*BSD News Article 94013


Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!floyd.sw.oz.au!usenet
From: Peter Clark <pjc@softway.com.au>
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: Mon, 21 Apr 1997 13:15:40 +1000
Organization: Softway Pty Ltd
Lines: 107
Message-ID: <335ADBDC.70D7@softway.com.au>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@FreeBSD.org>
		<DERAADT.97Apr18181055@zeus.pacifier.com> <5jdgaf$34i@cynic.portal.ca> <DERAADT.97Apr20113509@zeus.pacifier.com>
NNTP-Posting-Host: suede.sw.oz.au
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5.1 sun4m)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6691 comp.unix.bsd.misc:3028 comp.security.unix:33779

Theo de Raadt wrote:
> 
> In article <5jdgaf$34i@cynic.portal.ca> cjs@cynic.portal.ca (Curt Sampson) writes:
> 
>    In article <DERAADT.97Apr18181055@zeus.pacifier.com>,
>    Theo de Raadt <deraadt@theos.com> wrote:
>    >
>    >Yeah, FreeBSD has fixed a few holes.
> 
>    As has OpenBSD. Although I notice your FTP server still has no way
>    of doing anonymous uploads that are secure from abuse by warez-traders.
> 
> Oh my, how relevant!
> 
> You've been looking at our ftp server source?  We had a lot of fun
> fixing problems in there.  About 6 people have worked in there.  There
> were a lot of quirky bugs which might conceivably be used in bad ways.
> As well as the obvious security problem here or there, some nasty,
> some not.
> 
> Yeah, there are still bugs in our ftpd.  Especially that horrible
> misuse of yacc and longjmp and the quirky lexer that, well, isn't
> really a normal lexer and..  but we think that quirk isn't a real
> hole, just a quirky command input bug.  We tried to be as careful as
> we could be.
> 
> However the NetBSD ftpd and the entire rest of the NetBSD tree still
> appears to have NO checks for the ftp bounce problem.  Even something
> so basic!  And the source routing controls in the kernel appear
> completely insufficient compared to the threat.  I could dump a large
> list of undealt problems here simply by listing problems discussed on
> bugtraq.
> 
> At this point I could probably bring up some biblical analogy about a
> very large piece of wood being stuck in your eye.
> 
>    But heck, let's spend our time making snide comments instead of
>    working to fix security problems and share the information so that
>    the fixes can be as widely distributed as possible.
> 
> Yes, Curt, that's exactly what you are doing!!!
> 
> I look forward to the day we are able to look at cvs logs for the
> NetBSD source tree!  So that we can see some sharing of information
> from the other side, if you know what I mean.
> 
> In the meantime, anyone who is interested in the OpenBSD ftpd can do:
> 
> setenv CVSROOT anoncvs@anoncvs.openbsd.org:/cvs
> setenv CVS_RSH ssh
> cvs get src/libexec/ftpd
> cd src/libexec/ftpd
> cvs log ftpd.c
> 
> Oh my god, there's a lot of fixes in there!  Curt, you are
> `fictionalizing' when you make statements to suggest that members of
> the OpenBSD project are not "working to fix security problems" or do
> not "share the information".  It's all there, anyone can read the
> diffs and logs.  The fixes are there, and they are shared with the
> world.
> 
> To be read by ANYONE.  EVERYONE.  The information is all out there.
> 
> I know for a fact that a lot of crackers are looking at our diffs,
> because it often tells them how other systems are vulnerable.  If
> anyone doesn't like this: Tough.  Get with the times.  The group you
> get your operating system from is being slack.
> 
> If that isn't the exact form of information sharing that you would
> like to see, please tell me what kind you want.  Perhaps you'd like me
> to send mail to the NetBSD core group every day telling them of
> another hole they've not fixed.
> 
> "Hello, you've still not fixed port rebinding with less specific
> bindings, port 2049 is wide open for reuse and monitoring by any user
> -- I sure am glad I don't run your insecure operating system!"
> 
> "Hi!  Me again!  You wouldn't believe the things you can cause a
> portmap to do if you spoof packets. Don't your users run rpc
> services?"
> 
> Oh, and about "making snide comments".  Oh ok, I'll admit it.
> Sometimes a snide comment or two helps to increase awareness.  Curt,
> have fun fixing your ftpd.  It certainly is a good place to start.
> And if reading our logs and diffs increases your awareness of the
> problems, please remember to give credit to the people who worked on
> ours, ok?  When we got fixes from other people, we gave credit.
> --
> This space not left unintentionally unblank.            deraadt@openbsd.org
> www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
> (If it wasn't so fascinating I might get some sleep myself...)


So, the upshot of all of this shit is that there isn't a specific NetBSD
security mailing list? :-)

Thanks
Peter
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Peter Clark                     http://www.softway.com.au
Security Engineer                
Softway Pty Ltd
Phone: (+612) 9698 2322
Fax  : (+612) 9699 9174
"If I can't be god, I don't wanna play."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-