Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!news.cs.su.oz.au!floyd.sw.oz.au!usenet
From: Peter Clark <pjc@softway.com.au>
Newsgroups: comp.unix.bsd.bsdi.misc,comp.unix.bsd.misc,comp.security.unix
Subject: Re: *BSD* Security WWW/Mailing List?
Date: Mon, 21 Apr 1997 13:15:40 +1000
Organization: Softway Pty Ltd
Lines: 107
Message-ID: <335ADBDC.70D7@softway.com.au>
References: <3356E1CC.299E@softway.com.au> <335798C2.167EB0E7@FreeBSD.org> <DERAADT.97Apr18181055@zeus.pacifier.com> <5jdgaf$34i@cynic.portal.ca> <DERAADT.97Apr20113509@zeus.pacifier.com>
NNTP-Posting-Host: suede.sw.oz.au
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Mailer: Mozilla 3.01 (X11; I; SunOS 5.5.1 sun4m)
Xref: euryale.cc.adfa.oz.au comp.unix.bsd.bsdi.misc:6691 comp.unix.bsd.misc:3028 comp.security.unix:33779

Theo de Raadt wrote:
> 
> In article <5jdgaf$34i@cynic.portal.ca> cjs@cynic.portal.ca (Curt Sampson) writes:
> > In article <DERAADT.97Apr18181055@zeus.pacifier.com>,
> > Theo de Raadt <deraadt@theos.com> wrote:
> > 
> > > Yeah, FreeBSD has fixed a few holes.
> > 
> > As has OpenBSD. Although I notice your FTP server still has no way
> > of doing anonymous uploads that are secure from abuse by warez-traders.
> 
> Oh my, how relevant!
> 
> You've been looking at our ftp server source? We had a lot of fun
> fixing problems in there. About 6 people have worked in there. There
> were a lot of quirky bugs which might conceivably be used in bad ways.
> As well as the obvious security problem here or there, some nasty,
> some not.
> 
> Yeah, there are still bugs in our ftpd. Especially that horrible
> misuse of yacc and longjmp and the quirky lexer that, well, isn't
> really a normal lexer and.. but we think that quirk isn't a real
> hole, just a quirky command input bug. We tried to be as careful as
> we could be.
> 
> However the NetBSD ftpd and the entire rest of the NetBSD tree still
> appears to have NO checks for the ftp bounce problem. Even something
> so basic! And the source routing controls in the kernel appear
> completely insufficient compared to the threat. I could dump a large
> list of undealt problems here simply by listing problems discussed on
> bugtraq.
> 
> At this point I could probably bring up some biblical analogy about a
> very large piece of wood being stuck in your eye.
> 
> > But heck, let's spend our time making snide comments instead of
> > working to fix security problems and share the information so that
> > the fixes can be as widely distributed as possible.
> 
> Yes, Curt, that's exactly what you are doing!!!
> 
> I look forward to the day we are able to look at cvs logs for the
> NetBSD source tree! So that we can see some sharing of information
> from the other side, if you know what I mean.
> 
> In the meantime, anyone who is interested in the OpenBSD ftpd can do:
> 
>       setenv CVSROOT anoncvs@anoncvs.openbsd.org:/cvs
>       setenv CVS_RSH ssh
>       cvs get src/libexec/ftpd
>       cd src/libexec/ftpd
>       cvs log ftpd.c
> 
> Oh my god, there's a lot of fixes in there! Curt, you are
> `fictionalizing' when you make statements to suggest that members of
> the OpenBSD project are not "working to fix security problems" or do
> not "share the information". It's all there, anyone can read the
> diffs and logs. The fixes are there, and they are shared with the
> world.
> 
> To be read by ANYONE. EVERYONE. The information is all out there.
> 
> I know for a fact that a lot of crackers are looking at our diffs,
> because it often tells them how other systems are vulnerable. If
> anyone doesn't like this: Tough. Get with the times. The group you
> get your operating system from is being slack.
> 
> If that isn't the exact form of information sharing that you would
> like to see, please tell me what kind you want. Perhaps you'd like me
> to send mail to the NetBSD core group every day telling them of
> another hole they've not fixed.
> 
> "Hello, you've still not fixed port rebinding with less specific
> bindings, port 2049 is wide open for reuse and monitoring by any user
> -- I sure am glad I don't run your insecure operating system!"
> 
> "Hi! Me again! You wouldn't believe the things you can cause a
> portmap to do if you spoof packets. Don't your users run rpc
> services?"
> 
> Oh, and about "making snide comments". Oh ok, I'll admit it.
> Sometimes a snide comment or two helps to increase awareness. Curt,
> have fun fixing your ftpd. It certainly is a good place to start.
> And if reading our logs and diffs increases your awareness of the
> problems, please remember to give credit to the people who worked on
> ours, ok? When we got fixes from other people, we gave credit.
> -- 
> This space not left unintentionally unblank. deraadt@openbsd.org
> www.OpenBSD.org -- We're fixing security problems so you can sleep at night.
> (If it wasn't so fascinating I might get some sleep myself...)

So, the upshot of all of this shit is that there isn't a specific NetBSD
security mailing list? :-)

Thanks

Peter
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Peter Clark               http://www.softway.com.au
Security Engineer         Softway Pty Ltd
Phone: (+612) 9698 2322   Fax : (+612) 9699 9174
"If I can't be god, I don't wanna play."
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
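The "ftp bounce" check that Theo says the NetBSD ftpd of the time lacked, as an added illustration written for this archive page (it is not code from the thread nor from any BSD ftpd): the server honours a PORT command only if the requested data-connection address is the control connection's own peer and the port is outside the reserved range. The function names, the 1024 reserved-port boundary and the 10.0.0.5 sample client are assumptions made for the example.

```c
#include <stdio.h>
#include <stdint.h>

/* Parse the argument of an FTP PORT command, "h1,h2,h3,h4,p1,p2", into an
 * IPv4 address and TCP port in host byte order. Returns 1 on success, 0 on
 * any syntax error (wrong field count, field > 255, trailing garbage). */
int parse_port_arg(const char *arg, uint32_t *addr, uint16_t *port)
{
    unsigned v[6];
    char trailing;
    int n = sscanf(arg, "%u,%u,%u,%u,%u,%u%c",
                   &v[0], &v[1], &v[2], &v[3], &v[4], &v[5], &trailing);
    if (n != 6)                  /* fewer than 6 fields, or something after them */
        return 0;
    for (int i = 0; i < 6; i++)
        if (v[i] > 255)
            return 0;
    *addr = (uint32_t)v[0] << 24 | (uint32_t)v[1] << 16 | (uint32_t)v[2] << 8 | v[3];
    *port = (uint16_t)(v[4] << 8 | v[5]);
    return 1;
}

/* Bounce check: a PORT request is accepted only when it points back at the
 * host owning the control connection (ctrl_peer, host byte order) and at an
 * unprivileged port. A malformed argument is rejected rather than guessed. */
int port_cmd_allowed(const char *arg, uint32_t ctrl_peer)
{
    uint32_t addr;
    uint16_t port;
    if (!parse_port_arg(arg, &addr, &port))
        return 0;
    if (addr != ctrl_peer)
        return 0;                /* data connection to a third party: bounce */
    if (port < 1024)
        return 0;                /* reserved-port range (assumed boundary) */
    return 1;
}

int main(void)
{
    const uint32_t peer = 0x0A000005u;  /* constructed: control peer is 10.0.0.5 */
    printf("%d\n", port_cmd_allowed("10,0,0,5,4,1", peer));   /* 1: own host, port 1025 */
    printf("%d\n", port_cmd_allowed("10,0,0,6,4,1", peer));   /* 0: other host */
    printf("%d\n", port_cmd_allowed("10,0,0,5,0,25", peer));  /* 0: port 25 */
    return 0;
}
```

A real server would apply the same test to the address it receives over an EPRT command and log each rejection, since repeated rejections from one client are a useful detection signal.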