-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:11.arc4random Security Advisory
The FreeBSD Project
Topic: arc4random(9) predictable sequence vulnerability
Category: core
Module: sys
Announced: 2008-11-24
Credits: Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects: All supported versions of FreeBSD.
Corrected: 2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
           2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
           2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
           2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
           2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name: CVE-2008-5162
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher. It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts. During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.
II. Problem Description
When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes ...

Dear FreeBSD Community,

The FreeBSD Foundation is pleased to announce another funded project! Mark Linimon has been awarded a grant to prototype a new problem reporting system for the FreeBSD project. This project will allow Mark to define the features, look-and-feel, and architecture of a future replacement of the project's current GNATs based system. Once the prototype is complete, it will be used to garner input from the FreeBSD community before a production system is implemented.

"One of the most frequently requested improvements from the FreeBSD developer community is an improved bug tracking system," said Mark Linimon. He also added, "The design goals of this prototype are to incorporate such features as markedly improved workflow, better categorization, customizable email notifications, and redesigned web pages to make searching and browsing easier."

"Once the prototype is completed," Mark added, "it will be circulated amongst the developer community for feedback. I am happy to have the Foundation's support to work on this project."

"Problem reporting software is a critical tool for getting feedback from the FreeBSD user community, recording information about defects and missing features in the system, and making our volunteer developers productive," said Justin Gibbs, Founder of the FreeBSD Foundation. "Mark has used manpower and sheer will to overcome the deficiencies in the current problem reporting system, and to make it work for the project. But our GNATs isn't fully utilized because of missing features and a clumsy user interface. We're very excited to help address these problems in a core piece of the FreeBSD project's infrastructure."

This project will be completed by the end of June.
Sincerely,
The FreeBSD Foundation

_______________________________________________
freebsd-announce@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org"
The FreeBSD Foundation is pleased to announce we're kicking off our 2007 Fall Fundraising campaign by auctioning off the first copy of the book Absolute FreeBSD, 2nd Edition. You can be the first one to own this book, while helping the FreeBSD Project and community. This book was generously donated by the author himself and he will include a signed authentic laser-printed Certificate of Authenticity, and a signed bookplate.

To bid on this phenomenal guide to FreeBSD go to:
http://cgi.ebay.com/ws/eBayISAPI.dll?ViewItem&item=120175384688&ssPageName=ADM...

All proceeds will go to the Foundation. We are using eBay's charitable organization called MissionFish to host the auction. MissionFish will deduct a small percentage of the donation to cover their costs.

Thank you to Michael Lucas for his donation to the foundation and all you eager bidders who want to help the project and community. The auction started today and will end Nov. 2.

Thank You,
Deb Goodkin
The FreeBSD Foundation
Introduction
Happy New Year. This Report covers the last quarter of an exciting year
2006 for FreeBSD development. FreeBSD 6.2 is finally out of the door
and work towards FreeBSD 7.0 is gearing up. Some of the projects in
this report will be part of that effort, others are already in the
tree. Many projects need your help with testing and otherwise. Please
see the "Open tasks" sections for more information.
The BSD crowd will meet at AsiaBSDCon March 8-10th in Tokyo and a two
day FreeBSD developer summit will be held at BSDCan May 16-19th in
Ottawa. Finally, EuroBSDCon September 14-15th in Copenhagen is already
looking for papers.
Thanks to all the reporters for the excellent work! We hope you enjoy
reading.
_________________________________________________________________
Projects
* FreeSBIE
* iSCSI Initiator
* Network Stack Virtualization
* New USB Stack
* Past and Future PR Closing Events
* Porting ZFS to FreeBSD
* TrustedBSD Audit
* TrustedBSD MAC Framework
* TrustedBSD priv(9)
FreeBSD Team Reports
* FreeBSD Bugbusting Team
* FreeBSD Security Officer and Security Team
* Release Engineering
* The FreeBSD Foundation
Network Infrastructure
* Automatic TCP Send and Receive Socket Buffer Sizing
* FAST_IPSEC Upgrade
* ipfw NAT and libalias
* Multi-link PPP daemon (MPD)
* Wireless Networking
Kernel
* Cryptographic Subsystem
* GEOM Multipath
* Interrupt Filtering
* Sound Subsystem Improvements
* Update of the Linux Compatibility Environment in the Kernel
Hardware Drivers
* Bt878 Audio Driver (aka FusionHDTV 5 Lite driver)
* Intel 3945ABG Wireless LAN Driver: wpi
* MPT LSI-Logic Host Adapters: mpt
* QLogic SCSI and Fibre Channel: isp
Documentation
* Hungarian Translation of the Webpages
* The FreeBSD Dutch Documentation Project
Userland Programs
...

Summer of Code - Get Paid to Work on Open Source This Summer

Google Summer of Code is an exciting opportunity for students to "intern" with an open source project for a summer. The FreeBSD Project, as one of the most successful and oldest open source projects, is an excellent place to do this internship. Founded in 1993, the project now consists of several hundred "committers" and tens of thousands of contributors. FreeBSD is the foundation for many commercial products, including Apple's Mac OS X, NetApp's OnTap/GX, Juniper's JunOS, as well as countless other products, from Cisco anti-spam appliances to Isilon's cluster storage hardware, and is widely used in the Internet Service Provider and corporate IT worlds. Many of these sponsors participate daily in the FreeBSD community, and students have the opportunity to develop software in an exciting environment with many real world applications, and under the mentorship of experienced developers.

After the summer ends, many of our students are sponsored by Google or the FreeBSD Foundation to attend operating systems and open source conferences to present on their work, and a significant number go on to become FreeBSD developers. It's also a great job networking opportunity!

There are many dozens of example project ideas listed on the FreeBSD web site here:
http://www.freebsd.org/projects/summerofcode.html
and for many other open source organizations as well:
http://code.google.com/soc

Some of the example projects include working on embedded operating systems, unix filesystems, network performance and implementing new network protocols, and more. Most sample project ideas include developers you can contact to discuss a proposal, and we recommend doing so in advance of submitting a proposal. Strong C language skills are recommended for most projects.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-06:24.libarchive Security Advisory
The FreeBSD Project
Topic: Infinite loop in corrupt archives handling in libarchive(3)
Category: core
Module: libarchive
Announced: 2006-11-08
Credits: Rink Springer
Affects: FreeBSD 6-STABLE after 2006-09-05 05:23:51 UTC
Corrected: 2006-11-08 14:05:40 UTC (RELENG_6, 6.2-RC1)
CVE Name: CVE-2006-5680
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The libarchive library provides a flexible interface for reading and
writing streaming archive files such as tar and cpio, and has been the
basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.
II. Problem Description
If the end of an archive is reached while attempting to "skip" past a
region of an archive, libarchive will enter an infinite loop wherein it
repeatedly attempts (and fails) to read further data.
III. Impact
An attacker able to cause a system to extract (via "tar -x" or another
application which uses libarchive) or list the contents (via "tar -t" or
another libarchive-using application) of an archive provided by the
attacker can cause libarchive to enter an infinite loop and use all
available CPU time.
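To make the failure mode concrete, here is an added example (not libarchive's code) of a listing loop over a constructed record format, a 4-byte little-endian body length followed by the body, read through a source that only yields a few bytes per read; skip_checked() treats a zero-length read at end of archive as a fatal truncation instead of retrying, so a corrupt archive is reported rather than spun on. The record format, the sample archives and the ARCHIVE_* return values are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Return codes in libarchive's style, negative for errors (values assumed). */
#define ARCHIVE_OK      0
#define ARCHIVE_EOF     1
#define ARCHIVE_FATAL (-30)

/* Constructed stand-in for a streaming source: the reader sees the bytes only
 * 'chunk' at a time, as a pipe or a tape drive would deliver them. */
struct source { const uint8_t *data; size_t len, pos, chunk; };

/* Consume up to 'want' bytes (at most one chunk); 0 means end of archive. */
static size_t source_read(struct source *s, size_t want)
{
    size_t n = want < s->chunk ? want : s->chunk;
    if (n > s->len - s->pos)
        n = s->len - s->pos;
    s->pos += n;
    return n;
}

/* Skip 'n' bytes of entry body. The flawed loop was equivalent to
 *     while (n > 0) n -= source_read(s, n);
 * which spins forever once source_read() returns 0 at end of archive.
 * A zero-length read is treated here as truncation and reported instead. */
int skip_checked(struct source *s, size_t n)
{
    while (n > 0) {
        size_t got = source_read(s, n);
        if (got == 0)
            return ARCHIVE_FATAL;   /* truncated archive: fail, do not retry */
        n -= got;
    }
    return ARCHIVE_OK;
}

/* Read a 4-byte LE body length: clean EOF on an entry boundary, FATAL mid-header. */
static int read_header(struct source *s, uint32_t *body_len)
{
    const uint8_t *p = s->data + s->pos;
    if (s->pos == s->len) return ARCHIVE_EOF;
    if (s->len - s->pos < 4) return ARCHIVE_FATAL;
    *body_len = (uint32_t)p[0] | (uint32_t)p[1] << 8 |
                (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    s->pos += 4;
    return ARCHIVE_OK;
}

/* The listing path ("tar -t"): returns the entry count, or ARCHIVE_FATAL. */
int list_entries(const uint8_t *data, size_t len, size_t chunk)
{
    struct source s = { data, len, 0, chunk };
    int count = 0;
    for (;;) {
        uint32_t body;
        int r = read_header(&s, &body);
        if (r == ARCHIVE_EOF)
            return count;
        if (r != ARCHIVE_OK || skip_checked(&s, body) != ARCHIVE_OK)
            return ARCHIVE_FATAL;
        count++;
    }
}

/* Constructed samples in the toy format above (not real tar or cpio data). */
static const uint8_t good_archive[] = {
    3, 0, 0, 0, 'a', 'b', 'c',      /* entry 1: 3-byte body */
    2, 0, 0, 0, 'x', 'y'            /* entry 2: 2-byte body */
};
static const uint8_t truncated_archive[] = {
    3, 0, 0, 0, 'a', 'b', 'c',
    100, 0, 0, 0, 'x', 'y'          /* header promises 100 bytes, only 2 present */
};
```

With the flawed loop, list_entries() on truncated_archive would never return; here it returns ARCHIVE_FATAL after the first empty read.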
IV. Workaround
No workaround is available.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE dated after the correction
date.
2) To patch your present system:
The following patches have been verified to apply to affected systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-06:01.texindex Security Advisory
The FreeBSD Project
Topic: Texindex temporary file privilege escalation
Category: contrib
Module: texinfo
Announced: 2006-01-11
Credits: Frank Lichtenheld
Affects: All FreeBSD releases.
Corrected: 2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
           2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
           2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
           2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
           2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
           2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
           2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
           2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name: CAN-2005-3011
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
TeX is a document typesetting system which is popular in the mathematics,
physics, and computer science realms because of its ability to typeset
complex mathematical formulas. texindex(1) is a utility which is often
used to generate a sorted index of a TeX file.
II. Problem Description
The "sort_offline" function used by texindex(1) employs the "maketempname"
function, which produces predictable file names and fails to validate that
the paths do not exist.
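As an added example (not texindex or FreeBSD code), the two properties the advisory says maketempname() lacked, an unpredictable name and a check that the path does not already exist, done with mkstemp(3) and an O_EXCL|O_NOFOLLOW open; the texindex-demo file names, the $TMPDIR fallback and the self-check are assumptions of this example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Unpredictable name and existence check in one step: mkstemp() replaces the
 * trailing XXXXXX with random characters and opens with O_CREAT|O_EXCL, so a
 * path that already exists (file or symlink) is skipped, never reused.
 * 'tmpl' is rewritten with the chosen name; returns the fd or -1. */
int secure_tempfile(char *tmpl)
{
    return mkstemp(tmpl);
}

/* The check the advisory says maketempname() lacked, for a caller-chosen name:
 * O_EXCL makes "create only if absent" atomic with the open (no stat-then-open
 * window), and O_NOFOLLOW refuses a symlink sitting at the path. Fails with
 * EEXIST or ELOOP instead of writing through to wherever the path points. */
int open_new_only(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Self-check: pre-create a fixed, predictable name, then confirm the exclusive
 * open refuses it while mkstemp() still gets a fresh file. Works under $TMPDIR
 * (or /tmp) and removes what it created. Returns 1 when both properties hold. */
int demo_tempfile_checks(void)
{
    const char *dir = getenv("TMPDIR");
    char fixed[1024], tmpl[1024];
    int fd, refused, created;

    if (dir == NULL || *dir == '\0')
        dir = "/tmp";
    snprintf(fixed, sizeof fixed, "%s/texindex-demo-%ld", dir, (long)getpid());
    snprintf(tmpl, sizeof tmpl, "%s/texindex-demo-XXXXXX", dir);

    fd = open(fixed, O_WRONLY | O_CREAT | O_TRUNC, 0600);   /* occupy the path */
    if (fd < 0)
        return 0;                   /* no writable directory: cannot check */
    close(fd);

    fd = open_new_only(fixed);      /* must be refused, not silently reused */
    refused = (fd == -1 && errno == EEXIST);
    if (fd >= 0)
        close(fd);

    fd = secure_tempfile(tmpl);     /* fresh name nobody could have pre-created */
    created = (fd >= 0 && strstr(tmpl, "XXXXXX") == NULL);
    if (fd >= 0) {
        close(fd);
        unlink(tmpl);
    }
    unlink(fixed);
    return refused && created;
}

int main(void)
{
    printf("exclusive open refused and mkstemp() succeeded: %s\n",
           demo_tempfile_checks() ? "yes" : "no");
    return 0;
}
```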
III. Impact
These predictable temporary file names are problematic because they
allow an attacker to take advantage of a race condition in order to
execute a symlink attack, which could enable them to overwrite files
on the system in the ...

rsync.net is pleased to announce Code Bounties for 2007:
http://www.rsync.net/resources/notices/2007cb.html

Two of the five bounties are for FreeBSD related projects. Please take note of the "FreeBSD UFS2 problem resolution and standardized UFS2 stress testing" bounty - we encourage you to contribute. We have a nice list of tested and confirmed PRs that we will be submitting in the next few weeks - things related to snapshots, quotas, full disks, and large filesystems. We are excited to put forth funds toward their resolution.

In addition, we would like very much for there to be a standardized filesystem stress test that can be run on FreeBSD builds prior to release. This will help the stability of the filesystem greatly, as many of the problems we have found in quotas and snapshots (for instance) have appeared and disappeared several times in both 5.x and 6.x.

As always, many thanks to the entire FreeBSD community for all of their work.

--rsync.net
FreeBSD Quarterly Status Report
Introduction
This report covers FreeBSD related projects between April and September
2009. During that time a lot of work has been done on wide variety of
projects, including the Google Summer of Code projects. The BSDCan
conference was held in Ottawa, CA, in May. The EuroBSDCon conference
was held in Cambridge, UK, in September. Both events were very
successful. A new major version of FreeBSD, 8.0 is to be released soon.
If you are wondering what's new in this long-awaited release, read Ivan
Voras' excellent summary.
Thanks to all the reporters for the excellent work! We hope you enjoy
the reading.
Please note that the next deadline for submissions covering reports
between October and December 2009 is January 15th, 2010.
__________________________________________________________________
Google Summer of Code
* About Google Summer of Code 2009
* BSD-licensed iconv (Summer of Code 2009)
* BSD-licensed text-processing tools (Summer of Code 2008)
* Ext2fs Status report (Summer of Code 2009)
* libnetstat(3) - networking statistics (Summer of Code 2009)
* pefs - stacked cryptographic filesystem (Summer of Code 2009)
Projects
* BSD# Project
* Clang replacing GCC in the base system
* FreeBSD TDM Framework
* Grand Central Dispatch - FreeBSD port
* libprocstat(3) - process statistics
* New BSD licensed debugger
* NFSv4 ACLs
* The Newcons project
* VirtualBox on FreeBSD
FreeBSD Team Reports
* FreeBSD Bugbusting Team
* FreeBSD KDE Team
* FreeBSD Ports Management Team
* Release Engineering Status Report
* The FreeBSD Foundation Status Report
Network Infrastructure
* Enhancing the FreeBSD TCP Implementation
* Modular Congestion Control
* Network Stack Virtualization
* Stream Control Transmission Protocol (SCTP)
Kernel
* FreeBSD/ZFS
* hwpmc for ...

The registration to EuroBSDcon2007 is open now:
http://2007.eurobsdcon.org/shop.html
300DKK early bird discount until July 1st.
The conference price is 1800 DKK (EUR 240) a bit higher than we
wanted, but we have managed to secure very cheap lodging, Youth
Hostel style, at only 165 DKK, (EUR 22) per night.
Check out the talks and tutorials on our web-page:
http://2007.eurobsdcon.org
See you in Wonderful Copenhagen, September 14-15 2007!
(And don't miss the trip to LEGOLand!)
=============================
EuroBSDcon2007 Poster Session
=============================
EuroBSDcon2007 will not have a "Work In Progress" session, it will have
poster session instead, possibly two, if we get many poster presenters.
The way it works is simple: During the lunch break the poster presenter
gets a place to stand with his poster, and people wander around looking
for stuff that interests them and the poster presenter makes his pitch
to whoever stops by.
Rules of the game:
------------------
Topics:
Any moderately BSD related topic is fair game.
You must be this tall:
Proposals will be accepted or rejected solely on the graphical
quality of the poster.
A number of slots will be reserved for students.
Registration:
To get a slot, send email to <posters@eurobsdcon.dk> with:
Your name & email address
Topic of poster (1 paragraph)
URL to pdf or photo of your poster
Do not attach the pdf or photo to the email, just
include a URL to it!
It's OK to update your poster after I have seen it.
Deadline:
Right before I run out of slots.
Do I get free transportation, entrance to the conference etc.?
Sorry, we can't afford that (unless a sponsor volunteers)
Web-site:
If you want your poster on the web-site with the other conference
material, make sure to send us the final PDF version.
Poster size:
...

The FreeBSD Project has begun the switch of its source code management system from CVS to Subversion. At this point in time, FreeBSD's developers are making changes to the base system in the Subversion repository. There is a replication system in place that exports our work to the legacy CVS tree on a continuous basis. People who are using our extensive CVS based distribution network (including anoncvs, CVSup, csup, cvsweb, ftp) will not be interrupted by our work-in-progress. You do not need to change anything if you do not wish to.

We are committed to maintaining the existing CVS based distribution system for *at least* the support lifetime of all existing "stable" branches. Security and errata patches will continue to be made available in their usual CVS locations. The rest of the FreeBSD-6 and FreeBSD-7 releases will be built and released from the CVS tree.

We expect to make our Subversion based source tree and other supporting infrastructure public very soon. There will be new mailing lists to subscribe to if you wish to receive Subversion commit notifications.

Our ports, doc and www trees are not affected at this time. A separate decision will be made regarding the direction of those CVS repositories soon.

Many people have contributed to the effort, but I particularly wish to thank Michael Haggerty and the cvs2svn project developers for their assistance with extracting and decrypting our 14 years of CVS history. Yahoo (my employer) donated server hardware and allowed me to spend a considerable amount of time on the preparation, assembling the infrastructure, and the conversion.

-- 
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5
"If Java had true garbage collection, most programs would delete themselves upon execution." -- Robert Sewell
The FreeBSD Project is pleased to announce the conclusion of our fourth consecutive democratic election of project leadership. The FreeBSD Core Team constitutes the project's "Board of Directors" and is responsible for vetting new src committers, arbitrating technical disagreements, weighing in on policy and administrative issues, and appointing sub-committees for handling specific duties (security officer, release engineers, port managers, webmasters, etc.). The core team has been democratically elected every 2 years by active FreeBSD committers since 2000.

Peter Wemm is rejoining the team after a 2 year hiatus, and Kris Kennaway is joining the team for the first time. The remaining 7 slots were filled with incumbents Wilko Bulte, Brooks Davis, Giorgos Keramidas, George V. Neville-Neil, Hiroki Sato, Murray Stokely, and Robert Watson.

The new core team would like to especially thank outgoing members Wes Peters and Warner Losh for their many years of service to FreeBSD, our electioneer Dr. Josef Karthauser for running another election for us, and our returning core secretary Philip Paeps.

Murray Stokely
On behalf of the (new) Core Team
Calling all FreeBSD developers needing assistance with travel expenses to AsiaBSDCon 2008. The FreeBSD Foundation will be providing a limited number of travel grants to individuals requesting assistance. Please fill out and submit the Travel Grant Request Application at www.freebsdfoundation.org/documents/ by MARCH 2, 2008 to apply for this grant.

We have increased our travel grant budget for 2008! Now we have the resources to help send more FreeBSD developers to conferences. We still ask you to look to your employers first for sponsorship or cost-splitting. Also, to be considered for the grant, you must provide a detailed justification for attending this conference in the application. Please describe, not only your purpose for attending, but how the FreeBSD project and community will benefit from you attending this conference.

Please note, we extended the deadline for the applications because of difficulty getting this message out to this mailing list. We will send our decisions out by March 5. We will not accept applications after March 2, 2008.

Thank You,
The FreeBSD Foundation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-EN-08:01.libpthread Errata Notice
The FreeBSD Project
Topic: Problems with fork(2) within threaded programs
Category: core
Module: libpthread
Announced: 2008-04-17
Credits: Julian Elischer, Dan Eischen
Affects: FreeBSD 6.3
Corrected: 2008-02-04 20:05:20 UTC (RELENG_6, 6.3-STABLE)
           2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security
branches, and the following sections, please visit
<URL:http://security.freebsd.org/>.
I. Background
POSIX threads are a set of functions that support applications with
requirements for multiple flows of control, called threads, within a
process. The fork(2) system call is used to create a new process.
II. Problem Description
The libpthread threading library on FreeBSD 6.3 fails to properly
reinitialize mutexes when a threaded process invokes fork(2).
III. Impact
After the fork(2) system call returns, the newly created child process may
freeze in user space for no apparent reason. This affects any threaded
application that invokes fork(2), most frequently those that call
fork(2) before execve(2) or system(3) to run external programs.
IV. Workaround
On some systems, using libthr instead of libpthread, via the libmap
configuration file libmap.conf(5), may be an acceptable workaround.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE or the RELENG_6_3
security branch dated after the correction date.
2) To patch your present system:
The following patch has been verified to apply to FreeBSD 6.3 systems:
a) Download the relevant patch from the location below, and ...

Dear FreeBSD Community,

The FreeBSD Foundation is pleased to announce the availability of the Java JDK and JRE 6.0 binary installable packages for FreeBSD 6.x and 7.x on the i386 and amd64 architectures! The binaries are available at http://www.freebsdfoundation.org/downloads/java.shtml.

We would like to thank Kurt Miller for his hard work on this project. We would also like to thank Greg Lewis and Jung-uk Kim from the FreeBSD Java Project for their help and support. These releases would not be possible without the help of the volunteers developing Java for FreeBSD, Sun Microsystems, and your donations!

We hope you will consider making a donation to help us fund more development projects to improve FreeBSD. Please go to http://www.freebsdfoundation.org/donate/ to find out how to make a donation.

Sincerely,
The FreeBSD Foundation
