login
Search
Citing from http://www.dovecot.org/list/dovecot-news/2008-October/000089.html
-----
The invalid message address parsing bug is pretty important since it
allows a remote user to send broken mail headers and prevent the
recipient from accessing the mailbox afterwards, because the process
will always just crash trying to parse the header. This is assuming that
the IMAP client uses FETCH ENVELOPE command, not all do. Note that it
doesn't affect versions older than v1.1.4.
-----Currently, FreeBSD's Dovecot from ports is build from the 1.1.3 release
and I doubt that it will be upgraded to something <= 1.1.6, since 1.1.6Look at
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4907Possibly, the new VuXML entry can be added:
--- dovecot-08.11.2008.xml begins here ---
<vuln vid="">
<topic>dovecot -- invalid message address parsing bug</topic>
<affects>
<package>
<name>dovecot</name>
<name>dovecot-devel</name>
<range><ge>1.1.4</ge><lt>1.1.6</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Dovecot reports:</p>
<blockquote cite="http://www.dovecot.org/list/dovecot-news/2008-October/000089.html">
<p>
The invalid message address parsing bug is pretty
important since it allows a remote user to send broken
mail headers and prevent the recipient from accessing
the mailbox afterwards, because the process will always
just crash trying to parse the header. This is assuming
that the IMAP client uses FETCH ENVELOPE command, not
all do. Note that it doesn't affect versions older than
v1.1.4.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-4907</cvename>
<url>http://www.dovecot.org/list/dovecot-news/2008-October...
According the more complete list at
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4609
the latest rel. (FreeBSD 6.4/7.2, OpenBSD 4.4+) are not a affected.It seems if you run the latest versions of Free/OpenBSD you are fine.
olli
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
FYI.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Hi,
I am just new to the FreeBSD system and look forward to take active part in
contributing.Can someone please guide where can I find OCF source code in FreeBSD and
also is there IKE implementation and OpenSWAN ?Regards,
Raja
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Thank you so much for your responses. By "predetermined ", i meant the
challenges appear sequentially in decremented fashion, so are we aware of
any security hole with this. I ask this because usually the
challenge/response implementations consider generating random challenges( i
think here they have a weakness where the passphrase need to be in clear
text).My problem is to determine the best challenge/response implementation for
authenticating the clients.Please correct me if i missed something.
Thanks and Regards,
IvanOn Tue, Jul 8, 2008 at 5:00 PM, Peter Jeremy <peterjeremy@optushome.com.au>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Hi ,
As per suggestion, The following are the logs generated by racoon :
2007-11-17 13:46:19: INFO: @(#)ipsec-tools 0.6.6 (http://ipsec-tools.sourceforge.net)
2007-11-17 13:46:19: INFO: @(#)This product linked OpenSSL 0.9.7e-p1 25 Oct 2004 (http://www.openssl.org/)
2007-11-17 13:46:19: DEBUG: DN: C=XX
2007-11-17 13:46:19: DEBUG: DN: ST=XXX
2007-11-17 13:46:19: DEBUG: DN: L=XXXX
2007-11-17 13:46:19: DEBUG: DN: O=Resident
2007-11-17 13:46:19: DEBUG: DN: OU=Network
2007-11-17 13:46:19: DEBUG: DN: CN=YYY
2007-11-17 13:46:19: DEBUG: Parsed DN: C=XX, ST=XXX, L=XXXX, O=Resident, OU=Network, CN=YYY
2007-11-17 13:46:19: WARNING: racoon.conf:53: "support_mip6" it is obsoleted. use "support_proxy".
