similar to: Any status on timestamp vulnerability fix for 4.X?

Hello security gurus, yesterday, I mistakenly posted a question on the questions list about this article : http://www.securityfocus.com/bid/13676/info/ which talks about a form of DOS vulnerability. I was curious as to the possibility of FreeBSD 5.x being affected, and if anyone was working on this or not. Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch : in

On May 19, 2005, at 5:53 AM, Christian Brueffer wrote: > Hi, > > fixes for the vulnerability described in http://www.kb.cert.org/ > vuls/id/637934 > were checked in to CURRENT and RELENG_5 by ps in April. > > http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/netinet/tcp_input.c > > Revisions 1.270 and 1.252.2.16 > > He didn't commit it to RELENG_5_4 for some

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:08.kmem Security Advisory The FreeBSD Project Topic: Local kernel memory disclosure Category: core Module: sys Announced: 2005-05-06

Hello List, I know FreeBSD 4.x is old..., but we are using on a production system with postgres and apache. The above message is appearing periodically. I googled for the message but found no recommendation for adjusting it. Any suggestions. Thanks, Steve -- "They that give up essential liberty to obtain temporary safety, deserve neither liberty nor safety." (Ben Franklin)

I'm setting up a server where I plan to use Jails to improve security I also have installed and am configuring ipfilter. Here are my questions: Because I'm using Jails, I will have to have multiple ip aliases on the network interface. I will use ipfilter to specify what can go to each of the addresses. (e.g., allow only incoming to port 80 on the jail running apache). Another

Hello I'm a bit confused about the "tcp time stamp validation bug" mentioned in the http://www.kb.cert.org/vuls/id/637934 advisory. FreeBSD has fixed this issue in -current (2005-04-10) and in RELENG_5 (2005-04-19). Is this also already fixed in 5.4? The CVS ID for tcp_input.c does not look like this. But I'm not sure. Regards, Thomas

I'm thinking of using jails to improve security on a server I am setting up. Specifically, I would like to put Apache/PHP in a jail, but I might like to set up 2-3 different jails for different purposes. I've found several examples showing how to set the jails up. My questions involve system requirements. Assuming plenty of disk space, 1GB ram and a dual processor PIII 1.13Ghz

hi i've got the the problem that i can't su -l <someone> an my client machine. $ su -l admin su: no directory i can login locally, login via ssh, su -l root without any problems. SERVER: FreeBSD4.8 stabel (~ 1 week ago last cvs update) runs NIS, NFS, DNS, FTP, SAMBA, NTP CLIENT> FreeBSD5.1 release (rebuild kernel using KERNCONF=SMP) i didn't had problems with have

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-04:04.tcp Security Advisory The FreeBSD Project Topic: many out-of-sequence TCP packets denial-of-service Category: core Module: kernel

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:02.sendfile Security Advisory The FreeBSD Project Topic: sendfile kernel memory disclosure Category: core Module: sys_kern Announced:

I was wondering if there's any non-executable stack patch for FreeBSD's kernel. I searched in google but all I got was some questions in freebsd-security back from 2001 and an answer saying someone heard about a project like this, but no information at all. Is there any patch like PaX or Openwall available for FreeBSD? I dont want to discuss if its useless or not since there're a

hi is there any way to build 4.8 release with this fstack protection? or atleast some ports is there any good info on this? the only page i found was that ibm page but it seemed outdated. //martin

I get the above panic after nfs clients attach to this nfs server and being read/write ops on it after an unclean shutdown. I've fsck'ed the fs, and it marks it as clean, but I get this every time. It's an NFS share of a GEOM stripe (about 2TB). mode = 0100600, inum = 58456203, fs = /mnt panic: ffs_valloc: dup alloc I do have dumps from two crashes so far. This is

Hi , I have posted DTrace script to snoop tcp traffic and also provided a wrapper script for it to filter out unwanted traffic. http://blogs.sun.com/roller/comments/raviswam/Weblog/tcp_snoop_using_dtrace Please let me know if you have any feedback/comments on this. Thanks Ravi

To much of my dissapointment, the uptime on my TxD account does not improve. What alternatives do we have for hosting Rails projects on shared accounts? I would love to keep lighttpd and the level of control I have on TxD but wouldn''t like to spend much more (I am currently on the 25$/month plan). I won''t need much support, but I would love to have subversion

i''m using the following probe to calculate how many bytes are being written by tcp write calls, by process and total: fbt:ip:tcp_output:entry { this->tcpout_size = msgdsize(args[1]); @tcpout_size[execname] = sum(this->tcpout_size); @tcpout_size["TOTAL_TCP_OUT"] = sum(this->tcpout_size); } I run this probe for N seconds. I suppose that if i get the

Box with fresh RELENG_7 panic under heavy network load (more than 50k connections). This panics seems to be senfile(2) related, because when sendfile disabled in nginx, I can't reproduce the problem. Backtrace in all cases like this: # kgdb kernel /spool/crash/vmcore.1 GNU gdb 6.1.1 [FreeBSD] Copyright 2004 Free Software Foundation, Inc. GDB is free software, covered by the GNU General

Hi, I've encountered a strange problem while using FreeBSD 6.0 for our local mirror (mirror.math.uni-bielefeld.de) and thus is providing access via ftp, http, rsync and cvsup (all local and remote). The system crashes periodically with a kernel panic (panic: sbdrop). The uptimes between two crashes are going from a few hours to a few weeks. The system is a i386, Intel Pentium 4 based with

Gang, For months now, we're all seeing repeated bruteforce attempts on SSH. I've configured my pf install to ratelimit TCP connections to port 22 and to automatically add IP-addresses that connect too fast to a table that's filtered: table <lamers> { } block quick from <lamers> to any pass in quick on $ext_if inet proto tcp from any to ($ext_if) port 22 modulate

this is 6.0-STABLE as for Mar 17. KDB: debugger backends: ddb KDB: current backend: ddb Copyright (c) 1992-2006 The FreeBSD Project. Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994 The Regents of the University of California. All rights reserved. FreeBSD 6.1-PRERELEASE #2: Fri Mar 17 11:05:32 UTC 2006 vlad@host:/usr/src/sys/amd64/compile/DEF_WEB Timecounter