News

Er is een security lek gevonden in libkvm.
[quote]
[b]FreeBSD-SA-02:39.libkvm: “Applications using libkvm may leak sensitive descriptors”[/b]

FreeBSD-SA-02:39.libkvm Security Advisory
The FreeBSD Project

Topic: Applications using libkvm may leak sensitive descriptors

Category: core
Module: libkvm
Announced: 2002-09-16
Credits: David Endler ‚

Affects: All releases prior to and including 4.6.2-RELEASE.
Security branch releases prior to 4.4-RELEASE-p27‚
4.5-RELEASE-p20‚ and 4.6.2-RELEASE-p2.
Corrected: 2002-09-13 14:53:43 UTC (RELENG_4)
2002-09-13 15:04:22 UTC (RELENG_4_6)
2002-09-13 15:07:26 UTC (RELENG_4_5)
2002-09-13 15:09:07 UTC (RELENG_4_4)
FreeBSD only: NO

I. Background

The kvm(3) library provides a uniform interface for accessing kernel
virtual memory images‚ including live systems and crash dumps. Access
to live systems is via /dev/ mem and /dev/ kmem. Memory can be read and written‚ kernel symbol addresses can be looked up efficiently‚ and
information about user processes can be gathered.

The kvm_openfiles(3) function opens the special device files /dev/ mem
and /dev/ kmem‚ and returns an opaque handle that must be passed
to the other library functions.

II. Problem Description

Applications that wish to present system information such as swap
utilization‚ virtual memory utilization‚ CPU utilization‚ and
so on may use the kvm(3) library to read kernel memory directly
and gather this information. Such applications typically must
be run set-group-ID kmem so that the call to kvm_openfiles(3)
can access /dev/ mem and /dev/kmem.
If the application then uses exec(2) to start another application‚
the new application will continue to have open file descriptors to
/dev/ mem and /dev/kmem. This is usually avoided by marking file
descriptors as close-on-exec‚ but since the handle returned by
kvm_openfiles(3) is opaque‚ there is no direct way for the application
to determine what file descriptors have been opened by the library.
As a result‚ application writers may neglect to take these file
descriptors into account.

III. Impact

Set-group-ID kmem applications which use kvm(3) and start other
applications may leak /dev/ mem and /dev/kmem file descriptors. If
those applications can be specified by a local user‚ they may be
used to read kernel memory‚ resulting in disclosure of sensitive
information such as file‚ network‚ and tty buffers‚ authentication
tokens‚ and so on.

Several applications in the FreeBSD Ports Collection were identified
that are affected: asmon‚ ascpu‚ bubblemon‚ wmmon‚ and wmnet2. There
may be other applications as well.

IV. Workaround

Remove the set-group-ID bit on affected applications. This will
result in the applications losing some functionality.

V. Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6‚
RELENG_4_5‚ or RELENG_4_4 security branch dated after the correction
date (4.6.2-RELEASE-p2‚ 4.5-RELEASE-p20‚ or 4.4-RELEASE-p27).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4‚ FreeBSD
4.5‚ FreeBSD 4.6‚ and FreeBSD 4.6.2 systems.

a) Download the relevant patch from the location below‚ and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-02:39/libkvm.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch # cd /usr/src/lib/libkvm # make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- src/lib/libkvm/kvm.c RELENG_4 1.12.2.3 RELENG_4_6 1.12.2.2.8.1 RELENG_4_5 1.12.2.2.6.1 RELENG_4_4 1.12.2.2.4.1 src/sys/conf/newvers.sh RELENG_4_6 1.44.2.23.2.19 RELENG_4_5 1.44.2.20.2.21 RELENG_4_4 1.44.2.17.2.26 - ------------------------------------------------------------------------- [/quote]

Na een aantal RC’s is hij er dan eindelijk de nieuwe versie van NetBSD.

Hieronder de belangrijkste veranderingen sinds 1.5
[quote]
Major Changes Between 1.5 and 1.6
It is difficult to completely summarize the extensive development between the 1.5 and 1.6 releases. Some highlights include:

