FreeBSD Security Advisory FreeBSD-SA-15:10.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:10.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2015-06-12
Affects:        All supported versions of FreeBSD.
Corrected:      2015-06-11 19:07:45 UTC (stable/10, 10.1-STABLE)
                2015-06-12 07:23:55 UTC (releng/10.1, 10.1-RELEASE-p12)
                2015-06-11 19:39:27 UTC (stable/9, 9.3-STABLE)
                2015-06-12 07:23:55 UTC (releng/9.3, 9.3-RELEASE-p16)
                2015-06-11 19:39:27 UTC (stable/8, 8.4-STABLE)
                2015-06-12 07:23:55 UTC (releng/8.4, 8.4-RELEASE-p30)
CVE Name:       CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791,
                CVE-2015-1792, CVE-2015-4000

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A vulnerability in the TLS protocol allows a man-in-the-middle attacker to
downgrade vulnerable TLS connections using ephemeral Diffie-Hellman key
exchange to 512-bit export-grade cryptography.  This vulnerability is also
known as Logjam.  [CVE-2015-4000]

When processing an ECParameters structure OpenSSL enters an infinite loop
if the curve specified is over a specially malformed binary polynomial
field.  [CVE-2015-1788]

X509_cmp_time does not properly check the length of the ASN1_TIME string
and can read a few bytes out of bounds.  In addition, X509_cmp_time accepts
an arbitrary number of fractional seconds in the time string.
[CVE-2015-1789]

The PKCS#7 parsing code does not handle missing inner EncryptedContent
correctly.  [CVE-2015-1790]

When verifying a signedData message the CMS code can enter an infinite
loop if presented with an unknown hash function OID.  [CVE-2015-1792]

If a NewSessionTicket is received by a multi-threaded client when
attempting to reuse a previous ticket then a race condition can occur,
potentially leading to a double free of the ticket data.  [CVE-2015-1791]

The OpenSSL advisory also describes a problem that is identified as
CVE-2014-8176, which is already fixed by an earlier FreeBSD Errata Notice,
FreeBSD-EN-15:02.openssl.

III. Impact

A man-in-the-middle attacker may be able to downgrade vulnerable TLS
connections using ephemeral Diffie-Hellman key exchange to 512-bit
export-grade cryptography.  [CVE-2015-4000]  On FreeBSD 10.1, the patch
contains a countermeasure for clients: handshakes that offer DH parameters
shorter than 768 bits are rejected.

An attacker who is able to use a certificate to authenticate with a remote
system can perform denial of service against any system which processes
public keys, certificate requests or certificates.  [CVE-2015-1788]  This
affects FreeBSD 10.1 only, as the problem has not existed in the OpenSSL
0.9.8 series since July 2012.

An attacker can exploit CVE-2015-1789 by using specifically crafted
certificates and CRLs of various sizes and potentially cause a segmentation
fault, resulting in a DoS on applications that verify certificates or CRLs.

An attacker who can supply specifically crafted, malformed ASN.1-encoded
PKCS#7 blobs with missing content can trigger a NULL pointer dereference on
parsing.  [CVE-2015-1790]  Applications that decrypt PKCS#7 data or
otherwise parse PKCS#7 structures from untrusted sources are affected.
OpenSSL clients and servers are not affected.

An attacker can perform denial of service against any system which verifies
signedData messages using the CMS code.  [CVE-2015-1792]

An attacker may be able to crash multi-threaded applications that support
resumed TLS handshakes.  [CVE-2015-1791]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached
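The Logjam countermeasure described above is a size check on the DH parameters a server sends in its ServerKeyExchange message. The following is an added example, not code from the FreeBSD advisory or from OpenSSL: it parses the ServerDHParams encoding (RFC 5246 section 7.4.3), applies the 768-bit floor the SA-15:10 patch adds on FreeBSD 10.1, and contrasts it with the 2048-bit floor a client should enforce in practice. The helper fake_prime() only produces numbers of the right size for the length checks; it does not generate real primes, and all messages are constructed here.

```python
# Added example (not part of the FreeBSD advisory or OpenSSL): parse the
# ServerDHParams body of a TLS ServerKeyExchange message and apply the
# client-side minimum-size check that the SA-15:10 patch adds for FreeBSD 10.1
# (reject p shorter than 768 bits), next to the floor a client should really
# enforce today.  Sample messages are constructed below.
import secrets
import struct

FREEBSD_10_1_MIN_BITS = 768   # floor enforced by the SA-15:10 countermeasure
RECOMMENDED_MIN_BITS = 2048   # what a client should require in practice


def _read_opaque16(buf, off):
    """Read a <1..2^16-1> length-prefixed field; raise on truncation."""
    if off + 2 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from("!H", buf, off)
    off += 2
    if n == 0 or off + n > len(buf):
        raise ValueError("truncated or empty field")
    return buf[off:off + n], off + n


def parse_server_dh_params(body):
    """Return (p, g, Ys) as ints from a ServerDHParams encoding (RFC 5246 7.4.3)."""
    p_bytes, off = _read_opaque16(body, 0)
    g_bytes, off = _read_opaque16(body, off)
    ys_bytes, off = _read_opaque16(body, off)
    # Anything after Ys is the signature over the params; not inspected here.
    return (int.from_bytes(p_bytes, "big"),
            int.from_bytes(g_bytes, "big"),
            int.from_bytes(ys_bytes, "big"))


def check_dh_params(p, g, ys, min_bits=RECOMMENDED_MIN_BITS):
    """Return None if acceptable, else a string saying why the handshake must abort."""
    bits = p.bit_length()
    if bits < min_bits:
        return "DH prime is %d bits, below the %d-bit minimum" % (bits, min_bits)
    if p % 2 == 0:
        return "DH prime is even"
    if not 1 < g < p - 1:
        return "DH generator out of range"
    if not 1 < ys < p - 1:
        return "server public value out of range"
    return None


def encode_server_dh_params(p, g, ys):
    """Build a ServerDHParams body; used here only to construct inputs."""
    out = b""
    for v in (p, g, ys):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        out += struct.pack("!H", len(b)) + b
    return out


def fake_prime(bits):
    """Odd number with the top bit set.  NOT prime; enough for size checks."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1


def logjam_verdict(body, min_bits=RECOMMENDED_MIN_BITS):
    """Parse a ServerDHParams body and return (accepted, reason)."""
    try:
        p, g, ys = parse_server_dh_params(body)
    except ValueError as e:
        return False, "malformed ServerKeyExchange: %s" % e
    why = check_dh_params(p, g, ys, min_bits)
    return (why is None), (why or "ok")


if __name__ == "__main__":
    for bits in (512, 1024, 2048):
        body = encode_server_dh_params(fake_prime(bits), 2, fake_prime(bits - 1))
        print(bits, logjam_verdict(body, FREEBSD_10_1_MIN_BITS), logjam_verdict(body))
```

A 512-bit export-grade group fails both floors; a 1024-bit group passes the 768-bit countermeasure but not the 2048-bit floor, which is why the patch alone should not be read as making 1024-bit DHE acceptable.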
FreeBSD Security Advisory FreeBSD-SA-15:08.bsdinstall
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:08.bsdinstall                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Insecure default GELI keyfile permissions

Category:       core
Module:         bsdinstall
Announced:      2015-04-07
Credits:        Pierre Kim
Affects:        FreeBSD 10.1.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
CVE Name:       CVE-2015-1415

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The GEOM ELI class, or geli(8), implements encryption on GEOM providers and
supports various cryptographic encryption and authentication methods as
well as hardware acceleration.  Each geli(8) provider has two key slots,
and each slot holds a copy of its master key encrypted by a keyfile and/or
a passphrase chosen by the system administrator.

The bsdinstall(8) installer has been the default system installer of
FreeBSD since FreeBSD 10.0-RELEASE.

II.  Problem Description

The default permissions that the bsdinstall(8) installer sets on the GELI
keyfile when configuring full disk encrypted ZFS are too open.

III. Impact

A local attacker may be able to get a copy of the geli(8) provider's
keyfile, which is located at a fixed location.

IV.  Solution

Note well: due to the nature of this issue, there is no way to fix this
issue for already installed systems without human intervention.  System
administrators are advised to assume that the keyfile has already been
leaked and that a new keyfile is necessary.

The system administrator can create a new keyfile with the correct
permissions, and change the key slot that holds the master key encrypted
with the old keyfile.  For example, if the GELI provider is /dev/ada0p3,
the system administrator can do the following:

# umask 077
# dd if=/dev/random of=/boot/encryption.key.new bs=4096 count=1
# umask 022
# geli setkey -K /boot/encryption.key.new /dev/ada0p3
Enter new passphrase:
Reenter new passphrase:
(Repeat the geli setkey command if multiple providers are used)
# mv /boot/encryption.key.new /boot/encryption.key
# ls -l /boot/encryption.key

Make sure that the new /boot/encryption.key can only be read by root.
Note that "umask 022" above restores the usual default; if your shell was
using a different umask before, restore that value instead.

The changes committed to the FreeBSD stable and security (releng) branches
are mainly intended for system integrators who build their own
installation images for new installations.

V.   Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VI.  References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1415>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:08.bsdinstall.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD4CAAoJEO1n7NZdz2rntF0P/0vVZ6W5xpIAm5K7eS184GaJ
TuQ0E5XdqH1i6smYxAwUHtINFmAJ11cv+KwAbwFwazdB9jy4def6kwBZ/PE1y1M9
OGi/JD3RghL0RrrrIzADVz5Z4Hi401BmLN7aOW9REX75/o82XqGXTRlDmow5z22D
/B4NRNQ0p6cwmwh179HHuJPgQsDmL3mBkgn4oMv1036q9VjP5V/b+i2Ja/I6oCa/
ZJhdEg17P9ek6GBna/fV7yo1Cr+A7v9aSUFcN9E8VqoWGn06jO0sLjWCC9Lrc6sZ
KAgFbxNuPW/eZOE447DIu9jrgE8xxBFn6skeW81jsPsT4FsF/7KWG+dxBOa9XxOH
XQTzc9sx3tsRVUzEBUGHRpPh/ZbkqtqQ5MYrAYk66NJ1NFqbrhY08mqzOd4+Sr7a
CUMV/1vD0pCRME8bgIVupKciIw9y6QYWo2Gm+BJIqAw7L8EaEhaN7nnBxDbRehlj
PdRYxHO4aQLIxdaV4dtDx3SX+njRxyVP/0OOSVQz1laiKadsRO2YQe+IhVoFhU5v
fLSoBI+8mX8Sc65UasqsuNXC3G2c6XXKkLBCYzmL90R2pwPtxbQRTDVGMmG9fyyc
b4w+yindLcwKXxKJryQWswAbv6hBQunAoCaVsqiIdF2N9Psrlr3FhkU//JbvrxA1
COcciZEksTS0JwEpOGi5
=wg1b
-----END PGP SIGNATURE-----
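The keyfile rotation above relies on the administrator getting the permissions right by hand and then checking with ls -l. The following is an added example, not part of the advisory or of bsdinstall: it creates the replacement keyfile with mode 0600 from the instant it exists (O_EXCL plus an explicit mode, so the caller's umask does not matter and an existing file is never overwritten), and audits a keyfile for the conditions the advisory's ls -l step is meant to catch. The geli setkey and mv steps are still run as shown above; the paths are parameters and the scratch-directory self-check is only for demonstration.

```python
# Added example (not part of the advisory or of bsdinstall): create a
# replacement GELI keyfile that is never readable by anyone but its owner,
# and audit an existing keyfile the way the advisory's "ls -l" step intends.
# The geli(8) setkey step is not wrapped here; run it as the advisory shows.
import os
import stat
import tempfile

KEYFILE_SIZE = 4096  # matches the advisory's dd bs=4096 count=1


def audit_keyfile(path):
    """Return a list of problems; an empty list means the keyfile looks private."""
    problems = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append("is a symlink")
        return problems
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %o grants access to group or others"
                        % stat.S_IMODE(st.st_mode))
    if st.st_uid != 0:
        problems.append("owned by uid %d, not root" % st.st_uid)
    if st.st_size != KEYFILE_SIZE:
        problems.append("size %d, expected %d" % (st.st_size, KEYFILE_SIZE))
    return problems


def mode_problems(path):
    """Only the permission finding, for callers that already know the owner."""
    return [p for p in audit_keyfile(path) if p.startswith("mode")]


def write_keyfile(path, size=KEYFILE_SIZE):
    """Create PATH with mode 0600 atomically; refuse to overwrite an existing file.

    O_EXCL with an explicit 0600 mode means the permissions are correct from
    the first instant the file exists, independent of the caller's umask.
    Returns the audit findings for the new file.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(os.urandom(size))   # on FreeBSD /dev/urandom is /dev/random
            f.flush()
            os.fsync(f.fileno())
    except BaseException:
        os.unlink(path)
        raise
    return audit_keyfile(path)


def self_check():
    """Exercise the functions in a scratch directory; returns the findings."""
    with tempfile.TemporaryDirectory() as d:
        new = os.path.join(d, "encryption.key.new")
        write_keyfile(new)
        try:
            write_keyfile(new)
            duplicate_refused = False
        except FileExistsError:
            duplicate_refused = True
        loose = os.path.join(d, "loose.key")   # constructed: a world-readable keyfile
        with open(loose, "wb") as f:
            f.write(b"\x00" * KEYFILE_SIZE)
        os.chmod(loose, 0o644)
        link = os.path.join(d, "link.key")
        os.symlink(new, link)
        return {
            "new_mode_ok": not mode_problems(new),
            "new_size": os.path.getsize(new),
            "duplicate_refused": duplicate_refused,
            "loose_mode_ok": not mode_problems(loose),
            "symlink_flagged": "is a symlink" in audit_keyfile(link),
        }


if __name__ == "__main__":
    print(self_check())
```

Run audit_keyfile("/boot/encryption.key") after the mv step; an owner finding other than root, any group/other bits, or a symlink at that path means the rotation is not finished.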
FreeBSD Security Advisory FreeBSD-SA-15:07.ntp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:07.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in ntp

Category:       contrib
Module:         ntp
Announced:      2015-04-07
Credits:        Network Time Foundation
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2014-9297, CVE-2015-1798, CVE-2015-1799

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

The vallen packet value is not validated in several code paths in
ntp_crypto.c.  [CVE-2014-9297]

When ntpd(8) is configured to use a symmetric key to authenticate a remote
NTP server/peer, it checks if the NTP message authentication code (MAC) in
received packets is valid, but not that there actually is any MAC included,
and packets without a MAC are accepted as if they had a valid MAC.
[CVE-2015-1798]

NTP state variables are updated prior to validating the received packets.
[CVE-2015-1799]

III. Impact

A remote attacker who can send specifically crafted packets may be able to
reveal memory contents of ntpd(8) or cause it to crash, when ntpd(8) is
configured to use autokey.  [CVE-2014-9297]

A man-in-the-middle (MITM) attacker can send specially forged packets that
would be accepted by the client/peer without having to know the symmetric
key.  [CVE-2015-1798]

An attacker knowing that NTP hosts A and B are peering with each other
(symmetric association) can periodically send a specially crafted or
replayed packet which will break the synchronization between the two peers
due to transmit timestamp mismatch, preventing the two nodes from
synchronizing with each other, even when authentication is enabled.
[CVE-2015-1799]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:07/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
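The CVE-2015-1798 flaw is a missing branch rather than a broken one: the receiver validated a MAC when present but treated "no MAC at all" as success. The following is an added example, not ntpd's code, of the decision a symmetric-key-authenticated association has to make on every received packet. It covers the classic MD5 scheme only (MAC = key ID followed by MD5 over key || 48-byte header) and assumes packets without extension fields; the packets and the key table are constructed for the demonstration.

```python
# Added example (not ntpd's code): the message-authentication decision that
# CVE-2015-1798 describes ntpd as getting wrong.  A receiver configured with
# a symmetric key must reject a packet that carries *no* MAC, not just one
# with a bad MAC.  Packets and keys are constructed below; only MD5 keys are
# handled and extension fields are assumed absent.
import hashlib
import hmac
import struct

HEADER_LEN = 48          # fixed NTP header, RFC 5905
MD5_MAC_LEN = 4 + 16     # 32-bit key ID followed by the 16-byte digest


def compute_mac(key_id, key, header):
    """MAC = keyid || MD5(key || header), as the NTP MD5 scheme defines it."""
    digest = hashlib.md5(key + header).digest()
    return struct.pack("!I", key_id) + digest


def verify_packet(pkt, trusted_keys):
    """Return (accepted, reason).  trusted_keys maps key_id -> key bytes.

    The behaviour fixed by SA-15:07 was to treat the 'no MAC present'
    case as if the MAC had verified.
    """
    if len(pkt) < HEADER_LEN:
        return False, "short packet"
    if len(pkt) == HEADER_LEN:
        # The CVE-2015-1798 case: no MAC at all while one is required.
        return False, "unauthenticated packet on an authenticated association"
    if len(pkt) != HEADER_LEN + MD5_MAC_LEN:
        # Extension fields and other digests are out of scope here; be strict.
        return False, "unexpected MAC length %d" % (len(pkt) - HEADER_LEN)
    header, mac = pkt[:HEADER_LEN], pkt[HEADER_LEN:]
    (key_id,) = struct.unpack("!I", mac[:4])
    key = trusted_keys.get(key_id)
    if key is None:
        return False, "untrusted key id %d" % key_id
    expected = compute_mac(key_id, key, header)
    if not hmac.compare_digest(mac, expected):
        return False, "bad MAC"
    return True, "ok"


def build_header(mode=3, version=4, stratum=0):
    """Minimal NTP header for a client request; timestamps zeroed (constructed)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


if __name__ == "__main__":
    keys = {1: b"example-md5-key"}          # hypothetical key table
    hdr = build_header()
    print(verify_packet(hdr, keys))                          # rejected: no MAC
    print(verify_packet(hdr + compute_mac(1, keys[1], hdr), keys))  # ok
```

The length test comes first on purpose: a packet that is exactly one header long carries nothing to verify, and on an association with a configured key that must be a rejection, not a pass-through.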
FreeBSD Security Advisory FreeBSD-SA-15:04.igmp [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:04.igmp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in IGMP protocol

Category:       core
Module:         igmp
Announced:      2015-02-25; Last revised on 2015-04-07
Credits:        Mateusz Kocielski, Logicaltrust, Marek Kroemeke, and
                22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2015-1414

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2015-02-25  Initial release.
v1.1  2015-04-07  Revised patch to address a potential overflow issue.

I.   Background

IGMP is a control plane protocol used by IPv4 hosts and routers to
propagate multicast group membership information.  IGMP version 3 is
implemented on FreeBSD.

II.  Problem Description

An integer overflow in computing the size of the IGMPv3 data buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An attacker who can send specifically crafted IGMP packets could cause a
denial of service situation by causing the kernel to crash.

IV.  Workaround

Block incoming IGMP packets by protecting your host/networks with a
firewall.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp-errata.patch.asc
# gpg --verify igmp-errata.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1414>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.2 (FreeBSD)

iQIcBAEBCgAGBQJVJD39AAoJEO1n7NZdz2rnewwQAN9xI01nzOO71Q7qP7xDq+wu
RW2C+2A4viIZIId1od6GiDY7Qpigy1CMwHsae6qJ62R+D5F2x9vANV4U6AS44oNy
2jDwbrByM7QQ3qeCh8NzCUvOwPuXyKsAGKV73t3QPk0leKdbqUyjTooWJtZAv0dN
VgQ4VCQh+2ZlxjMT0igUScmCVqOncRUm33xKBLeTif5LZHi/afkR6CToMlACOvl3
syJNhEeM+zYU9XLzb90hAjvqn1xLDkoS4qJNbrekj0/dI0jkgZdk18QAualwWgeZ
FreeBSD Security Advisory FreeBSD-SA-15:09.ipv6
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:09.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of Service with IPv6 Router Advertisements

Category:       core
Module:         ipv6
Announced:      2015-04-07
Credits:        Dennis Ljungmark
Affects:        All supported versions of FreeBSD.
Corrected:      2015-04-07 20:20:24 UTC (stable/10, 10.1-STABLE)
                2015-04-07 20:21:01 UTC (releng/10.1, 10.1-RELEASE-p9)
                2015-04-07 20:20:44 UTC (stable/9, 9.3-STABLE)
                2015-04-07 20:21:23 UTC (releng/9.3, 9.3-RELEASE-p13)
                2015-04-07 20:20:44 UTC (stable/8, 8.4-STABLE)
                2015-04-07 20:21:23 UTC (releng/8.4, 8.4-RELEASE-p27)
CVE Name:       CVE-2015-2923

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability
information.  Routers advertise their presence together with various link
and Internet parameters either periodically, or in response to a Router
Solicitation message, using Router Advertisement (ICMPv6 type 134).

II.  Problem Description

The Neighbor Discovery Protocol allows a local router to advertise a
suggested Current Hop Limit value for a link, which will replace the
Current Hop Limit on the interface connected to that link on the FreeBSD
system.

III. Impact

When the Current Hop Limit (similar to IPv4's TTL) is small, IPv6 packets
may get dropped before they reach their destinations.  By sending
specifically crafted Router Advertisement packets, an attacker on the local
network can cause the FreeBSD system to lose the ability to communicate
with another IPv6 node on a different network.

IV.  Workaround

Only systems that are manually configured to use the accept_rtadv
ifconfig(8) flag on an interface are affected.

The system administrator may decide to disable acceptance of Router
Advertisements from an untrusted network on a per-interface basis, by
removing the accept_rtadv flag at run time using ifconfig(8):

# ifconfig em0 inet6 -accept_rtadv

Note that an interface does not accept Router Advertisement messages by
default even if an IPv6 address is configured.  One can tell whether an
interface is accepting Router Advertisement messages from the presence of
ACCEPT_RTADV in the "nd6 options" line of ifconfig(8) output:

	nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch
# fetch https://security.FreeBSD.org/patches/SA-15:09/ipv6.patch.asc
# gpg --verify ipv6.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r281231
releng/8.4/                                                       r281233
stable/9/                                                         r281231
releng/9.3/                                                       r281233
stable/10/                                                        r281230
releng/10.1/                                                      r281232
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

URL:https
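The workaround above depends on knowing which interfaces carry ACCEPT_RTADV, and the impact depends on the Cur Hop Limit field of the offending Router Advertisement. The following is an added example, not FreeBSD code: accept_rtadv_interfaces() reads the "nd6 options=" lines that ifconfig(8) prints and reports which interfaces accept RAs, and parse_router_advertisement() decodes the fixed part of an ICMPv6 type 134 message (RFC 4861 section 4.2) so a captured RA can be checked for the hop limit it would impose. The ifconfig text, the RA bytes and the 32-hop threshold used by hop_limit_is_crippling() are constructed assumptions for the demonstration; the ICMPv6 checksum is not validated.

```python
# Added example (not FreeBSD code): two checks against the conditions in
# SA-15:09.  accept_rtadv_interfaces() parses ifconfig(8) output for the
# ACCEPT_RTADV nd6 option; parse_router_advertisement() decodes the fixed
# part of an ICMPv6 Router Advertisement so the Cur Hop Limit can be seen.
# The ifconfig text and RA bytes below are constructed samples.
import re
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
ND6_OPTIONS_RE = re.compile(r"nd6 options=[0-9a-fA-F]+<([^>]*)>")

# Constructed ifconfig(8) output: em0 accepts RAs (0x23 includes the 0x2 bit),
# em1 and lo0 do not (0x21 = PERFORMNUD | AUTO_LINKLOCAL).
SAMPLE_IFCONFIG = """\
em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tinet6 fe80::1%em0 prefixlen 64 scopeid 0x1
\tnd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
em1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
\tnd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
"""


def accept_rtadv_interfaces(ifconfig_output):
    """Map interface name -> True if ACCEPT_RTADV is set on it."""
    result = {}
    current = None
    for line in ifconfig_output.splitlines():
        if line and not line[0].isspace():       # "em0: flags=..." starts a block
            current = line.split(":", 1)[0]
            result[current] = False
        m = ND6_OPTIONS_RE.search(line)
        if m and current is not None:
            result[current] = "ACCEPT_RTADV" in m.group(1).split(",")
    return result


def disable_rtadv_commands(ifconfig_output):
    """The per-interface ifconfig(8) command from the advisory, for each affected interface."""
    return ["ifconfig %s inet6 -accept_rtadv" % ifn
            for ifn, accepts in accept_rtadv_interfaces(ifconfig_output).items()
            if accepts]


def parse_router_advertisement(icmp6):
    """Decode the fixed part of an RA; returns a dict, or None if this is not an RA."""
    if len(icmp6) < 16:
        return None
    typ, code, _cksum, cur_hop_limit, flags, router_lifetime, reachable, retrans = \
        struct.unpack("!BBHBBHII", icmp6[:16])
    if typ != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        return None
    return {
        "cur_hop_limit": cur_hop_limit,      # 0 means "unspecified by this router"
        "managed": bool(flags & 0x80),
        "other": bool(flags & 0x40),
        "router_lifetime": router_lifetime,
        "reachable_time": reachable,
        "retrans_timer": retrans,
    }


def hop_limit_is_crippling(ra, floor=32):
    """True if the RA carries a non-zero hop limit so low that off-link traffic
    is likely to be dropped.  The 32-hop floor is an assumption for this example."""
    return ra is not None and 0 < ra["cur_hop_limit"] < floor


def build_ra(cur_hop_limit, router_lifetime=1800):
    """Constructed RA (checksum left 0) with a source link-layer address option."""
    fixed = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                        cur_hop_limit, 0, router_lifetime, 0, 0)
    sllao = struct.pack("!BB", 1, 1) + bytes.fromhex("0200c0ffee01")  # hypothetical MAC
    return fixed + sllao


if __name__ == "__main__":
    print(accept_rtadv_interfaces(SAMPLE_IFCONFIG))
    print(disable_rtadv_commands(SAMPLE_IFCONFIG))
    print(parse_router_advertisement(build_ra(1)))
```

A hop limit of 1 in an RA is the shape of the attack described in section III: every packet the host emits to an off-link destination expires at the first router. A value of 0 is not an attack; RFC 4861 defines it as "not specified".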
FreeBSD Security Advisory FreeBSD-SA-15:06.openssl [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:06.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2015-03-19; Last revised on 2015-03-20.
Affects:        All supported versions of FreeBSD.
Corrected:      2015-03-20 07:11:20 UTC (stable/10, 10.1-STABLE)
                2015-03-20 07:12:02 UTC (releng/10.1, 10.1-RELEASE-p8)
                2015-03-20 07:11:20 UTC (stable/9, 9.3-STABLE)
                2015-03-20 07:12:02 UTC (releng/9.3, 9.3-RELEASE-p12)
                2015-03-20 07:11:20 UTC (stable/8, 8.4-STABLE)
                2015-03-20 07:12:02 UTC (releng/8.4, 8.4-RELEASE-p26)
CVE Name:       CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
                CVE-2015-0289, CVE-2015-0293

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2015-03-19  Initial release.
v1.1  2015-03-20  Reverted a portion of the change that did not belong in
                  the advisory and did not end up in the final OpenSSL
                  release.  The patch is also revised to include fixes for
                  CVE-2015-0209 and CVE-2015-0288.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

Abstract Syntax Notation One (ASN.1) is a standard and notation that
describes rules and structures for representing, encoding, transmitting,
and decoding data in telecommunications and computer networking, which
enables representation of objects that are independent of machine-specific
encoding techniques.

II.  Problem Description

A malformed elliptic curve private key file could cause a use-after-free
condition in the d2i_ECPrivateKey function.  [CVE-2015-0209]

An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp
function to crash with an invalid read.  [CVE-2015-0286]

Reusing a structure in ASN.1 parsing may allow an attacker to cause memory
corruption via an invalid write.  [CVE-2015-0287]

The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid.  [CVE-2015-0288]

The PKCS#7 parsing code does not handle missing outer ContentInfo
correctly.  [CVE-2015-0289]

A malicious client can trigger an OPENSSL_assert in servers that both
support SSLv2 and enable export cipher suites by sending a specially
crafted SSLv2 CLIENT-MASTER-KEY message.  [CVE-2015-0293]

III. Impact

A malformed elliptic curve private key file can cause server daemons using
OpenSSL to crash, resulting in a Denial of Service.  [CVE-2015-0209]

A remote attacker who is able to send specifically crafted certificates may
be able to crash an OpenSSL client or server.  [CVE-2015-0286]

An attacker who can cause invalid writes in applications that parse
structures containing CHOICE or ANY DEFINED BY components, and that reuse
those structures, may be able to crash them.  Such reuse is believed to be
rare.  OpenSSL clients and servers are not affected.  [CVE-2015-0287]

An attacker may be able to crash applications that create a new certificate
request with the same subject name as an existing, specifically crafted
certificate.  This usage is rare in practice.  [CVE-2015-0288]

An attacker may be able to crash applications that verify PKCS#7
signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures with
specifically crafted certificates.  [CVE-2015-0289]

A malicious client can trigger an OPENSSL_assert in servers that both
support SSLv2 and enable export cipher suites by sending a carefully
crafted SSLv2 CLIENT-MASTER-KEY message, resulting in a Denial of Service.
[CVE-2015-0293]

Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and
CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and
FreeBSD-EN-15:02.openssl.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified
FreeBSD Security Advisory FreeBSD-SA-15:06.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:06.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple OpenSSL vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2015-03-19
Affects:        All supported versions of FreeBSD.
Corrected:      2015-03-19 17:40:43 UTC (stable/10, 10.1-STABLE)
                2015-03-19 17:42:38 UTC (releng/10.1, 10.1-RELEASE-p7)
                2015-03-19 17:40:43 UTC (stable/9, 9.3-STABLE)
                2015-03-19 17:42:38 UTC (releng/9.3, 9.3-RELEASE-p11)
                2015-03-19 17:40:43 UTC (stable/8, 8.4-STABLE)
                2015-03-19 17:42:38 UTC (releng/8.4, 8.4-RELEASE-p25)
CVE Name:       CVE-2015-0209, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288,
                CVE-2015-0289, CVE-2015-0293

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

Abstract Syntax Notation One (ASN.1) is a standard and notation that
describes rules and structures for representing, encoding, transmitting,
and decoding data in telecommunications and computer networking, which
enables representation of objects that are independent of machine-specific
encoding techniques.

II.  Problem Description

A malformed elliptic curve private key file could cause a use-after-free
condition in the d2i_ECPrivateKey function.  [CVE-2015-0209]

An attempt to compare ASN.1 boolean types will cause the ASN1_TYPE_cmp
function to crash with an invalid read.  [CVE-2015-0286]

Reusing a structure in ASN.1 parsing may allow an attacker to cause memory
corruption via an invalid write.  [CVE-2015-0287]

The function X509_to_X509_REQ will crash with a NULL pointer dereference if
the certificate key is invalid.  [CVE-2015-0288]

The PKCS#7 parsing code does not handle missing outer ContentInfo
correctly.  [CVE-2015-0289]

A malicious client can trigger an OPENSSL_assert in servers that both
support SSLv2 and enable export cipher suites by sending a specially
crafted SSLv2 CLIENT-MASTER-KEY message.  [CVE-2015-0293]

III. Impact

A malformed elliptic curve private key file can cause server daemons using
OpenSSL to crash, resulting in a Denial of Service.  [CVE-2015-0209]

A remote attacker who is able to send specifically crafted certificates may
be able to crash an OpenSSL client or server.  [CVE-2015-0286]

An attacker who can cause invalid writes in applications that parse
structures containing CHOICE or ANY DEFINED BY components, and that reuse
those structures, may be able to crash them.  Such reuse is believed to be
rare.  OpenSSL clients and servers are not affected.  [CVE-2015-0287]

An attacker may be able to crash applications that create a new certificate
request with the same subject name as an existing, specifically crafted
certificate.  This usage is rare in practice.  [CVE-2015-0288]

An attacker may be able to crash applications that verify PKCS#7
signatures, decrypt PKCS#7 data or otherwise parse PKCS#7 structures with
specifically crafted certificates.  [CVE-2015-0289]

A malicious client can trigger an OPENSSL_assert in servers that both
support SSLv2 and enable export cipher suites by sending a carefully
crafted SSLv2 CLIENT-MASTER-KEY message, resulting in a Denial of Service.
[CVE-2015-0293]

Note that two issues in the original OpenSSL advisory, CVE-2015-0204 and
CVE-2015-0292, were already addressed by FreeBSD-SA-15:01.openssl and
FreeBSD-EN-15:02.openssl.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch
# fetch https://security.FreeBSD.org/patches/SA-15:06/openssl-0.9.8.patch.asc
FreeBSD Security Advisory FreeBSD-SA-15:05.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:05.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2015-02-25
Credits:        ISC
Affects:        FreeBSD 8.x and FreeBSD 9.x.
Corrected:      2015-02-18 22:20:19 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-18 22:29:52 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name:       CVE-2015-1349

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

BIND servers which are configured to perform DNSSEC validation and which
are using managed keys (which occurs implicitly when using
"dnssec-validation auto;" or "dnssec-lookaside auto;") may exhibit
unpredictable behavior due to the use of an improperly initialized
variable.

III. Impact

A remote attacker can trigger a crash of a name server that is configured
to use managed keys under specific and limited circumstances. However,
the complexity of the attack is very high unless the attacker has a
specific network relationship to the BIND server which is targeted.

IV.  Workaround

Only systems that run BIND, including recursive resolvers and
authoritative servers, that perform DNSSEC validation and use managed
keys are affected.

This issue can be worked around by not using "auto" for the
dnssec-validation or dnssec-lookaside options and by not configuring a
managed-keys statement. Note that in order to do DNSSEC validation with
this workaround one would have to configure an explicit trusted-keys
statement with the appropriate keys.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch
# fetch https://security.FreeBSD.org/patches/SA-15:05/bind.patch.asc
# gpg --verify bind.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/8/                                                            r278973
releng/8.4/                                                          r279265
stable/9/                                                            r278972
releng/9.3/                                                          r279265
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://kb.isc.org/article/AA-01235>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1349>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:05.bind.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnKkgP/3vUBO8o5ofQFMUYSS1siPxZ
63OeeRlMabEgiWZaQ+V2O7/CPrHDIgJHQABx9kNoiutWD9TC3c5f7Yh4nfaXmbKe
Ncu3EjF1Zw/uGbu3cXjboX0CYnBDYrPNJnzIvSG0UlTY5hEIi3FgN4v2Q3gzuU/2
3aUlFHyZb4GVzK+lA+wD0unOc6+il6LHPpSzwRbLpNxCB2J582HoCuw9i5NfMiOB
KP8axZeNZLMpE90s3H/VD+7UIoe6eOC0kykH/DpuUIUxxlExK9c8f9QurpoCnOrV
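To tell whether a particular named.conf falls under the affected configuration, the sh function below is an added example, not part of the advisory, of BIND or of FreeBSD: it strips comments and reports any of the three triggers the advisory names (dnssec-validation auto, dnssec-lookaside auto, or an explicit managed-keys statement). It assumes //, # and single-line /* */ comment syntax and does not follow include statements, so each included file has to be audited on its own; the two configurations it is run on are constructed for the demonstration, and the trusted-keys entry uses a placeholder rather than a real key.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD/ISC advisory: scan a named.conf
# for the configuration that makes a server affected by CVE-2015-1349.
# Affected = DNSSEC validation with managed keys, which happens when
# "dnssec-validation auto;" or "dnssec-lookaside auto;" is set, or when an
# explicit "managed-keys { ... };" statement exists.
# Assumptions: comments are //, # or single-line /* */ and are stripped
# before matching; "include" statements are not followed.

# Remove comments so a commented-out "dnssec-validation auto;" is not a hit,
# then join lines so a statement split over several lines still matches.
bind_strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' -e 's|/\*[^*]*\*/||g' "$1" | tr '\n' ' '
}

# bind_managed_keys_exposed FILE
#   returns 0 (true) and prints the matching directives if FILE uses
#   managed keys, 1 if it does not.
bind_managed_keys_exposed() {
    hits=$(bind_strip_comments "$1" | grep -oE \
        'dnssec-validation[[:space:]]+auto|dnssec-lookaside[[:space:]]+auto|managed-keys[[:space:]]*\{' \
        || true)
    [ -n "$hits" ] || return 1
    printf '%s\n' "$hits"
    return 0
}

# Constructed sample configurations (not taken from any real host).
vuln=$(mktemp)
safe=$(mktemp)
cat >"$vuln" <<'EOF'
options {
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;   // managed keys are implied by "auto"
};
EOF
cat >"$safe" <<'EOF'
options {
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;    // validate against the explicit anchor below
    // dnssec-lookaside auto;   (disabled as the advisory's workaround)
};
trusted-keys {
    "." 257 3 8 "<root-ksk-base64-placeholder>";
};
EOF

for f in "$vuln" "$safe"; do
    if bind_managed_keys_exposed "$f"; then
        echo "$f: affected, uses managed keys"
    else
        echo "$f: not affected by the managed-keys condition"
    fi
done
rm -f "$vuln" "$safe"
```

The workaround only removes the managed-keys code path; a server switched to an explicit trusted-keys statement keeps validating, but the anchor no longer rolls over automatically (RFC 5011), so it has to be updated by hand when the root KSK changes.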
FreeBSD Security Advisory FreeBSD-SA-15:04.igmp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:04.igmp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Integer overflow in IGMP protocol

Category:       core
Module:         igmp
Announced:      2015-02-25
Credits:        Mateusz Kocielski, Logicaltrust, Marek Kroemeke, and
                22733db72ab3ed94b5f8a1ffcde850251fe6f466
Affects:        All supported versions of FreeBSD.
Corrected:      2015-02-25 05:43:02 UTC (stable/10, 10.1-STABLE)
                2015-02-25 05:56:16 UTC (releng/10.1, 10.1-RELEASE-p6)
                2015-02-25 05:56:16 UTC (releng/10.0, 10.0-RELEASE-p18)
                2015-02-25 05:43:02 UTC (stable/9, 9.3-STABLE)
                2015-02-25 05:56:54 UTC (releng/9.3, 9.3-RELEASE-p10)
                2015-02-25 05:43:02 UTC (stable/8, 8.4-STABLE)
                2015-02-25 05:56:54 UTC (releng/8.4, 8.4-RELEASE-p24)
CVE Name:       CVE-2015-1414

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

IGMP is a control plane protocol used by IPv4 hosts and routers to
propagate multicast group membership information. IGMP version 3 is
implemented on FreeBSD.

II.  Problem Description

An integer overflow in computing the size of IGMPv3 data buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An attacker who can send specifically crafted IGMP packets could cause
a denial of service situation by causing the kernel to crash.

IV.  Workaround

Block incoming IGMP packets by protecting your host/networks with a
firewall.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:04/igmp.patch.asc
# gpg --verify igmp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/8/                                                            r279263
releng/8.4/                                                          r279265
stable/9/                                                            r279263
releng/9.3/                                                          r279265
stable/10/                                                           r279263
releng/10.0/                                                         r279264
releng/10.1/                                                         r279264
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1414>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:04.igmp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJU7WjDAAoJEO1n7NZdz2rnjr8QAL0J0+4lRtPXRyDRX2xFSnzw
sc3OpfmlTiD3pCFkebTYy3/+EK86iAL1ZELqlJe5mm2+pzhCQB13C4/exc0l1U6b
tyiGXxhVi2/4SBrs6n9lmB/YhXkgtqaOQAcNaOD6sVbS1e5cBtjnG86oOq8tQ2qG
c7Dvh3HTp9M5fDJtsI40SIpqy3FcKORBfpjYd8jONfSqMnLM2kM8xzwHSv4/X23e
GlDKHtIi+1ylD/Qu7Z3S7hqXDTSYjZb1QHc7axDFB6X6nj2Rz3aWS2hPPTypFd3T
zTj5DZjgiP7U2LhR40sWW68RYi21yzNUwbe0w5LeDah6Ymc5CDO2ujdm3HDQbQGH
pA9QIOjzpgR64nWLIJfZ7jMxL3rCCaCW3NCB/iRXni2Ib/wt3ZDkJyEk/SF4K82H
72U2u2qVjAsnhmwWK8gksBi9bEXk3TnX778bkrwm4rt1xOjACq8k66LAernoE4tB
DkE0pO4QR+6XwFb5sJMG
FreeBSD Security Advisory FreeBSD-SA-15:02.kmem
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:02.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SCTP SCTP_SS_VALUE kernel memory corruption and disclosure

Category:       core
Module:         sctp
Announced:      2015-01-27
Credits:        Clement LECIGNE from Google Security Team and
                Francisco Falcon from Core Security Technologies
Affects:        All supported versions of FreeBSD.
Corrected:      2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
                2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
                2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
                2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
                2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
                2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
                2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
CVE Name:       CVE-2014-8612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The SCTP protocol provides reliable, flow-controlled, two-way
transmission of data. It is a message oriented protocol and can support
the SOCK_STREAM and SOCK_SEQPACKET abstractions.

SCTP allows the user to choose between multiple scheduling algorithms to
optimize the sending behavior of SCTP in scenarios with different
requirements.

II.  Problem Description

Due to insufficient validation of the SCTP stream ID, which serves as an
array index, a local unprivileged attacker can read or write 16 bits of
kernel memory.

III. Impact

An unprivileged process can read or modify 16 bits of memory which
belongs to the kernel. This may lead to exposure of sensitive
information or allow privilege escalation.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:02/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/8/                                                            r277807
releng/8.4/                                                          r277808
stable/9/                                                            r277807
releng/9.3/                                                          r277808
stable/10/                                                           r277807
releng/10.0/                                                         r277808
releng/10.1/                                                         r277808
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

We would like to acknowledge Clement LECIGNE from Google Security Team
and Francisco Falcon from Core Security Technologies who discovered the
issue independently and reported it to the FreeBSD Security Team.

<URL:http://www.coresecurity.com/content/freebsd-kernel-multiple-vulnerabilities>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8612>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:02.kmem.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJUx
FreeBSD Security Advisory FreeBSD-SA-15:03.sctp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:03.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          SCTP stream reset vulnerability

Category:       core
Module:         sctp
Announced:      2015-01-27
Credits:        Gerasimos Dimitriadis
Affects:        All supported versions of FreeBSD.
Corrected:      2015-01-27 19:36:08 UTC (stable/10, 10.1-STABLE)
                2015-01-27 19:37:02 UTC (releng/10.1, 10.1-RELEASE-p5)
                2015-01-27 19:37:02 UTC (releng/10.0, 10.0-RELEASE-p17)
                2015-01-27 19:36:08 UTC (stable/9, 9.3-STABLE)
                2015-01-27 19:37:02 UTC (releng/9.3, 9.3-RELEASE-p9)
                2015-01-27 19:36:08 UTC (stable/8, 8.4-STABLE)
                2015-01-27 19:37:02 UTC (releng/8.4, 8.4-RELEASE-p23)
CVE Name:       CVE-2014-8613

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The SCTP protocol provides reliable, flow-controlled, two-way
transmission of data. It is a message oriented protocol and can support
the SOCK_STREAM and SOCK_SEQPACKET abstractions.

II.  Problem Description

The input validation of received SCTP RE_CONFIG chunks is insufficient,
and can result in a NULL pointer dereference later.

III. Impact

A remote attacker who can send a malformed SCTP packet to a FreeBSD
system that serves SCTP can cause a kernel panic, resulting in a Denial
of Service.

IV.  Workaround

On FreeBSD 10.1 or later systems, the system administrator can set
net.inet.sctp.reconfig_enable to 0 to disable processing of RE_CONFIG
chunks. This workaround is not available on earlier FreeBSD releases,
but systems that do not serve SCTP connections are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch
# fetch https://security.FreeBSD.org/patches/SA-15:03/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/8/                                                            r277807
releng/8.4/                                                          r277808
stable/9/                                                            r277807
releng/9.3/                                                          r277808
stable/10/                                                           r277807
releng/10.0/                                                         r277808
releng/10.1/                                                         r277808
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8613>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-15:03.sctp.asc>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.1.1 (FreeBSD)

iQIcBAEBCgAGBQJUx+qbAAoJEO1n7NZdz2rnR98QAOWIIf7+akuopMxuVnppZKub
DKCgVAJznitKoxnBtYMAOTcKdf65dQqaAgznAWBRo+USue5LIOI0jjgLuQgepoG6
eIosPiRXqvMQL6Qqx8ydwM3xiVQd+b9pMiLkh3cfljr1Oh6OV+YSRXC+HBKZXaR6
sn5kHRR7xFiwV/HsX4RoSik3qPbDl1x66jeN5jL0Wqg2qjCagK6OxGOtkIlt3pDj
QrYNX/l20hXmvPjRojSEPhY+52X29/nlQjfJg/pwpsmiZJe3cqmfsh1aceUOH1Tu
BOVxwE3oYWrJ8NZBa2cKReU1Sdvl1FxtlaXwkE+sRBzh1/vA7AZU6jWL7fEV1wv0
FreeBSD Security Advisory FreeBSD-SA-15:01.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-15:01.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2015-01-14
Affects:        All supported versions of FreeBSD.
Corrected:      2015-01-09 00:58:20 UTC (stable/10, 10.1-STABLE)
                2015-01-14 21:27:46 UTC (releng/10.1, 10.1-RELEASE-p4)
                2015-01-14 21:27:46 UTC (releng/10.0, 10.0-RELEASE-p16)
                2015-01-09 01:11:43 UTC (stable/9, 9.3-STABLE)
                2015-01-14 21:27:46 UTC (releng/9.3, 9.3-RELEASE-p8)
                2015-01-09 01:11:43 UTC (stable/8, 8.4-STABLE)
                2015-01-14 21:27:46 UTC (releng/8.4, 8.4-RELEASE-p22)
CVE Name:       CVE-2014-3571, CVE-2015-0206, CVE-2014-3569, CVE-2014-3572
                CVE-2015-0204, CVE-2015-0205, CVE-2014-8275, CVE-2014-3570

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

A carefully crafted DTLS message can cause a segmentation fault in
OpenSSL due to a NULL pointer dereference. [CVE-2014-3571]

A memory leak can occur in the dtls1_buffer_record function under
certain conditions. [CVE-2015-0206]

When OpenSSL is built with the no-ssl3 option and a SSL v3 ClientHello
is received the ssl method would be set to NULL which could later result
in a NULL pointer dereference. [CVE-2014-3569] This does not affect
FreeBSD's default build.

An OpenSSL client will accept a handshake using an ephemeral ECDH
ciphersuite using an ECDSA certificate if the server key exchange
message is omitted. [CVE-2014-3572]

An OpenSSL client will accept the use of an RSA temporary key in a
non-export RSA key exchange ciphersuite. [CVE-2015-0204]

An OpenSSL server will accept a DH certificate for client authentication
without the certificate verify message. [CVE-2015-0205]

OpenSSL accepts several non-DER-variations of certificate signature
algorithm and signature encodings. OpenSSL also does not enforce a match
between the signature algorithm between the signed and unsigned portions
of the certificate. [CVE-2014-8275]

Bignum squaring (BN_sqr) may produce incorrect results on some
platforms, including x86_64. [CVE-2014-3570]

III. Impact

An attacker who can send a carefully crafted DTLS message can cause
server daemons that use OpenSSL to crash, resulting in a Denial of
Service. [CVE-2014-3571]

An attacker who can send repeated DTLS records with the same sequence
number but for the next epoch can exhaust the server's memory and result
in a Denial of Service. [CVE-2015-0206]

A server can remove forward secrecy from the ciphersuite. [CVE-2014-3572]

A server could present a weak temporary key and downgrade the security
of the session. [CVE-2015-0204]

A client could authenticate without the use of a private key. This only
affects servers which trust a client certificate authority which issues
certificates containing DH keys, which is extremely rare. [CVE-2015-0205]

By modifying the contents of the signature algorithm or the encoding of
the signature, it is possible to change the certificate's fingerprint.
This does not allow an attacker to forge certificates, and does not
affect certificate verification or OpenSSL servers/clients in any other
way. It also does not affect common revocation mechanisms. Only custom
applications that rely on the uniqueness of the fingerprint (e.g.
certificate blacklists) may be affected. [CVE-2014-8275]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.4 and FreeBSD 9.3]
# fetch https://security.FreeBSD.org/patches/SA-15:01/openssl-9.3.patch
FreeBSD Security Advisory FreeBSD-SA-14:31.ntp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:31.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NTP suite

Category:       contrib
Module:         ntp
Announced:      2014-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2014-12-22 19:07:16 UTC (stable/10, 10.1-STABLE)
                2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
                2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
                2014-12-22 19:08:09 UTC (stable/9, 9.3-STABLE)
                2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
                2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
                2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
                2014-12-22 19:08:09 UTC (stable/8, 8.4-STABLE)
                2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name:       CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

II.  Problem Description

When no authentication key is set in the configuration file, ntpd(8)
would generate a random key that uses a non-linear additive feedback
random number generator seeded with very few bits of entropy.
[CVE-2014-9293]

The ntp-keygen(8) utility is also affected by a similar issue.
[CVE-2014-9294]

When Autokey Authentication is enabled, for example if ntp.conf(5)
contains a 'crypto pw' directive, a remote attacker can send a carefully
crafted packet that can overflow a stack buffer. [CVE-2014-9295]

In ntp_proto.c, the receive() function is missing a return statement in
the case when an error is detected. [CVE-2014-9296]

III. Impact

The NTP protocol uses keys to implement authentication. The weak seeding
of the pseudo-random number generator makes it easier for an attacker to
brute-force keys, and thus broadcast incorrect time stamps or masquerade
as another time server. [CVE-2014-9293, CVE-2014-9294]

An attacker may be able to utilize the buffer overflow to crash the
ntpd(8) daemon or potentially run arbitrary code with the privileges of
the ntpd(8) process, which is typically root. [CVE-2014-9295]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected.

Because the issue may lead to remote root compromise, the FreeBSD
Security Team recommends that system administrators firewall the NTP
ports, namely tcp/123 and udp/123, when it is not clear that all systems
have been patched or have ntpd(8) stopped.

V.   Solution

NOTE WELL: It is advisable to regenerate all keys used for NTP
authentication, if configured.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd(8) daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/8/                                                            r276073
releng/8.4/                                                          r276154
stable/9/                                                            r276073
releng/9.1/                                                          r276155
releng/9.2/                                                          r276156
releng/9.3/                                                          r276157
stable/10
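The advisory's NOTE WELL asks for every NTP authentication key to be regenerated, and ntp-keygen(8) is itself affected (CVE-2014-9294), so on an unpatched host the replacement keys are better drawn straight from the kernel's random device. The sh functions below are an added example, not part of the advisory, of ntp or of FreeBSD; they assume the ntp.keys line format keyno type key with the key written as 40 hexadecimal digits (20 bytes), and that od(1) and /dev/urandom are available.

```shell
#!/bin/sh
# Added example, not part of the FreeBSD advisory: regenerate ntp.keys
# entries from the kernel CSPRNG instead of ntp-keygen(8), whose own
# generator on unpatched systems is seeded with very few bits of entropy
# (CVE-2014-9294); the key ntpd(8) makes up for itself when none is
# configured has the same flaw (CVE-2014-9293).
#
# Assumptions: ntp.keys lines are "keyno type key"; a 20-byte key given as
# 40 hex digits is accepted for both the MD5 and SHA1 key types;
# /dev/urandom and od(1) exist.

# Print one key line: "<keyno> <type> <40 hex digits>"
ntp_gen_key() {
    keyno=$1
    type=${2:-SHA1}
    # 20 bytes from the kernel CSPRNG, rendered as lowercase hex
    hex=$(od -An -tx1 -N20 /dev/urandom | tr -d ' \n')
    printf '%s %s %s\n' "$keyno" "$type" "$hex"
}

# Print a complete keys file with key numbers 1..N, all SHA1.
ntp_gen_keys_file() {
    n=$1
    i=1
    while [ "$i" -le "$n" ]; do
        ntp_gen_key "$i" SHA1
        i=$((i + 1))
    done
}

# Write the file with mode 0600: anyone who can read it can forge
# authenticated time for every peer that shares these keys.
ntp_write_keys_file() {
    out=$1
    n=$2
    ( umask 077; ntp_gen_keys_file "$n" >"$out" )
    chmod 600 "$out"
}

# Demo: two fresh keys on stdout (real use: ntp_write_keys_file /etc/ntp.keys 2)
ntp_gen_keys_file 2
```

Point ntp.conf(5) at the file with `keys /etc/ntp.keys`, list the key numbers that peers may use with `trustedkey`, install the same keys on every peer that authenticates with them, and restart ntpd(8). Regenerating the keys on the patched host alone is not enough if the old keys are still accepted anywhere else, since the weakness was in how they were generated, not in how they are stored.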
FreeBSD Security Advisory FreeBSD-SA-14:30.unbound
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:30.unbound                                    Security Advisory
                                                          The FreeBSD Project

Topic:          unbound remote denial of service vulnerability

Category:       contrib
Module:         unbound
Announced:      2014-12-17
Affects:        FreeBSD 10.0-RELEASE and later
Credits:        Florian Maury (ANSSI)
Corrected:      2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE)
                2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2)
                2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14)
CVE Name:       CVE-2014-8602

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Unbound is a validating, recursive, and caching DNS resolver.

II.  Problem Description

By causing queries to be made against a maliciously-constructed zone or
against a malicious DNS server, an attacker who is able to cause specific
queries to be sent to a nameserver can trick the unbound(8) resolver into
following an endless series of delegations, which consumes a lot of
resources.

III. Impact

Unbound will spend a lot of resources on this query, and this will
impact unbound's CPU and network resources. Unbound may therefore lose
some ability or timeliness for the service of customer queries (a denial
of service). Unbound will continue to respond normally for cached
queries.

IV.  Workaround

No workaround is available, but hosts not running unbound(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.x]
# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch
# fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc
# gpg --verify unbound.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the unbound(8) daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/10/                                                           r275853
releng/10.0/                                                         r275854
releng/10.1/                                                         r275854
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://unbound.net/downloads/CVE-2014-8602.txt>

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8602>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-14:30.unbound.asc>
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY
GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4
oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am
lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM
aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK
sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU
ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX
8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO
WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+
3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6
z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/
9PFQzCA+8snPiCyUhAaC
=fkvr
-----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-14:28.file
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:28.file                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in file(1) and libmagic(3)

Category:       contrib
Module:         file
Announced:      2014-12-10
Affects:        All supported versions of FreeBSD.
Credits:        Thomas Jarosch of Intra2net AG
Corrected:      2014-12-10 08:26:53 UTC (stable/10, 10.1-STABLE)
                2014-12-10 08:35:55 UTC (releng/10.1, 10.1-RELEASE-p1)
                2014-12-10 08:36:07 UTC (releng/10.0, 10.0-RELEASE-p13)
                2014-12-10 08:31:41 UTC (stable/9, 9.3-STABLE)
                2014-12-10 08:36:40 UTC (releng/9.3, 9.3-RELEASE-p6)
                2014-12-10 08:36:40 UTC (releng/9.2, 9.2-RELEASE-p16)
                2014-12-10 08:36:40 UTC (releng/9.1, 9.1-RELEASE-p23)
                2014-12-10 08:31:41 UTC (stable/8, 8.4-STABLE)
                2014-12-10 08:36:40 UTC (releng/8.4, 8.4-RELEASE-p20)
CVE Name:       CVE-2014-3710, CVE-2014-8116, CVE-2014-8117

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The file(1) utility attempts to classify file system objects based on
filesystem, magic number and language tests. The libmagic(3) library
provides most of the functionality of file(1) and may be used by other
applications.

II.  Problem Description

There are a number of denial of service issues in the ELF parser used by
file(1).

III. Impact

An attacker who can cause file(1) or any other application using the
libmagic(3) library to be run on a maliciously constructed input can
cause the application to crash or consume excessive CPU resources,
resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems where file(1) and other
libmagic(3)-using applications are never run on untrusted input are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.1]
# fetch http://security.FreeBSD.org/patches/SA-14:28/file-12.patch
# fetch http://security.FreeBSD.org/patches/SA-14:28/file-12.patch.asc
# gpg --verify file-12.patch.asc

[FreeBSD 9.1, 9.2, 9.3 and 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:28/file-8.patch
# fetch http://security.FreeBSD.org/patches/SA-14:28/file-8.patch.asc
# gpg --verify file-8.patch.asc

[FreeBSD 8.4]
# fetch http://security.FreeBSD.org/patches/SA-14:28/file-7.patch
# fetch http://security.FreeBSD.org/patches/SA-14:28/file-7.patch.asc
# gpg --verify file-7.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                         Revision
- -------------------------------------------------------------------------
stable/8/                                                            r275669
releng/8.4/                                                          r275672
stable/9/                                                            r275669
releng/9.1/                                                          r275672
releng/9.2/                                                          r275672
releng/9.3/                                                          r275672
stable/10/                                                           r275668
releng/10.0/                                                         r275671
releng/10.1/                                                         r275670
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL
FreeBSD Security Advisory FreeBSD-SA-14:29.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:29.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2014-12-10
Credits:        ISC
Affects:        FreeBSD 8.4, 9.1, 9.2 and 9.3.
Corrected:      2014-12-10 08:31:41 UTC (stable/9, 9.3-STABLE)
                2014-12-10 08:36:40 UTC (releng/9.3, 9.3-RELEASE-p6)
                2014-12-10 08:36:40 UTC (releng/9.2, 9.2-RELEASE-p16)
                2014-12-10 08:36:40 UTC (releng/9.1, 9.1-RELEASE-p23)
                2014-12-10 08:31:41 UTC (stable/8, 8.4-STABLE)
                2014-12-10 08:36:40 UTC (releng/8.4, 8.4-RELEASE-p20)
CVE Name:       CVE-2014-8500

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

By causing queries to be made against a maliciously-constructed zone or against a malicious DNS server, an attacker who is able to cause specific queries to be sent to a nameserver can cause named(8) to crash, leading to a denial of service.

All recursive BIND DNS servers are vulnerable to this. Authoritative servers are only vulnerable if the attacker is able to control a delegation traversed by the authoritative server in order to serve the zone.

III. Impact

An attacker who can cause specific queries to be sent to a nameserver could cause named(8) to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but hosts not running named(8) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 9.3-RELEASE and 9.3-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind995.patch
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind995.patch.asc
# gpg --verify bind995.patch.asc

[FreeBSD 9.2-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch.asc
# gpg --verify bind984.patch.asc

[FreeBSD 9.1-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind983.patch
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind983.patch.asc
# gpg --verify bind983.patch.asc

[FreeBSD 8.4-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind987.patch
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind987.patch.asc
# gpg --verify bind987.patch.asc

[FreeBSD 8.4-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch
# fetch http://security.FreeBSD.org/patches/SA-14:29/bind984.patch.asc
# gpg --verify bind984.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/8/                        r275669
releng/8.4/                      r275672
stable/9/                        r275669
releng/9.1/                      r275672
releng/9.2/                      r275672
releng/9.3/                      r275672
- ---------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following
FreeBSD Security Advisory FreeBSD-SA-14:27.stdio
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:27.stdio                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in stdio

Category:       core
Module:         libc
Announced:      2014-12-10
Credits:        Adrian Chadd and Alfred Perlstein, Norse Corporation
Affects:        FreeBSD 10.1
Corrected:      2014-12-10 08:24:02 UTC (stable/10, 10.1-STABLE)
                2014-12-10 08:35:55 UTC (releng/10.1, 10.1-RELEASE-p1)
CVE Name:       CVE-2014-8611

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The standard I/O library provides a simple and efficient buffered stream I/O interface. The library writes buffered data when the buffer is full or when the application explicitly requests it by calling the fflush(3) function.

II.  Problem Description

A programming error in the standard I/O library's __sflush() function could erroneously adjust the buffered stream's internal state even when no write actually occurred, in the case where the write(2) system call returns an error.

III. Impact

The accounting mismatch would accumulate if the caller does not check the stream status, and will eventually lead to a heap buffer overflow. Such overflows may lead to data corruption or the execution of arbitrary code at the privilege level of the calling program.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:27/stdio.patch
# fetch http://security.FreeBSD.org/patches/SA-14:27/stdio.patch.asc
# gpg --verify stdio.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/10/                       r275667
releng/10.1/                     r275670
- ---------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

URL:http://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8611

The latest revision of this advisory is available at URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:27.stdio.asc
FreeBSD Security Advisory FreeBSD-SA-14:24.sshd [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:24.sshd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of service attack against sshd(8)

Category:       contrib
Module:         openssh
Announced:      2014-11-04
Credits:        Konstantin Belousov
Affects:        FreeBSD 9.1, 9.2 and 10.0.
Corrected:      2014-05-04 07:28:26 UTC (stable/10, 10.0-STABLE)
                2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
                2014-05-04 07:57:20 UTC (stable/9, 9.2-STABLE)
                2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
                2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
CVE Name:       CVE-2014-8475

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

0.   Revision History

v1.0  2014-11-04  Initial release.
v1.1  2014-11-06  Corrected Credits which was forgotten in the initial release, and corrected manual patch steps in Solution section.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The sshd(8) daemon is the server side of OpenSSH.

Heimdal is an implementation of Kerberos 5, which provides authentication and single sign-on capability for many network services, including OpenSSH.

II.  Problem Description

Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time.

Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree.

III. Impact

An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections.

An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process.

IV.  Workaround

Possible workarounds include rebuilding sshd with Kerberos support disabled or installing the security/openssh-portable package from the FreeBSD ports tree or an official package repository.

Systems that do not run an OpenSSH server are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch.asc
# gpg --verify sshd.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch

c) Recompile sshd. Execute the following commands as root:

# cd /usr/src/secure/usr.sbin/sshd
# make clean
# make obj
# make depend
# make
# make install

4) Restart the affected service

To restart the affected service after updating the system, either reboot the system or execute the following command as root:

# service sshd restart

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/9/                        r265314
releng/9.1/                      r274112
releng/9.2/                      r274113
stable/10/                       r265313
releng/10.0/                     r274110
- ---------------------------------------

To see which files were modified
FreeBSD Security Advisory FreeBSD-SA-14:26.ftp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:26.ftp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Remote command execution in ftp(1)

Category:       core
Module:         ftp
Announced:      2014-11-04
Credits:        Jared McNeill, Alistair Crooks
Affects:        All supported versions of FreeBSD.
Corrected:      2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE)
                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1)
                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1)
                2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3)
                2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12)
                2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE)
                2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5)
                2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15)
                2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22)
                2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE)
                2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19)
CVE Name:       CVE-2014-8517

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The ftp(1) userland utility is an interactive FTP client. It can also be used non-interactively, by providing a URL on the command line. In this mode, it supports HTTP in addition to FTP.

II.  Problem Description

A malicious HTTP server could cause ftp(1) to execute arbitrary commands.

III. Impact

When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified. If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine.

IV.  Workaround

No workaround is available. Users are encouraged to replace ftp(1) in non-interactive use by either fetch(1) or a third-party client such as curl or wget.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 8]
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch.asc
# gpg --verify ftp-8.patch.asc

[All other versions]
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch.asc
# gpg --verify ftp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile ftp. Execute the following commands as root:

# cd /usr/src/usr.bin/ftp
# make
# make install

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/8/                        r274108
releng/8.4/                      r274111
stable/9/                        r274109
releng/9.1/                      r274112
releng/9.2/                      r274113
releng/9.3/                      r274114
stable/10/                       r274107
releng/10.0/                     r274110
releng/10.1/                     r274115
- ---------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

URL:http://svnweb.freebsd.org/base?view=revision&revision
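The defensive side of the ftp(1) problem above, as an added example that is not code from ftp(1) or from the advisory: derive the output name from the final (redirected) URL exactly as described, then refuse any server-supplied name that would reach popen(3) before anything is opened. The sample URLs and the extra dotfile/control-character policy are constructed for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Derive the local output filename from the final URL the way a client
 * does when no -o is given: the part of the path after the last '/'.
 * The name is server-controlled (it comes from the last redirect), so it
 * is validated before anything is opened. Returns true and fills `out`
 * on success; false means the caller must refuse to write at all.
 * Run this after any percent-decoding the client performs, so the check
 * sees the bytes that would actually reach the open call.
 */
bool derive_output_name(const char *url, char *out, size_t outsz)
{
    /* Ignore query string and fragment when looking for the path. */
    const char *end = strpbrk(url, "?#");
    size_t plen = end ? (size_t)(end - url) : strlen(url);

    /* Component after the last '/' within the path part. */
    const char *name = url;
    for (size_t i = 0; i < plen; i++)
        if (url[i] == '/')
            name = url + i + 1;
    size_t nlen = (size_t)((url + plen) - name);

    if (nlen == 0 || nlen >= outsz)
        return false;                 /* directory URL, or too long */
    if (name[0] == '|')
        return false;                 /* would be handed to popen(3) */
    if (name[0] == '-' || name[0] == '.')
        return false;                 /* "-" (stdout), ".", "..", dotfiles: example policy */
    for (size_t i = 0; i < nlen; i++)
        if ((unsigned char)name[i] < 0x20 || name[i] == 0x7f)
            return false;             /* control characters */

    memcpy(out, name, nlen);
    out[nlen] = '\0';
    return true;
}

/* Open a validated name for writing with fopen(3); popen(3) is never
 * used for a name that came from the server. NULL means "refused". */
FILE *open_output(const char *url)
{
    char name[256];
    if (!derive_output_name(url, name, sizeof name))
        return NULL;
    return fopen(name, "wb");
}

int main(void)
{
    /* Constructed sample URLs; the third is the shape of name the advisory warns about. */
    const char *urls[] = {
        "http://mirror.example/pub/tool-1.0.tar.gz",
        "http://mirror.example/pub/README?raw=1",
        "http://mirror.example/pub/|x",
        "http://mirror.example/pub/",
    };
    char name[256];
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++)
        printf("%-45s -> %s\n", urls[i],
               derive_output_name(urls[i], name, sizeof name) ? name : "(refused)");
    return 0;
}
```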
FreeBSD Security Advisory FreeBSD-SA-14:22.namei
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-14:22.namei                                      Security Advisory
                                                          The FreeBSD Project

Topic:          memory leak in sandboxed namei lookup

Category:       core
Module:         kernel
Announced:      2014-10-21
Credits:        Mateusz Guzik
Affects:        FreeBSD 9.1 and later.
Corrected:      2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
CVE Name:       CVE-2014-3711

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The namei kernel facility is responsible for performing and caching translations from path names to file system objects (vnodes).

Capsicum is a lightweight capability and sandbox framework using a hybrid capability system model. It is often used to create sandboxes for applications that process data from untrusted sources.

II.  Problem Description

The namei facility will leak a small amount of kernel memory every time a sandboxed process looks up a nonexistent path name.

III. Impact

A remote attacker that can cause a sandboxed process (for instance, a web server) to look up a large number of nonexistent path names can cause memory exhaustion.

IV.  Workaround

Systems that do not have Capsicum enabled or do not run services that use Capsicum are not vulnerable.

On systems that have Capsicum compiled into the kernel, it can be disabled by executing the following command as root:

# sysctl kern.features.security_capabilities=0

Services that use Capsicum are usually able to run without it, albeit with reduced security.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-9.patch.asc
# gpg --verify namei-9.patch.asc

[FreeBSD 10.x]
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:22/namei-10.patch.asc
# gpg --verify namei-10.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/9/                        r273412
releng/9.1/                      r273415
releng/9.2/                      r273415
releng/9.3/                      r273415
stable/10/                       r273411
releng/10.0/                     r273415
releng/10.1/                     r273414
- ---------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

URL:http://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3711

The latest revision
FreeBSD Security Advisory FreeBSD-SA-14:20.rtsold
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-14:20.rtsold                                     Security Advisory
                                                          The FreeBSD Project

Topic:          rtsold(8) remote buffer overflow vulnerability

Category:       core
Module:         rtsold
Announced:      2014-10-21
Credits:        Florian Obser, Hiroki Sato
Affects:        FreeBSD 9.1 and later.
Corrected:      2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
CVE Name:       CVE-2014-3954

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

As part of the stateless address autoconfiguration (SLAAC) mechanism, IPv6 routers periodically broadcast router advertisement messages on attached networks to inform hosts of the correct network prefix, router address and MTU, as well as additional network parameters such as the DNS servers (RDNSS), DNS search list (DNSSL) and whether a stateful configuration service is available. Hosts that have recently joined the network can broadcast a router solicitation message to solicit an immediate advertisement instead of waiting for the next periodic advertisement.

The router solicitation daemon, rtsold(8), broadcasts router solicitation messages at startup or when the state of an interface changes from passive to active. Incoming router advertisement messages are first processed by the kernel and then passed on to rtsold(8), which handles the DNS and stateful configuration options.

II.  Problem Description

Due to a missing length check in the code that handles DNS parameters, a malformed router advertisement message can result in a stack buffer overflow in rtsold(8).

III. Impact

Receipt of a router advertisement message with a malformed DNSSL option, for instance from a compromised host on the same network, can cause rtsold(8) to crash.

While it is theoretically possible to inject code into rtsold(8) through malformed router advertisement messages, it is normally compiled with stack protection enabled, rendering such an attack extremely difficult.

When rtsold(8) crashes, the existing DNS configuration will remain in force, and the kernel will continue to receive and process periodic router advertisements.

IV.  Workaround

No workaround is available, but systems that do not run rtsold(8) are not affected.

As a general rule, SLAAC should not be used on networks where trusted and untrusted hosts coexist in the same broadcast domain.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch
# fetch http://security.FreeBSD.org/patches/SA-14:20/rtsold.patch.asc
# gpg --verify rtsold.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/rtsold.patch

c) Recompile rtsold. Execute the following commands as root:

# cd /usr/src/usr.sbin/rtsold
# make
# make install

4) Restart the affected service

To restart the affected service after updating the system, either reboot the system or execute the following command as root:

# service rtsold restart

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/9/                        r273412
releng/9.1/                      r273415
releng/9.2/                      r273415
releng/9.3
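The length checks that the rtsold(8) problem description above says were missing, as an added example that is neither rtsold's code nor the fix: a DNSSL option parser (RFC 6106 layout: type 31, length in 8-octet units, reserved, 32-bit lifetime, then DNS wire-format names padded with zero bytes) that bounds every read by the bytes actually received and every write by the destination buffer. The sample options and the MAX_SEARCH_DOMAINS limit are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ND_OPT_DNSSL        31   /* RFC 6106 DNS Search List option type */
#define DNSSL_HDR_LEN       8    /* type, length, reserved, lifetime */
#define MAX_LABEL_LEN       63   /* DNS label length limit */
#define MAX_DNAME_LEN       255  /* longest decoded name we will store */
#define MAX_SEARCH_DOMAINS  8    /* constructed limit for this example */

struct dnssl_result {
    uint32_t lifetime;
    int ndomains;
    char domains[MAX_SEARCH_DOMAINS][MAX_DNAME_LEN + 1];
};

/*
 * Decode one wire-format name from buf[*off .. len) into out (outsz bytes).
 * Every read is bounded by len and every write by outsz, so a forged
 * label length cannot run past either buffer. 0 on success, -1 if malformed.
 */
static int
decode_dname(const uint8_t *buf, size_t len, size_t *off, char *out, size_t outsz)
{
    size_t o = *off, n = 0;

    for (;;) {
        if (o >= len)
            return -1;                    /* name runs past the option */
        uint8_t lablen = buf[o++];
        if (lablen == 0)
            break;                        /* root label ends the name */
        if (lablen > MAX_LABEL_LEN)
            return -1;                    /* also rejects compression pointers */
        if (o + lablen > len)
            return -1;                    /* label body runs past the option */
        if (n + lablen + (n ? 1 : 0) >= outsz)
            return -1;                    /* label + '.' + NUL must fit */
        if (n)
            out[n++] = '.';
        memcpy(out + n, buf + o, lablen);
        n += lablen;
        o += lablen;
    }
    if (n == 0)
        return -1;                        /* empty name is not a search domain */
    out[n] = '\0';
    *off = o;
    return 0;
}

/*
 * Parse a DNSSL option. optlen is the number of bytes really available
 * (what was received), never the claimed length. Returns the number of
 * domains decoded, or -1 if the option is malformed.
 */
int
parse_dnssl(const uint8_t *opt, size_t optlen, struct dnssl_result *res)
{
    memset(res, 0, sizeof(*res));
    if (optlen < DNSSL_HDR_LEN || opt[0] != ND_OPT_DNSSL)
        return -1;
    size_t claimed = (size_t)opt[1] * 8;
    if (claimed < DNSSL_HDR_LEN || claimed > optlen)
        return -1;                        /* claimed length vs. bytes on hand */
    res->lifetime = ((uint32_t)opt[4] << 24) | ((uint32_t)opt[5] << 16) |
                    ((uint32_t)opt[6] << 8) | opt[7];

    size_t off = DNSSL_HDR_LEN;
    while (off < claimed && opt[off] != 0) {          /* zero byte = padding */
        if (res->ndomains >= MAX_SEARCH_DOMAINS)
            return -1;
        if (decode_dname(opt, claimed, &off,
                         res->domains[res->ndomains], MAX_DNAME_LEN + 1) != 0)
            return -1;
        res->ndomains++;
    }
    return res->ndomains;
}

/* Constructed sample: a DNSSL option carrying "example.com" and "lab.example". */
static const uint8_t sample_dnssl[40] = {
    ND_OPT_DNSSL, 5, 0, 0,                 /* type 31, length 5*8 = 40, reserved */
    0x00, 0x00, 0x0e, 0x10,                /* lifetime 3600 s */
    7, 'e','x','a','m','p','l','e', 3, 'c','o','m', 0,
    3, 'l','a','b', 7, 'e','x','a','m','p','l','e', 0,
    0, 0, 0, 0, 0, 0                       /* zero padding to a multiple of 8 */
};

/* Constructed sample: a label length of 200 that no 16-byte option can hold. */
static const uint8_t bad_dnssl[16] = {
    ND_OPT_DNSSL, 2, 0, 0, 0, 0, 0, 60,
    200, 'e','x','a','m','p','l','e'
};

int main(void)
{
    struct dnssl_result r;
    int n = parse_dnssl(sample_dnssl, sizeof sample_dnssl, &r);
    for (int i = 0; i < n; i++)
        printf("search domain: %s (lifetime %u s)\n", r.domains[i], r.lifetime);
    printf("malformed option -> %d\n", parse_dnssl(bad_dnssl, sizeof bad_dnssl, &r));
    return 0;
}
```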
FreeBSD Security Advisory FreeBSD-SA-14:21.routed
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-14:21.routed                                     Security Advisory
                                                          The FreeBSD Project

Topic:          routed(8) remote denial of service vulnerability

Category:       core
Module:         routed
Announced:      2014-10-21
Credits:        Hiroki Sato
Affects:        All supported versions of FreeBSD.
Corrected:      2014-10-21 20:20:07 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 20:20:36 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-21 20:20:17 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
                2014-10-21 20:20:26 UTC (stable/8, 8.4-STABLE)
                2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17)
CVE Name:       CVE-2014-3955

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The routing information protocol (RIP) is an older routing protocol which, while not as capable as more recent protocols such as OSPF and BGP, is sometimes preferred for its simplicity and therefore still used as an interior gateway protocol on smaller networks. Routers in a RIP network periodically broadcast their routing table on all enabled interfaces. Neighboring routers and hosts receive these broadcasts and update their routing tables accordingly.

The routed(8) daemon is a RIP implementation for FreeBSD. The rtquery(8) utility can be used to send a RIP query to a router and display the result without updating the routing table.

II.  Problem Description

The input path in routed(8) will accept queries from any source and attempt to answer them. However, the output path assumes that the destination address for the response is on a directly connected network.

III. Impact

Upon receipt of a query from a source which is not on a directly connected network, routed(8) will trigger an assertion and terminate. The affected system's routing table will no longer be updated. If the affected system is a router, its routes will eventually expire from other routers' routing tables, and its networks will no longer be reachable unless they are also connected to another router.

IV.  Workaround

Use a packet filter such as pf(4) or ipfw(4) to block incoming UDP packets with destination port 520 that did not originate on the same subnet as the destination address.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch
# fetch http://security.FreeBSD.org/patches/SA-14:21/routed.patch.asc
# gpg --verify routed.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/routed.patch

c) Recompile routed. Execute the following commands as root:

# cd /usr/src/sbin/routed
# make
# make install

4) Restart the affected service

To restart the affected service after updating the system, either reboot the system or execute the following command as root:

# service routed restart

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                      Revision
- ---------------------------------------
stable/8/                        r273413
releng/8.4/                      r273416
stable/9/                        r273412
releng/9.1/                      r273415
releng/9.2/                      r273415
releng/9.3/                      r273415
stable/10
FreeBSD Security Advisory FreeBSD-SA-14:23.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-14:23.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2014-10-21
Affects:        All supported versions of FreeBSD.
Corrected:      2014-10-15 19:59:43 UTC (stable/10, 10.1-PRERELEASE)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC3)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC2-p1)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-RC1-p1)
                2014-10-21 19:00:32 UTC (releng/10.1, 10.1-BETA3-p1)
                2014-10-21 20:21:10 UTC (releng/10.0, 10.0-RELEASE-p10)
                2014-10-15 20:28:31 UTC (stable/9, 9.3-STABLE)
                2014-10-21 20:21:10 UTC (releng/9.3, 9.3-RELEASE-p3)
                2014-10-21 20:21:10 UTC (releng/9.2, 9.2-RELEASE-p13)
                2014-10-21 20:21:10 UTC (releng/9.1, 9.1-RELEASE-p20)
                2014-10-15 20:28:31 UTC (stable/8, 8.4-STABLE)
                2014-10-21 20:21:27 UTC (releng/8.4, 8.4-RELEASE-p17)
CVE Name:       CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II.  Problem Description

A flaw in the DTLS SRTP extension parsing code allows an attacker, who sends a carefully crafted handshake message, to cause OpenSSL to fail to free up to 64k of memory, causing a memory leak. [CVE-2014-3513]

When an OpenSSL SSL/TLS/DTLS server receives a session ticket the integrity of that ticket is first verified. In the event of a session ticket integrity check failing, OpenSSL will fail to free memory, causing a memory leak. [CVE-2014-3567]

The SSL protocol 3.0, as supported in OpenSSL and other products, uses CBC mode encryption in a way that cannot adequately check the integrity of padding, because the CBC padding is non-deterministic. This protocol weakness makes it possible for an attacker to obtain clear text data through a padding-oracle attack. Some client applications (such as browsers) will reconnect using a downgraded protocol to work around interoperability bugs in older servers. This could be exploited by an active man-in-the-middle to downgrade connections to SSL 3.0 even if both sides of the connection support higher protocols. SSL 3.0 contains a number of weaknesses including POODLE. [CVE-2014-3566]

OpenSSL has added support for TLS_FALLBACK_SCSV to allow applications to block the ability for a MITM attacker to force a protocol downgrade.

When OpenSSL is configured with no-ssl3 as a build option, servers could accept and complete a SSL 3.0 handshake, and clients could be configured to send them. [CVE-2014-3568]

III. Impact

A remote attacker can cause Denial of Service with OpenSSL 1.0.1 server implementations for both SSL/TLS and DTLS regardless of whether SRTP is used or configured. [CVE-2014-3513]

By sending a large number of invalid session tickets an attacker could exploit this issue in a Denial Of Service attack. [CVE-2014-3567]

An active man-in-the-middle attacker can force a protocol downgrade to SSLv3 and exploit the weakness of SSLv3 to obtain clear text data from the connection. [CVE-2014-3566] [CVE-2014-3568]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc

[FreeBSD 9.3]
# fetch http://security.FreeBSD.org/patches/SA-14:23/openssl-9.3.patch
# fetch http://security.FreeBSD.org/patches/SA
FreeBSD Security Advisory FreeBSD-SA-14:19.tcp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:19.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Denial of Service in TCP packet processing
Category:       core
Module:         inet
Announced:      2014-09-16
Credits:        Jonathan Looney (Juniper SIRT)
Affects:        All supported versions of FreeBSD.
Corrected:      2014-09-16 09:48:35 UTC (stable/10, 10.1-PRERELEASE)
                2014-09-16 09:48:35 UTC (stable/10, 10.1-BETA1-p1)
                2014-09-16 09:50:19 UTC (releng/10.0, 10.0-RELEASE-p9)
                2014-09-16 09:49:11 UTC (stable/9, 9.3-STABLE)
                2014-09-16 09:50:19 UTC (releng/9.3, 9.3-RELEASE-p2)
                2014-09-16 09:50:19 UTC (releng/9.2, 9.2-RELEASE-p12)
                2014-09-16 09:50:19 UTC (releng/9.1, 9.1-RELEASE-p19)
                2014-09-16 09:49:11 UTC (stable/8, 8.4-STABLE)
                2014-09-16 09:50:19 UTC (releng/8.4, 8.4-RELEASE-p16)
CVE Name:       CVE-2004-0230

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. New TCP connections are initiated using a special SYN
flag in a datagram. Sequencing of data is controlled by 32-bit sequence
numbers, which start with a random value and are increased using modulo
2**32 arithmetic. TCP endpoints maintain a window of expected, and thus
allowed, sequence numbers for a connection.

II.  Problem Description

When a segment with the SYN flag for an already existing connection
arrives, the TCP stack tears down the connection, bypassing a check
that the sequence number in the segment is in the expected window.

III. Impact

An attacker who has the ability to spoof IP traffic can tear down a TCP
connection by sending only 2 packets, if they know both TCP port
numbers. In case one of the two port numbers is unknown, a successful
attack requires fewer than 2**17 spoofed packets, which can be generated
within less than a second on a decent connection to the Internet.

IV.  Workaround

It is possible to defend against these attacks with stateful traffic
inspection using a firewall. This can be done by enabling pf(4) on the
system and creating states for every connection. Even a default ruleset
that allows all traffic would be sufficient to mitigate this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:19/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r271668
releng/8.4/                                                       r271669
stable/9/                                                         r271668
releng/9.1/                                                       r271669
releng/9.2/                                                       r271669
releng/9.3/                                                       r271669
stable/10/                                                        r271667
releng/10.0/                                                      r271669
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing
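The check the advisory says was bypassed, as an added example that is not FreeBSD kernel code: a simplified Python model of an established connection receiving a SYN segment, with the pre-patch behaviour (tear down on SYN without a window check) beside the post-patch behaviour (apply the modulo-2**32 in-window check first). The `Connection` and `Segment` types, the sample sequence numbers and the guess-count helper are constructed for the example; the packet bounds come from the advisory's Impact section, and the sequence-space estimate is the standard blind-in-window calculation, not a figure from the advisory.

```python
"""Model of the SA-14:19 TCP SYN handling flaw (CVE-2004-0230).

Added example: a simplified Python model, not FreeBSD's TCP stack.
Sequence numbers are 32-bit and compared modulo 2**32, as in the
advisory's Background section.
"""
from dataclasses import dataclass

MOD = 2 ** 32


@dataclass
class Connection:
    rcv_nxt: int          # next sequence number the receiver expects
    rcv_wnd: int          # receive window in bytes
    established: bool = True


@dataclass
class Segment:
    seq: int
    syn: bool = False


def in_window(conn: Connection, seq: int) -> bool:
    """Window check: rcv_nxt <= seq < rcv_nxt + rcv_wnd, modulo 2**32.
    The subtraction-then-modulo form handles sequence number wrap-around."""
    return (seq - conn.rcv_nxt) % MOD < conn.rcv_wnd


def handle_segment_vulnerable(conn: Connection, seg: Segment) -> str:
    """Pre-patch behaviour as the advisory describes it: a SYN on an
    established connection tears it down before the window check runs,
    so the attacker needs no knowledge of the sequence number."""
    if seg.syn:
        conn.established = False
        return "torn-down"
    if not in_window(conn, seg.seq):
        return "dropped"
    return "accepted"


def handle_segment_fixed(conn: Connection, seg: Segment) -> str:
    """Post-patch behaviour: the window check applies to SYN segments too,
    so a spoofed SYN with an out-of-window sequence number is discarded."""
    if not in_window(conn, seg.seq):
        return "dropped"
    if seg.syn:
        conn.established = False
        return "torn-down"
    return "accepted"


def spoofed_packets_bound(known_ports: int) -> int:
    """Upper bound on spoofed packets against the vulnerable stack, from the
    advisory's Impact section: 2 packets with both ports known, 2 * 2**16
    (the advisory says 'fewer than 2**17') with one port unknown."""
    if known_ports not in (1, 2):
        raise ValueError("advisory states bounds for 1 or 2 known ports only")
    return 2 * (2 ** 16) ** (2 - known_ports)


def guesses_to_cover_sequence_space(rcv_wnd: int) -> int:
    """With the fix in place an attacker must also land in the window.
    Assumption (standard estimate, not from the advisory): evenly spaced
    guesses need ceil(2**32 / rcv_wnd) packets to cover the whole space."""
    return -(-MOD // rcv_wnd)


if __name__ == "__main__":
    # Constructed scenario: a spoofed SYN with an arbitrary sequence number.
    attack = Segment(seq=0xDEADBEEF, syn=True)
    before = Connection(rcv_nxt=1000, rcv_wnd=65535)
    after = Connection(rcv_nxt=1000, rcv_wnd=65535)
    print("vulnerable:", handle_segment_vulnerable(before, attack), before.established)
    print("fixed:     ", handle_segment_fixed(after, attack), after.established)
    print("packets, one port unknown:", spoofed_packets_bound(1))
    print("guesses to cover sequence space:", guesses_to_cover_sequence_space(65535))
```

The model also shows why the pf(4) workaround helps: a stateful firewall performs its own window tracking on the spoofed segment before the kernel's TCP input path sees it.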
FreeBSD Security Advisory FreeBSD-SA-14:18.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:18.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities
Category:       contrib
Module:         openssl
Announced:      2014-09-09
Affects:        All supported versions of FreeBSD.
Corrected:      2014-08-07 21:04:42 UTC (stable/10, 10.0-STABLE)
                2014-09-09 10:09:46 UTC (releng/10.0, 10.0-RELEASE-p8)
                2014-08-07 21:06:34 UTC (stable/9, 9.3-STABLE)
                2014-09-09 10:13:46 UTC (releng/9.3, 9.3-RELEASE-p1)
                2014-09-09 10:13:46 UTC (releng/9.2, 9.2-RELEASE-p11)
                2014-09-09 10:13:46 UTC (releng/9.1, 9.1-RELEASE-p18)
                2014-08-07 21:06:34 UTC (stable/8, 8.4-STABLE)
                2014-09-09 10:13:46 UTC (releng/8.4, 8.4-RELEASE-p15)
CVE Name:       CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3510,
                CVE-2014-3509, CVE-2014-3511, CVE-2014-3512, CVE-2014-5139

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

The receipt of a specifically crafted DTLS handshake message may cause
OpenSSL to consume large amounts of memory. [CVE-2014-3506]

The receipt of a specifically crafted DTLS packet could cause OpenSSL to
leak memory. [CVE-2014-3507]

A flaw in OBJ_obj2txt may cause pretty printing functions such as
X509_name_oneline, X509_name_print_ex et al. to leak some information
from the stack. [CVE-2014-3508]

OpenSSL DTLS clients enabling anonymous (EC)DH ciphersuites are subject
to a denial of service attack. [CVE-2014-3510]

The following problems affect FreeBSD 10.0-RELEASE and later:

If a multithreaded client connects to a malicious server using a resumed
session and the server sends an ec point format extension it could write
up to 255 bytes to freed memory. [CVE-2014-3509]

A flaw in the OpenSSL SSL/TLS server code causes the server to negotiate
TLS 1.0 instead of higher protocol versions when the ClientHello message
is badly fragmented. [CVE-2014-3511]

A malicious client or server can send invalid SRP parameters and overrun
an internal buffer. [CVE-2014-3512]

A malicious server can crash the client with a NULL pointer dereference
by specifying a SRP ciphersuite even though it was not properly
negotiated with the client. [CVE-2014-5139]

III. Impact

A remote attacker may be able to cause a denial of service (application
crash, large memory consumption), obtain additional information, or
cause a protocol downgrade. Additionally, a remote attacker may be able
to run arbitrary code on a vulnerable system if the application has been
set up for SRP.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-10.0.patch.asc
# gpg --verify openssl-10.0.patch.asc

[FreeBSD 9.3]
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.3.patch.asc
# gpg --verify openssl-9.3.patch.asc

[FreeBSD 9.2, 9.1, 8.4]
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:18/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains
FreeBSD Security Advisory FreeBSD-SA-14:17.kmem

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:17.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in control messages and SCTP
                notifications
Category:       core
Module:         kern, sctp
Announced:      2014-07-08
Credits:        Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2014-07-08 21:54:50 UTC (stable/10, 10.0-STABLE)
                2014-07-08 21:55:27 UTC (releng/10.0, 10.0-RELEASE-p7)
                2014-07-08 21:54:50 UTC (stable/9, 9.3-PRERELEASE)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC3-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC2-p1)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-RC1-p2)
                2014-07-08 21:55:27 UTC (releng/9.3, 9.3-BETA3-p2)
                2014-07-08 21:55:27 UTC (releng/9.2, 9.2-RELEASE-p10)
                2014-07-08 21:55:27 UTC (releng/9.1, 9.1-RELEASE-p17)
                2014-07-08 21:54:50 UTC (stable/8, 8.4-STABLE)
                2014-07-08 21:55:39 UTC (releng/8.4, 8.4-RELEASE-p14)
CVE Name:       CVE-2014-3952, CVE-2014-3953

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The control message API is used to construct ancillary data objects for
use in control messages sent and received across sockets and passed via
the recvmsg(2) and sendmsg(2) system calls.

II.  Problem Description

The buffer between the control message header and the data may not be
completely initialized before being copied to userland. [CVE-2014-3952]

Three SCTP cmsgs, SCTP_SNDRCV, SCTP_EXTRCV and SCTP_RCVINFO, have
implicit padding that may not be completely initialized before being
copied to userland. In addition, three SCTP notifications,
SCTP_PEER_ADDR_CHANGE, SCTP_REMOTE_ERROR and SCTP_AUTHENTICATION_EVENT,
have padding in the returned data structure that may not be completely
initialized before being copied to userland. [CVE-2014-3953]

III. Impact

An unprivileged local process may be able to retrieve a portion of
kernel memory.

For the generic control message, the process may be able to retrieve a
maximum of 4 bytes of kernel memory. For SCTP, the process may be able
to retrieve 2 bytes of kernel memory for all three control messages,
plus 92 bytes for SCTP_SNDRCV and 76 bytes for SCTP_EXTRCV. If the local
process is permitted to receive SCTP notifications, a maximum of 112
bytes of kernel memory may be returned to userland.

This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way. For example, a terminal buffer
might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem.patch.asc
# gpg --verify kmem.patch.asc

[FreeBSD 8.4, 9.2 and 9.3-RC]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-89.patch.asc
# gpg --verify kmem-89.patch.asc

[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-14:17/kmem-9.1.patch.asc
# gpg --verify kmem-9.1.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r268432
releng/8.4/                                                       r268435
stable/9/                                                         r268432
releng/9.1
FreeBSD Security Advisory FreeBSD-SA-14:15.iconv

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:15.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          iconv(3) NULL pointer dereference and out-of-bounds array
                access
Category:       core
Module:         libc/iconv
Announced:      2014-06-24
Credits:        Manuel Mausz, Tijl Coosemans
Affects:        FreeBSD 10.0
Corrected:      2014-03-04 12:43:10 UTC (stable/10, 10.0-STABLE)
                2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
CVE Name:       CVE-2014-3951

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The iconv(3) API allows converting text data from one character set
encoding to another. Applications first open a converter between two
encodings using iconv_open(3) and then convert text using iconv(3).

HZ is an encoding of the GB2312 character set used for simplified
Chinese characters. VIQR is an encoding for Vietnamese characters.

II.  Problem Description

A NULL pointer dereference in the initialization code of the HZ module
and an out of bounds array access in the initialization code of the
VIQR module make iconv_open(3) calls involving HZ or VIQR result in an
application crash.

III. Impact

Services where an attacker can control the arguments of an iconv_open(3)
call can be caused to crash, resulting in a denial-of-service. For
example, an email encoded in HZ may cause an email delivery service to
crash if it converts emails to a more generic encoding like UTF-8 before
applying filtering rules.

IV.  Workaround

No workaround is available, but systems that do not process untrusted
Chinese or Vietnamese input are not affected by this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch
# fetch http://security.FreeBSD.org/patches/SA-14:15/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r262731
releng/10.0/                                                      r267829
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

URL:http://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3951

The latest revision of this advisory is available at
URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:15.iconv.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJTqc+KAAoJEO1n7NZdz2rnmqsP/1VXkGjjBB34Qh43HGxmVofB
8Zfkc19nQtHvQaS+wAUfm10Onu2QJUPPm5OZL+kYYxJs1G4/VLTDTl/7cHBkCoA0
abdDpRbtG6CMHfnaARpMOAkg+uvHl41pjHgr+mi4TRYivzSNp+qfw8BsPJ21DAS6
Om6H6m+ggHjTXrtniBtQ+os2wfxbGGMJQzL94QC+tyzzFTEknIt8lgn6hboh99eV
pQb8WnSRCPuyiw+hKHdOOS7er7ZCIy9l0VWWfyJzcZP3/W5q6qSNCdnMUNZsTk0L
ruiUrhRjookK6/3VKb+9/YMfpB8xuQad2fk2mbQZkaxdSVJyFIfOI6Y9PJYbx9BP
Z7Bp0qyEGs+5/CZhiSwr2E/3k7kNe+30dvbPE0SBw9JNS4T0FyzlRUM4Y8s843Lf
GUcacSLcgCv8DUU517GmTL+UvnE+dajppr/vueRTC2T0mj8OX1qukq1Rjs9RpZkc
l2ajo3TbMZjwwivEsJEI2706tqv2v7+xON6WrZbUvbXlp4Kw7v01pS2Z3DFIeK8d
D9H80XuBIM6ZvMUd3NZHBGBjcxYEHvB5hM26ceCAP/ZvOSa4jp8vVQcPVONwj55n
RvX+K66t3yGiRznjhUUL+/8T9ulcI8TomgKL+U3UXasinYU9F4v55yXRugYvgnig
jh8e1kgmRt2rt5ZLthe5
FreeBSD Security Advisory FreeBSD-SA-14:16.file

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:16.file                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in file(1) and libmagic(3)
Category:       contrib
Module:         file
Announced:      2014-06-24
Affects:        All supported versions of FreeBSD.
Corrected:      2014-06-24 19:04:55 UTC (stable/10, 10.0-STABLE)
                2014-06-24 19:05:08 UTC (releng/10.0, 10.0-RELEASE-p6)
                2014-06-24 19:04:55 UTC (stable/9, 9.3-PRERELEASE)
                2014-06-24 19:05:19 UTC (releng/9.3, 9.3-RC2)
                2014-06-24 19:05:36 UTC (releng/9.2, 9.2-RELEASE-p9)
                2014-06-24 19:05:36 UTC (releng/9.1, 9.1-RELEASE-p16)
                2014-06-24 19:04:55 UTC (stable/8, 8.4-STABLE)
                2014-06-24 19:05:47 UTC (releng/8.4, 8.4-RELEASE-p13)
CVE Name:       CVE-2012-1571, CVE-2013-7345, CVE-2014-1943, CVE-2014-2270

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The file(1) utility attempts to classify file system objects based on
filesystem, magic number and language tests. The libmagic(3) library
provides most of the functionality of file(1) and may be used by other
applications.

II.  Problem Description

A specifically crafted Composite Document File (CDF) file can trigger an
out-of-bounds read or an invalid pointer dereference. [CVE-2012-1571]

The regular expression used by the awk script detector makes use of
multiple wildcards with unlimited repetitions. [CVE-2013-7345]

A malicious input file could trigger infinite recursion in libmagic(3).
[CVE-2014-1943]

A specifically crafted Portable Executable (PE) can trigger an
out-of-bounds read. [CVE-2014-2270]

III. Impact

An attacker who can cause file(1) or any other application using the
libmagic(3) library to be run on a maliciously constructed input can
cause the application to crash or consume excessive CPU resources,
resulting in a denial-of-service.

IV.  Workaround

No workaround is available, but systems where file(1) and other
libmagic(3)-using applications are never run on untrusted input are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.1, 9.2, 9.3, 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch
# fetch http://security.FreeBSD.org/patches/SA-14:16/file.patch.asc
# gpg --verify file.patch.asc

[FreeBSD 8.4]
# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch
# fetch http://security.FreeBSD.org/patches/SA-14:16/file-8.4.patch.asc
# gpg --verify file-8.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r267828
releng/8.4/                                                       r267832
stable/9/                                                         r267828
releng/9.1/                                                       r267831
releng/9.2/                                                       r267831
releng/9.3/                                                       r267830
stable/10/                                                        r267828
releng/10.0/                                                      r267829
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL
FreeBSD Security Advisory FreeBSD-SA-14:14.openssl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:14.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities
Category:       contrib
Module:         openssl
Announced:      2014-06-05
Affects:        All supported versions of FreeBSD.
Corrected:      2014-06-05 12:32:38 UTC (stable/10, 10.0-STABLE)
                2014-06-05 12:33:23 UTC (releng/10.0, 10.0-RELEASE-p5)
                2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1)
                2014-06-05 12:53:06 UTC (stable/9, 9.3-BETA1-p2)
                2014-06-05 12:33:23 UTC (releng/9.2, 9.2-RELEASE-p8)
                2014-06-05 12:33:23 UTC (releng/9.1, 9.1-RELEASE-p15)
                2014-06-05 12:32:38 UTC (stable/8, 8.4-STABLE)
                2014-06-05 12:33:23 UTC (releng/8.4, 8.4-RELEASE-p12)
CVE Name:       CVE-2014-0195, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

Receipt of an invalid DTLS fragment on an OpenSSL DTLS client or server
can lead to a buffer overrun. [CVE-2014-0195]

Receipt of an invalid DTLS handshake on an OpenSSL DTLS client can lead
the code to recurse unnecessarily. [CVE-2014-0221]

A carefully crafted handshake can force the use of weak keying material
in OpenSSL SSL/TLS clients and servers. [CVE-2014-0224]

Carefully crafted packets can lead to a NULL pointer dereference in
OpenSSL TLS client code if anonymous ECDH ciphersuites are enabled.
[CVE-2014-3470]

III. Impact

A remote attacker may be able to run arbitrary code on a vulnerable
client or server by sending invalid DTLS fragments to an OpenSSL DTLS
client or server. [CVE-2014-0195]

A remote attacker who can send an invalid DTLS handshake to an OpenSSL
DTLS client can crash the remote OpenSSL DTLS client. [CVE-2014-0221]

A remote attacker who can send a carefully crafted handshake can force
the use of weak keying material between a vulnerable client and a
vulnerable server and decrypt and/or modify traffic from the attacked
client and server in a man-in-the-middle (MITM) attack. [CVE-2014-0224]

A remote attacker who can send carefully crafted packets can cause an
OpenSSL TLS client to crash. [CVE-2014-3470]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

[FreeBSD 9.x and 8.x]
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:14/openssl-9.patch.asc
# gpg --verify openssl-9.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r267103
releng/8.4/                                                       r267104
stable/9/                                                         r267106
releng/9.1/                                                       r267104
releng/9.2/                                                       r267104
stable/10
FreeBSD Security Advisory FreeBSD-SA-14:13.pam

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:13.pam                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect error handling in PAM policy parser
Category:       contrib
Module:         pam
Announced:      2014-06-03
Credits:        Peter Wemm, Dag-Erling Smørgrav
Affects:        FreeBSD 9.2 and later.
Corrected:      2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1)
                2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1-p1)
                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
                2014-06-03 19:02:18 UTC (stable/10, 10.0-STABLE)
                2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
CVE Name:       CVE-2014-3879

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown. It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies. These policies are defined in
/etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/<policy name>.

The PAM API is a de facto industry standard which has been implemented
by several parties. FreeBSD uses the OpenPAM implementation.

II.  Problem Description

The OpenPAM library searches for policy definitions in several
locations. While doing so, the absence of a policy file is a soft
failure (handled by searching in the next location) while the presence
of an invalid file is a hard failure (handled by returning an error to
the caller).

The policy parser returns the same error code (ENOENT) when a
syntactically valid policy references a non-existent module as when the
requested policy file does not exist. The search loop regards this as a
soft failure and looks for the next similarly-named policy, without
discarding the partially-loaded configuration.

A similar issue can arise if a policy contains an include directive that
refers to a non-existent policy.

III. Impact

If a module is removed, or the name of a module is misspelled in the
policy file, the PAM library will proceed with a partially loaded
configuration. Depending on the exact circumstances, this may result in
a fail-open scenario where users are allowed to log in without a
password, or with an incorrect password.

In particular, if a policy references a module installed by a package or
port, and that package or port is being reinstalled or upgraded, there
is a brief window of time during which the module is absent and policies
that use it may fail open. This can be especially damaging to
Internet-facing SSH servers, which are regularly subjected to
brute-force scans.

IV.  Workaround

If your system uses customized PAM policies, carefully review your
policies to ensure that all module names are spelled correctly.

If your system uses third-party authentication modules, either refrain
from upgrading those modules until you have patched your system, or
shut down the affected services before upgrading.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.2]
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd9.patch.asc
# gpg --verify pam-freebsd9.patch.asc

[FreeBSD 9.3 and 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:13/pam-freebsd10.patch.asc
# gpg --verify pam-freebsd10.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision
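The fail-open mechanism described in sections II and III, as an added example that is not OpenPAM's code: a simplified Python model of the policy search loop, with the vulnerable behaviour (a missing module reported as ENOENT, so the loop continues and keeps the lines already loaded) beside the fixed behaviour (a missing module is a hard failure and the partial chain is discarded). The policy files, the `example` and `good` policy names, the misspelled module, the user and password, and the module behaviours are all constructed for the example; the distinct error code used for the fix (ENOEXEC) is a modelling choice, not the code OpenPAM returns. The dispatch rule modelled is OpenPAM's: a chain fails only when a required or requisite module fails, and a successful sufficient module ends it early.

```python
"""Model of the OpenPAM policy search flaw fixed in FreeBSD-SA-14:13.

Added example: a simplified model of the search loop and dispatch rule the
advisory describes, not OpenPAM's own code. Files, modules and the user
are constructed for the example; the fallback to the "other" policy that
OpenPAM performs when nothing is found is omitted.
"""
import errno

# Search order from the advisory's Background section.
SEARCH_ORDER = ["/etc/pam.conf", "/etc/pam.d/{policy}",
                "/usr/local/etc/pam.conf", "/usr/local/etc/pam.d/{policy}"]

# Constructed file system: path -> list of (facility, control, module).
# /etc/pam.d/example misspells pam_unix.so, so that line cannot be loaded.
FILES = {
    "/etc/pam.d/example": [
        ("auth", "sufficient", "pam_opie.so"),
        ("auth", "required", "pam_unxi.so"),    # typo: pam_unix.so intended
    ],
    "/etc/pam.d/good": [
        ("auth", "sufficient", "pam_opie.so"),
        ("auth", "required", "pam_unix.so"),
    ],
}

# Constructed module behaviour: name -> function(user, password) -> bool.
# pam_opie fails because the user has no OPIE key; pam_unix checks the password.
PASSWORDS = {"alice": "correct horse"}
MODULES = {
    "pam_opie.so": lambda user, password: False,
    "pam_unix.so": lambda user, password: PASSWORDS.get(user) == password,
}


class PolicyError(Exception):
    def __init__(self, err):
        super().__init__(errno.errorcode.get(err, str(err)))
        self.errno = err


def parse_file(path, chain, strict):
    """Append the auth lines of `path` to `chain` as they are parsed.

    A missing file raises PolicyError(ENOENT). A line naming a module that
    cannot be loaded raises ENOENT too in the vulnerable version (strict=False),
    indistinguishable from a missing file; the fixed version raises a distinct
    error (ENOEXEC here, a modelling choice) so the caller can fail hard."""
    if path not in FILES:
        raise PolicyError(errno.ENOENT)
    for facility, control, module in FILES[path]:
        if facility != "auth":
            continue
        if module not in MODULES:
            raise PolicyError(errno.ENOENT if not strict else errno.ENOEXEC)
        chain.append((control, module))      # already appended before any error


def load_policy(policy, strict):
    """Search the locations in order; ENOENT is a soft failure, anything else
    is a hard failure. The vulnerable loop keeps a partially loaded chain."""
    chain = []
    for template in SEARCH_ORDER:
        path = template.format(policy=policy)
        try:
            parse_file(path, chain, strict)
            return chain
        except PolicyError as e:
            if e.errno != errno.ENOENT:
                raise                        # hard failure: invalid policy file
            if strict:
                chain = []                   # fixed: discard partial configuration
    return chain


def dispatch(chain, user, password):
    """OpenPAM-style dispatch (simplified): a successful sufficient module
    ends the chain with success unless a required module already failed;
    the chain fails only if a required or requisite module failed."""
    if not chain:
        return "PAM_SYSTEM_ERR"
    failed = False
    for control, module in chain:
        if MODULES[module](user, password):
            if control == "sufficient" and not failed:
                return "PAM_SUCCESS"
            continue
        if control == "requisite":
            return "PAM_AUTH_ERR"
        if control == "required":
            failed = True
    return "PAM_AUTH_ERR" if failed else "PAM_SUCCESS"


def authenticate(policy, user, password, fixed):
    try:
        chain = load_policy(policy, strict=fixed)
    except PolicyError:
        return "PAM_SYSTEM_ERR"              # hard failure: fail closed
    return dispatch(chain, user, password)


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "vulnerable",
              authenticate("example", "alice", "wrong password", fixed))
```

With the vulnerable loop the `example` policy loads as the single line `auth sufficient pam_opie.so`; pam_opie fails, no required module remains to fail, and the wrong password is accepted. That is the window the advisory describes for a port being reinstalled: the same policy with the module present behaves like `good` and rejects the password.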
FreeBSD Security Advisory FreeBSD-SA-14:11.sendmail

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:11.sendmail                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sendmail improper close-on-exec flag handling
Category:       contrib
Module:         sendmail
Announced:      2014-06-03
Affects:        All supported versions of FreeBSD.
Corrected:      2014-05-26 15:35:11 UTC (stable/10, 10.0-STABLE)
                2014-06-03 19:02:52 UTC (releng/10.0, 10.0-RELEASE-p4)
                2014-05-26 20:10:00 UTC (stable/9, 9.3-PRERELEASE)
                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
                2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
                2014-05-26 15:30:27 UTC (stable/8, 8.4-STABLE)
                2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mail
routing facility, as the default Mail Transfer Agent (MTA).

FreeBSD uses file descriptors as abstract indicators for accessing
files. Upon execve(2), file descriptors open in the calling process
image remain open in the new process image, except for those for which
the close-on-exec flag is set.

II.  Problem Description

A programming error in sendmail(8) prevented the close-on-exec flag from
being properly set on open file descriptors. Consequently a subprocess
will be able to access all open files that the parent process has open.

III. Impact

A local user who can execute their own program for mail delivery will be
able to interfere with an open SMTP connection.

IV.  Workaround

Do not allow untrusted users to specify programs for mail delivery, for
instance, procmail.

Systems that do not use the sendmail(8) MTA are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch
# fetch http://security.FreeBSD.org/patches/SA-14:11/sendmail.patch.asc
# gpg --verify sendmail.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in URL:http://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable daemons, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r266693
releng/8.4/                                                       r267019
stable/9/                                                         r266711
releng/9.1/                                                       r267018
releng/9.2/                                                       r267018
stable/10/                                                        r266692
releng/10.0/                                                      r267017
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

URL:http://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

The latest revision of this advisory is available at
URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:11.sendmail.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (FreeBSD)

iQIcBAEBCgAGBQJTjiDaAAoJEO1n7NZdz2rnMxgP/0N9dTCKztkx92+Er1riKEns
k0dfQswsTn2BwKzqIwiuzYcC9YFuBbU/ydfhIy3CGHJoZXd98sl0IZkWok7N7gYb
N46aSyMypHh5RtoxtRm7aLhmKSBXiXhygwoeV8HW5fBhgZG544BQ+zs3wDWL/Y4J
sfTEV4C254hm8+loCjtg+WIoFDtaYFWTWCUm1Yhxb1puN5scCNNgbvqvmhmrCLtb
n/AoWUvqQi8B7tu2YafbG+BE8qaLC+tGpqC4mF3NxtNUX++4HMC6ZhbcOaa2PKrk
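The descriptor behaviour described in sections I and II of the sendmail advisory, as an added example that is not sendmail's code: a Python demonstration of the close-on-exec flag, with a descriptor opened the way the flawed sendmail left it (flag clear, so an exec'd delivery program inherits it) beside one opened the way the fix intends (flag set), a check that lists which of a process's descriptors would leak across execve(2), and the remediation a daemon can apply to descriptors it already holds. Python's `os.get_inheritable` and `os.set_inheritable` read and write FD_CLOEXEC through fcntl(2). The temporary files standing in for the SMTP connection and queue file are constructed for the example.

```python
"""Close-on-exec check, as an added example for FreeBSD-SA-14:11.

Not sendmail's code. os.get_inheritable()/os.set_inheritable() map to the
FD_CLOEXEC flag that the advisory's Background section describes: a
descriptor without it survives execve(2) into the child program.
"""
import os
import subprocess
import sys
import tempfile


def inherited_across_exec(fds):
    """Return the descriptors in `fds` that lack close-on-exec, i.e. the ones
    an execve(2)'d child (such as a user-specified delivery program) would
    inherit. This is the check the parent should pass before exec'ing."""
    return [fd for fd in fds if os.get_inheritable(fd)]


def open_private(path):
    """Open a file for the parent only: close-on-exec is set at open time,
    which is the behaviour the fix restores for sendmail's descriptors."""
    return os.open(path, os.O_RDWR | os.O_CREAT | os.O_CLOEXEC, 0o600)


def open_leaky(path):
    """Open a file and clear close-on-exec, modelling the pre-patch sendmail
    descriptor a local user's delivery program could reach. (Python sets
    FD_CLOEXEC by default, so the flag is cleared explicitly here.)"""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o600)
    os.set_inheritable(fd, True)
    return fd


def fix_descriptors(fds):
    """Remediation for descriptors a daemon already holds: set close-on-exec
    on each and return whatever would still leak (expected: nothing)."""
    for fd in fds:
        os.set_inheritable(fd, False)
    return inherited_across_exec(fds)


def child_sees(fd):
    """Exec a child (python itself) and ask whether `fd` is open there.
    close_fds=False leaves inheritance to the FD_CLOEXEC flag alone."""
    probe = ("import os, sys\n"
             "try:\n    os.fstat(int(sys.argv[1])); print('open')\n"
             "except OSError:\n    print('closed')")
    out = subprocess.run([sys.executable, "-c", probe, str(fd)],
                         capture_output=True, text=True, close_fds=False)
    return out.stdout.strip() == "open"


def demo():
    """Constructed scenario: one descriptor per behaviour, checked before
    and after remediation. Returns booleans rather than descriptor numbers
    so the result does not depend on which numbers the kernel hands out."""
    with tempfile.TemporaryDirectory() as d:
        leaky = open_leaky(os.path.join(d, "smtp-connection-stand-in"))
        private = open_private(os.path.join(d, "queue-file-stand-in"))
        before = inherited_across_exec([leaky, private])
        after = fix_descriptors([leaky, private])
        result = {
            "leaky_inherited": leaky in before,
            "private_inherited": private in before,
            "after_fix": after,
        }
        os.close(leaky)
        os.close(private)
        return result


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        leaky = open_leaky(os.path.join(d, "smtp-connection-stand-in"))
        private = open_private(os.path.join(d, "queue-file-stand-in"))
        print("child sees leaky descriptor:  ", child_sees(leaky))
        print("child sees private descriptor:", child_sees(private))
        print("leaks after fix:", fix_descriptors([leaky, private]))
    print(demo())
```

On a FreeBSD host the same check can be run against a live process by listing /dev/fd in the daemon's context; the functions above take explicit descriptor numbers so they can be pointed at whatever the daemon holds open.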
FreeBSD Security Advisory FreeBSD-SA-14:12.ktrace

=============================================================================
FreeBSD-SA-14:12.ktrace                                     Security Advisory
                                                          The FreeBSD Project

Topic:          ktrace kernel memory disclosure

Category:       core
Module:         kern
Announced:      2014-06-03
Credits:        Jilles Tjoelker
Affects:        FreeBSD 8.4, FreeBSD 9.1 and FreeBSD 9.2
Corrected:      2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1)
                2014-06-03 19:02:33 UTC (stable/9, 9.3-BETA1-p1)
                2014-06-03 19:03:11 UTC (releng/9.2, 9.2-RELEASE-p7)
                2014-06-03 19:03:11 UTC (releng/9.1, 9.1-RELEASE-p14)
                2014-06-03 19:02:42 UTC (stable/8, 8.4-STABLE)
                2014-06-03 19:03:23 UTC (releng/8.4, 8.4-RELEASE-p11)
CVE Name:       CVE-2014-3873

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ktrace utility enables kernel trace logging for the specified
processes, commonly used for diagnostic or debugging purposes.  The
kernel operations that are traced include system calls, namei
translations, signal processing, and I/O as well as data associated
with these operations.  The utility may be used only with a kernel that
has been built with the ``KTRACE'' option in the kernel configuration
file, which is enabled by default.

II.  Problem Description

Due to an overlooked merge to the -STABLE branches, the size for page
fault kernel trace entries was set incorrectly.

III. Impact

A user who can enable kernel process tracing could end up reading the
contents of kernel memory.  Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way; for example, a terminal buffer
might include a user-entered password.

IV.  Workaround

The system administrator may set the sysctl
security.bsd.unprivileged_proc_debug to 0 to prevent non-privileged
users from using any of the process debugging facilities provided by
the kernel, which includes ktrace functionality.  Please note that this
flag has a broad effect and may break applications, as some of them may
rely on certain debugging facilities to function.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:12/ktrace.patch
# fetch http://security.FreeBSD.org/patches/SA-14:12/ktrace.patch.asc
# gpg --verify ktrace.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r267016
releng/8.4/                                                       r267019
stable/9/                                                         r267015
releng/9.1/                                                       r267018
releng/9.2/                                                       r267018
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3873>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:12.ktrace.asc>
FreeBSD Security Advisory FreeBSD-SA-14:10.openssl

=============================================================================
FreeBSD-SA-14:10.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL NULL pointer dereference vulnerability

Category:       contrib
Module:         openssl
Announced:      2014-05-13
Affects:        FreeBSD 10.x.
Corrected:      2014-05-13 23:19:16 UTC (stable/10, 10.0-STABLE)
                2014-05-13 23:22:28 UTC (releng/10.0, 10.0-RELEASE-p3)
CVE Name:       CVE-2014-0198

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

The TLS protocol supports an alert protocol which can be used to signal
the other party with certain failures in the protocol context that may
require immediate termination of the connection.

II.  Problem Description

An attacker can trigger generation of an SSL alert which could cause a
NULL pointer dereference.

III. Impact

An attacker may be able to cause a service process that uses OpenSSL to
crash, which can be used in a denial-of-service attack.

IV.  Workaround

No workaround is available, but systems that do not use OpenSSL to
implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, or that do not use SSL_MODE_RELEASE_BUFFERS
while handling multiple SSL connections in the same process, are not
vulnerable.

The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode.  However, much third-party software uses
this mode to reduce its memory footprint and may therefore be affected
by this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:10/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r265986
releng/10.0/                                                      r265987
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/005_openssl.patch.sig>
<URL:https://rt.openssl.org/Ticket/Display.html?user=guest&pass=guest&id=3321>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0198>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:10.openssl.asc>
FreeBSD Security Advisory FreeBSD-SA-14:07.devfs

=============================================================================
FreeBSD-SA-14:07.devfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          devfs rules not applied by default for jails

Category:       core
Module:         etc_rc.d
Announced:      2014-04-30
Affects:        FreeBSD 10.0
Corrected:      2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
                2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name:       CVE-2014-3001

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The device file system, or devfs(5), provides access to the kernel's
device namespace in the global file system namespace.  The devfs(5)
rule subsystem provides a way for the administrator of a system to
control the attributes of DEVFS nodes.  Each DEVFS mount-point has a
``ruleset'', or a list of rules, associated with it, allowing the
administrator to change the properties, including the visibility, of
certain nodes.

II.  Problem Description

The default devfs rulesets are not loaded on boot, even when jails are
used.  Device nodes will be created in the jail with their normal
default access permissions, while most of them should be hidden and
inaccessible.

III. Impact

Jailed processes can get access to restricted resources on the host
system.  For jailed processes running with superuser privileges this
implies access to all devices on the system.  This level of access
could lead to information leakage and privilege escalation.

IV.  Workaround

Systems that do not run jails are not affected.

The system administrator can do the following to load the default
ruleset:

/etc/rc.d/devfs onestart

Then apply the default ruleset for jails on a devfs mount using:

devfs -m ${devfs_mountpoint} rule -s 4 applyset

Or, alternatively, the following command will apply the ruleset over all
devfs mountpoints except the host one:

mount -t devfs | grep -v '^devfs on /dev ' | awk '{print $3;}' | \
    xargs -n 1 -J % devfs -m % rule -s 4 applyset

After this, the system administrator should add the following
configuration to /etc/rc.conf to make it permanent, so the above
operations do not have to be done each time the host system reboots.

devfs_load_rulesets="YES"

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:07/devfs.patch
# fetch http://security.FreeBSD.org/patches/SA-14:07/devfs.patch.asc
# gpg --verify devfs.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 444 etc/defaults/rc.conf /etc/defaults/

Follow the steps described in the Workaround section, or reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3001>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:07.devfs.asc>
FreeBSD Security Advisory FreeBSD-SA-14:08.tcp

=============================================================================
FreeBSD-SA-14:08.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          TCP reassembly vulnerability

Category:       core
Module:         inet
Announced:      2014-04-30
Credits:        Jonathan Looney
Affects:        All supported versions of FreeBSD.
Corrected:      2014-04-30 04:04:20 UTC (stable/8, 8.4-STABLE)
                2014-04-30 04:05:47 UTC (releng/8.4, 8.4-RELEASE-p9)
                2014-04-30 04:05:47 UTC (releng/8.3, 8.3-RELEASE-p16)
                2014-04-30 04:04:20 UTC (stable/9, 9.2-STABLE)
                2014-04-30 04:05:47 UTC (releng/9.2, 9.2-RELEASE-p5)
                2014-04-30 04:05:47 UTC (releng/9.1, 9.1-RELEASE-p12)
                2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
                2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name:       CVE-2014-3000

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  When network packets making up a TCP stream (``TCP
segments'') are received out-of-sequence, they are maintained in a
reassembly queue by the destination system until they can be re-ordered
and re-assembled.

II.  Problem Description

FreeBSD may add a reassembly queue entry allocated on the stack into the
segment list when the reassembly queue reaches its limit.  The memory
from the stack is undefined after the function returns.  Subsequent
iterations of the reassembly function will attempt to access this entry.

III. Impact

An attacker who can send a series of specifically crafted packets within
a connection could cause a denial of service situation by causing the
kernel to crash.

Additionally, because the undefined on-stack memory may be overwritten
by other kernel threads, while extremely difficult, it may be possible
for an attacker to construct a carefully crafted attack to obtain a
portion of kernel memory via a connected socket.  This may result in the
disclosure of sensitive information such as login credentials, etc.
before or even without crashing the system.

IV.  Workaround

It is possible to defend against these attacks by doing traffic
normalization using a firewall.  This can be done by including the
following /etc/pf.conf configuration:

scrub in all

This requires pf(4) to be enabled, and have the mentioned configuration
loaded.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:08/tcp.patch
# fetch http://security.FreeBSD.org/patches/SA-14:08/tcp.patch.asc
# gpg --verify tcp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r265123
releng/8.3/                                                       r265125
releng/8.4/                                                       r265125
stable/9/                                                         r265123
releng/9.1/                                                       r265125
releng/9.2/                                                       r265125
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit
FreeBSD Security Advisory FreeBSD-SA-14:09.openssl

=============================================================================
FreeBSD-SA-14:09.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL use-after-free vulnerability

Category:       contrib
Module:         openssl
Announced:      2014-04-30
Affects:        FreeBSD 10.x.
Corrected:      2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
                2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name:       CVE-2010-5298

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

An OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS,
which requests the library to release the memory it holds when a read
or write buffer is no longer needed for the context.

II.  Problem Description

The buffer may be released before the library has finished using it.
It is possible that a different SSL connection in the same process
would use the released buffer and write data into it.

III. Impact

An attacker may be able to inject data into a different connection that
they should not be able to.

IV.  Workaround

No workaround is available, but systems that do not use OpenSSL to
implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, or that do not use SSL_MODE_RELEASE_BUFFERS
while handling multiple SSL connections in the same process, are not
vulnerable.

The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode.  However, much third-party software uses
this mode to reduce its memory footprint and may therefore be affected
by this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch.asc
# gpg --verify openssl.patch.asc

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig>
<URL:https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:09.openssl.asc>
FreeBSD Security Advisory FreeBSD-SA-14:09.openssl [REVISED]

=============================================================================
FreeBSD-SA-14:09.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL use-after-free vulnerability

Category:       contrib
Module:         openssl
Announced:      2014-04-30
Affects:        FreeBSD 10.x.
Corrected:      2014-04-30 04:03:05 UTC (stable/10, 10.0-STABLE)
                2014-04-30 04:04:42 UTC (releng/10.0, 10.0-RELEASE-p2)
CVE Name:       CVE-2010-5298

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2014-04-30  Initial release.
v1.1  2014-04-30  Added patch applying step in Solutions section.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

An OpenSSL context can be set to a mode called SSL_MODE_RELEASE_BUFFERS,
which requests the library to release the memory it holds when a read
or write buffer is no longer needed for the context.

II.  Problem Description

The buffer may be released before the library has finished using it.
It is possible that a different SSL connection in the same process
would use the released buffer and write data into it.

III. Impact

An attacker may be able to inject data into a different connection that
they should not be able to.

IV.  Workaround

No workaround is available, but systems that do not use OpenSSL to
implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols, or that do not use SSL_MODE_RELEASE_BUFFERS
while handling multiple SSL connections in the same process, are not
vulnerable.

The FreeBSD base system service daemons and utilities do not use the
SSL_MODE_RELEASE_BUFFERS mode.  However, much third-party software uses
this mode to reduce its memory footprint and may therefore be affected
by this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:09/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r265122
releng/10.0/                                                      r265124
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://ftp.openbsd.org/pub/OpenBSD/patches/5.5/common/004_openssl.patch.sig>
<URL:https://rt.openssl.org/Ticket/Display.html?id=2167&user=guest&pass=guest>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-5298>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:09.openssl.asc>
FreeBSD Security Advisory FreeBSD-SA-14:05.nfsserver

=============================================================================
FreeBSD-SA-14:05.nfsserver                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Deadlock in the NFS server

Category:       core
Module:         nfsserver
Announced:      2014-04-08
Credits:        Rick Macklem
Affects:        All supported versions of FreeBSD.
Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
                2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
                2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
                2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
                2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
                2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
                2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
                2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
CVE Name:       CVE-2014-1453

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were on local disks.  FreeBSD includes both server
and client implementations of NFS.

II.  Problem Description

The kernel holds a lock over the source directory vnode while trying to
convert the target directory file handle to a vnode, which needs to be
returned with the lock held, too.  This order may be in violation of
the normal lock order, which, in conjunction with other threads that
grab locks in the right order, constitutes a deadlock condition because
no thread can proceed.

III. Impact

An attacker on a trusted client could cause the NFS server to become
deadlocked, resulting in a denial of service.

IV.  Workaround

Systems that do not provide NFS services are not vulnerable.  Neither
are systems that do but use the old NFS implementation, which is the
default in FreeBSD 8.x.

To determine which implementation an NFS server is running, run the
following command:

# kldstat -v | grep -cw nfsd

This will print 1 if the system is running the new NFS implementation,
and 0 otherwise.

To switch to the old NFS implementation:

1) Append the following lines to /etc/rc.conf:

nfsv4_server_enable="no"
oldnfs_server_enable="yes"

2) If the NFS server is compiled into the kernel (which is the case for
the stock GENERIC kernel), replace the NFSD option with the NFSSERVER
option, then recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>.  If the NFS
server is not compiled into the kernel, the correct module will be
loaded at boot time.

3) Finally, reboot the system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:05/nfsserver.patch
# fetch http://security.FreeBSD.org/patches/SA-14:05/nfsserver.patch.asc
# gpg --verify nfsserver.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r264285
releng/8.3/                                                       r264284
releng/8.4/                                                       r264284
stable/9/                                                         r264285
releng/9.1/                                                       r264284
releng/9.2/                                                       r264284
stable/10/                                                        r264266
releng/10.0/                                                      r264267
-------------------------------------------------------------------------

To see which files were modified
FreeBSD Security Advisory FreeBSD-SA-14:06.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:06.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2014-04-08
Affects:        All supported versions of FreeBSD.
Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
                2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
                2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
                2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
                2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
                2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
                2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
                2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
CVE Name:       CVE-2014-0076, CVE-2014-0160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the
usage of keep-alive functionality without performing a renegotiation and a
basis for path MTU (PMTU) discovery for DTLS.

Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the
Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography.
OpenSSL uses the Montgomery Ladder Approach to compute scalar
multiplication in a fixed amount of time, which does not leak any
information through timing or power.

II.  Problem Description

The code used to handle the Heartbeat Extension does not do sufficient
boundary checks on the record length, which allows reading beyond the
actual payload. [CVE-2014-0160]  Affects FreeBSD 10.0 only.

A flaw in the implementation of the Montgomery Ladder Approach would create
a side-channel that leaks sensitive timing information. [CVE-2014-0076]

III. Impact

An attacker who can send a specifically crafted packet to a TLS server or
client with an established connection can reveal up to 64k of memory of
the remote system.  Such memory might contain sensitive information,
including key material, protected content, etc., which could be directly
useful, or might be leveraged to obtain elevated privileges.
[CVE-2014-0160]

A local attacker might be able to snoop a signing process and might
recover the signing key from it. [CVE-2014-0076]

IV.  Workaround

No workaround is available, but systems that do not use OpenSSL to
implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols and do not use the ECDSA implementation from
OpenSSL are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.x and FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch.asc
# gpg --verify openssl.patch.asc

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

IMPORTANT: the update procedure above does not update OpenSSL from the
Ports Collection or from a package, known as security/openssl, which has
to be updated separately via ports or package.  Users who have installed
security/openssl should update to at least version 1.0.1_10.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
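The boundary check the Heartbeat handler lacked, as an added C example that is not OpenSSL's or FreeBSD's code: a parser that validates the peer-declared payload_length against the TLS record length before the payload is echoed back, run over constructed records (a well-formed request, one whose declared length exceeds the record, and one too short to hold the mandatory padding). Field layout and the 16-byte minimum padding follow RFC 6520; the record bytes are constructed, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Heartbeat message (RFC 6520): type(1) | payload_length(2) | payload |
 * padding (at least 16 bytes).  payload_length is supplied by the peer;
 * the record length from the TLS record layer is the only trusted bound. */
#define HB_REQUEST  1
#define HB_RESPONSE 2
#define HB_PADDING  16

struct heartbeat {
    uint8_t type;
    uint16_t payload_length;   /* as declared by the peer */
    const uint8_t *payload;    /* points into the record buffer */
};

/* Parse and validate one heartbeat record.  Returns 0 on success, -1 when
 * the declared payload plus mandatory padding does not fit in the record.
 * The second check is the one the vulnerable code omitted. */
int heartbeat_parse(const uint8_t *rec, size_t rec_len, struct heartbeat *out)
{
    if (rec_len < 1 + 2 + HB_PADDING)          /* cannot even hold the header */
        return -1;
    out->type = rec[0];
    out->payload_length = (uint16_t)((rec[1] << 8) | rec[2]);
    /* 1 (type) + 2 (length) + payload + 16 (padding) must not exceed rec_len. */
    if ((size_t)1 + 2 + out->payload_length + HB_PADDING > rec_len)
        return -1;
    out->payload = rec + 3;
    return 0;
}

/* Build a heartbeat response echoing the validated payload.  Returns the
 * number of bytes written, or -1 for an invalid request or small buffer. */
int heartbeat_respond(const uint8_t *rec, size_t rec_len,
                      uint8_t *resp, size_t resp_cap)
{
    struct heartbeat hb;
    if (heartbeat_parse(rec, rec_len, &hb) != 0 || hb.type != HB_REQUEST)
        return -1;
    size_t need = 3 + (size_t)hb.payload_length + HB_PADDING;
    if (need > resp_cap)
        return -1;
    resp[0] = HB_RESPONSE;
    resp[1] = (uint8_t)(hb.payload_length >> 8);
    resp[2] = (uint8_t)(hb.payload_length & 0xff);
    memcpy(resp + 3, hb.payload, hb.payload_length); /* bounded by the check above */
    memset(resp + 3 + hb.payload_length, 0, HB_PADDING); /* RFC 6520 wants random padding */
    return (int)need;
}

/* Constructed sample records (not captured traffic); trailing bytes are zero. */
static const uint8_t good_req[24]  = { HB_REQUEST, 0x00, 0x05, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t bad_req[24]   = { HB_REQUEST, 0xff, 0xff, 'h', 'e', 'l', 'l', 'o' };
static const uint8_t short_req[10] = { HB_REQUEST, 0x00, 0x01, 'x' };

int demo_good(void)  { uint8_t r[64]; return heartbeat_respond(good_req,  sizeof good_req,  r, sizeof r); }
int demo_bad(void)   { uint8_t r[64]; return heartbeat_respond(bad_req,   sizeof bad_req,   r, sizeof r); }
int demo_short(void) { uint8_t r[64]; return heartbeat_respond(short_req, sizeof short_req, r, sizeof r); }

/* 1 when the response to the good request is a RESPONSE echoing "hello". */
int demo_good_echo_ok(void)
{
    uint8_t r[64];
    int n = heartbeat_respond(good_req, sizeof good_req, r, sizeof r);
    return n == 24 && r[0] == HB_RESPONSE && r[2] == 5 && memcmp(r + 3, "hello", 5) == 0;
}

int main(void)
{
    printf("well-formed request      -> %d bytes echoed\n", demo_good());
    printf("oversized payload_length -> %d (rejected)\n", demo_bad());
    printf("record too short         -> %d (rejected)\n", demo_short());
    return 0;
}
```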
FreeBSD Security Advisory FreeBSD-SA-14:06.openssl [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:06.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2014-04-08
Affects:        All supported versions of FreeBSD.
Corrected:      2014-04-08 18:27:39 UTC (stable/10, 10.0-STABLE)
                2014-04-08 18:27:46 UTC (releng/10.0, 10.0-RELEASE-p1)
                2014-04-08 23:16:19 UTC (stable/9, 9.2-STABLE)
                2014-04-08 23:16:05 UTC (releng/9.2, 9.2-RELEASE-p4)
                2014-04-08 23:16:05 UTC (releng/9.1, 9.1-RELEASE-p11)
                2014-04-08 23:16:19 UTC (stable/8, 8.4-STABLE)
                2014-04-08 23:16:05 UTC (releng/8.4, 8.4-RELEASE-p8)
                2014-04-08 23:16:05 UTC (releng/8.3, 8.3-RELEASE-p15)
CVE Name:       CVE-2014-0076, CVE-2014-0160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2014-04-08  Initial release.
v1.1  2014-04-08  Added patch applying step in Solutions section.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

The Heartbeat Extension provides a new protocol for TLS/DTLS allowing the
usage of keep-alive functionality without performing a renegotiation and a
basis for path MTU (PMTU) discovery for DTLS.

Elliptic Curve Digital Signature Algorithm (ECDSA) is a variant of the
Digital Signature Algorithm (DSA) which uses Elliptic Curve Cryptography.
OpenSSL uses the Montgomery Ladder Approach to compute scalar
multiplication in a fixed amount of time, which does not leak any
information through timing or power.

II.  Problem Description

The code used to handle the Heartbeat Extension does not do sufficient
boundary checks on the record length, which allows reading beyond the
actual payload. [CVE-2014-0160]  Affects FreeBSD 10.0 only.

A flaw in the implementation of the Montgomery Ladder Approach would create
a side-channel that leaks sensitive timing information. [CVE-2014-0076]

III. Impact

An attacker who can send a specifically crafted packet to a TLS server or
client with an established connection can reveal up to 64k of memory of
the remote system.  Such memory might contain sensitive information,
including key material, protected content, etc., which could be directly
useful, or might be leveraged to obtain elevated privileges.
[CVE-2014-0160]

A local attacker might be able to snoop a signing process and might
recover the signing key from it. [CVE-2014-0076]

IV.  Workaround

No workaround is available, but systems that do not use OpenSSL to
implement the Secure Sockets Layer (SSL v2/v3) and Transport Layer
Security (TLS v1) protocols and do not use the ECDSA implementation from
OpenSSL are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.x and FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl.patch.asc
# gpg --verify openssl.patch.asc

[FreeBSD 10.0]
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch
# fetch http://security.FreeBSD.org/patches/SA-14:06/openssl-10.patch.asc
# gpg --verify openssl-10.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

IMPORTANT: the update procedure above does not update OpenSSL from the
Ports Collection or from a package, known as security/openssl, which has
to be updated separately via ports or package.  Users who have installed
security/openssl should update to at least
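The fixed-time property the advisory attributes to the Montgomery ladder holds only while the per-bit step contains no control flow that depends on the secret scalar. This added C example (not OpenSSL's or FreeBSD's code) runs the ladder over modular exponentiation with a 32-bit modulus, a simplification standing in for elliptic-curve scalar multiplication, once with a branching conditional swap and once with a constant-time masked swap; both ladders agree with plain square-and-multiply, so the only difference is the side channel.

```c
#include <stdint.h>
#include <stdio.h>

/* Field element with modulus p < 2^32, so a*b fits in uint64_t. */
typedef uint32_t fe;

static fe fe_mul(fe a, fe b, fe p)
{
    return (fe)(((uint64_t)a * b) % p);
}

typedef void (*swap_fn)(fe *, fe *, unsigned);

/* Branching swap: whether the two stores execute depends on the secret bit,
 * so instruction timing and cache behaviour differ between bit values.
 * This is the kind of data-dependent step the advisory describes as leaking. */
void branchy_swap(fe *a, fe *b, unsigned bit)
{
    if (bit) {
        fe t = *a;
        *a = *b;
        *b = t;
    }
}

/* Constant-time swap: the same instructions run for either bit value.
 * mask is all-ones when bit == 1 and all-zeros when bit == 0. */
void ct_swap(fe *a, fe *b, unsigned bit)
{
    fe mask = (fe)0 - (fe)(bit & 1);
    fe t = (*a ^ *b) & mask;
    *a ^= t;
    *b ^= t;
}

/* Montgomery ladder computing g^k mod p.  Invariant: r0 = g^x, r1 = g^(x+1).
 * Every bit costs exactly one multiply and one square; the swap selects which
 * register is squared, so the only secret-dependent step is the swap itself. */
fe ladder_pow(fe g, uint32_t k, fe p, swap_fn swap)
{
    fe r0 = 1 % p, r1 = g % p;
    for (int i = 31; i >= 0; i--) {
        unsigned bit = (k >> i) & 1;
        swap(&r0, &r1, bit);       /* bit set: operate with roles exchanged */
        r1 = fe_mul(r0, r1, p);    /* g^(2x+1) */
        r0 = fe_mul(r0, r0, p);    /* g^(2x)   */
        swap(&r0, &r1, bit);       /* restore register roles */
    }
    return r0;
}

/* Plain square-and-multiply, used only as a correctness reference. */
fe ref_pow(fe g, uint32_t k, fe p)
{
    fe acc = 1 % p, base = g % p;
    while (k) {
        if (k & 1)
            acc = fe_mul(acc, base, p);
        base = fe_mul(base, base, p);
        k >>= 1;
    }
    return acc;
}

/* 1 when ct_swap swaps on bit 1 and leaves operands alone on bit 0. */
int swap_selftest(void)
{
    fe a = 5, b = 9;
    ct_swap(&a, &b, 1);
    if (a != 9 || b != 5) return 0;
    ct_swap(&a, &b, 0);
    return a == 9 && b == 5;
}

/* 1 when both ladders match the reference on a few constructed vectors. */
int ladders_agree(void)
{
    const fe p = 4294967291u;                 /* 2^32 - 5, a prime */
    const uint32_t ks[] = { 0, 1, 2, 10, 0xdeadbeefu, 0xffffffffu };
    for (unsigned i = 0; i < sizeof ks / sizeof ks[0]; i++) {
        fe want = ref_pow(3, ks[i], p);
        if (ladder_pow(3, ks[i], p, ct_swap) != want) return 0;
        if (ladder_pow(3, ks[i], p, branchy_swap) != want) return 0;
    }
    return 1;
}

int main(void)
{
    printf("2^10 mod 1000003 via constant-time ladder = %u\n",
           ladder_pow(2, 10, 1000003u, ct_swap));
    printf("ladders agree with reference: %s\n", ladders_agree() ? "yes" : "no");
    return 0;
}
```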
FreeBSD Security Advisory FreeBSD-SA-14:03.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:03.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2014-01-14
Affects:        FreeBSD 10.0 prior to 10.0-RC5
Corrected:      2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE)
                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5)
                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1)
                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1)
                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1)
                2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1)
CVE Name:       CVE-2013-4353, CVE-2013-6449, CVE-2013-6450

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL
pointer exception. [CVE-2013-4353]

A flaw in DTLS handling can cause an application using OpenSSL and DTLS to
crash. [CVE-2013-6450]

A flaw in OpenSSL can cause an application using OpenSSL to crash when
using TLS version 1.2. [CVE-2013-6449]

III. Impact

An attacker can send a specifically crafted packet that could cause an
OpenSSL enabled application to crash, resulting in a Denial of Service.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc
# gpg --verify openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r260404
releng/10.0/                                                      r260405
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4353>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6449>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6450>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:03.openssl.asc>
FreeBSD Security Advisory FreeBSD-SA-14:04.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:04.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service vulnerability

Category:       contrib
Module:         bind
Announced:      2014-01-14
Credits:        ISC
Affects:        FreeBSD 8.x and FreeBSD 9.x
Corrected:      2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
                2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name:       CVE-2014-0591

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

Because of a defect in handling queries for NSEC3-signed zones, BIND can
crash with an INSIST failure in name.c when processing queries possessing
certain properties.  This issue only affects authoritative nameservers
with at least one NSEC3-signed zone.  Recursive-only servers are not at
risk.

III. Impact

An attacker who can send a specially crafted query could cause named(8)
to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems not running authoritative DNS
service with at least one NSEC3-signed zone using named(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
# gpg --verify bind-release.patch.asc

[FreeBSD 9.2-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
# gpg --verify bind-stable-9.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r260646
releng/8.3/                                                       r260647
releng/8.4/                                                       r260647
stable/9/                                                         r260646
releng/9.1/                                                       r260647
releng/9.2/                                                       r260647
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://kb.isc.org/article/AA-01078>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
FreeBSD Security Advisory FreeBSD-SA-14:02.ntpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:02.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd distributed reflection Denial of Service vulnerability

Category:       contrib
Module:         ntpd
Announced:      2014-01-14
Affects:        All supported versions of FreeBSD.
Corrected:      2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE)
                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE)
                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1)
                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1)
                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1)
                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1)
                2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1)
                2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE)
                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
                2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE)
                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name:       CVE-2013-5211

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

The ntpd(8) daemon supports a query 'monlist' which provides a history of
recent NTP clients without any authentication.

III. Impact

An attacker can send 'monlist' queries and use that as an amplification of
a reflection attack.

IV.  Workaround

The administrator can implement one of the following possible workarounds
to mitigate the attack:

1) Restrict access to ntpd(8).  This can be done by adding the following
lines to /etc/ntp.conf:

restrict -4 default nomodify nopeer noquery notrap
restrict -6 default nomodify nopeer noquery notrap
restrict 127.0.0.1
restrict -6 ::1
restrict 127.127.1.0

And restart the ntpd(8) daemon.  Time service is not affected and the
administrator can still perform queries from the local host.

2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to
restrict which systems can access ntpd(8).

3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or
newer).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc
# gpg --verify ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd(8) daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Note that the patch disables the monitoring features of the ntpd(8) daemon
by default.  If the feature is desirable, the administrator can choose to
enable it and firewall access to the ntpd(8) service.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r260641
releng/8.3/                                                       r260647
releng/8.4/                                                       r260647
stable/9/                                                         r260641
releng/9.1/                                                       r260647
releng/9.2/                                                       r260647
stable/10/                                                        r260639
releng/10.0/                                                      r260641
-------------------------------------------------------------------------

To see which files were
FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-14:01.bsnmpd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          bsnmpd remote denial of service vulnerability

Category:       contrib
Module:         bsnmp
Announced:      2014-01-14
Credits:        Dirk Meyer
Affects:        All supported versions of FreeBSD.
Corrected:      2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE)
                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE)
                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1)
                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1)
                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1)
                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1)
                2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1)
                2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE)
                2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
                2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
                2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE)
                2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
                2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
CVE Name:       CVE-2014-1452

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

bsnmpd is a simple and extensible SNMP daemon that serves the Internet
SNMP (Simple Network Management Protocol).

II.  Problem Description

The bsnmpd(8) daemon is prone to a stack-based buffer overflow when it
receives a specifically crafted GETBULK PDU request.

III. Impact

This issue could be exploited to execute arbitrary code in the context of
the service daemon, or to crash the service daemon, causing a denial of
service.

IV.  Workaround

No workaround is available, but systems not running bsnmpd(8) are not
vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch
# fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc
# gpg --verify bsnmpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the bsnmpd(8) daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r260642
releng/8.3/                                                       r260647
releng/8.4/                                                       r260647
stable/9/                                                         r260642
releng/9.1/                                                       r260647
releng/9.2/                                                       r260647
stable/10/                                                        r260638
releng/10.0/                                                      r260640
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1452>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:01.bsnmpd.asc>
FreeBSD Security Advisory FreeBSD-SA-13:14.openssh [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-13:14.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH AES-GCM memory corruption vulnerability

Category:       contrib
Module:         openssh
Announced:      2013-11-19
Revised:        2013-11-28
Affects:        FreeBSD 10.0-BETA
Corrected:      2013-11-19 09:35:20 UTC (stable/10, 10.0-STABLE)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA3-p1)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA2-p1)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA1-p2)
CVE Name:       CVE-2013-4548

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2013-11-19  Initial release.
v1.1  2013-11-28  Corrected path to sshd_config.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

AES-GCM (Galois/Counter Mode) is a mode of operation for the AES block
cipher that combines the counter mode of encryption with the Galois mode
of authentication, which can offer throughput rates suited to
state-of-the-art, high-speed communication channels.  OpenSSH supports the
AES-GCM algorithm as specified in RFC 5647.

II.  Problem Description

A memory corruption vulnerability exists in the post-authentication sshd
process when an AES-GCM cipher (aes128-...@openssh.com or
aes256-...@openssh.com) is selected during key exchange.

III. Impact

If exploited, this vulnerability might permit code execution with the
privileges of the authenticated user, thereby allowing a malicious user
with valid credentials to bypass shell or command restrictions placed on
their account.

IV.  Workaround

Disable AES-GCM in the server configuration.  This can be accomplished by
adding the following /etc/ssh/sshd_config option, which will disable
AES-GCM while leaving other ciphers active:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

Systems not running the OpenSSH server daemon (sshd) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the sshd daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r258335
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4548>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:14.openssh.asc>
FreeBSD Security Advisory FreeBSD-SA-13:14.openssh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:14.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH AES-GCM memory corruption vulnerability

Category:       contrib
Module:         openssh
Announced:      2013-11-19
Affects:        FreeBSD 10.0-BETA
Corrected:      2013-11-19 09:35:20 UTC (stable/10, 10.0-STABLE)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA3-p1)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA2-p1)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA1-p2)
CVE Name:       CVE-2013-4548

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

AES-GCM (Galois/Counter Mode) is a mode of operation for the AES block
cipher that combines the counter mode of encryption with the Galois mode
of authentication, which can offer throughput rates suited to
state-of-the-art, high-speed communication channels.  OpenSSH supports the
AES-GCM algorithm as specified in RFC 5647.

II.  Problem Description

A memory corruption vulnerability exists in the post-authentication sshd
process when an AES-GCM cipher (aes128-...@openssh.com or
aes256-...@openssh.com) is selected during key exchange.

III. Impact

If exploited, this vulnerability might permit code execution with the
privileges of the authenticated user, thereby allowing a malicious user
with valid credentials to bypass shell or command restrictions placed on
their account.

IV.  Workaround

Disable AES-GCM in the server configuration.  This can be accomplished by
adding the following /etc/sshd_config option, which will disable AES-GCM
while leaving other ciphers active:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

Systems not running the OpenSSH server daemon (sshd) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch.asc
# gpg --verify openssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the sshd daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r258335
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4548>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:14.openssh.asc>
FreeBSD Security Advisory FreeBSD-SA-13:13.nullfs

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:13.nullfs                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Cross-mount links between nullfs(5) mounts

Category:       core
Module:         nullfs
Announced:      2013-09-10
Credits:        Konstantin Belousov
Affects:        All supported versions of FreeBSD.
Corrected:      2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1)
                2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7)
                2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE)
                2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4)
                2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11)
CVE Name:       CVE-2013-5710

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The nullfs(5) filesystem allows all or a part of an already mounted
filesystem to be made available in a different part of the global
filesystem namespace. It is commonly used to make a set of files
available to multiple chroot(2) or jail(2) environments without
replicating the files in each environment.

A common idiom, described in the FreeBSD Handbook, is to mount one
subtree of a filesystem read-only within a jail's filesystem namespace,
and mount a different subtree of the same filesystem read-write.

II.  Problem Description

The nullfs(5) implementation of the VOP_LINK(9) VFS operation does not
check whether the source and target of the link are both in the same
nullfs instance. It is therefore possible to create a hardlink from a
location in one nullfs instance to a file in another, as long as the
underlying (source) filesystem is the same.

III. Impact

If multiple nullfs views into the same filesystem are mounted in
different locations, a user with read access to one of these views and
write access to another will be able to create a hard link from the
latter to a file in the former, even though they are, from the user's
perspective, different filesystems. The user may thereby gain write
access to files which are nominally on a read-only filesystem.

IV.  Workaround

No workaround is available, but systems which do not use the nullfs(5)
filesystem, or do not null-mount different subtrees of the same source
filesystem with different permissions, are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch
# fetch http://security.FreeBSD.org/patches/SA-13:13/nullfs.patch.asc
# gpg --verify nullfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r255445
releng/8.3/                                                       r255446
releng/8.4/                                                       r255447
stable/9/                                                         r255443
releng/9.1/                                                       r255448
releng/9.2/                                                       r255444
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

URL:http
FreeBSD Security Advisory FreeBSD-SA-13:10.sctp [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:10.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in sctp(4)

Category:       core
Module:         sctp
Announced:      2013-08-22
Credits:        Julian Seward, Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2013-08-15 04:25:16 UTC (stable/9, 9.2-PRERELEASE)
                2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC1-p1)
                2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC2)
                2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6)
                2013-08-15 04:35:25 UTC (stable/8, 8.4-STABLE)
                2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3)
                2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10)
CVE Name:       CVE-2013-5209

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2013-08-22  Initial release.
v1.1  2013-09-07  Binary patch released for 9.2-RC1.

I.   Background

The SCTP protocol provides reliable, flow-controlled, two-way
transmission of data. It is a message oriented protocol and can support
the SOCK_STREAM and SOCK_SEQPACKET abstractions.

The SCTP protocol checks the integrity of messages by validating the
state cookie information that is returned from the peer.

II.  Problem Description

When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.

III. Impact

Fragments of kernel memory may be included in SCTP packets and
transmitted over the network. For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.

This memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No workaround is available, but systems not using the SCTP protocol are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch
# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r254354
releng/8.3/                                                       r254632
releng/8.4/                                                       r254632
stable/9/                                                         r254352
releng/9.1/                                                       r254631
releng/9.2/                                                       r254355
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5209>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc>
FreeBSD Security Advisory FreeBSD-SA-13:12.ifioctl

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:12.ifioctl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient credential checks in network ioctl(2)

Category:       core
Module:         sys_netinet6 sys_netatm
Announced:      2013-09-10
Credits:        Loganaden Velvindron
                Gleb Smirnoff
Affects:        All supported versions of FreeBSD.
Corrected:      2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC3-p1)
                2013-09-10 10:15:33 UTC (releng/9.1, 9.1-RELEASE-p7)
                2013-09-10 10:12:09 UTC (stable/8, 8.4-STABLE)
                2013-09-10 10:14:19 UTC (releng/8.4, 8.4-RELEASE-p4)
                2013-09-10 10:13:14 UTC (releng/8.3, 8.3-RELEASE-p11)
CVE Name:       CVE-2013-5691

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ioctl(2) system call allows an application to perform device- or
protocol-specific operations through a file or socket descriptor
associated with a specific device or protocol.

The SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK ioctl
requests are used to associate a network address, broadcast address,
destination address (for point-to-point interfaces) or netmask with an
interface. They operate on the assumption that each interface only has
one address per protocol, and are therefore of limited use for IPv4,
where interfaces may have more than one address. They were never
implemented for IPv6, where interfaces nearly always have at least two,
and in many cases three, addresses; nor were they ever implemented for
ATM.

II.  Problem Description

As is commonly the case, the IPv6 and ATM network layer ioctl request
handlers are written in such a way that an unrecognized request is
passed on unmodified to the link layer, which will either handle it or
return an error code.

Network interface drivers, however, assume that the SIOCSIFADDR,
SIOCSIFBRDADDR, SIOCSIFDSTADDR and SIOCSIFNETMASK requests have been
handled at the network layer, and therefore do not perform input
validation or verify the caller's credentials. Typical link-layer
actions for these requests may include marking the interface as up and
resetting the underlying hardware.

III. Impact

An unprivileged user with the ability to run arbitrary code can cause
any network interface in the system to perform the link layer actions
associated with a SIOCSIFADDR, SIOCSIFBRDADDR, SIOCSIFDSTADDR or
SIOCSIFNETMASK ioctl request; or trigger a kernel panic by passing a
specially crafted address structure which causes a network interface
driver to dereference an invalid pointer.

Although this has not been confirmed, the possibility that an attacker
may be able to execute arbitrary code in kernel context can not be
ruled out.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch
# fetch http://security.FreeBSD.org/patches/SA-13:12/ifioctl.patch.asc
# gpg --verify ifioctl.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r255445
releng/8.3/                                                       r255446
releng/8.4/                                                       r255447
stable/9/                                                         r255443
releng/9.1/                                                       r255448
releng/9.2
FreeBSD Security Advisory FreeBSD-SA-13:11.sendfile

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:11.sendfile                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in sendfile(2)

Category:       core
Module:         sendfile
Announced:      2013-09-10
Credits:        Ed Maste
Affects:        FreeBSD 9.2-RC1 and 9.2-RC2
Corrected:      2013-09-10 10:07:21 UTC (stable/9, 9.2-STABLE)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC1-p2)
                2013-09-10 10:08:20 UTC (releng/9.2, 9.2-RC2-p2)
CVE Name:       CVE-2013-5666

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The sendfile(2) system call allows a server application (such as an
HTTP or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory. High
performance servers such as Apache and ftpd use sendfile.

II.  Problem Description

On affected systems, if the length passed to sendfile(2) is non-zero
and greater than the length of the file being transmitted, sendfile(2)
will pad the transmission up to the requested length or the next
pagesize boundary, whichever is smaller. The content of the additional
bytes transmitted in this manner depends on the underlying filesystem,
but may potentially include information useful to an attacker.

III. Impact

An unprivileged user with the ability to run arbitrary code may be able
to obtain arbitrary kernel memory contents.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 9.2-STABLE]
# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-stable.patch
# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-stable.patch.asc
# gpg --verify sendfile-9.2-stable.patch.asc

[FreeBSD 9.2-RC1 and 9.2-RC2]
# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-rc.patch
# fetch http://security.FreeBSD.org/patches/SA-13:11/sendfile-9.2-rc.patch.asc
# gpg --verify sendfile-9.2-rc.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r255443
releng/9.2/                                                       r255444
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5666>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:11.sendfile.asc>
FreeBSD Security Advisory FreeBSD-SA-13:09.ip_multicast [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:09.ip_multicast                               Security Advisory
                                                          The FreeBSD Project

Topic:          integer overflow in IP_MSFILTER

Category:       core
Module:         kernel
Announced:      2013-08-22
Credits:        Clement Lecigne (Google Security Team)
Affects:        All supported versions of FreeBSD.
Corrected:      2013-08-22 00:51:37 UTC (stable/9, 9.2-PRERELEASE)
                2013-08-22 00:51:43 UTC (releng/9.1, 9.2-RC1-p1)
                2013-08-22 00:51:43 UTC (releng/9.2, 9.2-RC2-p1)
                2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6)
                2013-08-22 00:51:37 UTC (stable/8, 8.4-STABLE)
                2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3)
                2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10)
CVE Name:       CVE-2013-3077

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2013-08-22  Initial release.
v1.1  2013-09-07  Binary patch released for 9.2-RC1.

I.   Background

IP multicast is a method of sending Internet Protocol (IP) datagrams to
a group of interested receivers in a single transmission.

II.  Problem Description

An integer overflow in computing the size of a temporary buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An unprivileged process can read or write pages of memory which belong
to the kernel. These may lead to exposure of sensitive information or
allow privilege escalation.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch
# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch.asc
# gpg --verify ip_multicast.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r254629
releng/8.3/                                                       r254632
releng/8.4/                                                       r254632
stable/9/                                                         r254629
releng/9.1/                                                       r254631
releng/9.2/                                                       r254630
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3077>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc>
FreeBSD Security Advisory FreeBSD-SA-13:10.sctp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:10.sctp                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in sctp(4)

Category:       core
Module:         sctp
Announced:      2013-08-22
Credits:        Julian Seward, Michael Tuexen
Affects:        All supported versions of FreeBSD.
Corrected:      2013-08-15 04:25:16 UTC (stable/9, 9.2-PRERELEASE)
                2013-08-15 05:14:20 UTC (releng/9.2, 9.2-RC2)
                2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6)
                2013-08-15 04:35:25 UTC (stable/8, 8.4-STABLE)
                2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3)
                2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10)
CVE Name:       CVE-2013-5209

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The SCTP protocol provides reliable, flow-controlled, two-way
transmission of data. It is a message-oriented protocol and can support
the SOCK_STREAM and SOCK_SEQPACKET abstractions.

The SCTP protocol checks the integrity of messages by validating the
state cookie information that is returned from the peer.

II.  Problem Description

When initializing the SCTP state cookie being sent in INIT-ACK chunks,
a buffer allocated from the kernel stack is not completely initialized.

III. Impact

Fragments of kernel memory may be included in SCTP packets and
transmitted over the network. For each SCTP session, there are two
separate instances in which a 4-byte fragment may be transmitted.

This memory might contain sensitive information, such as portions of
the file cache or terminal buffers. This information might be directly
useful, or it might be leveraged to obtain elevated privileges in some
way. For example, a terminal buffer might include a user-entered
password.

IV.  Workaround

No workaround is available, but systems not using the SCTP protocol are
not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch
# fetch http://security.FreeBSD.org/patches/SA-13:10/sctp.patch.asc
# gpg --verify sctp.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r254354
releng/8.3/                                                       r254632
releng/8.4/                                                       r254632
stable/9/                                                         r254352
releng/9.1/                                                       r254631
releng/9.2/                                                       r254355
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XX with the revision number, on a machine
with Subversion installed:

# svn diff -cXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XX with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=XX>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5209>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:10.sctp.asc>
FreeBSD Security Advisory FreeBSD-SA-13:09.ip_multicast

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:09.ip_multicast                               Security Advisory
                                                          The FreeBSD Project

Topic:          integer overflow in IP_MSFILTER

Category:       core
Module:         kernel
Announced:      2013-08-22
Credits:        Clement Lecigne (Google Security Team)
Affects:        All supported versions of FreeBSD.
Corrected:      2013-08-22 00:51:37 UTC (stable/9, 9.2-PRERELEASE)
                2013-08-22 00:51:43 UTC (releng/9.2, 9.2-RC2-p1)
                2013-08-22 00:51:48 UTC (releng/9.1, 9.1-RELEASE-p6)
                2013-08-22 00:51:37 UTC (stable/8, 8.4-STABLE)
                2013-08-22 00:51:56 UTC (releng/8.4, 8.4-RELEASE-p3)
                2013-08-22 00:51:56 UTC (releng/8.3, 8.3-RELEASE-p10)
CVE Name:       CVE-2013-3077

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

IP multicast is a method of sending Internet Protocol (IP) datagrams to
a group of interested receivers in a single transmission.

II.  Problem Description

An integer overflow in computing the size of a temporary buffer can
result in a buffer which is too small for the requested operation.

III. Impact

An unprivileged process can read or write pages of memory which belong
to the kernel. These may lead to exposure of sensitive information or
allow privilege escalation.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch
# fetch http://security.FreeBSD.org/patches/SA-13:09/ip_multicast.patch.asc
# gpg --verify ip_multicast.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r254629
releng/8.3/                                                       r254632
releng/8.4/                                                       r254632
stable/9/                                                         r254629
releng/9.1/                                                       r254631
releng/9.2/                                                       r254630
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XX with the revision number, on a machine
with Subversion installed:

# svn diff -cXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XX with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=XX>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3077>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:09.ip_multicast.asc>
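The bug class both SA-13:09 advisories describe (a buffer size computed from a caller-supplied element count that wraps) modelled in userland as an added example; this is not FreeBSD kernel code, and the 128-byte entry type and the MAX_FILTER_SRCS cap are assumptions rather than the kernel's values. It shows the wrapped size the unchecked computation yields and the bounded, overflow-checked computation that refuses the same request.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for one multicast source-filter entry. The real kernel
 * structure is not reproduced here; its size is assumed to be 128 bytes. */
typedef struct {
    uint8_t bytes[128];
} filter_src_t;

/* Assumed per-socket cap on filter sources. The advisory does not quote the
 * FreeBSD limit, so this value is illustrative only. */
#define MAX_FILTER_SRCS 1024u

/* Bug-class model: the caller-supplied count is multiplied by the entry size
 * in 32-bit arithmetic, so a large count wraps to a small allocation size. */
uint32_t unchecked_buf_size(uint32_t nsrcs)
{
    return nsrcs * (uint32_t)sizeof(filter_src_t);
}

/* Hardened model: refuse counts above the policy cap and counts whose product
 * is not representable, then compute the size in size_t. Returns -1 when the
 * request is refused, otherwise the exact byte count required. */
int64_t checked_buf_size(uint32_t nsrcs)
{
    if (nsrcs > MAX_FILTER_SRCS)
        return -1;
    if (nsrcs > SIZE_MAX / sizeof(filter_src_t))
        return -1;
    return (int64_t)((size_t)nsrcs * sizeof(filter_src_t));
}

/* Would copying nsrcs entries into a buffer of buf_size bytes stay in bounds?
 * The product is formed in 64-bit so the comparison itself cannot wrap. */
bool copy_fits(uint32_t nsrcs, uint64_t buf_size)
{
    return (uint64_t)nsrcs * sizeof(filter_src_t) <= buf_size;
}

int main(void)
{
    /* Constructed count: 0x02000001 * 128 = 0x100000080, which wraps to 0x80. */
    uint32_t hostile = 0x02000001u;
    uint32_t wrapped = unchecked_buf_size(hostile);

    printf("unchecked: nsrcs=%u -> %u bytes, copy fits: %s\n",
           hostile, wrapped, copy_fits(hostile, wrapped) ? "yes" : "no");
    printf("checked:   nsrcs=%u -> %lld\n",
           hostile, (long long)checked_buf_size(hostile));
    printf("checked:   nsrcs=4 -> %lld\n",
           (long long)checked_buf_size(4));
    return 0;
}
```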
FreeBSD Security Advisory FreeBSD-SA-13:06.mmap [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:06.mmap                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation via mmap

Category:       core
Module:         kernel
Announced:      2013-06-18
Credits:        Konstantin Belousov
                Alan Cox
Affects:        FreeBSD 9.0 and later
Corrected:      2013-06-18 07:04:19 UTC (stable/9, 9.1-STABLE)
                2013-06-18 07:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
CVE Name:       CVE-2013-2171

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2013-06-18  Initial release.
v1.1  2013-06-21  Corrected correction date. Added workaround information.

I.   Background

The FreeBSD virtual memory system allows files to be memory-mapped. All
or parts of a file can be made available to a process via its address
space. The process can then access the file using memory operations
rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control another
(the traced process).

II.  Problem Description

Due to insufficient permission checks in the virtual memory system, a
tracing process (such as a debugger) may be able to modify portions of
the traced process's address space to which the traced process itself
does not have write access.

III. Impact

This error can be exploited to allow unauthorized modification of an
arbitrary file to which the attacker has read access, but not write
access. Depending on the file and the nature of the modifications, this
can result in privilege escalation.

To exploit this vulnerability, an attacker must be able to run
arbitrary code with user privileges on the target system.

IV.  Workaround

Systems that do not allow unprivileged users to use the ptrace(2)
system call are not vulnerable. This can be accomplished by setting the
sysctl variable security.bsd.unprivileged_proc_debug to zero.

Please note that this will also prevent debugging tools, for instance
gdb, truss and procstat, as well as some built-in debugging facilities
in certain scripting languages such as PHP, from working for
unprivileged users.

The following command will set the sysctl accordingly and works until
the next reboot of the system:

sysctl security.bsd.unprivileged_proc_debug=0

To make this change persistent across reboot, the system administrator
should also add the setting into /etc/sysctl.conf:

echo 'security.bsd.unprivileged_proc_debug=0' >> /etc/sysctl.conf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
# gpg --verify mmap.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r251902
releng/9.1/                                                       r251903
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XX with the revision number, on a machine
with Subversion installed:

# svn diff -cXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XX with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=XX>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc>
FreeBSD Security Advisory FreeBSD-SA-13:06.mmap

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-13:06.mmap                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation via mmap

Category:       core
Module:         kernel
Announced:      2013-06-18
Credits:        Konstantin Belousov
                Alan Cox
Affects:        FreeBSD 9.0 and later
Corrected:      2013-06-18 09:04:19 UTC (stable/9, 9.1-STABLE)
                2013-06-18 09:05:51 UTC (releng/9.1, 9.1-RELEASE-p4)
CVE Name:       CVE-2013-2171

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The FreeBSD virtual memory system allows files to be memory-mapped. All
or parts of a file can be made available to a process via its address
space. The process can then access the file using memory operations
rather than filesystem I/O calls.

The ptrace(2) system call provides tracing and debugging facilities by
allowing one process (the tracing process) to watch and control another
(the traced process).

II.  Problem Description

Due to insufficient permission checks in the virtual memory system, a
tracing process (such as a debugger) may be able to modify portions of
the traced process's address space to which the traced process itself
does not have write access.

III. Impact

This error can be exploited to allow unauthorized modification of an
arbitrary file to which the attacker has read access, but not write
access. Depending on the file and the nature of the modifications, this
can result in privilege escalation.

To exploit this vulnerability, an attacker must be able to run
arbitrary code with user privileges on the target system.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch
# fetch http://security.FreeBSD.org/patches/SA-13:06/mmap.patch.asc
# gpg --verify mmap.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/9/                                                         r251902
releng/9.1/                                                       r251903
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing XX with the revision number, on a machine
with Subversion installed:

# svn diff -cXX --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing XX with the revision number:

<URL:http://svnweb.freebsd.org/base?view=revision&revision=XX>

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2171>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:06.mmap.asc>
FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver
FreeBSD-SA-13:05.nfsserver                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient input validation in the NFS server

Category:       core
Module:         nfsserver
Announced:      2013-04-29
Credits:        Adam Nowacki
Affects:        All supported versions of FreeBSD.
Corrected:      2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE)
                2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8)
                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1)
                2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1)
                2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE)
                2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3)
CVE Name:       CVE-2013-3266

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were on local disks. FreeBSD includes server and
client implementations of NFS.

FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
NFSv2 and NFSv3 implementation and a new implementation which also
supports NFSv4. FreeBSD 9.0 and onward uses the new NFS implementation by
default.

II.  Problem Description

When processing READDIR requests, the NFS server does not check that it is
in fact operating on a directory node. An attacker can use a specially
modified NFS client to submit a READDIR request on a file, causing the
underlying filesystem to interpret that file as a directory.

III. Impact

The exact consequences of an attack depend on the amount of input
validation in the underlying filesystem:

- If the file resides on a UFS filesystem on a little-endian server, an
  attacker can cause random heap corruption with completely unpredictable
  consequences.

- If the file resides on a ZFS filesystem, an attacker can write arbitrary
  data on the stack. It is believed, but has not been confirmed, that this
  can be exploited to run arbitrary code in kernel context.

Other filesystems may also be vulnerable.

IV.  Workaround

Systems that do not provide NFS service are not vulnerable. Neither are
systems that do but use the old NFS implementation, which is the default
in FreeBSD 8.x.

To determine which implementation an NFS server is running, run the
following command:

# kldstat -v | grep -cw nfsd

This will print 1 if the system is running the new NFS implementation,
and 0 otherwise.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch
# fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc
# gpg --verify nfsserver.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r250058
releng/8.3/                                                       r250059
releng/8.4/                                                       r250062
stable/9/                                                         r250060
releng/9.1/                                                       r250061
-------------------------------------------------------------------------

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc>
FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver [REVISED]
FreeBSD-SA-13:05.nfsserver                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient input validation in the NFS server

Category:       core
Module:         nfsserver
Announced:      2013-04-29
Revised:        2013-04-29
Credits:        Adam Nowacki
Affects:        All supported versions of FreeBSD.
Corrected:      2013-04-29 21:10:49 UTC (stable/8, 8.4-PRERELEASE)
                2013-04-29 21:10:53 UTC (releng/8.3, 8.3-RELEASE-p8)
                2013-04-29 21:11:31 UTC (releng/8.4, 8.4-RC1-p1)
                2013-04-29 21:11:31 UTC (releng/8.4, 8.4-RC2-p1)
                2013-04-29 21:11:01 UTC (stable/9, 9.1-STABLE)
                2013-04-29 21:11:05 UTC (releng/9.1, 9.1-RELEASE-p3)
CVE Name:       CVE-2013-3266

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2013-04-29  Initial release.
v1.1  2013-04-29  Corrected patch URL. Additional workaround information.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were on local disks. FreeBSD includes server and
client implementations of NFS.

FreeBSD 8.0 and onward has two NFS implementations: the original CSRG
NFSv2 and NFSv3 implementation and a new implementation which also
supports NFSv4. FreeBSD 9.0 and onward uses the new NFS implementation by
default.

II.  Problem Description

When processing READDIR requests, the NFS server does not check that it is
in fact operating on a directory node. An attacker can use a specially
modified NFS client to submit a READDIR request on a file, causing the
underlying filesystem to interpret that file as a directory.

III. Impact

The exact consequences of an attack depend on the amount of input
validation in the underlying filesystem:

- If the file resides on a UFS filesystem on a little-endian server, an
  attacker can cause random heap corruption with completely unpredictable
  consequences.

- If the file resides on a ZFS filesystem, an attacker can write arbitrary
  data on the stack. It is believed, but has not been confirmed, that this
  can be exploited to run arbitrary code in kernel context.

Other filesystems may also be vulnerable.

IV.  Workaround

Systems that do not provide NFS service are not vulnerable. Neither are
systems that do but use the old NFS implementation, which is the default
in FreeBSD 8.x.

To determine which implementation an NFS server is running, run the
following command:

# kldstat -v | grep -cw nfsd

This will print 1 if the system is running the new NFS implementation,
and 0 otherwise.

To switch to the old NFS implementation:

1) Append the following lines to /etc/rc.conf:

nfsv4_server_enable=no
oldnfs_server_enable=yes

2) If the NFS server is compiled into the kernel (which is the case for
the stock GENERIC kernel), replace the NFSD option with the NFSSERVER
option, then recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html>. If the NFS server
is not compiled into the kernel, the correct module will be loaded at boot
time.

3) Finally, reboot the system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:05/nfsserver.patch
# fetch http://security.FreeBSD.org/patches/SA-13:05/nfsserver.patch.asc
# gpg --verify nfsserver.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r250068
releng/8.3
FreeBSD Security Advisory FreeBSD-SA-13:03.openssl
FreeBSD-SA-13:03.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2013-04-02
Affects:        All supported versions of FreeBSD.
Corrected:      2013-03-08 17:28:40 UTC (stable/8, 8.3-STABLE)
                2013-04-02 17:34:42 UTC (releng/8.3, 8.3-RELEASE-p7)
                2013-03-14 17:48:07 UTC (stable/9, 9.1-STABLE)
                2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
                2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
CVE Name:       CVE-2013-0166, CVE-2013-0169

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A flaw in the OpenSSL handling of OCSP response verification could be
exploited to cause a denial of service attack. [CVE-2013-0166]

OpenSSL has a weakness in the handling of CBC ciphersuites in SSL, TLS and
DTLS. The weakness could reveal plaintext in a timing attack.
[CVE-2013-0169]

III. Impact

The Denial of Service could be caused in the OpenSSL server application by
using an invalid key. [CVE-2013-0166]

A remote attacker could recover sensitive information by conducting an
attack via statistical analysis of timing data with crafted packets.
[CVE-2013-0169]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.3 and 9.0]
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl.patch.asc
# gpg --verify openssl.patch.asc

[FreeBSD 9.1]
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl-9.1.patch
# fetch http://security.FreeBSD.org/patches/SA-13:03/openssl-9.1.patch.asc
# gpg --verify openssl-9.1.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons using the library, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r248057
releng/8.3/                                                       r249029
stable/9/                                                         r248272
releng/9.0/                                                       r249029
releng/9.1/                                                       r249029
-------------------------------------------------------------------------

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0169>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0166>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:03.openssl.asc>
FreeBSD Security Advisory FreeBSD-SA-13:04.bind
FreeBSD-SA-13:04.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote denial of service

Category:       contrib
Module:         bind
Announced:      2013-04-02
Credits:        Matthew Horsfall of Dyn, Inc.
Affects:        FreeBSD 8.4-BETA1 and FreeBSD 9.x
Corrected:      2013-03-28 05:35:46 UTC (stable/8, 8.4-BETA1)
                2013-03-28 05:39:45 UTC (stable/9, 9.1-STABLE)
                2013-04-02 17:34:42 UTC (releng/9.0, 9.0-RELEASE-p7)
                2013-04-02 17:34:42 UTC (releng/9.1, 9.1-RELEASE-p2)
CVE Name:       CVE-2013-2266

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The
named(8) daemon is an Internet Domain Name Server. The libdns library is a
library of DNS protocol support functions.

II.  Problem Description

A flaw in a library used by BIND allows an attacker to deliberately cause
excessive memory consumption by the named(8) process. This affects both
recursive and authoritative servers.

III. Impact

A remote attacker can cause the named(8) daemon to consume all available
memory and crash, resulting in a denial of service. Applications linked
with the libdns library, for instance dig(1), may also be affected.

IV.  Workaround

No workaround is available, but systems not running named(8) service and
not using base system DNS utilities are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-13:04/bind.patch.asc
# gpg --verify bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the named daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r248807
stable/9/                                                         r248808
releng/9.0/                                                       r249029
releng/9.1/                                                       r249029
-------------------------------------------------------------------------

VII. References

<URL:https://kb.isc.org/article/AA-00871>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2266>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:04.bind.asc>
FreeBSD Security Advisory FreeBSD-SA-13:01.bind
FreeBSD-SA-13:01.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote DoS with deliberately crafted DNS64 query

Category:       contrib
Module:         bind
Announced:      2013-02-19
Affects:        FreeBSD 9.x and later
Corrected:      2013-01-08 09:05:09 UTC (stable/9, 9.1-STABLE)
                2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6)
                2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1)
CVE Name:       CVE-2012-5688

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The
named(8) daemon is an Internet Domain Name Server.

DNS64 is an IPv6 transition mechanism that will return a synthesized
response even if there is only an A record available.

II.  Problem Description

Due to a software defect a crafted query can cause named(8) to crash with
an assertion failure.

III. Impact

If named(8) is configured to use DNS64, an attacker who can send it a
query can cause named(8) to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems not configured to use DNS64 using
the dns64 configuration statement are not vulnerable. DNS64 is not enabled
in the default configuration on FreeBSD.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Restart the named(8) daemon, or reboot your system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-13:01/bind.patch.asc
# gpg --verify bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart the named(8) daemon, or reboot your system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart the named(8) daemon, or reboot your system.

4) Alternatively, install and run BIND from the Ports Collection after the
correction date. The following versions and newer versions of BIND
installed from the Ports Collection are not affected by this
vulnerability:

bind98-9.8.4.1
bind99-9.9.2.1

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/9/                                                         r245163
releng/9.0/                                                       r246989
releng/9.1/                                                       r246989
-------------------------------------------------------------------------

VII. References

<URL:https://kb.isc.org/article/AA-00828>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5688>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:01.bind.asc>
FreeBSD Security Advisory FreeBSD-SA-13:02.libc
FreeBSD-SA-13:02.libc                                       Security Advisory
                                                          The FreeBSD Project

Topic:          glob(3) related resource exhaustion

Category:       core
Module:         libc
Announced:      2013-02-19
Affects:        All supported versions of FreeBSD.
Corrected:      2013-02-05 09:53:32 UTC (stable/7, 7.4-STABLE)
                2013-02-19 13:27:20 UTC (releng/7.4, 7.4-RELEASE-p12)
                2013-02-05 09:53:32 UTC (stable/8, 8.3-STABLE)
                2013-02-19 13:27:20 UTC (releng/8.3, 8.3-RELEASE-p6)
                2013-02-05 09:53:32 UTC (stable/9, 9.1-STABLE)
                2013-02-19 13:27:20 UTC (releng/9.0, 9.0-RELEASE-p6)
                2013-02-19 13:27:20 UTC (releng/9.1, 9.1-RELEASE-p1)
CVE Name:       CVE-2010-2632

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The glob(3) function is a pathname generator that implements the rules for
file name pattern matching used by the shell.

II.  Problem Description

GLOB_LIMIT is supposed to limit the number of paths in order to protect
against memory or CPU exhaustion attacks. The implementation, however, is
insufficient.

III. Impact

An attacker that is able to exploit this vulnerability could cause
excessive memory or CPU usage, resulting in a Denial of Service. A common
target for a remote attacker could be ftpd(8).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch
# fetch http://security.FreeBSD.org/patches/SA-13:02/libc.patch.asc
# gpg --verify libc.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

Restart all daemons, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart all daemons, or reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r246357
releng/7.4/                                                       r246989
stable/8/                                                         r246357
releng/8.3/                                                       r246989
stable/9/                                                         r246357
releng/9.0/                                                       r246989
releng/9.1/                                                       r246989
-------------------------------------------------------------------------

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2632>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-13:02.libc.asc>
FreeBSD Security Advisory FreeBSD-SA-12:06.bind
FreeBSD-SA-12:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple Denial of Service vulnerabilities with named(8)

Category:       contrib
Module:         bind
Announced:      2012-11-22
Affects:        All supported versions of FreeBSD before 9.1-RC2.
Corrected:      2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
                2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
                2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE)
                2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
                2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE)
                2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name:       CVE-2012-4244, CVE-2012-5166

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The
named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

The BIND daemon would crash when a query is made on a resource record with
RDATA that exceeds 65535 bytes.

The BIND daemon would lock up when a query is made on specific
combinations of RDATA.

III. Impact

A remote attacker can query a resolving name server to retrieve a record
whose RDATA is known to be larger than 65535 bytes, thereby causing the
resolving server to crash via an assertion failure in named.

An attacker who is in a position to add a record with RDATA larger than
65535 bytes to an authoritative name server can cause that server to crash
by later querying for that record. The attacker can also cause the server
to lock up with specific combinations of RDATA.

IV.  Workaround

No workaround is available, but systems not running the BIND name server
are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated after
the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on the
i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from the
Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.4
bind97-9.7.6.4
bind98-9.8.3.4
bind99-9.9.1.4

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r243418
releng/7.4/                                                       r243417
stable/8/                                                         r241443
releng/8.3/                                                       r243417
stable/9/                                                         r241415
releng/9.0/                                                       r243417
releng/9.1/                                                       r243417
-------------------------------------------------------------------------

VII. References

<URL:https://kb.isc.org/article/AA-00778>
<URL:https://kb.isc.org/article/AA-00801>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc>
FreeBSD Security Advisory FreeBSD-SA-12:07.hostapd
FreeBSD-SA-12:07.hostapd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient message length validation for EAP-TLS messages

Category:       contrib
Module:         wpa
Announced:      2012-11-22
Credits:        Timo Warns, Jouni Malinen
Affects:        FreeBSD 8.0 and later.
Corrected:      2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
                2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
                2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
                2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name:       CVE-2012-4445

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The hostapd utility is an authenticator for IEEE 802.11 networks. It
provides full support for WPA/IEEE 802.11i and can also act as an IEEE
802.1X Authenticator with a suitable backend Authentication Server
(typically FreeRADIUS).

EAP-TLS is the original, standard wireless LAN EAP authentication protocol
defined in RFC 5216. It uses PKI to secure communication to a RADIUS
authentication server or another type of authentication server.

II.  Problem Description

The internal authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages.

III. Impact

A remote attacker could cause the hostapd daemon to abort by sending
specially crafted EAP-TLS messages, resulting in a Denial of Service.

IV.  Workaround

No workaround is available, but systems not running hostapd are not
vulnerable.

Note that for FreeBSD 8.x systems, the EAP-TLS authentication method is
not enabled by default. Systems running FreeBSD 8.x are only affected when
hostapd is built with -DEAP_SERVER and as such, binary installations from
the official release are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 8-STABLE or 9-STABLE, or to the
RELENG_8_3 or RELENG_9_0 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 8.3 and 9.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch.asc

[FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

3) To update your vulnerable system via a binary patch:

Systems running 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2, or 9.1-RC3 on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                        rrevision
releng/8.3/                                                      rrevision
stable/9/                                                        rrevision
releng/9.0/                                                      rrevision
releng/9.1/                                                      rrevision
-------------------------------------------------------------------------

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-12:07.hostapd.asc>
FreeBSD Security Advisory FreeBSD-SA-12:08.linux
FreeBSD-SA-12:08.linux                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Linux compatibility layer input validation error

Category:       core
Module:         kernel
Announced:      2012-11-22
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
                2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
                2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
                2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
                2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
                2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
                2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name:       CVE-2012-4576

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.

II.  Problem Description

A programming error in the handling of some Linux system calls may result
in memory locations being accessed without proper validation.

III. Impact

It is possible for a local attacker to overwrite portions of kernel
memory, which may result in a privilege escalation or cause a system
panic.

IV.  Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.

The following command can be used to test if the Linux binary
compatibility layer is loaded:

# kldstat -m linuxelf

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_9_0, or RELENG_9_1 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
9.0, and 9.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch
# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2,
or 9.1-RC3 on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/7/                                                         r243418
releng/7.4/                                                       r243417
stable/8/                                                         r243417
releng/8.3/                                                       r243417
stable/9/                                                         r243417
releng/9.0/                                                       r243417
releng/9.1/                                                       r243417
-------------------------------------------------------------------------

VII. References

<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4576>

The latest revision of this advisory is available at
<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-12:08.linux.asc>
FreeBSD Security Advisory FreeBSD-SA-12:05.bind
=============================================================================
FreeBSD-SA-12:05.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          named(8) DNSSEC validation Denial of Service

Category:       contrib
Module:         bind
Announced:      2012-08-06
Credits:        Einar Lonn of IIS.se
Affects:        All supported versions of FreeBSD
Corrected:      2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE)
                2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10)
                2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE)
                2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4)
                2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10)
                2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13)
                2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE)
                2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4)
CVE Name:       CVE-2012-3817

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

BIND 9 stores a cache of query names that are known to be failing due to
misconfigured name servers or a broken chain of trust. Under high query
loads, when DNSSEC validation is active, it is possible for a condition
to arise in which data from this cache of failing queries could be used
before it was fully initialized, triggering an assertion failure.

III. Impact

A remote attacker that is able to generate a high volume of DNSSEC
validation enabled queries can trigger the assertion failure that causes
named(8) to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving
name server with dnssec-validation enabled are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/dns
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE, or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.2
bind97-9.7.6.2
bind98-9.8.3.2
bind99-9.9.1.2

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/resolver.c                         1.1.1.9.2.11
RELENG_7_4
  src/UPDATING                                              1.507.2.36.2.12
  src/sys/conf/newvers.sh                                    1.72.2.18.2.15
  src/contrib/bind9/lib/dns/resolver.c                      1.1.1.9.2.8.2.1
RELENG_8
  src/contrib/bind9/CHANGES                                        1.9.2.15
  src/contrib/bind9/lib/dns/resolver.c                              1.3.2.6
  src/contrib/bind9/lib/dns/zone.c                                 1.6.2.10
  src/contrib/bind9/lib/isc/random.c                                1.2.2.4
  src/contrib/bind9/version                                        1.9.2.15
RELENG_8_3
  src/UPDATING                                               1.632.2.26.2.6
  src/sys/conf/newvers.sh                                     1.83.2.15.2.8
  src/contrib/bind9/lib/dns/resolver.c                          1.6.2.7.2.1
RELENG_8_2
  src/UPDATING
FreeBSD Security Advisory FreeBSD-SA-12:04.sysret [REVISED]
=============================================================================
FreeBSD-SA-12:04.sysret                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation when returning from kernel

Category:       core
Module:         sys_amd64
Announced:      2012-06-12
Credits:        Rafal Wojtczuk, John Baldwin
Affects:        All supported versions of FreeBSD
Corrected:      2012-06-12 12:10:10 UTC (RELENG_7, 7.4-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_7_4, 7.4-RELEASE-p9)
                2012-06-12 12:10:10 UTC (RELENG_8, 8.3-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_8_3, 8.3-RELEASE-p3)
                2012-06-12 12:10:10 UTC (RELENG_8_2, 8.2-RELEASE-p9)
                2012-06-18 21:00:54 UTC (RELENG_8_1, 8.1-RELEASE-p12)
                2012-06-12 12:10:10 UTC (RELENG_9, 9.0-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_9_0, 9.0-RELEASE-p3)
CVE Name:       CVE-2012-0217

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

0.   Revision History

v1.0  2012-06-12  Initial release.
v1.1  2012-06-19  Corrected patch for FreeBSD 8.1.

I.   Background

The FreeBSD operating system implements a rings model of security, where
privileged operations are done in the kernel, and most applications
request access to these operations by making a system call, which puts
the CPU into the required privilege level and passes control to the
kernel.

II.  Problem Description

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying
behaviour of CPUs in 64 bit mode, a sanity check of the kernel may be
insufficient when returning from a system call.

III. Impact

Successful exploitation of the problem can lead to local kernel privilege
escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with
user privileges on the target system.

IV.  Workaround

No workaround is available. However FreeBSD/amd64 running on AMD CPUs is
not vulnerable to this particular problem.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable, nor are systems running on different
processor architectures.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[7.4, 8.3, 8.2, 9.0]
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch.asc

[8.1]
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81.patch.asc

[8.1 if original sysret.patch has been applied]
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81-correction.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret-81-correction.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE, or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/sys/amd64/amd64/trap.c                                     1.319.2.14
RELENG_7_4
  src/UPDATING                                              1.507.2.36.2.11
  src/sys/conf/newvers.sh                                    1.72.2.18.2.14
  src/sys/amd64/amd64/trap.c                                 1.319.2.12.2.2
RELENG_8
  src/sys/amd64/amd64/trap.c                                     1.332.2.24
RELENG_8_3
  src/UPDATING                                               1.632.2.26.2.5
  src/sys/conf/newvers.sh                                     1.83.2.15.2.7
  src/sys/amd64/amd64/trap.c                                 1.332.2.21.2.2
RELENG_8_2
  src/UPDATING                                              1.632.2.19.2.11
  src/sys/conf/newvers.sh
FreeBSD Security Advisory FreeBSD-SA-12:03.bind
=============================================================================
FreeBSD-SA-12:03.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect handling of zero-length RDATA fields in named(8)

Category:       contrib
Module:         bind
Announced:      2012-06-12
Credits:        Dan Luther, Jeffrey A. Spain
Affects:        All supported versions of FreeBSD
Corrected:      2012-06-12 12:10:10 UTC (RELENG_7, 7.4-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_7_4, 7.4-RELEASE-p9)
                2012-06-04 22:21:55 UTC (RELENG_8, 8.3-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_8_3, 8.3-RELEASE-p3)
                2012-06-12 12:10:10 UTC (RELENG_8_2, 8.2-RELEASE-p9)
                2012-06-12 12:10:10 UTC (RELENG_8_1, 8.1-RELEASE-p11)
                2012-06-04 22:14:33 UTC (RELENG_9, 9.0-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_9_0, 9.0-RELEASE-p3)
CVE Name:       CVE-2012-1667

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

The named(8) server does not properly handle DNS resource records where
the RDATA field is zero length, which may cause various issues for the
servers handling them.

III. Impact

Resolving servers may crash or disclose some portion of memory to the
client. Authoritative servers may crash on restart after transferring a
zone containing records with zero-length RDATA fields. These would result
in a denial of service, or leak of sensitive information.

IV.  Workaround

No workaround is available, but systems not running the BIND name server
are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, and 8.1-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind.patch.asc

[FreeBSD 9.0-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind-90.patch
# fetch http://security.FreeBSD.org/patches/SA-12:03/bind-90.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE, or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.1
bind97-9.7.6.1
bind98-9.8.3.1
bind99-9.9.1.1

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/rdata.c                             1.1.1.5.2.4
  src/contrib/bind9/lib/dns/rdataslab.c                         1.1.1.2.2.5
RELENG_7_4
  src/UPDATING                                              1.507.2.36.2.11
  src/sys/conf/newvers.sh                                    1.72.2.18.2.14
  src/contrib/bind9/lib/dns/rdata.c                         1.1.1.5.2.1.2.1
  src/contrib/bind9/lib/dns/rdataslab.c                     1.1.1.2.2.3.2.1
RELENG_8
  src/contrib/bind9/lib/dns/rdata.c                                 1.2.2.4
  src/contrib/bind9/lib/dns/rdataslab.c                             1.2.2.5
RELENG_8_3
  src/UPDATING                                               1.632.2.26.2.5
  src/sys/conf/newvers.sh                                     1.83.2.15.2.7
  src/contrib/bind9/lib/dns/rdata.c                             1.2.2.2.2.1
  src/contrib/bind9/lib/dns/rdataslab.c                         1.2.2.3.2.1
RELENG_8_2
  src/UPDATING
FreeBSD Security Advisory FreeBSD-SA-12:04.sysret
=============================================================================
FreeBSD-SA-12:04.sysret                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation when returning from kernel

Category:       core
Module:         sys_amd64
Announced:      2012-06-12
Credits:        Rafal Wojtczuk, John Baldwin
Affects:        All supported versions of FreeBSD
Corrected:      2012-06-12 12:10:10 UTC (RELENG_7, 7.4-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_7_4, 7.4-RELEASE-p9)
                2012-06-12 12:10:10 UTC (RELENG_8, 8.3-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_8_3, 8.3-RELEASE-p3)
                2012-06-12 12:10:10 UTC (RELENG_8_2, 8.2-RELEASE-p9)
                2012-06-12 12:10:10 UTC (RELENG_8_1, 8.1-RELEASE-p11)
                2012-06-12 12:10:10 UTC (RELENG_9, 9.0-STABLE)
                2012-06-12 12:10:10 UTC (RELENG_9_0, 9.0-RELEASE-p3)
CVE Name:       CVE-2012-0217

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The FreeBSD operating system implements a rings model of security, where
privileged operations are done in the kernel, and most applications
request access to these operations by making a system call, which puts
the CPU into the required privilege level and passes control to the
kernel.

II.  Problem Description

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying
behaviour of CPUs in 64 bit mode, a sanity check of the kernel may be
insufficient when returning from a system call.

III. Impact

Successful exploitation of the problem can lead to local kernel privilege
escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with
user privileges on the target system.

IV.  Workaround

No workaround is available. However FreeBSD/amd64 running on AMD CPUs is
not vulnerable to this particular problem.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable, nor are systems running on different
processor architectures.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE, or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/sys/amd64/amd64/trap.c                                     1.319.2.14
RELENG_7_4
  src/UPDATING                                              1.507.2.36.2.11
  src/sys/conf/newvers.sh                                    1.72.2.18.2.14
  src/sys/amd64/amd64/trap.c                                 1.319.2.12.2.2
RELENG_8
  src/sys/amd64/amd64/trap.c                                     1.332.2.24
RELENG_8_3
  src/UPDATING                                               1.632.2.26.2.5
  src/sys/conf/newvers.sh                                     1.83.2.15.2.7
  src/sys/amd64/amd64/trap.c                                 1.332.2.21.2.2
RELENG_8_2
  src/UPDATING                                              1.632.2.19.2.11
  src/sys/conf/newvers.sh                                    1.83.2.12.2.14
  src/sys/amd64/amd64/trap.c                                 1.332.2.14.2.2
RELENG_8_1
  src/UPDATING                                              1.632.2.14.2.14
  src/sys/conf/newvers.sh                                    1.83.2.10.2.15
  src/sys/amd64/amd64/trap.c                                 1.332.2.10.2.2
RELENG_9
  src/sys/amd64/amd64/trap.c                                      1.357.2.9
RELENG_9_0
  src/UPDATING                                                1.702.2.4.2.5
FreeBSD Security Advisory FreeBSD-SA-12:01.openssl
=============================================================================
FreeBSD-SA-12:01.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2012-05-03
Credits:        Adam Langley, George Kadianakis, Ben Laurie,
                Ivan Nestlerode, Tavis Ormandy
Affects:        All supported versions of FreeBSD.
Corrected:      2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
                2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
                2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
                2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
                2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
                2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
                2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
                2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name:       CVE-2011-4576, CVE-2011-4619, CVE-2011-4109, CVE-2012-0884,
                CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

0.   Revision History

v1.0  2012-05-02  Initial release.
v1.1  2012-05-30  Updated patch to add SGC and BUF_MEM_grow_clean(3) bug
                  fixes.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates or
RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed when
communicating with an SSL 3.0 peer. However, the FreeBSD OpenSSL version
does not support the SSL_MODE_RELEASE_BUFFERS SSL mode and therefore has
a single write buffer per connection. That write buffer is partially
filled with non-sensitive, handshake data at the beginning of the
connection and, thereafter, only records which are longer than any
previously sent record leak any non-encrypted data. This, combined with
the small number of bytes leaked per record, serves to limit the severity
of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In practice
only automated systems will be affected as humans will not be willing to
process this many messages. SSL/TLS applications are not affected.
[CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead to
a potentially exploitable attack via buffer overflow. The SSL/TLS code in
OpenSSL is not affected by this issue, nor are applications using the
memory based ASN.1 functions. There are no applications in the FreeBSD
base system affected by this issue, though some 3rd party consumers of
these functions might be vulnerable when processing untrusted ASN.1 data.
[CVE-2012-2110]

The patch provided with the initial version of this advisory introduced a
bug to the Server Gated Cryptography (SGC) handshake code
FreeBSD Security Advisory FreeBSD-SA-12:02.crypt
=============================================================================
FreeBSD-SA-12:02.crypt                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect crypt() hashing

Category:       core
Module:         libcrypt
Announced:      2012-05-30
Credits:        Rubin Xu, Joseph Bonneau, Donting Yu
Affects:        All supported versions of FreeBSD.
Corrected:      2012-05-30 12:01:28 UTC (RELENG_7, 7.4-STABLE)
                2012-05-30 12:01:28 UTC (RELENG_7_4, 7.4-RELEASE-p8)
                2012-05-30 12:01:28 UTC (RELENG_8, 8.3-STABLE)
                2012-05-30 12:01:28 UTC (RELENG_8_3, 8.3-RELEASE-p2)
                2012-05-30 12:01:28 UTC (RELENG_8_2, 8.2-RELEASE-p8)
                2012-05-30 12:01:28 UTC (RELENG_8_1, 8.1-RELEASE-p10)
                2012-05-30 12:01:28 UTC (RELENG_9, 9.0-STABLE)
                2012-05-30 12:01:28 UTC (RELENG_9_0, 9.0-RELEASE-p2)
CVE Name:       CVE-2012-2143

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

The crypt(3) function performs password hashing with additional code
added to deter key search attempts.

II.  Problem Description

There is a programming error in the DES implementation used in crypt()
when handling input which contains characters that cannot be represented
with 7-bit ASCII.

III. Impact

When the input contains characters with only the most significant bit set
(0x80), that character and all characters after it will be ignored.

IV.  Workaround

No workaround is available, but systems not using crypt(), or which only
use it to handle 7-bit ASCII are not vulnerable.

Note that, because DES does not have the computational complexity to
defeat brute force search on modern computers, it is not recommended for
new applications.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 8.3,
8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:02/crypt.patch
# fetch http://security.FreeBSD.org/patches/SA-12:02/crypt.patch.asc

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libcrypt
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
URL:http://www.FreeBSD.org/handbook/makeworld.html

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE, or
9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/secure/lib/libcrypt/crypt-des.c                             1.16.24.1
RELENG_7_4
  src/UPDATING                                              1.507.2.36.2.10
  src/sys/conf/newvers.sh                                    1.72.2.18.2.13
  src/secure/lib/libcrypt/crypt-des.c                             1.16.40.2
RELENG_8
  src/secure/lib/libcrypt/crypt-des.c                             1.16.36.2
RELENG_8_3
  src/UPDATING                                               1.632.2.26.2.4
  src/sys/conf/newvers.sh                                     1.83.2.15.2.6
  src/secure/lib/libcrypt/crypt-des.c                         1.16.36.1.8.2
RELENG_8_2
  src/UPDATING                                              1.632.2.19.2.10
  src/sys/conf/newvers.sh                                    1.83.2.12.2.13
  src/secure/lib/libcrypt/crypt-des.c                         1.16.36.1.6.2
RELENG_8_1
  src/UPDATING                                              1.632.2.14.2.13
  src/sys/conf/newvers.sh                                    1.83.2.10.2.14
  src/secure/lib/libcrypt/crypt-des.c                         1.16.36.1.4.2
RELENG_9
  src/secure/lib/libcrypt/crypt-des.c                             1.16.42.2
RELENG_9_0
  src/UPDATING                                                1.702.2.4.2.4
  src/sys/conf/newvers.sh                                      1.95.2.4.2.6
  src
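As an added illustration of the crypt() defect described in this advisory (this is a model written for this page, not FreeBSD's crypt-des.c or its patch), the C program below reproduces the DES key-setup loop in which each password byte is stored shifted left by one and the input pointer only advances while the stored value is non-zero, so a 0x80 byte shifts to 0x00 and is treated as the end of the string. The loop shape, the corrected variant and the sample passwords are my reconstruction and constructed inputs; the helper names are not from the FreeBSD source.

```c
/* Added example, not FreeBSD's crypt-des.c: a model of the traditional DES
 * crypt() key-setup loop, to show how a 0x80 byte truncates the password
 * (CVE-2012-2143). Assumption: the defective loop stores (byte << 1) in an
 * 8-bit cell and only advances through the password while the *stored*
 * value is non-zero. */
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 8   /* traditional DES crypt() uses at most 8 password bytes */

/* Key buffer as computed by the defective loop. 0x80 << 1 is 0x100, which is
 * 0x00 in an unsigned char, so the loop treats the 0x80 byte as the string
 * terminator: it never advances past it and every remaining cell stays 0. */
void des_key_vulnerable(const char *key, unsigned char out[KEY_BYTES])
{
    unsigned char *q = out;
    while (q < out + KEY_BYTES) {
        if ((*q++ = (unsigned char)((unsigned char)*key << 1)) != 0)
            key++;                       /* bug: tests the shifted value */
    }
}

/* Same loop, advancing on the original byte instead of the shifted one.
 * The top bit is still discarded (DES uses 7 bits per byte), so a lone
 * 0x80 contributes nothing, but the bytes after it are no longer dropped. */
void des_key_fixed(const char *key, unsigned char out[KEY_BYTES])
{
    unsigned char *q = out;
    while (q < out + KEY_BYTES) {
        *q++ = (unsigned char)((unsigned char)*key << 1);
        if (*key != '\0')                /* advance while input remains */
            key++;
    }
}

/* 1 if the defective key setup derives the same DES key for a and b,
 * i.e. the two passwords would verify against the same hash. */
int vulnerable_keys_collide(const char *a, const char *b)
{
    unsigned char ka[KEY_BYTES], kb[KEY_BYTES];
    des_key_vulnerable(a, ka);
    des_key_vulnerable(b, kb);
    return memcmp(ka, kb, KEY_BYTES) == 0;
}

/* 1 if this password hashes differently before and after the fix, so an
 * existing hash for it must be regenerated. A trailing 0x80, or a 0x80
 * beyond the 8th byte, does not count: the fixed code ignores those too. */
int affected_by_truncation(const char *pw)
{
    unsigned char kv[KEY_BYTES], kf[KEY_BYTES];
    des_key_vulnerable(pw, kv);
    des_key_fixed(pw, kf);
    return memcmp(kv, kf, KEY_BYTES) != 0;
}

static void show(const char *label, const char *pw)
{
    unsigned char kv[KEY_BYTES], kf[KEY_BYTES];
    des_key_vulnerable(pw, kv);
    des_key_fixed(pw, kf);
    printf("%-20s vulnerable:", label);
    for (int i = 0; i < KEY_BYTES; i++) printf(" %02x", kv[i]);
    printf("  fixed:");
    for (int i = 0; i < KEY_BYTES; i++) printf(" %02x", kf[i]);
    printf("  affected=%d\n", affected_by_truncation(pw));
}

int main(void)
{
    /* Constructed sample passwords. "\x80" is kept in its own string
     * literal so the hex escape does not swallow the letters after it. */
    show("pw", "pw");
    show("pw 0x80 xyz", "pw\x80" "xyz");
    show("pw 0x80", "pw\x80");
    show("secret", "secret");
    return 0;
}
```

With the defective loop, "pw" followed by 0x80 and any suffix yields the same key as "pw" alone; the fixed loop keeps the suffix.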
FreeBSD Security Advisory FreeBSD-SA-12:01.openssl
=============================================================================
FreeBSD-SA-12:01.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2012-05-03
Credits:        Adam Langley, George Kadianakis, Ben Laurie,
                Ivan Nestlerode, Tavis Ormandy
Affects:        All supported versions of FreeBSD.
Corrected:      2012-05-03 15:25:11 UTC (RELENG_7, 7.4-STABLE)
                2012-05-03 15:25:11 UTC (RELENG_7_4, 7.4-RELEASE-p7)
                2012-05-03 15:25:11 UTC (RELENG_8, 8.3-STABLE)
                2012-05-03 15:25:11 UTC (RELENG_8_3, 8.3-RELEASE-p1)
                2012-05-03 15:25:11 UTC (RELENG_8_2, 8.2-RELEASE-p7)
                2012-05-03 15:25:11 UTC (RELENG_8_1, 8.1-RELEASE-p9)
                2012-05-03 15:25:11 UTC (RELENG_9, 9.0-STABLE)
                2012-05-03 15:25:11 UTC (RELENG_9_0, 9.0-RELEASE-p1)
CVE Name:       CVE-2011-4576, CVE-2011-4619, CVE-2011-4109, CVE-2012-0884,
                CVE-2012-2110

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and
Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

OpenSSL fails to clear the bytes used as block cipher padding in SSL 3.0
records when operating as a client or a server that accepts SSL 3.0
handshakes. As a result, in each record, up to 15 bytes of uninitialized
memory may be sent, encrypted, to the SSL peer. This could include
sensitive contents of previously freed memory. [CVE-2011-4576]

OpenSSL support for handshake restarts for server gated cryptography (SGC)
can be used in a denial-of-service attack. [CVE-2011-4619]

If an application uses OpenSSL's certificate policy checking when
verifying X509 certificates, by enabling the X509_V_FLAG_POLICY_CHECK
flag, a policy check failure can lead to a double-free. [CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can be exploited using
Bleichenbacher's attack on PKCS #1 v1.5 RSA padding also known as the
million message attack (MMA). [CVE-2012-0884]

The asn1_d2i_read_bio() function, used by the d2i_*_bio and d2i_*_fp
functions, in OpenSSL contains multiple integer errors that can cause
memory corruption when parsing encoded ASN.1 data. This error can occur
on systems that parse untrusted ASN.1 data, such as X.509 certificates or
RSA public keys. [CVE-2012-2110]

III. Impact

Sensitive contents of the previously freed memory can be exposed when
communicating with an SSL 3.0 peer. However, the FreeBSD OpenSSL version
does not support the SSL_MODE_RELEASE_BUFFERS SSL mode and therefore has
a single write buffer per connection. That write buffer is partially
filled with non-sensitive, handshake data at the beginning of the
connection and, thereafter, only records which are longer than any
previously sent record leak any non-encrypted data. This, combined with
the small number of bytes leaked per record, serves to limit the severity
of this issue. [CVE-2011-4576]

Denial of service can be caused in the OpenSSL server application
supporting server gated cryptography by performing multiple handshake
restarts. [CVE-2011-4619]

The double-free, when an application performs X509 certificate policy
checking, can lead to denial of service in that application.
[CVE-2011-4109]

A weakness in the OpenSSL PKCS #7 code can lead to a successful
Bleichenbacher attack. Only users of PKCS #7 decryption operations are
affected. A successful attack needs on average 2^20 messages. In practice
only automated systems will be affected as humans will not be willing to
process this many messages. SSL/TLS applications are not affected.
[CVE-2012-0884]

The vulnerability in the asn1_d2i_read_bio() OpenSSL function can lead to
a potentially exploitable attack via buffer overflow. The SSL/TLS code in
OpenSSL is not affected by this issue, nor are applications using the
memory based ASN.1 functions. There are no applications in the FreeBSD
base system affected by this issue, though some 3rd party consumers of
these functions might be vulnerable when processing untrusted ASN.1 data.
[CVE-2012-2110]

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE or 9-STABLE, or
to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, RELENG_9_0 security
branch dated after the correction date.

2
FreeBSD Security Advisory FreeBSD-SA-11:07.chroot
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:07.chroot                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Code execution via chrooted ftpd

Category:       core
Module:         libc
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

Chroot is an operation that changes the apparent root directory for the current process and its children. The chroot(2) system call is widely used in many applications as a measure of limiting a process's access to the file system, as part of implementing privilege separation.

The nsdispatch(3) API implementation has a feature to reload its configuration on demand. This feature may also load shared libraries and run code provided by the library when requested by the configuration file.

II.  Problem Description

The nsdispatch(3) API has no mechanism to alert it to whether it is operating within a chroot environment in which the standard paths for configuration files and shared libraries may be untrustworthy.

The FreeBSD ftpd(8) daemon can be configured to use chroot(2), and also uses the nsdispatch(3) API.

III. Impact

If ftpd is configured to place a user in a chroot environment, then an attacker who can log in as that user may be able to run arbitrary code with elevated (root) privileges.

IV.  Workaround

Don't use ftpd with the chroot option.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 7.3 and 7.4]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch.asc

[FreeBSD 8.1 and 8.2]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in <URL:http://www.freebsd.org/handbook/makeworld.html> and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) This update adds a new API, __FreeBSD_libc_enter_restricted_mode(), to the C library, which completely disables loading of shared libraries upon return. Applications doing chroot(2) jails need to be updated to call this API explicitly right after the chroot(2) operation as a safety measure.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/include/unistd.h                                             1.80.2.4
  src/lib/libc/include/libc_private.h                              1.17.2.4
  src/lib/libc/Versions.def                                         1.3.2.3
  src/lib/libc/net/nsdispatch.c                                    1.14.2.3
  src/lib/libc/gen/Symbol.map                                       1.6.2.7
  src/lib/libc/gen/Makefile.inc                                   1.128.2.6
  src/lib/libc/gen/libc_dlopen.c                                    1.2.2.2
  src/libexec/ftpd/popen.c                                        1.26.10.2
  src/libexec/ftpd/ftpd.c                                         1.212.2.2
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.7
  src/sys/conf/newvers.sh                                    1.72.2.18.2.10
  src/include/unistd.h
FreeBSD Security Advisory FreeBSD-SA-11:08.telnetd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the TELNET virtual terminal protocol. It has been disabled by default in FreeBSD since August 2001, and due to the lack of cryptographic security in the TELNET protocol, it is strongly recommended that the SSH protocol be used instead. The FreeBSD telnet daemon can be enabled via the /etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream (but it is not cryptographically strong and should not be relied upon in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary code with the privileges of the daemon (which is usually the root superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon are not vulnerable.

Note that the telnet daemon is usually run via inetd, and consequently will not show up in a process listing unless a connection is currently active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2, and 8.1 systems.

a) Download the patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.24.1
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.7
  src/sys/conf/newvers.sh                                    1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.40.2
RELENG_7_3
  src/UPDATING                                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                                    1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c           1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c            1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c                           1.9.36.2
RELENG_8_2
  src/UPDATING
FreeBSD Security Advisory FreeBSD-SA-11:09.pam_ssh
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-11 20:40:23 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-11 20:38:36 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-11 16:57:27 UTC (RELENG_9, 9.0-STABLE)
                2011-12-11 17:32:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or /usr/local/etc/pam.d/<policy name>.

The base system includes a module named pam_ssh which, if enabled, allows users to authenticate themselves by typing in the passphrase of one of the SSH private keys which are stored in encrypted form in their .ssh directory. Authentication is considered successful if at least one of these keys could be decrypted using the provided passphrase.

By default, the pam_ssh module rejects SSH private keys with no passphrase. A nullok option exists to allow these keys.

II.  Problem Description

The OpenSSL library call used to decrypt private keys ignores the passphrase argument if the key is not encrypted. Because the pam_ssh module only checks whether the passphrase provided by the user is null, users with unencrypted SSH private keys may successfully authenticate themselves by providing a dummy passphrase.

III. Impact

If the pam_ssh module is enabled, attackers may be able to gain access to user accounts which have unencrypted SSH private keys.

IV.  Workaround

No workaround is available, but systems that do not have the pam_ssh module enabled are not vulnerable. The pam_ssh module is not enabled in any of the default policies provided in the base system.

The system administrator can use the following procedure to inspect all PAM policy files to determine whether the pam_ssh module is enabled. If the following command produces any output, the system may be vulnerable:

# egrep -r '^[^#].*\<pam_ssh\>' /etc/pam.* /usr/local/etc/pam.*

The following command will disable the pam_ssh module in all PAM policies present in the system:

# sed -i '' -e '/^[^#].*pam_ssh/s/^/#/' /etc/pam.conf /etc/pam.d/* \
    /usr/local/etc/pam.conf /usr/local/etc/pam.d/*

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch
# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam/modules/pam_ssh
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:
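The decision the advisory describes, worked through as an added example in C. This is not the pam_ssh module and not its fix: it detects the header lines that the traditional OpenSSL PEM format writes on an encrypted key ("Proc-Type: 4,ENCRYPTED" and "DEK-Info: ..."), and refuses to count a successful decryption as proof of anything when the key carried no encryption, unless the module's nullok option is in effect. The function names, the `decrypted` flag standing in for the library call's outcome, and the sample PEM bodies are constructed for this example.

```c
/*
 * Added example; not the pam_ssh module or its fix.
 * pem_key_is_encrypted() looks for the headers the traditional OpenSSL
 * PEM format places on an encrypted key.  pam_ssh_accept() then refuses
 * to treat a successful decryption as proof of a passphrase when the
 * key was never encrypted, mirroring the failure the advisory describes.
 * 'nullok' stands for the module option of that name; 'decrypted' is
 * the outcome of the key-loading call, which the advisory notes succeeds
 * for an unencrypted key whatever passphrase is supplied.
 */
#include <stddef.h>
#include <string.h>

/* Return 1 if the PEM text carries the OpenSSL encryption headers, else 0. */
int pem_key_is_encrypted(const char *pem)
{
    const char *begin, *headers_end, *proc, *dek;

    if (pem == NULL)
        return 0;
    begin = strstr(pem, "-----BEGIN ");
    if (begin == NULL)
        return 0;
    /* PEM headers sit between the BEGIN line and the first blank line. */
    headers_end = strstr(begin, "\n\n");
    proc = strstr(begin, "Proc-Type: 4,ENCRYPTED");
    dek = strstr(begin, "DEK-Info:");
    if (proc == NULL || dek == NULL)
        return 0;
    /* A match that only occurs inside the base64 body does not count. */
    if (headers_end != NULL && (proc > headers_end || dek > headers_end))
        return 0;
    return 1;
}

/* Returns 1 to accept the authentication attempt, 0 to reject it. */
int pam_ssh_accept(const char *pem, const char *passphrase, int decrypted, int nullok)
{
    if (!decrypted)
        return 0;
    if (!pem_key_is_encrypted(pem))
        return nullok ? 1 : 0;    /* the passphrase proved nothing */
    /* Encrypted key: a non-empty passphrase that decrypted it is the proof. */
    return (passphrase != NULL && passphrase[0] != '\0') ? 1 : 0;
}

/* Constructed sample keys: only the header section differs; the bodies
 * are placeholders, not key material. */
const char ENCRYPTED_PEM[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    "PLACEHOLDERBASE64BODY\n"
    "-----END RSA PRIVATE KEY-----\n";

const char PLAIN_PEM[] =
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "PLACEHOLDERBASE64BODY\n"
    "-----END RSA PRIVATE KEY-----\n";
```

The vulnerable behaviour the advisory describes corresponds to skipping the `pem_key_is_encrypted` test and accepting whenever `decrypted` is set and the passphrase is non-null; with the check in place an unencrypted key plus a dummy passphrase is rejected unless nullok was deliberately configured.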
FreeBSD Security Advisory FreeBSD-SA-11:10.pam
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:10.pam                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pam_start() does not validate service names

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Matthias Drochner
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE)
                2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4122

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/<policy name>, /usr/local/etc/pam.conf or /usr/local/etc/pam.d/<policy name>.

The PAM API is a de facto industry standard which has been implemented by several parties. FreeBSD uses the OpenPAM implementation.

II.  Problem Description

Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the policy on the command line. Since OpenPAM treats the policy name as a path relative to /etc/pam.d or /usr/local/etc/pam.d, users who are permitted to run such an application can craft their own policies and cause the application to load and execute their own modules.

III. Impact

If an application that runs with root privileges allows the user to specify the name of the PAM policy to load, users who are permitted to run that application will be able to execute arbitrary code with root privileges.

There are no vulnerable applications in the base system.

IV.  Workaround

No workaround is available, but systems without untrusted users are not vulnerable.

Inspect any third-party setuid / setgid binaries which use the PAM library and ascertain whether they allow the user to specify the policy name, then either change the binary's permissions to prevent its use or remove it altogether.

The following command will output a non-zero number if a dynamically linked binary uses libpam:

# ldd /usr/local/bin/suspicious_binary | grep -c libpam

The following command will output a non-zero number if a statically linked binary uses libpam:

# grep -acF /etc/pam.d/ /usr/local/bin/suspicious_binary

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch
# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/openpam/lib/openpam_configure.c                  1.1.1.7.20.2
RELENG_7_4
  src/UPDATING
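The validation an application should apply before handing a user-supplied policy name to pam_start(3), as an added example in C. This is not OpenPAM or FreeBSD code, and the accepted character set and length limit are assumptions chosen for the example; the point is that, because OpenPAM resolves the name as a path relative to /etc/pam.d or /usr/local/etc/pam.d, any name containing a path separator or a leading dot must be rejected, and a setuid program is better off mapping a fixed set of choices onto fixed policy names than accepting free text at all.

```c
/*
 * Added example (not OpenPAM or FreeBSD code): two ways for an
 * application to keep a user-supplied PAM policy name from steering
 * pam_start(3) to a file of the caller's choosing.  The character
 * set, the length limit and the list of known policies are
 * assumptions made for this example.
 */
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define PAM_SERVICE_NAME_MAX 64   /* assumed limit for this example */

/* Return 1 if 'name' is acceptable as a PAM policy name, else 0. */
int pam_service_name_ok(const char *name)
{
    size_t len;

    if (name == NULL)
        return 0;
    len = strnlen(name, PAM_SERVICE_NAME_MAX + 1);
    if (len == 0 || len > PAM_SERVICE_NAME_MAX)
        return 0;
    if (name[0] == '.')             /* rejects ".", "..", and dotfiles */
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\')  /* never a path component separator */
            return 0;
        if (!(islower(c) || isdigit(c) || c == '-' || c == '_' || c == '.'))
            return 0;
    }
    return 1;
}

/*
 * Safer shape for a setuid program: ignore the user's text entirely
 * and map a small set of known choices to fixed policy names.
 * Returns the fixed policy name, or NULL if the choice is unknown.
 */
const char *pam_service_from_choice(const char *choice)
{
    static const char *const allowed[] = { "login", "sshd", "xdm", "passwd" };

    if (choice == NULL)
        return NULL;
    for (size_t i = 0; i < sizeof(allowed) / sizeof(allowed[0]); i++)
        if (strcmp(choice, allowed[i]) == 0)
            return allowed[i];
    return NULL;
}
```

The second form is the one to prefer where the application only ever needs a handful of policies: a rejected name is a rejected name, but a name that was never read from the user cannot be abused at all.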
FreeBSD Security Advisory FreeBSD-SA-11:05.unix [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:05.unix                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in handling of UNIX socket addresses

Category:       core
Module:         kern
Announced:      2011-09-28
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2011-10-04 19:07:38 UTC (RELENG_7, 7.4-STABLE)
                2011-10-04 19:07:38 UTC (RELENG_7_4, 7.4-RELEASE-p4)
                2011-10-04 19:07:38 UTC (RELENG_7_3, 7.3-RELEASE-p8)
                2011-10-04 19:07:38 UTC (RELENG_8, 8.2-STABLE)
                2011-10-04 19:07:38 UTC (RELENG_8_2, 8.2-RELEASE-p4)
                2011-10-04 19:07:38 UTC (RELENG_8_1, 8.1-RELEASE-p6)
                2011-10-04 19:07:38 UTC (RELENG_9, 9.0-RC1)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2011-09-28  Initial release.
v1.1  2011-10-04  Updated patch to add linux emulation bug fix.

I.   Background

UNIX-domain sockets, also known as local sockets, are a mechanism for interprocess communication. They are similar to Internet sockets (and utilize the same system calls) but instead of relying on IP addresses and port numbers, UNIX-domain sockets have addresses in the local file system address space.

FreeBSD contains linux emulation support via system call translation in order to make it possible to use certain linux applications without recompilation.

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address is returned via other system calls, it is copied into a fixed-length buffer.

Linux uses a larger socket address structure for UNIX-domain sockets than FreeBSD, and FreeBSD's linux emulation code did not translate UNIX-domain socket addresses into the correct size of structure.

III. Impact

A local user can cause the FreeBSD kernel to panic. It may also be possible to execute code with elevated privileges (gain root), escape from a jail, or to bypass security mechanisms in other ways.

The patch provided with the initial version of this advisory exposed the pre-existing bug in FreeBSD's linux emulation code, resulting in attempts to use UNIX sockets from linux applications failing. The most common instance where UNIX sockets were used by linux applications is in the context of the X windowing system, including the widely used linux flash web browser plugin.

IV.  Workaround

No workaround is available, but systems without untrusted local users are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix2.patch.asc

NOTE: The patch distributed at the time of the original advisory fixed the security vulnerability but exposed the pre-existing bug in the linux emulation subsystem. Systems to which the original patch was applied should be patched with the following corrective patch, which contains only the additional changes required to fix the newly-exposed linux emulation bug:

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix-linux.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_usrreq.c                                     1.206.2.13
  src/sys/compat/linux/linux_socket.c                             1.74.2.15
RELENG_7_4
  src/UPDATING
FreeBSD Security Advisory FreeBSD-SA-11:03.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:03.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-09-28
Credits:        Roy Arends
Affects:        8.2-STABLE after 2011-05-28 and prior to the correction date
Corrected:      2011-07-06 00:50:54 UTC (RELENG_8, 8.2-STABLE)
CVE Name:       CVE-2011-2464

Note: This advisory concerns a vulnerability which existed only in the FreeBSD 8-STABLE branch and was fixed over two months prior to the date of this advisory.

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A logic error in the BIND code causes the BIND daemon to accept bogus data, which could cause the daemon to crash.

III. Impact

An attacker able to send traffic to the BIND daemon can cause it to crash, resulting in a denial of service.

IV.  Workaround

No workaround is available, but systems not running the BIND name server are not affected.

V.   Solution

Upgrade your vulnerable system to 8-STABLE dated after the correction date.

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_8
  src/contrib/bind9/lib/dns/message.c                               1.3.2.3
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r223815
- -------------------------------------------------------------------------

VII. References

http://www.isc.org/software/bind/advisories/cve-2011-2464
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2464

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:03.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk6C4CYACgkQFdaIBMps37LwQgCeIDVGsCWOLoVdmWogOOaPC1UG
9G8AoJPlRbNmkEWMg7uoOYrvjWlRRdlK
=aUvD
-----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-11:05.unix
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:05.unix                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in handling of UNIX socket addresses

Category:       core
Module:         kern
Announced:      2011-09-28
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2011-09-28 08:47:17 UTC (RELENG_7, 7.4-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_7_4, 7.4-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_7_3, 7.3-RELEASE-p7)
                2011-09-28 08:47:17 UTC (RELENG_8, 8.2-STABLE)
                2011-09-28 08:47:17 UTC (RELENG_8_2, 8.2-RELEASE-p3)
                2011-09-28 08:47:17 UTC (RELENG_8_1, 8.1-RELEASE-p5)
                2011-09-28 08:47:17 UTC (RELENG_9, 9.0-RC1)

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets, also known as local sockets, are a mechanism for interprocess communication. They are similar to Internet sockets (and utilize the same system calls) but instead of relying on IP addresses and port numbers, UNIX-domain sockets have addresses in the local file system address space.

II.  Problem Description

When a UNIX-domain socket is attached to a location using the bind(2) system call, the length of the provided path is not validated. Later, when this address is returned via other system calls, it is copied into a fixed-length buffer.

III. Impact

A local user can cause the FreeBSD kernel to panic. It may also be possible to execute code with elevated privileges (gain root), escape from a jail, or to bypass security mechanisms in other ways.

IV.  Workaround

No workaround is available, but systems without untrusted local users are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.4, 7.3, 8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch
# fetch http://security.FreeBSD.org/patches/SA-11:05/unix.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_usrreq.c                                     1.206.2.13
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.5
  src/sys/conf/newvers.sh                                     1.72.2.18.2.8
  src/sys/kern/uipc_usrreq.c                                 1.206.2.11.4.2
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.9
  src/sys/conf/newvers.sh                                    1.72.2.16.2.11
  src/sys/kern/uipc_usrreq.c                                 1.206.2.11.2.2
RELENG_8
  src/sys/kern/uipc_usrreq.c                                      1.233.2.6
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.5
  src/sys/conf/newvers.sh                                     1.83.2.12.2.8
  src/sys/kern/uipc_usrreq.c                                  1.233.2.2.2.2
RELENG_8_1
  src/UPDATING                                               1.632.2.14.2.8
  src/sys/conf/newvers.sh                                     1.83.2.10.2.9
  src/sys/kern/uipc_usrreq.c                                  1.233.2.1.4.2
RELENG_9
  src/sys/kern/uipc_usrreq.c                                      1.244.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r225827
releng/7.4/                                                       r225827
releng/7.3
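Both SA-11:05 (a bind(2) path copied into a fixed-length sun_path) and SA-11:08 above (a protocol-supplied key length copied into a fixed-size buffer) are the same defect: a caller-controlled length is trusted before the copy. The added example below, in C and written for user space rather than the kernel (it is not FreeBSD code), shows the check in both its concrete form for sockaddr_un and its generic form. It bounds the copy by sizeof(sun_path), keeps room for the terminating NUL, and rejects an embedded NUL; the function names and the demonstration inputs are constructed for this example.

```c
/*
 * Added example (not FreeBSD kernel code): validate a caller-supplied
 * length before copying into a fixed-size buffer.  unix_addr_from_path()
 * is the sockaddr_un instance of the rule; copy_bounded() is the
 * generic form that also covers a protocol-supplied key length.
 */
#include <stddef.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Size of the fixed sun_path field on this platform (104 or 108 bytes). */
#define SUN_PATH_MAX (sizeof(((struct sockaddr_un *)0)->sun_path))

/*
 * Fill 'sa' from a path of 'len' bytes that need not be NUL-terminated.
 * Returns the sockaddr length to hand to bind(2), or 0 if the path
 * is empty, contains a NUL, or does not fit together with its NUL.
 */
socklen_t unix_addr_from_path(struct sockaddr_un *sa, const char *path, size_t len)
{
    if (sa == NULL || path == NULL)
        return 0;
    if (len == 0 || len >= SUN_PATH_MAX)     /* leave room for the NUL */
        return 0;
    if (memchr(path, '\0', len) != NULL)     /* embedded NUL: reject */
        return 0;
    memset(sa, 0, sizeof(*sa));
    sa->sun_family = AF_UNIX;
    memcpy(sa->sun_path, path, len);
    sa->sun_path[len] = '\0';
    return (socklen_t)(offsetof(struct sockaddr_un, sun_path) + len + 1);
}

/*
 * Generic form: copy 'len' bytes from 'src' into 'dst' of size 'dstsz'
 * only if they fit.  Returns the number of bytes copied, or 0 if rejected.
 */
size_t copy_bounded(void *dst, size_t dstsz, const void *src, size_t len)
{
    if (dst == NULL || src == NULL || len == 0 || len > dstsz)
        return 0;
    memcpy(dst, src, len);
    return len;
}

/* Constructed demonstration: a normal path is accepted and preserved. */
int demo_sample_path_accepted(void)
{
    struct sockaddr_un sa;
    const char *p = "/tmp/example.sock";
    socklen_t n = unix_addr_from_path(&sa, p, strlen(p));
    return n > 0 && sa.sun_family == AF_UNIX && strcmp(sa.sun_path, p) == 0;
}

/* Constructed demonstration: a path longer than sun_path is refused. */
int demo_overlong_path_rejected(void)
{
    struct sockaddr_un sa;
    char path[SUN_PATH_MAX + 64];
    memset(path, 'a', sizeof(path));
    return unix_addr_from_path(&sa, path, sizeof(path)) == 0;
}
```

The point the advisory makes is that validating at bind(2) time is what protects every later consumer of the stored address: once an overlong path has been accepted, each place that copies it back out into a fixed buffer becomes a separate overflow.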
FreeBSD Security Advisory FreeBSD-SA-11:02.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:02.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND remote DoS with large RRSIG RRsets and negative caching

Category:       contrib
Module:         bind
Announced:      2011-05-28
Credits:        Frank Kloeker, Michael Sinatra.
Affects:        All supported versions of FreeBSD.
Corrected:      2011-05-28 00:58:19 UTC (RELENG_7, 7.4-STABLE)
                2011-05-28 08:44:39 UTC (RELENG_7_3, 7.3-RELEASE-p6)
                2011-05-28 08:44:39 UTC (RELENG_7_4, 7.4-RELEASE-p2)
                2011-05-28 00:33:06 UTC (RELENG_8, 8.2-STABLE)
                2011-05-28 08:44:39 UTC (RELENG_8_1, 8.1-RELEASE-p4)
                2011-05-28 08:44:39 UTC (RELENG_8_2, 8.2-RELEASE-p2)
CVE Name:       CVE-2011-1910

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin authentication and authenticated denial of existence to resolvers.

II.  Problem Description

Very large RRSIG RRsets included in a negative response can trigger an assertion failure that will crash named(8) due to an off-by-one error in a buffer size check.

III. Impact

If named(8) is being used as a recursive resolver, an attacker who controls a DNS zone being resolved can cause named(8) to crash, resulting in a denial of (DNS resolving) service. DNSSEC does not need to be enabled on the resolver for it to be vulnerable.

IV.  Workaround

No workaround is available, but systems not running the BIND DNS server or using it exclusively as an authoritative name server (i.e., not as a caching resolver) are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.3, 7.4, 8.1 and 8.2 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-11:02/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

3) To update your vulnerable system via a binary patch:

Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE, or 8.2-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/ncache.c                            1.1.1.2.2.3
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.4
  src/sys/conf/newvers.sh                                     1.72.2.18.2.7
  src/contrib/bind9/lib/dns/ncache.c                        1.1.1.2.2.2.2.1
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.8
  src/sys/conf/newvers.sh                                    1.72.2.16.2.10
  src/contrib/bind9/lib/dns/ncache.c                           1.1.1.2.10.1
RELENG_8
  src/contrib/bind9/lib/dns/ncache.c                                1.2.2.4
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.4
  src/sys/conf/newvers.sh                                     1.83.2.12.2.7
  src/contrib/bind9/lib/dns/ncache.c                            1.2.2.2.2.1
RELENG_8_1
  src/UPDATING                                               1.632.2.14.2.7
  src/sys/conf/newvers.sh                                     1.83.2.10.2.8
  src/contrib/bind9/lib/dns/ncache.c                            1.2.2.1.2.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r222399
releng/7.4
FreeBSD Security Advisory FreeBSD-SA-11:01.mountd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-11:01.mountd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Network ACL mishandling in mountd(8)

Category:       core
Module:         mountd
Announced:      2011-04-20
Credits:        Ruslan Ermilov
Affects:        All supported versions of FreeBSD
Corrected:      2011-04-20 21:00:24 UTC (RELENG_7, 7.4-STABLE)
                2011-04-20 21:00:24 UTC (RELENG_7_3, 7.3-RELEASE-p5)
                2011-04-20 21:00:24 UTC (RELENG_7_4, 7.4-RELEASE-p1)
                2011-04-20 21:00:24 UTC (RELENG_8, 8.2-STABLE)
                2011-04-20 21:00:24 UTC (RELENG_8_1, 8.1-RELEASE-p3)
                2011-04-20 21:00:24 UTC (RELENG_8_2, 8.2-RELEASE-p1)
CVE Name:       CVE-2011-1739

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The mountd(8) daemon services NFS mount requests from other client machines. When mountd is started, it loads the export host addresses and options into the kernel using the mount(2) system call.

II.  Problem Description

While parsing the exports(5) table, a network mask in the form of -network=netname/prefixlength results in an incorrect network mask being computed if the prefix length is not a multiple of 8.

For example, specifying the ACL for an export as -network 192.0.2.0/23 would result in a netmask of 255.255.127.0 being used instead of the correct netmask of 255.255.254.0.

III. Impact

When using a prefix length which is not a multiple of 8, access would be granted to the wrong client systems.

IV.  Workaround

For IPv4-only systems, using the -netmask option instead of CIDR notation for -network circumvents this bug.

A firewall such as pf(4) can (and probably should) be used to restrict access to the NFS server.

Systems not providing NFS service, or using a prefix length which is a multiple of 8 in all ACLs, are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_2, RELENG_8_1, RELENG_7_4, RELENG_7_3 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.3, 7.4, 8.1 and 8.2 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:01/mountd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:01/mountd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/mountd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.3-RELEASE, 7.4-RELEASE, 8.1-RELEASE or 8.2-RELEASE on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/usr.sbin/mountd/mountd.c                                     1.94.2.3
RELENG_7_4
  src/UPDATING                                               1.507.2.36.2.3
  src/sys/conf/newvers.sh                                     1.72.2.18.2.6
  src/usr.sbin/mountd/mountd.c                                 1.94.2.2.8.2
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.7
  src/sys/conf/newvers.sh                                     1.72.2.16.2.9
  src/usr.sbin/mountd/mountd.c                                 1.94.2.2.6.2
RELENG_8
  src/usr.sbin/mountd/mountd.c                                    1.105.2.3
RELENG_8_2
  src/UPDATING                                               1.632.2.19.2.3
  src/sys/conf/newvers.sh                                     1.83.2.12.2.6
  src/usr.sbin/mountd/mountd.c                                1.105.2.2.4.2
RELENG_8_1
  src/UPDATING                                               1.632.2.14.2.6
  src/sys/conf/newvers.sh                                     1.83.2.10.2.7
  src/usr.sbin/mountd/mountd.c                                1.105.2.2.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r220901
releng/7.3
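The netmask computation behind SA-11:01, worked through as an added example in C (not mountd or FreeBSD code). netmask_from_prefix() is the correct calculation for any prefix length 0 to 32. netmask_from_prefix_lowbits() is a hypothetical reconstruction, not the actual mountd source: it fills the partial octet from its low bits rather than its high bits, which reproduces exactly the result the advisory quotes (255.255.127.0 for /23) while agreeing with the correct function whenever the prefix is a multiple of 8, matching the advisory's statement of which ACLs are affected. acl_matches() then shows how the wrong mask admits a host outside the intended network and turns away one inside it; the helper names and sample addresses are constructed for this example.

```c
/*
 * Added example (not mountd code): CIDR prefix to IPv4 netmask, the
 * correct way and a hypothetical faulty way that yields the result
 * the advisory describes, plus the ACL comparison the mask feeds.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Pack dotted-quad components into a host-order 32-bit address. */
uint32_t ipv4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* A prefix length is only meaningful from 0 to 32 bits. */
int prefix_valid(unsigned prefix)
{
    return prefix <= 32;
}

/* Correct mask: the top 'prefix' bits set.  Requires prefix_valid(). */
uint32_t netmask_from_prefix(unsigned prefix)
{
    if (prefix == 0)
        return 0;                       /* avoid a 32-bit shift by 32 */
    return (uint32_t)(0xFFFFFFFFu << (32 - prefix));
}

/*
 * Hypothetical faulty variant (an assumption for illustration, not the
 * mountd source): builds the mask octet by octet but sets the LOW bits
 * of the partial octet.  For /23 the third octet becomes 0x7F, giving
 * 255.255.127.0; for multiples of 8 there is no partial octet, so the
 * result is correct, which is why only those prefixes are unaffected.
 */
uint32_t netmask_from_prefix_lowbits(unsigned prefix)
{
    uint32_t mask = 0;
    unsigned full = prefix / 8, rem = prefix % 8;
    for (unsigned i = 0; i < 4; i++) {
        unsigned octet;
        if (i < full)
            octet = 0xFF;
        else if (i == full)
            octet = (1u << rem) - 1;    /* low bits: the wrong end of the octet */
        else
            octet = 0;
        mask = (mask << 8) | octet;
    }
    return mask;
}

/* Render a host-order address or mask as a dotted quad into buf[16]. */
char *dotted(uint32_t v, char buf[16])
{
    snprintf(buf, 16, "%u.%u.%u.%u", (unsigned)(v >> 24), (unsigned)((v >> 16) & 0xFF),
             (unsigned)((v >> 8) & 0xFF), (unsigned)(v & 0xFF));
    return buf;
}

/* The export ACL test: does 'client' fall inside network/mask? */
int acl_matches(uint32_t client, uint32_t network, uint32_t mask)
{
    return (client & mask) == (network & mask);
}
```

With the export from the advisory, 192.0.2.0/23, the correct mask admits 192.0.3.5 and rejects 192.0.130.1; the low-bits mask does the opposite, which is the "access granted to the wrong client systems" of section III. The same comparison shows why the -netmask workaround is sound: a mask given explicitly never passes through the prefix conversion.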
FreeBSD Security Advisory FreeBSD-SA-10:10.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:10.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL multiple vulnerabilities

Category:       contrib
Module:         openssl
Announced:      2010-11-29
Credits:        Georgi Guninski, Rob Hulswit
Affects:        FreeBSD 7.0 and later
Corrected:      2010-11-26 22:50:58 UTC (RELENG_8, 8.1-STABLE)
                2010-11-29 20:43:06 UTC (RELENG_8_1, 8.1-RELEASE-p2)
                2010-11-29 20:43:06 UTC (RELENG_8_0, 8.0-RELEASE-p6)
                2010-11-28 13:45:51 UTC (RELENG_7, 7.3-STABLE)
                2010-11-29 20:43:06 UTC (RELENG_7_3, 7.3-RELEASE-p4)
                2010-11-29 20:43:06 UTC (RELENG_7_1, 7.1-RELEASE-p16)
CVE Name:       CVE-2010-2939, CVE-2010-3864

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project
is a collaborative effort to develop a robust, commercial-grade,
full-featured Open Source toolkit implementing the Secure Sockets Layer
(SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a
full-strength general purpose cryptography library.

II.  Problem Description

A race condition exists in the OpenSSL TLS server extension code parsing
when used in a multi-threaded application which uses OpenSSL's internal
caching mechanism.  The race condition can lead to a buffer overflow.
[CVE-2010-3864]

A double free exists in the SSL client ECDH handling code, when
processing specially crafted public keys with invalid prime numbers.
[CVE-2010-2939]

III. Impact

For affected server applications, an attacker may be able to utilize the
buffer overflow to crash the application or potentially run arbitrary
code with the privileges of the application.  [CVE-2010-3864]

It may be possible to cause a DoS or potentially execute arbitrary code
in the context of the user connection to a malicious SSL server.
[CVE-2010-2939]

IV.  Workaround

No workaround is available, but CVE-2010-3864 only affects FreeBSD 8.0
and later.

It should also be noted that CVE-2010-3864 affects neither the Apache
HTTP server nor Stunnel.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl7.patch.asc

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-10:10/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, 8.0-RELEASE or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.6
  src/sys/conf/newvers.sh                                     1.72.2.16.2.8
  src/crypto/openssl/ssl/s3_clnt.c                         1.1.1.14.2.1.4.1
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.19
  src/sys/conf/newvers.sh                                     1.72.2.9.2.20
  src/crypto/openssl/ssl/s3_clnt.c                             1.1.1.14.6.2
RELENG_8_1
  src/UPDATING                                               1.632.2.14.2.5
  src/sys/conf/newvers.sh                                     1.83.2.10.2.6
  src/crypto/openssl/ssl/s3_clnt.c                              1.3.2.1.2.1
  src/crypto/openssl/ssl/t1_lib.c
FreeBSD Security Advisory FreeBSD-SA-10:09.pseudofs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:09.pseudofs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Spurious mutex unlock

Category:       core
Module:         pseudofs
Announced:      2010-11-10
Credits:        Przemyslaw Frasunek
Affects:        FreeBSD 7.x prior to 7.3-RELEASE, 8.x prior to 8.0-RC1
Corrected:      2009-09-05 13:10:54 UTC (RELENG_8, 8.0-RC1)
                2009-09-05 13:31:16 UTC (RELENG_7, 7.2-STABLE)
                2010-11-10 23:36:13 UTC (RELENG_7_1, 7.1-RELEASE-p15)
CVE Name:       CVE-2010-4210

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

pseudofs offers an abstract API for pseudo file systems which is
utilized by procfs(5) and linprocfs(5).  It provides generic file system
services, such as ACLs and extended attributes, which interface with VFS
and which are otherwise onerous to implement.  This enables pseudo file
system authors to add this functionality to their file systems with
minimal effort.

II.  Problem Description

The pfs_getextattr(9) function, used by pseudofs for handling extended
attributes, attempts to unlock a mutex which was not previously locked.

III. Impact

On systems where a pseudofs-using filesystem is mounted and NULL page
mapping is allowed, an attacker can overwrite arbitrary memory locations
in the kernel with zero, and in certain cases execute arbitrary code in
the context of the kernel.

On systems which do not allow NULL page mapping, an attacker can cause
the FreeBSD kernel to panic.

IV.  Workaround

Exploiting this vulnerability requires that the adversary can open a
file on a file system which uses pseudofs.  This includes procfs(5) or
linprocfs(5).  Un-mounting these file systems will mitigate the risk
associated with this vulnerability.

Provided that the patch associated with the FreeBSD-EN-09:05.null errata
notice has been applied, setting the security.bsd.map_at_zero sysctl to
0 will prevent arbitrary code execution (but a kernel panic will still
be possible).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_7_1 security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patch has been verified to apply to FreeBSD 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:09/pseudofs.patch
# fetch http://security.FreeBSD.org/patches/SA-10:09/pseudofs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE on the i386 or amd64 platforms can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/fs/pseudofs/pseudofs_vnops.c                             1.65.2.6
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.17
  src/sys/conf/newvers.sh                                     1.72.2.9.2.18
  src/sys/fs/pseudofs/pseudofs_vnops.c                             1.65.6.2
RELENG_8
  src/sys/fs/pseudofs/pseudofs_vnops.c                             1.79.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r196860
releng/7.1/                                                       r205103
stable/8/                                                         r196859
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4210

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:09.pseudofs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkzbLQ0ACgkQFdaIBMps37JDAgCeMM8ohrCVs0bfTOIMAnK4Hlxc
o90An3z5EH6uYuF7Bbt7BUIVQaPgxnhR
=+88k
-----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-10:07.mbuf
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:07.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Lost mbuf flag resulting in data corruption

Category:       core
Module:         kern
Announced:      2010-07-13
Credits:        Ming Fu
Affects:        FreeBSD 7.x and later.
Corrected:      2010-07-13 02:45:17 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_1, 8.1-RELEASE)
                2010-07-13 02:45:17 UTC (RELENG_8_0, 8.0-RELEASE-p4)
                2010-07-13 02:45:17 UTC (RELENG_7, 7.3-STABLE)
                2010-07-13 02:45:17 UTC (RELENG_7_3, 7.3-RELEASE-p2)
                2010-07-13 02:45:17 UTC (RELENG_7_1, 7.1-RELEASE-p13)
CVE Name:       CVE-2010-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

An mbuf is a basic unit of memory management in the FreeBSD kernel
inter-process communication and networking subsystem.  Network packets
and socket buffers are dependent on mbufs for their storage.

Data can be embedded directly in mbufs, or mbufs can instead reference
external buffers.  The sendfile(2) system call uses external mbuf
storage to directly map the contents of a file into a chain of mbufs
for transmission purposes.  The mbuf object supports a read-only flag
that must be honored to prevent modification or writes to buffer data
in cases like these.

II.  Problem Description

The read-only flag is not correctly copied when an mbuf buffer reference
is duplicated.  When the sendfile(2) system call is used to transmit
data over the loopback interface, this can result in the backing pages
for the transmitted file being modified, causing data corruption.

III. Impact

This data corruption can be exploited by a local attacker to escalate
their privilege by carefully controlling the corruption of system files.
It should be noted that the attacker can corrupt any file they have read
access to.

NOTE: While systems without untrusted local users are not affected by
the security aspects of this issue, the potential for data corruption
implies that this should still be treated as a critical erratum.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_1, RELENG_8_0, RELENG_7_3, or RELENG_7_1 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.1, 7.3,
8.0 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch
# fetch http://security.FreeBSD.org/patches/SA-10:07/mbuf.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.1-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Now reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/kern/uipc_mbuf.c                                        1.174.2.4
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.4
  src/sys/conf/newvers.sh                                     1.72.2.16.2.6
  src/sys/kern/uipc_mbuf.c                                    1.174.2.3.4.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.16
  src/sys/conf/newvers.sh                                     1.72.2.9.2.17
  src/sys/kern/uipc_mbuf.c                                    1.174.2.2.2.2
RELENG_8
  src/sys/kern/uipc_mbuf.c                                        1.185.2.3
RELENG_8_1
  src/UPDATING                                               1.632.2.14.2.2
  src/sys/conf/newvers.sh                                     1.83.2.10.2.4
  src/sys/kern/uipc_mbuf.c                                    1.185.2.2.2.2
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.7
  src/sys/conf/newvers.sh                                      1.83.2.6.2.7
  src/sys/kern/uipc_mbuf.c                                    1.185.2.1.2.2
FreeBSD Security Advisory FreeBSD-SA-10:04.jail
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:04.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient environment sanitization in jail(8)

Category:       core
Module:         jail
Announced:      2010-05-27
Credits:        Aaron D. Gifford
Affects:        FreeBSD 8.0
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
CVE Name:       CVE-2010-2022

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but far
more powerful than, the traditional UNIX chroot(2) system call.

By design, neither the chroot(2) nor the jail(2) system call modifies
existing open file descriptors of the calling process, in order to allow
programmers to implement fine-grained access control and privilege
separation.

The jail(8) utility creates a new jail or modifies an existing jail,
optionally imprisoning the current process (and future descendants)
inside it.

II.  Problem Description

The jail(8) utility does not change the current working directory while
imprisoning.  The current working directory can be accessed by its
descendants.

III. Impact

Access to arbitrary files may be possible if an attacker managed to
obtain the descriptor of the current working directory before the jail
call.  Such a descriptor would be inherited by all descendants of the
first process that starts the jail, unless an intermediate process
changes the current working directory inside the jail.

By default, the FreeBSD /etc/rc.d/jail script, which can be enabled
using the jail_* rc.conf(5) variables, is not affected by this issue.
This is due to the default jail flags (-l -U root) used to start a jail,
as these flags will result in jail(8) performing a chdir(2) call.  If
the rc.conf(5) variables jail_flags or jail_<jname>_flags have been set
and do not include '-l -U root', the jails are affected by the
vulnerability.

IV.  Workaround

Include the -l -U root arguments to the jail(8) command when starting
the jail.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 8-STABLE, or to the RELENG_8_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 8.0
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch
# fetch http://security.FreeBSD.org/patches/SA-10:04/jail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/jail
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 8.0-RELEASE on the i386 or amd64 platforms can be
updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_8
  src/usr.sbin/jail/jail.c                                         1.33.2.2
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.6
  src/sys/conf/newvers.sh                                      1.83.2.6.2.6
  src/usr.sbin/jail/jail.c                                     1.33.2.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/8/                                                         r208586
releng/8.0/                                                       r208586
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:04.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iEYEARECAAYFAkv95RAACgkQFdaIBMps37ImPgCfRS7pcslVSb89JluACMlg8ZBa
PmAAn0jq693qHOXK+Z2ljpQdc+EpTTja
=9o7h
-----END PGP SIGNATURE-----
FreeBSD Security Advisory FreeBSD-SA-10:05.opie
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:05.opie                                       Security Advisory
                                                          The FreeBSD Project

Topic:          OPIE off-by-one stack overflow

Category:       contrib
Module:         contrib_opie
Announced:      2010-05-27
Credits:        Maksymilian Arciemowicz and Adam Zabrocki
Affects:        All supported versions of FreeBSD
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
                2010-05-27 03:15:04 UTC (RELENG_7, 7.3-STABLE)
                2010-05-27 03:15:04 UTC (RELENG_7_3, 7.3-RELEASE-p1)
                2010-05-27 03:15:04 UTC (RELENG_7_2, 7.2-RELEASE-p8)
                2010-05-27 03:15:04 UTC (RELENG_7_1, 7.1-RELEASE-p12)
                2010-05-27 03:15:04 UTC (RELENG_6, 6.4-STABLE)
                2010-05-27 03:15:04 UTC (RELENG_6_4, 6.4-RELEASE-p10)
CVE Name:       CVE-2010-1938

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

OPIE is a one-time password system designed to help secure a system
against replay attacks.  It does so using a secure hash function and a
challenge/response system.  OPIE is enabled by default on FreeBSD.

II.  Problem Description

A programming error in the OPIE library could allow an off-by-one buffer
overflow to write a single zero byte beyond the end of an on-stack
buffer.

III. Impact

An attacker can remotely crash a service process which uses OPIE when
the stack protector is enabled.  Note that this can happen even if OPIE
is not enabled on the system; for instance, the base system ftpd(8) is
affected by this.

Depending on the design and usage of OPIE, this may either affect only
the process that handles the user authentication, or cause a Denial of
Service condition.

It is possible but very unlikely that an attacker could exploit this to
gain access to a system.

IV.  Workaround

No workaround is available, but systems without OPIE-capable services
running are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, or
to the RELENG_8_0, RELENG_7_3, RELENG_7_2, RELENG_7_1, or RELENG_6_4
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 6.4, 7.1,
7.2, 7.3, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10-05/opie.patch
# fetch http://security.FreeBSD.org/patches/SA-10-05/opie.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libopie
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

3) To update your vulnerable system via a binary patch:

Systems running 6.4-RELEASE, 7.1-RELEASE, 7.2-RELEASE, 7.3-RELEASE or
8.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/opie/libopie/readrec.c                           1.1.1.4.14.1
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.14
  src/sys/conf/newvers.sh                                    1.69.2.18.2.16
  src/contrib/opie/libopie/readrec.c                           1.1.1.4.26.1
RELENG_7
  src/contrib/opie/libopie/readrec.c                                1.2.2.1
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.3
  src/sys/conf/newvers.sh                                     1.72.2.16.2.5
  src/contrib/opie/libopie/readrec.c                               1.2.12.2
RELENG_7_2
  src/UPDATING                                              1.507.2.23.2.11
  src/sys/conf/newvers.sh                                    1.72.2.11.2.12
  src/contrib/opie/libopie/readrec.c                                1.2.8.2
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.15
  src/sys/conf/newvers.sh                                     1.72.2.9.2.16
  src/contrib/opie
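The bug class behind section II, as an added example that is not OPIE's code: a fixed-size field copy whose "terminate if too long" step writes the NUL at index FIELD_MAX, one byte past a FIELD_MAX-byte buffer, beside the corrected bound. FIELD_MAX and the function names are this example's own choices, and the probe keeps the guard byte inside one array so that the out-of-bounds write can be observed without undefined behaviour; on a real stack that byte is the next variable, a saved register or the stack-protector canary, which is why the advisory's impact is a crash under the stack protector.

```c
/*
 * Added example, not OPIE's code: the off-by-one terminator write the
 * advisory describes, beside the corrected bound. FIELD_MAX is a
 * hypothetical size chosen for the demonstration.
 */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 8

/*
 * Vulnerable shape: dst holds FIELD_MAX bytes, so valid indices are
 * 0..FIELD_MAX-1, yet an over-long input is "terminated" at index
 * FIELD_MAX. Input of exactly FIELD_MAX bytes triggers it too.
 */
static void
copy_field_buggy(char *dst, const char *src)
{
    strncpy(dst, src, FIELD_MAX);
    if (strlen(src) >= FIELD_MAX)
        dst[FIELD_MAX] = '\0';      /* off by one: one past the buffer */
}

/* Hardened: copy at most FIELD_MAX-1 bytes and terminate inside dst. */
static void
copy_field_fixed(char *dst, const char *src)
{
    strncpy(dst, src, FIELD_MAX - 1);
    dst[FIELD_MAX - 1] = '\0';
}

/*
 * Run one copier over FIELD_MAX bytes followed by a guard byte that stands
 * in for whatever is adjacent on the real stack. The guard lives in the
 * same array, so the probe itself is well-defined C.
 */
static void
run_copy(int use_fixed, const char *input, char raw[FIELD_MAX + 1])
{
    memset(raw, 0, FIELD_MAX + 1);
    raw[FIELD_MAX] = (char)0xAA;
    if (use_fixed)
        copy_field_fixed(raw, input);
    else
        copy_field_buggy(raw, input);
}

/* 1 if the guard byte after the buffer was overwritten, 0 if it survived. */
int
guard_clobbered(int use_fixed, const char *input)
{
    char raw[FIELD_MAX + 1];

    run_copy(use_fixed, input, raw);
    return raw[FIELD_MAX] != (char)0xAA;
}

/* Length a later strlen() would see, bounded so it cannot leave the region. */
int
copied_length(int use_fixed, const char *input)
{
    char raw[FIELD_MAX + 1];
    int n;

    run_copy(use_fixed, input, raw);
    for (n = 0; n < FIELD_MAX + 1 && raw[n] != '\0'; n++)
        ;
    return n;
}

int
main(void)
{
    /* Constructed inputs: under, exactly at, and over the field size. */
    const char *inputs[] = { "abcdefg", "abcdefgh", "abcdefghijkl" };
    size_t i;

    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-14s buggy: guard %s, len %d | fixed: guard %s, len %d\n",
               inputs[i],
               guard_clobbered(0, inputs[i]) ? "CLOBBERED" : "intact",
               copied_length(0, inputs[i]),
               guard_clobbered(1, inputs[i]) ? "CLOBBERED" : "intact",
               copied_length(1, inputs[i]));
    return 0;
}
```

Seven-byte input is safe in both versions; eight or more bytes make the buggy copier overwrite the guard. Moving the buffer onto the stack and compiling with -fstack-protector turns that single zero byte into an abort at function return when it lands on the canary, which is the remote crash the advisory describes.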
FreeBSD Security Advisory FreeBSD-SA-10:06.nfsclient
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:06.nfsclient                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Unvalidated input in nfsclient

Category:       core
Module:         nfsclient
Announced:      2010-05-27
Credits:        Patroklos Argyroudis
Affects:        FreeBSD 7.2 and later.
Corrected:      2010-05-27 03:15:04 UTC (RELENG_8, 8.1-PRERELEASE)
                2010-05-27 03:15:04 UTC (RELENG_8_0, 8.0-RELEASE-p3)
                2010-05-27 03:15:04 UTC (RELENG_7, 7.3-STABLE)
                2010-05-27 03:15:04 UTC (RELENG_7_3, 7.3-RELEASE-p1)
                2010-05-27 03:15:04 UTC (RELENG_7_2, 7.2-RELEASE-p8)
CVE Name:       CVE-2010-2020

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and
mount them as if they were on local disks.  FreeBSD includes server and
client implementations of NFS.

II.  Problem Description

The NFS client subsystem fails to correctly validate the length of a
parameter provided by the user when a filesystem is mounted.

III. Impact

A user who can mount filesystems can execute arbitrary code in the
kernel.  On systems where the non-default vfs.usermount feature has been
enabled, unprivileged users may be able to gain superuser (root)
privileges.

IV.  Workaround

Do not allow untrusted users to mount filesystems.  To prevent
unprivileged users from mounting filesystems, set the vfs.usermount
sysctl variable to zero:

# sysctl vfs.usermount=0

Note that the default value of this variable is zero, i.e., FreeBSD is
not affected by this vulnerability in its default configuration, and
FreeBSD system administrators are strongly encouraged not to change this
setting.

V.   Solution

NOTE WELL: Even with this fix, allowing users to mount arbitrary media
should not be considered safe.  Most of the file systems in FreeBSD were
not built to safeguard against malicious devices.  While such bugs in
file systems are fixed when found, a complete audit has not been
performed on the file system code.

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_3, or RELENG_7_2 security branch dated after the
correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.2, 7.3
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:06/nfsclient.patch
# fetch http://security.FreeBSD.org/patches/SA-10:06/nfsclient.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.2-RELEASE, 7.3-RELEASE, or 8.0-RELEASE on the i386 or
amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/nfsclient/nfs_vfsops.c                                  1.193.2.7
  src/lib/libc/sys/mount.2                                         1.45.2.1
RELENG_7_3
  src/UPDATING                                               1.507.2.34.2.3
  src/sys/conf/newvers.sh                                     1.72.2.16.2.5
  src/sys/nfsclient/nfs_vfsops.c                              1.193.2.5.4.2
  src/lib/libc/sys/mount.2                                        1.45.12.2
RELENG_7_2
  src/UPDATING                                              1.507.2.23.2.11
  src/sys/conf/newvers.sh                                    1.72.2.11.2.12
  src/sys/nfsclient/nfs_vfsops.c                              1.193.2.5.2.2
  src/lib/libc/sys/mount.2                                         1.45.8.2
RELENG_8
  src/sys/nfsclient/nfs_vfsops.c                                  1.226.2.7
  src/lib/libc/sys/mount.2                                        1.45.10.2
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.6
  src/sys/conf/newvers.sh                                      1.83.2.6.2.6
  src/sys/nfsclient/nfs_vfsops.c                              1.226.2.2.2.2
  src/lib/libc/sys/mount.2
FreeBSD Security Advisory FreeBSD-SA-10:01.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:01.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND named(8) cache poisoning with DNSSEC validation

Category:       contrib
Module:         bind
Announced:      2010-01-06
Credits:        Michael Sinatra
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
                2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
                2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
                2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-4022

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

If a client requests DNSSEC records with the Checking Disabled (CD) flag
set, BIND may cache the unvalidated responses.  These responses may
later be returned to another client that has not set the CD flag.

III. Impact

If a client can send such queries to a server, it can exploit this
problem to mount a cache poisoning attack, seeding the cache with
unvalidated information.

IV.  Workaround

Disabling DNSSEC validation will prevent BIND from caching unvalidated
records, but will also prevent DNSSEC authentication of records.

Systems not using DNSSEC validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, or
to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc

[FreeBSD 6.4]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc

[FreeBSD 7.1]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc

[FreeBSD 7.2]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get a
more recent BIND version with more complete DNSSEC support.  This can be
done either by upgrading to FreeBSD 7.x or later, or by installing BIND
from the FreeBSD Ports Collection.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/bind9/lib/dns/rbtdb.c                             1.1.1.1.4.4
  src/contrib/bind9/lib/dns/include/dns/types.h                 1.1.1.1.4.2
  src/contrib/bind9/lib/dns/resolver.c                         1.1.1.2.2.11
  src/contrib/bind9/lib/dns/masterdump.c                        1.1.1.1.4.3
  src/contrib/bind9/lib/dns/validator.c                         1.1.1.2.2.6
  src/contrib/bind9/bin/named/query.c                           1.1.1.1.4.7
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.13
  src/sys/conf/newvers.sh                                    1.69.2.18.2.15
  src/contrib/bind9/lib/dns/rbtdb.c                         1.1.1.1.4.3.2.1
  src/contrib/bind9/lib/dns/include/dns/types.h             1.1.1.1.4.1.4.1
  src/contrib/bind9/lib/dns
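The cache rule behind sections II and III, as an added example that is not BIND's code: a small model of a resolver cache in which answers fetched for a Checking Disabled (CD=1) query are stored as unvalidated and may only be returned to CD=1 clients, while a CD=0 client receives validated data or a miss (forcing a fresh, validated lookup). The strict flag on the lookup switches between that rule and the behaviour the advisory describes, where any cached copy is served. The DNS header bytes, names and addresses are constructed samples, and the function names are this example's own; the real named(8) fix is not reproduced here.

```c
/*
 * Added example, not BIND's code: a model of the cache rule the advisory
 * implies. Responses fetched with CD set were never validated and must not
 * be served to clients that did not set CD. Sample data is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_FLAG_CD 0x0010   /* Checking Disabled bit in the DNS header flags */

/* CD bit from a 12-byte wire-format DNS header (flags are bytes 2 and 3). */
int
dns_header_cd(const uint8_t hdr[12])
{
    uint16_t flags = (uint16_t)((hdr[2] << 8) | hdr[3]);
    return (flags & DNS_FLAG_CD) != 0;
}

/* Two constructed query headers: same ID and opcode, CD clear vs CD set. */
const uint8_t SAMPLE_QUERY_CD0[12] = { 0x12, 0x34, 0x01, 0x00, 0, 1, 0, 0, 0, 0, 0, 0 };
const uint8_t SAMPLE_QUERY_CD1[12] = { 0x12, 0x34, 0x01, 0x10, 0, 1, 0, 0, 0, 0, 0, 0 };

struct cache_entry {
    char name[64];
    char rdata[64];
    int validated;   /* 1 = DNSSEC-validated when fetched, 0 = fetched with CD set */
    int used;
};

#define CACHE_SLOTS 16
static struct cache_entry cache[CACHE_SLOTS];

int
cache_reset(void)
{
    memset(cache, 0, sizeof cache);
    return 0;
}

/*
 * Store an answer keyed by (name, validated), so an unvalidated copy can
 * never displace a validated one. Returns 0, or -1 when full or too long.
 */
int
cache_insert(const char *name, const char *rdata, int validated)
{
    int i;

    if (strlen(name) >= sizeof cache[0].name ||
        strlen(rdata) >= sizeof cache[0].rdata)
        return -1;
    for (i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].used)
            break;                      /* entries are packed from the front */
        if (cache[i].validated == validated && strcmp(cache[i].name, name) == 0)
            break;                      /* refresh the same-class entry */
    }
    if (i == CACHE_SLOTS)
        return -1;
    strcpy(cache[i].name, name);
    strcpy(cache[i].rdata, rdata);
    cache[i].validated = validated;
    cache[i].used = 1;
    return 0;
}

/*
 * Answer a client whose query carried client_cd. With strict set, a CD=0
 * client is only ever given validated data (the corrected rule); with
 * strict clear, any cached copy is returned, which is the vulnerable
 * behaviour. Returns the rdata, or NULL for a cache miss.
 */
const char *
cache_lookup(const char *name, int client_cd, int strict)
{
    const char *unvalidated = NULL;
    int i;

    for (i = 0; i < CACHE_SLOTS; i++) {
        if (!cache[i].used || strcmp(cache[i].name, name) != 0)
            continue;
        if (cache[i].validated)
            return cache[i].rdata;      /* validated data is fine for everyone */
        if (client_cd || !strict)
            unvalidated = cache[i].rdata;
    }
    return unvalidated;
}

int
main(void)
{
    const char *a;

    cache_reset();
    /* An attacker-driven CD=1 query leaves an unvalidated answer cached. */
    cache_insert("bank.example", "203.0.113.66", 0);
    a = cache_lookup("bank.example", 0, 0);
    printf("CD=0 client, vulnerable rule: %s\n", a ? a : "miss");
    a = cache_lookup("bank.example", 0, 1);
    printf("CD=0 client, corrected rule:  %s\n", a ? a : "miss (resolve and validate)");
    a = cache_lookup("bank.example", 1, 1);
    printf("CD=1 client, corrected rule:  %s\n", a ? a : "miss");
    return 0;
}
```

The poisoned entry is only ever visible to clients that themselves asked for unvalidated data; once a validated answer for the same name is cached, both classes of client receive it. The same separation is what makes the advisory's workaround (disabling validation) a trade-off rather than a fix: with validation off, nothing is ever marked validated.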
FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:02.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd mode 7 denial of service

Category:       contrib
Module:         ntpd
Announced:      2010-01-06
Affects:        All supported versions of FreeBSD.
Corrected:      2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
                2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
                2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
                2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-3563

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

II.  Problem Description

If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from
a source address not listed in either a 'restrict ... noquery' or a
'restrict ... ignore' section, it will log the event and send a mode 7
error response.

III. Impact

If an attacker can spoof such a packet from a source IP of an affected
ntpd to the same or a different affected ntpd, the host(s) will
endlessly send error responses to each other and log each event,
consuming network bandwidth, CPU and possibly disk space.

IV.  Workaround

Proper filtering of mode 7 NTP packets by a firewall can limit the
number of systems used to attack your resources.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, or
to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/ntp/ntpd/ntp_request.c                            1.1.1.4.8.2
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.13
  src/sys/conf/newvers.sh                                    1.69.2.18.2.15
  src/contrib/ntp/ntpd/ntp_request.c                        1.1.1.4.8.1.2.1
RELENG_6_3
  src/UPDATING                                              1.416.2.37.2.20
  src/sys/conf/newvers.sh                                    1.69.2.15.2.19
  src/contrib/ntp/ntpd/ntp_request.c                           1.1.1.4.20.1
RELENG_7
  src/contrib/ntp/ntpd/ntp_request.c                           1.1.1.4.18.2
RELENG_7_2
  src/UPDATING                                               1.507.2.23.2.9
  src/sys/conf/newvers.sh                                    1.72.2.11.2.10
  src/contrib/ntp/ntpd/ntp_request.c                       1.1.1.4.18.1.4.1
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.13
  src/sys/conf/newvers.sh                                     1.72.2.9.2.14
  src/contrib/ntp/ntpd/ntp_request.c                       1.1.1.4.18.1.2.1
RELENG_8
  src/contrib/ntp/ntpd/ntp_request.c                                1.2.2.1
RELENG_8_0
  src/UPDATING                                                1.632.2.7.2.5
  src/sys/conf/newvers.sh                                      1.83.2.6.2.5
  src/contrib/ntp/ntpd/ntp_request.c                                1.2.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r201679
releng/6.4/                                                       r201679
releng/6.3
FreeBSD Security Advisory FreeBSD-SA-10:03.zfs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:03.zfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          ZFS ZIL playback with insecure permissions

Category:       contrib
Module:         zfs
Announced:      2010-01-06
Credits:        Pawel Jakub Dawidek
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-11-14 11:59:59 UTC (RELENG_8, 8.0-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
                2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

ZFS is a file system originally developed by Sun Microsystems. The ZFS
Intent Log (ZIL) is a mechanism that gathers write transactions together in
memory and is flushed to disk when synchronous semantics are required. In
the event of a crash or power failure, the log is examined and the
uncommitted transactions are replayed to maintain the synchronous semantics.

II.  Problem Description

When replaying a setattr transaction, the replay code would set the
attributes to certain insecure defaults when the logged transaction did not
touch those attributes.

III. Impact

A system crash or power failure could leave some files with their mode set
to 0. This could leak sensitive information or cause privilege escalation.

IV.  Workaround

No workaround is available, but systems not using ZFS are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2, and
8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) Examine the system and look for affected files. These files can be
identified with the following command:

# find / -perm - -print0 | xargs -0 ls -ld

The system administrator will have to correct these problems if there are
any files with such permission modes. For example:

# find / -perm - -print0 | xargs -0 chmod u=rwx,go=

will reset the access mode bits so that the file is readable, writable and
executable by the owner only. The system administrator should determine the
appropriate mode bits wisely.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.6.2.3
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.9
  src/sys/conf/newvers.sh                                  1.72.2.11.2.10
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.6.2.1.4.1
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.13
  src/sys/conf/newvers.sh                                   1.72.2.9.2.14
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.6.2.1.2.1
RELENG_8
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.8.2.2
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.5
  src/sys/conf/newvers.sh                                    1.83.2.6.2.5
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.8.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1
FreeBSD Security Advisory FreeBSD-SA-09:15.ssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:15.ssl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          SSL protocol flaw

Category:       contrib
Module:         openssl
Announced:      2009-12-03
Credits:        Marsh Ray, Steve Dispensa
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
CVE Name:       CVE-2009-3555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols
provide a secure communications layer over which other protocols can be
utilized. The most widespread use of SSL/TLS is to add security to the HTTP
protocol, thus producing HTTPS.

FreeBSD includes software from the OpenSSL Project which implements SSL and
TLS.

II.  Problem Description

The SSL version 3 and TLS protocols support session renegotiation without
cryptographically tying the new session parameters to the old parameters.

III. Impact

An attacker who can intercept a TCP connection being used for SSL or TLS
can cause the initial session negotiation to take the place of a session
renegotiation. This can be exploited in several ways, including:

 * Causing a server to interpret incoming messages as having been sent
   under the auspices of a client SSL key when in fact they were not;
 * Causing a client request to be appended to an attacker-supplied
   request, potentially revealing to the attacker the contents of the
   client request (including any authentication parameters); and
 * Causing a client to receive a response to an attacker-supplied request
   instead of a response to the request sent by the client.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
SSL / TLS session parameters. As a result, connections in which the other
party attempts to renegotiate session parameters will break. In practice,
however, session renegotiation is a rarely-used feature, so disabling this
functionality is unlikely to cause problems for most systems.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE, or 8-STABLE, or to
the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security
branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1,
7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make includes && make && make install

NOTE: On the amd64 platform, the above procedure will not update the lib32
(i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead be
recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/crypto/openssl/ssl/s3_pkt.c                            1.1.1.10.2.1
  src/crypto/openssl/ssl/s3_srvr.c                           1.1.1.14.2.3
  src/crypto/openssl/ssl/s3_lib.c                            1.1.1.10.2.1
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.12
  src/sys/conf/newvers.sh                                  1.69.2.18.2.14
  src/crypto/openssl/ssl/s3_pkt.c                           1.1.1.10.12.1
  src/crypto/openssl/ssl/s3_srvr.c                       1.1.1.14.2.1.6.2
  src/crypto/openssl/ssl/s3_lib.c                           1.1.1.10.12.1
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.19
  src/sys/conf/newvers.sh
FreeBSD Security Advisory FreeBSD-SA-09:16.rtld
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:16.rtld                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Improper environment sanitization in rtld(1)

Category:       core
Module:         rtld
Announced:      2009-12-03
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-12-01 02:59:22 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-01 03:00:16 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
CVE Name:       CVE-2009-4146, CVE-2009-4147

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The run-time link-editor, rtld, links dynamic executables with their needed
libraries at run-time. It also allows users to explicitly load libraries
via various LD_ environment variables.

II.  Problem Description

When running setuid programs, rtld will normally remove potentially
dangerous environment variables. Due to recent changes in the FreeBSD
environment variable handling code, a corrupt environment may result in
attempts to unset environment variables failing.

III. Impact

An unprivileged user who can execute programs on a system can gain the
privileges of any setuid program which he can run. On most system
configurations, this will allow a local attacker to execute code as the
root user.

IV.  Workaround

No workaround is available, but systems without untrusted local users,
where all the untrusted local users are jailed superusers, and/or where
untrusted users cannot execute arbitrary code (e.g., due to use of read
only and noexec mount options) are not affected.

Note that untrusted local users include users with the ability to upload
and execute web scripts (CGI, PHP, Python, Perl etc.), as they may be able
to exploit this issue.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2, and
8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld7.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch
# fetch http://security.FreeBSD.org/patches/SA-09:16/rtld.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/rtld-elf
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
ld-elf32.so.1 (i386 compatibility) run-time link-editor (rtld). On amd64
systems where the i386 rtld is installed, the operating system should
instead be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/libexec/rtld-elf/rtld.c                                   1.124.2.7
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.8
  src/sys/conf/newvers.sh                                   1.72.2.11.2.9
  src/libexec/rtld-elf/rtld.c                               1.124.2.4.2.2
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.12
  src/sys/conf/newvers.sh                                   1.72.2.9.2.13
  src/libexec/rtld-elf/rtld.c                               1.124.2.3.2.2
RELENG_8
  src/libexec/rtld-elf/rtld.c                                   1.139.2.4
RELENG_8_0
  src/UPDATING                                              1.632.2.7.2.4
  src/sys/conf/newvers.sh                                    1.83.2.6.2.4
  src/libexec/rtld-elf/rtld.c                               1.139.2.2.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r199981
releng/7.2/                                                       r200054
releng/7.1
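The failure mode in sections II and III of SA-09:16 is a loader that keeps going after an unsetenv() call fails. The C program below is an added example, not FreeBSD's rtld code: it shows the fail-closed shape a privileged program wants, refusing to proceed when the environment block is malformed or when any variable it tried to remove is still present. The list of LD_ variables is an illustrative subset (assumption, not rtld's full list), and the sample environments are constructed.

```c
/*
 * Fail-closed environment sanitisation for a privileged (setuid) program.
 * Added example, not FreeBSD rtld(1) code.  A loader that ignores the
 * return value of unsetenv() can end up running with elevated privileges
 * while attacker-influenced LD_ variables are still in effect; this code
 * treats every failure of the scrub as fatal instead.
 */
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

extern char **environ;

/* Illustrative subset of loader-controlled variables (assumption: not the
 * complete list that rtld(1) scrubs). */
static const char *const ld_unsafe_vars[] = {
    "LD_PRELOAD",
    "LD_LIBRARY_PATH",
    "LD_LIBMAP",
    "LD_DEBUG",
};
#define N_LD_UNSAFE (sizeof(ld_unsafe_vars) / sizeof(ld_unsafe_vars[0]))

/* Constructed sample environments used by main() below. */
static char *const sample_clean_env[]   = { "HOME=/root", "PATH=/bin", NULL };
static char *const sample_corrupt_env[] = { "HOME=/root", "BROKEN", "=novalue", NULL };

/* A name containing '=' is rejected by unsetenv() with EINVAL on every
 * libc; it is the simplest portable way to exercise the failure path. */
static const char *const sample_bad_name[] = { "LD=BAD" };

/*
 * Count entries that are not of the form NAME=value.  A non-zero result
 * means the environment block is corrupt and nothing derived from it can
 * be trusted; some libc implementations make unsetenv() fail in that state.
 */
size_t count_malformed_env(char *const *envp)
{
    size_t bad = 0;

    for (; envp != NULL && *envp != NULL; envp++) {
        const char *eq = strchr(*envp, '=');
        if (eq == NULL || eq == *envp)      /* no '=' at all, or empty name */
            bad++;
    }
    return bad;
}

/*
 * Remove every variable in names[].  Returns 0 only when each unsetenv()
 * reported success AND the variable is really gone afterwards; otherwise
 * -1, so the caller refuses to continue with a half-sanitised environment.
 */
int scrub_env(const char *const *names, size_t n)
{
    size_t i;

    for (i = 0; i < n; i++) {
        if (unsetenv(names[i]) != 0)        /* EINVAL, or a corrupt block */
            return -1;
        if (getenv(names[i]) != NULL)       /* belt and braces */
            return -1;
    }
    return 0;
}

/*
 * Policy for a setuid entry point: reject a corrupt environment block
 * outright, then scrub the process environment.  0 means safe to proceed.
 */
int sanitize_for_setuid(char *const *envp)
{
    if (count_malformed_env(envp) != 0)
        return -1;
    return scrub_env(ld_unsafe_vars, N_LD_UNSAFE);
}

int main(void)
{
    /* Constructed value; the directory does not need to exist. */
    setenv("LD_LIBRARY_PATH", "/tmp/untrusted", 1);

    printf("corrupt sample block: %s\n",
           sanitize_for_setuid(sample_corrupt_env) == 0 ? "accepted" : "refused");
    printf("clean sample block:   %s\n",
           sanitize_for_setuid(sample_clean_env) == 0 ? "scrubbed" : "refused");
    printf("LD_LIBRARY_PATH now:  %s\n",
           getenv("LD_LIBRARY_PATH") != NULL ? "still set" : "gone");
    printf("live environ check:   %s\n",
           sanitize_for_setuid(environ) == 0 ? "scrubbed" : "refused");
    return 0;
}
```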
FreeBSD Security Advisory FreeBSD-SA-09:17.freebsd-update
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:17.freebsd-update                             Security Advisory
                                                          The FreeBSD Project

Topic:          Inappropriate directory permissions in freebsd-update(8)

Category:       core
Module:         usr.sbin
Announced:      2009-12-03
Credits:        KAMADA Ken'ichi
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The freebsd-update(8) utility is used to fetch, install, and rollback
updates to the FreeBSD base system, and also to upgrade from one FreeBSD
release to another.

II.  Problem Description

When downloading updates to FreeBSD via 'freebsd-update fetch' or
'freebsd-update upgrade', the freebsd-update(8) utility copies currently
installed files into its working directory (/var/db/freebsd-update by
default) both for the purpose of merging changes to configuration files and
in order to be able to roll back installed updates.

The default working directory used by freebsd-update(8) is normally created
during the installation of FreeBSD with permissions which allow all local
users to see its contents, and freebsd-update(8) does not take any steps to
restrict access to files stored in said directory.

III. Impact

A local user can read files which have been updated by freebsd-update(8),
even if those files have permissions which would normally not allow users
to read them. In particular, on systems which have been upgraded using
'freebsd-update upgrade', local users can read freebsd-update's backed-up
copy of the master password file.

IV.  Workaround

Set the permissions on the freebsd-update(8) working directory to not allow
unprivileged users to read said directory:

# chmod 0700 /var/db/freebsd-update

Note that if freebsd-update(8) is run using the '-d workdir' option, the
directory which should have its permissions adjusted will be different.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, or to
the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security
branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 6.3, 6.4, 7.1,
7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:17/freebsd-update.patch
# fetch http://security.FreeBSD.org/patches/SA-09:17/freebsd-update.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/freebsd-update
# make obj && make depend && make && make install
# chmod 0700 /var/db/freebsd-update

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/usr.sbin/freebsd-update/freebsd-update.sh                  1.2.2.11
  src/etc/mtree/BSD.var.dist                                      1.71.2.4
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.12
  src/sys/conf/newvers.sh                                  1.69.2.18.2.14
  src/usr.sbin/freebsd-update/freebsd-update.sh              1.2.2.10.2.2
  src/etc/mtree/BSD.var.dist                                1.71.2.3.6.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.19
  src/sys/conf/newvers.sh                                  1.69.2.15.2.18
  src/usr.sbin/freebsd-update/freebsd-update.sh               1.2.2.8.2.1
  src/etc/mtree/BSD.var.dist                                1.71.2.3.4.1
RELENG_7
  src/usr.sbin/freebsd-update/freebsd-update.sh                   1.8.2.5
  src/etc/mtree/BSD.var.dist                                      1.75.2.1
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.8
  src/sys/conf/newvers.sh                                   1.72.2.11.2.9
  src/usr.sbin/freebsd-update/freebsd-update.sh
FreeBSD Security Advisory FreeBSD-SA-09:15.ssl [REVISED]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:15.ssl                                        Security Advisory
                                                          The FreeBSD Project

Topic:          SSL protocol flaw

Category:       contrib
Module:         openssl
Announced:      2009-12-03
Credits:        Marsh Ray, Steve Dispensa
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-03 09:18:40 UTC (RELENG_8, 8.0-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_8_0, 8.0-RELEASE-p1)
                2009-12-03 09:18:40 UTC (RELENG_7, 7.2-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_7_2, 7.2-RELEASE-p5)
                2009-12-03 09:18:40 UTC (RELENG_7_1, 7.1-RELEASE-p9)
                2009-12-03 09:18:40 UTC (RELENG_6, 6.4-STABLE)
                2009-12-03 09:18:40 UTC (RELENG_6_4, 6.4-RELEASE-p8)
                2009-12-03 09:18:40 UTC (RELENG_6_3, 6.3-RELEASE-p14)
CVE Name:       CVE-2009-3555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0.   Revision History

v1.0  2009-12-03  Initial release.
v1.1  2009-12-03  Corrected instructions in section V.2)b).

I.   Background

The SSL (Secure Sockets Layer) and TLS (Transport Layer Security) protocols
provide a secure communications layer over which other protocols can be
utilized. The most widespread use of SSL/TLS is to add security to the HTTP
protocol, thus producing HTTPS.

FreeBSD includes software from the OpenSSL Project which implements SSL and
TLS.

II.  Problem Description

The SSL version 3 and TLS protocols support session renegotiation without
cryptographically tying the new session parameters to the old parameters.

III. Impact

An attacker who can intercept a TCP connection being used for SSL or TLS
can cause the initial session negotiation to take the place of a session
renegotiation. This can be exploited in several ways, including:

 * Causing a server to interpret incoming messages as having been sent
   under the auspices of a client SSL key when in fact they were not;
 * Causing a client request to be appended to an attacker-supplied
   request, potentially revealing to the attacker the contents of the
   client request (including any authentication parameters); and
 * Causing a client to receive a response to an attacker-supplied request
   instead of a response to the request sent by the client.

IV.  Workaround

No workaround is available.

V.   Solution

NOTE WELL: This update causes OpenSSL to reject any attempt to renegotiate
SSL / TLS session parameters. As a result, connections in which the other
party attempts to renegotiate session parameters will break. In practice,
however, session renegotiation is a rarely-used feature, so disabling this
functionality is unlikely to cause problems for most systems.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE, or 8-STABLE, or to
the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security
branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1,
7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:15/ssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make includes && make && make install

NOTE: On the amd64 platform, the above procedure will not update the lib32
(i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead be
recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/crypto/openssl/ssl/s3_pkt.c                            1.1.1.10.2.1
  src/crypto/openssl/ssl/s3_srvr.c                           1.1.1.14.2.3
  src/crypto/openssl/ssl/s3_lib.c                            1.1.1.10.2.1
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.12
  src/sys/conf/newvers.sh                                  1.69.2.18.2.14
  src/crypto/openssl/ssl/s3_pkt.c                           1.1.1.10.12.1
  src/crypto/openssl/ssl/s3_srvr.c                       1.1.1.14.2.1.6.2
  src/crypto/openssl/ssl/s3_lib.c                           1.1.1.10.12.1
RELENG_6_3
FreeBSD Security Advisory FreeBSD-SA-09:13.pipe
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:13.pipe                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kqueue pipe race conditions

Category:       core
Module:         kern
Announced:      2009-10-02
Credits:        Przemyslaw Frasunek
Affects:        FreeBSD 6.x
Corrected:      2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

Pipes are a form of inter-process communication (IPC) provided by the
FreeBSD kernel. kqueue is an event management API that applications can use
to monitor pipes and other kernel services.

II.  Problem Description

A race condition exists in the pipe close() code relating to kqueues,
causing a use-after-free of kernel memory, which may lead to an exploitable
NULL pointer vulnerability in the kernel, kernel memory corruption, and
other unpredictable results.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash. To exploit this
vulnerability, an attacker must be able to run code on the target system.

IV.  Workaround

An errata notice, FreeBSD-EN-09:05.null, has been released simultaneously
with this advisory, and contains a kernel patch implementing a workaround
for a broader class of vulnerabilities. However, prior to those changes, no
workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4 or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 6.4.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/kern/kern_event.c                                      1.93.2.7
  src/sys/kern/kern_fork.c                                      1.252.2.8
  src/sys/kern/sys_pipe.c                                       1.184.2.6
  src/sys/sys/event.h                                            1.32.2.1
  src/sys/sys/pipe.h                                             1.29.2.1
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.11
  src/sys/conf/newvers.sh                                  1.69.2.18.2.13
  src/sys/kern/kern_event.c                                  1.93.2.6.6.2
  src/sys/kern/kern_fork.c                                  1.252.2.7.4.2
  src/sys/kern/sys_pipe.c                                   1.184.2.4.2.3
  src/sys/sys/event.h                                           1.32.12.2
  src/sys/sys/pipe.h                                            1.29.16.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.18
  src/sys/conf/newvers.sh                                  1.69.2.15.2.17
  src/sys/kern/kern_event.c                                  1.93.2.6.4.1
  src/sys/kern/kern_fork.c                                  1.252.2.7.2.1
  src/sys/kern/sys_pipe.c                                   1.184.2.2.6.3
  src/sys/sys/event.h                                           1.32.10.1
  src/sys/sys/pipe.h                                            1.29.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r197715
releng/6.4/                                                       r197715
releng/6.3/                                                       r197715
- -------------------------------------------------------------------------

VII. References

http://svn.freebsd.org/viewvc/base?view=revision&revision=179243

The latest revision of this advisory is available at
http://security.FreeBSD.org
FreeBSD Security Advisory FreeBSD-SA-09:14.devfs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:14.devfs                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Devfs / VFS NULL pointer race condition

Category:       core
Module:         kern
Announced:      2009-10-02
Credits:        Przemyslaw Frasunek
Affects:        FreeBSD 6.x and 7.x
Corrected:      2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
                2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
                2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
                2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
                2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The device file system (devfs) provides access to system devices, such as
storage devices and serial ports, via the file system namespace. VFS is the
Virtual File System, which abstracts file system operations in the kernel
from the actual underlying file system.

II.  Problem Description

Due to the interaction between devfs and VFS, a race condition exists where
the kernel might dereference a NULL pointer.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash. To exploit this
vulnerability, an attacker must be able to run code with user privileges on
the target system.

IV.  Workaround

An errata notice, FreeBSD-EN-09:05.null, has been released simultaneously
with this advisory, and contains a kernel patch implementing a workaround
for a broader class of vulnerabilities. However, prior to those changes, no
workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1,
and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/sys/fs/devfs/devfs_vnops.c                               1.114.2.17
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.11
  src/sys/conf/newvers.sh                                  1.69.2.18.2.13
  src/sys/fs/devfs/devfs_vnops.c                           1.114.2.16.2.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.18
  src/sys/conf/newvers.sh                                  1.69.2.15.2.17
  src/sys/fs/devfs/devfs_vnops.c                           1.114.2.15.2.1
RELENG_7
  src/sys/fs/devfs/devfs_vnops.c                                1.149.2.9
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.7
  src/sys/conf/newvers.sh                                   1.72.2.11.2.8
  src/sys/fs/devfs/devfs_vnops.c                            1.149.2.8.2.2
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.11
  src/sys/conf/newvers.sh                                   1.72.2.9.2.12
  src/sys/fs/devfs/devfs_vnops.c                            1.149.2.4.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r197715
releng/6.4/                                                       r197715
releng/6.3/                                                       r197715
stable/7/                                                         r192301
releng/7.2/                                                       r197715
releng/7.1
FreeBSD Security Advisory FreeBSD-SA-09:12.bind
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:12.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND named(8) dynamic update message remote DoS

Category:       contrib
Module:         bind
Announced:      2009-07-29
Credits:        Matthias Urlichs
Affects:        All supported versions of FreeBSD
Corrected:      2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE)
                2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3)
                2009-07-29 00:14:14 UTC (RELENG_7_1, 7.1-RELEASE-p7)
                2009-07-29 00:13:47 UTC (RELENG_6, 6.4-STABLE)
                2009-07-29 00:14:14 UTC (RELENG_6_4, 6.4-RELEASE-p6)
                2009-07-29 00:14:14 UTC (RELENG_6_3, 6.3-RELEASE-p12)
CVE Name:       CVE-2009-0696

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

NOTE: Due to this issue being accidentally disclosed early, updated
binaries are not yet available via freebsd-update at the time this advisory
is being published. Email will be sent to the freebsd-security mailing list
when the binaries are available via freebsd-update.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols. The
named(8) daemon is an Internet Domain Name Server.

Dynamic update messages may be used to update records in a master zone on a
nameserver.

II.  Problem Description

When named(8) receives a specially crafted dynamic update message, an
internal assertion check is triggered which causes named(8) to exit.

To trigger the problem, the dynamic update message must contain a record of
type ANY, and at least one resource record set (RRset) for this fully
qualified domain name (FQDN) must exist on the server.

III. Impact

An attacker who can send DNS requests to a nameserver can cause it to exit,
thus creating a Denial of Service situation.

IV.  Workaround

No generally applicable workaround is available, but some firewalls may be
able to prevent nsupdate DNS packets from reaching the nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT
sufficient to protect it from this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1,
and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/bind9/bin/named/update.c                        1.1.1.2.2.5
RELENG_6_4
  src/UPDATING                                            1.416.2.40.2.10
  src/sys/conf/newvers.sh                                  1.69.2.18.2.12
  src/contrib/bind9/bin/named/update.c                    1.1.1.2.2.3.2.1
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.17
  src/sys/conf/newvers.sh                                  1.69.2.15.2.16
  src/contrib/bind9/bin/named/update.c                    1.1.1.2.2.2.2.1
RELENG_7
  src/contrib/bind9/bin/named/update.c                        1.1.1.5.2.3
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.6
  src/sys/conf/newvers.sh                                   1.72.2.11.2.7
  src/contrib/bind9/bin/named/update.c                    1.1.1.5.2.2.2.1
RELENG_7_1
  src/UPDATING                                            1.507.2.13.2.10
  src/sys/conf/newvers.sh                                   1.72.2.9.2.11
  src/contrib/bind9/bin/named/update.c                    1.1.1.5.2.1.4.1
HEAD
  src/contrib/bind9/bin/named/update.c                                1.4
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
head
FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:11.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd stack-based buffer-overflow vulnerability

Category:       contrib
Module:         ntpd
Announced:      2009-06-10
Credits:        Chris Ries
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)
CVE Name:       CVE-2009-1252

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

Autokey is a security model for authenticating Network Time Protocol (NTP)
servers to clients, using public key cryptography.

II.  Problem Description

The ntpd(8) daemon is prone to a stack-based buffer-overflow when it is
configured to use the 'autokey' security model.

III. Impact

This issue could be exploited to execute arbitrary code in the context of
the service daemon, or crash the service daemon, causing denial-of-service
conditions.

IV.  Workaround

Use IP based restrictions in ntpd(8) itself or in IP firewalls to restrict
which systems can send NTP packets to ntpd(8).

Note that systems will only be affected if they have the autokey option set
in /etc/ntp.conf; FreeBSD does not ship with a default ntp.conf file, so
will not be affected unless this option has been explicitly enabled by the
system administrator.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1,
and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch.asc

[FreeBSD 6.4 and 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/ntp/ntpd/ntp_crypto.c                           1.1.1.3.8.3
RELENG_6_4
  src/UPDATING                                             1.416.2.40.2.9
  src/sys/conf/newvers.sh                                  1.69.2.18.2.11
  src/contrib/ntp/ntpd/ntp_crypto.c                       1.1.1.3.8.1.2.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.16
  src/sys/conf/newvers.sh                                  1.69.2.15.2.15
  src/contrib/ntp/ntpd/ntp_crypto.c                          1.1.1.3.20.2
RELENG_7
  src/contrib/ntp/ntpd/ntp_crypto.c                          1.1.1.3.18.3
RELENG_7_2
  src/UPDATING                                             1.507.2.23.2.4
  src/sys/conf/newvers.sh                                   1.72.2.11.2.5
  src/contrib/ntp/ntpd/ntp_crypto.c                      1.1.1.3.18.2.2.1
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.9
  src/sys/conf/newvers.sh                                   1.72.2.9.2.10
  src/contrib/ntp/ntpd/ntp_crypto.c                      1.1.1.3.18.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r193893
releng/6.4/                                                       r193893
releng/6.3/                                                       r193893
stable/7
FreeBSD Security Advisory FreeBSD-SA-09:10.ipv6
=============================================================================
FreeBSD-SA-09:10.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Missing permission check on SIOCSIFINFO_IN6 ioctl

Category:       core
Module:         netinet6
Announced:      2009-06-10
Credits:        Hiroki Sato
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

IPv6 is a new Internet Protocol, designed to replace (and avoid many of
the problems with) the current Internet Protocol (version 4).  Many
properties of the FreeBSD IPv6 network stack can be configured via the
ioctl(2) interface.

II.  Problem Description

The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check.

III. Impact

Local users, including non-root users and users inside jails, can set
some IPv6 interface properties.  These include changing the link MTU and
disabling interfaces entirely.

Note that this affects IPv6 only; IPv4 functionality cannot be affected
by exploiting this vulnerability.

IV.  Workaround

No workaround is available, but systems without local untrusted users
are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6-6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/sys/netinet6/in6.c                                          1.51.2.13
RELENG_6_4
  src/UPDATING                                                 1.416.2.40.2.9
  src/sys/conf/newvers.sh                                      1.69.2.18.2.11
  src/sys/netinet6/in6.c                                      1.51.2.12.2.2
RELENG_6_3
  src/UPDATING                                                1.416.2.37.2.16
  src/sys/conf/newvers.sh                                      1.69.2.15.2.15
  src/sys/netinet6/in6.c                                      1.51.2.11.2.1
RELENG_7
  src/sys/netinet6/in6.c                                           1.73.2.7
RELENG_7_2
  src/UPDATING                                                 1.507.2.23.2.4
  src/sys/conf/newvers.sh                                       1.72.2.11.2.5
  src/sys/netinet6/in6.c                                       1.73.2.6.2.2
RELENG_7_1
  src/UPDATING                                                 1.507.2.13.2.9
  src/sys/conf/newvers.sh                                       1.72.2.9.2.10
  src/sys/netinet6/in6.c                                       1.73.2.4.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6/                                                         r193893
releng/6.4/                                                       r193893
releng/6.3/                                                       r193893
stable/7/                                                         r193893
releng/7.2/                                                       r193893
releng/7.1/                                                       r193893
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory
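The defect class behind SA-09:10, as an added example and not FreeBSD's in6.c: an ioctl dispatcher that sprinkles privilege checks over the commands someone remembered is only as strong as that list, and SIOCSIFINFO_IN6 was left off it, so any local user (including root inside a jail, which priv_check(9) does not treat as privileged for this) could change interface state. The hardened form classifies commands first and requires privilege for everything not known to be read-only. The command numbers, the `caller`/`ifinfo6` structs, `SIOCSOTHER_IN6` and the `priv_check` stand-in are assumptions for this model.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical command numbers; the real ones live in <netinet6/nd6.h>. */
enum in6_cmd {
    SIOCGIFINFO_IN6 = 1,    /* read interface parameters */
    SIOCSIFINFO_IN6 = 2,    /* set interface parameters: the one missing its check */
    SIOCSOTHER_IN6  = 3     /* placeholder for a setter that did have a check */
};

struct caller { bool is_root; bool in_jail; };      /* model of the calling thread */
struct ifinfo6 { unsigned mtu; bool disabled; };    /* model of per-interface IPv6 state */

/* Stand-in for priv_check(9): only unjailed root may change interface state. */
static int priv_check(const struct caller *c)
{
    return (c->is_root && !c->in_jail) ? 0 : EPERM;
}

/* Before: privilege is checked command by command, and one setter was forgotten. */
int in6_ioctl_before(const struct caller *c, enum in6_cmd cmd,
                     struct ifinfo6 *ifp, const struct ifinfo6 *req)
{
    int error;

    switch (cmd) {
    case SIOCGIFINFO_IN6:
        return 0;
    case SIOCSOTHER_IN6:
        if ((error = priv_check(c)) != 0)
            return error;
        ifp->mtu = req->mtu;
        return 0;
    case SIOCSIFINFO_IN6:               /* no priv_check here: the bug */
        ifp->mtu = req->mtu;
        ifp->disabled = req->disabled;
        return 0;
    default:
        return EINVAL;
    }
}

/* After: decide up front which commands are read-only; everything else needs privilege. */
static bool in6_cmd_is_readonly(enum in6_cmd cmd)
{
    return cmd == SIOCGIFINFO_IN6;
}

int in6_ioctl_after(const struct caller *c, enum in6_cmd cmd,
                    struct ifinfo6 *ifp, const struct ifinfo6 *req)
{
    int error;

    if (!in6_cmd_is_readonly(cmd) && (error = priv_check(c)) != 0)
        return error;               /* deny by default, before any state is touched */

    switch (cmd) {
    case SIOCGIFINFO_IN6:
        return 0;
    case SIOCSOTHER_IN6:
        ifp->mtu = req->mtu;
        return 0;
    case SIOCSIFINFO_IN6:
        ifp->mtu = req->mtu;
        ifp->disabled = req->disabled;
        return 0;
    default:
        return EINVAL;
    }
}

int main(void)
{
    struct caller user = { false, false };
    struct ifinfo6 ifp = { 1500, false };
    struct ifinfo6 req = { 1280, true };    /* constructed request: shrink MTU, disable */

    printf("before: unprivileged SIOCSIFINFO_IN6 -> %d, disabled=%d\n",
           in6_ioctl_before(&user, SIOCSIFINFO_IN6, &ifp, &req), ifp.disabled);
    ifp.disabled = false;
    printf("after:  unprivileged SIOCSIFINFO_IN6 -> %d, disabled=%d\n",
           in6_ioctl_after(&user, SIOCSIFINFO_IN6, &ifp, &req), ifp.disabled);
    return 0;
}
```

The point of the second shape is that adding a new setter later cannot silently reopen the hole: a command not listed in `in6_cmd_is_readonly` is privileged until someone argues otherwise.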
FreeBSD Security Advisory FreeBSD-SA-09:09.pipe
=============================================================================
FreeBSD-SA-09:09.pipe                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local information disclosure via direct pipe writes

Category:       core
Module:         kern
Announced:      2009-06-10
Credits:        Pieter de Boer
Affects:        All supported versions of FreeBSD.
Corrected:      2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
                2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
                2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
                2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
                2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

One of the most commonly used forms of interprocess communication on
FreeBSD and other UNIX-like systems is the (anonymous) pipe.  In this
mechanism, a pair of file descriptors is created, and data written to one
descriptor can be read from the other.

FreeBSD's pipe implementation contains an optimization known as direct
writes.  In this optimization, rather than copying data into kernel memory
when the write(2) system call is invoked and then copying the data again
when the read(2) system call is invoked, the FreeBSD kernel takes
advantage of virtual memory mapping to allow the data to be copied
directly between processes.

II.  Problem Description

An integer overflow in computing the set of pages containing data to be
copied can result in virtual-to-physical address lookups not being
performed.

III. Impact

An unprivileged process can read pages of memory which belong to other
processes or to the kernel.  These may contain information which is
sensitive in itself; or may contain passwords or cryptographic keys which
can be indirectly exploited to gain sensitive information or access.

IV.  Workaround

No workaround is available, but systems without untrusted local users are
not vulnerable.  System administrators are reminded that even if a system
is not intended to have untrusted local users, it may be possible for an
attacker to exploit some other vulnerability to obtain local user access
to a system.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
URL:http://www.FreeBSD.org/handbook/kernelconfig.html and reboot the
system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/sys/kern/sys_pipe.c                                         1.184.2.5
RELENG_6_4
  src/UPDATING                                                 1.416.2.40.2.9
  src/sys/conf/newvers.sh                                      1.69.2.18.2.11
  src/sys/kern/sys_pipe.c                                     1.184.2.4.2.2
RELENG_6_3
  src/UPDATING                                                1.416.2.37.2.16
  src/sys/conf/newvers.sh                                      1.69.2.15.2.15
  src/sys/kern/sys_pipe.c                                     1.184.2.2.6.2
RELENG_7
  src/sys/kern/sys_pipe.c                                         1.191.2.5
RELENG_7_2
  src/UPDATING                                                 1.507.2.23.2.4
  src/sys/conf/newvers.sh                                       1.72.2.11.2.5
  src/sys/kern/sys_pipe.c                                     1.191.2.3.4.2
RELENG_7_1
  src/UPDATING                                                 1.507.2.13.2.9
  src/sys/conf/newvers.sh                                       1.72.2.9.2.10
  src/sys/kern/sys_pipe.c                                     1.191.2.3.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6
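The bug class in SA-09:09, as an added example and not FreeBSD's sys_pipe.c: a direct-write path has to locate every page backing the user buffer [addr, addr+len) before it copies. If the end of the range is computed in address width and wraps past the top of the address space, the rounded-up end lands below the start, the per-page loop runs zero times, and no virtual-to-physical lookup is done for bytes the copy will still touch. The hardened form rejects the wrap before any page arithmetic. PAGE_SHIFT, the function names and the addresses used are assumptions for this model.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model parameters (assumptions for this example, not sys_pipe.c values). */
#define PAGE_SHIFT 12
#define PAGE_SIZE  ((uintptr_t)1 << PAGE_SHIFT)
#define PAGE_MASK  (PAGE_SIZE - 1)

/*
 * Before: the page range backing [addr, addr+len) with the usual round-up
 * idiom.  If addr + len + PAGE_MASK wraps past UINTPTR_MAX, "end" lands
 * below "start", the loop never runs and no page is looked up, yet the
 * caller still believes the buffer was prepared for a direct copy.
 */
size_t pages_spanned_unchecked(uintptr_t addr, size_t len)
{
    uintptr_t start = addr & ~PAGE_MASK;
    uintptr_t end = (addr + len + PAGE_MASK) & ~PAGE_MASK;   /* can wrap */
    size_t npages = 0;

    for (uintptr_t p = start; p < end; p += PAGE_SIZE)
        npages++;                       /* stands in for one address lookup */
    return npages;
}

/*
 * After: reject any buffer whose end would wrap before touching the page
 * arithmetic, then count pages by page number so nothing can overflow.
 * Returns 0 on success (npages filled in) or EFAULT.
 */
int pages_spanned_checked(uintptr_t addr, size_t len, size_t *npages)
{
    if (len > UINTPTR_MAX - addr)       /* addr + len would wrap */
        return EFAULT;
    if (len == 0) {
        *npages = 0;
        return 0;
    }
    uintptr_t first = addr >> PAGE_SHIFT;
    uintptr_t last = (addr + len - 1) >> PAGE_SHIFT;
    *npages = (size_t)(last - first) + 1;
    return 0;
}

int main(void)
{
    uintptr_t addr = UINTPTR_MAX - 0x7ff;   /* constructed: 2 KiB below the top */
    size_t n = 0;

    printf("unchecked: %zu page(s) for a 4 KiB buffer near the top of memory\n",
           pages_spanned_unchecked(addr, 0x1000));
    printf("checked:   %s\n",
           pages_spanned_checked(addr, 0x1000, &n) == EFAULT ? "EFAULT" : "ok");
    return 0;
}
```

The unchecked version reports zero pages for a buffer that plainly spans two; a real kernel that then proceeds to copy is reading through whatever mappings it last set up, which is the disclosure the advisory describes.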
FreeBSD Security Advisory FreeBSD-SA-09:07.libc
=============================================================================
FreeBSD-SA-09:07.libc                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Information leak in db(3)

Category:       core
Module:         libc
Announced:      2009-04-22
Credits:        Jaakko Heinonen, Xin LI
Affects:        All supported versions of FreeBSD.
Corrected:      2009-04-11 15:19:26 UTC (RELENG_7, 7.2-PRERELEASE)
                2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)
                2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12)
                2009-04-11 15:21:11 UTC (RELENG_6, 6.4-STABLE)
                2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4)
                2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit URL:http://security.FreeBSD.org/.

I.   Background

FreeBSD's C library (libc) contains code for creating and accessing
Berkeley DB 1.85 database files.  Such databases are used extensively in
FreeBSD; for example, the system password files (/etc/passwd and
/etc/master.passwd) are normally accessed via their database files
(/etc/pwd.db and /etc/spwd.db).

II.  Problem Description

Some data structures used by the database interface code are not properly
initialized when allocated.

III. Impact

Programs using the db(3) interface to create Berkeley database files may
leak sensitive information into database files.  If those files can be
read by other users, this may result in the disclosure of sensitive
information such as login credentials.

IV.  Workaround

No workaround is available, but systems without untrusted local users are
probably not affected (since remote attackers will in most cases not be
able to read such database files).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:07/libc.patch
# fetch http://security.FreeBSD.org/patches/SA-09:07/libc.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libc
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
URL:http://www.FreeBSD.org/handbook/makeworld.html

NOTE: System administrators may wish to rebuild any system database files
which were created prior to applying this patch in case they contain
sensitive information.  The password databases (/etc/pwd.db and
/etc/spwd.db) are regenerated from /etc/master.passwd with pwd_mkdb(8).

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/lib/libc/db/btree/bt_split.c                                  1.7.2.1
  src/lib/libc/db/btree/bt_open.c                                 1.11.14.1
  src/lib/libc/db/hash/hash_buf.c                                  1.7.14.1
  src/lib/libc/db/mpool/mpool.c                                    1.12.2.1
  src/lib/libc/db/README                                           1.1.40.1
RELENG_6_4
  src/UPDATING                                                 1.416.2.40.2.8
  src/sys/conf/newvers.sh                                      1.69.2.18.2.10
  src/lib/libc/db/btree/bt_split.c                                 1.7.12.2
  src/lib/libc/db/hash/hash_buf.c                                  1.7.26.2
  src/lib/libc/db/mpool/mpool.c                                   1.12.12.2
RELENG_6_3
  src/UPDATING                                                1.416.2.37.2.15
  src/sys/conf/newvers.sh                                      1.69.2.15.2.14
  src/lib/libc/db/btree/bt_split.c                                 1.7.10.1
  src/lib/libc/db/hash/hash_buf.c                                  1.7.24.1
  src/lib/libc/db/mpool/mpool.c                                   1.12.10.1
RELENG_7
  src/lib/libc/db/btree/bt_split.c                                  1.8.2.1
  src/lib/libc/db/btree/bt_open.c                                  1.12.2.1
  src/lib/libc/db/hash/hash_buf.c                                   1.8.2.1
  src/lib/libc/db/mpool/mpool.c                                    1.13.2.1
  src/lib/libc/db/README
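How an uninitialized page structure turns into an on-disk leak, as an added example and not FreeBSD's libc db code: a database page is a fixed-size block, the writer fills in the header and the records it has, and every other byte goes to the file exactly as the allocator left it, which for a reused heap chunk means whatever the previous owner stored there. The hardened form clears the whole page before use, and `page_contains` is the check an auditor would run over a page image pulled from a .db file. The page layout, the single-block arena standing in for the allocator, and the sample password line are assumptions for this model.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DB_PAGE_SIZE 64     /* assumption for the model; real db pages are larger */

struct page_hdr { uint16_t nrecords; uint16_t used; };

/*
 * Hypothetical allocator: one block, handed out repeatedly and never
 * cleared, which is what a reused heap chunk looks like to its caller.
 */
static unsigned char arena[DB_PAGE_SIZE];
static unsigned char *page_alloc(void) { return arena; }

/* Leave earlier contents in the block, as a previous user of the chunk would have. */
void arena_fill(const char *previous_contents)
{
    memset(arena, 0xAA, DB_PAGE_SIZE);
    memcpy(arena, previous_contents, strlen(previous_contents));
}

/* Before: header and record are written; the rest of the page is whatever was there. */
void build_page_uninitialized(unsigned char *out, const char *record)
{
    unsigned char *pg = page_alloc();
    struct page_hdr h = { 1, (uint16_t)(sizeof h + strlen(record)) };

    memcpy(pg, &h, sizeof h);
    memcpy(pg + sizeof h, record, strlen(record));
    memcpy(out, pg, DB_PAGE_SIZE);          /* the bytes that would reach the file */
}

/* After: the whole page is zeroed before any of it is used. */
void build_page_initialized(unsigned char *out, const char *record)
{
    unsigned char *pg = page_alloc();
    struct page_hdr h = { 1, (uint16_t)(sizeof h + strlen(record)) };

    memset(pg, 0, DB_PAGE_SIZE);
    memcpy(pg, &h, sizeof h);
    memcpy(pg + sizeof h, record, strlen(record));
    memcpy(out, pg, DB_PAGE_SIZE);
}

/* Scan a page image for a byte string anywhere in it, slack included. */
bool page_contains(const unsigned char *img, const char *needle)
{
    size_t n = strlen(needle);

    for (size_t i = 0; i + n <= DB_PAGE_SIZE; i++)
        if (memcmp(img + i, needle, n) == 0)
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample: a master.passwd-style line once occupied the chunk. */
    const char *old = "root:$6$saltsalt$hashedsecret:0:0:root:/root:/bin/sh";
    unsigned char img[DB_PAGE_SIZE];

    arena_fill(old);
    build_page_uninitialized(img, "www:*:80:80");
    printf("uninitialized page leaks old hash: %s\n",
           page_contains(img, "hashedsecret") ? "yes" : "no");

    arena_fill(old);
    build_page_initialized(img, "www:*:80:80");
    printf("initialized page leaks old hash:   %s\n",
           page_contains(img, "hashedsecret") ? "yes" : "no");
    return 0;
}
```

The record written here is shorter than the line that previously lived in the chunk, so the hash survives in the slack past the record; that is why the advisory's note about rebuilding databases created before the fix matters even when the records themselves hold nothing secret.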