similar to: FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-12:04.sysret Security Advisory The FreeBSD Project Topic: Privilege escalation when returning from kernel Category: core Module: sys_amd64

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 7.1. The new list of supported branches is below and at < http://security.freebsd.org/ >. Users of FreeBSD 7.1 are advised to upgrade promptly to a newer release (most likely the recently announced FreeBSD 7.4)

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 7.1. The new list of supported branches is below and at < http://security.freebsd.org/ >. Users of FreeBSD 7.1 are advised to upgrade promptly to a newer release (most likely the recently announced FreeBSD 7.4)

Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 6.4 and FreeBSD 8.0. Since FreeBSD 6.4 was the last remaining supported release from the FreeBSD 6.x stable branch, support for the FreeBSD 6.x stable branch has also ended. The new list of supported branches is below and at < http://security.freebsd.org/ >.

Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 6.4 and FreeBSD 8.0. Since FreeBSD 6.4 was the last remaining supported release from the FreeBSD 6.x stable branch, support for the FreeBSD 6.x stable branch has also ended. The new list of supported branches is below and at < http://security.freebsd.org/ >.

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-EN-12:02.ipv6refcount Errata Notice The FreeBSD Project Topic: Reference count errors in IPv6 code Category: core Modules: sys_netinet sys_netinet6

Hi, This was the commit of SA-12:04.sysret to RELENG_7_4, which makes sense to me: http://svnweb.freebsd.org/base/releng/7.4/sys/amd64/amd64/trap.c?r1=216618&r2=236953 But when it was applied to RELENG_8_1, it looks wrong, as if it was applied in the wrong place. The indentation is broken, and the code inserted looks like it wouldn't be effective:

On a rather full customer web server, I am trying to track down whose web site script is trying to make outbound network connections when they should not be. In /etc/security/audit_control, I added to the flags line dir:/var/audit flags:lo,aa,-nt minfree:5 to log failed network connection. When I try an make an outbound connection to something that is blocked in pf, it seems to sometimes work.

I have a shell user who is able to login to his accounts via sshd on FreeBSD 8.2 using any password. The user had a .ssh/id_rsa and .ssh/id_rsa.pub key pair without a password but nullok was not specified, so I think this should be considered a bug. During diagnosis, /etc/pam.d/sshd was configured for authentication using: ------------- auth required pam_ssh.so

Greetings. Last year I completed a PAM module that provides single sign-on behavior for UNIX using SSH. Users are authenticated by decrypting their SSH private keys with the password provided (probably to XDM). In the PAM session phase, an ssh-agent process is started and any successfully decrypted private keys are added. Hence, users only type their logins and passwords once at the beginning

I've read about securelevel in the mailing list archive, and found some pitfalls (and seems to me to be discarded soon). But According to me, the following configuration should offer a good security: - mount root fs read only at boot; - set securelevel to 3; - do not permit to unmount/remount roots fs read-write (now it is possible by means of "mount -uw /"); - the only way to make

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, On June 30th, FreeBSD 7.2 will reach its End of Life and will no longer be supported by the FreeBSD Security Team. Users of this release are strongly encouraged to upgrade to FreeBSD 7.3 before that date; FreeBSD 7.3 will be supported until the end of March 2012. Please note that since FreeBSD 7.1 has been designated for

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, On June 30th, FreeBSD 7.2 will reach its End of Life and will no longer be supported by the FreeBSD Security Team. Users of this release are strongly encouraged to upgrade to FreeBSD 7.3 before that date; FreeBSD 7.3 will be supported until the end of March 2012. Please note that since FreeBSD 7.1 has been designated for

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 7.2. The new list is below and at <URL: http://security.freebsd.org/ >. Users of FreeBSD 7.2 are advised to upgrade promptly to a newer release, either by downloading an updated source tree and building updates

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, The branches supported by the FreeBSD Security Officer have been updated to reflect the EoL (end-of-life) of FreeBSD 7.2. The new list is below and at <URL: http://security.freebsd.org/ >. Users of FreeBSD 7.2 are advised to upgrade promptly to a newer release, either by downloading an updated source tree and building updates

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-12:08.linux Security Advisory The FreeBSD Project Topic: Linux compatibility layer input validation error Category: core Module: kernel

On which versions of FreeBSD is it now possible to un-reserve ports? ( I've been waiting for this since forever ... have spent countless days - $$$ - trying to install workarounds, only to junk them later. I've even been paid a consulting gig to develop this, and declined to deploy it on my own servers :-/ ) iang

yes unless you use the version as of :> 2004-03-02 17:24:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p1) check it out with uname -a if it does not say -p1 it affects you. My guess, you are affected :) cheers -- Kind regards, Remko Lodder Elvandar.org/DSINet.org www.mostly-harmless.nl Dutch community for helping newcomers on the hackerscene -----Oorspronkelijk bericht----- Van:

> What is in the pam.d/dovecot file? (Remember to strip passwords if > included) # cat /etc/pam.d/dovecot passdb { driver = pam # args = failure_show_msg=yes # args = max_requests=12 args = %s } and /etc/pam.d/{imap,pop3} were untouched; both as follows # # $FreeBSD: releng/10.3/etc/pam.d/pop3 170771 2007-06-15 11:33:13Z yar $ # # PAM configuration for the "pop3" service

Hello, last night, my chkrootkit crontab returned an alarm message : > Checking `lkm'... You have 1 process hidden for readdir command > You have 2 process hidden for ps command > Warning: Possible LKM Trojan installed Some research on google make me think it's probably a false positive. I tried few things : re-launching chkrootkit : "Checking `lkm'...