Nabble - freebsd-security-notifications

FreeBSD Security Advisory FreeBSD-SA-09:14.devfs

2009-10-02T13:12:05Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:14.devfs Security Advisory
The FreeBSD Project

Topic: Devfs / VFS NULL pointer race condition

Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
Affects: FreeBSD 6.x and 7.x
Corrected: 2009-05-18 10:41:59 UTC (RELENG_7, 7.2-STABLE)
2009-10-02 18:09:56 UTC (RELENG_7_2, 7.2-RELEASE-p4)
2009-10-02 18:09:56 UTC (RELENG_7_1, 7.1-RELEASE-p8)
2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The device file system (devfs) provides access to system devices, such as
storage devices and serial ports, via the file system namespace.

VFS is the Virtual File System, which abstracts file system operations in
the kernel from the actual underlying file system.

II. Problem Description

Due to the interaction between devfs and VFS, a race condition exists
where the kernel might dereference a NULL pointer.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.

IV. Workaround

An errata note, FreeBSD-EN-09:05.null has been released simultaneously to
this advisory, and contains a kernel patch implementing a workaround for a
more broad class of vulnerabilities. However, prior to those changes, no
workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch
# fetch http://security.FreeBSD.org/patches/SA-09:14/devfs7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/fs/devfs/devfs_vnops.c 1.114.2.17
RELENG_6_4
src/UPDATING 1.416.2.40.2.11
src/sys/conf/newvers.sh 1.69.2.18.2.13
src/sys/fs/devfs/devfs_vnops.c 1.114.2.16.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.18
src/sys/conf/newvers.sh 1.69.2.15.2.17
src/sys/fs/devfs/devfs_vnops.c 1.114.2.15.2.1
RELENG_7
src/sys/fs/devfs/devfs_vnops.c 1.149.2.9
RELENG_7_2
src/UPDATING 1.507.2.23.2.7
src/sys/conf/newvers.sh 1.72.2.11.2.8
src/sys/fs/devfs/devfs_vnops.c 1.149.2.8.2.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.11
src/sys/conf/newvers.sh 1.72.2.9.2.12
src/sys/fs/devfs/devfs_vnops.c 1.149.2.4.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r197715
releng/6.4/ r197715
releng/6.3/ r197715
stable/7/ r192301
releng/7.2/ r197715
releng/7.1/ r197715
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:14.devfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFKxltlFdaIBMps37IRAp4zAJwJEwIySGqxH4EXwc0wjkDXlcTb1wCfTltO
Syds53GSM0YbsMNUVMGsLaU=
=exPZ
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:13.pipe

2009-10-02T13:11:57Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:13.pipe Security Advisory
The FreeBSD Project

Topic: kqueue pipe race conditions
Category: core
Module: kern
Announced: 2009-10-02
Credits: Przemyslaw Frasunek
Affects: FreeBSD 6.x
Corrected: 2009-10-02 18:09:56 UTC (RELENG_6, 6.4-STABLE)
2009-10-02 18:09:56 UTC (RELENG_6_4, 6.4-RELEASE-p7)
2009-10-02 18:09:56 UTC (RELENG_6_3, 6.3-RELEASE-p13)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

Pipes are a form of inter-process communication (IPC) provided by the
FreeBSD kernel. kqueue is an event management API that applications can
use to monitor pipes and other kernel services.

II. Problem Description

A race condition exists in the pipe close() code relating to kqueues,
causing use-after-free for kernel memory, which may lead to an
exploitable NULL pointer vulnerability in the kernel, kernel memory
corruption, and other unpredictable results.

III. Impact

Successful exploitation of the race condition can lead to local kernel
privilege escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code on
the target system.

IV. Workaround

An errata notice, FreeBSD-EN-09:05.null has been released simultaneously to
this advisory, and contains a kernel patch implementing a workaround for a
more broad class of vulnerabilities. However, prior to those changes, no
workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or to the RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and 6.4.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:13/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/kern/kern_event.c 1.93.2.7
src/sys/kern/kern_fork.c 1.252.2.8
src/sys/kern/sys_pipe.c 1.184.2.6
src/sys/sys/event.h 1.32.2.1
src/sys/sys/pipe.h 1.29.2.1
RELENG_6_4
src/UPDATING 1.416.2.40.2.11
src/sys/conf/newvers.sh 1.69.2.18.2.13
src/sys/kern/kern_event.c 1.93.2.6.6.2
src/sys/kern/kern_fork.c 1.252.2.7.4.2
src/sys/kern/sys_pipe.c 1.184.2.4.2.3
src/sys/sys/event.h 1.32.12.2
src/sys/sys/pipe.h 1.29.16.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.18
src/sys/conf/newvers.sh 1.69.2.15.2.17
src/sys/kern/kern_event.c 1.93.2.6.4.1
src/sys/kern/kern_fork.c 1.252.2.7.2.1
src/sys/kern/sys_pipe.c 1.184.2.2.6.3
src/sys/sys/event.h 1.32.10.1
src/sys/sys/pipe.h 1.29.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r197715
releng/6.4/ r197715
releng/6.3/ r197715
- -------------------------------------------------------------------------

VII. References

http://svn.freebsd.org/viewvc/base?view=revision&revision=179243

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:13.pipe.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFKxlthFdaIBMps37IRAlk2AJ9mUrNPd1RMztbzO4w7g+AxosqJzgCgmr5l
FKxrbF0G4v9P6SyyfAdVOFY=
=TWhC
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:12.bind

2009-07-28T17:48:35Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:12.bind Security Advisory
The FreeBSD Project

Topic: BIND named(8) dynamic update message remote DoS

Category: contrib
Module: bind
Announced: 2009-07-29
Credits: Matthias Urlichs
Affects: All supported versions of FreeBSD
Corrected: 2009-07-28 23:59:22 UTC (RELENG_7, 7.2-STABLE)
2009-07-29 00:14:14 UTC (RELENG_7_2, 7.2-RELEASE-p3)
2009-07-29 00:14:14 UTC (RELENG_7_1, 7.1-RELEASE-p7)
2009-07-29 00:13:47 UTC (RELENG_6, 6.4-STABLE)
2009-07-29 00:14:14 UTC (RELENG_6_4, 6.4-RELEASE-p6)
2009-07-29 00:14:14 UTC (RELENG_6_3, 6.3-RELEASE-p12)
CVE Name: CVE-2009-0696

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

NOTE: Due to this issue being accidentally disclosed early, updated
binaries are yet not available via freebsd-update at the time this
advisory is being published. Email will be sent to the freebsd-security
mailing list when the binaries are available via freebsd-update.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

Dynamic update messages may be used to update records in a master zone
on a nameserver.

II. Problem Description

When named(8) receives a specially crafted dynamic update message an
internal assertion check is triggered which causes named(8) to exit.

To trigger the problem, the dynamic update message must contains a
record of type "ANY" and at least one resource record set (RRset) for
this fully qualified domain name (FQDN) must exist on the server.

III. Impact

An attacker which can send DNS requests to a nameserver can cause it to
exit, thus creating a Denial of Service situation.

IV. Workaround

No generally applicable workaround is available, but some firewalls
may be able to prevent nsupdate DNS packets from reaching the
nameserver.

NOTE WELL: Merely configuring named(8) to ignore dynamic updates is NOT
sufficient to protect it from this vulnerability.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:12/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/bind9/bin/named/update.c 1.1.1.2.2.5
RELENG_6_4
src/UPDATING 1.416.2.40.2.10
src/sys/conf/newvers.sh 1.69.2.18.2.12
src/contrib/bind9/bin/named/update.c 1.1.1.2.2.3.2.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.17
src/sys/conf/newvers.sh 1.69.2.15.2.16
src/contrib/bind9/bin/named/update.c 1.1.1.2.2.2.2.1
RELENG_7
src/contrib/bind9/bin/named/update.c 1.1.1.5.2.3
RELENG_7_2
src/UPDATING 1.507.2.23.2.6
src/sys/conf/newvers.sh 1.72.2.11.2.7
src/contrib/bind9/bin/named/update.c 1.1.1.5.2.2.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.10
src/sys/conf/newvers.sh 1.72.2.9.2.11
src/contrib/bind9/bin/named/update.c 1.1.1.5.2.1.4.1
HEAD
src/contrib/bind9/bin/named/update.c 1.4
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
head/ r195936
stable/6/ r195934
releng/6.4/ r195935
releng/6.3/ r195935
stable/7/ r195933
releng/7.2/ r195935
releng/7.1/ r195935
- -------------------------------------------------------------------------

VII. References

https://www.isc.org/node/474
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:12.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFKb5koFdaIBMps37IRAglLAKCFGXI+MAsksnK5TZB/8L3UFhPS1gCgl7q5
6fCpOeBcf7f83dVfKRDVF0I=
=akJW
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:09.pipe

2009-06-10T03:41:55Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:09.pipe Security Advisory
The FreeBSD Project

Topic: Local information disclosure via direct pipe writes

Category: core
Module: kern
Announced: 2009-06-10
Credits: Pieter de Boer
Affects: All supported versions of FreeBSD.
Corrected: 2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

One of the most commonly used forms of interprocess communication on
FreeBSD and other UNIX-like systems is the (anonymous) pipe. In this
mechanism, a pair of file descriptors is created, and data written to
one descriptor can be read from the other.

FreeBSD's pipe implementation contains an optimization known as "direct
writes". In this optimization, rather than copying data into kernel
memory when the write(2) system call is invoked and then copying the
data again when the read(2) system call is invoked, the FreeBSD kernel
takes advantage of virtual memory mapping to allow the data to be copied
directly between processes.

II. Problem Description

An integer overflow in computing the set of pages containing data to be
copied can result in virtual-to-physical address lookups not being
performed.

III. Impact

An unprivileged process can read pages of memory which belong to other
processes or to the kernel. These may contain information which is
sensitive in itself; or may contain passwords or cryptographic keys
which can be indirectly exploited to gain sensitive information or
access.

IV. Workaround

No workaround is available, but systems without untrusted local users
are not vulnerable. System administrators are reminded that even if a
system is not intended to have untrusted local users, it may be possible
for an attacker to exploit some other vulnerability to obtain local user
access to a system.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch
# fetch http://security.FreeBSD.org/patches/SA-09:09/pipe.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/kern/sys_pipe.c 1.184.2.5
RELENG_6_4
src/UPDATING 1.416.2.40.2.9
src/sys/conf/newvers.sh 1.69.2.18.2.11
src/sys/kern/sys_pipe.c 1.184.2.4.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.16
src/sys/conf/newvers.sh 1.69.2.15.2.15
src/sys/kern/sys_pipe.c 1.184.2.2.6.2
RELENG_7
src/sys/kern/sys_pipe.c 1.191.2.5
RELENG_7_2
src/UPDATING 1.507.2.23.2.4
src/sys/conf/newvers.sh 1.72.2.11.2.5
src/sys/kern/sys_pipe.c 1.191.2.3.4.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.9
src/sys/conf/newvers.sh 1.72.2.9.2.10
src/sys/kern/sys_pipe.c 1.191.2.3.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r193893
releng/6.4/ r193893
releng/6.3/ r193893
stable/7/ r193893
releng/7.2/ r193893
releng/7.1/ r193893
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:09.pipe.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkovjN0ACgkQFdaIBMps37JkXwCgmLcEMOMAEIXRoJ220zwZhMKn
f+gAn1bZyLMhfZU7TI0xxhizwetDwMVI
=J37B
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:10.ipv6

2009-06-10T03:41:49Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:10.ipv6 Security Advisory
The FreeBSD Project

Topic: Missing permission check on SIOCSIFINFO_IN6 ioctl

Category: core
Module: netinet6
Announced: 2009-06-10
Credits: Hiroki Sato
Affects: All supported versions of FreeBSD.
Corrected: 2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

IPv6 is a new Internet Protocol, designed to replace (and avoid many of
the problems with) the current Internet Protocol (version 4). Many
properties of the FreeBSD IPv6 network stack can be configured via the
ioctl(2) interface.

II. Problem Description

The SIOCSIFINFO_IN6 ioctl is missing a necessary permissions check.

III. Impact

Local users, including non-root users and users inside jails, can set
some IPv6 interface properties. These include changing the link MTU
and disabling interfaces entirely. Note that this affects IPv6 only;
IPv4 functionality cannot be affected by exploiting this vulnerability.

IV. Workaround

No workaround is available, but systems without local untrusted users
are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6-6.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:10/ipv6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/netinet6/in6.c 1.51.2.13
RELENG_6_4
src/UPDATING 1.416.2.40.2.9
src/sys/conf/newvers.sh 1.69.2.18.2.11
src/sys/netinet6/in6.c 1.51.2.12.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.16
src/sys/conf/newvers.sh 1.69.2.15.2.15
src/sys/netinet6/in6.c 1.51.2.11.2.1
RELENG_7
src/sys/netinet6/in6.c 1.73.2.7
RELENG_7_2
src/UPDATING 1.507.2.23.2.4
src/sys/conf/newvers.sh 1.72.2.11.2.5
src/sys/netinet6/in6.c 1.73.2.6.2.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.9
src/sys/conf/newvers.sh 1.72.2.9.2.10
src/sys/netinet6/in6.c 1.73.2.4.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r193893
releng/6.4/ r193893
releng/6.3/ r193893
stable/7/ r193893
releng/7.2/ r193893
releng/7.1/ r193893
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:10.ipv6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkovjOUACgkQFdaIBMps37IFxwCgj0o1r4IQMIEvp3y4oIqhQwxe
cI8AoIlxweqjakKxu/A/Z4+xjoGmqUdF
=/kNi
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:11.ntpd

2009-06-10T03:41:45Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:11.ntpd Security Advisory
The FreeBSD Project

Topic: ntpd stack-based buffer-overflow vulnerability

Category: contrib
Module: ntpd
Announced: 2009-06-10
Credits: Chris Ries
Affects: All supported versions of FreeBSD.
Corrected: 2009-06-10 10:31:11 UTC (RELENG_7, 7.2-STABLE)
2009-06-10 10:31:11 UTC (RELENG_7_2, 7.2-RELEASE-p1)
2009-06-10 10:31:11 UTC (RELENG_7_1, 7.1-RELEASE-p6)
2009-06-10 10:31:11 UTC (RELENG_6, 6.4-STABLE)
2009-06-10 10:31:11 UTC (RELENG_6_4, 6.4-RELEASE-p5)
2009-06-10 10:31:11 UTC (RELENG_6_3, 6.3-RELEASE-p11)
CVE Name: CVE-2009-1252

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

Autokey is a security model for authenticating Network Time Protocol
(NTP) servers to clients, using public key cryptography.

II. Problem Description

The ntpd(8) daemon is prone to a stack-based buffer-overflow when it is
configured to use the 'autokey' security model.

III. Impact

This issue could be exploited to execute arbitrary code in the context of
the service daemon, or crash the service daemon, causing denial-of-service
conditions.

IV. Workaround

Use IP based restrictions in ntpd(8) itself or in IP firewalls to
restrict which systems can send NTP packets to ntpd(8).

