similar to: Reflections on Trusting Trust

We're being ping-flooded by the Nachi worm, which probes subnets for systems to attack by sending 92-byte ping packets. Unfortunately, IPFW doesn't seem to have the ability to filter packets by length. Assuming that I stick with IPFW, what's the best way to stem the tide? --Brett Glass

Is there any reason why releases have EoL dates after only 12 months? While it's clear that some sort of EoL is important, I can't think of any security advisories recently which weren't accompanied by patches for all the security branches, even those which are no longer officially supported. Colin Percival

It has come to my attention that there are quite a few local exploits circling around in the private sector for GID Games. Several of the games have vanilla stack overflows in them which can lead to elevation of privileges if successfully exploited.

Tobez: no disrespect intended, obviously you saw a problem with the master sites for perl 5.8.7 and did what you could to help, and with your position as a maintainer, I know that the trust we have in you and your patches is well earned, so don't take this question as anything but my well-earned paranoia rearing its ugly head: Yes, building perl5.8.7 did seem like it had a lot of problems

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375452423794&w=2 http://marc.theaimsgroup.com/?l=openbsd-misc&m=106375456923804&w=2 Does this affect FreeBSD? - -Justin -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.3 (FreeBSD) iD8DBQE/Z7QbdYQBw9Ox1VgRAsb2AJ0eZxI/s3Q5KJQxvgROLM8FnU1kiQCfSsma XcJ/R/6s9yQJwBTYDeWI2+Y= =BoVH

Hello Everyone! It has been my pleasure and privilege to serve as the FreeBSD Security Officer for the past 3+ years. With the crucial support of the FreeBSD Security Team members, a lot has been accomplished: hundreds of security issues have been researched and tracked, with some resulting in security advisories and patches; software in the Ports Collection are updated more quickly

Colleagues, one of my servers had to be rebooted uncleanly and then I have backgrounded fsck locked for more than an our in snaplk: 742 root 1 -4 4 1320K 688K snaplk 0:02 0.00% fsck_ufs File system in question is 200G gmirror on SATA. Usually making a snapshot (e.g., for making dumps) consumes 3-4 minutes for that fs, so it seems to me that filesystem is in a deadlock. Any

Hi, I have strange problem when booting FreeBSD-6.x in HP Proliant ML370 G4. The problem is "-" appears on the screen and it never boots unless somebody hits the "Enter" key. Sometimes even PS2 keyboard doesn't respond during that time. Tried with USB keyboard, same problem. The machine has dual Xeon 3.2 GHz, 1GB of RAM and LSI Logic (mpt-5.0.5.20.00 bios) LSI1030-IT

Why does GCC produce faster code using "-march=pentium2 -mtune=pentium4" on a Pentium 4 chip versus plain -march=pentium4? Try it... CPUTYPE=pentium2 CFLAGS+= -mtune=pentium4 COPTFLAGS+= -mtune=pentium4 -- BSD Podcasts @ http://bsdtalk.blogspot.com/

Seems our current libarchive? That support FreeBSD's tar implementation has a bug where it can create archives it cant read back. This can be seen by simply creating an empty tar.gz file and then trying to expand or list it. In doing the above you get the following error: tar: Unrecognized archive format: Inappropriate file type or format N.B. gtar can list and expand the created file

hi is there any way to build 4.8 release with this fstack protection? or atleast some ports is there any good info on this? the only page i found was that ibm page but it seemed outdated. //martin

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hello Everyone, On October 31st, FreeBSD 5.3 and FreeBSD 5.4 will have reached their End of Life and will no longer be supported by the FreeBSD Security Team. Users of either of those FreeBSD releases are strongly encouraged to upgrade to FreeBSD 5.5 or FreeBSD 6.1 before that date. In addition, the FreeBSD 6.0 End of Life is presently scheduled

currently i'm trying to setup diskless client, which netboots 6.1-PRERELEASE kernel with help of etherboot. i've built custom kernel with `sudo make -j4 buildkernel KERNCONF=DISKLESS CPUTYPE=pentium-mmx -DNO_MODULES' and attached config. kernell loads off tftp server fine, detecting devices, but traps, when trying to mount root fs from nfs server. i've managed to get copy of

Hello! My attempt to build openoffice.org-3 seems to be hanging. Pressing Ctrl-T produces: load: 0.11 cmd: tcsh 79759 [sleeping without queue] 0.00u 0.00s 0% 0k (tcsh is used by OOo's build-script). What is this "sleeping without queue" state, and why is process in it for so long? This is an 4-CPU amd64 system with 4Gb of RAM. Only 16% of the swap is currently in use and

I just updated to RELENG_7 from 6.2 and I'm running into some really annoying issues with jerky mouse movement and skipping sound. This seems to be similar to: Re: SCHED_4BSD in RELENG_7 disturbs workflow This happens both with 4BSD and ULE. I seems to happen when I'm compiling ports and a new cc/bzip2/sh process fires off (I'm just watching top), I'll get the skip/freezeup.

Hello One one of my stable machines I see these messages in /var/log/messages: Mar 3 18:37:41 kg-i82 kernel: 16.011e9e3975b3aa06 too long Mar 3 21:41:42 kg-i82 kernel: 16.016a24cf0742715c too long Mar 3 21:41:58 kg-i82 kernel: 15.feb784aee196608c too short Does anyone know hwat the messages mean, or which part of the kernel they are from? Googling didn't help me. The machine runs FreeBSD

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-07:01.jail Security Advisory The FreeBSD Project Topic: Jail rc.d script privilege escalation Category: core Module: etc_rc.d Announced:

In http://www.freebsd.org/releases/7.0R/announce.html says Updating Existing Systems > An upgrade of any existing system to FreeBSD 7.0-RELEASE constitutes > a major version upgrade, so no matter which method you use to update > an older system you should reinstall any ports you have installed on > the machine. This will avoid binaries becoming linked to inconsistent > sets

Hi there, I'm still running 6.2 on various servers without any tweaks (GENERIC kernel, binary updates via freebsd-update etc.) but lots of ports (apache, postgresql, diablo-jdk etc.) and would like to use stack smashing protection in order to harden my boxes and avoid many potential exploits. I've known about ProPolice/SSP for a while now (from the Gentoo world) and am aware that

We have 10 SuperMicro PDSMi+ 5015M-MTs that are panic'ing every few days. This started shortly after upgrade from 6.2-RELEASE to 6.3-RELEASE with freebsd-update. Other than switching to a debugging kernel, a little sysctl tuning, and patching with freebsd-update, they are stock. The debugging kernel was built from source that is also being patched with freebsd-update. These systems are