From gunther.mayer at googlemail.com Thu May 1 08:55:50 2008
From: gunther.mayer at googlemail.com (Gunther Mayer)
Date: Thu May 1 11:21:37 2008
Subject: validity of php 5.2.1 vulnerability
Message-ID: <48197EDD.7030308@gmail.com>

Hi there,

Some days ago there was an integer overflow vulnerability posted for php
5.2.1 and earlier
(http://www.freebsd.org/ports/portaudit/f6377f08-12a7-11dd-bab7-0016179b2dd5.html).
I immediately upgraded my php to 5.2.1_1 but portaudit still complains
that the vulnerability still exists:

[root@myserver ~]# portaudit -a
Affected package: php5-5.2.5_1
Type of problem: php -- integer overflow vulnerability.
Reference:

1 problem(s) in your installed packages found.

You are advised to update or deinstall the affected package(s) immediately.

However, I cannot upgrade any further as 5.2.5_1 *is* the version that
was supposed to fix this:

[root@myserver ~]# portupgrade -nv php5
---> Session started at: Thu, 01 May 2008 10:19:33 +0200
** No need to upgrade 'php5-5.2.5_1' (>= php5-5.2.5_1). (specify -f to force)
---> ** Upgrade tasks 1: 0 done, 1 ignored, 0 skipped and 0 failed
---> Listing the results (+:done / -:ignored / *:skipped / !:failed)
- lang/php5 (php5-5.2.5_1)
---> Packages processed: 0 done, 1 ignored, 0 skipped and 0 failed
---> Session ended at: Thu, 01 May 2008 10:19:36 +0200 (consumed 00:00:02)

Looking closer at the information given in the above URL the
vulnerability specifies that all "php5 >0" is affected, which to me
means that all php5 versions until all eternity will be marked
vulnerable, not only those <= 5.2.1.

Can somebody please fix the CVE or tell me what I'm doing wrong? I don't
want to get into the habit of ignoring portaudit reports as that's
clearly *bad* practise.
Gunther

From robert at ml.erje.net Thu May 1 18:09:38 2008
From: robert at ml.erje.net (Robert Joosten)
Date: Thu May 1 18:09:43 2008
Subject: Anti-virus software for 7.0
In-Reply-To: <682872.257.qm@web83606.mail.sp1.yahoo.com>
References: <682872.257.qm@web83606.mail.sp1.yahoo.com>
Message-ID: <20080501175436.GB806@iphouse.com>

Hi,

> Does anyone know where I can find anti-virus software for 7.0? I tried
> using Bitdefender's but it says it is not supported by 7.0 during
> installation.

I installed bitdefender v7.60428 some time ago. I today upgraded that
specific box to releng_7_0 and bitdefender runs fine.

You say 'installing'. I downloaded a tarball and unpacked that to
/opt/bitdefender . Iirc I grabbed an evaluation version from their site.

Hth.

Cheers,
Robert

From infofarmer at FreeBSD.org Sat May 3 13:08:22 2008
From: infofarmer at FreeBSD.org (Andrew Pantyukhin)
Date: Sat May 3 13:08:27 2008
Subject: validity of php 5.2.1 vulnerability
In-Reply-To: <48197EDD.7030308@gmail.com>
References: <48197EDD.7030308@gmail.com>
Message-ID: <20080503125112.GF92161@amilo.cenkes.org>

On Thu, May 01, 2008 at 10:27:09AM +0200, Gunther Mayer wrote:
> Hi there,
>
> Some days ago there was an integer overflow vulnerability posted for php
> 5.2.1 and earlier

You mean 5.2.5.

5.2.5_1 fixed a different kind of problem. 5.2.6 has just been
committed; update your ports tree, please.

Yes, there was a time window between the advisory and the commit, when
you could do nothing but wait (or get the relevant patch from the PHP
project). We're sorry to have kept you waiting.

From abi at e-arroyo.net Sun May 18 01:27:17 2008
From: abi at e-arroyo.net (Abiron Arroyo)
Date: Sun May 18 01:27:20 2008
Subject: Vulnerability with compromised geli credentials?
Message-ID: <39408.75.36.168.192.1211071273.squirrel@209.51.135.2>

I'm not really a developer, but was considering if there is a key
vulnerability in geli given that when you change a key there isn't a
disk update.
Consider the scenario where a new file system is created and populated
with some files. At a later time the original key is changed because
someone has gained access to the key and passphrase. A new key is
generated and attached, but none of the files are modified.

Furthermore, let's say the thief has access to the system and is able to
update the disk to use the previous key and then reattach/mount. Is it
then possible for the person that has the stolen credentials to mount
the drive and view the files?

The man page does not detail how the metadata is written.

With that said, if this is possible, what's the best way to update the
system? I suspect that moving the file is not enough, using vi in a
script is not very practical, and using cat may cause problems with some
special characters.

From robert.woolley at rwoolley.com Sun May 18 12:30:18 2008
From: robert.woolley at rwoolley.com (Robert Woolley)
Date: Sun May 18 12:31:53 2008
Subject: Vulnerability with compromised geli credentials?
In-Reply-To: <39408.75.36.168.192.1211071273.squirrel@209.51.135.2>
References: <39408.75.36.168.192.1211071273.squirrel@209.51.135.2>
Message-ID: <20080518131846.375f85aa@gumby.homeunix.com.>

On Sat, 17 May 2008 17:41:13 -0700 (PDT)
"Abiron Arroyo" wrote:

>
> I'm not really a developer, but was considering if there is a key
> vulnerability in geli given that when you change a key there isn't a
> disk update.
>
> Consider the scenario where a new file system is created and populated
> with some files. At a later time the original key is changed because
> someone has gained access to the key and passphrase. A new key is
> generated and attached, but none of the files are modified.
>

The data is encrypted with a random master-key that's generated during
the init stage. That key is itself encrypted with a user-key generated
from the passphrase and keyfile, and the encrypted masterkey is stored
on the disk.
The master-key itself is never changed; if the new files were encrypted
with a different key you wouldn't be able to read the old ones.

From rea-fbsd at codelabs.ru Tue May 20 10:05:13 2008
From: rea-fbsd at codelabs.ru (Eygene Ryabinkin)
Date: Tue May 20 10:05:18 2008
Subject: Vulnerability with compromised geli credentials?
In-Reply-To: <39408.75.36.168.192.1211071273.squirrel@209.51.135.2>
References: <39408.75.36.168.192.1211071273.squirrel@209.51.135.2>
Message-ID:

Abiron, good day.

Sat, May 17, 2008 at 05:41:13PM -0700, Abiron Arroyo wrote:
> I'm not really a developer, but was considering if there is a key
> vulnerability in geli given that when you change a key there isn't a disk
> update.
>
> Consider the scenario where a new file system is created and populated
> with some files. At a later time the original key is changed because
> someone has gained access to the key and passphrase. A new key is
> generated and attached, but none of the files are modified.

There was a similar thread at SecurityFocus, related to the PGP disk
encryption products:
http://www.securityfocus.com/archive/1/435007/30/0/threaded

> Furthermore, let's say the thief has access to the system and is able to
> update the disk to use the previous key and then reattach/mount. Is it
> then possible for the person that has the stolen credentials to mount the
> drive and view the files?

If you possess the Master Key that is actually used for the encryption,
then yes. The passphrase you're entering to attach geli volume is just
used to encrypt that master key on the disk.

> The man page does not detail how the metadata is written.

Probably the manual should be updated to say something about the process
of encryption and some neats about it.

> With that said, if this is possible, what's the best way to update the
> system? I suspect that moving the file is not enough, using vi in a script
> is not very practical, and using cat may cause problems with some special
> characters.
The best way is to get the second, virgin geli volume with uncompromised
master key and copy data to that volume.

In theory, one can reencrypt the data on the geli volume with the new
master key, but this can be error-prone: if the process is interrupted,
some part of the disk will be encrypted with the old key and one -- with
the new one. This can be overridden if geli will be extended to be able
to handle two keys at once: try the first one and then the second one.
So the scenario for the reencryption with new master key is the
following:

a. new master key is created, encrypted and saved in some location
   within the metadata;

b. geli starts to reencrypt the disk contents;

c. if the process is interrupted, then geli will see two keys on
   the next attachment and will be able to operate and continue
   the reencryption.

d. when reencryption completes, new master key is dropped to the
   regular place and it is wiped from the secondary location.

I thought about adding such functionality to geli some time ago, but I
had no time to implement it, so I was stuck to the second, virgin geli
volume.

I vaguely recall that pjd@ was mentioning some script or program that
was able to really reencrypt the disk, changing the master key. But I
may be wrong.

Pawel, what do you think, will there be a place for a secondary master
key? As I understand, the encryption is done with a non-chained mode
(counter?), so the disk that is partially encrypted with the new and
partially with the old key should not pose any problems with the case of
authenticated geli volume (we can check if decryption was working, so we
can run two passes on the block with different passwords).

With unauthenticated geli one can put the counter of already reencrypted
block somewhere to the metadata.
Potentially, this is not worse than the authenticated case: if power
fails during reencryption and the counter will not be updated for the
recent block(s), then it will be the same badness as for authenticated
case: blocks can be reencrypted, but the authentication data can not be
written to the disk.

Though, the complete reencryption will be very error-prone process and
can lead to data loss, so I would stick to two different disks and/or
volumes to prevent any old data overwrites before the new data will be
written and validated.
-- 
Eygene

From ipfreak at yahoo.com Tue May 27 07:17:55 2008
From: ipfreak at yahoo.com (gahn)
Date: Tue May 27 07:18:01 2008
Subject: freebsd and snort
Message-ID: <451466.32114.qm@web52108.mail.re2.yahoo.com>

Hello all:

I tried to install snort under /usr/ports/security and have some problems. with "make all", I checked every item on the menu but I got error messages:

//////////////////////////////

laptop# make all
===> snort-2.8.1_1 is marked as broken: FLEXRESP2 patch file does not incorporate cleanly.
*** Error code 1

Stop in /usr/ports/security/snort.

///////////////////////////////

tried "make distclean" and it didn't seem to help to clear the problem. Looked at the timestamps on the files and I don't see any files modified by the command "make all"

could anyone help me on this?

Thanks

From swhetzel at gmail.com Tue May 27 08:25:53 2008
From: swhetzel at gmail.com (Scot Hetzel)
Date: Tue May 27 08:25:56 2008
Subject: freebsd and snort
In-Reply-To: <451466.32114.qm@web52108.mail.re2.yahoo.com>
References: <451466.32114.qm@web52108.mail.re2.yahoo.com>
Message-ID: <790a9fff0805270057v2aa0959byac63d5659ae61b8@mail.gmail.com>

On 5/27/08, gahn wrote:
> Hello all:
>
> I tried to install snort under /usr/ports/security and have some problems.
> with "make all", I checked every item on the menu but I got error messages:
>
> //////////////////////////////
>
> laptop# make all
> ===> snort-2.8.1_1 is marked as broken: FLEXRESP2 patch file does not incorporate cleanly.
> *** Error code 1
>
> Stop in /usr/ports/security/snort.
>
> ///////////////////////////////
>
> tried "make distclean" and it didn't seem to help to clear the problem. Looked at the timestamps on the files and I don't see any files modified by the command "make all"
>
> could anyone help me on this?
>

Use "make config" to bring up the Options screen, and check FLEXRESP
and uncheck FLEXRESP2.

Scot

From roberto.nunnari at supsi.ch Tue May 27 08:31:57 2008
From: roberto.nunnari at supsi.ch (Roberto Nunnari)
Date: Tue May 27 08:32:01 2008
Subject: freebsd and snort
In-Reply-To: <451466.32114.qm@web52108.mail.re2.yahoo.com>
References: <451466.32114.qm@web52108.mail.re2.yahoo.com>
Message-ID: <483BB927.5070004@supsi.ch>

Hello gahn.

it's exactly as it says.. the FLEXRESP2 option is broken..
try to build without FLEXRESP2

to change your options do a
make config

Best regards.
Robi

gahn wrote:
> Hello all:
>
> I tried to install snort under /usr/ports/security and have some problems. with "make all", I checked every item on the menu but I got error messages:
>
> //////////////////////////////
>
> laptop# make all
> ===> snort-2.8.1_1 is marked as broken: FLEXRESP2 patch file does not incorporate cleanly.
> *** Error code 1
>
> Stop in /usr/ports/security/snort.
>
> ///////////////////////////////
>
> tried "make distclean" and it didn't seem to help to clear the problem. Looked at the timestamps on the files and I don't see any files modified by the command "make all"
>
> could anyone help me on this?
>
> Thanks
>
>
>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

From nigel at sourcefire.com Tue May 27 12:41:58 2008
From: nigel at sourcefire.com (Nigel Houghton)
Date: Tue May 27 12:42:01 2008
Subject: freebsd and snort
In-Reply-To: <451466.32114.qm@web52108.mail.re2.yahoo.com>
Message-ID:

On 5/27/08 2:51 AM, "gahn" wrote:

> Hello all:
>
> I tried to install snort under /usr/ports/security and have some problems.
> with "make all", I checked every item on the menu but I got error messages:
>
> //////////////////////////////
>
> laptop# make all
> ===> snort-2.8.1_1 is marked as broken: FLEXRESP2 patch file does not
> incorporate cleanly.
> *** Error code 1
>
> Stop in /usr/ports/security/snort.
>
> ///////////////////////////////
>
> tried "make distclean" and it didn't seem to help to clear the problem. Looked
> at the timestamps on the files and I don't see any files modified by the
> command "make all"
>
> could anyone help me on this?

1. This is not a question for FreeBSD Security although, I can see why
   you might think so
2. Do not cross post
3. Did you try to contact the port maintainer or file a bug report? (the
   port needs updating anyway)

Having said all that, I don't know why flexresp2 is needed for a plain
snort build.

-- 
Nigel Houghton
Resident Hooligan
SF VRT

From ipfreak at yahoo.com Tue May 27 18:11:29 2008
From: ipfreak at yahoo.com (gahn)
Date: Tue May 27 18:11:37 2008
Subject: freebsd and snort
Message-ID: <658053.1394.qm@web52101.mail.re2.yahoo.com>

Thanks. greatly appreciated.
Best

----- Original Message ----
From: Scot Hetzel
To: gahn
Cc: freebsd general questions ; freebsd security
Sent: Tuesday, May 27, 2008 12:57:38 AM
Subject: Re: freebsd and snort

On 5/27/08, gahn wrote:
> Hello all:
>
> I tried to install snort under /usr/ports/security and have some problems. with "make all", I checked every item on the menu but I got error messages:
>
> //////////////////////////////
>
> laptop# make all
> ===> snort-2.8.1_1 is marked as broken: FLEXRESP2 patch file does not incorporate cleanly.
> *** Error code 1
>
> Stop in /usr/ports/security/snort.
>
> ///////////////////////////////
>
> tried "make distclean" and it didn't seem to help to clear the problem. Looked at the timestamps on the files and I don't see any files modified by the command "make all"
>
> could anyone help me on this?
>

Use "make config" to bring up the Options screen, and check FLEXRESP
and uncheck FLEXRESP2.

Scot

From swhetzel at gmail.com Tue May 27 19:14:42 2008
From: swhetzel at gmail.com (Scot Hetzel)
Date: Tue May 27 19:14:45 2008
Subject: freebsd and snort
In-Reply-To:
References: <451466.32114.qm@web52108.mail.re2.yahoo.com>
Message-ID: <790a9fff0805271214k4268fffdmaff2b0d3ea29759d@mail.gmail.com>

On 5/27/08, Nigel Houghton wrote:
> On 5/27/08 2:51 AM, "gahn" wrote:
>
> > Hello all:
> >
> > I tried to install snort under /usr/ports/security and have some problems.
> > with "make all", I checked every item on the menu but I got error messages:
> >
> 3. Did you try to contact the port maintainer or file a bug report? (the
> port needs updating anyway)
>

The maintainer knows about the broken state of FLEXRESP2 patch, as he
was the one who submitted the change to mark it broken in revision 1.70
(2006/08/30 04:26:53 clsung) when it was first introduced.

It also looks like snort 2.8.1 now incorporates the FLEXRESP2 patch in
the main source. I submitted PR 124048 to remove the BROKEN state of
FLEXRESP2.
http://www.freebsd.org/cgi/query-pr.cgi?pr=124048

> Having said all that, I don't know why flexresp2 is needed for a plain snort
> build.
>

The default state for FLEXRESP2 is OFF. The only OPTION that is enabled
is dynamic plugin support (DYNAMIC) for a plain snort build.

Scot
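
Added example, not part of any message in this archive and not geli's own code: a small Python model of the key hierarchy described in the geli thread above, showing why a passphrase change alone does not lock out someone who kept the old metadata and passphrase, and why a second volume with its own master key does. The HMAC-based toy cipher, the PBKDF2 parameters and the metadata field names are assumptions standing in for geli's real on-disk format.

```python
import hashlib, hmac, os

def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy cipher (assumption, NOT geli's): XOR with HMAC-SHA256(key, label || offset)."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, label + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

def wrap_master(master: bytes, passphrase: str) -> dict:
    """Build a metadata record: the master key encrypted under a passphrase-derived user key."""
    salt = os.urandom(16)
    ukey = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 10_000)
    return {"salt": salt,
            "wrapped": keystream_xor(ukey, b"wrap", master),
            "check": hmac.new(ukey, master, hashlib.sha256).digest()}

def unwrap_master(meta: dict, passphrase: str):
    """Return the master key, or None if the passphrase does not match this record."""
    ukey = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), meta["salt"], 10_000)
    master = keystream_xor(ukey, b"wrap", meta["wrapped"])
    good = hmac.new(ukey, master, hashlib.sha256).digest()
    return master if hmac.compare_digest(good, meta["check"]) else None

def rotation_outcome() -> dict:
    secret = b"constructed sample file contents"          # constructed sample data
    master = os.urandom(32)                               # generated once, at init
    sectors = keystream_xor(master, b"data", secret)      # what sits on the provider
    old_meta = wrap_master(master, "old passphrase")      # record kept by the thief
    new_meta = wrap_master(master, "new passphrase")      # passphrase change: re-wrap only
    leaked = unwrap_master(old_meta, "old passphrase")
    # Mitigation from the thread: a second volume with its own master key.
    fresh = os.urandom(32)
    fresh_sectors = keystream_xor(fresh, b"data", secret)
    return {
        "new_record_rejects_old_passphrase": unwrap_master(new_meta, "old passphrase") is None,
        "same_master_after_change": unwrap_master(new_meta, "new passphrase") == master,
        "old_record_still_reads_data": keystream_xor(leaked, b"data", sectors) == secret,
        "old_master_reads_fresh_volume": keystream_xor(leaked, b"data", fresh_sectors) == secret,
    }

if __name__ == "__main__":
    for name, value in rotation_outcome().items():
        print(f"{name}: {value}")
```

The data sectors are never rewritten by the passphrase change, which is why only the last entry, the copy onto a freshly initialised volume, comes out False.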