Note that systems will only be affected if they have the "autokey" option
set in /etc/ntp.conf; FreeBSD does not ship with a default ntp.conf file,
so will not be affected unless this option has been explicitly enabled by
the system administrator.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd63.patch.asc

[FreeBSD 6.4 and 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:11/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.8.3
RELENG_6_4
src/UPDATING 1.416.2.40.2.9
src/sys/conf/newvers.sh 1.69.2.18.2.11
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.8.1.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.16
src/sys/conf/newvers.sh 1.69.2.15.2.15
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.20.2
RELENG_7
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.3
RELENG_7_2
src/UPDATING 1.507.2.23.2.4
src/sys/conf/newvers.sh 1.72.2.11.2.5
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.2.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.9
src/sys/conf/newvers.sh 1.72.2.9.2.10
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.1.2.2
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r193893
releng/6.4/ r193893
releng/6.3/ r193893
stable/7/ r193893
releng/7.2/ r193893
releng/7.1/ r193893
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:11.ntpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkovjOwACgkQFdaIBMps37KRpwCfaQF9q8KhElv6LqgFv3DX2h9c
hbEAn2Q0X8Qv8r5OySnhlAw2pMxlxkXK
=Mh2u
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD supported branches update

2009-05-01T19:22:48Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated
to reflect the EoL (end-of-life) of FreeBSD 7.0. The new list is below
and at <URL: http://security.freebsd.org/ >. Please note that FreeBSD
7.0 was originally announced with an EoL date of February 28, 2009, but
the EoL was delayed by two months in order to allow a 3 month window for
systems to be upgraded to FreeBSD 7.1.

Users of FreeBSD 7.0 are advised to upgrade promptly to FreeBSD 7.1,
either by downloading an updated source tree and building updates manually,
or (for i386 and amd64 systems) using the FreeBSD Update utility as
described in the FreeBSD 7.1 release announcement. Some users may wish to
wait for the upcoming FreeBSD 7.2-RELEASE; however, they should be aware
that FreeBSD 7.2-RELEASE will only receive "normal" support (i.e., support
for 12 months) and consequently it will not be supported for as long as
FreeBSD 7.1.

[Excerpt from http://security.freebsd.org/ follows]

FreeBSD Security Advisories

~ The FreeBSD Security Officer provides security advisories for
~ several branches of FreeBSD development. These are the -STABLE
~ Branches and the Security Branches. (Advisories are not issued for
~ the -CURRENT Branch.)

~ * The -STABLE branch tags have names like RELENG_7. The
~ corresponding builds have names like FreeBSD 7.0-STABLE.

~ * Each FreeBSD Release has an associated Security Branch. The
~ Security Branch tags have names like RELENG_7_0. The
~ corresponding builds have names like FreeBSD 7.0-RELEASE-p1.

~ Isses affecting the FreeBSD Ports Collection are covered in the
~ FreeBSD VuXML document.

~ Each branch is supported by the Security Officer for a limited
~ time only, and is designated as one of `Early adopter', `Normal',
~ or `Extended'. The designation is used as a guideline for
~ determining the lifetime of the branch as follows.

~ Early adopter
~ Releases which are published from the -CURRENT branch will be
~ supported by the Security Officer for a minimum of 6 months
~ after the release.

~ Normal
~ Releases which are published from a -STABLE branch will be
~ supported by the Security Officer for a minimum of 12 months
~ after the release, and for sufficient additional time (if
~ needed) to ensure that there is a newer release for at least
~ 3 months before the older Normal release expires.

~ Extended
~ Selected releases (normally every second release plus the last
~ release from each -STABLE branch) will be supported by the
~ Security Officer for a minimum of 24 months after the release,
~ and for sufficient additional time (if needed) to ensure that
~ there is a newer Extended release for at least 3 months before
~ the older Extended release expires.

~ The current designation and estimated lifetimes of the currently
~ supported branches are given below. The Estimated EoL (end-of-life)
~ column gives the earliest date on which that branch is likely to be
~ dropped. Please note that these dates may be extended into the
~ future, but only extenuating circumstances would lead to a branch's
~ support being dropped earlier than the date listed.

~ +--------------------------------------------------------------------+
~ | Branch | Release | Type | Release date | Estimated EoL |
~ |-----------+-----------+--------+-----------------+-----------------|
~ |RELENG_6 |n/a |n/a |n/a |November 30, 2010|
~ |-----------+-----------+--------+-----------------+-----------------|
~ |RELENG_6_3 |6.3-RELEASE|Extended|January 18, 2008 |January 31, 2010 |
~ |-----------+-----------+--------+-----------------+-----------------|
~ |RELENG_6_4 |6.4-RELEASE|Extended|November 28, 2008|November 30, 2010|
~ |-----------+-----------+--------+-----------------+-----------------|
~ |RELENG_7 |n/a |n/a |n/a |last release + 2y|
~ |-----------+-----------+--------+-----------------+-----------------|
~ |RELENG_7_1 |7.1-RELEASE|Extended|January 4, 2009 |January 31, 2011 |
~ +--------------------------------------------------------------------+

[End excerpt]

- --
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkn7rngACgkQFdaIBMps37IFxACgm/W0s1RMwBtYKHGGa3kk1FSi
dwEAn1WIK57UMysjjrj304IySPnxLca9
=veRi
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:07.libc

2009-04-22T07:19:12Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:07.libc Security Advisory
The FreeBSD Project

Topic: Information leak in db(3)

Category: core
Module: libc
Announced: 2009-04-22
Credits: Jaakko Heinonen, Xin LI
Affects: All supported versions of FreeBSD.
Corrected: 2009-04-11 15:19:26 UTC (RELENG_7, 7.2-PRERELEASE)
2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)
2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12)
2009-04-11 15:21:11 UTC (RELENG_6, 6.4-STABLE)
2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4)
2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD's C library (libc) contains code for creating and accessing
Berkeley DB 1.85 database files. Such databases are used extensively
in FreeBSD; for example, the system password files (/etc/passwd and
/etc/master.passwd) are normally accessed via their database files
(/etc/pwd.db and /etc/spwd.db).

II. Problem Description

Some data structures used by the database interface code are not properly
initialized when allocated.

III. Impact

Programs using the db(3) interface to create Berkeley database files may
"leak" sensitive information into database files. If those files can be
read by other users, this may result in the disclosure of sensitive
information such as login credentials.

IV. Workaround

No workaround is available, but systems without untrusted local users are
probably not affected (since remote attackers will in most cases not be
able to read such database files).

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:07/libc.patch
# fetch http://security.FreeBSD.org/patches/SA-09:07/libc.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libc
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

NOTE: System administrators may wish to rebuild any system database files
which were created prior to applying this patch in case they contain
sensitive information.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/lib/libc/db/btree/bt_split.c 1.7.2.1
src/lib/libc/db/btree/bt_open.c 1.11.14.1
src/lib/libc/db/hash/hash_buf.c 1.7.14.1
src/lib/libc/db/mpool/mpool.c 1.12.2.1
src/lib/libc/db/README 1.1.40.1
RELENG_6_4
src/UPDATING 1.416.2.40.2.8
src/sys/conf/newvers.sh 1.69.2.18.2.10
src/lib/libc/db/btree/bt_split.c 1.7.12.2
src/lib/libc/db/hash/hash_buf.c 1.7.26.2
src/lib/libc/db/mpool/mpool.c 1.12.12.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.15
src/sys/conf/newvers.sh 1.69.2.15.2.14
src/lib/libc/db/btree/bt_split.c 1.7.10.1
src/lib/libc/db/hash/hash_buf.c 1.7.24.1
src/lib/libc/db/mpool/mpool.c 1.12.10.1
RELENG_7
src/lib/libc/db/btree/bt_split.c 1.8.2.1
src/lib/libc/db/btree/bt_open.c 1.12.2.1
src/lib/libc/db/hash/hash_buf.c 1.8.2.1
src/lib/libc/db/mpool/mpool.c 1.13.2.1
src/lib/libc/db/README 1.1.50.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.8
src/sys/conf/newvers.sh 1.72.2.9.2.9
src/lib/libc/db/btree/bt_split.c 1.8.6.2
src/lib/libc/db/hash/hash_buf.c 1.8.6.2
src/lib/libc/db/mpool/mpool.c 1.13.6.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.16
src/sys/conf/newvers.sh 1.72.2.5.2.16
src/lib/libc/db/btree/bt_split.c 1.8.4.1
src/lib/libc/db/hash/hash_buf.c 1.8.4.1
src/lib/libc/db/mpool/mpool.c 1.13.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r190940
releng/6.4/ r191381
releng/6.3/ r191381
stable/7/ r190939
releng/7.1/ r191381
releng/7.0/ r191381
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:07.libc.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAknvJlkACgkQFdaIBMps37JcyACggmDk96JTy3G5gGlzMlNuVsV7
s5wAoIT2G2c3T6bYa7GeftWLpGGFo2Rp
=rdqD
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:08.openssl

2009-04-22T07:19:08Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:08.openssl Security Advisory
The FreeBSD Project

Topic: Remotely exploitable crash in OpenSSL

Category: contrib
Module: openssl
Announced: 2009-04-22
Affects: All supported versions of FreeBSD.
Corrected: 2009-04-22 14:07:14 UTC (RELENG_7, 7.2-PRERELEASE)
2009-04-22 14:07:14 UTC (RELENG_7_2, 7.2-RC2)
2009-04-22 14:07:14 UTC (RELENG_7_1, 7.1-RELEASE-p5)
2009-04-22 14:07:14 UTC (RELENG_7_0, 7.0-RELEASE-p12)
2009-04-22 14:07:14 UTC (RELENG_6, 6.4-STABLE)
2009-04-22 14:07:14 UTC (RELENG_6_4, 6.4-RELEASE-p4)
2009-04-22 14:07:14 UTC (RELENG_6_3, 6.3-RELEASE-p10)
CVE Name: CVE-2009-0590

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

The function ASN1_STRING_print_ex is often used to print the contents of
an SSL certificate.

II. Problem Description

The function ASN1_STRING_print_ex does not properly validate the lengths
of BMPString or UniversalString objects before attempting to print them.

III. Impact

An application which attempts to print a BMPString or UniversalString
which has an invalid length will crash as a result of OpenSSL accessing
invalid memory locations. This could be used by an attacker to crash a
remote application.

IV. Workaround

No workaround is available, but applications which do not use the
ASN1_STRING_print_ex function (either directly or indirectly) are not
affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_2, RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security
branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, 7.1, and 7.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:08/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:08/openssl.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:08/openssl6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:08/openssl6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make includes && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.4.12.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.10.2
src/crypto/openssl/crypto/asn1/asn1.h 1.1.1.7.10.1
RELENG_6_4
src/UPDATING 1.416.2.40.2.8
src/sys/conf/newvers.sh 1.69.2.18.2.10
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.4.24.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.10.1.6.1
src/crypto/openssl/crypto/asn1/asn1.h 1.1.1.7.22.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.15
src/sys/conf/newvers.sh 1.69.2.15.2.14
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.4.22.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.2.10.1.4.1
src/crypto/openssl/crypto/asn1/asn1.h 1.1.1.7.20.1
RELENG_7
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.6.2.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.5.2.1
src/crypto/openssl/crypto/asn1/asn1.h 1.2.2.1
RELENG_7_2
src/UPDATING 1.507.2.23.2.2
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.6.8.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.5.8.1
src/crypto/openssl/crypto/asn1/asn1.h 1.2.8.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.8
src/sys/conf/newvers.sh 1.72.2.9.2.9
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.6.6.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.5.6.1
src/crypto/openssl/crypto/asn1/asn1.h 1.2.6.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.16
src/sys/conf/newvers.sh 1.72.2.5.2.16
src/crypto/openssl/crypto/asn1/asn1_err.c 1.1.1.6.4.1
src/crypto/openssl/crypto/asn1/tasn_dec.c 1.1.1.5.4.1
src/crypto/openssl/crypto/asn1/asn1.h 1.2.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r191381
releng/6.4/ r191381
releng/6.3/ r191381
stable/7/ r191381
releng/7.2/ r191381
releng/7.1/ r191381
releng/7.0/ r191381
- -------------------------------------------------------------------------

VII. References

http://openssl.org/news/secadv_20090325.txt
[Note that two of the issues mentioned in the OpenSSL advisory do
not affect FreeBSD.]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0590

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:08.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAknvJegACgkQFdaIBMps37LB4gCffpTTOSdqyLK6ravrv6h8LqWE
MDcAn2SIjNmRL8Oktk0l9hLz0mhtcxWP
=Q7Zz
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:06.ktimer

2009-03-22T17:09:12Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:06.ktimer Security Advisory
The FreeBSD Project

Topic: Local privilege escalation

Category: core
Module: kern
Announced: 2009-03-23
Affects: FreeBSD 7.x
Corrected: 2009-03-23 00:00:50 UTC (RELENG_7, 7.2-PRERELEASE)
2009-03-23 00:00:50 UTC (RELENG_7_1, 7.1-RELEASE-p4)
2009-03-23 00:00:50 UTC (RELENG_7_0, 7.0-RELEASE-p11)
CVE Name: CVE-2009-1041

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

In FreeBSD 7.0, support was introduced for per-process timers as defined
in the POSIX realtime extensions. This allows a process to have a limited
number of timers running at once, with various actions taken when each
timer reaches zero.

II. Problem Description

An integer which specifies which timer a process wishes to operate upon is
not properly bounds-checked.

III. Impact

An unprivileged process can overwrite an arbitrary location in kernel
memory. This could be used to change the user ID of the process (in order
to "become root"), to escape from a jail, or to bypass security mechanisms
in other ways.

IV. Workaround

No workaround is available, but systems without untrusted local users are
not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1
or RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 7.0 and 7.1
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch
# fetch http://security.FreeBSD.org/patches/SA-09:06/ktimer.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/sys/kern/kern_time.c 1.142.2.3
RELENG_7_1
src/UPDATING 1.507.2.13.2.7
src/sys/conf/newvers.sh 1.72.2.9.2.8
src/sys/kern/kern_time.c 1.142.2.2.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.15
src/sys/conf/newvers.sh 1.72.2.5.2.15
src/sys/kern/kern_time.c 1.142.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r190301
releng/7.1/ r190301
releng/7.0/ r190301
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1041

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-06:09.ktimer.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAknG0hQACgkQFdaIBMps37JA4gCfaznvIWKB/AU0cv6ojZUhheD4
MuYAnAp3wuz3E7gIX6VK7PeUVnPp/41o
=MPIX
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:05.telnetd

2009-02-16T14:02:33Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:05.telnetd Security Advisory
The FreeBSD Project

Topic: telnetd code execution vulnerability

Category: core
Module: contrib
Announced: 2009-02-16
Affects: FreeBSD 7.x
Corrected: 2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol. It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead. The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol allows a connecting client to specify environment
variables which should be set in any created login session; this is used,
for example, to specify terminal settings.

