From owner-doc-jp@jp.freebsd.org  Wed Nov 22 23:42:31 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id XAA29195;
	Wed, 22 Nov 2000 23:42:31 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from eos.ocn.ne.jp (eos.ocn.ne.jp [210.190.142.171])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id XAA29190
	for <doc-jp@jp.freebsd.org>; Wed, 22 Nov 2000 23:42:30 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
Received: from mail.hrslab.yi.org (p0189-ip01funabasi.chiba.ocn.ne.jp [211.123.225.189])
	by eos.ocn.ne.jp (8.9.1a/OCN/) with ESMTP id XAA26713
	for <doc-jp@jp.freebsd.org>; Wed, 22 Nov 2000 23:42:28 +0900 (JST)
Message-Id: <200011221442.XAA26713@eos.ocn.ne.jp>
Received: from localhost (alph.hrslab.yi.org [192.168.0.10])
	by mail.hrslab.yi.org (8.9.3/3.7W/DomainMaster) with ESMTP id WAA59873
	for <doc-jp@jp.freebsd.org>; Wed, 22 Nov 2000 22:57:48 +0900 (JST)
	(envelope-from hrs@eos.ocn.ne.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <wk4s10g6w9.wl@FREYA.hmp.sony.co.jp>
References: <200011192042.FAA03073@eos.ocn.ne.jp>
	<wk4s10g6w9.wl@FREYA.hmp.sony.co.jp>
X-Mailer: Mew version 1.94.1 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Multipart/Mixed;
 boundary="--Next_Part(Wed_Nov_22_22:44:10_2000_809)--"
Content-Transfer-Encoding: 7bit
Date: Wed, 22 Nov 2000 22:57:47 +0900
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
X-Dispatcher: imput version 20000228(IM140)
Lines: 190
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7860
Subject: [doc-jp 7860] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:69.telnetd
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@eos.ocn.ne.jp

----Next_Part(Wed_Nov_22_22:44:10_2000_809)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit

$B:4F#!wEl5~M}2JBg3X$G$9!#(B

 00:69,70,72 $B$K=$@5$rF~$l$^$7$?!#(B


 - 00:69

    * $B8mLu$N=$@5!#(B
      (mho@pobox.com/[doc-jp 7855])

 - 00:70

    * $BLuJ8$N=$@5!#(B
      (mho@pobox.com/[doc-jp 7855])

      incoming $B$N!VE~Ce$9$k!W$r!V30It$+$i!W$KJQ99!#(B

      other types $B$r!V$=$NB>$N0U?^$7$J$$!W$HLu$9$H(B
      other $B$N;X$9=89g$,[#Kf(B ($B2?$KBP$9$k$=$NB>(B?) $B$J$N$G!"(B
      $B6qBNE*$J5-=R$rLuCm$H$7$FDI2C!#(Bdrop $B$5$l$k$Y$-$J$N$K(B
      $B$5$l$J$$%Q%1%C%H$O!"(Blibalias $B$N(B PacketAliasIn() $B$G(B
      PKT_ALIAS_IGNORED $B$HH=CG$5$l$k%Q%1%C%H!#(B
      $B$3$l$K$O30It$+$i$N@\B3MW5a$dG'<1$G$-$J$$(B ICMP
      $B%a%C%;!<%8$,4^$^$l$k!#(B

 - 00:72

    * client-side exploit $B$NLu8l$N=$@5!#(B
      (Melon <melon@orangenetwork.net>)

      client-side $B$r!V%/%i%$%"%s%HB&$+$i!W$HLu$9$H(B
      $B%/%i%$%"%s%H$N%f!<%6(B ($B$D$^$j%m!<%+%k%f!<%6(B) $B$,(B
      exploit $B$9$k$h$&$KFI$a$F$7$^$&$N$G!"(B
      $B%j%b!<%H$+$i%/%i%$%"%s%H$r0-MQ$H$$$&I=8=$KJQ99!#(B

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@eos.ocn.ne.jp>
|
| sato@sekine00.ee.noda.sut.ac.jp (UNIV)
| hrs@FreeBSD.org (FreeBSD Project)

----Next_Part(Wed_Nov_22_22:44:10_2000_809)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="69.diff"
Content-Transfer-Encoding: 7bit

Index: 00:69
===================================================================
RCS file: /home/cvs/private/hrs/FreeBSD-SA/00:69,v
retrieving revision 1.2
retrieving revision 1.4
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.2 -r1.4
--- 00:69	2000/11/21 16:23:13	1.2
+++ 00:69	2000/11/22 12:05:30	1.4
@@ -93,12 +93,13 @@
 $BFC$KLdBj$H$J$k$N$O(B, $B%j%b!<%H%f!<%6$,(B TERMCAP $B4D6-JQ?t$rEO$7$F(B,
 $B$=$N%7%9%F%`>e$NG$0U$N%U%!%$%k$r(B termcap $B%G!<%?$H$7$F8!:w$5$;$k(B
 $B$3$H$,$G$-$k$H$$$&E@$G$9(B.  telnetd $B%5!<%P%W%m%0%i%`$O(B root $B8"8B$G(B
-$BF0:n$9$k$?$a%m!<%+%k%7%9%F%`>e$NG$0U$N%U%!%$%k$rFI$`$3$H$,$G$-$^$9$,(B, 
-$B%U%!%$%k$NFbMF$,M-8z$J(B termcap $B%(%s%H%j$G$"$k8B$j(B, $B$=$NFbMF$,(B
-$B8+$($k7A$G8=$o$l$k$3$H$O0l@Z$J$/(B, $B$^$?(B, $B$=$NFbMF$KBP1~$9$k(B termcap
-$B@)8fJ8;zNs$O(B, $B%/%i%$%"%s%H$KAw$i$l$k=PNO$N=q<0;XDj$KMxMQ$5$l$^$9(B.
-$B$3$N$?$a(B, $B$3$N%;%-%e%j%F%#>e$N<eE@$K$h$k%G!<%?$NO31L$N4m81@-$O$J$$$H(B
-$B9M$($i$l$F$$$^$9(B.
+$BF0:n$9$k$?$a%m!<%+%k%7%9%F%`>e$NG$0U$N%U%!%$%k$rFI$`$3$H$,$G$-$^$9(B.
+$B$=$7$F%U%!%$%k$NFbMF$KM-8z$J(B termcap $B%(%s%H%j$,B8:_$9$k>l9g(B,
+$B$=$NFbMF$KBP1~$9$k(B termcap $B@)8fJ8;zNs$,%/%i%$%"%s%H$KAw$i$l$k(B
+$B=PNO$N=q<0;XDj$KMxMQ$5$l$^$9(B.  $B$?$@$7(B, $B$b$7M-8z$J(B termcap $B%(%s%H%j$,(B
+$B$=$N%U%!%$%k$KB8:_$7$J$1$l$P(B, $B%U%!%$%k$NFbMF$,%j%b!<%H%f!<%6$K(B
+$BAw$i$l$k$3$H$O$"$j$^$;$s(B.  $B$=$N$?$a(B, $B$3$N%;%-%e%j%F%#>e$N(B
+$B<eE@$K$h$C$F%G!<%?$,O31L$9$k4m81@-$O$J$$$H9M$($i$l$F$$$^$9(B.
 
 However, an attacker who forces the server to search through a large
 file or to read from a device can cause resources to be spent by the
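Review bot: In the added lines the conclusion introduced by 「そのため」 ("therefore") follows directly on the sentence about files with no valid termcap entry, so the case described just before it, where a valid entry exists and control strings taken from the file are used to format client output, falls outside the stated reasoning for "no risk of data leakage". Reword the last sentence so it does not hang causally on the no-valid-entry case alone, and check the sentence order against the English source paragraph, which lies outside this hunk. The sentence-initial 「そして」 and the 「もし」 in 「もし ... 存在しなければ」 are also colloquial for advisory text and can be dropped.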

----Next_Part(Wed_Nov_22_22:44:10_2000_809)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="70.diff"
Content-Transfer-Encoding: 7bit

Index: 00:70
===================================================================
RCS file: /home/cvs/private/hrs/FreeBSD-SA/00:70,v
retrieving revision 1.1
retrieving revision 1.2
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.1 -r1.2
--- 00:70	2000/11/19 20:27:34	1.1
+++ 00:70	2000/11/22 12:10:45	1.2
@@ -78,17 +78,18 @@
 traffic, effectively turning "deny_incoming" into a no-op.
 
 ppp $B$N%I%-%e%a%s%H$K$h$k$H(B, "nat deny_incoming" $B%3%^%s%I$O(B
-$B!VE~Ce$9$k$9$Y$F$N@\B3$r5qH]$9$k!W$H$J$C$F$$$^$9(B.  $B$3$l$O(B
+$B!V30B&$+$i$N$9$Y$F$N@\B3$r5qH]$9$k!W$H$J$C$F$$$^$9(B.  $B$3$l$O(B
 $B30It$N%f!<%6$,FbIt%M%C%H%o!<%/$N%5!<%S%9$X@\B3$G$-$J$$$h$&$K$7(B,
 ppp $B$r4J0WE*$J%U%!%$%"%&%)!<%k$H$7$FMxMQ$9$k$?$a$KNI$/;H$o$l$k(B
 $B%3%^%s%I$G$9(B.  $B$7$+$7(B, 3.x $B%V%i%s%A$H(B 4.x $B%V%i%s%A$NN>J}$N(B ppp $B$N(B
-$B%3!<%I$O(B FreeBSD 4.1 $B$*$h$S(B 3.5 $B$N%j%j!<%9A0(B (4.x $B$O(B 2000-06-05,
-3.x $B$O(B 2000-06-03) $B$KF0:n$,JQ99$5$l(B, $BG'<1$G$-$J$$%Q%1%C%H(B, $B$?$H$($P(B
+$B%3!<%I$O(B, FreeBSD 4.1 $B$*$h$S(B 3.5 $B$N%j%j!<%9A0(B (4.x $B$O(B 2000-06-05,
+3.x $B$O(B 2000-06-03) $B$N;~4|$K(B, $BG'<1$G$-$J$$%Q%1%C%H(B, $B$?$H$($P(B
 IPSEC $B%Q%1%C%H$dB>$N(B IP $B%W%m%H%3%k$N%Q%1%C%H$J$I(B, ppp $B$N=hM}%3!<%I$G(B
-$B!VE~Ce$7$?@\B3MW5a!W$H$_$J$5$l$J$$%Q%1%C%H$K$D$$$F$O(B, $BDL2a$r5v2D$9$k(B
-$B$h$&$K$J$j$^$7$?(B.  $B$3$l<+BN$b$*$=$i$/@5$7$$F0:n$H$O8@$($J$$$N$G$9$,(B,
-ppp $B$N=hM}%3!<%I$O$5$i$K(B, $B8m$C$FE~Ce$9$k!V$9$Y$F$N!W%Q%1%C%H$NDL2a$b(B
-$B5v2D$7$F$7$^$$(B, "deny_incoming" $B$N5!G=$rL58z$J$b$N$K$7$F$7$^$$$^$9(B.
+$B!V30B&$+$i$N@\B3MW5a!W$H$_$J$5$l$J$$%Q%1%C%H$K$D$$$F$ODL2a$r5v2D$9$k(B
+$B$h$&$KJQ99$5$l$^$7$?(B.  $B$3$l<+BN$b$*$=$i$/@5$7$$F0:n$H$O8@$($J$$$b$N(B
+$B$@$C$?$N$G$9$,(B, ppp $B$N=hM}%3!<%I$O$5$i$KE~Ce$9$k!V$9$Y$F$N!W%Q%1%C%H$N(B
+$BDL2a$b8m$C$F5v2D$9$k$?$a(B, $B7k2LE*$K(B "deny_incoming" $B$N5!G=$rL58z$J$b$N$K(B
+$B$7$F$7$^$$$^$9(B.
 
 Thus, users who are using the deny_incoming functionality in the
 expectation that it provides a "deny by default" firewall which only
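Review bot: "incoming" ends up rendered in more than one way inside this single paragraph: the added lines use 「外側からの」 for the documentation quote and for the connection request, the added line containing 「さらに到着する「すべての」パケットの」 keeps 「到着する」, and the unchanged context line uses 「外部のユーザ」. Pick one rendering (the message body names 「外部から」) and apply it throughout the paragraph so readers do not take the variants for different things.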
@@ -99,7 +100,8 @@
 $B$7$?$,$C$F(B, $B4{B8$N(B NAT $B%;%7%g%s$K4^$^$l$k%Q%1%C%H$N$_$NDL2a$r5v2D$9$k(B,
 $B!V%G%U%)%k%H$G5qH]!W$N%U%!%$%"%&%)!<%k$r<B8=$9$k$?$a$K(B deny_incoming $B$r(B
 $B;H$C$F$$$k%f!<%6$O(B, $B<B:]$K$OFbIt%M%C%H%o!<%/$KBP$7$F(B, $B$"$k<o$N0U?^$7$J$$(B
-IP $B%Q%1%C%H$N?/F~$r5v$7$F$7$^$$$^$9(B.
+IP $B%Q%1%C%H(B ($BLuCm(B: $B?7$7$$30B&$+$i$N@\B3MW5a$d(B ICMP $B$J$I(B) $B$N?/F~$r(B
+$B5v$7$F$7$^$$$^$9(B.
 
 The behaviour of ppp was corrected to only allow incoming packets
 which are known to be part of a valid NAT session, which gives the
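Review bot: In the added translator's note, 「新しい外側からの接続要求」 can be parsed with 「新しい」 modifying 「外側」; 「外側からの新しい接続要求」 removes the ambiguity. The note also says plain 「ICMP など」, which is broader than the "unrecognized ICMP messages" given as the rationale in the message body; narrowing it to 「認識できない ICMP メッセージ」 keeps the note from implying that all ICMP traffic passes.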
@@ -110,12 +112,13 @@
 destination IP addresses and protocol number to pass, but all others
 to be denied.
 
-ppp $B$NF0:n$O0lHLE*$KK>$^$l$k$h$&$J%Q%1%C%H%U%#%k%?$NF0:n$r<B8=$9$k$h$&(B,
-$BM-8z$J(B NAT $B%;%7%g%s$K4^$^$l$kE~Ce%Q%1%C%H$N$_$NDL2a$r5v2D$9$k$h$&$K(B
-$B=$@5$5$l$^$7$?(B.  libalias $B$,G'<1$G$-$J$$308~$-$N(B IP $B%Q%1%C%H(B (VPN $B$K(B
+$BLdBj$H$J$C$F$$$?(B ppp $B$NF0:n$O(B, $BM-8z$J(B NAT $B%;%7%g%s$K4^$^$l$k(B
+$BE~Ce%Q%1%C%H$NDL2a$N$_$r5v2D$9$k$h$&$K=$@5$5$l$^$7$?(B.  $B$=$N$?$a(B,
+$B0lHLE*$KK>$^$l$k$h$&$J%Q%1%C%H%U%#%k%?$NF0:n$r<B8=$9$k$h$&$K(B
+$B$J$C$F$$$^$9(B.  libalias $B$,G'<1$G$-$J$$308~$-$N(B IP $B%Q%1%C%H(B (VPN $B$K(B
 $B;H$o$l$k308~$-$N(B IPSEC $B%Q%1%C%H$J$I(B) $B$O(B, $BBP1~$9$kAw?.85%"%I%l%9(B,
-$BAw?.@h%"%I%l%9(B, $B%W%m%H%3%kHV9f$r;}$DE~Ce%Q%1%C%H$r5v2D$7(B, $B$=$NB>$r(B
-$B5qH]$9$k(B NAT $B%;%7%g%s$r0l$D3NN)$7$^$9(B.
+$BAw?.@h%"%I%l%9$*$h$S%W%m%H%3%kHV9f$r;}$DE~Ce%Q%1%C%H$r5v2D$7(B,
+$B$=$NB>$r5qH]$9$k(B NAT $B%;%7%g%s$r0l$D3NN)$7$^$9(B.
 
 This behaviour may be sufficient for the security needs of many users,
 although users with advanced filtering or security policy requirements
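Review bot: 「問題となっていた」 at the start of the added text has no counterpart in the visible English ("The behaviour of ppp was corrected to only allow incoming packets ..."), yet unlike the addition in the preceding hunk it is not marked as a 訳注. Either drop it or mark it as a translator's note. The added lines also keep 「到着パケット」 for "incoming packets", the rendering this diff replaces with 「外側からの」 in its first hunk.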
@@ -123,9 +126,9 @@
 provided by ipfw(8) or ipf(8) which can meet their needs.
 
 $B$3$NF0:n$O(B, $B$[$H$s$I$N%f!<%6$K$H$C$F%;%-%e%j%F%#E*$K==J,$J$b$N$G$"$k$H(B
-$B;W$o$l$^$9$,(B, $BJ#;($J%U%#%k%?$d%;%-%e%j%F%#%]%j%7$,MW5a$5$l$k>l9g$O(B
+$B;W$o$l$^$9(B.  $B$h$jJ#;($J%U%#%k%?$d%;%-%e%j%F%#%]%j%7$,MW5a$5$l$k>l9g$O(B,
 ipfw(8) $B$d(B ipf(8) $B$,Ds6!$7$F$$$k(B, $B>\:Y$J@_Dj$,2DG=$J%Q%1%C%H%U%#%k%?$r(B
-$BMxMQ$7$F$/$@$5$$(B.  $B$3$l$i$OJ#;($JMW5a$K$bBP1~$G$-$^$9(B.
+$BMxMQ$7$F$/$@$5$$(B.  $B$3$l$i$O$=$N$h$&$JMW5a$K$bBP1~$G$-$^$9(B.
 
 The following released versions of FreeBSD are the only releases
 vulnerable to this problem: 3.5, 3.5.1, 4.1, 4.1.1.  It was fixed in
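Review bot: The unchanged line directly above the edit renders "may be sufficient for the security needs of many users" as 「ほとんどのユーザにとって ... 十分なものであると思われます」, that is "most users", which claims more than the English does. Since this paragraph is being reworked anyway, 「多くのユーザ」 would match "many users".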

----Next_Part(Wed_Nov_22_22:44:10_2000_809)--
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Disposition: attachment; filename="72.diff"
Content-Transfer-Encoding: 7bit

Index: 00:72
===================================================================
RCS file: /home/cvs/private/hrs/FreeBSD-SA/00:72,v
retrieving revision 1.1
retrieving revision 1.2
diff -d -u -I\$FreeBSD:.*\$ -I\$Id:.*\$ -I\$hrs:.*\$ -r1.1 -r1.2
--- 00:72	2000/11/21 16:31:14	1.1
+++ 00:72	2000/11/22 12:03:19	1.2
@@ -65,10 +65,10 @@
 running the curl client.
 
 curl port $B$N%P!<%8%g%s(B 7.4.1 $B$h$jA0$N$b$N$K$O(B, $B%(%i!<=hM}%3!<%I$K(B
-$B4^$^$l$k%P%C%U%!%*!<%P%U%m!<LdBj$r%/%i%$%"%s%HB&$+$i0-MQ$G$-$k$H$$$&(B
-$B%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.  $B$=$N$?$a(B, $B0-0U$N$"$k(B FTP $B%5!<%P$N(B
-$B4IM}<T$O(B, curl $B%/%i%$%"%s%H$r<B9T$7$F$$$k%f!<%6$N8"8B$GG$0U$N%3!<%I$r(B
-$B<B9T$5$;$k$3$H$,2DG=$G$9(B.
+$B4^$^$l$k%P%C%U%!%*!<%P%U%m!<LdBj$r;H$C$F(B ($BLuCm(B: $B%j%b!<%H$+$i(B)
+$B%/%i%$%"%s%H$r0-MQ$G$-$k$H$$$&%;%-%e%j%F%#>e$N<eE@$,B8:_$7$^$9(B.  
+$B$=$N$?$a(B, $B0-0U$N$"$k(B FTP $B%5!<%P$N4IM}<T$O(B, curl $B%/%i%$%"%s%H$r(B
+$B<B9T$7$F$$$k%f!<%6$N8"8B$GG$0U$N%3!<%I$r<B9T$5$;$k$3$H$,2DG=$G$9(B.
 
 The curl port is not installed by default, nor is it "part of FreeBSD"
 as such: it is part of the FreeBSD ports collection, which contains
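Review bot: The added line ending in 「弱点が存在します.」 carries trailing whitespace after the full stop; strip it before commit. The inline 「(訳注: リモートから)」 also splits the clause 「問題を使って ... クライアントを悪用できる」; because the next sentence already names the administrator of a malicious FTP server as the attacker, writing 「リモートからクライアントを悪用できる」 without the note marker would read more smoothly and say the same thing.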

----Next_Part(Wed_Nov_22_22:44:10_2000_809)----
