Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Eric Furman
On Wed, Oct 8, 2014, at 01:05 AM, Jason Adams wrote:
 On 09/29/2014 05:00 AM, Peter Hessler wrote:
  You tested bash.  All 3 shells are behaving correctly by passing the env
  variable to the bash command you are running.  the bash command you are
  running is behaving incorrectly by parsing the variable as a function.
 
 So the question is, for those of us that have added the bash package,
 why is bash still vulnerable after all these weeks, when everyone else
 has fixed
 their bash packages?
 
 Just checked for updated pkg, today, and it's still vulnerable.
 

This is not really a general OBSD question because it's not part of
base.
Ask the maintainer of the bash package why it hasn't been updated.
Maybe the ports list?
Or you could do it yourself.



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Maurice McCarthy
mtier have had at least two updates of bash that I know of.
Regards



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Gregor Best
On Tue, Oct 07, 2014 at 10:05:57PM -0700, Jason Adams wrote:
 [...]
 So the question is, for those of us that have added the bash package,
 why is bash still vulnerable after all these weeks, when everyone else has 
 fixed
 their bash packages?
 
 Just checked for updated pkg, today, and it's still vulnerable.
 [...]

I'm running current here, with bash-4.3.28 from packages. The error
seems fixed:

$ env x='() { :; }; echo fnord' bash -c 'echo whee'
whee
$

Looks good to me. Are you running 5.5? Then the mtier packages are
probably a good idea.

-- 
Gregor Best
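A small check script, added here as an example and not part of the thread, that runs the same probe Gregor shows above against a chosen bash binary and classifies the result; the function names and the optional path arguments are my own.

```shell
#!/bin/sh
# Added example, not from the thread: probe a bash binary with the same test
# Gregor used and report whether it still imports functions from the
# environment. Function names and the optional path arguments are my own.

# Classify the probe's output. A vulnerable bash executes the trailing
# "echo fnord" while importing x, so "fnord" shows up before "whee";
# a patched bash leaves x as an ordinary variable and prints only "whee".
classify_shellshock_output() {
    case "$1" in
        *fnord*) echo vulnerable ;;
        *whee*)  echo patched ;;
        *)       echo unknown ;;
    esac
}

# Run the probe against the bash given as $1 (default: first bash in PATH).
# Always returns 0 and prints one of: patched, vulnerable, unknown, missing.
shellshock_status() {
    bash_bin="${1:-bash}"
    if ! command -v "$bash_bin" >/dev/null 2>&1; then
        echo missing
        return 0
    fi
    # env(1) only sets the variable; whether it becomes a function is up to bash.
    out=$(env 'x=() { :; }; echo fnord' "$bash_bin" -c 'echo whee' 2>/dev/null)
    classify_shellshock_output "$out"
}

# Print version and status for every bash path given (or the one in PATH),
# so a packaged binary and a ports-built one can be compared side by side.
report() {
    if [ $# -eq 0 ]; then set -- bash; fi
    for b in "$@"; do
        if command -v "$b" >/dev/null 2>&1; then
            ver=$("$b" -c 'echo "$BASH_VERSION"' 2>/dev/null)
        else
            ver="(not found)"
        fi
        printf '%-24s %-20s %s\n' "$b" "$ver" "$(shellshock_status "$b")"
    done
}

report "$@"
```

The probe only exercises the original function-import bug; the later bash43-029 and bash43-030 patches Dennis mentions address follow-on issues it does not detect, so also compare the reported version against the patch level you expect.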



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Dennis Davis
On Wed, 8 Oct 2014, Gregor Best wrote:

 From: Gregor Best g...@unobtanium.de
 To: Jason Adams adams...@gmail.com
 Cc: misc@openbsd.org
 Date: Wed, 8 Oct 2014 08:57:53
 Subject: Re: ksh, csh same vulnerability as bash

 On Tue, Oct 07, 2014 at 10:05:57PM -0700, Jason Adams wrote:
  [...]
  So the question is, for those of us that have added the bash package,
  why is bash still vulnerable after all these weeks, when
  everyone else has fixed their bash packages?
 
  Just checked for updated pkg, today, and it's still vulnerable.
  [...]

 I'm running current here, with bash-4.3.28 from packages. The
 error seems fixed:

...

There have been a couple of extra patches released: bash43-029 &
bash43-030.

For my sins I'm still on OpenBSD 5.3 on a couple of antique laptops.
Yes, I know OpenBSD 5.3 isn't supported and I should upgrade.
However I've tweaked the port for bash to include all the recent
patches.  So I'm now running:

GNU bash, version 4.2.53(1)-release (i386-unknown-openbsd5.3)
-- 
Dennis Davis dennisda...@fastmail.fm



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Stuart Henderson
On 2014-10-08, Jason Adams adams...@gmail.com wrote:
 On 09/29/2014 05:00 AM, Peter Hessler wrote:
 You tested bash.  All 3 shells are behaving correctly by passing the env
 variable to the bash command you are running.  the bash command you are
 running is behaving incorrectly by parsing the variable as a function.

 So the question is, for those of us that have added the bash package,
 why is bash still vulnerable after all these weeks, when everyone else has 
 fixed
 their bash packages?

 Just checked for updated pkg, today, and it's still vulnerable.

Release packages (e.g. in $mirror/pub/OpenBSD/5.5/packages/amd64)
do not get updated after the release is built. (Yes this means 5.6 too -
the cut-off point was around early August).

There are updates in the 5.5-stable ports tree that you can build
yourself (see the faq), or see https://stable.mtier.org/ (third-party).



OpenBSD doesn't recognize Android Phone (Alcatel OneTouch 993D with Android 4.0.4) as USB Modem

2014-10-08 Thread Dmitry Orlov
Synopsis: OpenBSD doesn't recognize Android Phone (Alcatel OneTouch 993D with Android 4.0.4) as USB Modem

Category: Kernel, URNDIS (probably)
Environment:
System  : OpenBSD 5.6
Details : OpenBSD 5.6-current (GENERIC.MP) #403: Tue Oct  7 18:24:37 MDT 2014
          dera...@amd64.openbsd.org:/usr/src/sys/arch/amd64/compile/GENERIC.MP

Architecture: OpenBSD.amd64
Machine : amd64
Description:
OpenBSD doesn't recognize Android Phone (Alcatel OneTouch 993D) as USB Modem.

How-To-Repeat:
Boot OpenBSD 5.6. Plug the USB cable into the machine and into the phone. In Access
Point, set USB Modem mode to ON. After a short time USB Modem mode switches itself off.

Fix:
NONE

SENDBUG: dmesg, pcidump, acpidump and usbdevs are attached.
SENDBUG: Feel free to delete or use the -D flag if they contain 
sensitive information.


dmesg:

Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Артур Истомин
On Wed, Oct 08, 2014 at 09:39:39AM +, Stuart Henderson wrote:
 On 2014-10-08, Jason Adams adams...@gmail.com wrote:
  On 09/29/2014 05:00 AM, Peter Hessler wrote:
  You tested bash.  All 3 shells are behaving correctly by passing the env
  variable to the bash command you are running.  the bash command you are
  running is behaving incorrectly by parsing the variable as a function.
 
  So the question is, for those of us that have added the bash package,
  why is bash still vulnerable after all these weeks, when everyone else has 
  fixed
  their bash packages?
 
  Just checked for updated pkg, today, and it's still vulnerable.
 
 Release packages (e.g. in $mirror/pub/OpenBSD/5.5/packages/amd64)
 do not get updated after the release is built. (Yes this means 5.6 too -
 the cut-off point was around early August).
 
 There are updates in the 5.5-stable ports tree that you can build
 yourself (see the faq), or see https://stable.mtier.org/ (third-party).

How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
Who are they?



Re: NAT logging and limits using pf

2014-10-08 Thread Henning Brauer
* Stuart Henderson s...@spacehopper.org [2014-10-05 22:49]:
 Normal PF logging isn't particularly well-suited to CGNAT-type requirements,
 in order to record both the internal address and the nat mapping you need
 to log both the inbound and outbound packets and piece it together from the
 two separate log entries.

nope, pflog has both the original and the rewritten address(es).

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: packet filter: question about parentheses around self

2014-10-08 Thread Henning Brauer
* Harald Dunkel ha...@afaics.de [2014-10-07 13:46]:
 A related question: I wonder how well (self) and (group)
 perform, compared to tables listing IP addresses? Is (self)
 evaluated every time for each rule using it, once per connection,
 in certain intervals, or only if one of the network interfaces
 is actually changed?

the latter, they are tables internally that get updated on changes.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services GmbH, http://bsws.de, Full-Service ISP
Secure Hosting, Mail and DNS. Virtual & Dedicated Servers, Root to Fully Managed
Henning Brauer Consulting, http://henningbrauer.com/



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Giancarlo Razzolini
On 08-10-2014 15:03, Артур Истомин wrote:
 How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
 Who are they?
It has been pointed out to me that one of the ports maintainers/developers is
associated with them. I've been using it since 5.4, and had no issues so
far. Their packages are signed using their own key, which gets installed
when you run openup for the first time. As long as you get the openup
script right the first time, I don't see any reason why you shouldn't
use it. And you can keep a copy of the script so you can compare it when
it gets updated (which happens automatically).

Cheers




Re: ksh, csh same vulnerability as bash

2014-10-08 Thread David Coppa
On Wed, Oct 8, 2014 at 9:47 PM, Giancarlo Razzolini
grazzol...@gmail.com wrote:
 On 08-10-2014 15:03, Артур Истомин wrote:
 How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
 Who are they?
 It has been pointed out to me that one of the ports maintainers/developers is
 associated with them.

not only one, there're several...

Ciao,
David
-- 
If you try a few times and give up, you'll never get there. But if
you keep at it... There's a lot of problems in the world which can
really be solved by applying two or three times the persistence that
other people will.
-- Stewart Nelson



Re: ksh, csh same vulnerability as bash

2014-10-08 Thread Giancarlo Razzolini
On 08-10-2014 17:14, David Coppa wrote:
 On Wed, Oct 8, 2014 at 9:47 PM, Giancarlo Razzolini
 grazzol...@gmail.com wrote:
 On 08-10-2014 15:03, Артур Истомин wrote:
 How is mtier affiliated with OpenBSD? Is it a safe method/source for updates?
 Who are they?
 It has been pointed out to me that one of the ports maintainers/developers is
 associated with them.
 not only one, there're several...

 Ciao,
 David
Even better then. Truly recommend using it.

Cheers




Re: Firewall: Where is the bottleneck?

2014-10-08 Thread jummo4

Hi Andy,

This morning I have added Priority Queueing (PRIQ) to the ruleset and
prefer TCP ACK packets over everything else. I can see the queues with
systat queue, but the change has no effect on the user experience or the
throughput.


I have read something about adjusting the TCP send and receive window size
settings, but OpenBSD does this automatically since 2010 [1]. What else can
I set?


Best Regards,
Patrick

[1] http://marc.info/?l=openbsd-miscm=128905075911814

On Thu, 2 Oct 2014, jum...@yahoo.de wrote:


Hi Andy,


Setup some queues and prioritise your ACK's ;)

Good idea, I will try to implement a Priority Queueing with the old altq.

Best Regards,
Patrick

On Thu, 2 Oct 2014, Andy wrote:


Setup some queues and prioritise your ACK's ;)

The box is fine under the load I'm sure, but you'll still need to 
prioritise those TCP acknowledgments to make things snappy when lots of 
traffic is going on..



On 02/10/14 17:13, Ville Valkonen wrote:

Hello Patrick,

On 2 October 2014 17:32, Patrick jum...@yahoo.de wrote:

Hi,

I use an OpenBSD based firewall (version 5.2, I know I should upgrade but
...) between an 8-host cluster of Linux servers and 300 clients which
access this cluster via VNC. Each server is connected with one gigabit
port to a dedicated switch and the firewall has one gigabit port on each side
(dedicated switch and campus network).


The users complain about slow VNC response times (if I connect a client
system to the dedicated switch, the access is faster, even during peak
hours), and the admins of the cluster blame my firewall :(.


I use MRTG for traffic monitoring (data retrieved from OpenBSD in one
minute intervals) and can see average traffic of 160 Mbit/s during office
hours and peaks at 280 Mbit/s. With bwm-ng and a five second interval I
can see peaks at 580 Mbit/s. The peak packets per second is around
8 packets (also measured with bwm-ng). The interrupt load of CPU0 peaks
at 25%. So with this data I don't think the firewall is at the limit,
am I right?


The server is a standard Intel Xeon (E3-1220V2, 4 cores, 3.10 GHz) with 4
GByte of memory and 4 1 Gbit/s copper Intel ethernet nics (driver em).


Where is the problem? Can't the nics handle more packets/second? How can 
I check for this?


If I connect a client system directly to the dedicated system, the 
response times are better.


Thanks for your help,
Patrick

In addition to dmesg, could you please provide the following information:
$ pfctl -si
$ sysctl kern.netlivelocks
and interrupt statistics (by systat for example) would be helpful.

Thanks!

--
Regards,
Ville

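The kind of PRIQ ruleset Patrick describes, with empty TCP ACKs in their own high-priority queue, written out as an added example that is not from the thread; the interface name em0, the 1Gb figure and the queue names are my assumptions, and the script only syntax-checks the fragment with pfctl -n where pfctl exists.

```shell
#!/bin/sh
# Added example, not from the thread: a pf.conf fragment for the PRIQ setup
# Patrick describes (pure TCP ACKs ahead of everything else) plus a parse-only
# check. Interface em0, the 1Gb bandwidth and the queue names are assumptions.

priq_ruleset() {
    cat <<'EOF'
ext_if = "em0"

# priq serves queues strictly by priority (7 is highest, 0 lowest), so q_ack
# is drained before q_def whenever both hold packets.
altq on $ext_if priq bandwidth 1Gb queue { q_ack, q_def }
queue q_ack priority 7
queue q_def priority 1 priq(default)

# Naming two queues on a rule sends TCP ACKs without payload (and packets with
# a lowdelay TOS) to the second queue; all other matching packets use the first.
pass out on $ext_if proto tcp all flags S/SA keep state queue (q_def, q_ack)
pass out on $ext_if proto { udp, icmp } all keep state queue q_def
EOF
}

# Syntax-check the fragment with pfctl -n (parse only; the running ruleset is
# not touched). Prints "ok" on success and "skipped" when pfctl is absent,
# e.g. when this is run off the firewall.
check_ruleset() {
    tmp=$(mktemp) || return 1
    priq_ruleset > "$tmp"
    if command -v pfctl >/dev/null 2>&1; then
        pfctl -nf "$tmp" && echo ok
        rc=$?
    else
        echo skipped
        rc=0
    fi
    rm -f "$tmp"
    return $rc
}

# After loading for real (pfctl -f /etc/pf.conf), watch per-queue packet
# counters with "systat queues": if q_ack stays at zero, ACKs are not
# matching the rule and the prioritisation cannot be having any effect.
check_ruleset
```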



no keyboard during snapshot/amd64 installation on MacBookPro 11,1

2014-10-08 Thread Jindřich Káňa
Hello list,

Trying to install amd64 snapshot on MacBookPro 11,1. Boot process stops on 
message: scsibus1 at softraid0: 256 targets. After a minute or more the install 
program appears. But the keyboard does not work. I tried to use another USB keyboard, 
but it's the same. In pckbc(4) it is written that device flags should be changed. I 
can use the keyboard to go into boot_config, but in UKC I lose the keyboard too… it just 
blinks… no possibility to type even with external USB keyboard.

Thanks much for hint!
Jindra



Re: combination of ssh port fowarding and pf redirection

2014-10-08 Thread stan
Anyone have any suggestions as to how to make this work?

On Tue, Oct 07, 2014 at 07:32:53PM -0400, stan wrote:
 Sorry that I did not make this clear.
 
 Here's what I am trying to do. I have a DB server behind an OpenBSD firewall
 that we control. I have a non-routable network behind it that connects
 outbound using NAT, and inbound using port forwarding. I have this working so
 that machines on the corporate network can connect to it by connecting to the
 appropriate port on the firewall.
 
 We have a corporate VPN to access only certain machines on that network.
 The firewall happens to NOT be one of those, and I need access to this
 database while connected via the VPN.
 
 So, what I need to do is set up an ssh tunnel through one of the machines
 that are accessible from the VPN. So what I am trying to do is set that
 tunnel up. But the OpenBSD machine is refusing the connection, as shown.
 
 So, here is a diagram of what I am trying to do:
 
 External machine -> VPN -> our machine -> SSH tunnel -> FW -> DB machine
 
 This works already:
 
 our machine -> FW -> DB machine
 
 Does that make it clearer?
 
 On Mon, Oct 06, 2014 at 09:22:52PM -0300, Giancarlo Razzolini wrote:
  On 06-10-2014 20:59, stan wrote:
   I have a pf configuration which correctly forwards external connections to
   port 5432 on a machine on the inside. I am trying to set up a machine on 
   the
   outside to use ssh port forwarding to send packets to port 5432 on the
   machine running pf (firewall). Here is my ssh command line:
  
   ssh -v -v -v -g -f -L 6030:phfw1:5432 stan@phfw1 -N
  
   I keep getting errors in auth.log about failure to connect on that port.
  
   Any idea what I am doing wrong?
  
  
  
  Very confusing. But if I understood correctly, you are trying to make a
  tcp port on a machine behind your firewall available to others in your
  internal lan, right? Well, for starters, I wouldn't use dns
  names on the port forwarding part. It's prone to errors, not to mention
  the fact that you'll get confused whether the name is resolved locally or
  remote. But it's remote, IIRC. In your case, you need to add your ip
  address to the forwarding. In your case, it would become:
  
  -L LOCAL IP:6030:REMOTE SIDE IP:5432
  
  If it's not this that you want, please clarify.
  
  Cheers,
  
  
 
 -- 
 A: Because it messes up the order in which people normally read text.
 Q: Why is top-posting such a bad thing?
 A: Top-posting.
 Q: What is the most annoying thing in e-mail?
 

-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?



Re: no keyboard during snapshot/amd64 installation on MacBookPro 11,1

2014-10-08 Thread Bryan Steele
On Wed, Oct 08, 2014 at 09:45:59PM +0200, Jindřich Káňa wrote:
 Hello list,
 
 Trying to install amd64 snapshot on MacBookPro 11,1. Boot process stops on 
 message: scsibus1 at softraid0: 256 targets. After a minute or more the install 
 program appears. But the keyboard does not work. I tried to use another USB 
 keyboard, but it's the same. In pckbc(4) it is written that device flags should be 
 changed. I can use the keyboard to go into boot_config, but in UKC I lose the 
 keyboard too… it just blinks… no possibility to type even with external USB 
 keyboard.
 
 Thanks much for hint!
 Jindra

Some modern systems no longer emulate the legacy i8042 controller,
which is fine if there is a USB keyboard. Unfortunately, some newer
systems also lack the ehci(4) USB 2.0 controller and its companions,
uhci(4) and ohci(4). Your Apple system may only include USB 3.0, or
an xHCI controller, support for which is still being worked on.

The keyboard works at the boot prompt because boot(8) is using
BIOS services which are emulated by Apple's EFI firmware.

The future is encroaching, but we're catching up. Hold on! :-)

-Bryan.



smtpd smarthost ISP config

2014-10-08 Thread admin
Hello

Current Sep 25 i386:

I want to use shawmail.vc.shawcable.net as smarthost, and I tried
smtp://, tls+auth:// and the others with failing results. What could be
wrong? Thanks.
--

#   $OpenBSD: smtpd.conf,v 1.7 2014/03/12 18:21:34 tedu Exp $

# This is the smtpd server system-wide configuration file.
# See smtpd.conf(5) for more information.

# To accept external mail, replace with: listen on all
#
#listen on lo0
#listen on rl0
listen on all

table aliases db:/etc/mail/aliases.db

# Uncomment the following to accept external mail for domain example.org
#
accept from any for domain example.ca alias aliases deliver to mbox
accept for local alias aliases deliver to mbox
accept from local for any relay via smtp://shawmail.vc.shawcable.net



Re: smtpd smarthost ISP config

2014-10-08 Thread trondd
What is the failing result? Does the email bounce? Error in the log?

Does your smtp server require authentication and you need to provide a
password with the secrets.db?



Route-to with a dynamic 'next hop'

2014-10-08 Thread Justin Mayes
Greetings all -

I have 2 internet connections. One of them is static IP, one is dynamic. I
want to use both of them on my gateway. From the man pages and other docs I
see the use of route-to in the pf.conf including the 'next-hop' that it
requires. This is easy enough. Problem is that the next hop is hard coded IP
in all examples. I need that next hop to get updated when my one WAN DHCP link
is updated. I know about if:peer, if:broadcast, if:network etc but there is no
if:gateway. Seems like you could have used dhclient-script to adjust pf config
when ip changed but dhclient-script has been removed.  I also read that relayd
has become the best option to accomplish this uplink load balancing in current
versions of OpenBSD. I wanted to check with you all to make sure I'm not
missing something basic with the load balanced uplink scenario in OpenBSD. As
always, comments and suggestions are much appreciated.

J



Re: Route-to with a dynamic 'next hop'

2014-10-08 Thread Justin Mayes
I just watched Reyk's youtube. I'm going with relayd. I can see the 'routers' 
section in the man page for relayd to do what I want. 

http://www.youtube.com/watch?v=JtMxGslqGbM