II. Problem Description

In order to prevent environment variable based attacks, telnetd(8) "scrubs"
its environment; however, recent changes in FreeBSD's environment-handling
code rendered telnetd's scrubbing inoperative, thereby allowing potentially
harmful environment variables to be set.

III. Impact

An attacker who can place a specially-constructed file onto a target system
(either by legitimately logging into the system or by exploiting some other
service on the system) can execute arbitrary code with the privileges of
the user running the telnet daemon (usually root).

IV. Workaround

No workaround is available, but systems which are not running the telnet
daemon are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or
RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 and 7.1
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/contrib/telnet/telnetd/sys_term.c 1.18.22.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.6
src/sys/conf/newvers.sh 1.72.2.9.2.7
src/contrib/telnet/telnetd/sys_term.c 1.18.30.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.14
src/sys/conf/newvers.sh 1.72.2.5.2.14
src/contrib/telnet/telnetd/sys_term.c 1.18.26.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r188699
releng/7.1/ r188699
releng/7.0/ r188699
- -------------------------------------------------------------------------

VII. References

http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:05.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkmZ4dwACgkQFdaIBMps37JI2gCfZsCqw/ev/qVKELwNiFxj8zra
aooAn0GU4wBW7jBulFhrSyXtKVlgs18B
=joA6
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:04.bind

2009-01-13T14:33:57Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:04.bind Security Advisory
The FreeBSD Project

Topic: BIND DNSSEC incorrect checks for malformed signatures

Category: contrib
Module: bind
Announced: 2009-01-13
Credits: Google Security Team
Affects: All supported FreeBSD versions
Corrected: 2009-01-10 03:00:21 UTC (RELENG_7, 7.1-STABLE)
2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
2009-01-10 04:30:27 UTC (RELENG_6, 6.4-STABLE)
2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
CVE Name: CVE-2009-0025

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication as part of responses to DNS queries.

FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.

II. Problem Description

The DSA_do_verify() function from OpenSSL is used to determine if a
DSA digital signature is valid. When DNSSEC is used within BIND it
uses DSA_do_verify() to verify DSA signatures, but checks the function
return value incorrectly.

III. Impact

It is in theory possible to spoof a DNS reply even though DNSSEC
is set up to validate answers. This could be used by an attacker for
man-in-the-middle or other spoofing attacks.

IV. Workaround

Disable the the DSA algorithm in named.conf. This will cause answers
from zones signed only with DSA to be treated as insecure. Add the
following to the options section of named.conf:

disable-algorithms . { DSA; };

NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup is
not vulnerable to the issue as described in this Security Advisory.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

c) Install and use a fixed version of BIND from the FreeBSD Ports
Collection.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/bind9/CHANGES 1.1.1.3.2.10
src/contrib/bind9/FAQ 1.1.1.2.2.5
src/contrib/bind9/FAQ.xml 1.1.1.1.2.5
src/contrib/bind9/README 1.1.1.2.2.6
src/contrib/bind9/aclocal.m4 1.1.4.1
src/contrib/bind9/bin/dig/dig.1 1.1.1.1.4.4
src/contrib/bind9/bin/dig/dig.c 1.1.1.2.2.4
src/contrib/bind9/bin/dig/dig.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dig/dig.html 1.1.1.1.4.4
src/contrib/bind9/bin/dig/dighost.c 1.1.1.2.2.5
src/contrib/bind9/bin/dig/host.1 1.1.1.1.4.4
src/contrib/bind9/bin/dig/host.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dig/host.html 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-keygen.8 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-keygen.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dnssec/dnssec-keygen.html 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-signzone.8 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-signzone.c 1.1.1.2.2.4
src/contrib/bind9/bin/dnssec/dnssec-signzone.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dnssec/dnssec-signzone.html 1.1.1.1.4.4
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.7
src/contrib/bind9/bin/named/config.c 1.1.1.2.2.4
src/contrib/bind9/bin/named/controlconf.c 1.1.1.1.4.4
src/contrib/bind9/bin/named/include/named/globals.h 1.1.1.1.4.2
src/contrib/bind9/bin/named/interfacemgr.c 1.1.1.1.4.4
src/contrib/bind9/bin/named/lwresd.8 1.1.1.1.4.4
src/contrib/bind9/bin/named/lwresd.c 1.1.1.1.4.3
src/contrib/bind9/bin/named/lwresd.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/named/lwresd.html 1.1.1.1.4.4
src/contrib/bind9/bin/named/main.c 1.1.1.2.2.3
src/contrib/bind9/bin/named/named.8 1.1.1.1.4.4
src/contrib/bind9/bin/named/named.conf.5 1.1.1.2.2.4
src/contrib/bind9/bin/named/named.conf.docbook 1.1.1.2.2.5
src/contrib/bind9/bin/named/named.conf.html 1.1.1.2.2.4
src/contrib/bind9/bin/named/named.docbook 1.1.1.1.4.4
src/contrib/bind9/bin/named/named.html 1.1.1.1.4.4
src/contrib/bind9/bin/named/query.c 1.1.1.1.4.6
src/contrib/bind9/bin/named/server.c 1.1.1.2.2.6
src/contrib/bind9/bin/named/unix/include/named/os.h 1.1.1.2.2.2
src/contrib/bind9/bin/named/unix/os.c 1.1.1.2.2.4
src/contrib/bind9/bin/named/update.c 1.1.1.2.2.4
src/contrib/bind9/bin/nsupdate/Makefile.in 1.1.1.1.4.2
src/contrib/bind9/bin/nsupdate/nsupdate.1 1.1.4.1
src/contrib/bind9/bin/nsupdate/nsupdate.8 1.1.1.1.4.4
src/contrib/bind9/bin/nsupdate/nsupdate.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/nsupdate/nsupdate.html 1.1.1.1.4.4
src/contrib/bind9/bin/rndc/rndc-confgen.c 1.1.1.2.2.1
src/contrib/bind9/bin/rndc/rndc.c 1.1.1.3.2.3
src/contrib/bind9/config.h.in 1.1.4.1
src/contrib/bind9/configure.in 1.1.1.2.2.6
src/contrib/bind9/lib/bind/aclocal.m4 1.1.1.2.2.2
src/contrib/bind9/lib/bind/api 1.1.1.2.2.4
src/contrib/bind9/lib/bind/bsd/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/bsd/strerror.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/bsd/strtoul.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/config.h.in 1.1.1.2.2.4
src/contrib/bind9/lib/bind/configure.in 1.1.1.2.2.5
src/contrib/bind9/lib/bind/dst/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/dst/dst_api.c 1.1.1.2.2.4
src/contrib/bind9/lib/bind/dst/hmac_link.c 1.1.1.1.4.4
src/contrib/bind9/lib/bind/dst/support.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/include/arpa/nameser.h 1.1.1.1.4.1
src/contrib/bind9/lib/bind/include/isc/assertions.h 1.1.1.1.4.1
src/contrib/bind9/lib/bind/include/isc/misc.h 1.1.1.1.4.1
src/contrib/bind9/lib/bind/include/resolv.h 1.1.1.1.4.2
src/contrib/bind9/lib/bind/inet/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/inet/inet_net_pton.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/irs/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/irs/dns_ho.c 1.1.1.1.4.4
src/contrib/bind9/lib/bind/irs/irp.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/isc/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/isc/assertions.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/isc/bitncmp.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/isc/ctl_clnt.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/isc/ctl_srvr.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/nameser/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/port_after.h.in 1.1.1.2.2.4
src/contrib/bind9/lib/bind/resolv/Makefile.in 1.1.1.1.4.2
src/contrib/bind9/lib/bind/resolv/res_debug.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/resolv/res_mkquery.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/resolv/res_query.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind9/api 1.1.1.2.2.4
src/contrib/bind9/lib/bind9/check.c 1.1.1.2.2.4
src/contrib/bind9/lib/dns/adb.c 1.1.1.2.2.4
src/contrib/bind9/lib/dns/api 1.1.1.2.2.7
src/contrib/bind9/lib/dns/cache.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.6
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.5
src/contrib/bind9/lib/dns/journal.c 1.1.1.2.2.3
src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/message.c 1.1.1.1.4.5
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/rbt.c 1.1.1.2.2.3
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.c 1.1.1.1.4.1
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.h 1.1.1.1.4.1
src/contrib/bind9/lib/dns/rdata/generic/txt_16.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c 1.1.1.1.4.1
src/contrib/bind9/lib/dns/request.c 1.1.1.1.4.4
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.10
src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.5
src/contrib/bind9/lib/dns/view.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/xfrin.c 1.1.1.2.2.5
src/contrib/bind9/lib/isc/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/isc/api 1.1.1.2.2.5
src/contrib/bind9/lib/isc/assertions.c 1.1.1.1.4.1
src/contrib/bind9/lib/isc/include/isc/assertions.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/include/isc/mem.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/msgs.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/include/isc/platform.h.in 1.1.1.1.4.2
src/contrib/bind9/lib/isc/include/isc/portset.h 1.1.4.1
src/contrib/bind9/lib/isc/include/isc/resource.h 1.1.1.1.4.2
src/contrib/bind9/lib/isc/include/isc/socket.h 1.1.1.1.4.3
src/contrib/bind9/lib/isc/include/isc/timer.h 1.1.1.1.4.4
src/contrib/bind9/lib/isc/include/isc/types.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/mem.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/portset.c 1.1.4.1
src/contrib/bind9/lib/isc/print.c 1.1.1.1.4.2
src/contrib/bind9/lib/isc/pthreads/mutex.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/timer.c 1.1.1.1.4.5
src/contrib/bind9/lib/isc/unix/app.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/unix/include/isc/net.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/unix/net.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/unix/resource.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/unix/socket.c 1.1.1.2.2.5
src/contrib/bind9/lib/isc/unix/socket_p.h 1.1.1.1.4.2
src/contrib/bind9/lib/isc/unix/time.c 1.1.1.1.4.1
src/contrib/bind9/lib/isccfg/api 1.1.1.2.2.4
src/contrib/bind9/lib/isccfg/namedconf.c 1.1.1.2.2.5
src/contrib/bind9/version 1.1.1.3.2.10
RELENG_6_4
src/UPDATING 1.416.2.40.2.6
src/sys/conf/newvers.sh 1.69.2.18.2.9
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.1.4.2.4.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.1.4.2.2.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.14
src/sys/conf/newvers.sh 1.69.2.15.2.13
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.1.4.2.2.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.1.4.1.2.1
RELENG_7
src/contrib/bind9/CHANGES 1.1.1.10.2.4
src/contrib/bind9/COPYRIGHT 1.1.1.4.2.3
src/contrib/bind9/FAQ 1.1.1.6.2.2
src/contrib/bind9/FAQ.xml 1.1.1.4.2.2
src/contrib/bind9/README 1.1.1.7.2.2
src/contrib/bind9/aclocal.m4 1.1.2.1
src/contrib/bind9/bin/check/check-tool.c 1.1.1.3.2.2
src/contrib/bind9/bin/check/named-checkconf.c 1.1.1.4.2.1
src/contrib/bind9/bin/check/named-checkzone.c 1.1.1.3.2.2
src/contrib/bind9/bin/dig/dig.1 1.1.1.4.2.2
src/contrib/bind9/bin/dig/dig.c 1.1.1.5.2.2
src/contrib/bind9/bin/dig/dig.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dig/dig.html 1.1.1.4.2.2
src/contrib/bind9/bin/dig/dighost.c 1.1.1.5.2.3
src/contrib/bind9/bin/dig/host.1 1.1.1.4.2.2
src/contrib/bind9/bin/dig/host.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dig/host.html 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-keygen.8 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-keygen.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dnssec/dnssec-keygen.html 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.8 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.c 1.1.1.5.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.html 1.1.1.4.2.2
src/contrib/bind9/bin/named/client.c 1.1.1.6.2.4
src/contrib/bind9/bin/named/config.c 1.1.1.4.2.3
src/contrib/bind9/bin/named/controlconf.c 1.1.1.3.2.2
src/contrib/bind9/bin/named/include/named/globals.h 1.1.1.3.2.1
src/contrib/bind9/bin/named/interfacemgr.c 1.1.1.3.2.2
src/contrib/bind9/bin/named/lwaddr.c 1.1.1.2.2.1
src/contrib/bind9/bin/named/lwdgnba.c 1.1.1.2.2.1
src/contrib/bind9/bin/named/lwdnoop.c 1.1.1.2.2.1
src/contrib/bind9/bin/named/lwresd.8 1.1.1.4.2.2
src/contrib/bind9/bin/named/lwresd.c 1.1.1.3.2.2
src/contrib/bind9/bin/named/lwresd.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/named/lwresd.html 1.1.1.4.2.2
src/contrib/bind9/bin/named/main.c 1.1.1.5.2.1
src/contrib/bind9/bin/named/named.8 1.1.1.4.2.2
src/contrib/bind9/bin/named/named.conf.5 1.1.1.5.2.2
src/contrib/bind9/bin/named/named.conf.docbook 1.1.1.5.2.3
src/contrib/bind9/bin/named/named.conf.html 1.1.1.5.2.2
src/contrib/bind9/bin/named/named.docbook 1.1.1.4.2.2
src/contrib/bind9/bin/named/named.html 1.1.1.4.2.2
src/contrib/bind9/bin/named/query.c 1.1.1.6.2.2
src/contrib/bind9/bin/named/server.c 1.1.1.6.2.4
src/contrib/bind9/bin/named/unix/include/named/os.h 1.1.1.3.2.1
src/contrib/bind9/bin/named/unix/os.c 1.1.1.5.2.1
src/contrib/bind9/bin/named/update.c 1.1.1.5.2.2
src/contrib/bind9/bin/nsupdate/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/bin/nsupdate/nsupdate.1 1.1.2.1
src/contrib/bind9/bin/nsupdate/nsupdate.8 1.1.1.4.2.2
src/contrib/bind9/bin/nsupdate/nsupdate.c 1.1.1.5.2.2
src/contrib/bind9/bin/nsupdate/nsupdate.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/nsupdate/nsupdate.html 1.1.1.4.2.2
src/contrib/bind9/bin/rndc/rndc-confgen.c 1.1.1.3.2.1
src/contrib/bind9/bin/rndc/rndc.8 1.1.1.4.2.2
src/contrib/bind9/bin/rndc/rndc.c 1.1.1.6.2.2
src/contrib/bind9/bin/rndc/rndc.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/rndc/rndc.html 1.1.1.4.2.2
src/contrib/bind9/config.h.in 1.1.2.1
src/contrib/bind9/configure.in 1.1.1.6.2.3
src/contrib/bind9/lib/bind/aclocal.m4 1.1.1.2.10.2
src/contrib/bind9/lib/bind/api 1.1.1.5.2.2
src/contrib/bind9/lib/bind/bsd/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/bsd/strerror.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/bsd/strtoul.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/config.h.in 1.1.1.4.2.3
src/contrib/bind9/lib/bind/configure.in 1.1.1.5.2.3
src/contrib/bind9/lib/bind/dst/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/dst/dst_api.c 1.1.1.5.2.2
src/contrib/bind9/lib/bind/dst/hmac_link.c 1.1.1.4.2.2
src/contrib/bind9/lib/bind/dst/support.c 1.1.1.3.2.1
src/contrib/bind9/lib/bind/include/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/arpa/nameser.h 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/isc/assertions.h 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/isc/eventlib.h 1.1.1.3.2.1
src/contrib/bind9/lib/bind/include/isc/misc.h 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/isc/platform.h.in 1.2.2.1
src/contrib/bind9/lib/bind/include/netdb.h 1.1.1.4.2.1
src/contrib/bind9/lib/bind/include/resolv.h 1.1.1.3.2.1
src/contrib/bind9/lib/bind/inet/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/inet/inet_net_pton.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/inet/inet_network.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/irs/Makefile.in 1.1.1.3.2.1
src/contrib/bind9/lib/bind/irs/dns_ho.c 1.1.1.4.2.1
src/contrib/bind9/lib/bind/irs/getnetgrent.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/irs/getnetgrent_r.c 1.1.1.4.2.1
src/contrib/bind9/lib/bind/irs/irp.c 1.1.1.3.2.1
src/contrib/bind9/lib/bind/isc/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/assertions.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/bitncmp.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/ctl_clnt.c 1.1.1.2.2.2
src/contrib/bind9/lib/bind/isc/ctl_srvr.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/logging.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/nameser/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/port_after.h.in 1.1.1.4.2.1
src/contrib/bind9/lib/bind/port_before.h.in 1.1.1.4.2.2
src/contrib/bind9/lib/bind/resolv/Makefile.in 1.1.1.3.2.1
src/contrib/bind9/lib/bind/resolv/res_debug.c 1.1.1.3.2.1
src/contrib/bind9/lib/bind/resolv/res_mkquery.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/resolv/res_query.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/resolv/res_send.c 1.1.1.4.2.1
src/contrib/bind9/lib/bind9/api 1.1.1.5.2.2
src/contrib/bind9/lib/bind9/check.c 1.1.1.5.2.4
src/contrib/bind9/lib/dns/acache.c 1.1.1.1.2.1
src/contrib/bind9/lib/dns/adb.c 1.1.1.5.2.2
src/contrib/bind9/lib/dns/api 1.1.1.6.2.4
src/contrib/bind9/lib/dns/cache.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.4.2.4
src/contrib/bind9/lib/dns/dst_parse.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/dst_parse.h 1.1.1.2.2.1
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.3.2.4
src/contrib/bind9/lib/dns/journal.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/master.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.1
src/contrib/bind9/lib/dns/message.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.3.2.2
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/rbt.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.h 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/generic/txt_16.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/in_1/apl_42.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/request.c 1.1.1.3.2.2
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.4
src/contrib/bind9/lib/dns/rootns.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/sdb.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/tkey.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/tsig.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.2
src/contrib/bind9/lib/dns/view.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/xfrin.c 1.1.1.5.2.3
src/contrib/bind9/lib/dns/zone.c 1.1.1.5.2.2
src/contrib/bind9/lib/isc/Makefile.in 1.1.1.2.2.2
src/contrib/bind9/lib/isc/api 1.1.1.5.2.3
src/contrib/bind9/lib/isc/assertions.c 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/assertions.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/lex.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/mem.h 1.1.1.3.2.1
src/contrib/bind9/lib/isc/include/isc/msgs.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/platform.h.in 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/portset.h 1.1.2.1
src/contrib/bind9/lib/isc/include/isc/resource.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/socket.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/timer.h 1.1.1.3.2.2
src/contrib/bind9/lib/isc/include/isc/types.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/mem.c 1.1.1.3.2.2
src/contrib/bind9/lib/isc/portset.c 1.1.2.1
src/contrib/bind9/lib/isc/print.c 1.1.1.3.2.1
src/contrib/bind9/lib/isc/pthreads/mutex.c 1.1.1.3.2.1
src/contrib/bind9/lib/isc/timer.c 1.1.1.4.2.3
src/contrib/bind9/lib/isc/unix/app.c 1.1.1.2.2.2
src/contrib/bind9/lib/isc/unix/include/isc/net.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/unix/net.c 1.1.1.3.2.2
src/contrib/bind9/lib/isc/unix/resource.c 1.1.1.2.2.2
src/contrib/bind9/lib/isc/unix/socket.c 1.1.1.5.2.3
src/contrib/bind9/lib/isc/unix/socket_p.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/unix/time.c 1.1.1.2.2.1
src/contrib/bind9/lib/isccfg/api 1.1.1.4.2.3
src/contrib/bind9/lib/isccfg/namedconf.c 1.1.1.5.2.2
src/contrib/bind9/lib/lwres/api 1.1.1.5.2.2
src/contrib/bind9/make/rules.in 1.1.1.4.2.2
src/contrib/bind9/version 1.1.1.10.2.4
RELENG_7_1
src/UPDATING 1.507.2.13.2.5
src/sys/conf/newvers.sh 1.72.2.9.2.6
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.4.6.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.3.2.1.4.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.13
src/sys/conf/newvers.sh 1.72.2.5.2.13
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.4.4.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.3.2.1.2.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r187002
releng/6.4/ r187194
releng/6.3/ r187194
stable/7/ r186997
releng/7.1/ r187194
releng/7.0/ r187194
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
https://www.isc.org/node/373

