Syspatch 1-2 available for OpenBSD 6.6

[hitest]

Syspatch 1-2 are available for all architectures for OpenBSD 6.6.

http://www.openbsd.org/errata66.html

[CiotBSD]

The third patch released: now for bgpd(8)!

[hitest]

Quote:

Originally Posted by CiotBSD

The third patch released: now for bgpd(8)!

Thank you!

[CiotBSD]

syspatch for OpenSMTPD : 2 patches, the 2d is very important about security system.

Gilles Chehade wrote:
https://marc.info/?l=openbsd-tech&m=158025543830138&w=2

[ripe]

Thank you.

[CiotBSD]

An interesting review by Openwall team about OpenSMTPD "breaches":

https://www.openwall.com/lists/oss-s...y/2020/01/28/3

[jggimi]

Yep. A logic error in validation, leading to the possibility of arbitrary remote code execution (as root!) when delivering to an mbox. Luckily, none of my OpenSMTPd servers use mbox -- they forward to a central server which uses Maildir -- so I don't need to worry about a previously open attack surface.

[gpatrick]

Quote:

Only two remote holes in the default install, in a heck of a long time!

Since OpenSMTPD is in the OpenBSD base, and this exploit can lead to remote code execution as root, then they will be changing that line?

[jggimi]

The website is maintained with cvs(1). You're welcome to submit a diff(1).

[TronDD]

Quote:

Originally Posted by gpatrick

Since OpenSMTPD is in the OpenBSD base, and this exploit can lead to remote code execution as root, then they will be changing that line?

smtpd does not listen on an external interface in the default installation.

[gpatrick]

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage

Quote:

The delivery agent is invoked by OpenSMTPD executing a shell command

That from an operating system that touts itself as secure, and then allows a shellcode injection attack? This has been hanging out there for at least two years. So much for that careful auditing of all the code.

[victorvas]

Quote:

Originally Posted by gpatrick

Anatomy of OpenBSD's OpenSMTPD hijack hole: How a malicious sender address can lead to remote pwnage


That from an operating system that touts itself as secure, and then allows a shellcode injection attack? This has been hanging out there for at least two years. So much for that careful auditing of all the code.

Human factor. People make mistakes.

[jggimi]

FWIW, gilles@ has published a post mortem on his blog:

https://poolp.org/posts/2020-01-30/o...ory-dissected/

[gpatrick]

Didn't read all of it, but I'm still moving my mail server back to Plan 9 Upas - A Simpler Approach to Network Mail.

Erik Quanstrom also has a paper Scaling Upas about his work on nupas while at Coraid.

[J65nko]

From https://poolp.org/posts/2020-01-30/o...ory-dissected/

Quote:

Since this blew to my face, I had several ideas to tackle this. Some were already discussed and not retained because they had potential for other issues. The current ideas are these:

• switching back mail delivery agents to execle()
• disallowing delivery to root

[snip]

It has been a long time since I used Daniel Bernstein's qmail, but one of the many precautions Bernstein takes to make qmail safe is not delivering any mail to 'root' or any other user with '0' as userid.

In my 'install.site" script I always use the following patch script snippet to configure non-root mail delivery:

Code:

echo --- patch script for: aliases \( generated: Sun 2011-02-20 18:26 CET\) --- BEGIN 

# ---  edit the following line if needed
FILE=/etc/mail/aliases

EXT="$(date "+%Y%m%d_%H%M%S")"

patch -b -z ${EXT} -p0 ${FILE} <<END_OF_PATCH
--- ORIG/aliases        Sun Feb 20 03:20:19 2011
+++ NEW/aliases Sun Feb 20 17:13:19 2011
@@ -69,9 +69,9 @@
 sshd:   /dev/null
 
 # Well-known aliases -- these should be filled in!
-# root:
-# manager:
-# dumper:
+root:          j65nko
+manager:       root
+dumper:                root
 
 # RFC 2142: NETWORK OPERATIONS MAILBOX NAMES
 abuse:         root
END_OF_PATCH

echo  --- patch script for: aliases --- END
# -----------------

[CiotBSD]

We continue with a new patch for OpenSMTPD, on 6.5, 6.6 and all archs.

Quote:

021: SECURITY FIX: February 24, 2020 All architectures
An out of bounds read in smtpd allows an attacker to inject arbitrary commands into the envelope file which are then executed as root. Separately, missing privilege revocation in smtpctl allows arbitrary commands to be run with the _smtpq group.

In FR!

[CiotBSD]

A new patch for sysctl on 6.5, 6.6 and all archs:

Quote:

022: RELIABILITY FIX: March 10, 2020 All architectures
Missing input validation in sysctl(2) can be used to crash the kernel.

in FR!

[CiotBSD]

A new patch for 6.5, and 6.6, for UDP broadcast and multicast socket.

[CiotBSD]

A new patch for the server dhcpd on 6.5, 6.6, into all supported architectures.

[ripe]

On it!