From matt at ixsystems.com Tue Feb 3 07:44:34 2009
From: matt at ixsystems.com (Matt Olander)
Date: Tue Feb 3 08:17:02 2009
Subject: [FreeBSD-Announce] FreeBSD 7.1 CDs/DVDs at FreeBSD Mall
Message-ID: <6B79E41E-9EBF-4F1F-AC6E-997EC75F8E07@ixsystems.com>

FreeBSD Mall, Inc. is happy to announce the availability of FreeBSD 7.1-based products. The four CD set and DVD are now shipping to subscribers around the world.

If you haven't yet placed your order, you may do so at http://www.freebsdmall.com. You may also elect to start your subscription with the latest release. Sit back and relax while each new release of FreeBSD is delivered straight to your door.

In addition to CD and DVD products and toolkit, we also have a large collection of FreeBSD shirts, hats, jackets, boxer shorts, stickers, case-plates, mouse pads, and other promotional materials.

FYI, during the course of the next few months, the Mall site will be getting a much needed facelift that will include new promotional BSD products. Stay tuned ;-)

Thanks and enjoy!

-matt

From rwatson at FreeBSD.org Mon Feb 9 03:46:25 2009
From: rwatson at FreeBSD.org (Robert Watson)
Date: Mon Feb 9 04:26:18 2009
Subject: [FreeBSD-Announce] Announcing EuroBSDcon 2009 - Cambridge, UK
Message-ID:

EuroBSDCon 2009 - Cambridge, UK
18-20 September 2009

The Berkeley Software Distribution (BSD) family of computer operating systems is derived from software developed at the University of California at Berkeley. The various family members (Dragonfly-, Free-, Net- and OpenBSD, among others) are extensively used both for embedded appliances and for large internet servers and have an excellent reputation for stability and state-of-the-art technology. BSD-derived software is a driving force for IT research and development and is well-received as a building block in commercial software due to its unique license scheme.

The ninth European BSD conference is a great opportunity to present new ideas to the community and to meet some of the developers behind the different BSDs.

The two day conference program (September 19 - 20) will be complemented by a tutorial day preceding the conference (Sept 18).

Call for Papers

The Conference is inviting authors to submit innovative and original papers not submitted to other European conferences on the applications, architecture, implementation, performance and security of BSD-derived operating systems. Investigations on economic aspects regarding the operation of BSD systems are also welcome.

Topics of interest for the EuroBSD Conference 2009 include, but are not limited to:

- embedded application development and deployment
- device drivers
- security and safe coding practices
- methods others should know about
- system administration: techniques and tools of the trade
- operational and economic aspects

Prospective authors of contributions to the technical program are requested to submit an abstract by email to eurobsdcon@ukuug.org

All submissions will be acknowledged.

Presentations may last from 15 to 45 minutes - please indicate how long you would like.

This is the initial call for papers; a more focussed call based on initial accepted submissions will follow in March 2009. We will begin accepting talks early in 2009.

Authors of accepted submissions should provide a full paper for publication in the conference proceedings and give permission to the organizers to publish the results in the printed proceedings and on the conference web site.

Call for Tutorial Proposals

Selected tutorials on practical and problem-solving aspects of BSD-derived operating systems will be offered on the day before the Conference. The tutorials will be presented by speakers who have wide experience in developing and administering the different BSDs.

Potential tutorial themes could include, but are not limited to:

- Safe coding practices to provide secure solutions
- System load testing and tuning
- BSD in a large network
- Solving sets of problems

If you are interested in presenting a tutorial, please contact the organisers on eurobsdcon@ukuug.org with what you're thinking. Initial exploratory conversations are as welcome as full proposals.

Sponsorship Opportunities

We are seeking companies or institutions to sponsor various elements of the conference in order to keep delegate fees as low as possible. Sponsorship opportunities include: paying for a speaker's travel or accommodation; providing bursaries for delegates who cannot pay the conference fee themselves; sponsoring catering, lunches, or the conference dinner.

All sponsors will be listed in the conference proceedings and included on our website with a link back to your site. You will also have the opportunity to provide literature for distribution in delegate packs.

Please contact the UKUUG Secretariat (office@ukuug.org) to discuss the possibilities.

Important Dates

Final abstract deadline: May 31st 2009
Final tutorial deadline: May 31st
Final papers due: August 1st
Tutorial day: September 18
Conference: September 19 - 20

From deb at freebsdfoundation.org Mon Feb 9 11:50:25 2009
From: deb at freebsdfoundation.org (Deb Goodkin)
Date: Mon Feb 9 12:06:20 2009
Subject: [FreeBSD-Announce] The FreeBSD Foundation is Requesting Project Proposals!
Message-ID: <499088F9.30307@freebsdfoundation.org>

The FreeBSD Foundation is pleased to announce we are soliciting the submission of proposals for work relating to any of the major subsystems or infrastructure within the FreeBSD operating system. A budget of $30,000 was allocated to fund multiple development projects. Proposals will be evaluated based on desirability, technical merit and cost-effectiveness.

To find out more about the proposal process please read the attached document.
You can also find the document on our website at http://www.freebsdfoundation.org/documents/FreeBSD%20Foundation%20Proposals%20Feb%202009.pdf.

We look forward to reading all the interesting project proposals!

Sincerely,

The FreeBSD Foundation
-------------- next part --------------
A non-text attachment was scrubbed...
Name: FreeBSD Foundation Proposals Feb 2009.pdf
Type: application/pdf
Size: 44087 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-announce/attachments/20090209/d1f97821/FreeBSDFoundationProposalsFeb2009.pdf

From security-advisories at freebsd.org Mon Feb 16 14:02:34 2009
From: security-advisories at freebsd.org (FreeBSD Security Advisories)
Date: Mon Feb 16 14:02:41 2009
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-09:05.telnetd
Message-ID: <200902162202.n1GM2X12003816@freefall.freebsd.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:05.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2009-02-16
Affects:        FreeBSD 7.x
Corrected:      2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
                2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
                2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit .

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol allows a connecting client to specify environment variables which should be set in any created login session; this is used, for example, to specify terminal settings.

II.  Problem Description

In order to prevent environment variable based attacks, telnetd(8) "scrubs" its environment; however, recent changes in FreeBSD's environment-handling code rendered telnetd's scrubbing inoperative, thereby allowing potentially harmful environment variables to be set.

III. Impact

An attacker who can place a specially-constructed file onto a target system (either by legitimately logging into the system or by exploiting some other service on the system) can execute arbitrary code with the privileges of the user running the telnet daemon (usually root).

IV.  Workaround

No workaround is available, but systems which are not running the telnet daemon are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 and 7.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/telnet/telnetd/sys_term.c                         1.18.22.1
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.6
  src/sys/conf/newvers.sh                                    1.72.2.9.2.7
  src/contrib/telnet/telnetd/sys_term.c                         1.18.30.2
RELENG_7_0
  src/UPDATING                                             1.507.2.3.2.14
  src/sys/conf/newvers.sh                                   1.72.2.5.2.14
  src/contrib/telnet/telnetd/sys_term.c                         1.18.26.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r188699
releng/7.1/                                                       r188699
releng/7.0/                                                       r188699
- -------------------------------------------------------------------------

VII. References

http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:05.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkmZ4dwACgkQFdaIBMps37JI2gCfZsCqw/ev/qVKELwNiFxj8zra
aooAn0GU4wBW7jBulFhrSyXtKVlgs18B
=joA6
-----END PGP SIGNATURE-----
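
Added example, not part of the advisory and not telnetd's code or the FreeBSD patch: the problem described in section II is a scrub that silently stopped taking effect, so this sketch removes variables through the libc API and then re-checks what a child would inherit, failing closed if anything unexpected survives. The allowlist contents and the variable EXAMPLE_UNSAFE are assumptions made for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
#include <string.h>
extern char **environ;

/* Assumed allowlist for this example; it is not telnetd's actual list. */
static const char *const keep_vars[] = { "TERM", "DISPLAY", "LANG", NULL };

static int is_kept(const char *name, size_t len)
{
    for (size_t i = 0; keep_vars[i] != NULL; i++)
        if (strlen(keep_vars[i]) == len && memcmp(keep_vars[i], name, len) == 0)
            return 1;
    return 0;
}

/* Count environ entries whose name is not on the allowlist. */
int env_violations(void)
{
    int bad = 0;
    for (char **e = environ; e != NULL && *e != NULL; e++)
        bad += !is_kept(*e, strcspn(*e, "="));
    return bad;
}

/* Remove everything off the allowlist via unsetenv(), then re-check what a
 * child would inherit. Returns 0 only when nothing unexpected survived. */
int scrub_env(void)
{
    size_t n = 0;
    while (environ != NULL && environ[n] != NULL) n++;
    char **names = calloc(n + 1, sizeof *names);
    if (names == NULL) return -1;
    for (size_t i = 0; i < n; i++)      /* snapshot names before mutating */
        names[i] = strndup(environ[i], strcspn(environ[i], "="));
    for (size_t i = 0; i < n; i++) {
        if (names[i] != NULL && !is_kept(names[i], strlen(names[i])))
            unsetenv(names[i]);
        free(names[i]);
    }
    free(names);
    return env_violations() == 0 ? 0 : -1;   /* fail closed */
}

int main(void)
{
    setenv("TERM", "vt100", 1);          /* constructed sample values */
    setenv("EXAMPLE_UNSAFE", "1", 1);
    return scrub_env() == 0 && getenv("EXAMPLE_UNSAFE") == NULL ? 0 : 1;
}
```

A caller would treat a non-zero return from scrub_env() as a reason not to start the login session at all.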