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:04.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFJbRUmFdaIBMps37IRAonEAJsFQFtZGTz6tXFc5TSRMLhB1hxb6QCeI0Pd
ZFPKsX8/XspOTzRWA1h3QPk=
=dpqG
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:03.ntpd

2009-01-13T14:33:21Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:03.ntpd Security Advisory
The FreeBSD Project

Topic: ntpd cryptographic signature bypass

Category: contrib
Module: ntpd
Announced: 2009-01-13
Credits: Google Security Team
Affects: All FreeBSD releases
Corrected: 2009-01-13 21:19:27 UTC (RELENG_7, 7.1-STABLE)
2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
2009-01-13 21:19:27 UTC (RELENG_6, 6.4-STABLE)
2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
CVE Name: CVE-2009-0021

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The ntpd daemon is an implementation of the Network Time Protocol
(NTP) used to synchronize the time of a computer system to a reference
time source.

FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.

II. Problem Description

The EVP_VerifyFinal() function from OpenSSL is used to determine if a
digital signature is valid. When ntpd(8) is set to cryptographically
authenticate NTP data it incorrectly checks the return value from
EVP_VerifyFinal().

III. Impact

An attacker which can send NTP packets to ntpd, which uses
cryptographic authentication of NTP data, may be able to inject
malicious time data causing the system clock to be set incorrectly.

IV. Workaround

Use IP based restrictions in ntpd itself or in IP firewalls to
restrict which systems can send NTP packets to ntpd.

NOTE WELL: If ntpd is not explicitly set to use cryptographic
authentication of NTP data the setup is not vulnerable to the issue
as described in this Security Advisory.

V. Solution

NOTE WELL: Due to an error in building the updates, this fix is not
available via freebsd-update at the time of this advisory. We expect
that this will be fixed within the next 48 hours.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.4 and 7.1]
# fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd.patch.asc

[FreeBSD 6.3 and 7.0]
# fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch
# fetch http://security.FreeBSD.org/patches/SA-09:03/ntpd63.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.8.2
RELENG_6_4
src/UPDATING 1.416.2.40.2.6
src/sys/conf/newvers.sh 1.69.2.18.2.9
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.8.1.2.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.14
src/sys/conf/newvers.sh 1.69.2.15.2.13
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.20.1
RELENG_7
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.5
src/sys/conf/newvers.sh 1.72.2.9.2.6
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.18.1.2.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.13
src/sys/conf/newvers.sh 1.72.2.5.2.13
src/contrib/ntp/ntpd/ntp_crypto.c 1.1.1.3.22.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r187194
releng/6.4/ r187194
releng/6.3/ r187194
stable/7/ r187194
releng/7.1/ r187194
releng/7.0/ r187194
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0021
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:03.ntpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFJbRUfFdaIBMps37IRAqdjAJ42YSH0bjaAJBEVyMM7/em/tu0xUQCfVPrs
IrH0Qxo4slvboQHsy1PbkN4=
=Q4rn
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:02.openssl

2009-01-07T13:37:18Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:02.openssl Security Advisory
The FreeBSD Project

Topic: OpenSSL incorrectly checks for malformed signatures

Category: contrib
Module: openssl
Announced: 2009-01-07
Credits: Google Security Team
Affects: All FreeBSD releases
Corrected: 2009-01-07 21:03:41 UTC (RELENG_7, 7.1-STABLE)
2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name: CVE-2008-5077

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

The EVP_VerifyFinal() function from OpenSSL is used to determine if a
digital signature is valid. The SSL layer in OpenSSL uses
EVP_VerifyFinal(), which in several places checks the return value
incorrectly and treats verification errors as a good signature. This
is only a problem for DSA and ECDSA keys.

III. Impact

For applications using OpenSSL for SSL connections, an invalid SSL
certificate may be interpreted as valid. This could for example be
used by an attacker to perform a man-in-the-middle attack.

Other applications which use the OpenSSL EVP API may similarly be
affected.

IV. Workaround

For a server an RSA signed certificate may be used instead of DSA or
ECDSA based certificate.

Note that Mozilla Firefox does not use OpenSSL and thus is not
affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/crypto/openssl/apps/speed.c 1.13.2.1
src/crypto/openssl/apps/verify.c 1.1.1.5.12.1
src/crypto/openssl/apps/x509.c 1.1.1.10.2.1
src/crypto/openssl/apps/spkac.c 1.1.1.4.12.1
src/crypto/openssl/ssl/s2_srvr.c 1.12.2.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.2
src/crypto/openssl/ssl/s2_clnt.c 1.13.2.2
RELENG_6_4
src/UPDATING 1.416.2.40.2.5
src/sys/conf/newvers.sh 1.69.2.18.2.8
src/crypto/openssl/apps/speed.c 1.13.12.1
src/crypto/openssl/apps/verify.c 1.1.1.5.24.1
src/crypto/openssl/apps/x509.c 1.1.1.10.12.1
src/crypto/openssl/apps/spkac.c 1.1.1.4.24.1
src/crypto/openssl/ssl/s2_srvr.c 1.12.12.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.12.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1.6.1
src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1.6.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.13
src/sys/conf/newvers.sh 1.69.2.15.2.12
src/crypto/openssl/apps/speed.c 1.13.10.1
src/crypto/openssl/apps/verify.c 1.1.1.5.22.1
src/crypto/openssl/apps/x509.c 1.1.1.10.10.1
src/crypto/openssl/apps/spkac.c 1.1.1.4.22.1
src/crypto/openssl/ssl/s2_srvr.c 1.12.10.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.10.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1.4.1
src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1.4.1
RELENG_7
src/crypto/openssl/apps/speed.c 1.15.2.1
src/crypto/openssl/apps/verify.c 1.1.1.6.2.1
src/crypto/openssl/apps/x509.c 1.1.1.11.2.1
src/crypto/openssl/apps/spkac.c 1.1.1.5.2.1
src/crypto/openssl/ssl/s2_srvr.c 1.13.2.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.1
src/crypto/openssl/ssl/ssltest.c 1.1.1.10.2.1
src/crypto/openssl/ssl/s2_clnt.c 1.15.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.4
src/sys/conf/newvers.sh 1.72.2.9.2.5
src/crypto/openssl/apps/speed.c 1.15.6.1
src/crypto/openssl/apps/verify.c 1.1.1.6.6.1
src/crypto/openssl/apps/x509.c 1.1.1.11.6.1
src/crypto/openssl/apps/spkac.c 1.1.1.5.6.1
src/crypto/openssl/ssl/s2_srvr.c 1.13.6.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.6.1
src/crypto/openssl/ssl/ssltest.c 1.1.1.10.6.1
src/crypto/openssl/ssl/s2_clnt.c 1.15.6.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.12
src/sys/conf/newvers.sh 1.72.2.5.2.12
src/crypto/openssl/apps/speed.c 1.15.4.1
src/crypto/openssl/apps/verify.c 1.1.1.6.4.1
src/crypto/openssl/apps/x509.c 1.1.1.11.4.1
src/crypto/openssl/apps/spkac.c 1.1.1.5.4.1
src/crypto/openssl/ssl/s2_srvr.c 1.13.4.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.4.1
src/crypto/openssl/ssl/ssltest.c 1.1.1.10.4.1
src/crypto/openssl/ssl/s2_clnt.c 1.15.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186873
releng/6.4/ r186872
releng/6.3/ r186872
stable/7/ r186872
releng/7.1/ r186872
releng/7.0/ r186872
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://www.openssl.org/news/secadv_20090107.txt

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFJZR5ZFdaIBMps37IRAofJAJ4lm2jGfsMo28c0W4zRkhZrKmttGwCgmdd9
IvNUwk47W24SwhQAGH5+Ggw=
=UHSl
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-09:01.lukemftpd

2009-01-07T13:36:20Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:01.lukemftpd Security Advisory
The FreeBSD Project

Topic: Cross-site request forgery in lukemftpd(8)

Category: core
Module: lukemftpd
Announced: 2009-01-07
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2009-01-07 20:17:55 UTC (RELENG_7, 7.1-STABLE)
2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name: CVE-2008-4247

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

lukemftpd(8) is a general-purpose implementation of File Transfer Protocol
(FTP) server that is shipped with the FreeBSD base system. It is not enabled
in default installations but can be enabled as either an inetd(8) server,
or a standard-alone server.

A cross-site request forgery attack is a type of malicious exploit that is
mainly targeted to a web browser, by tricking a user trusted by the site
into visiting a specially crafted URL, which in turn executes a command
which performs some privileged operations on behalf of the trusted user
on the victim site.

II. Problem Description

The lukemftpd(8) server splits long commands into several requests. This
may result in the server executing a command which is hidden inside
another very long command.

III. Impact

This could, with a specifically crafted command, be used in a
cross-site request forgery attack.

FreeBSD systems running lukemftpd(8) server could act as a point of privilege
escalation in an attack against users using web browser to access trusted
FTP sites.

IV. Workaround

No workaround is available, but systems not running FTP servers are
not vulnerable. Systems not running the FreeBSD lukemftpd(8) server are not
affected, but users of other ftp daemons are advised to take care since
several other ftp daemons are known to have related bugs.

NOTE WELL: lukemftpd(8) is a different implementation of an FTP server
than ftpd(8).

