users, and many underlying technology changes to make things easier for me. For example, users can add a port to their watch list with a single click. And they can access their favourite ports using the familiar / syntax, mirroring the directory structure of the ports tree.
[/quote]

[url=http://daily.daemonnews.org/view_story.php3?story_id=2931]The article[/url]


Interference more likely as wireless devices get popular

June 2, 2002 by Rob

Source: [url=http://www.sfgate.com/]SFGate.com[/url]

Wireless networks are becoming more and more popular, and since everyone is on the same frequency it is only logical that you start interfering with each other. You can read more about this in the following article.

[quote]Gary Oglesby thought it was odd that his wireless network at WorldCom Inc. got unusually congested early each morning and again just after quitting time.
Turns out a security gate at a parking lot just outside his group’s offices shared the network’s frequency. To reduce interference, Oglesby had to move an antenna away from the window.
[/quote]

[url=http://www.sfgate.com/cgi-bin/article.cgi?file=/news/archive/2002/06/01/national1423EDT0563.DTL&type=printable]The article[/url]


FreeBSD 4.6 release delayed

June 1, 2002 by Rob

Source: [url=http://www.freebsdforums.org/]FreeBSDForums[/url]

Bruce A. Mah of the FreeBSD Release Engineering team has announced that, due to some “last-minute” problems, FreeBSD 4.6 will be released about a week later than expected.

Here is the announcement:
[quote]From: bmah@FreeBSD.ORG (bmah@FreeBSD.ORG)
Subject: 4.6-RELEASE delayed

Just a note to say that due to some late-breaking issues, 4.6 will be
released about a week later than originally planned. The magic date is
now 8 June 2002…I’ve just updated the release schedule on the Web
site.

We’ll be doing another release candidate (4.6-RC4…for various reasons
there won’t be a 4.6-RC3) on Monday, in which we hope to see the major
remaining issues addressed. We encourage you to see the testing page
for this release at:

http://www.freebsd.org/releases/4.6R/qa.html

Note that as we get closer to the release, it becomes harder for us to
justify making changes. We always value feedback, testing reports, and
requests for changes, but we also need to balance potential changes
against the risks of instability and more testing.

Thanks for your understanding…we’re looking forward to having a good
release!

Bruce and the rest of the RE team.
[/quote]

[url=http://www.freebsdforums.org/forums/showthread.php?s=069e794eb814e51bd716ba36b82e8d1f&threadid=982]The original article[/url]


Collapse of KPNQwest affects Chello

June 1, 2002 by Rob

Source: [url=http://www.zdnet.nl]ZDNet[/url]

Chello customers may be affected by the collapse of KPNQwest. The internet company partly uses the network of the network company, which filed for bankruptcy today. Parent company UPC is switching to other suppliers.

[quote]“UPC expects this migration to be completed within a few days. We are working on it with all our might. However, it cannot be ruled out that internet traffic throughout Europe will slow down in the coming days,” the company writes in a statement to customers. The company does not say which companies will take over KPNQwest’s share.
[/quote]

[url=http://www.zdnet.nl/News.cfm?id=18072]The full article[/url]

I also just received the following e-mail:

[quote][b]Possible disruption of internet traffic[/b]
Dear customer,

UPC partly uses the KPNQwest network for its internet service chello. Because KPNQwest can no longer guarantee the proper functioning of its network, we are switching to other suppliers.

UPC expects this migration to be completed within a few days. We are working on it with all our might. However, it cannot be ruled out that internet traffic throughout Europe will slow down in the coming days.

We will keep you informed via the websites [url]http://www.chello.nl[/url] and [url]http://www.upc.nl[/url], as well as via our information channel on television.

Kind regards,

UPC Nederland

Ivo Tempelman
Marketing Director

[/quote]


NetBSD ported to the PM/PPC platform

June 1, 2002 by Rob

Source: [url=http://www.netbsd.org/Changes/]NetBSD Changes[/url]

NetBSD has been ported to the PM/PPC platform: [url=http://www.artesyncp.com/html/pmppc.html]NetBSD/pmppc, Artesyn’s PM/PPC[/url]. This would be the 58th port! [url=http://www.netbsd.org/Ports/pmppc/]Here[/url] you can find more information about the platform.

[img]http://www.bsdfreaks.nl/images/pics/27.gif[/img]


FreeBSD Security Advisory: DoS, rc

May 29, 2002 by Rob

I received another 2 e-mails from the FreeBSD mailing list:

[b]- Remote denial-of-service when using accept filters[/b]

[quote]Topic:          Remote denial-of-service when using accept filters

Category:       core
Module:         kernel
Announced:      2002-05-29
Credits:        Mike Silbersack
Affects:        FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE after 2001-11-22 and prior to the
                correction date
Corrected:      2002-05-21 18:03:16 UTC (RELENG_4)
                2002-05-28 18:27:55 UTC (RELENG_4_5)
FreeBSD only:   YES

I. Background

FreeBSD features an accept_filter(9) mechanism which allows an
application to request that the kernel pre-process incoming connections.
For example, the accf_http(9) accept filter prevents accept(2) from
returning until a full HTTP request has been buffered.

No accept filters are enabled by default. A system administrator must
either compile the FreeBSD kernel with a particular accept filter
option (such as ACCEPT_FILTER_HTTP) or load the filter using
kldload(8) in order to utilize accept filters.

II. Problem Description

In the process of adding a syncache to FreeBSD, mechanisms to remove
entries from the incomplete listen queue were removed, as only sockets
undergoing accept filtering now use the incomplete queue.

III. Impact

By simply connecting to a socket using accept filtering and holding a
few hundred sockets open (~190 with the default backlog value), one
may deny access to a service. In addition to malicious users, this
effect has also been reported to be caused by worms such as Code Red
which generate URLs that do not meet the http accept filter’s
criteria.

Systems are not affected by this bug unless they have enabled accept
filters in the kernel and are utilizing an application configured to
take advantage of this feature. Apache (versions 1.3.14 and later) is
the only application known to utilize accept filters by default.

IV. Workaround

Do not use accept filters. If you have enabled the ACCEPT_FILTER_DATA
or ACCEPT_FILTER_HTTP options in your kernel, remove these options and
recompile your kernel as described in
and reboot the
system. If you have loaded one of the kernel accept filters by using
kldload(8), then you must modify your startup scripts not to load
these modules and reboot your system. You may list loaded kernel
modules by using kldstat(8). If loaded, the HTTP accept filter will
be listed as `accf_http.ko’, and the Data accept filter will be listed
as `accf_data.ko’.

For affected versions of Apache, accept filters may be disabled either
by adding the directive “AcceptFilter off” to your configuration
file, or via a compile-time option, depending upon the version.
Please see the Apache documentation for details.

V. Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to the RELENG_4_5
(4.5-RELEASE-p6) security branch dated after the respective correction
dates.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.5-RELEASE
and 4.5-STABLE systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:26/accept.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                             Revision
  Branch
- -------------------------------------------------------------------------
src/sys/kern/uipc_socket.c
  RELENG_4                       1.68.2.21
  RELENG_4_5                     1.68.2.17.2.1
src/sys/kern/uipc_socket2.c
  RELENG_4                       1.55.2.15
  RELENG_4_5                     1.55.2.10.2.1
src/sys/conf/newvers.sh
  RELENG_4_5                     1.44.2.20.2.7
- -------------------------------------------------------------------------

VII. References



[/quote]
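
The advisory above ties exposure to two conditions: an accept filter present in the kernel (loaded as a module or compiled in) and an application that uses it, with Apache doing so unless “AcceptFilter off” is set. The script below is an added example, not part of the advisory or of FreeBSD, that checks those conditions from saved kldstat(8) output, a kernel configuration file and httpd.conf; the function names, verdict strings and sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example. All sample files below are constructed for illustration.

# accf_audit KLDSTAT_OUTPUT KERNEL_CONFIG HTTPD_CONF
# Prints a one-line verdict; returns 0 only when no accept filter is present.
accf_audit() {
    kld=$1 kconf=$2 httpd=$3
    filters=""

    # Kernel side, part 1: modules loaded with kldload(8), as kldstat(8) lists them.
    for mod in accf_http.ko accf_data.ko; do
        if grep -qwF "$mod" "$kld"; then filters="$filters module:$mod"; fi
    done
    # Kernel side, part 2: filters compiled in. Strip '#' comments first so a
    # commented-out option does not count.
    for opt in $(sed 's/#.*//' "$kconf" |
        awk '$1 == "options" && $2 ~ /^ACCEPT_FILTER_(DATA|HTTP)$/ { print $2 }'); do
        filters="$filters option:$opt"
    done

    if [ -z "$filters" ]; then
        echo "not-affected"
        return 0
    fi
    # Application side: the advisory's Apache workaround is "AcceptFilter off".
    # A commented-out directive is ignored, matching how Apache reads the file.
    if sed 's/#.*//' "$httpd" |
        grep -Eiq '^[[:space:]]*AcceptFilter[[:space:]]+off[[:space:]]*$'; then
        echo "filters-present-apache-off:$filters"
    else
        echo "exposed:$filters"
    fi
    return 1
}

# write_samples DIR: constructed inputs for a host where both conditions hold.
write_samples() {
    cat > "$1/kldstat.txt" <<'EOF'
Id Refs Address    Size     Name
 1    3 0xc0100000 2b7e44   kernel
 2    1 0xc0a51000 3000     accf_http.ko
EOF
    cat > "$1/KERNEL" <<'EOF'
machine  i386
options  INET
#options ACCEPT_FILTER_DATA
options  ACCEPT_FILTER_HTTP   # compiled-in HTTP filter
EOF
    cat > "$1/httpd.conf" <<'EOF'
ServerName www.example.org
# AcceptFilter off
EOF
}

dir=$(mktemp -d)
write_samples "$dir"
accf_audit "$dir/kldstat.txt" "$dir/KERNEL" "$dir/httpd.conf" || true
rm -rf "$dir"
```

A verdict of filters-present-apache-off still leaves the kernel-side workaround (removing the options or modules) to be done.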

[b]- rc uses file globbing dangerously[/b]

[quote]Topic:          rc uses file globbing dangerously

Category:       core
Module:         rc
Announced:      XXXX-XX-XX
Credits:        lumpy
Affects:        FreeBSD 4.4-RELEASE
                FreeBSD 4.5-RELEASE
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2002-05-09 17:39:01 UTC (RELENG_4)
                2002-05-09 17:40:27 UTC (RELENG_4_5)
                2002-05-09 17:41:05 UTC (RELENG_4_4)
FreeBSD only:   YES

I. Background

rc is the system startup script (/etc/rc). It is run when FreeBSD
is booted multi-user, and performs a multitude of tasks to bring the
system up. One of these tasks is to remove lock files left by X
Windows, as their existence could prevent one from restarting the X
Windows server.

II. Problem Description

When removing X Windows lock files, rc uses the rm(1) command and
shell globbing:

rm -f /tmp/.X*-lock /tmp/.X11-unix/*

Since /tmp is a world-writable directory, a user may create
/tmp/.X11-unix as a symbolic link to an arbitrary directory. The next
time that rc is run (i.e. the next time the system is booted), rc will
then remove all of the files in that directory.

III. Impact

Users may remove the contents of arbitrary directories if the
/tmp/.X11-unix directory does not already exist and the system can
be enticed to reboot (or the user can wait until the next system
maintenance window).

IV. Workaround

Find and remove or comment-out the following line in /etc/rc:

rm -f /tmp/.X*-lock /tmp/.X11-unix/*

The following command executed as root will do this:

/bin/sh -c 'echo -e "/.X11-unix/s/^/#/\nw\nq\n" | /bin/ed -s /etc/rc'

V. Solution

1) Upgrade your vulnerable system to 4.5-STABLE; or to either of the
RELENG_4_5 (4.5-RELEASE-p6) or RELENG_4_4 (4.4-RELEASE-p13) security
branches dated after the respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:27/rc.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Install the new rc script:

# cd /usr/src/etc
# install -c -o root -g wheel -m 644 rc /etc/rc

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Path                             Revision
  Branch
- -------------------------------------------------------------------------
src/etc/rc
  RELENG_4                       1.212.2.50
  RELENG_4_5                     1.212.2.38.2.1
  RELENG_4_4                     1.212.2.34.2.1
- -------------------------------------------------------------------------

VII. References
[/quote]
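
The difference between globbing through /tmp/.X11-unix and removing the name itself can be seen in a throwaway sandbox. This is an added example, not the patch from the advisory: the function names and the sandbox layout are constructed for illustration, and safe_cleanup is one possible way to write the cleanup.

```sh
#!/bin/sh
# Added example. Everything runs inside a constructed sandbox under mktemp -d;
# "$1" stands in for /tmp.

# The cleanup as the advisory quotes it. The shell expands "$1"/.X11-unix/*
# by walking through .X11-unix, so when that name is a symlink the glob
# lists, and rm deletes, the files of the link's target.
unsafe_cleanup() {
    rm -f "$1"/.X*-lock "$1"/.X11-unix/*
}

# Hardened variant (an assumption of this example): never glob through the
# directory name.
safe_cleanup() {
    # The lock-file glob only matches names directly inside "$1"; rm unlinks
    # a symlinked lock file's name without touching its target.
    rm -f "$1"/.X*-lock
    # rm -rf on a path that is a symlink removes the link itself and does
    # not descend into the directory it points to.
    rm -rf "$1/.X11-unix"
    # Recreate the socket directory, world-writable with the sticky bit.
    mkdir -m 1777 "$1/.X11-unix"
}

# make_sandbox: builds a fake /tmp whose .X11-unix is a symlink to a
# "victim" directory holding one file. Prints the sandbox path.
make_sandbox() {
    box=$(mktemp -d) || return 1
    mkdir "$box/tmp" "$box/victim"
    echo important > "$box/victim/data"
    : > "$box/tmp/.X0-lock"
    ln -s "$box/victim" "$box/tmp/.X11-unix"
    echo "$box"
}

# demo: runs each cleanup against a fresh sandbox and reports what happened
# to the file outside the fake /tmp.
demo() {
    for fn in unsafe_cleanup safe_cleanup; do
        box=$(make_sandbox) || return 1
        "$fn" "$box/tmp"
        if [ -e "$box/victim/data" ]; then state=intact; else state=deleted; fi
        echo "$fn: victim file $state"
        rm -rf "$box"
    done
}

demo
```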


New systrace facility in OpenBSD -current

May 29, 2002 by Rob

Source: [url=http://www.deadly.org]Deadly.org[/url]

A project to improve the security of OpenBSD was recently added to OpenBSD -current. The systrace facility can make applications and users work in a sandbox, which gives administrators much more control over what happens on the system.

[quote]From the CVS changes list:

List: openbsd-cvs
Subject: CVS: cvs.openbsd.org: src
From: Niels Provos
Date: 2002-05-16 16:16:52

CVSROOT: /cvs
Module name: src
Changes by: provos@cvs.openbsd.org 2002/05/16 10:16:52

Modified files:
sys/kern : kern_exit.c kern_fork.c
sys/conf : files
sys/sys : conf.h file.h proc.h
sys/arch/i386/i386: conf.c trap.c
Added files:
sys/dev : systrace.c systrace.h

Log message:
systrace facility, used to enforce and generate policies for system calls
okay deraadt@
With these changes, users of -current can extend the security of the system arbitrarily. This seems almost perfect for a multiuser system, or a bastion host.
[/quote]

[url=http://www.deadly.org/article.php3?sid=20020528234008]The original article[/url]
