Diffstat (limited to 'libexec')
-rw-r--r--  libexec/tcpd/BLURB    26
-rw-r--r--  libexec/tcpd/CHANGES  15
-rw-r--r--  libexec/tcpd/README   15
3 files changed, 35 insertions, 21 deletions
diff --git a/libexec/tcpd/BLURB b/libexec/tcpd/BLURB index cc95cf74285..8d82fa7826f 100644 --- a/libexec/tcpd/BLURB +++ b/libexec/tcpd/BLURB @@ -1,5 +1,5 @@ -$OpenBSD: BLURB,v 1.1 1997/02/26 06:00:30 downsj Exp $ -@(#) BLURB 1.27 97/02/12 02:13:17 +$OpenBSD: BLURB,v 1.2 1997/06/01 05:21:39 downsj Exp $ +@(#) BLURB 1.28 97/03/21 19:27:18 With this package you can monitor and filter incoming requests for the SYSTAT, FINGER, FTP, TELNET, RLOGIN, RSH, EXEC, TFTP, TALK, and other 
@@ -12,20 +12,18 @@ requested service; the wrappers do not exchange information with the client or server applications, and impose no overhead on the actual conversation between the client and server applications. -This patch upgrades the tcp wrappers version 7.4 source code to version -7.5. Highlights of this release: - - - Support for more UNIX system types. - - - Improved protection against IP spoofing attacks with source-routed - TCP connections, by refusing them. This protection is not enabled by - default. +This patch upgrades the tcp wrappers version 7.5 source code to +version 7.6. The source-routing protection in version 7.5 was not +as strong as it could be. And all this effort was not needed with +modern UNIX systems that can already stop source-routed traffic in +the kernel. Examples are 4.4BSD derivatives, Solaris 2.x, and Linux. This release does not introduce new features. Do not bother applying -this patch when you built your current tcp wrapper without enabling the -KILL_OPTIONS compiler switch. The patch is not useful for obsolete UNIX -versions that pre-date 4.4BSD, such as SunOS 4. Such systems are unable -to receive source-routed connections and are therefore not vulnerable +this patch when you built your version 7.x tcp wrapper without +enabling the KILL_IP_OPTIONS compiler switch; when you can disable +IP source routing options in the kernel; when you run a UNIX version +that pre-dates 4.4BSD, such as SunOS 4. Such systems are unable to +receive source-routed connections and are therefore not vulnerable to IP spoofing attacks with source-routed TCP connections. A complete change log is given in the CHANGES document. As always, diff --git a/libexec/tcpd/CHANGES b/libexec/tcpd/CHANGES index 7b4c3c72368..aa23b243f62 100644 --- a/libexec/tcpd/CHANGES +++ b/libexec/tcpd/CHANGES 
@@ -1,10 +1,23 @@ -$OpenBSD: CHANGES,v 1.1 1997/02/26 06:00:31 downsj Exp $ +$OpenBSD: CHANGES,v 1.2 1997/06/01 05:21:39 downsj Exp $ Request: after building the programs, please run the `tcpdchk' wrapper configuration checker. See the `tcpdchk.8' manual page (`nroff -man' format) for instructions. `tcpdchk' automatically identifies the most common configuration problems, and will save you and me a lot of time. +Changes per release 7.6 (Mar 1997) +================================== + +- Improved the anti source-routing protection. The code in version +7.5 was not as strong as it could be, because I tried to be compatible +with Linux. That was a mistake. Sorry for the inconvenience. + +- The program no longer terminates case of a source-routed connection, +making the IP-spoofing code more usable for long-running daemons. + +- When syslogging DNS hostname problems, always stop after a limited +number of characters. + Changes per release 7.5 (Feb 1997) ================================== diff --git a/libexec/tcpd/README b/libexec/tcpd/README index 3d3f1f1c65b..1e52463617d 100644 --- a/libexec/tcpd/README +++ b/libexec/tcpd/README @@ -1,7 +1,7 @@ -$OpenBSD: README,v 1.1 1997/02/26 06:00:35 downsj Exp $ -@(#) README 1.29 97/02/12 02:13:20 +$OpenBSD: README,v 1.2 1997/06/01 05:21:40 downsj Exp $ +@(#) README 1.30 97/03/21 19:27:21 -This is the 7.5 version of the TCP/IP daemon wrapper package. +This is the 7.6 version of the TCP/IP daemon wrapper package. Thank you for using this program. If you like it, send me a postcard. My postal address is at the bottom of this file. 
@@ -329,9 +329,12 @@ very few, if any, UNIX vendors have adopted it. Our site, and many other ones, has been running these enhanced daemons for several years, and without any ill effects. -When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the +When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the programs refuse to service TCP connections with IP source routing -options. +options. -DKILL_IP_OPTIONS is not needed on modern UNIX systems +that can stop source-routed traffic in the kernel. Examples are +4.4BSD derivatives, Solaris 2.x, and Linux. See your system manuals +for details. If you are going to use this feature on SunOS 4.1.x you should apply patch 100804-03+ or 101790-something depending on your SunOS version. @@ -535,7 +538,7 @@ of the noise. A more powerful tool is the Swatch monitoring system by Stephen E. Hansen and E. Todd Atkins. Swatch can process log files in real time and can associate arbitrary actions with patterns; its applications are by no means restricted to security. Swatch is -available from sierra.stanford.edu, directory /pub/sources. +available ftp.stanford.edu, directory /general/security-tools/swatch. Socks, described in the UNIX Security III proceedings, can be used to control network traffic from hosts on an internal network, through a |
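Review bot: in the BLURB @@ -12 hunk, the rewritten "Do not bother applying this patch" sentence strings three exemptions together with semicolons ("when you built ...; when you can disable ...; when you run ...") and needs an "or" before the last one. The middle exemption should also be conditioned on the kernel protection actually being in effect rather than merely available, e.g. "when your kernel is configured to drop source-routed packets", since an administrator who skips the patch on the strength of a capability that is never turned on keeps the weaker 7.5 check the same hunk describes.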
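Review bot: the second 7.6 entry in the CHANGES hunk, "The program no longer terminates case of a source-routed connection", is missing a word; it should read "no longer terminates in case of a source-routed connection" (or "on a source-routed connection"). It would also help to state what happens instead, namely that the connection is refused and the daemon keeps running, since that is the behaviour the "more usable for long-running daemons" clause relies on and it is only spelled out in the README hunk.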
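Review bot: the first changed line of the README @@ -329 hunk ("When the wrapper programs are compiled with -DKILL_IP_OPTIONS, the") is identical before and after apart from whitespace; drop that whitespace-only change so the hunk is limited to the text it actually modifies. In the added sentence, "-DKILL_IP_OPTIONS is not needed on modern UNIX systems that can stop source-routed traffic in the kernel" should say explicitly that the kernel option must be enabled, not just present, before the compile flag is dropped; "See your system manuals for details" does not make that clear.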
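Review bot: the replacement line in the README @@ -535 hunk drops the preposition; "available ftp.stanford.edu, directory /general/security-tools/swatch." should read "available from ftp.stanford.edu, directory /general/security-tools/swatch.", matching the line it replaces.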