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:01/lukemftpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:01/lukemftpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/lukemftpd
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.5.2.2
src/contrib/lukemftpd/src/extern.h 1.1.1.4.2.2
src/contrib/lukemftpd/src/ftpd.c 1.4.2.2
RELENG_6_4
src/UPDATING 1.416.2.40.2.5
src/sys/conf/newvers.sh 1.69.2.18.2.8
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.5.2.1.6.1
src/contrib/lukemftpd/src/extern.h 1.1.1.4.2.1.6.1
src/contrib/lukemftpd/src/ftpd.c 1.4.2.1.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.13
src/sys/conf/newvers.sh 1.69.2.15.2.12
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.5.2.1.4.1
src/contrib/lukemftpd/src/extern.h 1.1.1.4.2.1.4.1
src/contrib/lukemftpd/src/ftpd.c 1.4.2.1.4.1
RELENG_7
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.6.2.1
src/contrib/lukemftpd/src/extern.h 1.1.1.5.2.1
src/contrib/lukemftpd/src/ftpd.c 1.5.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.4
src/sys/conf/newvers.sh 1.72.2.9.2.5
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.6.6.1
src/contrib/lukemftpd/src/extern.h 1.1.1.5.6.1
src/contrib/lukemftpd/src/ftpd.c 1.5.6.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.12
src/sys/conf/newvers.sh 1.72.2.5.2.12
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.6.4.1
src/contrib/lukemftpd/src/extern.h 1.1.1.5.4.1
src/contrib/lukemftpd/src/ftpd.c 1.5.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186872
releng/6.4/ r186872
releng/6.3/ r186872
stable/7/ r186872
releng/7.1/ r186872
releng/7.0/ r186872
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4247
http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFJZR5UFdaIBMps37IRApUJAKCEGZggeEjPC67j5Tmxl2fEDJ9sIQCfTAKn
vpOXC5jix3XiB7wxGKrvNJM=
=qPEc
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:12.ftpd

2008-12-22T17:39:29Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:12.ftpd Security Advisory
The FreeBSD Project

Topic: Cross-site request forgery in ftpd(8)

Category: core
Module: ftpd
Announced: 2008-12-23
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)
CVE Name: CVE-2008-4247

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

ftpd(8) is a general-purpose implementation of File Transfer Protocol (FTP)
server that is shipped with the FreeBSD base system. It is not enabled
in default installations but can be enabled as either an inetd(8) server,
or a standard-alone server.

A cross-site request forgery attack is a type of malicious exploit that is
mainly targeted to a web browser, by tricking a user trusted by the site
into visiting a specially crafted URL, which in turn executes a command
which performs some privileged operations on behalf of the trusted user
on the victim site.

II. Problem Description

The ftpd(8) server splits long commands into several requests. This
may result in the server executing a command which is hidden inside
another very long command.

III. Impact

This could, with a specifically crafted command, be used in a
cross-site request forgery attack.

FreeBSD systems running ftpd(8) server could act as a point of privilege
escalation in an attack against users using web browser to access trusted
FTP sites.

IV. Workaround

No workaround is available, but systems not running FTP servers are
not vulnerable. Systems not running the FreeBSD ftp(8) server are not
affected, but users of other ftp daemons are advised to take care
since several other ftp daemons are known to have related bugs.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:12/ftpd.patch
# fetch http://security.FreeBSD.org/patches/SA-08:12/ftpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/ftpd
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/libexec/ftpd/ftpcmd.y 1.64.2.3
src/libexec/ftpd/extern.h 1.19.14.1
src/libexec/ftpd/ftpd.c 1.206.2.4
RELENG_6_4
src/UPDATING 1.416.2.40.2.4
src/sys/conf/newvers.sh 1.69.2.18.2.7
src/libexec/ftpd/ftpcmd.y 1.64.2.2.4.2
src/libexec/ftpd/extern.h 1.19.30.2
src/libexec/ftpd/ftpd.c 1.206.2.3.4.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.12
src/sys/conf/newvers.sh 1.69.2.15.2.11
src/libexec/ftpd/ftpcmd.y 1.64.2.2.2.1
src/libexec/ftpd/extern.h 1.19.26.1
src/libexec/ftpd/ftpd.c 1.206.2.3.2.1
RELENG_7
src/libexec/ftpd/ftpcmd.y 1.66.2.1
src/libexec/ftpd/extern.h 1.19.24.1
src/libexec/ftpd/ftpd.c 1.212.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.2
src/libexec/ftpd/ftpcmd.y 1.66.6.2
src/libexec/ftpd/extern.h 1.19.32.2
src/libexec/ftpd/ftpd.c 1.212.6.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.11
src/sys/conf/newvers.sh 1.72.2.5.2.11
src/libexec/ftpd/ftpcmd.y 1.66.4.1
src/libexec/ftpd/extern.h 1.19.28.1
src/libexec/ftpd/ftpd.c 1.212.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186405
releng/6.4/ r186405
releng/6.3/ r186405
stable/7/ r186405
releng/7.1/ r186405
releng/7.0/ r186405
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4247

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAklQP8wACgkQFdaIBMps37ITvgCePP8oVI6cffvQu229Qg7eNshN
A0kAn3A6kjr+QovEwOVKNzjow1aCtU8K
=sDxD
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:13.protosw

2008-12-22T17:39:23Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:13.protosw Security Advisory
The FreeBSD Project

Topic: netgraph / bluetooth privilege escalation

Category: core
Module: sys_kern
Announced: 2008-12-23
Credits: Christer Oberg
Affects: All FreeBSD releases
Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The FreeBSD kernel provides support for a variety of different types of
communications sockets, including IPv4, IPv6, ISDN, ATM, routing protocol,
link-layer, netgraph(4), and bluetooth sockets. As an early form of
object-oriented design, much of the functionality specific to different
types of sockets is abstracted via function pointers.

II. Problem Description

Some function pointers for netgraph and bluetooth sockets are not
properly initialized.

III. Impact

A local user can cause the FreeBSD kernel to execute arbitrary code.
This could be used by an attacker directly; or it could be used to gain
root privilege or to escape from a jail.

IV. Workaround

No workaround is available, but systems without local untrusted users
are not vulnerable. Furthermore, systems are not vulnerable if they
have neither the ng_socket nor ng_bluetooth kernel modules loaded or
compiled into the kernel.

Systems with the security.jail.socket_unixiproute_only sysctl set to
1 (the default) are only vulnerable if they have local untrusted users
outside of jails.

If the command
# kldstat -v | grep ng_
produces no output, the system is not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw6x.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw.patch
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/kern/uipc_domain.c 1.44.2.4
RELENG_6_4
src/UPDATING 1.416.2.40.2.4
src/sys/conf/newvers.sh 1.69.2.18.2.7
src/sys/kern/uipc_domain.c 1.44.2.3.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.12
src/sys/conf/newvers.sh 1.69.2.15.2.11
src/sys/kern/uipc_domain.c 1.44.2.3.4.1
RELENG_7
src/sys/kern/uipc_domain.c 1.51.2.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.2
src/sys/kern/uipc_domain.c 1.51.2.1.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.11
src/sys/conf/newvers.sh 1.72.2.5.2.11
src/sys/kern/uipc_domain.c 1.51.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186405
releng/6.4/ r186405
releng/6.3/ r186405
stable/7/ r186405
releng/7.1/ r186405
releng/7.0/ r186405
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:13.protosw.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAklQP9QACgkQFdaIBMps37KL2gCfRlQ7kTB24DYnDEGRUC+px4bX
214AoJJrJjaeS6ITyk73AL/OK+rNAM4u
=7qyU
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:11.arc4random

2008-11-24T09:47:13Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08.11.arc4random Security Advisory
The FreeBSD Project

Topic: arc4random(9) predictable sequence vulnerability

Category: core
Module: sys
Announced: 2008-11-24
Credits: Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects: All supported versions of FreeBSD.
Corrected: 2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name: CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts. During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II. Problem Description

When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes before arc4random(9) is
reseeded with secure entropy from the Yarrow random number generator.

III. Impact

All security-related kernel subsystems that rely on a quality random
number generator are subject to a wide range of possible attacks for the
300 seconds after boot or until 64k of random data is consumed. The list
includes:

* GEOM ELI providers with onetime keys. When a provider is configured in
a way so that it gets attached at the same time during boot (e.g. it
uses the rc subsystem to initialize) it might be possible for an
attacker to recover the encrypted data.

* GEOM shsec providers. The GEOM shsec subsytem is used to split a shared
secret between two providers so that it can be recovered when both of
them are present. This is done by writing the random sequence to one
of providers while appending the result of the random sequence on the
other host to the original data. If the provider was created within the
first 300 seconds after booting, it might be possible for an attacker
to extract the original data with access to only one of the two providers
between which the secret data is split.

* System processes started early after boot may receive predictable IDs.

* The 802.11 network stack uses arc4random(9) to generate initial vectors
(IV) for WEP encryption when operating in client mode and WEP
authentication challenges when operating in hostap mode, which may be
insecure.

* The IPv4, IPv6 and TCP/UDP protocol implementations rely on a quality
random number generator to produce unpredictable IP packet identifiers,
initial TCP sequence numbers and outgoing port numbers. During the
first 300 seconds after booting, it may be easier for an attacker to
execute IP session hijacking, OS fingerprinting, idle scanning, or in
some cases DNS cache poisoning and blind TCP data injection attacks.

* The kernel RPC code uses arc4random(9) to retrieve transaction
identifiers, which might make RPC clients vulnerable to hijacking
attacks.

IV. Workaround

No workaround is available for affected systems.

V. Solution

NOTE WELL: Any GEOM shsec providers which were created or written to
during the first 300 seconds after booting should be re-created after
applying this security update.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:11/arc4random6x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/dev/random/randomdev.c 1.59.2.2
src/sys/dev/random/randomdev_soft.c 1.11.2.3
RELENG_6_4
src/UPDATING 1.416.2.40.2.2
src/sys/dev/random/randomdev.c 1.59.2.1.8.2
src/sys/dev/random/randomdev_soft.c 1.11.2.2.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.11
src/sys/conf/newvers.sh 1.69.2.15.2.10
src/sys/dev/random/randomdev.c 1.59.2.1.6.1
src/sys/dev/random/randomdev_soft.c 1.11.2.2.4.1
RELENG_7
src/sys/dev/random/randomdev.c 1.61.2.1
src/sys/dev/random/randomdev_soft.c 1.15.2.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.10
src/sys/conf/newvers.sh 1.72.2.5.2.10
src/sys/dev/random/randomdev.c 1.61.4.1
src/sys/dev/random/randomdev_soft.c 1.15.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5162

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:11.arc4random.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkkq550ACgkQFdaIBMps37K3SwCfcj0iiFxH2tljR1N7/qhXWiW1
N/cAoIjgcsh6sZG/upobud4TVme9QJPf
=SKuK
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:10.nd6

2008-10-01T17:39:20Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:10.nd6 Security Advisory
The FreeBSD Project

Topic: IPv6 Neighbor Discovery Protocol routing vulnerability

Category: core
Module: sys_netinet6
Announced: 2008-10-01
Credits: David Miles
Affects: All supported versions of FreeBSD.
Corrected: 2008-10-01 00:32:59 UTC (RELENG_7, 7.1-PRERELEASE)
2008-10-01 00:32:59 UTC (RELENG_7_0, 7.0-RELEASE-p5)
2008-10-01 00:32:59 UTC (RELENG_6, 6.4-PRERELEASE)
2008-10-01 00:32:59 UTC (RELENG_6_3, 6.3-RELEASE-p5)
CVE Name: CVE-2008-2476

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

IPv6 nodes use the Neighbor Discovery protocol to determine the link-layer
address of other nodes, find routers, and maintain reachability information.
The Neighbor Discovery protocol uses Neighbor Solicitation (ICMPv6 type 135)
to query target nodes for their link-layer addresses.

II. Problem Description

IPv6 routers may allow "on-link" IPv6 nodes to create and update the
router's neighbor cache and forwarding information. A malicious IPv6 node
sharing a common router but on a different physical segment from another
node may be able to spoof Neighbor Discovery messages, allowing it to update
router information for the victim node.

III. Impact

An attacker on a different physical network connected to the same IPv6
router as another node could redirect IPv6 traffic intended for that node.
This could lead to denial of service or improper access to private network
traffic.

IV. Workaround

Firewall packet filters can be used to filter incoming Neighbor
Solicitation messages but may interfere with normal IPv6 operation if not
configured carefully.

Reverse path forwarding checks could be used to make gateways, such as
routers or firewalls, drop Neighbor Solicitation messages from
nodes with unexpected source addresses on a particular interface.

IPv6 router administrators are encouraged to read RFC 3756 for further
discussion of Neighbor Discovery security implications.

V. Solution

NOTE WELL: The solution described below causes IPv6 Neighbor Discovery
Neighbor Solicitation messages from non-neighbors to be ignored.
This can be re-enabled if required by setting the newly added
net.inet6.icmp6.nd6_onlink_ns_rfc4861 sysctl to a non-zero value.

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-6.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:10/nd6-7.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/netinet6/in6.h 1.36.2.10
src/sys/netinet6/in6_proto.c 1.32.2.10
src/sys/netinet6/nd6.h 1.19.2.4
src/sys/netinet6/nd6_nbr.c 1.29.2.11
RELENG_6_3
src/UPDATING 1.416.2.37.2.10
src/sys/conf/newvers.sh 1.69.2.15.2.9
src/sys/netinet6/in6.h 1.36.2.8.2.1
src/sys/netinet6/in6_proto.c 1.32.2.8.2.1
src/sys/netinet6/nd6.h 1.19.2.2.6.1
src/sys/netinet6/nd6_nbr.c 1.29.2.9.2.1
RELENG_7
src/sys/netinet6/in6.h 1.51.2.2
src/sys/netinet6/in6_proto.c 1.46.2.3
src/sys/netinet6/nd6.h 1.21.2.2
src/sys/netinet6/nd6_nbr.c 1.47.2.3
RELENG_7_0
src/UPDATING 1.507.2.3.2.9
src/sys/conf/newvers.sh 1.72.2.5.2.9
src/sys/netinet6/in6.h 1.51.4.1
src/sys/netinet6/in6_proto.c 1.46.4.1
src/sys/netinet6/nd6.h 1.21.4.1
src/sys/netinet6/nd6_nbr.c 1.47.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2476
http://www.kb.cert.org/vuls/id/472363

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:10.nd6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkjkF2cACgkQFdaIBMps37KWWgCZAfug94zPIdkzW0tdIdSDzH/0
j18AnjypvJrRtzeQqhJkRU9wQWozgWvj
=ieTi
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:09.icmp6

2008-09-03T13:13:20Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:09.icmp6 Security Advisory
The FreeBSD Project

Topic: Remote kernel panics on IPv6 connections

Category: core
Module: sys_netinet6
Announced: 2008-09-03
Credits: Tom Parker, Bjoern A. Zeeb
Affects: All supported versions of FreeBSD.
Corrected: 2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name: CVE-2008-3530

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

IPv6 nodes use ICMPv6 amongst other things to report errors encountered
while processing packets. The 'Packet Too Big Message' is sent in
case a node cannot forward a packet because the size of the packet is
larger than the MTU of next-hop link.

II. Problem Description

In case of an incoming ICMPv6 'Packet Too Big Message', there is an
insufficient check on the proposed new MTU for a path to the destination.