Kernel

* Ports to new platforms including: algor‚ dreamcast‚ evbarm‚ hpcarm‚ hpcsh‚ newsmips‚ sandpoint‚ sgimips‚ sun2‚ and walnut.
* Unified Buffer Cache (UBC) removes size restriction of the file system’s buffer cache to use all available RAM (if not otherwise used!) and improves overall system performance.
* Round-robin page colouring implemented for various ports for better cache utilisation‚ more deterministic run-time behaviour‚ and faster program execution.
* A rewritten SCSI middle layer to provide a cleaner interface between the different kernel layers‚ including a kernel thread to handle error recovery outside of the interrupt context. See scsipi(9).
* A new pipe implementation with significantly higher performance due to lower overheads‚ which uses the UVM Page Loan facility.
* Linux binary emulation has been greatly improved with the addition of arm‚ alpha‚ m68k and powerpc support‚ and now supports kernel version 2.4.18.
* Booting from RAIDframe devices is now supported on some ports.
* New boot loader flags -v (bootverbose) and -q (bootquiet)‚ to be used by kernel code to optionally print information during boot.
* An in-kernel boot time device configuration manager userconf(4)‚ activated with the -c boot loader flag.
* A work-in-progress snapshot of ACPI support‚ based on the 20010831 snapshot of the Intel ACPICA reference implementation.
* USB 2.0 support‚ in the form of a preliminary driver for the ehci(4) host controller.
* Basic kernel support for IrDA in the form of the irframe(4) IrDA frame level driver. Serial dongles and the oboe(4) driver are currently supported.
* Kernel configuration files can be embedded into the kernel for later retrieval. Refer to INCLUDE_CONFIG_FILE in options(4) for more information.
* Many more kernel tunable variables added to sysctl(8).

Networking

* Hardware assisted IPv4 TCP and UDP checksumming and caching of the IPv6 TCP pseudo header. Support for checksum offloading on the DP83820 Gigabit Ethernet‚ 3Com 3c90xB‚ 3Com 3c90xC‚ and Alteon Tigon/Tigon2 Gigabit Ethernet cards.
* Zero-Copy for TCP and UDP transmit path achieved through page loaning code for sosend().
* In-kernel ISDN support‚ from the ISDN4BSD project.
* 802.1Q VLAN (virtual LAN) support. See vlan(4).
* IPFilter now supports IPv6 filtering.
* ndbootd(8) added; used to netboot NetBSD/sun2 machines.
* racoon(8) added; IKE key management daemon for IPsec key negotiation‚ from the KAME project.
* WEP encryption supported in ifconfig(8) and awi(4) driver.
* wi(4) and wiconfig(8) now support scanning for access points‚ and defaults to BSS instead of ad-hoc mode.
* Bridging support; currently only for ethernet. See bridge(4).
* In-kernel PPP over Ethernet (PPPoE) – RFC 2516‚ with much lower overhead than user-land PPPoE clients. See pppoe(4).
* ifwatchd(8) added; invokes up-script and down-script when a network interface goes up and down. Used by pppoe(4).

File Systems

* Enhanced stability of LFS version 2‚ the BSD log-structured file system.
* dump(8)‚ dumpfs(8)‚ fsck_ffs(8)‚ fsirand(8)‚ newfs(8)‚ and tunefs(8) support a -F option to manipulate file system images in regular files.
* makefs(8) added; creates file system images from a directory tree. (Currently ffs only.)
* Enhanced ffs_dirpref() by Grigoriy Orlov‚ which noticeably improves performance on FFS file systems when creating directories‚ and subsequently manipulating them.
* Fixes for free block tracking and directory block allocation in FFS softdeps.
* Correctly support FFS file systems with a large number of cylinder groups.
* Fix the endian independant FFS (FFS_EI) support.
* newfs(8) calculates default block size from the file system size‚ and uses the largest possible cylinders/group (cpg) value if -c isn’t given.
* dpti(4) driver added; an implementation of the DPT/Adaptec SCSI/I2O RAID management interface. Allows the use of the Linux versions of dptmgr‚ raidutil‚ dptelog‚ (etc).
* Support for Windows 2000 ‘NTFS’ (NTFS5‚ read-only).
* Tagged queueing support for SCSI drivers based on the ncr53c9x controller.

Security

* Addition of a chroot(8) hierarchy for services including named(8)‚ ntpd(8)‚ and sshd(8).
* Additional passwd(5) ciphers: MD5‚ and DES with more encryption rounds. See passwd.conf(5).
* Several more code audits were performed.
* /etc/security performs many more checks and is far more flexible in how it monitors changes. See security.conf(5).

System administration and user tools

* sushi(8) added; a menu based system administration tool.
* pgrep(1) and pkill(1) added; find or signal processes by name or other attributes.
* System upgrades are made easier through the etcupdate(8) script which helps updating the /etc config files interactively‚ and the /etc/postinstall script which is provided to check for or fix configuration changes that have occurred in NetBSD.
* stat(1) added; a user interface to the information returned by the stat(2) system call.
* BSD sort(1) replaces GNU sort(1).
* The “stop” operation for rc.d(8) scripts waits until the service terminates before returning. This improves the reliability of “restart” operations as well.
* Swap devices can be removed at system shutdown by enabling swapoff in rc.conf(5).
* An optional watchdog timer which will terminate rc.shutdown(8) after the number of seconds provided in rcshutdown_timeout from rc.conf(5).

