BFD 1.4: Important Security Fix

Today I have put up a new release of BFD, version 1.4, that addresses an unsanitized variable issue that is used on the command line. This is a serious issue and should be treated as such, if you currently have BFD installed I would encourage you to update it immediately, the install.sh script in the BFD package will retain all your options and tracking data so the update process is painless.

Current Release:
http://www.rfxn.com/downloads/bfd-current.tar.gz

Change Log:
[Fix] properly sanitized vars passed to the command line
[Fix] ignore.hosts is now updated with system addresses on each bfd run
[Note] thanks to jpetersen@webhostsecurity.com for invaluable input and pointers

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar xvfz bfd-current.tar.gz
cd bfd-1.4/
./install.sh

Although this issue has many mitigating factors that lessen the severity of the potential impact it is nevertheless very serious and best to opt on the side of caution. I need to extend a special thanks to Jeff Petersen of webhostsecurity.com for identifying this issue in a very professional fashion and offering technical input.

bfd, bugs, linux, ssh

Print article

This entry was posted by Ryan M. on May 8, 2010 at 11:53 am, and is filed under Development. Follow any responses to this post through RSS 2.0. You can skip to the end and leave a response. Pinging is currently not allowed.

Related Posts
Comments (2)

#1 written by Ryan M.
about 3 months ago

Quote

Whoops, sure – done and thanks!

init6:

i know its a small thing, but can you change the post so it shows the following

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar xvzf bfd-current.tar.gz
cd bfd-1.4/
./install.sh

thanks
#2 written by init6
about 3 months ago

Quote

i know its a small thing, but can you change the post so it shows the following

wget http://www.rfxn.com/downloads/bfd-current.tar.gz
tar xvzf bfd-current.tar.gz
cd bfd-1.4/
./install.sh

thanks

Linux Malware Detect v1.3.6: Loose Ends

about 3 months ago - No comments

In LMD 1.3.3 there was allot of changes, 29 to be exact, that made LMD much more robust and especially the monitoring component, much more usable. If that release was about making good things better, then this release is about bringing loose ends together. I spent a couple of days running LMD through its paces More >

Let The Rewrites Begin: New Life For PRM

about 3 months ago - No comments

In my last post, I reflected on the last 7-8 years of projects here at rfxn.com, in doing so I also dug up some statistics on project downloads. I not only did this for my own curiosity but to prioritize the mile long to do list I have for the projects, based on downloads. One More >

Better Late Than Never: Linux Malware Detect 1.3

about 3 months ago - 1 comment

Today I have released Linux Malware Detect (LMD) 1.3, the first public stable release of my malware detection tool. The documentation is a little thin but the details are on the project page and the README file should fill you in on anything you need to know, otherwise you can post a comment on the More >

Nginx: Caching Proxy

about 4 months ago - 3 comments

Recently I started to tackle a load problem on one of my personal sites, the issue was that of a poorly written but exceedingly MySQL heavy application and the load it would induce on the SQL server when 400-500 people were hammering the site at once. Further compounding this was Apache’s horrible ability to gracefully More >

Out with the old, In with the new!

about 4 months ago - 1 comment

The old theme was doing my head in, so I ditched it. Keep an eye out in the coming days/weeks for new releases of APF & BFD in addition to a few more howto entries and the release of maldetect with a ATF stats landing page.

IRSYNC & Limiting Passwordless SSH Keys

about 4 months ago - No comments

Anyone who has ever used SSH key-pairs to access more than a couple of servers (or hundreds in my case), will tell you they are an invaluable convenience. It is a natural progression and very common usage that SSH key-pairs are coupled with other common tasks or tools, where having a pass phrase attached to More >

Upgrade CentOS 4.8 to 5.3

about 10 months ago - 10 comments

Traditionally, the dist upgrade path that many were familiar with from the RH8/9->Fedora or similarly Fedora dist upgrades, have applied more or less to RHEL/CentOS but with the release of 4.5 and early releases of 5.0 the actual dist upgrade path was messy or nearly impossible. The early versions of 5.0 (up to 5.2) had More >

Linux Malware Detectection

about 10 months ago - 7 comments

[ UPDATE: Linux Malware Detect has been released ] I have the last few weeks been working on a new project for malware detection on Linux web servers, it is already at a pre-release version in use at work and it has shown phenomenal promise. Right to it, some background… On a daily basis the More >

The Way Forward

about 10 months ago - No comments

It is hard to believe the year is almost done and gone already, it has been busy for me with some life drama earlier in the year then a couple of larger projects keeping me on my toes since then. During the last few weeks I have taken the time to draft a solid road More >

“oops” Wrong Server!

about 1 year ago - No comments

So this past weekend, I did the unthinkable, I accidentally recycled the wrong dedicated server at work. Usually, this is not much of an issue (not that I make a habit of it) with the continuous data protection we have implemented at the data center (cdp r1soft) except that the backup server this particular client More >