III. Impact

When the kernel is configured to process IPv6 packets and has active
IPv6 TCP sockets, a specifically crafted ICMPv6 'Packet Too Big
Message' could cause the TCP stack of the kernel to panic,

IV. Workaround

Systems without INET6 / IPv6 support are not vulnerable and neither
are systems which do not listen on any IPv6 TCP sockets and have no
active IPv6 connections.

Filter ICMPv6 'Packet Too Big Messages' using a firewall, but this
will at the same time break PMTU support for IPv6 connections.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_6_3 or RELENG_7_0 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:09/icmp6.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/netinet6/icmp6.c 1.62.2.11
RELENG_6_3
src/UPDATING 1.416.2.37.2.9
src/sys/conf/newvers.sh 1.69.2.15.2.8
src/sys/netinet6/icmp6.c 1.62.2.9.2.1
RELENG_7
src/sys/netinet6/icmp6.c 1.80.2.7
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/netinet6/icmp6.c 1.80.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3530

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:09.icmp6.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2hFdaIBMps37IRAjxxAJwIIXP+ALAZkvG5m687PC+92BtXTwCfUZdS
AvvrO0r+UAa6bn1H9mFf9So=
=MBB1
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:08.nmount

2008-09-03T13:13:13Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:08.nmount Security Advisory
The FreeBSD Project

Topic: nmount(2) local arbitrary code execution

Category: core
Module: sys_kern
Announced: 2008-09-03
Credits: James Gritton
Affects: FreeBSD 7.0-RELEASE, FreeBSD 7.0-STABLE
Corrected: 2008-09-03 19:09:47 UTC (RELENG_7, 7.1-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
CVE Name: CVE-2008-3531

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The mount(2) and nmount(2) system calls are used by various utilities
in the base system to graft a file system object on to the file system
tree to a given mount point. It is possible to allow unprivileged
users to utililize these system calls by setting the vfs.usermount
sysctl(8) variable.

II. Problem Description

Various user defined input such as mount points, devices, and mount
options are prepared and passed as arguments to nmount(2) into the
kernel. Under certain error conditions, user defined data will be
copied into a stack allocated buffer stored in the kernel without
sufficient bounds checking.

III. Impact

If the system is configured to allow unprivileged users to mount file
systems, it is possible for a local adversary to exploit this
vulnerability and execute code in the context of the kernel.

IV. Workaround

It is possible to work around this issue by allowing only privileged
users to mount file systems by running the following sysctl(8)
command:

# sysctl vfs.usermount=0

V. Solution

NOTE WELL: Even with this fix allowing users to mount arbitrary media
should not be considered safe. Most of the file systems in FreeBSD
was not built to protect safeguard against malicious devices. While
such bugs in file systems are fixed when found, a complete audit has
not been perfomed on the file system code.

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_0
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch
# fetch http://security.FreeBSD.org/patches/SA-08:08/nmount.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/sys/kern/vfs_mount.c 1.265.2.10
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/kern/vfs_mount.c 1.265.2.1.2.2
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3531

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:08.nmount.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2eFdaIBMps37IRAl9BAJ9Jnp+agN06pBkzPDwEnOT83MNd6QCghOFX
yvNI1gVmhAQ7MXOUvPoLcLk=
=EsCn
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:07.amd64

2008-09-03T13:13:05Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64 Security Advisory
The FreeBSD Project

Topic: amd64 swapgs local privilege escalation

Category: core
Module: sys_amd64_amd64
Announced: 2008-09-03
Credits: Nate Eldredge
Affects: All supported FreeBSD/amd64 versions.
Corrected: 2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name: CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD/amd64 is commonly used on 64bit systems with AMD and Intel
CPU's. For Intel CPU's this architecture is known as EM64T or Intel
64.

The gs segment CPU register is used by both user processes and the
kernel to convieniently access state data. User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data. As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.

The kernel stores critical information in its per-processor data
block. This includes the currently executing process and its
credentials.

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system. If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF). In that case, the processor aborts the return to the
user level process and re-enters the kernel. The FreeBSD kernel
allows the user process to be notified of such an event by a signal
(SIGSEGV or SIGBUS).

II. Problem Description

If a General Protection Fault happens on a FreeBSD/amd64 system while
it is returning from an interrupt, trap or system call, the swapgs CPU
instruction may be called one extra time when it should not resulting
in userland and kernel state being mixed.

III. Impact

A local attacker can by causing a General Protection Fault while the
kernel is returning from an interrupt, trap or system call while
manipulating stack frames and, run arbitrary code with kernel
privileges.

The vulnerability can be used to gain kernel / supervisor privilege.
This can for example be used by normal users to gain root privileges,
to break out of jails, or bypass Mandatory Access Control (MAC)
restrictions.

IV. Workaround

No workaround is available, but only systems running the 64 bit
FreeSD/amd64 kernels are vulnerable.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch
# fetch http://security.FreeBSD.org/patches/SA-08:07/amd64.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/amd64/amd64/exception.S 1.125.2.3
RELENG_6_3
src/UPDATING 1.416.2.37.2.9
src/sys/conf/newvers.sh 1.69.2.15.2.8
src/sys/amd64/amd64/exception.S 1.125.2.2.2.1
RELENG_7
src/sys/amd64/amd64/exception.S 1.129.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.8
src/sys/conf/newvers.sh 1.72.2.5.2.8
src/sys/amd64/amd64/exception.S 1.129.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3890

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:07.amd64.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFIvu2TFdaIBMps37IRAqt8AJsGd/2WDuMZYUeOcVKekHEHZWRoMACdGnVs
0JZMykjScj7GbrsOlOW3uQg=
=bs1z
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:06.bind

2008-07-13T12:10:05Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:06.bind Security Advisory
The FreeBSD Project

Topic: DNS cache poisoning

Category: contrib
Module: bind
Announced: 2008-07-13
Credits: Dan Kaminsky
Affects: All supported FreeBSD versions.
Corrected: 2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
CVE Name: CVE-2008-1447

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.

II. Problem Description

The BIND DNS implementation does not randomize the UDP source port when
doing remote queries, and the query id alone does not provide adequate
randomization.

III. Impact

The lack of source port randomization reduces the amount of data the
attacker needs to guess in order to successfully execute a DNS cache
poisoning attack. This allows the attacker to influence or control
the results of DNS queries being returned to users from target systems.

IV. Workaround

Limiting the group of machines that can do recursive queries on the DNS
server will make it more difficult, but not impossible, for this
vulnerability to be exploited.

To limit the machines able to perform recursive queries, add an ACL in
named.conf and limit recursion like the following:

acl example-acl {
192.0.2.0/24;
};

options {
recursion yes;
allow-recursion { example-acl; };
};

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE or 7-STABLE, or to the
RELENG_7_0 or RELENG_6_3 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3 and
7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind63.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:06/bind7.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

NOTE WELL: This update causes BIND to choose a new, random UDP port for
each new query; this may cause problems for some network configurations,
particularly if firewall(s) block incoming UDP packets on particular
ports. The avoid-v4-udp-ports and avoid-v6-udp-ports options should be
used to avoid selecting random port numbers within a blocked range.

NOTE WELL: If a port number is specified via the query-source or
query-source-v6 options to BIND, randomized port selection will not be
used. Consequently it is strongly recommended that these options not
be used to specify fixed port numbers.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.5
src/contrib/bind9/bin/named/server.c 1.1.1.2.2.4
src/contrib/bind9/lib/dns/api 1.1.1.2.2.5
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.4
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.3
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.8
RELENG_6_3
src/UPDATING 1.416.2.37.2.8
src/sys/conf/newvers.sh 1.69.2.15.2.7
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.3.2.1
src/contrib/bind9/bin/named/server.c 1.1.1.2.2.2.2.1
src/contrib/bind9/lib/dns/api 1.1.1.2.2.3.2.1
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.2.2.1
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.1.2.1
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.6.2.1
RELENG_7
src/contrib/bind9/bin/named/client.c 1.1.1.6.2.2
src/contrib/bind9/bin/named/server.c 1.1.1.6.2.2
src/contrib/bind9/lib/dns/api 1.1.1.6.2.2
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.3.2.2
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.7
src/sys/conf/newvers.sh 1.72.2.5.2.7
src/contrib/bind9/bin/named/client.c 1.1.1.6.2.1.2.1
src/contrib/bind9/bin/named/server.c 1.1.1.6.2.1.2.1
src/contrib/bind9/lib/dns/api 1.1.1.6.2.1.2.1
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.4.2.1.2.1
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.3.2.1.2.1
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.1.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1447
http://www.kb.cert.org/vuls/id/800113

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:06.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkh6UiMACgkQFdaIBMps37IE5ACfYzpWMhEXgWNdjwVlzd7JTwBS
Eu0AnRIogMIJ3fjQF4hcymtdwR6buRNc
=shnR
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD supported branches update

2008-06-02T20:32:37Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated
to reflect recent EoL (end-of-life) events. The new list is below and
at <URL: http://security.freebsd.org/ >. FreeBSD 5.5, FreeBSD 6.1, and
FreeBSD 6.2 have `expired' and are no longer supported effective June 1,
2008. Users of these releases are advised to upgrade promptly to FreeBSD
6.3 or FreeBSD 7.0, either by downloading an updated source tree and
building updates manually, or (for i386 and amd64 systems) using the
FreeBSD Update utility as described in the FreeBSD 6.3 and FreeBSD 7.0
release announcements.

This marks the end of support by the FreeBSD Security Team for the
FreeBSD 5-STABLE branch, and at this time support for running software
from the ports tree on FreeBSD 5.x is also ceasing: Packages for binary
installations will no longer be built for FreeBSD 5.5, building ports
from source on FreeBSD 5.x will no longer be supported, and the ports
INDEX will no longer be built and made available via portsnap or the
'make fetchindex' target. Patches for individual ports specific for
their functioning on FreeBSD 5.5 may still be accepted at the discretion
of the port maintainer.

[Excerpt from http://security.freebsd.org/ follows]

FreeBSD Security Advisories

The FreeBSD Security Officer provides security advisories for
several branches of FreeBSD development. These are the -STABLE
Branches and the Security Branches. (Advisories are not issued for
the -CURRENT Branch.)

* There is usually only a single -STABLE branch, although during
the transition from one major development line to another
(such as from FreeBSD 5.x to 6.x), there is a time span in
which there are two -STABLE branches. The -STABLE branch tags
have names like RELENG_6. The corresponding builds have names
like FreeBSD 6.1-STABLE.

* Each FreeBSD Release has an associated Security Branch. The
Security Branch tags have names like RELENG_6_1. The
corresponding builds have names like FreeBSD 6.1-RELEASE-p1.

Isses affecting the FreeBSD Ports Collection are covered in the
FreeBSD VuXML document.

Each branch is supported by the Security Officer for a limited
time only, and is designated as one of `Early adopter', `Normal',
or `Extended'. The designation is used as a guideline for
determining the lifetime of the branch as follows.

Early adopter
Releases which are published from the -CURRENT branch will be
supported by the Security Officer for a minimum of 6 months
after the release.

Normal
Releases which are published from a -STABLE branch will be
supported by the Security Officer for a minimum of 12 months
after the release.

Extended
Selected releases will be supported by the Security Officer
for a minimum of 24 months after the release.

The current designation and estimated lifetimes of the currently
supported branches are given below. The Estimated EoL (end-of-life)
column gives the earliest date on which that branch is likely to be
dropped. Please note that these dates may be extended into the
future, but only extenuating circumstances would lead to a branch's
support being dropped earlier than the date listed.

+--------------------------------------------------------------------+
| Branch | Release | Type | Release date | Estimated EoL |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6 |n/a |n/a |n/a |January 31, 2010 |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_6_3 |6.3-RELEASE|Extended|January 18, 2008 |January 31, 2010 |
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7 |n/a |n/a |n/a |last release + 2y|
|-----------+-----------+--------+-----------------+-----------------|
|RELENG_7_0 |7.0-RELEASE|Normal |February 27, 2008|February 28, 2009|
+--------------------------------------------------------------------+

[End excerpt]

Colin Percival
FreeBSD Security Officer
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iEYEARECAAYFAkhEe5MACgkQFdaIBMps37IXoQCbB3RkY/s2CA+o/OFkuC/1YvUV
rY8An1JawL1x8DdUOlVUL0b2+9N4XZ2v
=X+Zm
-----END PGP SIGNATURE-----

_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:05.openssh

2008-04-16T17:14:55Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:05.openssh Security Advisory
The FreeBSD Project

Topic: OpenSSH X11-forwarding privilege escalation

Category: contrib
Module: openssh
Announced: 2008-04-17
Credits: Timo Juhani Lindfors
Affects: All supported versions of FreeBSD
Corrected: 2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)
2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1)
2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24)
2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE)
2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20)
CVE Name: CVE-2008-1483

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access. The OpenSSH server daemon (sshd)
provides support for the X11 protocol by binding to a port on the
server and forwarding any connections which are made to that port.

II. Problem Description

When logging in via SSH with X11-forwarding enabled, sshd(8) fails to
correctly handle the case where it fails to bind to an IPv4 port but
successfully binds to an IPv6 port. In this case, applications which
use X11 will connect to the IPv4 port, even though it had not been
bound by sshd(8) and is therefore not being securely forwarded.

III. Impact

A malicious user could listen for X11 connections on a unused IPv4
port, e.g tcp port 6010. When an unaware user logs in and sets up X11
fowarding the malicious user can capture all X11 data send over the
port, potentially disclosing sensitive information or allowing the
execution of commands with the privileges of the user using the
X11 forwarding.

NOTE WELL: FreeBSD ships with IPv6 enabled by default in the GENERIC
and SMP kernels, so users are vulnerable even they have not explicitly
enabled IPv6 networking.

IV. Workaround

Disable support for IPv6 in the sshd(8) daemon by setting the option
"AddressFamily inet" in /etc/ssh/sshd_config.