2007-11-17 13:46:19: DEBUG2: lifetime = 1800
2007-11-17 13:46:19: DEBUG2: lifebyte = 0
2007-11-17 13:46:19: DEBUG2: encklen=0
2007-11-17 13:46:19: DEBUG2: p:1 t:1
2007-11-17 13:46:19: DEBUG2: 3DES-CBC(5)
2007-11-17 13:46:19: DEBUG2: SHA(2)
2007-11-17 13:46:19: DEBUG2: 1024-bit MODP group(2)
2007-11-17 13:46:19: DEBUG2: RSA signatures(3)
2007-11-17 13:46:19: DEBUG2:
2007-11-17 13:46:19: DEBUG: hmac(modp1024)
2007-11-17 13:46:19: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2007-11-17 13:46:19: DEBUG2: parse successed.
2007-11-17 13:46:19: DEBUG: my interface: 202.70.87.123 (lnc0)
2007-11-17 13:46:19: DEBUG: my interface: fe80::1%lo0 (lo0)
2007-11-17 13:46:19: DEBUG: my interface: ::1 (lo0)
2007-11-17 13:46:19: DEBUG: my interface: 127.0.0.1 (lo0)
2007-11-17 13:46:19: DEBUG: configuring default isakmp port.
2007-11-17 13:46:19: DEBUG: 4 addrs are configured successfully
2007-11-17 13:46:19: INFO: 127.0.0.1[500] used as isakmp port (fd=4)
2007-11-17 13:46:19: INFO: ::1[500] used as isakmp port (fd=5)
2007-11-17 13:46:19: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2007-11-17 13:46:19: INFO: 202.70.87.123[500] used as isakmp port (fd=7)
2007-11-17 13:46:19: DEBUG: get pfkey X_SPDDUMP message
2007-11-17 13:46:19: DEBUG2:
02120000 170...
There is no way to deduce the next challenge from the current one. This
is documented in the opie(4) man page.Here's the only advisory I could find for OPIE:
OPIE cannot use random challenges, because one of the requirements is
that it should be possible to print a list of pre-generated responses.The advantage of OPIE over traditional passwords is that OPIE is not
vulnerable to replay attacks, but this is not as relevant these days as
it was back when S/Key (on which OPIE is based) was designed. ReplaySystems like OPIE, where the challenge is actually issued to the user
and not just to the user's software, require the user to have access to
a response calculator, or to carry a sheet of precalculated responses.
The former is difficult unless the users always log in from their own
desktop or laptop computer, and the latter is usually a bad idea since
someone might steel the sheet. On the bright side, it should be fairly
easy to write an OTP calculator that run on a cell phone, such as an
S60-based Nokia phones or an iPhone.I'd say that the only advantage of OPIE today is that it's free.
DES
--
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Just to clarify, I think you are trying to say the next response from the
current one, since the challenges are generated somehting like otp-md5 60
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Yes.
DES
--
Dag-Erling Smørgrav - des@des.no
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
-----BEGIN PGP SIGNED MESSAGE-----
These already exist for J2ME-enabled mobiles (which is most of them?):
There exist apps (i.e., browsers, FTP clients, mailers, etc) that
integrate OPIE and can transparently respond to challenges. The user just
puts in his password, and he doesn't worry about plaintext or OPIE or
whatever; the app just does the right thing. Fetch, an FTP client for the
Mac, is one such app.One could argue that this encourages users to just punch in their password
and not understand if it's going to go over the wire in the clear or be
used to answer a challenge, but it's very useful when you have users who
are incapable of making such distinction in the first place and you just
need to make sure their password is secure for _your_ service.-Jason
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)
Comment: See https://private.idealab.com/public/jason/jason.gpgiD8DBQFIc7+YswXMWWtptckRAoaAAJkBnis9pNHnwuXCc6zjqESrDh8zGwCfTYWC
41JZRoD12LhIpG3QK7cfhMU=
=w11K
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Thanks all for your valuable response.
Regards,
IvanOn Wed, Jul 9, 2008 at 12:57 AM, Jason Stone <freebsd-security@dfmm.org>
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Hi,
I don't see detail thing of this thread totally. I just found the
notify message type 0x1c, which is CERTIFICATE-UNAVAILABLE.