Miscellaneous

* Support for multibyte LC_CTYPE locales has been integrated from the Citrus project. Many Chinese‚ Japanese‚ Korean‚ and other encodings are now available.
* Full support for cross-compilation of the base system‚ even as a non-root user! src/build.sh is available for doing arbitrary cross-builds; see src/BUILDING for more information. At least 38 ports for the NetBSD 1.6 release were cross-built on a NetBSD/i386 system using this mechanism.
* Migrated the following CPU platforms to ELF: arm‚ and m68k (including amiga‚ hp300‚ mac68k‚ mvme68k‚ sun2‚ and x68k).
* Updates of most third party packages that are shipped in the base system to the following latest stable releases:

– amd 6.0.6 – BIND 8.3.3 – binutils 2.11.2 – bzip2 1.0.2 – cvs 1.11 – dhcp 3.0.1rc9 – file 3.38 – gcc 2.95.3 – groff 1.16.1 – Heimdal 0.4e – IPfilter 3.4.27 – kerberos4 1.1 – ksh from pdksh 5.2.14p2 – less 374 – nvi 1.79 – OpenSSH 3.4 – OpenSSL 0.9.6g – Postfix 1.1.11 – ppp 2.4.0 – routed 2.24 – sendmail 8.11.6 – tcpdump 3.7.1 – XFree86 4.2.0 (i386 only)
* Many new packages in The NetBSD packages collection‚ including the latest open source desktop KDE3‚ OpenOffice.org‚ as well as the latest Perl‚ Apache and many more. At the time of writing‚ there are over 3000 third party packages available in pkgsrc.
* Added AGP GART driver agp(4) for faster access to graphics boards.
* init(8) will create an mfs (memory based file system) /dev if /dev/console is missing.
* vmstat(8) displays kernel hash statistics with -H and -h hash.
* wscons(4) supports blanking of VGA consoles.[/quote]

Bron: [url=http://www.webwereld.nl]Webwereld[/url]

Kabelbedrijven als UPC en Essent hebben afspraken gemaakt over de openstelling van hun netwerken voor concurrerende internetaanbieders.
De overeenstemming – die behalve voor internet ook gevolgen heeft voor televisie – zou betekenen dat toegang tot de kabel goedkoper wordt voor internetaanbieders. Casema en vooral Essent pleiten al tijden voor concurrentie op de kabel.

[url=http://www.webwereld.nl/nieuws/12372.phtml]Lees het hele artikel[/url]

Bron: [url=http://www.trojanproof.org/]Trojanproof.org[/url]

Deze [url=http://www.trojanproof.org]site[/url] bevat een aantal patches voor de FreeBSD 4.6‚ FreeBSD 4.6.2 en de OpenBSD 3.1 kernel. De TrojanXproof Anti-Trojan en de Trojan Detection kernel patch zijn vrij verkrijgbaar‚ ze zijn worden niet officieel ondersteund door FreeBSD of OpenBSD dus let daar op!

Sinds gisteravond zijn we van de webis server verhuist naar de server van [url=http://www.sebatech.net]Sebatech[/url]. Dit brengt met zich mee dat de site een stukje sneller is geworden voor de breedbanders onder ons 🙂
Dank u Sebatech!!

We wensen jullie nog veel *BSD plezier!!

Er is een handige security checklist verschenen voor FreeBSD‚ hiermee kun je nagaan of jouw FreeBSD installatie een beetje veilig is.
[quote]
This document is intended to be a working checklist of security settings implemented on FreeBSD servers.

There is no question that there are a number of well-written and often brilliant documents providing overviews‚ how-to’s and faqs on FreeBSD security for the practical systems administrator‚ but there is no to-the-point‚ checklist that can be a tool for each time a server is built. While there are no elaborate explanations supplied here‚ you can check out the bibliography at the end of this document. Remember‚ nothing upsets your fellow sysadmins more than not RTFM.

It is not intended to be final document‚ but rather a working‚ regularly updated tool‚ complemented with the input of others and myself.

Ideally‚ this document could be accessed over the internet or printed out and used as a reference when building a server.

This checklist is meant to focus on the actual operating system‚ not individual applications. It does not approach important basics such as firewalling with pf‚ ipf and ipfw‚ nor the various mail transfer agents‚ www servers and their configurations.

