BSDCan 2004 was an enormously successful grass-roots style
conference. It brought together a great mix of *BSD developers and
users for a nice blend of both developer-centric and user-centric
presentations, food, and activities. Based upon that accomplishment,
planning for the next event began shortly thereafter.

BSDCan 2005 will be held May 13-14, 2005, in Ottawa. We are now
requesting proposals for papers.

The papers should be written with a very strong technical content
bias. Papers and proposals of a business development or marketing
nature are not appropriate for this venue.

The schedule is:

19 Dec 2003 Proposals acceptance begins
19 Jan 2003 Proposals acceptance ends
19 Feb 2003 Confirmation of accepted proposals
19 Mar 2004 Abstracts due
19 Apr 2004 Formatted final papers must arrive no later than this date

Please submit all proposals to papers@bsdcan.org

NOTE: This is the schedule for formal papers. We are also accepting
submissions for talks and presentations. If you have a proposal,
please contact us on papers@bsdcan.org.

--
Dan Langille : http://www.langille.org/
BSDCan - The Technical BSD Conference - http://www.bsdcan.org/
April 1, 2002
"Microsoft to base next generation OS on OpenBSD"
In a surprising development Microsoft stated today that it would
not be using the eight year old NT kernel in its next generation
operating system. The new system, to be called Windows BSD, will
be based around the freely available OpenBSD operating system.

Microsoft's Steve Ballmer had the following to say: "As part of our
new commitment to security, we are developing the next Windows
product based upon OpenBSD. We feel that OpenBSD's security record
fits well with our new proactive security model. Furthermore, we
fully approve of the BSD license and encourage developers to continue
to write similarly-licensed code and avoid the infernal GNU GPL."
When asked whether the decision to base the new Windows operating
system on OpenBSD had anything to do with the success of Apple's
BSD-based OS X, Ballmer exclaimed "There's nothing those Mac people
can do that we can't do better. Microsoft has a long history with
Unix-like systems, dating back from our original development of
Xenix. We are dedicated to providing the Windows experience to
Unix on the desktop."

And it is not just the desktop that is the target of the new OS.
As servers have traditionally been Unix's strong point, Microsoft
sees a bright future for Windows BSD, Server Edition. One of the
first tests of Windows BSD Server will be running on Microsoft's
Hotmail servers, a trial by fire that always left Windows NT a bit
scorched. Said de Raadt "We are confident that Windows BSD can
more than hold its own in the server arena. Indeed, we expect
it to become the benchmark against which all others are judged."

OpenBSD founder and project lead Theo de Raadt will be relocating
from Calgary, Canada to Redmond, Washington to oversee the new
endeavor. When asked if he felt he was selling out, de Raadt replied
with characteristic aplomb "I've dedicated my life to free software,
it's about time I got something in return." Other OpenBSD developers
will likely b...
1. Versions affected:

All versions of OpenSSH's sshd between 2.9.9 and 3.3
contain an input validation error that can result in
an integer overflow and privilege escalation.

OpenSSH 3.4 and later are not affected.

OpenSSH 3.2 and later prevent privilege escalation
if UsePrivilegeSeparation is enabled in sshd_config.
OpenSSH 3.3 enables UsePrivilegeSeparation by
default.

Although OpenSSH 2.9 and earlier are not affected,
upgrading to OpenSSH 3.4 is recommended, because
OpenSSH 3.4 adds checks for a class of potential bugs.

2. Impact:

This bug can be exploited remotely if
ChallengeResponseAuthentication is enabled in sshd_config.

Affected are at least systems supporting
s/key over SSH protocol version 2 (OpenBSD, FreeBSD
and NetBSD as well as other systems supporting
s/key with SSH). Exploitability of systems
using PAM in combination has not been verified.

3. Short-Term Solution:
Disable ChallengeResponseAuthentication in sshd_config.
or
Enable UsePrivilegeSeparation in sshd_config.
4. Solution:
Upgrade to OpenSSH 3.4 or apply the following patches.
5. Credits:
ISS.
Appendix:
A:
Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
+++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
+ if (nresp > 100)
+ fatal("input_userauth_info_response: nresp too big %u", nresp);
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)B:
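Review bot: The limit in `if (nresp > 100)` is a bare magic number with no comment on why 100 responses is enough; a named constant would make the bound auditable, and since `nresp` comes straight from `packet_get_int()` it would be tighter still to compare it against the number of prompts that were actually sent, if that count is reachable here. The `xmalloc(nresp * sizeof(char*))` below is only safe because of this cap, so a comment tying the two together would help the next reader.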
Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r...
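The integer overflow named in section 1 of the advisory above, worked through as an added example (not OpenSSH code): the size that `nresp * sizeof(char*)` yields on a 32-bit target is shown next to a hardened allocation. The helper names, the 4-byte pointer size, the assumption that each loop iteration stores one pointer, and the sample counts are all made up for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_RESPONSES 100u   /* the cap the patch on this page puts on nresp */

/* Size a 32-bit size_t ends up with for nresp * sizeof(char *), taking
 * 4-byte pointers (assumption: ILP32 target such as i386). */
static uint32_t alloc_size_ilp32(uint32_t nresp)
{
    return (uint32_t)((uint64_t)nresp * 4u);   /* keeps only the low 32 bits */
}

/* Bytes a loop running nresp times stores if each pass writes one pointer
 * (assumption: the loop body is not shown on the page). */
static uint64_t bytes_stored_ilp32(uint32_t nresp)
{
    return (uint64_t)nresp * 4u;
}

/* Hardened allocation (hypothetical helper): reject the count before any
 * arithmetic, then use calloc(), which checks the multiplication itself.
 * Returns NULL when nothing was allocated. */
static char **alloc_responses(uint32_t nresp)
{
    if (nresp == 0 || nresp > MAX_RESPONSES)
        return NULL;
    return calloc(nresp, sizeof(char *));
}

int main(void)
{
    uint32_t counts[] = { 3u, 100u, 101u, 0x40000001u };  /* constructed inputs */
    for (size_t i = 0; i < sizeof(counts) / sizeof(counts[0]); i++) {
        char **r = alloc_responses(counts[i]);
        printf("nresp=%u alloc=%u stored=%llu accepted=%s\n",
            (unsigned)counts[i], (unsigned)alloc_size_ilp32(counts[i]),
            (unsigned long long)bytes_stored_ilp32(counts[i]), r ? "yes" : "no");
        free(r);
    }
    return 0;
}
```

For the last constructed count the unchecked size wraps to 4 bytes while the loop would store more than 4 GB, which is the mismatch the `nresp > 100` check closes off.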
------------------------------------------------------------------------
- OpenBSD 3.3 RELEASED -------------------------------------------------

May 1, 2003.

We are pleased to announce the official release of OpenBSD 3.3.
This is our 13th release on CD-ROM (and 14th via FTP). We remain
proud of OpenBSD's record of seven years with only a single remote
hole in the default install. As in our previous releases, 3.3
provides significant improvements, including new features, in nearly
all areas of the system:

- Ever-improving security (http://www.OpenBSD.org/security.html)
o Integration of the ProPolice stack protection technology, by
Hiroaki Etoh, into the system compiler. This protection is
enabled by default. With this change, function prologues are
modified to rearrange the stack: a random canary is placed
before the return address, and buffer variables are moved closer
to the canary so that regular variables are below, and harder
to smash. The function epilogue then checks if the canary is
still intact. If it is not, the process is terminated. This
change makes it very hard for an attacker to modify the return
address used when returning from a function.

o W^X (pronounced: "W xor X") on architectures capable of pure
execute-bit support in the MMU (sparc, sparc64, alpha, hppa).
This is a fine-grained memory permissions layout, ensuring
that memory which can be written to by application programs can
not be executable at the same time and vice versa. This raises
the bar on potential buffer overflows and other attacks: as a
result, an attacker is unable to write code anywhere in memory
where it can be executed. (NOTE: i386 and powerpc do not support
W^X in 3.3; however, 3.3-current already supports it on i386,
and both these processors are expected to support this change
in 3.4.)

o Further reduction of the number of setuid and setgid binaries
and more use of chroot(2) th...
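The ProPolice frame layout described in the first item above, modeled as an added example (not OpenBSD or ProPolice code): a byte array stands in for one stack frame, and an oversized copy is applied to an unprotected layout and to the reordered layout with a canary. The offsets, the initial values and the fixed canary are constructed for the model; real frames depend on the compiler.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { VAR_SMASHED = 1, RET_SMASHED = 2, CANARY_TRIPPED = 4 };
enum { WORD = 4, FRAME_MAX = 32 };

/* Byte offsets in a model frame, low address first; canary -1 = none. */
struct layout { int var, buf, canary, ret, size; };

/* Constructed layouts with an 8-byte buffer (real compiler output varies). */
static const struct layout PLAIN     = { 8, 0, -1, 12, 16 }; /* buf var ret */
static const struct layout PROPOLICE = { 0, 4, 12, 16, 20 }; /* var buf canary ret */

/* Model an unchecked n-byte copy into the buffer (clamped to the model
 * frame), then the epilogue check. Returns a bitmask of what changed. */
static int simulate_copy(const struct layout *l, size_t n)
{
    static const uint8_t var0[WORD] = { 0x01, 0x00, 0x00, 0x00 };
    static const uint8_t ret0[WORD] = { 0x10, 0x20, 0x30, 0x40 };
    /* Fixed so the run is repeatable; the text describes a random canary. */
    static const uint8_t can0[WORD] = { 0xC3, 0x5A, 0x99, 0x0D };
    uint8_t mem[FRAME_MAX] = { 0 };
    int result = 0;

    memcpy(mem + l->var, var0, WORD);
    memcpy(mem + l->ret, ret0, WORD);
    if (l->canary >= 0)
        memcpy(mem + l->canary, can0, WORD);

    if (n > (size_t)(l->size - l->buf))
        n = (size_t)(l->size - l->buf);      /* stay inside mem[] */
    memset(mem + l->buf, 'A', n);            /* the oversized write */

    if (memcmp(mem + l->var, var0, WORD) != 0) result |= VAR_SMASHED;
    if (memcmp(mem + l->ret, ret0, WORD) != 0) result |= RET_SMASHED;
    if (l->canary >= 0 && memcmp(mem + l->canary, can0, WORD) != 0)
        result |= CANARY_TRIPPED;            /* epilogue terminates here */
    return result;
}

int main(void)
{
    for (size_t n = 8; n <= 16; n += 4)
        printf("n=%zu plain=%d propolice=%d\n", n,
            simulate_copy(&PLAIN, n), simulate_copy(&PROPOLICE, n));
    return 0;
}
```

In the reordered layout the scalar is never touched, and any write that reaches the return address has already changed the canary, so the epilogue check fires before the return address is used.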
This is the 1st revision of the Advisory.
This document can be found at: http://www.openssh.com/txt/buffer.adv
1. Versions affected:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer
management error. It is uncertain whether this error is
potentially exploitable, however, we prefer to see bugs
fixed proactively.

2. Solution:
Upgrade to OpenSSH 3.7 or apply the following patch.
Appendix:
Index: buffer.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/buffer.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- buffer.c 26 Jun 2002 08:54:18 -0000 1.16
+++ buffer.c 16 Sep 2003 03:03:47 -0000 1.17
@@ -69,6 +69,7 @@
void *
buffer_append_space(Buffer *buffer, u_int len)
{
+ u_int newlen;
void *p;if (len > 0x100000)
@@ -98,11 +99,13 @@
goto restart;
}
/* Increase the size of the buffer and retry. */
- buffer->alloc += len + 32768;
- if (buffer->alloc > 0xa00000)
+
+ newlen = buffer->alloc + len + 32768;
+ if (newlen > 0xa00000)
fatal("buffer_append_space: alloc %u not supported",
- buffer->alloc);
- buffer->buf = xrealloc(buffer->buf, buffer->alloc);
+ newlen);
+ buffer->buf = xrealloc(buffer->buf, newlen);
+ buffer->alloc = newlen;
goto restart;
/* NOTREACHED */
}
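Review bot: The reordering in the second hunk deserves a comment: the removed lines grew `buffer->alloc` before the `> 0xa00000` check, so the `fatal()` path ran with `alloc` already larger than the memory behind `buffer->buf`, while the new code only commits `buffer->alloc = newlen` after `xrealloc()` returns. A one-line comment above `newlen = buffer->alloc + len + 32768;` saying that `alloc` must never exceed the real allocation would keep a later cleanup from folding the assignment back. The added blank `+` line before it is whitespace-only and could be dropped.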