The point is that he got success with pre-shared key. I think that
the problem is probably that he uses a self-signed certificate,
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Some people should learn that an RFC has been published for NAT-T :-)
Ok, your racoon found "an acceptable proposal", even if DB's lifetime
is really shorter than peer's one.That means you're in CLAIN or OBEY checkmode. Those modes are well
known to generate as much problems as they solve, you should really
consider using exact or at least strict checkmode, and fix your
lifetime in your configuration (on the side you want, but have the
same lifetime on both peers).May be an INITIAL-CONTACT sent a bit too early, or may also be a
negociation related INFORMATIONAL message.
Could you do a network capture of a negociation, and have a look at
that message in a tool like wireshark, to have more details ?Really looks like the peer did not like the answer we sent, so did not
respond to it (or sent an informational which has not been handled).Fix your lifetimes, switch to strict checkmode, fix any other
negociation parameter which may generate an error now you're in strict
checkmode, and if that still don't work, have a look at the
INFORMATIONAL message sent by your peer, and/or have a look at any log
on your peer.Yvan.
--
NETASQ
http://www.netasq.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Hi,
I have checked with different mode that obey and found error no valid proposal and again i change lifetime too in bsd server. But I can't found where should i have to change those parameter in remote windows ipsec box.
Could you please suggest me.
Thankyou,
Regards,
JohnSome people should learn that an RFC has been published for NAT-T :-)
Ok, your racoon found "an acceptable proposal", even if DB's lifetime
is really shorter than peer's one.That means you're in CLAIN or OBEY checkmode. Those modes are well
known to generate as much problems as they solve, you should really
consider using exact or at least strict checkmode, and fix your
lifetime in your configuration (on the side you want, but have the
same lifetime on both peers).May be an INITIAL-CONTACT sent a bit too early, or may also be a
negociation related INFORMATIONAL message.
Could you do a network capture of a negociation, and have a look at
that message in a tool like wireshark, to have more details ?Really looks like the peer did not like the answer we sent, so did not
respond to it (or sent an informational which has not been handled).Fix your lifetimes, switch to strict checkmode, fix any other
negociation parameter which may generate an error now you're in strict
checkmode, and if that still don't work, have a look at the
INFORMATIONAL message sent by your peer, and/or have a look at any log
on your peer.Yvan.
--
NETASQ
http://www.netasq.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"---------------------------------
Get easy, one-click access to your favorites. Make Yahoo! your homepage.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, s...
You shouldn't have to change setup on both ends: you can just changes
values on one end (the BSD server) to match values of the other end.Acoording to the quick look I had at your previous dump and to my
memory (ok, so that's probably not exact :-), you should just have to
change lifetime to 28800 sec in remote section.Yvan.
--
NETASQ
http://www.netasq.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Hi,
I have change life time in both side i.e 28800 sec but unlucky again.
the following is the logs after change lifetime. comparision of lifetime is now
28800:288002007-11-20 20:27:12: DEBUG2: lifetime = 28800
2007-11-20 20:27:12: DEBUG2: lifebyte = 0
2007-11-20 20:27:12: DEBUG2: encklen=0
2007-11-20 20:27:12: DEBUG2: p:1 t:1
2007-11-20 20:27:12: DEBUG2: 3DES-CBC(5)
2007-11-20 20:27:12: DEBUG2: SHA(2)
2007-11-20 20:27:12: DEBUG2: 1024-bit MODP group(2)
2007-11-20 20:27:12: DEBUG2: RSA signatures(3)
2007-11-20 20:27:12: DEBUG2:
2007-11-20 20:27:12: DEBUG: hmac(modp1024)
2007-11-20 20:27:12: DEBUG: compression algorithm can not be checked because sadb message doesn't support it.
2007-11-20 20:27:12: DEBUG2: parse successed.