Finally‚ although I have tried to be as accurate as possible‚ it should be clear that I’m not responsible for any errors you make using this document.
[/quote]
[url=http://sddi.net/FBSDSecCheckList.html]De checklist[/url]

Vanaf heden veranderd het standaard compressie formaat van FreeBSD in bzipped tarball‚ dit op verzoek van het release engineers.
Ook de ports collection is veranderd in .tbz
[quote]
Date: Sun‚ 1 Sep 2002 13:15:02 -0700
From: Kris Kennaway
To: stable@FreeBSD.org
Subject: HEADS UP: Package compression format changed

–ibTvN161/egqYuK8
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline

At the request of the release engineers the default package
compression scheme has been changed from gzipped tarball to bzip2ed
tarball. The package tools have been updated to deal with the new
format (older package tools only had partial support for .tbz
packages).

Additionally‚ the ports collection packages distributed via the FTP
site have been switched to .tbz‚ so if you are a regular user of these
packages you will need to update and rebuild your package tools
(e.g. by doing a complete upgrade).

Kris [/quote]

NetBSD 1.6 is de negende release van NetBSD‚ momenteel zijn ze gevorderd tot Release Candidate 3 (RC3). Als het goed is worden er alleen belangrijke bugfixes gedaan voor de release.
[quote]
NetBSD 1.6 is the ninth major release of the NetBSD operating system‚ and is currently in the pre-release stage. The netbsd-1-6 CVS branch is currently at 1.6_RC3. As this is a release candidate‚ only critical bugs are expected to be fixed before the release. If you’re confident‚ you can build NetBSD from source or use the daily binary snapshots and perform testing on your system(s).

Note: Although the netbsd-1-6 branch is currently very stable‚ it should not be considered to be production quality until the final release. See Personal contributions to NetBSD for information on testing and reporting bugs.[/quote]

De FreeBSD stable branch is bevroren in de voorbereiding op FreeBSD 4.7. Dit zorgt er voor dat wijzigingen in de source tree eerst goedgekeurd dienen te worden door het FreeBSD Release engingeering team.
De verwachte release datum voor 4.7 is 1 oktober 2002.
[url=http://www.freebsd.org/releases/4.7R/schedule.html]Planning voor 4.7[/url]

Er is een security advisory verschenen van de ports‚ hierin staat beschreven welke ports een security probleempje hebben.
[quote]
FreeBSD-SN-02:05 Security Notice
The FreeBSD Project

Topic: security issues in ports
Announced: 2002-08-28

I. Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues. These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default‚ nor are they “part of
FreeBSD” as such. The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format. FreeBSD makes
no claim about the security of these third-party applications. See
for more information about the
FreeBSD Ports Collection.

II. Ports

+————————————————————————+
Port name: acroread5
Affected: versions < acroread-5.06 Status: Fixed Insecure temporary file handling. The acrobatviewer‚ acroread4‚ ghostscript‚ gv‚ mgv and xpdf ports can also display PDF files.

+————————————————————————+
Port name: aide
Affected: versions < aide-0.7_1 Status: Fixed The default aide.conf silently fails to check subdirectories‚ even though it appears to be configured to do so. +------------------------------------------------------------------------+ Port name: apache+mod_ssl Affected: versions < 1.3.26+2.8.10 Status: Fixed A child process of the Apache server can crash if it receives a request for the contents of a directory in which a maliciously constructed .htaccess file has been placed. In the default configuration‚ another child will be spawned‚ and the crash will be logged. Therefore the bug should be insignificant for most users.
+————————————————————————+
Port name: bugzilla
Affected: versions < bugzilla-2.14.2 Status: Fixed "Various security issues of varying importance."
+————————————————————————+
Port name: Canna
Affected: versions < ja-Canna-3.5b2_3 Status: Fixed A remotely exploitable buffer overflow exists in the cannaserver daemon. Although previously corrected‚ the patch containing the correction was inadvertently removed from the port skeleton.


+————————————————————————+
Port name: ethereal
Affected: versions < ethereal-0.9.6 Status: Fixed Buffer overflows in BGP‚ IS-IS‚ and WCP dissectors.

+————————————————————————+
Port name: fam
Affected: versions < fam-2.6.8 Status: Fixed "Unprivileged users can potentially learn names of files that only users in root's group should be able to view."

+————————————————————————+
Port name: isakmpd
Affected: versions < isakmpd-20020403_1 Status: Fixed ``Receiving IKE payloads out of sequence can cause isakmpd(8) to crash.''

