Hi
Are there any known security holes or necessary precautions in using port
forwarding with ipportfw?
I'm planning on forwarding ports from an outer firewall/router (connected
to the Internet) to a host in the DMZ, then on from the DMZ host to the
inner firewall, and finally from the inner firewall to some host on the
inside.
Thanks,
Jens
jph@strengur.is
From mail@mail.redhat.com Wed Aug 5 09:48:30 1998
Received: (qmail 795 invoked from network); 5 Aug 1998 07:48:23 -0000
Received: from 3dyn106.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.106)
by mail2.redhat.com with SMTP; 5 Aug 1998 07:48:22 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id JAA15841
for <linux-security@redhat.com>; Wed, 5 Aug 1998 09:48:30 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id JAA00663
for linux-security@redhat.com; Wed, 5 Aug 1998 09:48:19 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 08:05:22 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id XAA04482
for <wolff@dutepp0.et.tudelft.nl>; Tue, 4 Aug 1998 23:23:14 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id XAA12932 for
<r.e.wolff@BitWizard.nl>; Tue, 4 Aug 1998 23:11:39 +0200
Received: (qmail 23089 invoked by uid 501); 4 Aug 1998 21:19:28 -0000
Received: (qmail 22749 invoked from network); 4 Aug 1998 21:19:19 -0000
Received: from pri.wildapache.net (root@209.141.80.2)
by mail2.redhat.com with SMTP; 4 Aug 1998 21:19:19 -0000
Received: from wildapache.net (ntserv1 [192.168.1.2])
by pri.wildapache.net (8.8.7/8.8.7) with ESMTP id OAA02506
for <linux-security@redhat.com>; Tue, 4 Aug 1998 14:20:26 -0700
Message-ID: <35C77A3F.3F33843D@wildapache.net>
Date: Tue, 04 Aug 1998 14:16:47 -0700
From: Support <support@wildapache.net>
X-Mailer: Mozilla 4.05 [en] (WinNT; U)
MIME-Version: 1.0
To: linux-security@redhat.com
Subject: Webmin Security
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-moderate: yes
We are evaluating Webmin to host on our servers (running RedHat5.1) and
would like to know about any security issues that you are aware of with
Webmin under RedHat.
I have heard that there are some security issues, but am not sure what
they are.
Thank you,
Murrah Boswell
Senior Network Engineer
Wild Apache Net
From mail@mail.redhat.com Wed Aug 5 09:47:54 1998
Received: (qmail 480 invoked from network); 5 Aug 1998 07:48:05 -0000
Received: from 3dyn106.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.106)
by mail2.redhat.com with SMTP; 5 Aug 1998 07:48:05 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id JAA15830
for <linux-security@redhat.com>; Wed, 5 Aug 1998 09:47:54 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id JAA00650
for linux-security@redhat.com; Wed, 5 Aug 1998 09:47:44 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 08:04:56 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id WAA04252
for <wolff@dutepp0.et.tudelft.nl>; Tue, 4 Aug 1998 22:56:26 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id WAA12907 for
<r.e.wolff@BitWizard.nl>; Tue, 4 Aug 1998 22:44:45 +0200
Received: (qmail 30072 invoked by uid 501); 4 Aug 1998 20:55:09 -0000
Received: (qmail 22214 invoked from network); 4 Aug 1998 20:52:13 -0000
Received: from krang.parl.eng.clemson.edu (130.127.210.16)
by mail2.redhat.com with SMTP; 4 Aug 1998 20:52:12 -0000
Received: from hell.parl.eng.clemson.edu by krang.parl.eng.clemson.edu;
(5.65v3.2/1.1.8.2/20Apr98-0933AM)
id AA00740; Tue, 4 Aug 1998 15:45:44 -0400
Date: Tue, 4 Aug 1998 16:54:34 -0400 (EDT)
From: Rob Ross <rbross@parl.eng.clemson.edu>
Reply-To: Rob Ross <rbross@parl.eng.clemson.edu>
To: linux-security@redhat.com
Cc: Jarmo Karvonen <karvonen@dawn.joensuu.fi>,
Emerson Renato Cavallari <emerson@bcrp.pcarp.usp.br>
Subject: summary of responses to "firewalls, a practical question"
Message-Id:
<Pine.LNX.3.95.980804165054.12859E-100000@hell.parl.eng.clemson.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
A little over a week ago I posted asking about setting up a linux box
between an existing router and a switch in order to provide firewall
service to a subnet of machines. I was curious what experience others
had with this type of setup in terms of machines, configurations, and
the appropriateness of using linux in this manner.
There were basically three issues discussed in replies: hardware
requirements, configuration issues, and alternative options. I'll cover
these in that order.
The consensus seems to be that a PPro, P2, alpha, or newer sparc could
do the job. The main concern seems to be in getting the fastest bus
possible. However, Bryan Davis seems to be having great luck using a
P133.
Bryan Davis <davisb@execpc.com> wrote:
> I work at a large midwest ISP, and we have all our internal employee use
> computers running through a SOCKS5 firewall system. There are about 120
> computers that are running on this firewall on a daily basis through 10/100
> mbit network connections. The system it is running is only a P133 with a
> SCSI hard drive. I run this at home also, and it works very well.
Seifried <seifried@seifried.org> pointed out that the 2.1 kernels seem
to have better network performance. Dave Cinege specifically mentioned
the Linux Router Project (http://www.linuxrouter.org/) and their work
in this area. He points out that traffic characteristics seem to have
a significant impact on the effective throughput:
Dave Cinege <dcinege@psychosis.com> wrote:
> We still don't have any really good network performance benchmark
> figures using LRP [ Linux Router Project ], because we don't have a good
> net benchmark to use. From what I have seen linux chokes a bit on small
> packets, but can do quite well with larger ones. In one example I saw
> the box could only handle 10Mb/s @64bytes, but at 1500byte packets it
> could do 100Mb no problem. I'd say avg traffic is closer to 1500 than it
> is 64. (to further complicate things any firewalling will affect this)
>
> Without question 200Mb/s is quite demanding and a 'real' firewall will
> probably give you better performance. Of course we are talking VERY big
> money for such an item, and maybe $400 to build your own. The question
> is will LRP give adequate performance...I don't know. I do know people
> using it in 100Mb apps (myself included) but don't know people doing so
> at very high load.
As far as configuration is concerned, there were a number of approaches
mentioned. I'm basically going to perform IP filtering only for the
time being, no masquerading or proxies. The linux router project, the
firewall HOWTO, the bridging+firewall HOWTO, and the O'Reilly firewall
book were mentioned among others as good sources for information.
FYI I'm going to try to basically use the kernel firewall support in 2.0
and some proxy arp to get the job done. We'll see...
Finally the drawbridge system for FreeBSD was mentioned as an
alternative. Some seem to have had better luck with this than with
the linux firewall code. Others seem to be very happy with the
linux implementation.
Wietse Venema <wietse@porcupine.org> wrote:
> Have a look at drawbridge, a filtering bridge that runs at fddi speeds.
>
> ftp://coast.cs.purdue.edu/pub/tools/unix/TAMU/
Robert Hardy <rhardy@aurora.carleton.ca> wrote:
> IMHO from what I've seen so far Linux firewalling is still too immature to
> depend on. You could depend on a firewall based on 2.0.x code; however,
> it seems less secure, has a slightly buggy admin tool with a
> difficult interface. A 2.1.x series firewall has more security, a better
> designed system and admin tool but it is based on development code.
>
> We have had our best luck using drawbridge running on freebsd. I'm almost
> certain it will work with FDDI. The card requirements are based on what
> FreeBSD supports.
Jeff Gray <jeffg@provenance.com.au> wrote:
> Definitely. On the grounds of stability, security & cost, it's an excellent
> solution.
>
> [snip]
>
> I've used Linux as a firewall for various companies for the past 4
> years. I've been very happy with it & never had grounds to feel unhappy
> with it from a speed or maintenance point of view. I'm not an expert in
> firewall security, but I've read extensively other people's comments on
> Linux as a firewall & never had grounds to feel that it was insecure
> when properly set up. My system runs essentially forever - I've never
> _had_ to reboot to fix anything & never had it crash.
Thanks to everyone for the responses!
Rob Ross
Parallel Architecture Research Laboratory, Clemson University
mailto:rbross@parl.eng.clemson.edu
http://ece.clemson.edu/parl/rbross/
From mail@mail.redhat.com Wed Aug 5 10:54:55 1998
Received: (qmail 31219 invoked from network); 5 Aug 1998 08:55:36 -0000
Received: from 3dyn106.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.106)
by mail2.redhat.com with SMTP; 5 Aug 1998 08:55:36 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id KAA15959
for <linux-security@redhat.com>; Wed, 5 Aug 1998 10:54:55 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id KAA00836
for linux-security@redhat.com; Wed, 5 Aug 1998 10:54:44 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 10:43:24 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id KAA10316
for <wolff@dutepp0.et.tudelft.nl>; Wed, 5 Aug 1998 10:42:39 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id KAA13252 for
<r.e.wolff@BitWizard.nl>; Wed, 5 Aug 1998 10:31:03 +0200
Received: (qmail 28772 invoked by uid 501); 5 Aug 1998 08:36:27 -0000
Received: (qmail 16219 invoked from network); 5 Aug 1998 08:30:07 -0000
Received: from dlft2-p84.worldonline.nl (HELO jvelders.tn.tudelft.nl)
(root@195.241.158.84)
by mail2.redhat.com with SMTP; 5 Aug 1998 08:30:07 -0000
Received: from localhost (jpv@localhost [127.0.0.1]) by jvelders.tn.tudelft.nl
(8.8.7/8.8.3) with SMTP id KAA00974; Wed, 5 Aug 1998 10:30:04 +0200
Date: Wed, 5 Aug 1998 10:30:03 +0200 (CEST)
From: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
X-Sender: jpv@jp-gp.vsi.nl
To: linux-security@redhat.com
cc: jpv@aacc.nl
Subject: Problem with TCP_wrappers
Message-ID: <Pine.LNX.3.96.980805102226.960A-100000@jp-gp.vsi.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Hi,
I'm running into something weird here.
I'm using RH5.1 with tcp_wrappers 7.6.
The syntax for hosts.allow and hosts.deny is:
<service list> : <access list> [ : <shell_command> ]
Everything works when I _don't_ use the shell_command.
When I use the _exact_ line from the man pages utilising "safe_finger"
(which comes with tcp_wrappers), tcpdchk breaks on it, and tcp_wrappers
"ignores" the line. In my test I used a default deny, opened up ftp to
all and put the safe_finger line in; result: I can't ftp to localhost or
from any other machine via TCP/IP...
Does anybody know if this is standard behaviour under RH5.1?
I would like to use the feature to log all the info tcp_wrappers can obtain
about the remote side.
tcp_wrappers also has a special compile-time option which gives more
functionality with all the rules, but then you have to combine all the rules
into _one_ file "hosts.access" (I think!), and hosts.{allow,deny} don't
function. But it doesn't look like it's compiled that way
(-DPROCESS_OPTIONS)...
Can somebody shed some light on this?
Thanks in advance!
Greetings,
Jan-Philip Velders
<jpv@aacc.nl>
<jpv@jvelders.tn.tudelft.nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From mail@mail.redhat.com Wed Aug 5 17:22:22 1998
Received: (qmail 6380 invoked from network); 5 Aug 1998 15:22:52 -0000
Received: from 3dyn106.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.106)
by mail2.redhat.com with SMTP; 5 Aug 1998 15:22:52 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id RAA16597
for <linux-security@redhat.com>; Wed, 5 Aug 1998 17:22:22 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id RAA01483
for linux-security@redhat.com; Wed, 5 Aug 1998 17:22:12 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 16:35:30 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id QAA14116
for <wolff@dutepp0.et.tudelft.nl>; Wed, 5 Aug 1998 16:34:07 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id QAA13550 for
<r.e.wolff@BitWizard.nl>; Wed, 5 Aug 1998 16:22:25 +0200
Received: (qmail 5833 invoked by uid 501); 5 Aug 1998 14:15:53 -0000
Received: (qmail 5818 invoked from network); 5 Aug 1998 14:15:52 -0000
Received: from aragorn.ics.muni.cz (147.251.4.33)
by mail2.redhat.com with SMTP; 5 Aug 1998 14:15:52 -0000
Received: from anxur.fi.muni.cz (0@anxur.fi.muni.cz [147.251.48.3])
by aragorn.ics.muni.cz (8.8.5/8.8.5) with ESMTP id QAA12364;
Wed, 5 Aug 1998 16:12:07 +0200 (MET DST)
Received: from gloin.fi.muni.cz (root@gloin.fi.muni.cz [147.251.48.201])
by anxur.fi.muni.cz (8.8.5/8.8.5) with ESMTP id QAA10636;
Wed, 5 Aug 1998 16:12:03 +0200 (MET DST)
Received: from gloin.fi.muni.cz (kas@localhost [127.0.0.1]) by gloin.fi.muni.cz
(8.8.7/8.7.3) with ESMTP id QAA02596; Wed, 5 Aug 1998 16:12:01 +0200
Message-Id: <199808051412.QAA02596@gloin.fi.muni.cz>
Mime-version: 1.0
Content-Type: text/plain; charset=iso-8859-2
Content-Transfer-Encoding: 8bit
To: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
Cc: linux-security@redhat.com
Subject: [linux-security] Re: Problem with TCP_wrappers
In-reply-to: Your message of "Wed, 05 Aug 1998 10:30:03 +0200."
<Pine.LNX.3.96.980805102226.960A-100000@jp-gp.vsi.nl>
Date: Wed, 05 Aug 1998 16:11:59 +0200
From: Jan Kasprzak <kas@informatics.muni.cz>
X-moderate: yes
Jan-Philip Velders wrote:
[...]
: I'm using RH5.1 with tcp_wrappers 7.6.
[...]
: The tcp_wrappers also have a special compile-time-option which gives more
: functionality with all the rules, but then you have to combine all the rules
: into _one_ file "hosts.access" (I think!), and hosts.{allow,deny} don't
: function. But it doesn't look like it's compiled that way
: (-DPROCESS_OPTIONS)...
I think tcp_wrappers 7.6 was built using -DPROCESS_OPTIONS.
At least the "twist" keyword works for me in hosts.{allow,deny}
(see the hosts_options(5) manpage). I don't know anything about the
hosts.access file, though.
While we are on this topic, I am still having problems with
the "setenv" keyword in hosts.{allow,deny}. It simply does not
work for me. I have tried to use the "setenv" keyword for qmail's incoming
mail:
tcp-env: ALL@.local.domain : setenv RELAYCLIENT
The environment variable is not set for tcp-env.
I have to change this line to the following:
tcp-env: ALL@.local.domain : twist /path/relayclient
where /path/relayclient is the following script:
#!/bin/bash
# a variable that is exported but never assigned does not appear in the
# environment of the child process; give it a (here empty) value
export RELAYCLIENT=""
/var/qmail/bin/tcp-env ... ...
It works, but gives me a "twist" syslog message for each connection.
On RH4.2 the tcp_wrappers' setenv worked OK. In 5.0 and 5.1 it does not
work.
-Yenya
--
\ Jan "Yenya" Kasprzak <kas at fi.muni.cz>
http://www.fi.muni.cz/~kas/
\\ PGP: finger kas at aisa.fi.muni.cz 0D99A7FB206605D7 8B35FCDE05B18A5E //
\\\ Czech Linux Homepage: http://www.linux.cz/ ///
If there are race conditions in programs fix them. The "my programs suck fix
something else" mentality leads you to things like Java. -- Alan Cox
From mail@mail.redhat.com Thu Aug 6 08:04:07 1998
Received: (qmail 23059 invoked from network); 6 Aug 1998 06:47:56 -0000
Received: from 3dyn130.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.130)
by mail2.redhat.com with SMTP; 6 Aug 1998 06:47:56 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA18881
for <linux-security@redhat.com>; Thu, 6 Aug 1998 08:04:07 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00397
for linux-security@redhat.com; Thu, 6 Aug 1998 08:03:57 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 20:30:50 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id UAA17149
for <wolff@dutepp0.et.tudelft.nl>; Wed, 5 Aug 1998 20:26:48 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id UAA13735 for
<r.e.wolff@BitWizard.nl>; Wed, 5 Aug 1998 20:15:02 +0200
Received: (qmail 6691 invoked by uid 501); 5 Aug 1998 18:22:29 -0000
Received: (qmail 5554 invoked from network); 5 Aug 1998 18:22:04 -0000
Received: from gvelders.tn.tudelft.nl (HELO jvelders.tn.tudelft.nl)
(root@130.161.108.37)
by mail2.redhat.com with SMTP; 5 Aug 1998 18:22:04 -0000
Received: from localhost (jpv@localhost [127.0.0.1]) by jvelders.tn.tudelft.nl
(8.8.7/8.8.3) with SMTP id UAA03586 for <linux-security@redhat.com>; Wed,
5 Aug 1998 20:20:52 +0200
Date: Wed, 5 Aug 1998 20:20:51 +0200 (CEST)
From: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
X-Sender: jpv@jp-gp.vsi.nl
To: linux-security@redhat.com
Subject: [linux-security] Re: Problem with TCP_wrappers
In-Reply-To: <Pine.LNX.3.96.980805102226.960A-100000@jp-gp.vsi.nl>
Message-ID: <Pine.LNX.3.96.980805201804.2744F-100000@jp-gp.vsi.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Status: O
Hi,
I want to thank everyone who was kind enough to mail me things.
The problem was that I didn't find "-DPROCESS_OPTIONS" in the Makefile (I
installed the updated .src.rpm... etc.).
It seems RedHat 5.1 is compiled with it; a notice in the docs or man pages
might help...
Anyway, the solution is to use "spawn <shell-command>".
(Another option, "twist", passes the connection to the "command" instead of
running the specified daemon.)
Again, thanks to everyone!
Greetings,
Jan-Philip Velders
<jpv@jvelders.tn.tudelft.nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
From mail@mail.redhat.com Thu Aug 6 08:04:15 1998
Received: (qmail 23245 invoked from network); 6 Aug 1998 06:48:01 -0000
Received: from 3dyn130.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.130)
by mail2.redhat.com with SMTP; 6 Aug 1998 06:48:01 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA18889
for <linux-security@redhat.com>; Thu, 6 Aug 1998 08:04:15 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00409
for linux-security@redhat.com; Thu, 6 Aug 1998 08:04:05 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 20:16:24 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id UAA17041
for <wolff@dutepp0.et.tudelft.nl>; Wed, 5 Aug 1998 20:15:40 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id UAA13721 for
<r.e.wolff@BitWizard.nl>; Wed, 5 Aug 1998 20:04:04 +0200
Received: (qmail 21758 invoked by uid 501); 5 Aug 1998 18:14:48 -0000
Received: (qmail 21698 invoked from network); 5 Aug 1998 18:14:46 -0000
Received: from umbilical.porcupine.org (HELO spike.porcupine.org)
(168.100.189.1)
by mail2.redhat.com with SMTP; 5 Aug 1998 18:14:46 -0000
Received: by spike.porcupine.org (VMailer, from userid 100)
id 458BFDA13E; Wed, 5 Aug 1998 14:14:41 -0400 (EDT)
Subject: [linux-security] Re: Problem with TCP_wrappers
To: kas@informatics.muni.cz (Jan Kasprzak)
Date: Wed, 5 Aug 1998 14:14:41 -0400 (EDT)
Cc: jpv@jvelders.tn.tudelft.nl, linux-security@redhat.com
In-Reply-To: <199808051412.QAA02596@gloin.fi.muni.cz> from Jan Kasprzak at
"Aug 5, 98 04:11:59 pm"
Organization: Wietse Venema, White Plains, NY, USA
X-Time-Zone: USA EST, 6 hours behind central European time
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19980805181441.458BFDA13E@spike.porcupine.org>
From: wietse@porcupine.org (Wietse Venema)
X-moderate: yes
Jan Kasprzak:
> the "setenv" keyword in the hosts.{allow,deny}. It simply does not
> work for me. I have tried to use the "setenv" keyword for qmail's incoming
> mail:
>
> tcp-env: ALL@.local.domain : setenv RELAYCLIENT
In the HOSTS_OPTIONS(5) manual page, I wrote:
setenv name value
    Place a (name, value) pair into the process environment. The value
    is subjected to %<letter> expansions and may contain whitespace (but
    leading and trailing blanks are stripped off).
Translation: you need to specify a value for the RELAYCLIENT variable.
Wietse
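The three tcp_wrappers exchanges above (the safe_finger line that tcpdchk rejects and that locked ftp out, the spawn/twist follow-up, and the setenv RELAYCLIENT question answered from hosts_options(5)) all turn on how a rule's third field is read once tcp_wrappers is built with -DPROCESS_OPTIONS. What follows is an added example, not code from tcp_wrappers or from any of the posters: a small Python model of hosts.allow/hosts.deny evaluation in that dialect. It assumes the caller supplies the client's address and resolved name (no DNS or RFC931 lookups); it models only ALL, the ALL@host form, leading-dot domain suffixes and exact names, the allow/deny/spawn/setenv options (twist is left out), and the expansions %a, %h, %d and %%; the sample tables, hosts and addresses are constructed. A matching rule whose option field does not parse is treated as refusing the connection, which is the lock-out the first poster reported; rejecting a setenv without a value follows the manual page text quoted above and is the checker's own strictness, not a claim about how the shipped binary behaves.

```python
"""Model of tcp_wrappers hosts.allow/hosts.deny evaluation in the PROCESS_OPTIONS
dialect (hosts_options(5)). Added example, not tcp_wrappers code: no DNS/RFC931
lookups, only the patterns and options used below, and a matching rule whose
option field does not parse refuses the connection, as the first poster saw."""
from __future__ import annotations
from dataclasses import dataclass, field
import re

OPTIONS = {"allow", "deny", "spawn", "setenv"}  # twist is not modelled here

@dataclass
class Request:
    daemon: str     # process name, e.g. "in.ftpd" or "tcp-env"
    addr: str       # client IP address
    host: str = ""  # resolved client name, "" when unknown

@dataclass
class Verdict:
    allowed: bool
    env: dict = field(default_factory=dict)    # results of setenv
    spawn: list = field(default_factory=list)  # spawn commands to run
    error: str | None = None                   # why a matching rule was unusable

def split_fields(line: str) -> list[str]:
    # ':' separates fields; a backslash-escaped colon inside an option is literal
    return [f.replace("\\:", ":").strip() for f in re.split(r"(?<!\\):", line)]

def parse_options(fields: list[str]) -> list[tuple[str, str]]:
    """Validate option fields without a request, as tcpdchk does."""
    parsed = []
    for opt in fields:
        name, _, arg = opt.strip().partition(" ")
        name, arg = name.lower(), arg.strip()
        if name not in OPTIONS:  # a raw shell command in the third field lands here
            raise ValueError(f"bad option name: {name!r}")
        if name == "setenv" and len(arg.split(None, 1)) < 2:
            # hosts_options(5) gives 'setenv name value'; rejecting a missing
            # value is this checker's own strictness, not a claim about tcpd
            raise ValueError(f"setenv: value required for {arg!r}")
        parsed.append((name, arg))
    return parsed

def lint(line: str) -> str | None:
    # tcpdchk-style check of one rule: the error message, or None if it parses
    try:
        parse_options(split_fields(line)[2:])
    except ValueError as exc:
        return str(exc)
    return None

def expand(text: str, req: Request) -> str:
    # %a address, %h name (address if unknown), %d daemon name, %% percent
    table = {"a": req.addr, "h": req.host or req.addr, "d": req.daemon, "%": "%"}
    return re.sub(r"%(.)", lambda m: table.get(m.group(1), m.group(0)), text)

def match_token(pat: str, req: Request, daemon_side: bool) -> bool:
    if daemon_side:
        return pat in ("ALL", req.daemon)
    if pat.startswith("ALL@"):  # user@host form; only the any-user case is modelled
        pat = pat[4:]
    if pat == "ALL":
        return True
    if pat.startswith("."):  # domain suffix
        return req.host.endswith(pat)
    return pat in (req.host, req.addr)

def match_list(spec: str, req: Request, daemon_side: bool) -> bool:
    return any(match_token(t, req, daemon_side) for t in spec.replace(",", " ").split())

def hosts_access(allow: list[str], deny: list[str], req: Request) -> Verdict:
    """hosts.allow first, then hosts.deny, first match wins; no match grants."""
    for table, granted in ((allow, True), (deny, False)):
        for raw in table:
            if not raw.strip() or raw.lstrip().startswith("#"):
                continue
            f = split_fields(raw)
            if len(f) < 2 or not (match_list(f[0], req, True) and match_list(f[1], req, False)):
                continue
            try:
                opts = parse_options(f[2:])
            except ValueError as exc:  # the refusal the first poster ran into
                return Verdict(False, error=str(exc))
            v = Verdict(granted)
            for name, arg in opts:
                if name == "setenv":
                    var, val = arg.split(None, 1)
                    v.env[var] = expand(val, req)
                elif name == "spawn":
                    v.spawn.append(expand(arg, req))
                else:
                    v.allowed = name == "allow"
            return v
    return Verdict(True)

# Constructed sample tables; hosts and addresses are made up.
HOSTS_ALLOW = [
    "# raw shell command: valid without PROCESS_OPTIONS, a bad option with it",
    "in.ftpd: ALL : (/usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root) &",
    "in.telnetd: .example.org : spawn /usr/sbin/safe_finger -l @%h | /bin/mail -s %d-%h root",
    "tcp-env: ALL@.local.domain : setenv RELAYCLIENT 1",
]
HOSTS_DENY = ["ALL: ALL : spawn /usr/bin/logger tcpd refused %d from %h"]
```

Run lint() over each line of a table to get what tcpdchk would complain about: with the sample tables the in.ftpd line is reported as a bad option name because its raw shell command needs a leading spawn, and a tcp-env line is accepted only once RELAYCLIENT is given a value. hosts_access() shows the search order: a request matched in hosts.allow is granted with its spawn commands and environment recorded, one matched only in hosts.deny is refused (here with the logger command expanded), and one matched by neither is granted.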
From mail@mail.redhat.com Thu Aug 6 08:06:53 1998
Received: (qmail 23666 invoked from network); 6 Aug 1998 06:48:09 -0000
Received: from 3dyn130.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.130)
by mail2.redhat.com with SMTP; 6 Aug 1998 06:48:09 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA18933
for <linux-security@redhat.com>; Thu, 6 Aug 1998 08:06:53 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00422
for linux-security@redhat.com; Thu, 6 Aug 1998 08:06:44 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 21:05:17 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id VAA17425
for <wolff@dutepp0.et.tudelft.nl>; Wed, 5 Aug 1998 21:04:00 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id UAA13759 for
<r.e.wolff@BitWizard.nl>; Wed, 5 Aug 1998 20:52:25 +0200
Received: (qmail 7031 invoked by uid 501); 5 Aug 1998 19:02:33 -0000
Received: (qmail 6973 invoked from network); 5 Aug 1998 19:02:30 -0000
Received: from seifried-gateway.powersurfr.com (24.108.11.202)
by mail2.redhat.com with SMTP; 5 Aug 1998 19:02:30 -0000
Received: from shumira (shumira.seifried.org [10.0.0.20])
by seifried-gateway.powersurfr.com (8.9.1/8.9.1) with SMTP id NAA08677
for <linux-security@redhat.com>; Wed, 5 Aug 1998 13:03:20 -0600
Message-ID: <001b01bdc0a3$9cf8df80$0101a8c0@shumira.seifried.org>
Reply-To: "seifried" <seifried@seifried.org>
From: "seifried" <seifried@seifried.org>
To: <linux-security@redhat.com>
Subject: IP Security for Linux (IPSec)
Date: Wed, 5 Aug 1998 13:02:37 -0600
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Priority: 3
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 4.72.3115.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.72.3110.3
X-moderate: yes
I've kept this one on the back burner for a while, waiting for it to
mature before attempting to use it, and now having seen OpenBSD
ship with IPSec I'm getting a bit impatient =).
What is the status of IPSec for Linux (and more specifically RedHat)?
By this I mean I just did some www browsing/etc and found about a
half dozen different implementations, ranging from NRL, to a NIST
patch for RedHat 5.1, swan, ip<br>nsec, etc, etc.
Does RedHat have any official word on this? I know including IPSec
would be a pain in the butt, being that they are in the US (OpenBSD
moved their official head end distribution site to the local university,
cared for by the guy who is also head of the local LUG... go fig).
I'm going to be experimenting with the various IPSec packages for
Linux (specifically under RedHat 5.1) and will post any positive results
back to the list; I would also appreciate it if anyone else who has
experimented with IPSec under Linux would do likewise. It's rather simplistic
to say but basically true that using IPSec would solve many, many security
problems and risks that we currently suffer (have you ever tried
implementing Kerberos? not fun).
-seifried
From mail@mail.redhat.com Thu Aug 6 08:08:36 1998
Received: (qmail 28245 invoked from network); 6 Aug 1998 06:51:28 -0000
Received: from 3dyn130.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.130)
by mail2.redhat.com with SMTP; 6 Aug 1998 06:51:28 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA18943
for <linux-security@redhat.com>; Thu, 6 Aug 1998 08:08:36 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00434
for linux-security@redhat.com; Thu, 6 Aug 1998 08:08:26 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 08:03:06 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id BAA19751
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 01:23:38 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id BAA13874 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 01:12:02 +0200
Received: (qmail 1554 invoked by uid 501); 5 Aug 1998 23:23:33 -0000
Received: (qmail 1539 invoked from network); 5 Aug 1998 23:23:32 -0000
Received: from elwood.library.arizona.edu (rgwork@128.196.51.8)
by mail2.redhat.com with SMTP; 5 Aug 1998 23:23:32 -0000
Received: from localhost (rgwork@localhost)
by elwood.library.arizona.edu (8.8.7/8.8.7) with SMTP id QAA17235
for <linux-security@redhat.com>; Wed, 5 Aug 1998 16:34:59 -0700
Date: Wed, 5 Aug 1998 16:34:59 -0700 (MST)
From: "R. Grunloh's work mailing list acct."
<rgwork@elwood.library.arizona.edu>
Reply-To: "R. Grunloh's work mailing list acct."
<rgwork@elwood.library.arizona.edu>
To: linux-security@redhat.com
Subject: "mailbox vulnerable" messages
Message-ID:
<Pine.LNX.3.96.980805161407.17020A-100000@elwood.library.arizona.edu>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Hi,
I'm running 2 RH5.0 mailservers here with patches from the errata through
around July 23, including imap-4.1.final-1. Shortly after installing the
latter, we got "mailbox vulnerable, can't create lockfile" messages, only
from clients using an old version of PC-Pine.
We can migrate those users, but then I noticed that fetchmail gives the
same error when run with the -v (verbose) flag.
We have quite a few users who have Netscape 4.1 (Windows) imap mail at
work, but also use pine from home. They aren't exactly power users and
often forget to close Netscape before leaving. I have no control over
this client setup.
My question is, under these circumstances, wouldn't allowing the lockfile
creation in /var/spool/mail be a wiser choice than risking inbox problems?
Actually I think the best way would be to set the lockfiles to be created
in /tmp or in their home directory, does anyone know how to do that? Could
it be a compile option (in imap or which pkg?)
I'm trying to be reasonably secure here, and do my homework, but haven't
seen much discussion on this issue. Perhaps I have misconfigured
permissions?
[rgrunloh@elwood /var/spool]$ ls -al
total 9
drwxr-xr-x 9 root root 1024 Mar 24 12:26 .
drwxr-xr-x 15 root root 1024 Jun 9 09:52 ..
drwx------ 3 daemon daemon 1024 Mar 21 15:22 at
drwx------ 2 root root 1024 Jun 17 1997 cron
drwxrwxr-x 3 root daemon 1024 May 11 15:35 lpd
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 mail
drwxr-xr-x 2 root mail 1024 Aug 5 16:26 mqueue
...
[rgrunloh@elwood /var/spool/mail]$ ls -al
total 2386
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 .
drwxr-xr-x 9 root root 1024 Mar 24 12:26 ..
-rw-rw---- 1 dstarkey mail 891 May 20 11:53 dstarkey
-rw-rw---- 1 icsuser mail 0 Mar 24 16:35 icsuser
-rw-rw---- 1 rgrunloh mail 0 Jun 6 07:12 rgrunloh
...
Thanks.
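Added example for the question above, not code from the poster or from the imap package: it evaluates, from an ls -al listing like the one posted, whether a given user can create a new file (the dot-lock) in /var/spool/mail, and whether the user's own mailbox file is readable by anyone else. It handles classic Unix mode bits only (no ACLs); the listings are constructed to mirror those in the post, and the 1777 variant is the traditional world-writable, sticky spool, added here as the alternative the poster is weighing. Group membership is passed in explicitly because the permission that matters is whether the program touching the spool runs with group mail, which the listing alone does not tell you.

```python
"""Can a mail user create the dot-lock file (user.lock) in the mail spool?
That create() is the step the "mailbox vulnerable, can't create lockfile"
message in the post above reports as failing. Added example, not code from
the poster or from the imap package: classic Unix mode bits only (no ACLs);
the listings below are constructed to mirror the ones in the post."""
from __future__ import annotations
from dataclasses import dataclass

@dataclass(frozen=True)
class Entry:
    name: str
    mode: str   # ls -l mode string, e.g. "drwxrwxr-x"
    owner: str
    group: str

def parse_ls(listing: str) -> dict[str, Entry]:
    """Index 'ls -al' output by name; 'total' and '...' lines are skipped."""
    entries = {}
    for line in listing.strip().splitlines():
        parts = line.split()
        if len(parts) >= 9 and parts[0][0] in "d-l":
            entries[parts[-1]] = Entry(parts[-1], parts[0], parts[2], parts[3])
    return entries

def triad_for(entry: Entry, user: str, groups: set[str]) -> tuple[str, str]:
    """The rwx triad that applies to user: owner, group or other."""
    if user == entry.owner:
        return "owner", entry.mode[1:4]
    if entry.group in groups:
        return "group", entry.mode[4:7]
    return "other", entry.mode[7:10]

def can_create_in(directory: Entry, user: str, groups: set[str]) -> bool:
    """A new file needs write and search (x, s or t) on the directory; root bypasses."""
    if user == "root":
        return True
    _, triad = triad_for(directory, user, groups)
    return triad[1] == "w" and triad[2] in "xst"

def dotlock_report(spool_listing: str, user: str, groups: set[str]) -> dict:
    """Explain whether user can create a lock file in the 'mail' spool directory."""
    spool = parse_ls(spool_listing)["mail"]
    who, triad = triad_for(spool, user, groups)
    sticky = spool.mode[9] in "tT"  # others may create files but remove only their own
    return {
        "can_create_lock": can_create_in(spool, user, groups),
        "via": f"{who} bits {triad!r} of {spool.mode} {spool.owner}:{spool.group}",
        "sticky": sticky,
        "world_writable_without_sticky": spool.mode[8] == "w" and not sticky,
    }

def mailbox_private(mail_listing: str, user: str) -> bool:
    """True when nobody outside the owner and group can read the user's mailbox."""
    return parse_ls(mail_listing)[user].mode[7:10] == "---"

# Constructed listings mirroring the post: /var/spool and /var/spool/mail.
VAR_SPOOL = """
total 9
drwxr-xr-x 9 root root 1024 Mar 24 12:26 .
drwxr-xr-x 15 root root 1024 Jun 9 09:52 ..
drwx------ 3 daemon daemon 1024 Mar 21 15:22 at
drwx------ 2 root root 1024 Jun 17 1997 cron
drwxrwxr-x 3 root daemon 1024 May 11 15:35 lpd
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 mail
drwxr-xr-x 2 root mail 1024 Aug 5 16:26 mqueue
...
"""
# The same directory as 1777: the traditional world-writable, sticky spool.
VAR_SPOOL_1777 = VAR_SPOOL.replace("drwxrwxr-x 2 root mail", "drwxrwxrwt 2 root mail")
VAR_SPOOL_MAIL = """
total 2386
drwxrwxr-x 2 root mail 1024 Aug 5 16:26 .
drwxr-xr-x 9 root root 1024 Mar 24 12:26 ..
-rw-rw---- 1 dstarkey mail 891 May 20 11:53 dstarkey
-rw-rw---- 1 icsuser mail 0 Mar 24 16:35 icsuser
-rw-rw---- 1 rgrunloh mail 0 Jun 6 07:12 rgrunloh
"""
```

With the posted mode (drwxrwxr-x root:mail) a user who is not in group mail is evaluated against the "other" bits r-x and cannot create the lock file, which is the condition behind the message; a client that runs with group mail can. The same directory as 1777 lets every user create lock files while the sticky bit keeps them from removing each other's, and the mailbox files themselves (-rw-rw---- user:mail) are already unreadable by anyone else, so the directory, not the mailboxes, is where the posted configuration blocks the lock.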
From mail@mail.redhat.com Thu Aug 6 13:26:25 1998
Received: (qmail 32217 invoked from network); 6 Aug 1998 11:26:34 -0000
Received: from 3dyn130.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.130)
by mail2.redhat.com with SMTP; 6 Aug 1998 11:26:34 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id NAA19486
for <linux-security@redhat.com>; Thu, 6 Aug 1998 13:26:25 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id NAA01023
for linux-security@redhat.com; Thu, 6 Aug 1998 13:26:15 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 12:58:13 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id MAA24935
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 12:55:31 +0200 (MET DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id MAA14219 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 12:43:54 +0200
Received: (qmail 14743 invoked by uid 501); 6 Aug 1998 10:55:24 -0000
Received: (qmail 14728 invoked from network); 6 Aug 1998 10:55:23 -0000
Received: from ferret.lmh.ox.ac.uk (qmailr@163.1.138.204)
by mail2.redhat.com with SMTP; 6 Aug 1998 10:55:23 -0000
Received: (qmail 14220 invoked by uid 501); 6 Aug 1998 10:55:22 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
by localhost with SMTP; 6 Aug 1998 10:55:22 -0000
Date: Thu, 6 Aug 1998 11:55:21 +0100 (GMT)
From: Chris Evans <chris@ferret.lmh.ox.ac.uk>
To: Wietse Venema <wietse@porcupine.org>
cc: Jan Kasprzak <kas@informatics.muni.cz>, jpv@jvelders.tn.tudelft.nl,
linux-security@redhat.com
Subject: [linux-security] Re: Problem with TCP_wrappers
In-Reply-To: <19980805181441.458BFDA13E@spike.porcupine.org>
Message-ID: <Pine.LNX.3.96.980806115314.14032A-100000@ferret.lmh.ox.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
On Wed, 5 Aug 1998, Wietse Venema wrote:
> Jan Kasprzak:
> > the "setenv" keyword in the hosts.{allow,deny}. It simply does not
> > work for me. I have tried to use the "setenv" keyword for qmail's incoming
> > mail:
> >
> > tcp-env: ALL@.local.domain : setenv RELAYCLIENT
>
> In the HOSTS_OPTIONS(5) manual page, I wrote:
>
> setenv name value
>     Place a (name, value) pair into the process environment. The value
>     is subjected to %<letter> expansions and may contain whitespace (but
>     leading and trailing blanks are stripped off).
Redhat-5.1 shipped a broken tcp_wrappers in which setenv does not work. We
discovered this the hard way when we upgraded 4.2->5.1.
RedHat released a rapid update when we traced our qmail problem to
tcp_wrappers. Get the tcp_wrappers update and you should be laughing.
Cheers
Chris
From mail@mail.redhat.com Thu Aug 6 15:22:09 1998
Received: (qmail 23823 invoked from network); 6 Aug 1998 13:48:25 -0000
Received: from 3dyn130.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.130)
by mail2.redhat.com with SMTP; 6 Aug 1998 13:48:25 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id PAA19713
for <linux-security@redhat.com>; Thu, 6 Aug 1998 15:22:09 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id PAA01344
for linux-security@redhat.com; Thu, 6 Aug 1998 15:21:59 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 15:16:39 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id PAA27005
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 15:13:27 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id PAA14324 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 15:01:50 +0200
Received: (qmail 22155 invoked by uid 501); 6 Aug 1998 13:13:21 -0000
Received: (qmail 22135 invoked from network); 6 Aug 1998 13:13:20 -0000
Received: from mailserv.mta.ca (138.73.101.5)
by mail2.redhat.com with SMTP; 6 Aug 1998 13:13:20 -0000
Received: from m0336.mta.ca ([138.73.22.226])
by mailserv.mta.ca (8.8.8/8.8.8) with SMTP id KAA16641;
Thu, 6 Aug 1998 10:11:58 -0300 (ADT)
Message-Id: <3.0.5.16.19980806100653.2bffd374@mailserv.mta.ca>
X-Sender: mctaylor@mailserv.mta.ca
X-Mailer: QUALCOMM Windows Eudora Light Version 3.0.5 (16)
Date: Thu, 06 Aug 1998 10:06:53 -0300
To: "seifried" <seifried@seifried.org>,
<linux-security@redhat.com>
From: M Taylor <mctaylor@mta.ca>
Subject: [linux-security] Re: IP Security for Linux (IPSec)
In-Reply-To: <001b01bdc0a3$9cf8df80$0101a8c0@shumira.seifried.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-moderate: yes
At 01:02 PM 8/5/98 -0600, seifried wrote:
>What is the status of IPSec for Linux (and more specifically RedHat)?
>
>Does RedHat have any official word on this? I know including IPSec
>would be a pain in the butt, being that they are in the US (OpenBSD
>moved their official head end distribution site to the local university,
Try impossible. RedHat would not be able to export RedHat IPSec from
US/Canada, without a license, which US Dept of Commerce BXA doesn't grant
unless you're a bank (basically).
But you could expect an rpm from replay.com. :)
The OpenBSD project is based out of Canada, and so is not encumbered by the
US's export laws.
I'm surprised at the lack of excitement over IPSec for Linux, back when I
first read (circa '96) John Gilmore's swan page I figured within a year it
would be in common usage.
-mctaylor
From mail@mail.redhat.com Fri Aug 7 08:27:13 1998
Received: (qmail 29399 invoked from network); 7 Aug 1998 06:27:06 -0000
Received: from 3dyn62.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.62)
by mail2.redhat.com with SMTP; 7 Aug 1998 06:27:06 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA22296
for <linux-security@redhat.com>; Fri, 7 Aug 1998 08:27:13 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00438
for linux-security@redhat.com; Fri, 7 Aug 1998 08:27:04 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 20:14:44 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id UAA29814
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 20:12:34 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id UAA14521 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 20:00:58 +0200
Received: (qmail 19570 invoked by uid 501); 6 Aug 1998 18:12:04 -0000
Received: (qmail 18887 invoked from network); 6 Aug 1998 18:11:49 -0000
Received: from cardinal.almerco.ca (root@206.186.171.40)
by mail2.redhat.com with SMTP; 6 Aug 1998 18:11:49 -0000
Received: from blackbird (epervier.almerco.ca [206.186.171.4])
by cardinal.almerco.ca (8.8.7/8.8.7) with SMTP id NAA19209
for <linux-security@redhat.com>; Thu, 6 Aug 1998 13:08:47 -0400
Message-Id: <199808061708.NAA19209@cardinal.almerco.ca>
X-Sender: mlist@mail.almerco.ca
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0 Demo
Date: Thu, 06 Aug 1998 14:09:42 -0400
To: linux-security@redhat.com
From: Mailing Lists <mlist@almerco.ca>
Subject: IP Filters and Masq for Linux
In-Reply-To: <001b01bdc0a3$9cf8df80$0101a8c0@shumira.seifried.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
X-moderate: yes
Status: O
Hi, I have some questions concerning the ipfwadm and RedHat.
I'm building a firewall for a small cie, and propose using a bare RedHat
5.1 (without any means to connect to it, except through sshd) and have it
acting as a firewall between the DMZ and the internal network. I plan to
do this only using the ipfwadm utility (IP filtering + masquerading). No
redirs inside the internal network, and permissions for everyone inside to
contact anyone outside. No java, activex or javascript filtering.
What are the downs/ups of such a config? How could someone gain access to
a computer inside the firewall, is there any way? (most are NT Wks 4.0 in
a PDC/BDC environment)
Anything I should pay special attention to? I'm planning to use a logchecker
and tripwire to report anything unusual.
Any comments will be appreciated.
If someone else is interested, I'll post a resume of all the answers I'll
be getting to the list.
Thanks!
From mail@mail.redhat.com Fri Aug 7 08:28:58 1998
Received: (qmail 32001 invoked from network); 7 Aug 1998 06:28:58 -0000
Received: from 3dyn62.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.62)
by mail2.redhat.com with SMTP; 7 Aug 1998 06:28:58 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA22310
for <linux-security@redhat.com>; Fri, 7 Aug 1998 08:28:58 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00484
for linux-security@redhat.com; Fri, 7 Aug 1998 08:28:48 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 21:27:11 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id VAA00734
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 21:24:15 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id VAA14556 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 21:12:38 +0200
Received: (qmail 25682 invoked by uid 501); 6 Aug 1998 19:24:09 -0000
Received: (qmail 25670 invoked from network); 6 Aug 1998 19:24:08 -0000
Received: from jvelders.tn.tudelft.nl (root@130.161.48.129)
by mail2.redhat.com with SMTP; 6 Aug 1998 19:24:08 -0000
Received: from localhost (jpv@localhost [127.0.0.1]) by jvelders.tn.tudelft.nl
(8.8.7/8.8.3) with SMTP id VAA03386 for <linux-security@redhat.com>; Thu,
6 Aug 1998 21:19:49 +0200
Date: Thu, 6 Aug 1998 21:19:47 +0200 (CEST)
From: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
X-Sender: jpv@jp-gp.vsi.nl
To: linux-security@redhat.com
Subject: S-98-51: Squid cache corruption alert (fwd)
Message-ID: <Pine.LNX.3.96.980806211841.3360D-100000@jp-gp.vsi.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Status: RO
Hi everyone,
not exactly security, but might give the wrong impression about the state of
your security...
Greetings,
Jan-Philip Velders
<jpv@jvelders.tn.tudelft.nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
_---------- Forwarded message ----------
_Date: Thu, 06 Aug 1998 13:06:59 +0200 (CDT)
_From: Xander Jansen <Xander.Jansen@sec.nl>
_To: cert-nl-ssc@dl.surfnet.nl
_Subject: S-98-51: Squid cache corruption alert
==============================================================================
Security Advisory CERT-NL
==============================================================================
Author/Source : Xander Jansen                    Index  : S-98-51
Distribution  : World                            Page   : 1
Classification: External                         Version: 1
Subject       : Squid cache corruption           Date   : 6-Aug-98
==============================================================================
By courtesy of AUSCERT we received information on a problem with the 1.NOVM
version of the popular Squid web caching tool. This problem can result in
web pages looking corrupted. CERT-NL agrees with the assessment of AUSCERT
that this is not a security problem per se. However, the corrupted web pages
caused by this problem might be mistakenly regarded as a sign of a possible
intrusion.
CERT-NL therefore strongly recommends that sites running the Squid 1.NOVM
web caching server apply the patches or workarounds mentioned below as soon
as possible.
==========================================================================
                        A U S C E R T   A L E R T
                        AL-98.02 -- AUSCERT ALERT
                        Squid cache corruption
                        6 August 1998
                        Last revised: --
==========================================================================
PROBLEM:
Squid is a popular web caching tool. It is used locally by web
clients to maintain static copies of frequently referenced web
pages.
Several sites offering web services have reported to us that they
have been notified by third parties that pages on their web server
appear to have been corrupted. Further investigation has revealed
that the server pages are intact and that the server has not been
compromised.
The problem lies only within version 1.NOVM of the Squid cache
server; it does not lie within the web server, the browser or
other versions of Squid. It occurs when clients are allowed to
request objects from the Squid cache during a fast rebuild when
this version of Squid is restarted.
Under these conditions, when a client (such as a browser) requests
a page stored within the Squid cache, another page appears at the
browser, thus leading the user to believe that the server's page
has been corrupted. If the client is a peer cache (rather than a
browser), the peer cache is now poisoned and may need manual
flushing. Note that if Squid detects that a bad object has been
passed on that object will be purged from its cache, meaning that
it will not be passed on again.
We do not believe this to be a security problem per se. However,
several sites have reported being affected by this problem. In
the interests of assisting our members in identifying a known
problem, we have prepared this alert.
IMPACT:
Clients using Squid to access a cached web page may view a page
other than the one intended. This may cause the client user and
the server administrator to believe that server pages have been
corrupted when this is not the case.
SOLUTION:
If you are providing web caching services using Squid version
1.NOVM, then we encourage you to consider applying the following
patch. Sites not using Squid, or a version other than 1.NOVM do
not need to take any of the steps below.
The Squid developers have made a patch available. The patch can
be obtained from this URL:
http://squid.nlanr.net/Squid/1.NOVM/1.NOVM.22/squid-1.NOVM.22.rebuild_corruption.patch
Before implementing the patch, sites are advised to consult the
documentation at this URL for further information:
http://squid.nlanr.net/Squid/1.NOVM/patches.html
Sites experiencing this problem who are unable to apply a patch in
the short term may wish to use one of the following workarounds:
(1) Always force Squid to use slow rebuild by removing the
cache/log-last-clean file on restarts.
(2) Don't accept requests while rebuilding the cache by starting
Squid with the -F option.
---------------------------------------------------------------------------
AusCERT would like to thank Henrik Nordstrom, Doron Shikmoni of the
Israeli academic CERT, and several anonymous member sites for their
assistance in the workarounds and solution to this problem.
---------------------------------------------------------------------------
The AusCERT team has made every effort to ensure that the information
contained in this document is accurate at the time of publication. However,
the decision to use the information described is the responsibility of
each user or organisation. The appropriateness of this document for an
organisation or individual system should be considered before application
in conjunction with local policies and procedures. AusCERT takes no
responsibility for the consequences of applying the contents of this
document.
==========================================================================
CERT-NL is the Computer Emergency Response Team for SURFnet customers.
SURFnet is the Dutch network for educational, research and related institutes.
CERT-NL is a member of the Forum of Incident Response and Security Teams
(FIRST).
All CERT-NL material is available under:
http://www.surfnet.nl/surfnet/security/cert-nl.html
ftp://ftp.surfnet.nl/surfnet/net-security
In case of computer or network security problems please contact your
local CERT/security-team or CERT-NL (if your institute is NOT a SURFnet
customer please address the appropriate (local) CERT/security-team).
CERT-NL is one/two hour(s) ahead of UTC (GMT) in winter/summer,
i.e. UTC+0100 in winter and UTC+0200 in summer (DST).
Email: cert-nl@surfnet.nl ATTENDED REGULARLY ALL DAYS
Phone: +31 302 305 305 BUSINESS HOURS ONLY
Fax: +31 302 305 329 BUSINESS HOURS ONLY
Snailmail: SURFnet bv
Attn. CERT-NL
P.O. Box 19035
NL - 3501 DA UTRECHT
The Netherlands
EMERGENCIES : 06 52 87 92 82 ATTENDED AT ALL TIMES
EMERGENCIES : +31 6 52 87 92 82 ATTENDED AT ALL TIMES
CERT-NL'S EMERGENCY PHONENUMBER IS ONLY TO BE USED IN CASE OF EMERGENCIES:
THE SURFNET HELPDESK OPERATING THE EMERGENCY NUMBER HAS A *FIXED*
PROCEDURE FOR DEALING WITH YOUR ALERT AND WILL IN REGULAR CASES RELAY IT
TO CERT-NL IN AN APPROPRIATE MANNER. CERT-NL WILL THEN CONTACT YOU.
=============================================================================
From mail@mail.redhat.com Fri Aug 7 08:30:47 1998
Received: (qmail 1612 invoked from network); 7 Aug 1998 06:30:40 -0000
Received: from 3dyn62.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.62)
by mail2.redhat.com with SMTP; 7 Aug 1998 06:30:40 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA22317
for <linux-security@redhat.com>; Fri, 7 Aug 1998 08:30:47 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00523
for linux-security@redhat.com; Fri, 7 Aug 1998 08:30:38 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 22:32:44 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id WAA01509
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 22:29:30 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id WAA14589 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 22:17:53 +0200
Received: (qmail 4009 invoked by uid 501); 6 Aug 1998 20:26:21 -0000
Received: (qmail 738 invoked from network); 6 Aug 1998 20:25:06 -0000
Received: from umbilical.porcupine.org (HELO spike.porcupine.org)
(168.100.189.1)
by mail2.redhat.com with SMTP; 6 Aug 1998 20:25:06 -0000
Received: by spike.porcupine.org (VMailer, from userid 100)
id 4595A4E53F; Thu, 6 Aug 1998 16:25:04 -0400 (EDT)
Subject: [linux-security] Re: Problem with TCP_wrappers
To: kas@informatics.muni.cz (Jan Kasprzak)
Date: Thu, 6 Aug 1998 16:25:04 -0400 (EDT)
Cc: wietse@porcupine.org, linux-security@redhat.com
In-Reply-To: <199808061603.SAA02910@gloin.fi.muni.cz> from Jan Kasprzak at
"Aug 6, 98 06:03:04 pm"
Organization: Wietse Venema, White Plains, NY, USA
X-Time-Zone: USA EST, 6 hours behind central European time
X-Mailer: ELM [version 2.4ME+ PL15 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Message-Id: <19980806202504.4595A4E53F@spike.porcupine.org>
From: wietse@porcupine.org (Wietse Venema)
X-moderate: yes
Status: RO
Wietse Venema:
> What is the problem with a non-empty RELAYCLIENT variable?
Jan Kasprzak:
> Qmail appends its contents to the envelope destination address,
> so it has to be empty. I hope vmailer will be better :-)
> Again, how can I "setenv" an empty variable in tcp-wrappers?
That would involve two small code changes: one to change the syntax
of the `setenv' option; one change to use an empty string as default.
Untested patch follows; it probably works, but given the structure
of the code it is pretty straightforward to fix if need be.
Wietse
*** ./options.c- Thu Aug 6 16:17:52 1998
--- ./options.c Thu Aug 6 16:19:48 1998
***************
*** 116,122 ****
"spawn", spawn_option, NEED_ARG | EXPAND_ARG,
"twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
"rfc931", rfc931_option, OPT_ARG,
! "setenv", setenv_option, NEED_ARG | EXPAND_ARG,
"nice", nice_option, OPT_ARG,
"severity", severity_option, NEED_ARG,
"allow", allow_option, USE_LAST,
--- 116,122 ----
"spawn", spawn_option, NEED_ARG | EXPAND_ARG,
"twist", twist_option, NEED_ARG | EXPAND_ARG | USE_LAST,
"rfc931", rfc931_option, OPT_ARG,
! "setenv", setenv_option, OPT_ARG | EXPAND_ARG,
"nice", nice_option, OPT_ARG,
"severity", severity_option, NEED_ARG,
"allow", allow_option, USE_LAST,
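Review bot: Changing `NEED_ARG` to `OPT_ARG` for `"setenv"` makes the HOSTS_OPTIONS(5) text quoted earlier in this thread, `setenv name value`, no longer describe the syntax; the manual page should say the value may be omitted and then defaults to the empty string. The table change is also only safe together with the null-value default in the next hunk: with `OPT_ARG` the handler can be entered with `value == 0`, and `value + strcspn(value, whitespace)` would dereference it.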
***************
*** 429,434 ****
--- 429,436 ----
{
char *var_value;
+ if (value == 0)
+ value = "";
if (*(var_value = value + strcspn(value, whitespace)))
*var_value++ = 0;
if (setenv(chop_string(value), chop_string(var_value), 1))
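Review bot: `value = "";` points `value` at a string literal, and the lines below pass `value` to `chop_string()` and write through `var_value`; that is safe only because an empty string never reaches `*var_value++ = 0` and leaves `chop_string()` nothing to strip. Defaulting to a one-byte writable array (`static char empty[1];`) would make that independence explicit rather than incidental. Separately, a bare `setenv` with no name now gets as far as `setenv("", "", 1)`, which POSIX setenv() rejects with EINVAL; testing for an empty name after `chop_string(value)` would give the administrator a clearer diagnostic than the generic setenv() failure path.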
From mail@mail.redhat.com Fri Aug 7 08:32:28 1998
Received: (qmail 4303 invoked from network); 7 Aug 1998 06:32:20 -0000
Received: from 3dyn62.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.62)
by mail2.redhat.com with SMTP; 7 Aug 1998 06:32:20 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA22343
for <linux-security@redhat.com>; Fri, 7 Aug 1998 08:32:28 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00613
for linux-security@redhat.com; Fri, 7 Aug 1998 08:32:19 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Wed Aug 5 18:37:21 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id SAA15797
for <wolff@dutepp0.et.tudelft.nl>; Wed, 5 Aug 1998 18:34:01 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id SAA13661 for
<r.e.wolff@BitWizard.nl>; Wed, 5 Aug 1998 18:22:26 +0200
Received: (qmail 3533 invoked by uid 501); 5 Aug 1998 16:07:41 -0000
Received: (qmail 32034 invoked from network); 5 Aug 1998 16:04:42 -0000
Received: from ferret.lmh.ox.ac.uk (qmailr@163.1.138.204)
by mail2.redhat.com with SMTP; 5 Aug 1998 16:04:42 -0000
Received: (qmail 1585 invoked by uid 504); 5 Aug 1998 16:04:40 -0000
Received: from localhost (sendmail-bs@127.0.0.1)
by localhost with SMTP; 5 Aug 1998 16:04:40 -0000
Date: Wed, 5 Aug 1998 17:04:40 +0100 (GMT)
From: Matthew Kirkwood <weejock@ferret.lmh.ox.ac.uk>
To: Jan Kasprzak <kas@informatics.muni.cz>
cc: linux-security@redhat.com
Subject: [linux-security] Re: Problem with TCP_wrappers
In-Reply-To: <199808051412.QAA02596@gloin.fi.muni.cz>
Message-ID: <Pine.LNX.3.96.980805170256.1154A-100000@ferret.lmh.ox.ac.uk>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Status: RO
On Wed, 5 Aug 1998, Jan Kasprzak wrote:
> When we are on this topic, I am still having problems with
> the "setenv" keyword in the hosts.{allow,deny}. It simply does not
> work for me. I have tried to use the "setenv" keyword for qmail's incoming
> mail:
>
> tcp-env: ALL@.local.domain : setenv RELAYCLIENT
We had this problem. Turns out to be a bug which RH thought they'd
squished in an update to 5.0, but the patch seemed to have gone astray.
There's an unofficial RPM which fixes this at:
ftp://ftp.uk.linux.org./pub/linux/alan/Security/
Matthew.
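For readers following the `setenv RELAYCLIENT` thread, here is an added example that is not tcp_wrappers code and was not posted by anyone in the thread: a stand-alone C re-implementation of the `setenv name [value]` option semantics that Wietse's patch gives the option (the value is optional and defaults to the empty string), written so that the null default never points at a string literal and so that an empty name is rejected up front instead of being left for setenv() to fail on. It also carries a small model of Jan's point that qmail appends RELAYCLIENT to the envelope recipient, which is why the value has to be empty. The function names (parse_setenv_option, apply_setenv_option, parses_to, relayed_recipient), the buffer sizes and the sample option strings are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Strip leading and trailing blanks in place (modelled on chop_string()). */
static char *chop_blanks(char *s)
{
    char *end;

    while (*s && isspace((unsigned char)*s))
        s++;
    end = s + strlen(s);
    while (end > s && isspace((unsigned char)end[-1]))
        *--end = '\0';
    return s;
}

/*
 * Parse the text after the "setenv" keyword into name and value.
 * A missing argument (NULL) is treated as "", as in Wietse's patch; an
 * empty name is rejected explicitly rather than left for setenv() to
 * fail on.  The value is everything after the first run of whitespace
 * and defaults to the empty string.  Returns 0 on success, -1 otherwise.
 * (Hypothetical name; not the tcp_wrappers function.)
 */
int parse_setenv_option(const char *arg, char *name, size_t name_sz,
                        char *value, size_t value_sz)
{
    char buf[256];                      /* private writable copy, never a literal */
    char *p, *v;

    if (arg == NULL)
        arg = "";
    if (strlen(arg) >= sizeof buf)
        return -1;
    strcpy(buf, arg);
    p = chop_blanks(buf);
    if (*p == '\0')
        return -1;                      /* "setenv" with no variable name */

    v = p + strcspn(p, " \t");          /* name ends at the first blank */
    if (*v != '\0')
        *v++ = '\0';
    v = chop_blanks(v);                 /* "" when no value was given */

    if (strlen(p) >= name_sz || strlen(v) >= value_sz)
        return -1;
    strcpy(name, p);
    strcpy(value, v);
    return 0;
}

/* Parse and export: what the option handler would do.  0 on success. */
int apply_setenv_option(const char *arg)
{
    char name[64], value[192];

    if (parse_setenv_option(arg, name, sizeof name, value, sizeof value) != 0)
        return -1;
    return setenv(name, value, 1) == 0 ? 0 : -1;
}

/* 1 if arg parses to exactly (exp_name, exp_value), else 0. */
int parses_to(const char *arg, const char *exp_name, const char *exp_value)
{
    char name[64], value[192];

    if (parse_setenv_option(arg, name, sizeof name, value, sizeof value) != 0)
        return 0;
    return strcmp(name, exp_name) == 0 && strcmp(value, exp_value) == 0;
}

/*
 * Why the value has to be empty: qmail appends RELAYCLIENT to the envelope
 * recipient.  Constructed illustration of that concatenation, not qmail
 * code; the result lives in a static buffer (NULL if it would not fit).
 */
const char *relayed_recipient(const char *rcpt, const char *relayclient)
{
    static char out[256];

    if (relayclient == NULL)
        relayclient = "";
    if (strlen(rcpt) + strlen(relayclient) >= sizeof out)
        return NULL;
    strcpy(out, rcpt);
    strcat(out, relayclient);
    return out;
}

int main(void)
{
    apply_setenv_option("RELAYCLIENT");      /* value defaults to "" */
    printf("RELAYCLIENT=\"%s\" -> %s\n", getenv("RELAYCLIENT"),
           relayed_recipient("user@example.com", getenv("RELAYCLIENT")));
    apply_setenv_option("RELAYCLIENT 1");    /* a non-empty value corrupts the address */
    printf("RELAYCLIENT=\"%s\" -> %s\n", getenv("RELAYCLIENT"),
           relayed_recipient("user@example.com", getenv("RELAYCLIENT")));
    return 0;
}
```

With the empty default, `setenv RELAYCLIENT` exports `RELAYCLIENT=` and the recipient stays `user@example.com`; with `setenv RELAYCLIENT 1` the modelled qmail behaviour turns it into `user@example.com1`, which is the failure Jan describes.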
From mail@mail.redhat.com Fri Aug 7 08:32:17 1998
Received: (qmail 3969 invoked from network); 7 Aug 1998 06:32:09 -0000
Received: from 3dyn62.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.104.62)
by mail2.redhat.com with SMTP; 7 Aug 1998 06:32:09 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id IAA22334
for <linux-security@redhat.com>; Fri, 7 Aug 1998 08:32:17 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id IAA00601
for linux-security@redhat.com; Fri, 7 Aug 1998 08:32:08 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Thu Aug 6 18:06:46 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id SAA28533
for <wolff@dutepp0.et.tudelft.nl>; Thu, 6 Aug 1998 18:03:09 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id RAA14442 for
<r.e.wolff@BitWizard.nl>; Thu, 6 Aug 1998 17:51:33 +0200
Received: (qmail 19836 invoked by uid 501); 6 Aug 1998 15:58:15 -0000
Received: (qmail 16772 invoked from network); 6 Aug 1998 15:55:57 -0000
Received: from nis.acs.uci.edu (root@128.200.16.34)
by mail2.redhat.com with SMTP; 6 Aug 1998 15:55:57 -0000
Received: from bingy.acs.uci.edu (bingy.acs.uci.edu [128.200.34.36]) by
nis.acs.uci.edu (8.8.8/) with SMTP id IAA24977; Thu, 6 Aug 1998 08:54:53 -0700
(PDT)
Sender: strombrg@hydra.acs.uci.edu
Message-ID: <35C9D1CC.5D86@hydra.acs.uci.edu>
Date: Thu, 06 Aug 1998 08:54:52 -0700
From: Dan Stromberg <strombrg@hydra.acs.uci.edu>
X-Mailer: Mozilla 3.0 (X11; I; SunOS 5.7 sun4u)
MIME-Version: 1.0
To: M Taylor <mctaylor@mta.ca>
CC: seifried <seifried@seifried.org>, linux-security@redhat.com
Subject: [linux-security] Re: IP Security for Linux (IPSec)
References: <3.0.5.16.19980806100653.2bffd374@mailserv.mta.ca>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-moderate: yes
Status: O
M Taylor wrote:
>
> At 01:02 PM 8/5/98 -0600, seifried wrote:
> >What is the status of IPSec for Linux (and more specifically RedHat)?
> >
> >Does RedHat have any official word on this? I know including IPSec
> >would be a pain in the butt, being that they are in the US (OpenBSD
> >moved their official head end distribution site to the local university,
>
> Try impossible. RedHat would not be able to export RedHat IPSec from
> US/Canada, without a license, which US Dept of Commerce BXA doesn't grant
> unless you're a bank (basically).
>
> But you could expect an rpm from replay.com. :)
>
> The OpenBSD project is based out of Canada, and so is not encumbered by the
> US's export laws.
>
> I'm surprised at the lack of excitement over IPSec for Linux, back when I
> first read (circa '96) John Gilmore's swan page I figured within a year it
> would be in common usage.
IPSEC isn't done being standardized yet. It would be reasonable to
track the standard, but it's also reasonable to wait until you aren't
implementing a moving target.
However, earlier today I saw the "post last call" internet draft
announced, so it shouldn't be long before IPSEC is finally an RFC.
Does Debian have enough volunteers/resources outside the US to fully
integrate an IPSEC implementation?
From mail@mail.redhat.com Sat Aug 8 22:28:21 1998
Received: (qmail 12871 invoked from network); 8 Aug 1998 20:28:34 -0000
Received: from 4dyn60.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.105.60)
by mail2.redhat.com with SMTP; 8 Aug 1998 20:28:34 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id WAA27167
for <linux-security@redhat.com>; Sat, 8 Aug 1998 22:28:21 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id WAA00472
for linux-security@redhat.com; Sat, 8 Aug 1998 22:28:12 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Sat Aug 8 09:34:00 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id JAA20265
for <wolff@dutepp0.et.tudelft.nl>; Sat, 8 Aug 1998 09:28:31 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id JAA15686 for
<r.e.wolff@BitWizard.nl>; Sat, 8 Aug 1998 09:16:53 +0200
Received: (qmail 1076 invoked by uid 501); 8 Aug 1998 07:28:25 -0000
Received: (qmail 1061 invoked from network); 8 Aug 1998 07:28:24 -0000
Received: from dlft1-p87.worldonline.nl (HELO jvelders.tn.tudelft.nl)
(root@195.241.134.87)
by mail2.redhat.com with SMTP; 8 Aug 1998 07:28:24 -0000
Received: from localhost (jpv@localhost [127.0.0.1]) by jvelders.tn.tudelft.nl
(8.8.7/8.8.3) with SMTP id JAA01107; Sat, 8 Aug 1998 09:28:03 +0200
Date: Sat, 8 Aug 1998 09:28:01 +0200 (CEST)
From: Jan-Philip Velders <jpv@jvelders.tn.tudelft.nl>
X-Sender: jpv@jp-gp.vsi.nl
To: linux-security@redhat.com
Subject: Apache bug, eats memory...
Message-ID: <Pine.LNX.3.96.980808091508.1028A-100000@jp-gp.vsi.nl>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-moderate: yes
Hi,
the following pieces of mail came by on BugTraq.
It appears that Apache (1.2.5 and 1.2.6 tested; 1.3 is vulnerable according
to Ben Laurie [Apache member]) doesn't handle the case where there are
a lot (say 10,000) of "User-Agent:" headers (other headers could also
work!).
An exploit with source code was posted on BugTraq.
Excerpts from the mail by <finrod@EWOX.ORG>:
| There seems to be a simple way of badly DoSing any Apache server. It
| involved a massive memory leak in the way it handles incoming request
| headers. I based my exploit on the assumption that they use setenv()
| (which they don't) and that the bug occurs when you send a header that
| will end up as an environment variable if you request a CGI script
| (such as User-Agent), but I have since verified that there is no
| connection there. Anyway, you can blow Apache through the roof by
| sending it tons of headers - the server's memory consumption seems to
| be a steep polynomial of the amount of data you send it. Below is a
| snapshot of top(1) about one minute after I sent my server a request
| with 10,000 copies of "User-Agent: sioux\r\n" (totalling 190,016 bytes
| of data)
|---cut---
| last pid: 29187; load averages: 1.82, 1.06, 0.68 18:21:36
| 82 processes: 2 running, 80 sleeping
| CPU states: 93.5% user, 0.0% nice, 6.1% system, 0.4% interrupt, 0.0% idle
| Mem: 82M Active, 5692K Inact, 31M Wired, 4572K Cache, 8349K Buf, 616K Free
| Swap: 512M Total, 402M Used, 110M Free, 79% Inuse, 5412K In, 748K Out
| PID USERNAME PRI NICE SIZE RES STATE TIME WCPU CPU COMMAND
| 29176 www -18 0 392M 85612K swread 0:57 6.83% 6.83% httpd
|---cut---
Ben Laurie (team Apache) <ben@ALGROUP.CO.UK> responded swiftly:
| And here's a band-aid for 1.3.1 - I'm sure we'll come up with something
| better soon. This (untested) patch should prevent the worst effects. A
| similar patch should work for 1.2.x.
He posted this band-aid:
Index: http_protocol.c
===================================================================
RCS file: /export/home/cvs/apache-1.3/src/main/http_protocol.c,v
retrieving revision 1.229
diff -u -r1.229 http_protocol.c
--- http_protocol.c 1998/08/06 17:30:30 1.229
+++ http_protocol.c 1998/08/07 23:02:56
@@ -714,6 +714,7 @@
int len;
char *value;
char field[MAX_STRING_LEN];
+ int nheaders=0;
/*
* Read header lines until we get the empty separator line, a read error,
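Review bot: Style only: `int nheaders=0;` sits among declarations such as `int len;` and `char *value;`, and the rest of this file puts spaces around `=` (see `r->status = HTTP_BAD_REQUEST;` below), so `int nheaders = 0;` matches the surrounding Apache style. A one-line comment saying this is the per-request count of header lines the loop below will accept would also help the next reader, since the comment above the loop does not mention the cap.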
@@ -723,6 +724,11 @@
char *copy = ap_palloc(r->pool, len + 1);
memcpy(copy, field, len + 1);
+ if(++nheaders == 100) {
+ r->status = HTTP_BAD_REQUEST;
+ return;
+ }
+
if (!(value = strchr(copy, ':'))) { /* Find the colon
separator */
r->status = HTTP_BAD_REQUEST; /* or abort the bad request
*/
return;
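Review bot: The `++nheaders == 100` test runs after `ap_palloc(r->pool, len + 1)` and `memcpy(copy, field, len + 1)`, so the line that trips the limit is still copied into the request pool before the request is refused; moving the check above the allocation avoids that work for exactly the requests this patch is meant to stop. The literal `100` should be a named constant (or a configurable directive) rather than a number in the loop body, and `>=` would be more robust than `==` if the increment is ever moved or duplicated in a later edit.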
I think this is worth patching ;-)
No reports so far about people using this in the "wild"...
Greetings,
Jan-Philip Velders
<jpv@jvelders.tn.tudelft.nl>
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
| Nederlandse Linux GebruikersGroep : http://www.nllgg.nl |
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
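The flood finrod describes (10,000 copies of "User-Agent: sioux\r\n", which with the request line is the 190,016 bytes he quotes) is easy to reproduce in memory and check against the kind of cap the band-aid introduces. The following is an added example, not Apache code and not from the original post: a minimal header-block reader in C that refuses a request once it exceeds a field count or a byte budget, checking the limits before anything is copied, run against constructed requests of 3, 100, 101 and 10,000 header lines. The 100-field limit is the patch's; the 8192-byte budget, the 413 status for an over-limit block, and the function names are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADER_FIELDS 100   /* the band-aid's limit on header lines */
#define MAX_HEADER_BYTES  8192  /* assumed cap on the whole header block */

enum { HDR_OK = 200, HDR_BAD_REQUEST = 400, HDR_TOO_LARGE = 413 };

/*
 * Walk the CRLF-terminated header lines after the request line until the
 * empty separator line.  Limits are checked before a line is accepted, so
 * nothing is allocated or stored for a request that will be refused.
 * Returns 200 if the block is acceptable, 400 if it is malformed
 * (unterminated, or a line without a ':'), 413 if a limit is exceeded.
 * If nfields is non-NULL it receives the number of accepted fields.
 * (Hypothetical name; not an Apache function.)
 */
int read_request_headers(const char *req, int *nfields)
{
    const char *p, *eol;
    size_t total = 0;
    int n = 0;

    eol = strstr(req, "\r\n");            /* skip the request line */
    if (eol == NULL)
        return HDR_BAD_REQUEST;
    p = eol + 2;

    for (;;) {
        eol = strstr(p, "\r\n");
        if (eol == NULL)
            return HDR_BAD_REQUEST;       /* header block never terminated */
        if (eol == p)
            break;                        /* empty line ends the headers */

        total += (size_t)(eol - p) + 2;
        if (total > MAX_HEADER_BYTES || ++n > MAX_HEADER_FIELDS)
            return HDR_TOO_LARGE;         /* refuse before copying anything */
        if (memchr(p, ':', (size_t)(eol - p)) == NULL)
            return HDR_BAD_REQUEST;       /* no "name: value" separator */
        p = eol + 2;
    }
    if (nfields != NULL)
        *nfields = n;
    return HDR_OK;
}

/* Constructed request with `copies` repeated User-Agent lines; caller frees. */
char *build_flood_request(int copies)
{
    const char *line = "User-Agent: sioux\r\n";
    size_t len = strlen(line);
    char *buf = malloc(32 + (size_t)copies * len);
    char *q;
    int i;

    if (buf == NULL)
        return NULL;
    q = buf + sprintf(buf, "GET / HTTP/1.0\r\n");
    for (i = 0; i < copies; i++, q += len)
        memcpy(q, line, len);
    strcpy(q, "\r\n");
    return buf;
}

/* Status the reader gives a flood of `copies` headers (-1 if malloc fails). */
int flood_status(int copies)
{
    char *req = build_flood_request(copies);
    int status;

    if (req == NULL)
        return -1;
    status = read_request_headers(req, NULL);
    free(req);
    return status;
}

int main(void)
{
    const int sizes[] = { 3, 100, 101, 10000 };
    size_t i;

    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%5d User-Agent lines -> %d\n", sizes[i], flood_status(sizes[i]));
    return 0;
}
```

The byte budget matters as much as the field count: a request with 100 very long header lines would pass the count alone, so a server that only counts fields (as the band-aid does) still accepts a header block of arbitrary size.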
From mail@mail.redhat.com Sat Aug 8 22:28:50 1998
Received: (qmail 12933 invoked from network); 8 Aug 1998 20:28:52 -0000
Received: from 4dyn60.delft.casema.net (HELO rosie.BitWizard.nl)
(root@195.96.105.60)
by mail2.redhat.com with SMTP; 8 Aug 1998 20:28:52 -0000
Received: from cave.BitWizard.nl (wolff@cave.BitWizard.nl [130.161.127.248])
by rosie.BitWizard.nl (8.8.5/8.8.5) with ESMTP id WAA27177
for <linux-security@redhat.com>; Sat, 8 Aug 1998 22:28:50 +0200
Received: (from wolff@localhost)
by cave.BitWizard.nl (8.8.8/8.8.8) id WAA00484
for linux-security@redhat.com; Sat, 8 Aug 1998 22:28:40 +0200
Received: from dutepp0.et.tudelft.nl
by rosie.BitWizard.nl (fetchmail-4.2.9 POP3 run by wolff)
Approved: R.E.Wolff@BitWizard.nl
for <wolff@localhost> (single-drop); Sat Aug 8 14:20:54 1998
Received: from ferryman.ocn.nl (root@ferryman.ocn.nl [193.78.195.1])
by dutepp0.et.tudelft.nl (8.8.8/8.8.8/CARDIT) with SMTP id OAA21983
for <wolff@dutepp0.et.tudelft.nl>; Sat, 8 Aug 1998 14:18:50 +0200 (MET
DST)
Received: from mail2.redhat.com (mail2.redhat.com [199.183.24.247]) by
ferryman.ocn.nl (8.6.13/8.6.9) with SMTP id OAA15786 for
<r.e.wolff@BitWizard.nl>; Sat, 8 Aug 1998 14:07:13 +0200
Received: (qmail 16237 invoked by uid 501); 8 Aug 1998 12:18:46 -0000
Received: (qmail 16225 invoked from network); 8 Aug 1998 12:18:45 -0000
Received: from nemo.mth.msu.edu (35.8.72.8)
by mail2.redhat.com with SMTP; 8 Aug 1998 12:18:45 -0000
Received: from chaos by nemo.mth.msu.edu (SMI-8.6/SMI-SVR4)
id IAA19363; Sat, 8 Aug 1998 08:18:44 -0400
Received: by chaos (SMI-8.6/Pan-1.0)
id IAA06753; Sat, 8 Aug 1998 08:18:42 -0400
Date: Sat, 8 Aug 1998 08:18:42 -0400
Message-Id: <199808081218.IAA06753@chaos>
From: "Sheldon E. Newhouse" <sen1@math.msu.edu>
To: linux-security@redhat.com
Subject: strange stuff from 'last'
X-moderate: yes
Hi,
Since upgrading from RH-4.2 to RH-5.1, I have regularly noticed the
following strange stuff appearing from last.
ing *4*** ************J\*@ Thu Aug 6 12:46 still logged in
\h*@*** otify ***@ Thu Aug 6 12:46 still logged in
\h*@**** otify ***@ Thu Aug 6 12:46 - 12:46 (00:00)
However notice that 'who' does not report this
lamm tty1 Aug 6 12:46
lamm ttyp2 Aug 6 12:47 (:0.0)
lamm ttyp4 Aug 6 15:05 (:0.0)
lamm ttyp5 Aug 6 14:21 (:0.0)
lamm ttyp9 Aug 6 23:06 (:0.0)
Reboots stop the problem for a while but then it reappears.
I also read that glibc has sometimes produced corruption in utmp. Do
others notice this strange output of 'last'? Is this a security issue or
more likely just growing pains for utmp and glibc?
Thanks for input,
-sen
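One way to answer the question above is to inspect the records directly rather than through the tools that print them: `last` reads the wtmp file and `who` reads utmp, so the two commands looking at different files is already enough to explain why one shows the garbage and the other does not. The following is an added example, not part of the message above: a C check that flags utmp-format records whose ut_user, ut_line or ut_host fields contain non-printable bytes, or whose ut_type is outside the range utmp(5) defines. It is run on two constructed records (one modelled on the normal `lamm ttyp2` line from the `who` output, one with junk bytes chosen to resemble the `ing *4*** ****J\*@` line) and, from main(), over /var/log/wtmp if that file is readable. The function names and the junk bytes are assumptions of this example.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <utmp.h>

#ifndef ACCOUNTING
#define ACCOUNTING 9   /* utmp(5) value; some libcs only expose it with _GNU_SOURCE */
#endif

/* 1 if a fixed-width field holds only printable bytes up to its first NUL. */
static int field_is_clean(const char *f, size_t size)
{
    size_t i;

    for (i = 0; i < size && f[i] != '\0'; i++)
        if (!isprint((unsigned char)f[i]))
            return 0;
    return 1;
}

/*
 * 0 if the record looks sane, else a bit mask of what is wrong:
 *   1 = ut_user contains non-printable bytes
 *   2 = ut_line contains non-printable bytes
 *   4 = ut_host contains non-printable bytes
 *   8 = ut_type outside the range utmp(5) defines
 */
int utmp_record_problems(const struct utmp *ut)
{
    int problems = 0;

    if (!field_is_clean(ut->ut_user, sizeof ut->ut_user)) problems |= 1;
    if (!field_is_clean(ut->ut_line, sizeof ut->ut_line)) problems |= 2;
    if (!field_is_clean(ut->ut_host, sizeof ut->ut_host)) problems |= 4;
    if (ut->ut_type < EMPTY || ut->ut_type > ACCOUNTING) problems |= 8;
    return problems;
}

/* Constructed sample resembling a normal login line from the `who` output. */
void sample_clean(struct utmp *ut)
{
    memset(ut, 0, sizeof *ut);
    ut->ut_type = USER_PROCESS;
    strncpy(ut->ut_user, "lamm", sizeof ut->ut_user - 1);
    strncpy(ut->ut_line, "ttyp2", sizeof ut->ut_line - 1);
    strncpy(ut->ut_host, ":0.0", sizeof ut->ut_host - 1);
}

/* Constructed sample with junk bytes like the "ing *4*** ****J\*@" line. */
void sample_garbled(struct utmp *ut)
{
    static const unsigned char junk[] = { 'i', 'n', 'g', ' ', 0x01, '4', 0x02,
                                          0x03, 0x1b, ' ', 0x7f, 0x80, 'J', '\\',
                                          0x05, '@', 0 };
    static const unsigned char line[] = { '\\', 'h', 0x01, '@', 0 };

    memset(ut, 0, sizeof *ut);
    ut->ut_type = USER_PROCESS;
    memcpy(ut->ut_user, junk, sizeof junk);   /* 17 bytes, fits in ut_user */
    memcpy(ut->ut_line, line, sizeof line);
}

/* Problem mask of sample 0 (clean) or sample 1 (garbled). */
int sample_problem_mask(int which)
{
    struct utmp ut;

    if (which == 0)
        sample_clean(&ut);
    else
        sample_garbled(&ut);
    return utmp_record_problems(&ut);
}

/*
 * Scan a wtmp/utmp-format file and return how many records fail the check
 * (-1 if the file cannot be opened).  Reading the records directly, rather
 * than trusting `last`, is the point: the garbage is in the file itself.
 */
int count_bad_records(const char *path)
{
    FILE *fp = fopen(path, "rb");
    struct utmp ut;
    int bad = 0;

    if (fp == NULL)
        return -1;
    while (fread(&ut, sizeof ut, 1, fp) == 1)
        if (utmp_record_problems(&ut) != 0)
            bad++;
    fclose(fp);
    return bad;
}

int main(void)
{
    printf("clean sample   -> mask %d\n", sample_problem_mask(0));
    printf("garbled sample -> mask %d\n", sample_problem_mask(1));
    printf("/var/log/wtmp  -> %d bad records\n", count_bad_records("/var/log/wtmp"));
    return 0;
}
```

A clean file returns 0 bad records; anything else is worth correlating with the times of reboots and of the upgrade, since a library bug writes junk at predictable moments while a tampered file does not.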