2007-11-20 20:27:12: DEBUG: my interface: 202.70.87.123 (lnc0)
2007-11-20 20:27:12: DEBUG: my interface: fe80::1%lo0 (lo0)
2007-11-20 20:27:12: DEBUG: my interface: ::1 (lo0)
2007-11-20 20:27:12: DEBUG: my interface: 127.0.0.1 (lo0)
2007-11-20 20:27:12: DEBUG: configuring default isakmp port.
2007-11-20 20:27:12: DEBUG: 4 addrs are configured successfully
2007-11-20 20:27:12: INFO: 127.0.0.1[500] used as isakmp port (fd=4)
2007-11-20 20:27:12: INFO: ::1[500] used as isakmp port (fd=5)
2007-11-20 20:27:12: INFO: fe80::1%lo0[500] used as isakmp port (fd=6)
2007-11-20 20:27:12: INFO: 202.70.87.123[500] used as isakmp port (fd=7)
2007-11-20 20:27:12: DEBUG: get pfkey X_SPDDUMP message
2007-11-20 20:27:12: DEBUG2:
02120000 17000100 01000000 ce020000 03000500 ff200000 10020000 cb5b82ad
00000000 00000000 03000600 ff200000 10020000 ca46577b 00000000 00000000
07001200 02000100 04400000 00000000 28003200 02020000 10020000 cb5b82ad
00000000 00000000 10020000 ca46577b 00000000 00000000 04000200 00000000
00000000 00000000 34f14247 00000000 34f14247 00000000 04000300 00000000
00000000 00000000 00000000 00000000 00000000 00000000
2007-11-20 20:27:12: DEBUG: get pfkey X_SPDDUMP message
2007-11-20 20:27:12: DEBUG2:
02120000 17000100 00000000 ce020000 03000500...
Do a tcpdump/wireshark and have a look at what's in that informational
message...Yvan.
--
NETASQ
http://www.netasq.com
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
Hi,
tcpdump shows only isakmp information , there is no information about esp and AH header.
08:05:55.761245 IP 202.70.87.123.isakmp > ws130173.corporate-access.com.isakmp: isakmp: phase 1 ? ident[E]
08:05:55.775403 IP 202.70.87.121 > 202.70.87.123: ICMP redirect ws130173.corporate-access.com to host ws130173.corporate-access.com, length 556
08:05:55.778172 IP 202.70.87.123.isakmp > ws130173.corporate-access.com.isakmp: isakmp: phase 1 ? ident[E]Regards,
JohnDo a tcpdump/wireshark and have a look at what's in that informational
message...Yvan.
--
NETASQ
http://www.netasq.com---------------------------------
Be a better sports nut! Let your teams follow you with Yahoo Mobile. Try it now.
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
I suggest you change the lifetime in racoon's config to 28800 seconds if
you cannot change it at the peer.
Aonther thing I'd check is encryption/hash algorithms. You'll probably
have the best compatibility if you change everything to 3DES-MD5.
--
Viele Gruesse // Best regards
Bjoern Engels
:wq!
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
For IKE have a look at:
http://www.freshports.org/security/ipsec-tools/Regards,
Janos Mohacsi
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
And http://www.freshports.org/security/racoon2/ can be
of interest too.
--
Eygene
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
| Greg KH | [GIT PATCH] driver core patches against 2.6.24 |
| Justin C. Sherrill | Re: pkgsrc bulk build and tiff |
| Jeremy Allison | Re: [RFC] Heads up on sys_fallocate() |
| Roland Dreier | Re: Integration of SCST in the mainstream Linux kernel |
| Matt Thomas | Re: Add a MAP_ALIGNED flag for mmap(2). |
| Vsevolod Stakhov | Unicode support in iso9660. |
| Jaromir Dolecek | Re: Speeding up fork/wait path |
| matthew green | re: merge of freebsd eventhandler |
git: | |
| Petr Janda | KDE and OpenSSL = Broken |
| sam | Re: Loader not found |
| Erick Perez | Re: dragonfly pdf documentation |
| Michel Talon | Re: Compatability with FreeBSD Ports [debian package tools] |
