similar to: freebsd-security Digest, Vol 187, Issue 4

Hi! I ran into a problem with programs exec:ed by print/acroread8 picking up Linux libraries and thus failed to run. This includes the print program in the print dialogue and the browser configured in edit/preferences/internet. The reason is that the acroread launch script sets LD_LIBRARY_PATH which is propagated to its childs. See this PR:

On Nov 4, 2006, at 8:30 AM, Wesley Shields <wxs@atarininja.org> wrote: > > On Fri, Nov 03, 2006 at 07:54:59AM -0800, Ricardo A. Reis wrote: > [...] >> In the II COLARIS - Joanna Rutkowska alert the possible >> new technology of Malware's using hardware virtualization, present >> in AMD and INTEL new processor. >> >> I've two questions ...

Hi, during some big discussions in the last monts on various lists, one of the problems was that some people would like to use freebsd-update but can't as they are using a custom kernel. With all the kernel modules we provide, the need for a custom kernel should be small, but on the other hand, we do not provide a small kernel-skeleton where you can load just the modules you need.

Hi Colin! I would like to know, that these following "vulnerabilities" does affect FreeBSD's reliability? If the answer is "yes", what version of FreeBSD affected, when will be fixed, etc. http://projects.info-pull.com/moab/MOAB-12-01-2007.html http://projects.info-pull.com/moab/MOAB-10-01-2007.html Thank you! -- kobi

In my recent security email, I got the following errors: cantona.dnswatchdog.com login failures: Aug 20 02:37:19 cantona sshd[9444]: fatal: Write failed: Operation not permitted Aug 20 04:30:42 cantona sshd[16142]: fatal: Write failed: Operation not permitted Aug 20 21:21:51 cantona sshd[45716]: fatal: Write failed: Operation not permitted So three questions: What is it? Should I be worried?

Hello, I have written this tiny little patch to the jail rc.d script, which allows user to set jail nice value. It doesn't change any default behaviour. Can that make it to the trees? Patch attached. -- Jan Srzednicki :: http://wrzask.pl/ "Remember, remember, the fifth of November" -- V for Vendetta -------------- next part

Hello, I have written this tiny little patch to the jail rc.d script, which allows user to set jail nice value. It doesn't change any default behaviour. Can that make it to the trees? Patch attached. -- Jan Srzednicki :: http://wrzask.pl/ "Remember, remember, the fifth of November" -- V for Vendetta -------------- next part

Hello, I think there was already a thread on this. I just want to raise the question again if anyone has successfully booted an gdbe-encrypted filesystem (everything encrypted except the bootloader). The passphrase is entered at the bootloader prompt or embedded in the bootloader. I appreciate any tips. Thanks, - ronnel

Hello, I'm was looking through handbook and wikipedia and it appears FreeBSD doesn't support hardware (nor software) nx bit. There also doesn't seem to be any support for TPM (Trusted Platform Module). I was wondering if it is due to a general lack of interest and/or personal preference (gcc?) or are there other issues. The reason I'm asking is I'm currently doing a MSc degree

I have FreeBSD-6.1 and it appears the default installation has a full complement of Kerberos5. But, /usr/src/kerberos5/README states: This subtree is world-exportable, as it does not contain any cryptographic code. At the time of writing, it did not even contain source code, only Makefiles and headers. Please maintain this "exportable" status quo. Thanks!

Hello. Has anyone here ever successfully set up a jail for X apps, connecting to an external X server? I'm trying an experimental sandbox setup here. I have a jail running on an aliased IP on my local machine and X programs connect out of the jail to my local X server via an SSH tunneled TCP connection. All other packets to and from the jail are denied by the packet filter. The trouble I am

Hi security@ list, In my self written, large ipfw rule set, I had something that passed http to allow me to browse most but not all remote sites. For years I assumed the few sites I had difficulty with were cases pppoed MTU != 1500, from not having installed tcpmssd on my 4.*-RELEASE, but then running 6.1-RELEASE I realised that wasn't the problem. http://www.web.de Still failed, &

Max Okumoto <okumoto@ucsd.edu> wrote: [CC changed to freebsd-security instead of the cvs list] We're talking about replacing the home-grown mkfifo() funktion in make (a modified copy of mkstemp()) with mkdtemp() and creating the fifo in this new directory. Max worries about a possible race with this new approach. > Its not a race between two nice programs :-) The function

http://wiki.freebsd.org/JailResourceLimits Is this anthing people are working on? Is it on its way to RELENG_7? Is there a 7-version of the patch or anything? This would be a _VERY_ useful feature. -- Peter Ankerst?l peter@pean.org

550.ipfwlimit check in /etc/periodic/security takes into account only global/default verbosity limit and does not account for a specific logging limit set for a particular rule e.g.: $ ipfw -a l | fgrep log 65000 *521* 41764 deny log logamount *1000* ip from any to any $ sysctl -n net.inet.ip.fw.verbose_limit *100* >From security run output: ipfw log limit reached: 65000 519

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-07:01.jail Security Advisory The FreeBSD Project Topic: Jail rc.d script privilege escalation Category: core Module: etc_rc.d Announced:

or "How do I know my copy of FreeBSD is the same as yours?" I have recently been meditating on the issue of validating X.509 root certificates. An obvious extension to that is validating FreeBSD itself. Under "The Cutting Edge", the handbook lists 3 methods of synchronising your personal copy of FreeBSD with the Project's copy: Anonymous CVS, CTM and CVSup. There are

Hello, I've been looking at the different MAC modules available and how they cold help to implement a less insecure than usual shared hosting web server. I've not been able to come up with a suitable configuration, looking at mac_bsdextended, mac_biba and mac_mls, but I think that a MAC module with the following policies could be very useful for such an environment. Have I

Hi, I have tried to enable IPSec support for my FreeBSD( 4.11-RELEASE) system. First, I copied the generic kernel configuration file to a file I called MYKERNEL: #cp /usr/src/sys/i386/conf/GENERIC /usr/src/sys/i386/conf/MYKERNEL Then, I added the following three lines to the options section of /usr/src/sys/i386/conf/MYKERNEL: options IPSEC options IPSEC_ESP options

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, On October 31st, FreeBSD 5.3 and FreeBSD 5.4 will have reached their End of Life and will no longer be supported by the FreeBSD Security Team. Users of either of those FreeBSD releases are strongly encouraged to upgrade to FreeBSD 5.5 or FreeBSD 6.1 before that date. In addition, the FreeBSD 6.0 End of Life is presently scheduled