28 August 2008

... letters, we get letters

To : (elided)
Cc : CentOS security role account
Subject : vulnerability cache poisoning in bind-9.3.4-6.0.2.P1.el5_2
----- Message Text -----
On Thu, 28 Aug 2008, (elided) wrote:

> I haven't found any update to the bind software in the
> repositories. Is it necessary to download the source of bind
> version 9.5.x and compile it?
> S.O CentOS 5.2

No; CentOS uses the RPM package management system, and 'yum' (which itself uses the 'rpm' programs). This issue has already been addressed for people who run updates regularly.

You do not mention the CVE you are concerned about. This is
the process to see the most recent updates as to CVEs.

The RPM package manager permits you to view what has been
addressed in recent time thus:

~]$ rpm -q --changelog bind | \
  grep -i cve | tac | tail
- added upstream patch for correct SIG handling - CVE-2006-4095
- added fix for #225229 - CVE-2007-0494 BIND dnssec denial of service
- added fix for #224445 - CVE-2007-0493 BIND might crash after
- fixed cryptographically weak query id generator (CVE-2007-2926)
- CVE-2007-6283 (#419421)
- CVE-2008-0122 (small buffer overflow in inet_network)
- CVE-2008-1447

and then viewing:


Obviously, I used some command line tools to winnow down the
mass of Changelog; one could feed it to '| less' as well.

Placing: 2008-0122 into the: Search Master Copy of CVE, we

(under review)


The DNS protocol, as implemented in (1) BIND 8 and 9 before
9.5.0-P1, 9.4.2-P1, and 9.3.5-P1; (2) Microsoft DNS in Windows
2000 SP4, XP SP2 and SP3, and Server 2003 SP1 and SP2; and
other implementations allow remote attackers to spoof DNS
traffic via a birthday attack that uses in-bailiwick referrals
to conduct cache poisoning against recursive resolvers,
related to insufficient randomness of DNS transaction IDs and
source ports, aka "DNS Insufficient Socket Entropy
Vulnerability" or "the Kaminsky bug."


which is the recent Kaminsky bug. As it is mentioned, we see
it was addressed by CentOS in:

~]$ rpm -q bind
~]$ rpm -q bind

Thanks for asking.

22 August 2008

GnuPG -- A few minutes on using detached and clearsigned content

This is a re-formatted [and typo reduced ;) ] version, re-laid for the blogging software, of a post I made to the main CentOS mailing list earlier today. A test copy of this post, which will verify properly, is here and may be retrieved with wget.

A few minutes on using detached and clearsigned content.

In light of today's CVE-2007-4752 by the CentOS project's upstream:

I issue this brief piece on using GnuPG

1. View a proposed key to use, at the MIT keyserver

from: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x650D5882

2. Copy and create a local instance

[herrold@centos-5 redhat]$ vi rht-key

[herrold@centos-5 redhat]$ gpg --import rht-key
gpg: key 650D5882: duplicated user ID detected - merged
gpg: key 650D5882: public key "Red Hat, Inc. (Security Response Team) " imported
gpg: Total number processed: 1
gpg: imported: 1
gpg: 3 marginal(s) needed, 1 complete(s) needed, classic trust model
gpg: depth: 0 valid: 2 signed: 5 trust: 0-, 0q, 0n, 0m, 0f, 2u
gpg: depth: 1 valid: 5 signed: 2 trust: 0-, 0q, 0n, 1m, 4f, 0u
gpg: next trustdb check due at 2009-03-14

3. Compute a local fingerprint of the candidate

[herrold@centos-5 redhat]$ gpg --fingerprint 650D5882
pub 1024D/650D5882 2001-11-21
Key fingerprint = 9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
uid Red Hat, Inc. (Security Response Team)

sub 2048g/7EAB9AFD 2001-11-21

[herrold@centos-5 redhat]$

4. Compare and validate the fingerprint of the candidate against the RHT statement of the same fingerprint:


5. You do NOT need to accept a key permanently to check signed content purportedly with it; consider the Red Hat notice at:

6. We can retrieve the checking script

wget https://www.redhat.com/security/data/openssh-blacklist-1.0.sh

and the (presumptively) signed checksum of that file

wget https://www.redhat.com/security/data/openssh-blacklist-1.0.sh.asc

This is called a detached signature.

7. And then we can validate ('--verify') that the signature and the file were signed by a person in possession of the private key.

Hopefully that private key is itself protected, for example kept behind one-way firewalls and under a 'pass phrase', and corresponds to a known public key (which we retrieved and added earlier). I follow this procedural security process myself [one-way firewalls and pass phrases], as do other CentOS team members, along with other measures.

[herrold@centos-5 redhat]$ gpg --verify openssh-blacklist-1.0.sh.asc openssh-blacklist-1.0.sh

gpg: Signature made Fri 22 Aug 2008 05:02:29 AM EDT using DSA key ID
gpg: Good signature from "Red Hat, Inc. (Security Response Team)
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the
Primary key fingerprint: 9273 2337 E5AD 3417 5265 64AB 5E54 8083 650D 5882
[herrold@centos-5 redhat]$

8. As we have not indicated to gpg that we permanently trust this key, gpg adds the WARNING -- this is expected and correct under this outline. The validation checks out.

9. This file can be clearsigned -- the process we will follow is this:

[herrold@centos-5 .gnupg]$ gpg --clearsign import-key-howto.txt

You need a passphrase to unlock the secret key for
user: "R P Herrold "
1024-bit DSA key, ID 9B649644, created 2003-02-09

File `import-key-howto.txt.asc' exists. Overwrite? (y/N) y
[herrold@centos-5 .gnupg]$

10. That is, import-key-howto.txt is clearsigned, and a new file, import-key-howto.txt.asc, is produced. As I did it twice, to add this text, the warning about Overwriting a file appeared.

11. This is a non-detached (clearsigned) file, and it might also be tested by retrieving the indicated key contents and doing a '--verify'.

12. As I have previously certified my own key, I can do it more simply locally:

[herrold@centos-5 .gnupg]$ gpg --verify import-key-howto.txt.asc
gpg: Signature made Fri 22 Aug 2008 12:37:39 PM EDT using DSA key ID
gpg: Good signature from "R P Herrold "
[herrold@centos-5 .gnupg]$

Note that the TIME of the signing will vary, as I have to resign the file after adding this content.
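The twelve steps above, run end to end, as an added example that is not part of the original post: it generates a throwaway signer key into one temporary keyring, exports and imports the public key into a second keyring (the verifier's, as in step 2), compares fingerprints (steps 3 and 4), then produces and verifies both a detached signature (steps 6 to 8) and a clearsigned file (steps 9 to 12). It goes beyond the post in two ways: the verifier's keyring has not certified the key, so the step 8 WARNING is reproduced and shown not to affect the exit status, and the signed file is then altered to show that verification rejects it. It assumes gpg 2.x on PATH; the signer name, e-mail address and all files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: the import / fingerprint /
# detached-sign / clearsign / verify workflow against a throwaway key.
# Assumes gpg 2.x; signer identity and files below are constructed.
set -u

SIGNER_HOME="$(mktemp -d)"     # signer's keyring, holds the private key
VERIFIER_HOME="$(mktemp -d)"   # verifier's keyring, holds only the public key
trap 'GNUPGHOME="$SIGNER_HOME" gpgconf --kill gpg-agent 2>/dev/null;
      GNUPGHOME="$VERIFIER_HOME" gpgconf --kill gpg-agent 2>/dev/null;
      rm -rf "$SIGNER_HOME" "$VERIFIER_HOME"' EXIT

# gpg with no prompts and minimal chatter; $GNUPGHOME selects the keyring.
gpgq() { gpg --batch --quiet --no-tty "$@"; }

# Constructed signer key (RSA, no passphrase). Idempotent: generated once.
make_signer_key() {
    GNUPGHOME="$SIGNER_HOME" gpgq --list-secret-keys signer@example.invalid >/dev/null 2>&1 && return 0
    cat > "$SIGNER_HOME/params" <<'EOF'
%no-protection
Key-Type: RSA
Key-Length: 2048
Subkey-Type: RSA
Subkey-Length: 2048
Name-Real: Example Signer
Name-Email: signer@example.invalid
Expire-Date: 0
%commit
EOF
    GNUPGHOME="$SIGNER_HOME" gpgq --gen-key "$SIGNER_HOME/params" 2>/dev/null
}

# Steps 1-2: publish the public key as armored text and import it elsewhere.
publish_and_import() {
    GNUPGHOME="$SIGNER_HOME" gpgq --armor --export signer@example.invalid > "$SIGNER_HOME/pubkey.asc" 2>/dev/null &&
    GNUPGHOME="$VERIFIER_HOME" gpgq --import "$SIGNER_HOME/pubkey.asc" 2>/dev/null
}

# Step 3: the primary key's 40-hex-digit fingerprint from machine-readable output.
fingerprint_of() {  # $1 = keyring dir, $2 = user id or key id
    GNUPGHOME="$1" gpgq --with-colons --fingerprint "$2" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Step 4: the locally computed fingerprint must equal the one the publisher
# states out of band (the signer's own keyring stands in for that statement).
fingerprints_match() {
    [ "$(fingerprint_of "$VERIFIER_HOME" signer@example.invalid)" = \
      "$(fingerprint_of "$SIGNER_HOME" signer@example.invalid)" ]
}

# Step 6: detached, ASCII-armored signature FILE.asc beside FILE (--yes answers
# the "Overwrite?" question seen in step 9).
detach_sign() {
    GNUPGHOME="$SIGNER_HOME" gpgq --yes --armor --detach-sign --output "$1.asc" "$1"
}

# Steps 7-8: verify FILE against FILE.asc from the verifier's keyring. Exit 0
# means "Good signature"; the "not certified with a trusted signature" WARNING
# goes to stderr and does not change the exit status.
verify_detached() {
    GNUPGHOME="$VERIFIER_HOME" gpgq --verify "$1.asc" "$1" 2>/dev/null
}

# Step 9: clearsign FILE into FILE.asc (text and signature in one file).
clearsign() {
    GNUPGHOME="$SIGNER_HOME" gpgq --yes --clearsign --output "$1.asc" "$1"
}

# Step 12: a clearsigned file is verified on its own.
verify_clearsigned() {
    GNUPGHOME="$VERIFIER_HOME" gpgq --verify "$1.asc" 2>/dev/null
}

# Whole workflow; one line per check, exit status 0 only if every check passes.
demo() {
    make_signer_key && publish_and_import || return 1
    fingerprints_match && echo "fingerprint matches published value" || return 1

    f="$SIGNER_HOME/blacklist.sh"   # constructed stand-in for openssh-blacklist-1.0.sh
    printf 'echo "checking keys"\n' > "$f"
    detach_sign "$f" && verify_detached "$f" && echo "detached signature: good" || return 1

    # Any change to the signed file, even one appended byte, must be rejected.
    printf '#\n' >> "$f"
    verify_detached "$f" && return 1 || echo "tampered file: signature rejected"

    c="$SIGNER_HOME/howto.txt"       # constructed stand-in for import-key-howto.txt
    printf 'import-key howto\n' > "$c"
    clearsign "$c" && verify_clearsigned "$c" && echo "clearsigned file: good" || return 1
}

demo
```

Run it as `sh gpg-demo.sh`; remove the `2>/dev/null` on `verify_detached` to see the WARNING text from step 8 printed alongside the "Good signature" line.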

13. Previously (prior to 22 Aug 2008), I have included my PGP details in every piece of email I send. Starting today, for email I originate, I will add another line with my GPG details as well. I will send this document to the main centos mailing list.

Date: Thu, 21 Aug 2008 17:43:28 -0400 (EDT)
From: R P Herrold
To: trading-shim general mailing list
Subject: segmentation faults
In-Reply-To: <1219351509.12150.18.camel@gb07>
References: <200808202117.m7KLH4rf011059@pippin.first.lan>

User-Agent: Alpine 1.999 (LRH 1145 2008-08-19)
X-M: Go Blue
X-OpenPGP-Key-ID: 0x7BFB98B9
MIME-Version: 1.0

In pine (alpine), one does this with Customized X-headers:

Customized Headers = X-M: Go Blue
X-GnuPG-GPG-Key-ID: ox9B649644
X-OpenPGP-Key-ID: 0x7BFB98B9

[hmmm -- a typo: o for 0 in the GnuPG line -- I'll fix that in alpine]

This piece intentionally does not address CentOS response; a preliminary statement on this has been posted in the /topic of the IRC channel #centos on irc.freenode.org, and I have done a blog posting which is up at: http://planet.centos.org/

- -- Russ herrold

CVE-2007-4752 and CentOS

wearing my 'security@centos.org' hat, I have changed the IRC topic temporarily:

11:47 orc_orc changed the topic of #centos to: updated 22 Aug 2008 CentOS acknowledge CVE-2007-4752 and are reviewing our build and signing processes and hosts for signs of tampering subsequent to retrieval of SRPMs. // DO NOT PASTE IN HERE (unless asked; 1 line MAX), use http://pastebin.centos.org/ | See http://centos.org/irc | How to ASK a question: http://tinyurl.com/anel | CentOS mirrors:
http://centos.org/mirrors | Understanding Backporting:

and had to temporarily omit:

Current Releases: CentOS 5.2, 4.6, 3.9, 2.1 | CentOS 5.2 now released

20 August 2008

Let's get rid of disclaimers like this ...

... on mailing lists, as well. Or just subscribe and post from another email account. Or use more than a subject line to ask a question.

Email must be too hard for mere mortals to figure out.

Date: Wed, 20 Aug 2008 08:17:39 -0400
From: Mark T. Kennedy
To: quickfix developers
Subject: quickfix-d] is there a new bug/issue tracker?

QuickFIX Documentation:
QuickFIX Support: http://www.quickfixengine.org/services.html


This communication and any attachments may contain confidential/proprietary
information and is intended for information purposes only. It is not an
invitation or offer to purchase interests from Diamondback. Any
representation to the contrary is unintentional. This communication is
intended only for the person(s) to whom it is addressed. If you are not the
intended recipient you are hereby notified that you have received this
document in error and that any review, dissemination, distribution, or
copying of this message or any attachments is not permitted. If you have
received this in error, please notify the sender immediately by e-mail and
delete this message. All e-mails sent to or received from this address will
be received by Diamondback's company e-mail system and is subject to
archival and possible review by someone other than the recipient. This
notice is automatically appended to each e-mail message leaving Diamondback.

Where is my coffee cup, anyway?

12 August 2008

If a tree falls in the forest, and no one hears it, ...

... does it still make a sound?
-- folk equivalent of a Zen koan

hmmm. No smiley. Clearly sent by someone with a keen perception of the obvious:

Date: Tue, 12 Aug 2008 08:56:29 -0400
From: spamtools-owner @ lists.abuse.net
To: herrold @ owlriver.com
Subject: Spamtools recipient validation for herrold @ owlriver.com

This is a probe message to check the distribution of the spamtools list. Please let me know immediately if you did not receive this message.

John Levine, list meister

I'll hop right on getting that message out, right after another cup of coffee.

11 August 2008

"We're going to need another Timmy!"

Mr. Lizard, Dinosaurs

A running gag on that show, and in IRC, the same.

04:37 msivak> umga9pej
04:37 msivak> hups
04:37 msivak> time to change another password ;)

10 August 2008

score: pen one, orc zero

'Out, damned spot! out, I say.'

-- Lady Macbeth, Macbeth, Act V, Scene 1, Shakespeare

Came back from a trip out of town, and as is my usual custom, had all the dirty clothing on the top of the suitcase [for the TSA to appreciate digging through]. Now I am usually pretty careful to pull stray paper, change, and writing implements out of clothing as I disrobe. I missed a ball point pen this time, and in loading the laundry bin, missed it a second time.

We all know how this comes out, and indeed once the pen moved from the washer to the dryer, it opened up. Spots everywhere. Dr Seuss would be proud, but no 'Voom' seems to be in our house. It spotted and gave its distinctive blue-black hue to the good towels, napkins, and other items which went through with a white summer weight cotton shirt in whose pocket the pen was riding. There is probably nothing in the future of those towels other than promotion to the 'rag box.'

But the issue remained of removing the ink from the dryer drum interior. I consulted Google, and a couple of commercial products were suggested, but it is Sunday, and I am not likely to go out again today. Household agents such as acetone (sometimes found in nail polish remover), denatured alcohol, Comet brand dry bleach powdered abrasive cleaner came to mind. Digging through the garage, I also came across an ether based starting fluid, and WD-40 brand spray lubricant.

Down to the dryer, and spot testing {ahem} began. Bottom line, alcohol on a paper towel and a bit of elbow grease triumphed.

Too late in the day for coffee, not late enough for Scotch. I'll go find a Miller Genuine Draft (bottled) in the 'fridge.