Rather than subject someone's server (like mine!) to a slashdotting, here's the full text of the announcement (slightly mangled to sneak past the lameness filter).
Subject: OpenSSH 3.7 released
Date: Tue, 16 Sep 2003 14:07:00 +0200
From: Markus Friedl
To: openssh-unix-dev _at_ mindrot.org
OpenSSH 3.7 has just been released. It will be available from the mirrors listed at http://www.openssh.com/ shortly.
OpenSSH is a 100% complete SSH protocol version 1.3, 1.5 and 2.0 implementation and includes sftp client and server support.
We would like to thank the OpenSSH community for their continued support to the project, especially those who contributed source and bought T-shirts or posters.
We have a new design of T-shirt available, more info on http://www.openbsd.org/tshirts.html#18
For international orders use http://https.openbsd.org/cgi-bin/order and for European orders, use http://https.openbsd.org/cgi-bin/order.eu
Security Changes:
All versions of OpenSSH's sshd prior to 3.7 contain a buffer management error. It is uncertain whether this error is potentially exploitable, however, we prefer to see bugs fixed proactively.
OpenSSH 3.7 fixes this bug.
Changes since OpenSSH 3.6.1:
* The entire OpenSSH code-base has undergone a license review. As a result, all non-ssh1.x code is under a BSD-style license with no advertising requirement. Please refer to README in the source distribution for the exact license terms.
* Rhosts authentication has been removed in ssh(1) and sshd(8).
* Changes in Kerberos support:
- KerberosV password support now uses a file cache instead of a memory cache.
- KerberosIV and AFS support has been removed.
- KerberosV support has been removed from SSH protocol 1.
- KerberosV password authentication support remains for SSH protocols 1 and 2.
- This release contains some GSSAPI user authentication support to replace legacy KerberosV authentication support. At present this code is still considered experimental and SHOULD NOT BE USED.
* Changed order that keys are tried in public key authentication. The ssh(1) client tries the keys in the following order:
1. ssh-agent(1) keys that are found in the ssh_config(5) file
2. remaining ssh-agent(1) keys
3. keys that are only listed in the ssh_config(5) file
This helps when an ssh-agent(1) has many keys, where the sshd(8) server might close the connection before the correct key is tried.
* SOCKS5 support has been added to the dynamic forwarding mode in ssh(1).
* Removed implementation barriers to operation of SSH over SCTP.
* sftp(1) client can now transfer files with quote characters in their filenames.
* Replaced sshd(8)'s VerifyReverseMapping with UseDNS option. When UseDNS option is on, reverse hostname lookups are always performed.
* Fix a number of memory leaks.
* Support for sending tty BREAK over SSH protocol 2.
* Workaround for other vendor bugs in KEX guess handling.
* Support for generating KEX-GEX groups (/etc/moduli) in ssh-keygen(1).
* Automatic re-keying based on amount of data sent over connection.
* New AddressFamily option on client to select protocol to use (IPv4 or IPv6).
* Experimental support for the "aes128-ctr", "aes192-ctr", and "aes256-ctr" ciphers for SSH protocol 2.
* Experimental support for host keys in DNS (draft-ietf-secsh-dns-xx.txt). Please see README.dns in the source distribution for details.
* Portable OpenSSH:
- Replace PAM password authentication kludge with a more correct PAM challenge-response module from FreeBSD.
- PAM support may now be enabled/disabled at runtime using the UsePAM directive.
- Many improvements to the OpenSC smartcard support.
- Regression tests now work with portable OpenSSH. Please refer to regress/README.regress in t
A software engineer, a hardware engineer and a network engineer are driving along when, while driving down a hill, the car veers out of control and crashes into a post. Miraculously, they survive.
The hardware engineer sizes up the situation and says, "There's some tools in the car, I can have it repaired in an hour."
The network engineer says, "I've got my phone, I can call for help."
The software engineer says, "No, no, what we need to do is push the car back up to the top of this hill and see if it crashes again!"
"The PDP-8/X is a reimplementation of the PDP-8/I, with 32K words of memory (all the memory you can put on a PDP-8/I), an extended memory control, an interface to an RS-232 terminal, and an interface to an IDE disk, which I built just for fun.
I consider this machine to be a new model compatible with something from the past, as opposed to a clone of the past, so I feel no shame in introducing new model-specific variations. The PDP-8/X, therefore, uses IDE disks with a new disk interface, because I thought that it would not be unreasonable for a new model to come out with a new disk controller, especially considering that customer-written PDP-8 device handlers were both common and encouraged."
PNG files are compressed using the LZH algorithm first used in... gzip
Speaking of gzip, there's also the Apache module mod_gzip which will transparently compress your HTML (or text) on the fly to most browsers. Trade CPU for bandwidth.
No, it's still needed. By itself, the kernel can only log to its ring buffer in memory. To send kernel messages to a remote syslog server, you need klogd to grab them and send them to syslogd, which sends them to the remote server.
It's probably possible to add this functionality to the kernel, but it's not there now.
> Therefore we must point it to our central syslog
That still won't work because the firewall won't have syslogd/klogd running.
The kernel has no concept of log files or syslog servers, it (and this includes ipchains/iptables) writes it to a ring buffer in memory. Klogd grabs it from there and sends it to syslogd for logging (or sending to another syslog server).
If you have no klogd or syslogd (which are user processes, all of which we've killed) then you have no remote logging.
Apparently some syslogd's have the klogd functionality built-in (although I can't remember seeing one) but the problem remains.
One of the examples (quoted in one of the FSF philosophy essays) is that Xerox wouldn't give them the source code to fix some problems they were having with their printer.
I always found it funny that, in a backhanded way, the GNU project is just one more thing Xerox invented.
The cost of the call-outs is just as important as the compensation it provides to the employees, because it provides a feedback mechanism to the employers that provides incentive to fix the underlying problems.
ie "Why are these call-outs costing me a fortune?"
Unfortunately, the knee-jerk reaction seems to be to find a way to not pay the callees rather than reducing the call-outs, either by instituting a second shift, if appropriate, or fixing minor resourcing problems.
I realise that's not always possible to reduce the number of calls, but in a lot of cases I've seen, it certainly is.
I worked for an outsourcing organisation where a particular customer's servers were chronically short of disk space. They wouldn't spend the money to install more, so we were constantly struggling with it. Our company *did* pay extra to be on call but *didn't* pay per call. As a result, the problems never showed up on any bottom line and were still a problem when I left.
How many callouts are due to inadequate disk space?
Foot-And-Mouth Believed To Be First Virus Unable To Spread Through Microsoft Outlook
Atlanta, Ga. (SatireWire.com)
Scientists at the Centers for Disease Control and Symantec's AntiVirus Research Center today confirmed that foot-and-mouth disease cannot be spread by Microsoft's Outlook email application, believed to be the first time the program has ever failed to propagate a major virus.
"Frankly, we've never heard of a virus that couldn't spread through Microsoft Outlook, so our findings were, to say the least, unexpected," said Clive Sarnow, director of the CDC's infectious disease unit.
The study was immediately hailed by British officials, who said it will save millions of pounds and thousands of man hours. "Up until now we have, quite naturally, assumed that both foot-and-mouth and mad cow were spread by Microsoft Outlook," said Nick Brown, Britain's Agriculture Minister. "By eliminating it, we can focus our resources elsewhere."
However, researchers in the Netherlands, where foot-and-mouth has recently appeared, said they are not yet prepared to disqualify Outlook, which has been the progenitor of viruses such as "I Love You," "Bubbleboy," "Anna Kournikova," and "Naked Wife," to name but a few.
Said Nils Overmars, director of the Molecular Virology Lab at Leiden University: "It's not that we don't trust the research, it's just that as scientists, we are trained to be skeptical of any finding that flies in the face of established truth. And this one flies in the face like a blind drunk sparrow."
Executives at Microsoft, meanwhile, were equally skeptical, insisting that Outlook's patented Virus Transfer Protocol (VTP) has proven virtually pervious to any virus. The company, however, will issue a free VTP patch if it turns out the application is not vulnerable to foot-and-mouth.
Such an admission would be embarrassing for the software giant, but Symantec virologist Ariel Kologne insisted that no one is more humiliated by the study than she is. "Only last week, I had a reporter ask if the foot-and-mouth virus spreads through Microsoft Outlook, and I told him, 'Doesn't everything?'" she recalled. "Who would've thought?"
It would be interesting to see how effective a registry could be if its address space has ended up in a few BGP black-holes. (Is this still done? It's been a while since I checked.) If the .st nameservers became unreachable, then the whole top-level domain could effectively get black-holed....
The author claims RFC-1122 (host requirements) compliance and telnet and web servers in 1K 12-bit words.
Having said that, I suspect a simple, application specific protocol would be more effective in this case.
Re:Apparently, you've never actually made a Q3 mod (on New Q3A Patch And Mods)
It might help to check out CVS (no pun intended). You can use it to track external (ie "vendor") branches of the code, and help integrate their changes with your own. It can probably be used retroactively by importing your starting point, committing your changes and importing the new release.
It obviously won't help with the protocol restrictions but might be useful.
Classic Unix traceroute uses UDP packets to random, high-numbered ports. It sends the first with a TTL of 1, which causes the first router to respond with an ICMP "time exceeded" message. This continues until the TTL is high enough to actually reach the target; in that case the target sends back an ICMP "port unreachable".
Now having said that, Win95/NT (dunno about W2K, never checked) use ICMP "echo requests" (ie pings) instead of UDP packets to high-numbered ports.
In summary: Both varieties require ICMP time exceeded to actually trace the path. Classic Unix traceroutes use UDP probes and rely on port unreachables to know they've hit their target, while MS-type tracert's use ICMP echo requests and get an echo reply when they've hit their target.
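The probing loop the comment describes, simulated in Python over a constructed in-memory path so that both termination conditions can be seen side by side. This is an added example, not code from the original post; the probe names ("udp", "icmp-echo") and the hop addresses are this example's own.

```python
"""Simulation of the two traceroute styles described in the comment above.

Added example, not code from the original post. The path is a constructed
in-memory list of hops; nothing is sent on the wire. Probe kind names
("udp", "icmp-echo") and the hop addresses are this example's own.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Kinds of ICMP reply the simulated hops can send (labels, not wire encodings)
TIME_EXCEEDED = "time-exceeded"
PORT_UNREACHABLE = "port-unreachable"
ECHO_REPLY = "echo-reply"


@dataclass
class Hop:
    address: str
    answers_icmp: bool = True  # False: router silently drops expired probes


def forward_probe(path: List[Hop], ttl: int, probe: str) -> Tuple[Optional[str], Optional[str]]:
    """Carry one probe along the path; return (responder, reply kind).

    path:  routers in order, with the target host as the last element.
    probe: "udp" for a datagram to a high, unused port (classic Unix
           traceroute) or "icmp-echo" for a ping (Windows tracert).
    (None, None) means the probe expired at a hop that sends no ICMP error.
    """
    for index, hop in enumerate(path):
        if index == len(path) - 1:
            # The destination host accepts the packet whatever TTL remains;
            # only the kind of reply depends on what was sent.
            kind = PORT_UNREACHABLE if probe == "udp" else ECHO_REPLY
            return hop.address, kind
        ttl -= 1  # every router decrements TTL before forwarding
        if ttl == 0:
            # Expired in transit: the router discards it and reports back
            if hop.answers_icmp:
                return hop.address, TIME_EXCEEDED
            return None, None
    return None, None


def trace(path: List[Hop], probe: str, max_ttl: int = 30):
    """Send probes with TTL 1, 2, 3, ... until the target itself answers.

    Returns [(ttl, responder, kind), ...]; a hop that never answers shows
    as (ttl, "*", None), the way a real traceroute prints it.
    """
    results = []
    for ttl in range(1, max_ttl + 1):
        responder, kind = forward_probe(path, ttl, probe)
        results.append((ttl, responder or "*", kind))
        # Termination condition differs per style: port unreachable for the
        # UDP probe, echo reply for the ICMP probe; time exceeded means "keep going"
        if kind in (PORT_UNREACHABLE, ECHO_REPLY):
            break
    return results


# Constructed path: two routers (the second drops expired probes) and a target
SAMPLE_PATH = [Hop("10.0.0.1"), Hop("10.0.1.1", answers_icmp=False), Hop("192.0.2.10")]

if __name__ == "__main__":
    for style in ("udp", "icmp-echo"):
        print(f"--- {style} probes ---")
        for ttl, who, kind in trace(SAMPLE_PATH, style):
            print(f"{ttl:2d}  {who:<12} {kind or ''}")
```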
It's not a comment as such but I'm building Enlightenment in another window and caught sight of the following (from configure):
checking for XF86VidModeQueryExtension in -lXxf86vm... yes
checking for mass_quantities_of_bass_ale in -lFridge... no
checking for mass_quantities_of_any_ale in -lFridge... no
Warning: No ales were found in your refrigerator.
We highly suggest that you rectify this situation immediately.
updating cache ./config.cache
Obviously I should have used "configure --without-ads".......
I disagree that proxies are a poor security solution (they can be very effective if set up correctly).
I do agree that msproxy is (ahem) a non-optimal solution. I've run across MS Proxy twice in customer environments due to reported problems. In both cases, the MS proxy was the problem.
In the first case, the box was going catatonic requiring a reboot almost daily. No amount of MCSE's or service packs could fix it. We eventually rebuilt it with Linux and Squid. It's given one problem in the six months since installation when the cache disk ran out of inodes.....
In the second case, it was due to the proxy not handling HTTP/1.1 requests correctly for virtually-hosted sites. We chained the msproxy to an upstream netscape proxy which did.
For the problem at hand, check out Dante. It's a socks package that has beta support for acting as a msproxy client. From the README:
This is the first version of Dante that attempts to support the msproxy protocol. This is a protocol not described in any publicly known document and it was implemented based on watching network packets crossing the wire and guessing their meaning.
This prerelease is made public in order to get feedback on the msproxy stuff. Current status:
TCP connect(2) is expected to work.
TCP bind(2) is expected to work.
hostnames are resolved (via the proxy).
sometimes the server returns an unexpected response to our connect request. MS clients understand when the response means "wait a little, then continue or retry", we currently don't.
We appreciate any feedback at all, does it work, does it not. That will determine whether Inferno Nettverk will continue to support work on this.
Code for UDP support will probably be added later if there is demand for it.
If you're a UNIX user trapped behind a msproxy server, here's to you.
They also warn you that it may crash your msproxy, but that was just a matter of time anyway, right:-?
You're probably thinking of Nyx (nyx.cs.du.edu, "The spirit of the night!"). My vague memory suggests that it might have been a Pyramid box, however I could be wrong.
I don't know if it was around in '83, though.
(A quick stroll over to altavista tells me that it's still around as nyx.net. You can read the history. It started in '87 on a PDP11 and later migrated to a Pyramid.)
In my previous job, we'd regularly (once every few weeks) see portscans on 80 and 8080 of our public address space originating from China. At the time I suspected people were looking for apache's with mod_proxy enabled or unsecured caches. The description of the filtering method contained in the article reinforces that belief.
I also believe that possessing cryptographic software is a criminal offense in some countries. Is China one of them?
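A defender's check for the kind of scanning the comment describes: requests that ask an Apache server to fetch a third-party URL (or open a CONNECT tunnel) are how an open mod_proxy is found, and a 2xx answer to such a request means the server actually proxied it. This is an added example, not from the original comment; the log lines, the served-hostname set and the IP addresses are constructed.

```python
"""Spot open-proxy probing in Apache access logs.

Added example, not from the original comment. Scanners looking for an
Apache with mod_proxy enabled send requests whose target is an absolute
URL for some third-party host (or a CONNECT request); a 2xx answer to
such a request means the server actually proxied it. The log lines
below are constructed, not captured from any real server.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache "combined" log format; only the fields this check needs are named.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) '
)

# Hostnames this server legitimately serves (assumption for the example)
OUR_HOSTS = {"www.example.org", "example.org"}


def classify(line):
    """Return (src, verdict, status) for one log line, or None if unparsable.

    verdict is "connect", "proxy-request" or "normal".
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    src, method, target, status = m.group("src", "method", "target", "status")
    if method == "CONNECT":
        return src, "connect", status  # tunnel request: only a proxy honours it
    # An absolute URI in the request line asks the server to fetch it for us
    if re.match(r"^[a-z][a-z0-9+.-]*://", target, re.IGNORECASE):
        host = urlsplit(target).hostname or ""
        if host not in OUR_HOSTS:
            return src, "proxy-request", status
    return src, "normal", status


def find_proxy_probes(lines):
    """Summarise per source IP: probe count and whether any probe got a 2xx.

    Returns {src: {"probes": n, "served": bool}} for sources that probed.
    """
    summary = defaultdict(lambda: {"probes": 0, "served": False})
    for line in lines:
        parsed = classify(line)
        if parsed is None:
            continue
        src, verdict, status = parsed
        if verdict == "normal":
            continue
        summary[src]["probes"] += 1
        if status.startswith("2"):
            summary[src]["served"] = True  # the request went through: open proxy
    return dict(summary)


# Constructed sample: one ordinary visitor, one probing source that is refused,
# one probing source whose request the server actually served.
SAMPLE_LOG = [
    '198.51.100.7 - - [12/Sep/2003:03:14:07 +0000] "GET / HTTP/1.0" 200 1043 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [12/Sep/2003:03:14:09 +0000] "GET http://www.example.com/ HTTP/1.0" 403 288 "-" "-"',
    '203.0.113.9 - - [12/Sep/2003:03:14:10 +0000] "CONNECT mail.example.com:25 HTTP/1.0" 403 288 "-" "-"',
    '203.0.113.9 - - [12/Sep/2003:03:14:11 +0000] "GET http://www.example.org/ HTTP/1.1" 200 1043 "-" "-"',
    '192.0.2.44 - - [12/Sep/2003:03:20:02 +0000] "GET http://www.example.net/ HTTP/1.0" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for src, info in find_proxy_probes(SAMPLE_LOG).items():
        flag = "OPEN PROXY" if info["served"] else "refused"
        print(f"{src:<15} probes={info['probes']} {flag}")
```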
Amen to that (and no, the sig is not new)
.. is two doors down on the left.
He also did a PDP-4/X.
It's not there yet but it's heading that way. Of the platforms I work with regularly:
Redhat have shipped OpenSSH since 7.0
Sun ships a modified OpenSSH with Solaris 9.
IBM ship OpenSSH on the AIX5 bonus pack CD (also downloadable)
HP provide a native OpenSSH package for HP-UX 11+
They're all native packages and they're all supported.
I've gotta say, that's how I feel too.
LILO: linux init=/u01/oracle/product/8.1.6./bin/oracle
That's not quite true. Which of those two is a network interface? How about a shared memory segment?
--
--
Copyright © 2001, SatireWire
--
Or you can also do this with Squid via its fake_user_agent option.
Mine returns "Mozilla/4.0 [en] (Linux; Vic-20)" :-)
--
--
You need to read about the IPic match-head sized web server.
You can find out about CVS at Cyclic's home page. There's also a manual section and a section in the on-line CVS book about vendor branches.
The major exceptions that spring to mind are network devices. You can't send a raw ethernet frame using "echo hello >/dev/eth0".