+————————————————————————+
Port name: irssi
Affected: versions < irssi-0.8.5 Status: Fixed Maliciously long topic can crash program remotely.
+————————————————————————+
Port name: kdelibs2 and kdelibs3
Affected: versions < kdelibs2-2.2.2_1 versions < kdelibs3-3.0.2_4 Status: Fixed A man-in-the-middle attack is possible against Konqueror and other KDE applications which use SSL.
+————————————————————————+
Port name: krb5
Affected: versions < krb5-1.2.5_2 Status: Fixed Contains an overflow in Sun RPC XDR decoder.


+————————————————————————+
Port name: linux-netscape6‚ netscape7‚ linux-mozilla‚ and mozilla
Affected: versions < mozilla-1.0_1‚1 (mozilla) versions < linux-mozilla-1.1 (linux-mozilla) All versions (others) Status: Fixed (linux-mozilla and mozilla) Not fixed (others) Malicious Web pages or files can cause loss of X session. When the X server receives a request to display an enormously large scalable font‚ the server exits abruptly‚ killing all its clients. This has been confirmed only with XFree86 4.2.0‚ but there is evidence that XFree86 3.3.6‚ the X font server‚ and Xvnc behave the same way. Unpatched Netscape (major version 6 or 7) and Mozilla browsers do not limit the size of fonts which Web pages or files can specify‚ thus triggering the bug. Scalable fonts may be disabled as a workaround.
+————————————————————————+
Port name: mm
Affected: versions < mm-1.2.0 Status: Fixed May allow the local Apache user to gain privileges via temporary files.
+————————————————————————+
Port name: mpack
Affected: versions < mpack-1.5_2 Status: Fixed Buffer overflow which might be triggered when mpack is used to process data from a remote source (email‚ news‚ and so on).
+————————————————————————+
Port name: mozilla‚ linux-mozilla
Affected: versions < mozilla-1.0.rc1_2‚1 (mozilla) versions < linux-mozilla-1.0_1 (linux-mozilla) Status: Not fixed An overflow exists in the Chatzilla IRC client. It can cause Mozilla to crash even if the demonstration page does not cause the crash. According to Robert Ginda‚ the bug does not allow execution of malicious code.


+————————————————————————+
Port name: newsx
Affected: versions < newsx-1.4.8 Status: Fixed Format string bug reported by Niels Heinen .
+————————————————————————+
Port name: openssh‚ openssh-portable
Affected: versions < openssh-3.4 (openssh) versions < openssh-3.4p1 (openssh-portable) Status: Fixed Buffer overflow can lead to denial of service or root compromise.
+————————————————————————+
Port name: php
Affected: versions mod_php4-4.2.0 and mod_php4-4.2.1
versions php4-4.2.0 and php4-4.2.1
Status: Fixed
On i386 architecture‚ may be remotely crashed; on other architectures‚
may allow execution of arbitrary code with the privileges of the
Web server by anyone who can send HTTP POST requests.


+————————————————————————+
Port name: linux-png and png
Affected: versions < linux-png-1.0.14 versions < png-1.2.4 Status: Fixed Malformed images (for example‚ in Web pages) can cause applications to crash. Execution of malicious code may be possible.





+————————————————————————+
Port name: postgresql7
Affected: versions < postgresql7-7.2.2 Status: Fixed Multiple buffer overruns may allow execution of malicious code. Remote attack is possible only when the server is configured to accept TCP/IP connections‚ which is not the default.



+————————————————————————+
Port name: samba
Affected: versions < samba-2.2.5 Status: Fixed Possible buffer overflow.
+————————————————————————+
Port name: squid24
Affected: versions < squid-2.4_10 Status: Fixed Buffer overflows may allow remote execution of code.
+————————————————————————+
Port name: super
Affected: versions < super-3.20.0 Status: Fixed Local root exploit.
+————————————————————————+
Port name: webmin
Affected: versions < webmin-0.990_3 Status: Fixed "If a webmin user is able to view print jobs‚ he can execute any command as root."
+————————————————————————+
Port name: zmailer
Affected: versions < zmailer-2.99.51_1 Status: Fixed When using IPv6‚ a remote buffer overflow during the processing of the HELO command is possible. Reported by 3APA3A <3APA3A@SECURITY.NNOV.RU>.
+————————————————————————+

III. Upgrading Ports/Packages

To upgrade a fixed port/package‚ perform one of the following:

1) Upgrade your Ports Collection and rebuild and reinstall the port.
Several tools are available in the Ports Collection to make this
easier. See:
/usr/ports/devel/portcheckout
/usr/ports/misc/porteasy
/usr/ports/sysutils/portupgrade

2) Deinstall the old package and install a new package obtained from

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/All/

Packages are not automatically generated for other architectures at
this time.

[/quote]