[15098] in bugtraq

Re: New OpenBSD patches

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Mon May 29 16:45:20 2000

Message-Id:  <200005290109.e4T19hD01522@cvs.openbsd.org>
Date:         Sun, 28 May 2000 19:09:43 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         trott@SLOWPOISONERS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Sun, 28 May 2000 10:06:20 PDT." 
              <Pine.BSO.4.10.10005280937060.21758-100000@www>

> Disclaimer:  I am not an OpenBSD developer; I'm just a user.
>
> There were two security patches released for OpenBSD 2.6 on May 25.  From
> http://www.openbsd.org/errata26.html:
>
> -----
>
> 023: SECURITY FIX: May 25, 2000
>       A misuse of ipf(8) keep-state rules can result in firewall rules
> being bypassed. This patch also includes fixes for an unaligned timestamp
> issue, and reliability fixes for ipmon and the in-kernel ftp proxy.  A
> jumbo patch exists, which remedies this problem, and updates ipf to
> version 3.3.16.

It's a funny security problem.  You have to misconfigure ipf to run
into this problem.  This problem has already been talked about on
BUGTRAQ, since it affects many operating systems.

> 022: SECURITY FIX: May 25, 2000
>       xlockmore has a localhost attack against it which allows recovery of
> the encrypted hash of the root password. The damage to systems using DES
> passwords from this attack is pretty heavy, but to systems with a
> well-chosen root password under blowfish encoding (see crypt(3)) the
> impact is much reduced.  (Aside: We do not consider this a localhost root
> hole in the default install, since we have not seen a fast blowfish
> cracker yet ;-)
>       A source code patch exists, which remedies this problem.

This has not been reported yet for a funny reason.  It affects a wide
variety of operating systems -- but as I describe, as far as I know
all other systems using xlockmore fare worse than we do.  I've been
waiting for NAI to publish about it, but in the meantime a patch is
available.  I really did not want to steal their thunder, but we had
this patch quite a while back.

> I have no idea if these issues are present in these programs on other
> operating systems (*BSD, Linux, *nix...) or if they are OpenBSD-specific.
>
> (OpenBSD, to my knowledge, doesn't announce their patches anywhere except
> on their Web page.  Users appear to be expected to either check the Web
> page frequently, track the development tree, or use some other mechanism
> to keep abreast of patches.  This is not a complaint on my part; this is
> merely an explanation as to why I'm posting this to Bugtraq.)

I agree that we should do something more about it.  I have only one
defense.  It would be a list we wouldn't need to post to often ;-)