Disable support for X11 forwarding in the sshd(8) daemon by setting
the option "X11Forwarding no" in /etc/ssh/sshd_config.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or 7-STABLE,
or to the RELENG_7_0, RELENG_6_3, RELENG_6_2, RELENG_6_1, RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch
# fetch http://security.FreeBSD.org/patches/SA-08:05/openssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssh
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.sbin/sshd
# make obj && make depend && make && make install
# /etc/rc.d/sshd restart

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/crypto/openssh/channels.c 1.18.2.1
RELENG_5_5
src/UPDATING 1.342.2.35.2.21
src/sys/conf/newvers.sh 1.62.2.21.2.22
src/crypto/openssh/channels.c 1.18.8.1
RELENG_6
src/crypto/openssh/channels.c 1.20.2.3
RELENG_6_3
src/UPDATING 1.416.2.37.2.6
src/sys/conf/newvers.sh 1.69.2.15.2.5
src/crypto/openssh/channels.c 1.20.2.2.4.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.16
src/sys/conf/newvers.sh 1.69.2.13.2.15
src/crypto/openssh/channels.c 1.20.2.2.2.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.27
src/sys/conf/newvers.sh 1.69.2.11.2.26
src/crypto/openssh/channels.c 1.20.2.1.4.1
RELENG_7
src/crypto/openssh/channels.c 1.23.2.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.5
src/sys/conf/newvers.sh 1.72.2.5.2.5
src/crypto/openssh/channels.c 1.23.4.1
- -------------------------------------------------------------------------

VII. References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=463011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1483
http://www.openssh.com/txt/release-5.0

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:05.openssh.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFIBpWTFdaIBMps37IRAomdAJ9hKgp/MG2PbVVojAMjCTtcY6T5HgCeNDxa
iA55tmcA3GXbsXAd/flJZO4=
=joYI
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:04.ipsec

2008-02-14T04:11:31Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:04.ipsec Security Advisory
The FreeBSD Project

Topic: IPsec null pointer dereference panic

Category: core
Module: ipsec
Announced: 2008-02-14
Credits: Takashi Sogabe, Tatuya Jinmei
Affects: FreeBSD 5.5
Corrected: 2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name: CVE-2008-0177

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The IPsec suite of protocols provide network level security for IPv4
and IPv6 packets. FreeBSD includes software originally developed by
the KAME project which implements the various protocols that make up
IPsec.

II. Problem Description

There is an improper reference to a data structure in the processing of
IPsec packets, which can result in a NULL pointer being dereferenced.

III. Impact

A single specifically crafted IPv6 packet could cause the kernel to panic,
when the kernel had been configured to process IPsec and IPv6 traffic.

This requires IPSEC to be compiled into the kernel, it does not necessarily
have to be configured at that point.

IV. Workaround

No workaround is available, but kernels which does not include IPsec
support are not vulnerable. The GENERIC and SMP kernel configurations
distributed with FreeBSD releases do not include IPsec support.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:04/ipsec.patch
# fetch http://security.FreeBSD.org/patches/SA-08:04/ipsec.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/netinet6/ipcomp_input.c 1.7.4.2
RELENG_5_5
src/UPDATING 1.342.2.35.2.20
src/sys/conf/newvers.sh 1.62.2.21.2.21
src/sys/netinet6/ipcomp_input.c 1.7.4.1.4.1
- -------------------------------------------------------------------------

VII. References

http://www.kb.cert.org/vuls/id/110947
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0177

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:04.ipsec.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iD8DBQFHtC0HFdaIBMps37IRAt5gAKCGnYEX3r7n0Dsypmfv2m1J9pgICwCfd6uH
Gy2w6OYNovnfrb7EN0jWCjM=
=jHy3
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:03.sendfile

2008-02-14T04:10:42Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:03.sendfile Security Advisory
The FreeBSD Project

Topic: sendfile(2) write-only file permission bypass

Category: core
Module: sys_kern
Announced: 2008-02-14
Credits: Kostik Belousov
Affects: All supported versions of FreeBSD
Corrected: 2008-02-14 11:45:00 UTC (RELENG_7, 7.0-PRERELEASE)
2008-02-14 11:45:41 UTC (RELENG_7_0, 7.0-RELEASE)
2008-02-14 11:46:08 UTC (RELENG_6, 6.3-STABLE)
2008-02-14 11:46:41 UTC (RELENG_6_3, 6.3-RELEASE-p1)
2008-02-14 11:47:06 UTC (RELENG_6_2, 6.2-RELEASE-p11)
2008-02-14 11:47:39 UTC (RELENG_6_1, 6.1-RELEASE-p23)
2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name: CVE-2008-0777

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The sendfile(2) system call allows a server application (such as a
HTTP or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory. High
performance servers such as the Apache HTTP Server and ftpd use sendfile.

II. Problem Description

When a process opens a file (and other file system objects, such as
directories), it specifies access flags indicating its intent to read,
write, or perform other operations. These flags are checked against
file system permissions, and then stored in the resulting file
descriptor to validate future operations against.

The sendfile(2) system call does not check the file descriptor access
flags before sending data from a file.

III. Impact

If a file is write-only, a user process can open the file and use
sendfile to send the content of the file over a socket, even though the
user does not have read access to the file, resulting in possible
disclosure of sensitive information.

IV. Workaround

No workaround is available, but systems are only vulnerable if
write-only files exist, which are not widely used.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or
7.0-PRERELEASE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2,
RELENG_6_1, or RELENG_5_5 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.2, 6.3, and 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile61.patch.asc

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch
# fetch http://security.FreeBSD.org/patches/SA-08:03/sendfile55.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/kern/kern_descrip.c 1.243.2.11
RELENG_5_5
src/UPDATING 1.342.2.35.2.20
src/sys/conf/newvers.sh 1.62.2.21.2.21
src/sys/kern/kern_descrip.c 1.243.2.9.2.1
RELENG_6
src/sys/kern/kern_descrip.c 1.279.2.16
src/sys/kern/uipc_syscalls.c 1.221.2.5
RELENG_6_3
src/UPDATING 1.416.2.37.2.5
src/sys/conf/newvers.sh 1.69.2.15.2.4
src/sys/kern/kern_descrip.c 1.279.2.15.2.1
src/sys/kern/uipc_syscalls.c 1.221.2.4.4.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.15
src/sys/conf/newvers.sh 1.69.2.13.2.14
src/sys/kern/kern_descrip.c 1.279.2.9.2.1
src/sys/kern/uipc_syscalls.c 1.221.2.4.2.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.26
src/sys/conf/newvers.sh 1.69.2.11.2.25
src/sys/kern/kern_descrip.c 1.279.2.6.2.1
src/sys/kern/uipc_syscalls.c 1.221.2.1.2.1
RELENG_7
src/sys/kern/kern_descrip.c 1.313.2.1
src/sys/kern/uipc_syscalls.c 1.259.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.3
src/sys/kern/kern_descrip.c 1.313.4.1
src/sys/kern/uipc_syscalls.c 1.259.4.2
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0777

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:03.sendfile.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (FreeBSD)

iD8DBQFHtC0DFdaIBMps37IRAqp8AJ91+flnCIUSvKoFQyXfD1YTnPnuqgCcDiPJ
SR4X1dNFENsHMq9ROrQhr1c=
=TX1R
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:02.libc

2008-01-14T15:09:43Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:02.libc Security Advisory
The FreeBSD Project

Topic: inet_network() buffer overflow

Category: core
Module: libc
Announced: 2008-01-14
Credits: Bjoern A. Zeeb and Nate Eldredge
Affects: FreeBSD 6.2
Corrected: 2008-01-14 22:57:45 UTC (RELENG_7, 7.0-PRERELEASE)
2008-01-14 22:55:54 UTC (RELENG_7_0, 7.0-RC2)
2008-01-14 22:56:05 UTC (RELENG_6, 6.3-PRERELEASE)
2008-01-14 22:56:18 UTC (RELENG_6_3, 6.3-RELEASE)
2008-01-14 22:56:44 UTC (RELENG_6_2, 6.2-RELEASE-p10)
CVE Name: CVE-2008-0122

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The resolver is the part of libc that resolves hostnames (example.com) to
internet protocol (IP) addresses (192.0.2.1) and vice versa.

The inet_network() function returns an in_addr_t representing the network
address of the IP address given to inet_network() as a character string in
the dot-notation.

II. Problem Description

An off-by-one error in the inet_network() function could lead to memory
corruption with certain inputs.

III. Impact

For programs which passes untrusted data to inet_network(), an
attacker may be able to overwrite a region of memory with user defined
data by causing specially crafted input to be passed to
inet_network().

Depending on the region of memory the attacker is able to overwrite,
this might lead to a denial of service or potentially code execution
in the program using inet_network().

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7.0-PRERELEASE, or 6-STABLE, or
to the, RELENG_7_0, RELENG_6_3, or RELENG_6_2 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.0, 6.3,
or 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch
# fetch http://security.FreeBSD.org/patches/SA-08:02/libc.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/lib/libc/inet/inet_network.c 1.2.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.3
src/sys/conf/newvers.sh 1.69.2.15.2.3
src/lib/libc/inet/inet_network.c 1.2.2.1.4.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.13
src/sys/conf/newvers.sh 1.69.2.13.2.13
src/lib/libc/inet/inet_network.c 1.2.2.1.2.1
RELENG_7
src/lib/libc/inet/inet_network.c 1.4.2.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.1
src/sys/conf/newvers.sh 1.72.2.5.2.2
src/lib/libc/inet/inet_network.c 1.4.4.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0122

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:02.libc.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHi+ntFdaIBMps37IRAr+GAJ9YxPIsD5OeyYkrwo5auWKgQwZRywCdHSrY
NsNxcHsgdo7divn+LEkQ9po=
=3RQQ
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-08:01.pty

2008-01-14T15:09:39Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:01.pty Security Advisory
The FreeBSD Project

Topic: pty snooping

Category: core
Module: libc_stdlib / libutil
Announced: 2008-01-14
Credits: John Baldwin
Affects: FreeBSD 5.0 and later.
Corrected: 2008-01-14 22:57:45 UTC (RELENG_7, 7.0-PRERELEASE)
2008-01-14 22:55:54 UTC (RELENG_7_0, 7.0-RC2)
2008-01-14 22:56:05 UTC (RELENG_6, 6.3-PRERELEASE)
2008-01-14 22:56:18 UTC (RELENG_6_3, 6.3-RELEASE)
2008-01-14 22:56:44 UTC (RELENG_6_2, 6.2-RELEASE-p10)
2008-01-14 22:56:56 UTC (RELENG_6_1, 6.1-RELEASE-p22)
2008-01-14 22:57:06 UTC (RELENG_5, 5.5-STABLE)
2008-01-14 22:57:19 UTC (RELENG_5_5, 5.5-RELEASE-p18)
CVE Name: CVE-2008-0216, CVE-2008-0217

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

pt_chown is a setuid root support utility used by grantpt(3) to change
ownership of a tty.

openpty(3) is a support function in libutil which is used to obtain a
pseudo-terminal.

script(1) is a utility which makes a typescript of everything printed
on a terminal.

II. Problem Description

Two issues exist in the FreeBSD pty handling.

If openpty(3) is called as non-root user the newly created
pseudo-terminal is world readable and writeable. While this is
documented to be the case, script(1) still uses openpty(3) and
script(1) may be used by non-root users [CVE-2008-0217].

The ptsname(3) function incorrectly extracts two characters from the
name of a device node in /dev without verifying that it's actually
operating on a valid pty which the calling user owns. pt_chown uses
the bad result from ptsname(3) to change ownership of a pty to the
user calling pt_chown [CVE-2008-0216].

III. Impact

If an unprivileged user is running script(1), or another program which
uses openpty(3), an attacker may snoop text which is printed to the
users terminal.

If a malicious user has read access to a device node with characters
in the device name that match the name of a pty, then the malicious user
can read the content of the pty from another user. The malicious user
can open a lot of tty's resulting in a high probabilty of a new user
obtaining the pty name of a "vulnerable" pty.

NOTE WELL: If a user snoops a pty the snooped text will not be shown
to the real user, which in many cases mean the real owner of the pty
will be able to know the attack is taking place.

IV. Workaround

Do not run script(1) as a non-root user.

The ptsname(3) issue only affects FreeBSD 6.0 and newer.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, 6-STABLE, or
7.0-PRERELEASE, or to the RELENG_7_0, RELENG_6_3, RELENG_6_2,
RELENG_6_1, or RELENG_5_5 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
6.2, 6.3, and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty5.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty5.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty6.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty6.patch.asc

[FreeBSD 7.0]
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty7.patch
# fetch http://security.FreeBSD.org/patches/SA-08:01/pty7.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in
<URL: http://www.freebsd.org/handbook/makeworld.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/lib/libutil/pty.c 1.15.4.1
RELENG_5_5
src/UPDATING 1.342.2.35.2.18
src/sys/conf/newvers.sh 1.62.2.21.2.20
src/lib/libutil/pty.c 1.15.16.1
RELENG_6
src/lib/libc/stdlib/grantpt.c 1.4.2.2
src/lib/libutil/pty.c 1.15.10.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.3
src/sys/conf/newvers.sh 1.69.2.15.2.3
src/lib/libc/stdlib/grantpt.c 1.4.10.2
src/lib/libutil/pty.c 1.15.20.2
RELENG_6_2
src/UPDATING 1.416.2.29.2.13
src/sys/conf/newvers.sh 1.69.2.13.2.13
src/lib/libc/stdlib/grantpt.c 1.4.8.1
src/lib/libutil/pty.c 1.15.18.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.24
src/sys/conf/newvers.sh 1.69.2.11.2.24
src/lib/libc/stdlib/grantpt.c 1.4.6.1
src/lib/libutil/pty.c 1.15.14.1
RELENG_7
src/lib/libc/stdlib/grantpt.c 1.7.2.4
src/lib/libutil/pty.c 1.17.2.3
RELENG_7_0
src/UPDATING 1.507.2.3.2.1
src/sys/conf/newvers.sh 1.72.2.5.2.2
src/lib/libc/stdlib/grantpt.c 1.7.2.2.2.2
src/lib/libutil/pty.c 1.17.2.2.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0216
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0217

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:01.pty.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHi+nfFdaIBMps37IRAhtUAJ9GXtRjTIxcbrCOxoMnO50ZLc5mAgCdGSyO
D83MVnUtP9rhzD2JfOPbaOw=
=V/kt
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-07:10.gtar

2007-11-29T08:31:42Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:10.gtar Security Advisory
The FreeBSD Project

Topic: gtar directory traversal vulnerability

Category: contrib
Module: contrib_tar
Announced: 2007-11-29
Credits: Dmitry V. Levinx
Affects: FreeBSD 5.x releases
Corrected: 2007-11-29 16:08:54 UTC (RELENG_5, 5.5-STABLE)
2007-11-29 16:09:26 UTC (RELENG_5_5, 5.5-RELEASE-p17)
CVE Name: CVE-2007-4131

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

GNU tar (gtar) is a utility to create and extract "tape archives",
commonly known as tar files. GNU tar is included in FreeBSD 5.x as
/usr/bin/gtar.

II. Problem Description

Insufficient sanity checking of paths containing '.' and '..' allows
gtar to overwrite arbitrary files on the system.

III. Impact

An attacker who can convince an user to extract a specially crafted
archive can overwrite arbitrary files with the permissions of the user
running gtar. If that user is root, the attacker can overwrite any
file on the system.

IV. Workaround

Use "bsdtar", which has been the default tar implementation since
FreeBSD 5.3.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_5
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:10/gtar.patch
# fetch http://security.FreeBSD.org/patches/SA-07:10/gtar.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/gnu/usr.bin/tar
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/contrib/tar/src/misc.c 1.3.8.1
RELENG_5_5
src/UPDATING 1.342.2.35.2.17
src/sys/conf/newvers.sh 1.62.2.21.2.19
src/contrib/tar/src/misc.c 1.3.20.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4131

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:10.gtar.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHTue3FdaIBMps37IRAgzFAKCMswqo5lH2+bb0yGRN+qhPqfBYlACfQ4+j
Dq8Gbv9wz/AwDyAEZq2+1eQ=
=1e8b
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-07:09.random

2007-11-29T08:31:19Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:09.random Security Advisory
The FreeBSD Project

Topic: Random value disclosure

Category: core
Module: sys_dev_random
Announced: 2007-11-29
Credits: Robert Woolley
Affects: All supported versions of FreeBSD
Corrected: 2007-11-29 16:05:38 UTC (RELENG_7, 7.0-BETA4)
2007-11-29 16:06:12 UTC (RELENG_6, 6.3-PRERELEASE)
2007-11-29 16:06:54 UTC (RELENG_6_3, 6.3-RC2)
2007-11-29 16:07:30 UTC (RELENG_6_2, 6.2-RELEASE-p9)
2007-11-29 16:07:54 UTC (RELENG_6_1, 6.1-RELEASE-p21)
2007-11-29 16:08:54 UTC (RELENG_5, 5.5-STABLE)
2007-11-29 16:09:26 UTC (RELENG_5_5, 5.5-RELEASE-p17)
CVE Name: CVE-2007-6150

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The random(4) and urandom(4) devices return an endless supply of
pseudo-random bytes when read. Cryptographic algorithms often depend
on the secrecy of these pseudo-random values for security.

II. Problem Description

Under certain circumstances, a bug in the internal state tracking on
the random(4) and urandom(4) devices can be exploited to allow replaying
of data distributed during subsequent reads.

III. Impact

This could enable an adversary to determine fragments of random values
previously read, allowing them to defeat certain security mechanisms.
Note that the attacker has to be in close proximity to the source of
the pseudo-randomness, which typically means local access to the system.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:09/random.patch
# fetch http://security.FreeBSD.org/patches/SA-07:09/random.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/sys/dev/random/yarrow.c 1.44.2.1
RELENG_5_5
src/UPDATING 1.342.2.35.2.17
src/sys/conf/newvers.sh 1.62.2.21.2.19
src/sys/dev/random/yarrow.c 1.44.8.1
RELENG_6
src/sys/dev/random/yarrow.c 1.45.2.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.2
src/sys/dev/random/yarrow.c 1.45.2.1.6.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.12
src/sys/conf/newvers.sh 1.69.2.13.2.12
src/sys/dev/random/yarrow.c 1.45.2.1.4.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.23
src/sys/conf/newvers.sh 1.69.2.11.2.23
src/sys/dev/random/yarrow.c 1.45.2.1.2.1
RELENG_7
src/sys/dev/random/yarrow.c 1.47.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6150

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:09.random.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHTuezFdaIBMps37IRAhp3AJ0UHJiYycOQCEai3Aid2uT6Jf3WZwCfdR65
Ozmn0Qn6Ru54NRriBJG1o4g=
=95t9
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-07:08.openssl

2007-10-03T15:58:30Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:08.openssl Security Advisory
The FreeBSD Project

Topic: Buffer overflow in OpenSSL SSL_get_shared_ciphers()

Category: contrib
Module: openssl
Announced: 2007-10-03
Credits: Moritz Jodeit
Affects: All FreeBSD releases.
Corrected: 2007-10-03 21:39:43 UTC (RELENG_6, 6.2-STABLE)
2007-10-03 21:40:35 UTC (RELENG_6_2, 6.2-RELEASE-p8)
2007-10-03 21:41:22 UTC (RELENG_6_1, 6.1-RELEASE-p20)
2007-10-03 21:42:00 UTC (RELENG_5, 5.5-STABLE)
2007-10-03 21:42:32 UTC (RELENG_5_5, 5.5-RELEASE-p16)
CVE Name: CVE-2007-5135

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured,
and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II. Problem Description

A buffer overflow addressed in FreeBSD-SA-06:23.openssl has been found
to be incorrectly fixed.

III. Impact

For applications using the SSL_get_shared_ciphers() function, the
buffer overflow could allow an attacker to crash or potentially
execute arbitrary code with the permissions of the user running the
application.

IV. Workaround

No workaround is available, but only applications using the
SSL_get_shared_ciphers() function are affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patch have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-07:08/openssl.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.3
RELENG_5_5
src/UPDATING 1.342.2.35.2.16
src/sys/conf/newvers.sh 1.62.2.21.2.18
src/crypto/openssl/ssl/ssl_lib.c 1.1.1.11.2.1.4.2
RELENG_6
src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.2
RELENG_6_2
src/UPDATING 1.416.2.29.2.11
src/sys/conf/newvers.sh 1.69.2.13.2.11
src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.2.1.2.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.22
src/sys/conf/newvers.sh 1.69.2.11.2.22
src/crypto/openssl/ssl/ssl_lib.c 1.1.1.12.6.2
- -------------------------------------------------------------------------

VII. References

http://marc.info/?l=bugtraq&m=119091888624735
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3738
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5135

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:08.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFHBA+HFdaIBMps37IRAtTQAJ0bFBZt7DVJzhQkUcu7VdNS7Kj8cwCeMQaS
cNFjW3j2eolZhlee83l3blo=
=zwC2
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-07:07.bind

2007-08-01T15:27:29Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:07.bind Security Advisory
The FreeBSD Project

Topic: Predictable query ids in named(8)

Category: contrib
Module: bind
Announced: 2007-08-01
Credits: Amit Klein
Affects: FreeBSD 5.3 and later.
Corrected: 2007-07-25 08:23:08 UTC (RELENG_6, 6.2-STABLE)
2007-08-01 20:44:58 UTC (RELENG_6_2, 6.2-RELEASE-p7)
2007-08-01 20:45:49 UTC (RELENG_6_1, 6.1-RELEASE-p19)
2007-07-25 08:24:40 UTC (RELENG_5, 5.5-STABLE)
2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name: CVE-2007-2926

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS requests
contain a query id which is used match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.

II. Problem Description

When named(8) is operating as a recursive DNS server or sending NOTIFY
requests to slave DNS servers, named(8) uses a predictable query id.

III. Impact

An attacker who can see the query id for some request(s) sent by named(8)
is likely to be able to perform DNS cache poisoning by predicting the
query id for other request(s).

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:07/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-07:07/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/contrib/bind9/bin/named/client.c 1.1.1.1.2.5
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.2.3
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.2.2
RELENG_5_5
src/UPDATING 1.342.2.35.2.15
src/sys/conf/newvers.sh 1.62.2.21.2.17
src/contrib/bind9/bin/named/client.c 1.1.1.1.2.3.2.1
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.2.1.6.1
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.2.1.6.1
RELENG_6
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.3
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.10
src/sys/conf/newvers.sh 1.69.2.13.2.10
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.1.4.2
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.10.2
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.10.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.21
src/sys/conf/newvers.sh 1.69.2.11.2.21
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.1.2.1
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.8.1
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.8.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2926
http://www.isc.org/sw/bind/bind-security.php
http://www.trusteer.com/docs/bind9dns_s.html

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:07.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGsPfzFdaIBMps37IRAgIfAJ9cO2LUUc0eb8T+6pltpha91wR2IgCeITpx
H3SHyAkPMSICqnT9nY/UBE8=
=Fop4
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-07:06.tcpdump

2007-08-01T15:27:00Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:06.tcpdump Security Advisory
The FreeBSD Project

Topic: Buffer overflow in tcpdump(1)

Category: contrib
Module: tcpdump
Announced: 2007-08-01
Credits: "mu-b"
Affects: All supported versions of FreeBSD
Corrected: 2007-08-01 20:42:48 UTC (RELENG_6, 6.2-STABLE)
2007-08-01 20:44:58 UTC (RELENG_6_2, 6.2-RELEASE-p7)
2007-08-01 20:45:49 UTC (RELENG_6_1, 6.1-RELEASE-p19)
2007-08-01 20:47:13 UTC (RELENG_5, 5.5-STABLE)
2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name: CVE-2007-3798

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

Tcpdump is a commonly used network diagnostic utility which decodes packets
received on the wire into human readable format.

II. Problem Description

An un-checked return value in the BGP dissector code can result in an integer
overflow. This value is used in subsequent buffer management operations,
resulting in a stack based buffer overflow under certain circumstances.

III. Impact

By crafting malicious BGP packets, an attacker could exploit this vulnerability
to execute code or crash the tcpdump process on the target system. This
code would be executed in the context of the user running tcpdump(1).
It should be noted that tcpdump(1) requires privileges in order to open live
network interfaces.

IV. Workaround

No workaround is available.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_2, RELENG_6_1, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.1,
and 6.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-07:06/tcpdump.patch
# fetch http://security.FreeBSD.org/patches/SA-07:06/tcpdump.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/tcpdump/tcpdump
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/contrib/tcpdump/print-bgp.c 1.1.1.5.2.2
RELENG_5_5
src/UPDATING 1.342.2.35.2.15
src/sys/conf/newvers.sh 1.62.2.21.2.17
src/contrib/tcpdump/print-bgp.c 1.1.1.5.2.1.2.1
RELENG_6
src/contrib/tcpdump/print-bgp.c 1.1.1.8.2.1
RELENG_6_2
src/UPDATING 1.416.2.29.2.10
src/sys/conf/newvers.sh 1.69.2.13.2.10
src/contrib/tcpdump/print-bgp.c 1.1.1.8.8.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.21
src/sys/conf/newvers.sh 1.69.2.11.2.21
src/contrib/tcpdump/print-bgp.c 1.1.1.8.6.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3798

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:06.tcpdump.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGsPfwFdaIBMps37IRAmK/AJ0adsy8zlOOXaJhJJdcX6A0Uy+bSQCfQYVi
4qk7MNSrKFZotejLEXKMCYI=
=JIZh
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."

FreeBSD Security Advisory FreeBSD-SA-07:01.jail

2007-08-01T15:26:08Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:01.jail Security Advisory
The FreeBSD Project

Topic: Jail rc.d script privilege escalation

Category: core
Module: etc_rc.d
Announced: 2007-01-11
Credits: Dirk Engling
Affects: All FreeBSD releases since 5.3
Corrected: 2007-01-11 18:16:58 UTC (RELENG_6, 6.2-STABLE)
2007-01-11 18:17:24 UTC (RELENG_6_2, 6.2-RELEASE)
2007-01-11 18:18:08 UTC (RELENG_6_1, 6.1-RELEASE-p12)
2007-01-11 18:18:35 UTC (RELENG_6_0, 6.0-RELEASE-p17)
2007-08-01 20:47:13 UTC (RELENG_5, 5.5-STABLE)
2007-08-01 20:48:19 UTC (RELENG_5_5, 5.5-RELEASE-p15)
CVE Name: CVE-2007-0166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

0. Revision History

v1.0 2007-01-11 Initial release.
v1.1 2007-08-01 Corrected patch for FreeBSD 5.5.

I. Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges. It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.

II. Problem Description

In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path. In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.

III. Impact

Due to the lack of handling of potential symbolic links the host's jail
rc.d(8) script is vulnerable to "symlink attacks". By replacing
/var/log/console.log inside the jail with a symbolic link it is
possible for the superuser (root) inside the jail to overwrite files
on the host system outside the jail with arbitrary content. This in
turn can be used to execute arbitrary commands with non-jailed
superuser privileges.

Similarly, by changing directory mount points inside the jail file
system structure into symbolic links, it may be possible for a jailed
attacker to mount file systems which were meant to be mounted inside
the jail at arbitrary points in the host file system structure, or to
unmount arbitrary file systems on the host system.

NOTE WELL: The above vulnerabilities occur only when a jail is being
started or stopped using the host's jail rc.d(8) script; once started
(and until stopped), running jails cannot exploit this.

IV. Workaround

If the sysctl(8) variable security.jail.chflags_allowed is set to 0
(the default), setting the "sunlnk" system flag on /var, /var/log,
/var/log/console.log, and all file system mount points and their
parent directories inside the jail(s) will ensure that the console
log file and mount points are not replaced by symbolic links. If
this is done while jails are running, the administrator must check
that an attacker has not replaced any directories with symlinks
after setting the "sunlnk" flag.

V. Solution

NOTE WELL: The solution described changes the default location of the
"console.log" for jails from /var/log/console.log inside each jail to
/var/log/jail_${jail_name}_console.log on host system. If this is a
problem, it may be possible to create a hard link from the new position
of the console log file to a location inside the jail. A new rc.conf(5)
variable, jail_${jail_name}_consolelog, can be used to change the
location of console.log files on a per-jail basis.

In addition, the solution described below does not fully secure jail
configurations where two jails have overlapping directory trees and a
file system is mounted inside the overlap. Overlapping directory
trees can occur when jails share the same root directory; when a jail
has a root directory which is a subdirectory of another jail's root
directory; or when a part of the file system space of one jail is
mounted inside the file system space of another jail, e.g., using
nullfs or unionfs.

To handle overlapping jails safely the administrator must set the
sysctl(8) variable security.jail.chflags_allowed to 0 (the default)
and manually set the "sunlnk" file/directory flag on all mount points
and all parent directories of mount points. If this is done while
jails are running, the adminstrator must check that an attacker has
not replaced any directories with symlinks after setting the "sunlnk"
flag.

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or 6-STABLE, or to the
RELENG_6_1, RELENG_6_0, or RELENG_5_5 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.5, 6.0,
and 6.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 5.5]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5.patch.asc

[FreeBSD 6.0]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail60.patch.asc

[FreeBSD 6.1]
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail61.patch.asc

NOTE: The patch distributed at the time of the original advisory was
incorrect for FreeBSD 5.5 (both RELENG_5 and RELENG_5_5). Systems to
which the original patch was applied should be patched with the
following corrective patch, which contains only the changes between
the original and updated patch:

# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch
# fetch http://security.FreeBSD.org/patches/SA-07:01/jail5-correction.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# install -o root -g wheel -m 555 etc/rc.d/jail /etc/rc.d

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_5
src/etc/rc.d/jail 1.15.2.7
RELENG_5_5
src/UPDATING 1.342.2.35.2.15
src/sys/conf/newvers.sh 1.62.2.21.2.17
src/etc/rc.d/jail 1.15.2.5.2.2
RELENG_6
src/etc/rc.d/jail 1.23.2.9
RELENG_6_2
src/UPDATING 1.416.2.29.2.2
src/etc/rc.d/jail 1.23.2.7.2.1
RELENG_6_1
src/UPDATING 1.416.2.22.2.14
src/sys/conf/newvers.sh 1.69.2.11.2.14
src/etc/rc.d/jail 1.23.2.3.2.3
RELENG_6_0
src/UPDATING 1.416.2.3.2.22
src/sys/conf/newvers.sh 1.69.2.8.2.18
src/etc/rc.d/jail 1.23.2.2.2.1
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0166

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-07:01.jail.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFGsPfrFdaIBMps37IRAgksAJ4yGy3zTBcr2N+TbDoTlN3aHUA8QQCgi/8B
It4pOMoA0QMzAp8HxUWo+xU=
=9tTT
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@... mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@..."