FreeBSD Security Notice FreeBSD-SN-02:02

To: FreeBSD Security Advisories <security-advisories@...>
Date: Thursday, November 29, 2007 - 12:31 pm

[Empty message]
To: FreeBSD Security Advisories <security-advisories@...>
Date: Wednesday, September 3, 2008 - 4:13 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:07.amd64                                      Security Advisory
                                                          The FreeBSD Project

Topic:          amd64 swapgs local privilege escalation

Category:       core
Module:         sys_amd64_amd64
Announced:      2008-09-03
Credits:        Nate Eldredge
Affects:        All supported FreeBSD/amd64 versions.
Corrected:      2008-08-21 09:58:18 UTC (RELENG_7, 7.0-STABLE)
                2008-09-03 19:09:47 UTC (RELENG_7_0, 7.0-RELEASE-p4)
                2008-09-03 19:09:47 UTC (RELENG_6, 6.4-PRERELEASE)
                2008-09-03 19:09:47 UTC (RELENG_6_3, 6.3-RELEASE-p4)
CVE Name:       CVE-2008-3890

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD/amd64 is commonly used on 64-bit systems with AMD and Intel
CPUs.  For Intel CPUs this architecture is known as EM64T or Intel
64.

The gs segment CPU register is used by both user processes and the
kernel to conveniently access state data.  User processes use it to
manage per-thread data, and the kernel uses it to manage per-processor
data.  As the processor enters and leaves the kernel it uses the
'swapgs' instruction to toggle between the kernel and user values for
the gs register.

The kernel stores critical information in its per-processor data
block.  This includes the currently executing process and its
credentials.

As the processor switches between user and kernel level, a number of
checks are performed in order to implement the privilege protection
system.  If the processor detects a problem while attempting to switch
privilege levels it generates a trap - typically general protection
fault (GPF).  In that case, the processor aborts the ret...
To: <freebsd-announce@...>, <freebsd-security-notifications@...>
Date: Monday, June 2, 2008 - 11:32 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello Everyone,

The branches supported by the FreeBSD Security Officer have been updated
to reflect recent EoL (end-of-life) events.  The new list is below and
at <URL: http://security.freebsd.org/ >.  FreeBSD 5.5, FreeBSD 6.1, and
FreeBSD 6.2 have `expired' and are no longer supported effective June 1,
2008.  Users of these releases are advised to upgrade promptly to FreeBSD
6.3 or FreeBSD 7.0, either by downloading an updated source tree and
building updates manually, or (for i386 and amd64 systems) using the
FreeBSD Update utility as described in the FreeBSD 6.3 and FreeBSD 7.0
release announcements.

This marks the end of support by the FreeBSD Security Team for the
FreeBSD 5-STABLE branch, and at this time support for running software
from the ports tree on FreeBSD 5.x is also ceasing:  Packages for binary
installations will no longer be built for FreeBSD 5.5, building ports
from source on FreeBSD 5.x will no longer be supported, and the ports
INDEX will no longer be built and made available via portsnap or the
'make fetchindex' target.  Patches for individual ports specific for
their functioning on FreeBSD 5.5 may still be accepted at the discretion
of the port maintainer.

[Excerpt from http://security.freebsd.org/ follows]

FreeBSD Security Advisories

   The FreeBSD Security Officer provides security advisories for
   several branches of FreeBSD development. These are the -STABLE
   Branches and the Security Branches. (Advisories are not issued for
   the -CURRENT Branch.)

     * There is usually only a single -STABLE branch, although during
       the transition from one major development line to another
       (such as from FreeBSD 5.x to 6.x), there is a time span in
       which there are two -STABLE branches. The -STABLE branch tags
       have names like RELENG_6. The corresponding builds have names
       like FreeBSD 6.1-STABLE.

     * Each FreeBSD Release has an associated Security Branch. The
     ...

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:19                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          squid heap buffer overflow in DNS handling

Category:       ports
Module:         squid24
Announced:      2002-03-26
Credits:        zen-parse <zen-parse@gmx.net>
Affects:        squid port prior to version 2.4_9
Corrected:      2002-03-22 00:19:55 UTC
FreeBSD only:   NO

I.   Background

The Squid Internet Object Cache is a web proxy/cache.

II.  Problem Description

Incorrect handling of compressed DNS responses could result in a
heap buffer overflow.

The squid port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains thousands of third-party applications in a ready-to-install
format. The ports collection shipped with FreeBSD 4.5 contains this
problem since it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

A malicious DNS server (or an attacker spoofing a DNS server) could
respond to DNS requests from squid with a specially crafted answer
that would trigger the heap buffer overflow bug.  This could crash the
squid process.  This bug is not known to be exploitable.

IV.  Workaround

1) Deinstall the squid port/package if you have it installed.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from the following directories:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/

[alpha]
...
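The squid bug above is in the decoding of compressed names in DNS responses. As an added illustration, not squid's or FreeBSD's code, here is a bounds-checked decoder for the RFC 1035 name format run over a constructed response: it rejects labels that run past the message, compression pointers that do not point strictly backwards (which is what makes pointer loops impossible), and names that would not fit the caller's buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_NAME_MAX 253   /* longest dotted host name */

/* Decode the DNS name at offset `off` of message `msg` (len bytes) into dotted
 * form in `out`.  Returns the number of bytes the name occupies at `off`
 * (2 for a bare compression pointer), or -1 if the message is malformed. */
int dns_read_name(const uint8_t *msg, size_t len, size_t off,
                  char *out, size_t out_sz)
{
    size_t pos = off, out_len = 0, consumed = 0;
    int jumped = 0;

    if (out_sz == 0)
        return -1;
    for (;;) {
        if (pos >= len)                     /* length/pointer byte must be inside the message */
            return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {           /* 11xxxxxx: compression pointer */
            if (pos + 1 >= len)
                return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (!jumped) {                  /* only the first pointer counts toward consumed bytes */
                consumed = pos + 2 - off;
                jumped = 1;
            }
            if (target >= pos)              /* RFC 1035: pointer to a *prior* occurrence; also kills loops */
                return -1;
            pos = target;
            continue;
        }
        if (c & 0xC0)                       /* 01/10 prefixes are reserved */
            return -1;
        if (c == 0) {                       /* root label terminates the name */
            if (!jumped)
                consumed = pos + 1 - off;
            break;
        }
        if (pos + 1 + c > len)              /* label body must be inside the message */
            return -1;
        size_t need = out_len + (out_len ? 1 : 0) + c;
        if (need > DNS_NAME_MAX || need >= out_sz)   /* would overflow the name or the caller's buffer */
            return -1;
        if (out_len)
            out[out_len++] = '.';
        memcpy(out + out_len, msg + pos + 1, c);
        out_len += c;
        pos += 1 + c;
    }
    out[out_len] = '\0';
    return (int)consumed;
}

/* Constructed response: question "www.example.com A IN"; the answer's NAME is
 * a pointer (0xC00C) back to offset 12, followed by an A record. */
const uint8_t DNS_MSG[] = {
    0x12, 0x34, 0x81, 0x80, 0, 1, 0, 1, 0, 0, 0, 0,              /* header */
    3, 'w', 'w', 'w', 7, 'e', 'x', 'a', 'm', 'p', 'l', 'e',
    3, 'c', 'o', 'm', 0,                                         /* QNAME at offset 12 */
    0, 1, 0, 1,                                                  /* QTYPE A, QCLASS IN */
    0xC0, 0x0C,                                                  /* answer NAME: pointer to 12 */
    0, 1, 0, 1, 0, 0, 0, 60, 0, 4, 10, 0, 0, 1                   /* A IN TTL=60 RDLEN=4 RDATA */
};
const uint8_t DNS_BAD_LOOP[] = { 0xC0, 0x00 };        /* constructed: pointer to itself */
const uint8_t DNS_BAD_TRUNC[] = { 5, 'a', 'b' };      /* constructed: label runs past the end */
char dns_out[256];

int main(void)
{
    int n = dns_read_name(DNS_MSG, sizeof DNS_MSG, 33, dns_out, sizeof dns_out);
    printf("answer name: %s (%d bytes on the wire)\n", dns_out, n);
    printf("self-pointer: %d, truncated label: %d\n",
           dns_read_name(DNS_BAD_LOOP, sizeof DNS_BAD_LOOP, 0, dns_out, sizeof dns_out),
           dns_read_name(DNS_BAD_TRUNC, sizeof DNS_BAD_TRUNC, 0, dns_out, sizeof dns_out));
    return 0;
}
```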

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:02                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports
Announced:      2002-05-13

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      analog
Affected:       versions < analog-5.22
Status:         Fixed
Cross-site scripting attack.
<URL:http://www.analog.cx/security4.html>
+------------------------------------------------------------------------+
Port name:      ascend-radius, freeradius-devel, icradius, radius-basic,
                  radiusclient, radiusd-cistron, xtradius
Affected:       versions < radiusd-cistron-1.6.6
                all versions of ascend-radius, freeradius-devel, icradius,
                  radius-basic, radiusclient
Status:         Fixed: radiusd-cistron
                Not fixed: all others
Digest Calculation buffer overflow and/or insufficient validation of
attribute lengths.
<URL:http://www.security.nnov.ru/advisories>
+------------------------------------------------------------------------+
Port name:      dnews
Affected:       versions < dnews-...

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:04                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports
Announced:      2002-06-19

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      apache13, apache13-modssl, apache13-ssl,
                apache13+ipv6, apache13-fp, apache2
Affected:       versions < apache-2.0.39 (apache2)
                versions < apache-1.3.26 (apache13)
                versions < apache+mod_ssl-1.3.26+2.8.9 (apache13-modssl)
                All versions (others)
Status:         Fixed (apache2, apache13, apache13-modssl)
                Not fixed (others)
Denial-of-service involving chunked encoding.
<URL:http://httpd.apache.org/info/security_bulletin_20020617.txt>
<URL:http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20502>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0392>
+------------------------------------------------------------------------+
Port name:      bind9
Affected:       versions < bind9-9.2.1
Status:         Fixed
Denial-of-service vulnerability in named.
<...

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:29                                            Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in tcpdump when handling NFS packets

Category:       contrib
Module:         tcpdump
Announced:      2002-07-12
Credits:        dwmw2@redhat.com
Affects:        All releases prior to and including 4.6-RELEASE
                FreeBSD 4.6-STABLE prior to the correction date
Corrected:      2002-07-05 13:24:57 UTC (RELENG_4)
                2002-07-12 13:29:47 UTC (RELENG_4_6)
                2002-07-12 13:31:10 UTC (RELENG_4_5)
                2002-07-12 13:31:44 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

The tcpdump utility is used to capture and examine network traffic.

II.  Problem Description

Versions of tcpdump up to and including 3.7.1 contain a buffer
overflow that may be triggered by badly formed NFS packets, and
possibly other types of packets.

III. Impact

It is not currently known whether this buffer overflow is exploitable.
If it were, an attacker could inject specially crafted packets into
the network which, when processed by tcpdump, could lead to arbitrary
code execution with the privileges of the user running tcpdump
(typically `root').

IV.  Workaround

There is no workaround, other than not using tcpdump.

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4.6-STABLE; or to the RELENG_4_6,
RELENG_4_5, or RELENG_4_4 security branch dated after the correction
date (4.6-RELEASE-p2, 4.5-RELEASE-p8, or 4.4-RELEASE-p15).

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 4.4, 4.5, and
4.6 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/pat...
To: FreeBSD Security Advisories <security-advisories@...>
Date: Wednesday, October 3, 2007 - 5:58 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:08.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in OpenSSL SSL_get_shared_ciphers()

Category:       contrib
Module:         openssl
Announced:      2007-10-03
Credits:        Moritz Jodeit
Affects:        All FreeBSD releases.
Corrected:      2007-10-03 21:39:43 UTC (RELENG_6, 6.2-STABLE)
                2007-10-03 21:40:35 UTC (RELENG_6_2, 6.2-RELEASE-p8)
                2007-10-03 21:41:22 UTC (RELENG_6_1, 6.1-RELEASE-p20)
                2007-10-03 21:42:00 UTC (RELENG_5, 5.5-STABLE)
                2007-10-03 21:42:32 UTC (RELENG_5_5, 5.5-RELEASE-p16)
CVE Name:       CVE-2007-5135

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

FreeBSD includes software from the OpenSSL Project.  The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured,
and Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.

II.  Problem Description

A buffer overflow addressed in FreeBSD-SA-06:23.openssl has been found
to be incorrectly fixed.

III. Impact

For applications using the SSL_get_shared_ciphers() function, the
buffer overflow could allow an attacker to crash or potentially
execute arbitrary code with the permissions of the user running the
application.

IV.  Workaround

No workaround is available, but only applications using the
SSL_get_shared_ciphers() function are affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE,...

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:39.libkvm                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Applications using libkvm may leak sensitive descriptors

Category:       core
Module:         libkvm
Announced:      2002-09-16
Credits:        David Endler <DEndler@iDefense.com>,
                <badc0ded@badc0ded.com>
Affects:        All releases prior to and including 4.6.2-RELEASE.
                Security branch releases prior to 4.4-RELEASE-p27,
                4.5-RELEASE-p20, and 4.6.2-RELEASE-p2.
Corrected:      2002-09-13 14:53:43 UTC (RELENG_4)
                2002-09-13 15:04:22 UTC (RELENG_4_6)
                2002-09-13 15:07:26 UTC (RELENG_4_5)
                2002-09-13 15:09:07 UTC (RELENG_4_4)
FreeBSD only:   NO

I.   Background

The kvm(3) library provides a uniform interface for accessing kernel
virtual memory images, including live systems and crash dumps.  Access
to live systems is via /dev/mem and /dev/kmem.  Memory can be read and
written, kernel symbol addresses can be looked up efficiently, and
information about user processes can be gathered.

The kvm_openfiles(3) function opens the special device files /dev/mem
and /dev/kmem, and returns an opaque handle that must be passed
to the other library functions.

II.  Problem Description

Applications that wish to present system information such as swap
utilization, virtual memory utilization, CPU utilization, and
so on may use the kvm(3) library to read kernel memory directly
and gather this information.  Such applications typically must
be run set-group-ID kmem so that the call to kvm_openfiles(3)
can access /dev/mem and /dev/kmem.

If the application then uses exec(2) to start another application,
the new application will continue to have open file descriptors to
/dev/mem and /dev/kmem.  This is usua...
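The leak described above is the inherited-descriptor problem: any file descriptor not marked close-on-exec survives exec(2) into the new program. The example below is added here and is not libkvm or FreeBSD code; it uses /dev/null as a stand-in for /dev/kmem, opens it with and without FD_CLOEXEC, and then checks from an exec'd /bin/sh whether the child can still use the descriptor.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Open the "sensitive" descriptor (/dev/null stands in for /dev/kmem).
 * With close_on_exec set, the descriptor is marked FD_CLOEXEC so the kernel
 * closes it automatically in any program this process later exec()s. */
int open_sensitive(int close_on_exec)
{
    int fd = open("/dev/null", O_RDWR);
    if (fd < 0)
        return -1;
    if (close_on_exec) {
        int flags = fcntl(fd, F_GETFD);
        if (flags < 0 || fcntl(fd, F_SETFD, flags | FD_CLOEXEC) < 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

/* Fork and exec /bin/sh, which tries to redirect onto the inherited fd number.
 * Returns 1 if the exec'd program could still use fd (it leaked), 0 if the
 * descriptor was closed across exec, -1 on error. */
int fd_survives_exec(int fd)
{
    char cmd[64];
    int status;
    pid_t pid;

    snprintf(cmd, sizeof cmd, ": >&%d", fd);       /* the redirection fails only if fd is not open */
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                                 /* exec itself failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (!WIFEXITED(status) || WEXITSTATUS(status) == 127)
        return -1;
    return WEXITSTATUS(status) == 0;
}

int main(void)
{
    int leaky = open_sensitive(0), safe = open_sensitive(1);
    printf("without FD_CLOEXEC: child can use fd %d -> %d\n", leaky, fd_survives_exec(leaky));
    printf("with    FD_CLOEXEC: child can use fd %d -> %d\n", safe, fd_survives_exec(safe));
    close(leaky);
    close(safe);
    return 0;
}
```

The same check applies to any descriptor a set-group-ID helper opens before it runs another program: audit with F_GETFD rather than assuming the library closed it.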

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SN-02:06                                              Security Notice
                                                          The FreeBSD Project

Topic:          security issues in ports
Announced:      2002-10-10

I.   Introduction

Several ports in the FreeBSD Ports Collection are affected by security
issues.  These are listed below with references and affected versions.
All versions given refer to the FreeBSD port/package version numbers.
The listed vulnerabilities are not specific to FreeBSD unless
otherwise noted.

These ports are not installed by default, nor are they ``part of
FreeBSD'' as such.  The FreeBSD Ports Collection contains thousands of
third-party applications in a ready-to-install format.  FreeBSD makes
no claim about the security of these third-party applications.  See
<URL:http://www.freebsd.org/ports/> for more information about the
FreeBSD Ports Collection.

II.  Ports

+------------------------------------------------------------------------+
Port name:      apache13, apache13+ipv6, apache13-fp, apache13-modssl and
                apache13-ssl
Status:         Fixed (apache13, apache13+ipv6, apache13-fp and apache13-modssl)
                Not fixed (apache13-ssl)
Affected:       versions < apache+ipv6-1.3.27
                versions < apache+mod_ssl-1.3.27+2.8.11
                versions < apache-1.3.27
                versions < apache_fp-1.3.27
                versions < ru-apache-1.3.27.30.16
Attackers can cause httpd to spawn new processes, or can kill other
processes, resulting in denial of service.
<URL:http://www.apache.org/dist/httpd/Announcement.html>
<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2002-0839>
+------------------------------------------------------------------------+
Port name:      gaim
Affected:       versions < gaim-0.59.1
Status:         Fixed
The UR...

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-02:40.kadmind                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in kadmind daemon

Category:       core, ports
Module:         crypto_heimdal, crypto_kerberosIV, heimdal, krb5
Announced:      2002-11-12
Credits:        Johan Danielsson <joda@pdc.kth.se>,
                Sam Hartman <hartmans@mit.edu>,
                Love Hoernquist-Astrand <lha@stacken.kth.se>,
                Tom Yu <tlyu@mit.edu>
Affects:        All releases prior to and including FreeBSD 4.7-RELEASE.
Corrected:      2002-10-23 13:07:44 UTC (RELENG_4)
                2002-10-23 13:21:32 UTC (RELENG_4_7)
                2002-10-23 13:21:02 UTC (RELENG_4_6)
                2002-10-23 13:20:19 UTC (RELENG_4_5)
                2002-10-23 13:19:46 UTC (RELENG_4_4)
                2002-10-24 02:52:00 UTC (RELENG_3)
                2002-10-23 22:30:39 UTC (krb5 port, krb5-1.2.6_1)
                2002-10-24 15:01:11 UTC (heimdal port, heimdal-0.5.1)
FreeBSD only:   NO

I.   Background

The Kerberos 4 administrative server, kadmind, runs on the Kerberos
Key Distribution Center (KDC) and provides administrative access to
the Kerberos database.  It is part of the KTH Kerberos 4
implementation.  The Kerberos 5 administrative server, k5admind,
provides the same function in the Heimdal Kerberos 5 implementation,
and includes a Kerberos 4 compatibility feature.

The k5admind server is installed as part of the `krb5' distribution,
or when building from source with MAKE_KERBEROS5 set.  The kadmind
server is installed as part of the `krb4' distribution, or when
building from source with MAKE_KERBEROS4 set.  Neither is installed by
default.

The Heimdal Kerberos 5 administrative server is also available as part
of the heimdal port (ports/security/heimdal).  The MI...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-02:44.filedesc                                   Security Advisory
                                                          The FreeBSD Project

Topic:          file descriptor leak in fpathconf

Category:       core
Module:         kernel
Announced:      2003-01-07
Credits:        Joost Pol <joost@pine.nl>
Affects:        FreeBSD 4.3-RELEASE and later versions
Corrected:      2002-11-11 01:43:31 UTC (RELENG_4)
                2003-01-06 12:37:52 UTC (RELENG_4_7)
                2003-01-06 12:38:21 UTC (RELENG_4_6)
                2003-01-07 15:17:16 UTC (RELENG_4_5)
                2003-01-07 15:17:40 UTC (RELENG_4_4)
                2003-01-06 21:20:54 UTC (RELENG_5_0)
FreeBSD only:   YES

0.   Revision History

2003-01-06  v1.0  Initial release.
2003-01-07  v1.1  Added information regarding bug in FreeBSD 5.x.
                  Added correction details for RELENG_4_5, RELENG_4_4.

I.   Background

The fpathconf system call provides a method for applications to
determine the current value of a configurable system limit or option
variable associated with a pathname or file descriptor.

II.  Problem Description

A programming error in the fpathconf system call can result in the
given file descriptor's reference count being erroneously incremented.

A similar problem exists in the developer preview versions of FreeBSD
5.0, affecting the lseek(2), dup(2), and other system calls.

III. Impact

A local attacker may cause the operating system to crash by repeatedly
calling fpathconf on a file descriptor until the reference count wraps
to a negative value, and then calling close on that file descriptor.

Similarly, it may be possible to cause a file descriptor to reference
unallocated kernel memory, but remain valid.  If a new file is later
opened and the kernel allocates the new file structure at the same
memory location, then ...
To: FreeBSD Security Advisories <security-advisories@...>
Date: Sunday, July 13, 2008 - 3:10 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          DNS cache poisoning

Category:       contrib
Module:         bind
Announced:      2008-07-13
Credits:        Dan Kaminsky
Affects:        All supported FreeBSD versions.
Corrected:      2008-07-12 10:07:33 UTC (RELENG_6, 6.3-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_6_3, 6.3-RELEASE-p3)
                2008-07-13 18:42:38 UTC (RELENG_7, 7.0-STABLE)
                2008-07-13 18:42:38 UTC (RELENG_7_0, 7.0-RELEASE-p3)
CVE Name:       CVE-2008-1447

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.  DNS requests
contain a query id which is used to match a DNS request with the response
and to make it harder for anybody but the DNS server which received the
request to send a valid response.

II.  Problem Description

The BIND DNS implementation does not randomize the UDP source port when 
doing remote queries, and the query id alone does not provide adequate
randomization.

III. Impact

The lack of source port randomization reduces the amount of data the
attacker needs to guess in order to successfully execute a DNS cache
poisoning attack.  This allows the attacker to influence or control
the results of DNS queries being returned to users from target systems.

IV.  Workaround

Limiting the group of machines that can do recursive queries on the DNS
server will make it more difficult, but not impossible, for this
vulnerability to be exploited.

To limit the machines ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:08.realpath                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Single byte buffer overflow in realpath(3)

Category:       core
Module:         libc
Announced:      2003-08-03
Credits:        Janusz Niewiadomski <funkysh@isec.pl>,
                Wojciech Purczynski <cliph@isec.pl>,
                CERT/CC
Affects:        All releases of FreeBSD up to and including 4.8-RELEASE
                and 5.0-RELEASE
                FreeBSD 4-STABLE prior to May 22 17:11:44 2003 UTC
Corrected:      2003-08-03 23:46:24 UTC (RELENG_5_0)
                2003-08-03 23:43:43 UTC (RELENG_4_8)
                2003-08-03 23:44:12 UTC (RELENG_4_7)
                2003-08-03 23:44:36 UTC (RELENG_4_6)
                2003-08-03 23:44:56 UTC (RELENG_4_5)
                2003-08-03 23:45:41 UTC (RELENG_4_4)
                2003-08-03 23:46:03 UTC (RELENG_4_3)
                2003-08-03 23:47:39 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

The realpath(3) function is used to determine the canonical,
absolute pathname from a given pathname which may contain extra
``/'' characters, references to ``/./'' or ``/../'', or references
to symbolic links.  The realpath(3) function is part of the FreeBSD
Standard C Library.

II.  Problem Description

An off-by-one error exists in a portion of realpath(3) that computes
the length of the resolved pathname.  As a result, if the resolved
path name is exactly 1024 characters long and contains at least
two directory separators, the buffer passed to realpath(3) will be
overwritten by a single NUL byte.

III. Impact

Applications using realpath(3) MAY be vulnerable to denial of service
attacks, remote code execution, and/or privilege escalation.  The
impact on an individual application is highly dependent u...
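The length check described above is an off-by-one in the accounting for the terminating NUL. The toy below is added here and is not the libc realpath(3) code: it appends path components into a 1024-byte buffer, once with a `>` comparison that lets the resolved path reach exactly 1024 characters and once with the `>=` comparison that reserves room for the NUL, and uses a sentinel byte just past the buffer to show which version writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_PATH_MAX 1024   /* same buffer size as the advisory's resolved path */

/* Append "/" + comp to resolved, whose current length is *plen.
 * With off_by_one set, the check allows the path to reach exactly
 * TOY_PATH_MAX characters, so the terminating NUL lands at index
 * TOY_PATH_MAX, one byte past the buffer.  The hardened check rejects that. */
static int append_component(char *resolved, size_t *plen, const char *comp, int off_by_one)
{
    size_t clen = strlen(comp);
    size_t newlen = *plen + 1 + clen;
    int too_long = off_by_one ? (newlen > TOY_PATH_MAX)     /* vulnerable comparison */
                              : (newlen >= TOY_PATH_MAX);   /* hardened: keep room for the NUL */
    if (too_long)
        return -1;
    resolved[*plen] = '/';
    memcpy(resolved + *plen + 1, comp, clen);
    resolved[newlen] = '\0';
    *plen = newlen;
    return 0;
}

/* Resolve "/<a x 'a'>/<b x 'b'>" into a buffer that carries a 0xAA sentinel in
 * the byte just past TOY_PATH_MAX.  Returns the sentinel's value afterwards
 * (0xAA intact, 0x00 clobbered by the stray NUL); -1 if a or b is too large or
 * the first append was rejected, -2 if the second append was rejected. */
int sentinel_after_resolve(int off_by_one, size_t a, size_t b)
{
    char buf[TOY_PATH_MAX + 1];
    char comp[TOY_PATH_MAX];
    size_t len = 0;

    if (a >= sizeof comp || b >= sizeof comp)
        return -1;
    buf[0] = '\0';
    buf[TOY_PATH_MAX] = (char)0xAA;                /* sentinel just past the 1024-byte buffer */

    memset(comp, 'a', a);
    comp[a] = '\0';
    if (append_component(buf, &len, comp, off_by_one) < 0)
        return -1;
    memset(comp, 'b', b);
    comp[b] = '\0';
    if (append_component(buf, &len, comp, off_by_one) < 0)
        return -2;
    return (unsigned char)buf[TOY_PATH_MAX];
}

int main(void)
{
    /* 1 + 511 + 1 + 511 = 1024 characters: exactly the advisory's trigger length */
    printf("vulnerable check, 1024-char path: sentinel = 0x%02x\n", sentinel_after_resolve(1, 511, 511));
    printf("hardened check,   1024-char path: result   = %d\n", sentinel_after_resolve(0, 511, 511));
    printf("hardened check,   1023-char path: sentinel = 0x%02x\n", sentinel_after_resolve(0, 511, 510));
    return 0;
}
```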

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project <openssh@openssh.org>
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_1
                openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
                2003-09-16 16:27:57 UTC (RELENG_5_1)
                2003-09-16 17:34:32 UTC (RELENG_5_0)
                2003-09-16 16:24:02 UTC (RELENG_4_8)
                2003-09-16 16:45:16 UTC (RELENG_4_7)
                2003-09-16 17:44:15 UTC (RELENG_4_6)
                2003-09-16 17:45:23 UTC (RELENG_4_5)
                2003-09-16 17:46:02 UTC (RELENG_4_4)
                2003-09-16 17:46:37 UTC (RELENG_4_3)
                2003-09-16 12:43:09 UTC (ports/security/openssh)
                2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693
FreeBSD only:   NO

I.   Background

OpenSSH is a free version of the SSH protocol suite of network
connectivity tools.  OpenSSH encrypts all traffic (including
passwords) to effectively eliminate eavesdropping, connection
hijacking, and other network-level attacks. Additionally, OpenSSH
provides a myriad of secure tunneling capabilities, as well as a
variety of authentication methods. `ssh' is the client application,
while `sshd' is the server.

II.  Problem Description

When a packet is received that is larger than the space remaining in
the currently allocated buffer, OpenSSH's buffer management at...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:19.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          bind8 negative cache poison attack

Category:       contrib
Module:         contrib_bind
Announced:      2003-11-28
Credits:        Internet Software Consortium
Affects:        FreeBSD versions through 4.9-RELEASE and 5.1-RELEASE
                4-STABLE prior to the correction date
Corrected:      2003-11-28 22:13:47 UTC (RELENG_4, 4.9-STABLE)
                2003-11-27 00:54:53 UTC (RELENG_5_1, 5.1-RELEASE-p11)
                2003-11-27 16:54:01 UTC (RELENG_5_0, 5.0-RELEASE-p19)
                2003-11-27 00:56:06 UTC (RELENG_4_9, 4.9-RELEASE-p1)
                2003-11-27 16:34:22 UTC (RELENG_4_8, 4.8-RELEASE-p14)
                2003-11-27 16:35:06 UTC (RELENG_4_7, 4.7-RELEASE-p24)
                2003-11-27 16:37:00 UTC (RELENG_4_6, 4.6.2-RELEASE-p27)
                2003-11-27 16:38:36 UTC (RELENG_4_5, 4.5-RELEASE-p37)
                2003-11-27 16:40:03 UTC (RELENG_4_4, 4.4-RELEASE-p47)
CVE Name:       CAN-2003-0914
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

BIND 8 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server.

II.  Problem Description

A programming error in BIND 8 named can result in a DNS message being
incorrectly cached as a negative response.

III. Impact

An attacker may arrange for malicious DNS messages to be delivered
to a target name server, and cause that name server to cache a
negative response for some target domain name.  The name server would
thereafter respond negatively to ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:01.mksnap_ffs                                 Security Advisory
                                                          The FreeBSD Project

Topic:          mksnap_ffs clears file system options

Category:       core
Module:         mksnap_ffs
Announced:      2004-01-30
Credits:        Kimura Fuyuki <fuyuki@nigredo.org>
                Wiktor Niesiobedzki <bsd@w.evip.pl>
Affects:        FreeBSD 5.1-RELEASE
                FreeBSD 5.2-RELEASE
Corrected:      2004-01-27 19:33:16 UTC (RELENG_5_1, 5.1-RELEASE-p12)
                2004-01-29 22:54:31 UTC (RELENG_5_2, 5.2-RELEASE-p1)
CVE Name:       CAN-2004-0099
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

Mounted filesystems can have a variety of flags set on them.  Some
flags affect performance and reliability, while others enable or
disable particular security-related features such as the ability to
execute a binary stored on the filesystem or the use of access control
lists to complement normal Unix file permissions.

The mksnap_ffs(8) command creates a `snapshot' of a filesystem.  A
`snapshot' is a static representation of the state of the filesystem
at a particular point in time.  Snapshots have a variety of uses,
but their primary purpose is to make it possible to run fsck(8) and
dump(8) on live filesystems.

II.  Problem Description

The kernel interface for creating a snapshot of a filesystem is the
same as that for changing the flags on that filesystem.  Due to an
oversight, the mksnap_ffs(8) command called that interface with only
the snapshot flag set, causing all other flags to be reset to the
default value.

III. Impact

A regularly scheduled backup of...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:07.cvs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          CVS path validation errors

Category:       contrib
Module:         contrib_cvs
Announced:      2004-04-15
Credits:        Sebastian Krahmer <krahmer@suse.de>
                Derek Robert Price <derek@ximbiot.com>
Affects:        All FreeBSD versions prior to 4.10-RELEASE
Corrected:      2004-04-15 15:35:26 UTC (RELENG_4, 4.10-BETA)
                2004-04-15 15:42:50 UTC (RELENG_5_2, 5.2.1-RELEASE-p5)
                2004-04-15 15:59:05 UTC (RELENG_4_9, 4.9-RELEASE-p18)
                2004-04-15 15:59:54 UTC (RELENG_4_8, 4.8-RELEASE-p5)
CVE Name:       CAN-2004-0180
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The Concurrent Versions System (CVS) is a version control system.  It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods.  When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

II.  Problem Description

Two programming errors were discovered in which path names handled by
CVS were not properly validated.  In one case, the CVS client accepts
absolute path names from the server when determining which files to
update.  In another case, the CVS server accepts relative path names
from the client when determining which files to transmit, including
those containing references to parent directories (`../').

III. Impact

These programming errors generally only have a security impact when
dealing with remote CVS repositories.

A malicious CVS serve...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:14.cvs.asc                                  Security Advisory
                                                          The FreeBSD Project

Topic:          CVS

Category:       contrib
Module:         cvs
Announced:      2004-09-19
Credits:        Stefan Esser, Sebastian Krahmer, Derek Price
                iDEFENSE
Affects:        All FreeBSD versions
Corrected:      2004-06-29 16:10:50 UTC (RELENG_4)
                2004-09-19 22:26:22 UTC (RELENG_4_10, 4.10-RELEASE-p3)
                2004-09-19 22:27:36 UTC (RELENG_4_9, 4.9-RELEASE-p12)
                2004-09-19 22:28:14 UTC (RELENG_4_8, 4.8-RELEASE-p25)
                2004-09-19 22:37:10 UTC (RELENG_5_2, 5.2.1-RELEASE-p10)
CVE Name:       CAN-2004-0414, CAN-2004-0416, CAN-2004-0417, CAN-2004-0418,
                CAN-2004-0778
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The Concurrent Versions System (CVS) is a version control system.  It
may be used to access a repository locally, or to access a `remote
repository' using a number of different methods.  When accessing a
remote repository, the target machine runs the CVS server to fulfill
client requests.

II.  Problem Description

A number of vulnerabilities were discovered in CVS by Stefan Esser,
Sebastian Krahmer, and Derek Price.

 . Insufficient input validation while processing "Entry" lines.
   (CAN-2004-0414)

 . A double-free resulting from erroneous state handling while
   processing "Argumentx" commands. (CAN-2004-0416)

 . Integer overflow while processing "Max-dotdot" commands.
   (CAN-2004-0417)

 . Erroneous handling of empty entries handled while processing
   "Notify" commands. (CAN-2004-0418)

 ....

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:16.fetch                                      Security Advisory
                                                          The FreeBSD Project

Topic:          Overflow error in fetch

Category:       core
Module:         fetch
Announced:      2004-11-18
Credits:        Colin Percival
Affects:        All FreeBSD versions.
Corrected:      2004-11-18 12:02:13 UTC (RELENG_5, 5.3-STABLE)
                2004-11-18 12:03:05 UTC (RELENG_5_3, 5.3-RELEASE-p1)
                2004-11-18 12:04:29 UTC (RELENG_5_2, 5.2.1-RELEASE-p12)
                2004-11-18 12:05:36 UTC (RELENG_5_1, 5.1-RELEASE-p18)
                2004-11-18 12:05:50 UTC (RELENG_5_0, 5.0-RELEASE-p22)
                2004-11-18 12:02:29 UTC (RELENG_4, 4.10-STABLE)
                2004-11-18 12:06:06 UTC (RELENG_4_10, 4.10-RELEASE-p4)
                2004-11-18 12:06:22 UTC (RELENG_4_9, 4.9-RELEASE-p13)
                2004-11-18 12:06:36 UTC (RELENG_4_8, 4.8-RELEASE-p26)
                2004-11-18 12:06:52 UTC (RELENG_4_7, 4.7-RELEASE-p28)
FreeBSD only:   YES

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The fetch(1) utility is a tool for fetching files via FTP, HTTP, and HTTPS.

II.  Problem Description

An integer overflow condition in the processing of HTTP headers can result
in a buffer overflow.

III. Impact

A malicious server or CGI script can respond to an HTTP or HTTPS request in
such a manner as to cause arbitrary portions of the client's memory to be
overwritten, allowing for arbitrary code execution.

IV.  Workaround

There is no known workaround for the affected application, although
the ftp(1) application in the FreeBSD base system, and several 
applications in the FreeBSD P...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:01.telnet                                     Security Advisory
                                                          The FreeBSD Project

Topic:          telnet client buffer overflows

Category:       contrib
Module:         contrib/telnet
Announced:      2005-03-28
Credits:        iDEFENSE
Affects:        All FreeBSD releases prior to 5.4-RELEASE
Corrected:      2005-03-28 15:50:00 UTC (RELENG_5, 5.4-PRERELEASE)
                2005-03-28 15:48:00 UTC (RELENG_4, 4.11-STABLE)
                2005-03-28 15:52:00 UTC (RELENG_5_3, 5.3-RELEASE-p6)
                2005-03-28 15:57:00 UTC (RELENG_4_11, 4.11-RELEASE-p1)
                2005-03-28 15:58:00 UTC (RELENG_4_10, 4.10-RELEASE-p6)
                2005-03-28 16:00:00 UTC (RELENG_4_8, 4.8-RELEASE-p28)
CVE Name:       CAN-2005-0468 CAN-2005-0469

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The telnet(1) command is a TELNET protocol client, used primarily to
establish terminal sessions across a network.

II.  Problem Description

Buffer overflows were discovered in the env_opt_add() and
slc_add_reply() functions of the telnet(1) command.  TELNET protocol
commands, options, and data are copied from the network to a
fixed-sized buffer.  In the case of env_opt_add (CAN-2005-0468), the
buffer is located on the heap.  In the case of slc_add_reply
(CAN-2005-0469), the buffer is global uninitialized data (BSS).

III. Impact

These buffer overflows may be triggered when connecting to a malicious
server, or by an active attacker in the network path between the
client and server.  Specially crafted TELNET command sequences may
cause the execution of arbitrary code with the privileges of the user
invokin...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:11.gzip                                       Security Advisory
                                                          The FreeBSD Project

Topic:          gzip directory traversal and permission race vulnerabilities

Category:       contrib
Module:         gzip
Announced:      2005-06-09
Credits:        Ulf Harnhammar, Imran Ghory
Affects:        All FreeBSD releases
Corrected:      2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE)
                2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2)
                2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
                2005-06-08 21:29:53 UTC (RELENG_4, 4.11-STABLE)
                2005-06-08 21:30:43 UTC (RELENG_4_11, 4.11-RELEASE-p10)
                2005-06-08 21:31:16 UTC (RELENG_4_10, 4.10-RELEASE-p15)
CVE Name:       CAN-2005-0988, CAN-2005-1228

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

gzip is a file compression utility.

II.  Problem Description

Two problems related to extraction of files exist in gzip:

The first problem is that gzip does not properly sanitize filenames
containing "/" when uncompressing files using the -N command line
option.

The second problem is that gzip does not set permissions on newly
extracted files until after the file has been created and the file
descriptor has been closed.

III. Impact

The first problem can allow an attacker to overwrite arbitrary local
files when uncompressing a file using the -N command line option.

The second problem can allow a local attacker to change the
permissions of arbitrary local files, on the same partition as the one
the user is uncompressing a file on, by removing the file the user is
uncompressing and r...
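The first gzip problem above is a stored-name sanitization failure: a name taken from the compressed file's header is used as given, so "/" components can steer the output outside the current directory. The following C function is an added example, not gzip's or FreeBSD's code, showing the check a decompressor can apply before honouring such a name; the function name, the buffer and the sample names are all constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/*
 * Added example (not gzip's own code): reduce a file name carried in an
 * untrusted gzip header (the -N "original name" field) to a bare basename,
 * so it can only ever name a file in the current working directory.
 * Returns the number of bytes written to out (excluding the NUL), or -1
 * when no safe name remains.
 */
int safe_stored_name(const char *stored, char *out, size_t outlen)
{
    const char *base;
    size_t len;

    if (stored == NULL || out == NULL || outlen == 0)
        return -1;

    /* Keep only what follows the last '/': this drops "../" chains and
     * any absolute prefix, e.g. "/etc/passwd" becomes "passwd". */
    base = strrchr(stored, '/');
    base = (base != NULL) ? base + 1 : stored;

    len = strlen(base);
    /* An empty name ("dir/"), "." or ".." would not name a regular file. */
    if (len == 0 || strcmp(base, ".") == 0 || strcmp(base, "..") == 0)
        return -1;
    /* Refuse control characters: they have no place in a file name and
     * can hide what the name really is when it is printed. */
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)base[i] < 0x20 || base[i] == 0x7f)
            return -1;
    if (len >= outlen)                 /* would not fit, NUL included */
        return -1;
    memcpy(out, base, len + 1);
    return (int)len;
}

/* Output buffer shared by the demonstration below. */
char gz_name_out[64];

int main(void)
{
    /* Constructed header names, as an attacker-supplied archive might carry. */
    const char *samples[] = { "../../etc/passwd", "/tmp/evil.txt", "report.txt", "dir/", ".." };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = safe_stored_name(samples[i], gz_name_out, sizeof gz_name_out);
        if (n < 0)
            printf("%-20s -> refused\n", samples[i]);
        else
            printf("%-20s -> \"%s\"\n", samples[i], gz_name_out);
    }
    return 0;
}
```

A decompressor that applies this reduction writes at most into the directory it was run from; whether the resulting basename may clobber an existing file there is a separate decision (gzip's own -f handling) that this check deliberately leaves to the caller.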

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:20.cvsbug                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Race condition in cvsbug

Category:       contrib
Module:         contrib_cvs
Announced:      2005-09-07
Credits:        Marcus Meissner
Affects:        All FreeBSD releases
Corrected:      2005-09-07 13:43:05 UTC (RELENG_6, 6.0-BETA5)
                2005-09-07 13:43:23 UTC (RELENG_5, 5.4-STABLE)
                2005-09-07 13:43:36 UTC (RELENG_5_4, 5.4-RELEASE-p7)
                2005-09-07 13:43:50 UTC (RELENG_5_3, 5.3-RELEASE-p21)
                2005-09-07 13:44:06 UTC (RELENG_4, 4.11-STABLE)
                2005-09-07 13:44:20 UTC (RELENG_4_11, 4.11-RELEASE-p12)
                2005-09-07 13:44:36 UTC (RELENG_4_10, 4.10-RELEASE-p17)
CVE Name:       CAN-2005-2693

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

cvsbug(1) is a utility for reporting problems in the CVS revision
control system.  It is based on the GNATS send-pr(1) utility.

II.  Problem Description

A temporary file is created, used, deleted, and then re-created with
the same name.  This creates a window during which an attacker could
replace the file with a link to another file.

While cvsbug(1) is based on the send-pr(1) utility, this problem does
not exist in the version of send-pr(1) distributed with FreeBSD.

III. Impact

A local attacker could cause data to be written to any file to which
the user running cvsbug(1) has write access.  This may cause damage in
itself (e.g., by destroying important system files or documents) or may
be used to obtain elevated privileges.

IV.  Workaround

Do not use the cvsbug(1) utility ...
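The cvsbug problem above is the classic temporary-file race: the file is deleted and then re-created by name, and anything placed at that name in between is trusted. The C below is an added example (not cvsbug's, send-pr's or FreeBSD's code) of the pattern that avoids the window: create once with mkstemp(3), keep the descriptor, and if a path-based reopen is unavoidable, refuse symlinks and confirm the inode. The /tmp template, the function names and the symlink scenario in race_check_demo are constructed for the illustration.

```c
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/*
 * Added example (not cvsbug's own code).  mkstemp(3) opens the file with
 * O_CREAT|O_EXCL, so a link pre-placed at the chosen name makes the call
 * fail instead of being followed.  tmpl is a writable template ending in
 * "XXXXXX"; on success it holds the chosen path and the open descriptor
 * is returned.  The descriptor, not the name, is what later steps use.
 */
int create_private_tempfile(char *tmpl)
{
    int fd = mkstemp(tmpl);
    if (fd == -1)
        return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) == -1) {    /* owner-only, whatever the umask */
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/*
 * If a later step really must reopen the file by path, do not follow
 * symlinks and confirm that the object opened is the inode created
 * earlier.  Returns the new descriptor, or -1 if the path no longer
 * refers to our file.
 */
int reopen_verified(const char *path, int orig_fd)
{
    struct stat before, after;
    int fd;

    if (fstat(orig_fd, &before) == -1)
        return -1;
    fd = open(path, O_RDWR | O_NOFOLLOW);
    if (fd == -1)
        return -1;
    if (fstat(fd, &after) == -1 || !S_ISREG(after.st_mode) ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/*
 * Walks the scenario with a constructed file under /tmp: create, reopen
 * (accepted), then replace the name with a symlink as would happen in the
 * delete/re-create window, and reopen again (refused).  Returns 1 when both
 * checks behave as intended, 0 otherwise.
 */
int race_check_demo(void)
{
    char path[] = "/tmp/bugreport.XXXXXX";      /* constructed template */
    int ok = 0, fd, fd2;

    fd = create_private_tempfile(path);
    if (fd == -1)
        return 0;
    fd2 = reopen_verified(path, fd);
    if (fd2 != -1) {
        close(fd2);
        unlink(path);                             /* the window the advisory describes */
        if (symlink("/etc/passwd", path) == 0 && reopen_verified(path, fd) == -1)
            ok = 1;
    }
    unlink(path);                                 /* removes the symlink (or our file) */
    close(fd);
    return ok;
}

int main(void)
{
    printf("tempfile race checks %s\n", race_check_demo() ? "passed" : "refused or failed");
    return 0;
}
```

The second function is only needed when a design already depends on reopening by name; the simpler fix, and the one the pattern above leads with, is to never give up the descriptor in the first place.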

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:21.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          Potential SSL 2.0 rollback

Category:       contrib
Module:         openssl
Announced:      2005-10-11
Credits:        Yutaka Oiwa
Affects:        All FreeBSD releases.
Corrected:      2005-10-11 11:52:46 UTC (RELENG_6, 6.0-STABLE)
                2005-10-11 11:53:03 UTC (RELENG_6_0, 6.0-RELEASE)
                2005-10-11 11:52:01 UTC (RELENG_5, 5.4-STABLE)
                2005-10-11 11:52:28 UTC (RELENG_5_4, 5.4-RELEASE-p8)
                2005-10-11 11:52:13 UTC (RELENG_5_3, 5.3-RELEASE-p23)
                2005-10-11 11:50:50 UTC (RELENG_4, 4.11-STABLE)
                2005-10-11 11:51:45 UTC (RELENG_4_11, 4.11-RELEASE-p13)
                2005-10-11 11:51:20 UTC (RELENG_4_10, 4.10-RELEASE-p19)
CVE Name:       CAN-2005-2969

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The OpenSSL library implements the Secure Sockets Layer and Transport
Layer Security protocols, as well as providing a large number of basic
cryptographic functions.

The Secure Sockets Layer protocol exists in two versions and includes a
mechanism for negotiating the protocol version to be used.  If the
protocol is executed correctly, it is impossible for a client and
server both capable of the newer version of the protocol (SSLv3) to end
up using the older version of the protocol (SSLv2).

II.  Problem Description

In order to provide bug-for-bug compatibility with Microsoft Internet
Explorer 3.02, a verification step required by the Secure Sockets Layer
protocol can be disabled by using the SSL_OP_MSIE_SSLV2_RSA_PADDING
o...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:01.texindex                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Texindex temporary file privilege escalation

Category:       contrib
Module:         texinfo
Announced:      2006-01-11
Credits:        Frank Lichtenheld
Affects:        All FreeBSD releases.
Corrected:      2006-01-11 08:02:16 UTC (RELENG_6, 6.0-STABLE)
                2006-01-11 08:03:18 UTC (RELENG_6_0, 6.0-RELEASE-p2)
                2006-01-11 08:03:55 UTC (RELENG_5, 5.4-STABLE)
                2006-01-11 08:04:33 UTC (RELENG_5_4, 5.4-RELEASE-p9)
                2006-01-11 08:05:54 UTC (RELENG_5_3, 5.3-RELEASE-p24)
                2006-01-11 08:06:47 UTC (RELENG_4, 4.11-STABLE)
                2006-01-11 08:07:18 UTC (RELENG_4_11, 4.11-RELEASE-p14)
                2006-01-11 08:08:08 UTC (RELENG_4_10, 4.10-RELEASE-p20)
CVE Name:       CAN-2005-3011

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

TeX is a document typesetting system which is popular in the mathematics,
physics, and computer science realms because of its ability to typeset
complex mathematical formulas.  texindex(1) is a utility which is often
used to generate a sorted index of a TeX file.

II.  Problem Description

The "sort_offline" function used by texindex(1) employs the "maketempname"
function, which produces predictable file names and fails to validate that
the paths do not exist.

III. Impact

These predictable temporary file names are problematic because they
allow an attacker to take advantage of a race condition in order to
execute a symlink attack, which could enable them to overwrite files
on the system in the c...
To: FreeBSD Security Advisories <security-advisories@...>
Date: Thursday, February 14, 2008 - 8:10 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:03.sendfile                                   Security Advisory
                                                          The FreeBSD Project

Topic:          sendfile(2) write-only file permission bypass

Category:       core
Module:         sys_kern
Announced:      2008-02-14
Credits:        Kostik Belousov
Affects:        All supported versions of FreeBSD
Corrected:      2008-02-14 11:45:00 UTC (RELENG_7, 7.0-PRERELEASE)
                2008-02-14 11:45:41 UTC (RELENG_7_0, 7.0-RELEASE)
                2008-02-14 11:46:08 UTC (RELENG_6, 6.3-STABLE)
                2008-02-14 11:46:41 UTC (RELENG_6_3, 6.3-RELEASE-p1)
                2008-02-14 11:47:06 UTC (RELENG_6_2, 6.2-RELEASE-p11)
                2008-02-14 11:47:39 UTC (RELENG_6_1, 6.1-RELEASE-p23)
                2008-02-14 11:49:39 UTC (RELENG_5, 5.5-STABLE)
                2008-02-14 11:50:28 UTC (RELENG_5_5, 5.5-RELEASE-p19)
CVE Name:       CVE-2008-0777

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The sendfile(2) system call allows a server application (such as a
HTTP or FTP server) to transmit the contents of a file over a network
connection without first copying it to application memory.  High
performance servers such as the Apache HTTP Server and ftpd use sendfile.

II.  Problem Description

When a process opens a file (and other file system objects, such as
directories), it specifies access flags indicating its intent to read,
write, or perform other operations.  These flags are checked against
file system permissions, and then stored in the resulting file
descriptor to validate future operations against.

The sendfile(2) system call does not check the file descriptor access
flags before ...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:14.fpu                                        Security Advisory
                                                          The FreeBSD Project

Topic:          FPU information disclosure

Category:       core
Module:         sys
Announced:      2006-04-19
Credits:        Jan Beulich
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2006-04-19 07:00:35 UTC (RELENG_6, 6.1-STABLE)
                2006-04-19 07:00:50 UTC (RELENG_6_1, 6.1-RELEASE)
                2006-04-19 07:01:12 UTC (RELENG_6_0, 6.0-RELEASE-p7)
                2006-04-19 07:01:30 UTC (RELENG_5, 5.5-STABLE)
                2006-04-19 07:01:53 UTC (RELENG_5_4, 5.4-RELEASE-p14)
                2006-04-19 07:02:23 UTC (RELENG_5_3, 5.3-RELEASE-p29)
                2006-04-19 07:02:43 UTC (RELENG_4, 4.11-STABLE)
                2006-04-19 07:03:01 UTC (RELENG_4_11, 4.11-RELEASE-p17)
                2006-04-19 07:03:14 UTC (RELENG_4_10, 4.10-RELEASE-p23)
CVE Name:       CVE-2006-1056

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The floating-point unit (FPU) of i386 and amd64 processors is derived from
the original 8087 floating-point co-processor.  As a result, the FPU
contains the same debugging registers FOP, FIP, and FDP which store the
opcode, instruction address, and data address of the instruction most
recently executed by the FPU.

On processors implementing the "SSE" instruction set, a new pair of
instructions fxsave/fxrstor replaces the earlier fsave/frstor pair used
for saving and restoring the FPU state.  These new instructions also
save and restore the contents of the additional registers used by SSE
instructions.

II.  Problem Description

On "7th gen...
To: FreeBSD Security Advisories <security-advisories@...>
Date: Wednesday, April 16, 2008 - 8:14 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:05.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH X11-forwarding privilege escalation

Category:       contrib
Module:         openssh
Announced:      2008-04-17
Credits:        Timo Juhani Lindfors
Affects:        All supported versions of FreeBSD
Corrected:      2008-04-16 23:58:33 UTC (RELENG_7, 7.0-STABLE)
                2008-04-16 23:58:52 UTC (RELENG_7_0, 7.1-RELEASE-p1)
                2008-04-16 23:59:35 UTC (RELENG_6, 6.3-STABLE)
                2008-04-16 23:59:48 UTC (RELENG_6_3, 6.3-RELEASE-p2)
                2008-04-17 00:00:04 UTC (RELENG_6_2, 6.2-RELEASE-p12)
                2008-04-17 00:00:28 UTC (RELENG_6_1, 6.1-RELEASE-p24)
                2008-04-17 00:00:41 UTC (RELENG_5, 5.5-STABLE)
                2008-04-17 00:00:54 UTC (RELENG_5_5, 5.5-RELEASE-p20)
CVE Name:       CVE-2008-1483

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.  The OpenSSH server daemon (sshd)
provides support for the X11 protocol by binding to a port on the
server and forwarding any connections which are made to that port.

II.  Problem Description

When logging in via SSH with X11-forwarding enabled, sshd(8) fails to
correctly handle the case where it fails to bind to an IPv4 port but
successfully binds to an IPv6 port.  In this case, applications which
use X11 will connect to the IPv4 port, even though it had not been
bound by sshd(8) and is therefore not being securely forwarded.

III....

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:15.ypserv                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Inoperative access controls in ypserv(8)

Category:       core
Module:         ypserv
Announced:      2006-05-31
Credits:        Hokan
Affects:        All FreeBSD 5.x and FreeBSD 6.x releases
Corrected:      2006-05-31 22:31:21 UTC (RELENG_6, 6.1-STABLE)
                2006-05-31 22:31:42 UTC (RELENG_6_1, 6.1-RELEASE-p1)
                2006-05-31 22:32:04 UTC (RELENG_6_0, 6.0-RELEASE-p8)
                2006-05-31 22:32:22 UTC (RELENG_5, 5.5-STABLE)
                2006-05-31 22:32:49 UTC (RELENG_5_5, 5.5-RELEASE-p1)
                2006-05-31 22:33:17 UTC (RELENG_5_4, 5.4-RELEASE-p15)
                2006-05-31 22:33:41 UTC (RELENG_5_3, 5.3-RELEASE-p30)
CVE Name:       CVE-2006-2655

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

The ypserv(8) utility is a server which distributes NIS databases to client
systems within an NIS domain.

II.  Problem Description

There are two documented methods of restricting access to NIS maps through
ypserv(8): through the use of the /var/yp/securenets file, and through the
/etc/hosts.allow file.  While both mechanisms are implemented in the server,
a change in the build process caused the "securenets" access restrictions
to be inadvertently disabled.

III. Impact

ypserv(8) will not load or process any of the networks or hosts specified in
the /var/yp/securenets file, rendering those access controls ineffective.

IV.  Workaround

One possible workaround is to use /etc/hosts.allow for access control, as
shown by examples in that file.

Another workaround...
To: FreeBSD Security Advisories <security-advisories@...>
Date: Monday, December 22, 2008 - 9:39 pm

[Empty message]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:17.sendmail                                   Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect multipart message handling in Sendmail

Category:       contrib
Module:         contrib_sendmail
Announced:      2006-06-14
Affects:        All FreeBSD releases.
Corrected:      2006-06-14 15:58:23 UTC (RELENG_6, 6.1-STABLE)
                2006-06-14 15:59:28 UTC (RELENG_6_1, 6.1-RELEASE-p2)
                2006-06-14 15:59:37 UTC (RELENG_6_0, 6.0-RELEASE-p9)
                2006-06-14 16:00:02 UTC (RELENG_5, 5.5-STABLE)
                2006-06-14 16:00:22 UTC (RELENG_5_5, 5.5-RELEASE-p2)
                2006-06-14 16:00:42 UTC (RELENG_5_4, 5.4-RELEASE-p16)
                2006-06-14 16:00:56 UTC (RELENG_5_3, 5.3-RELEASE-p31)
                2006-06-14 16:01:06 UTC (RELENG_4, 4.11-STABLE)
                2006-06-14 16:01:21 UTC (RELENG_4_11, 4.11-RELEASE-p19)
CVE Name:       CVE-2006-1173

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mail
routing facility, as the default Mail Transfer Agent (MTA).

II.  Problem Description

A suitably malformed multipart MIME message can cause sendmail to exceed
predefined limits on its stack usage.

III. Impact

An attacker able to send mail to, or via, a server can cause queued
messages on the system to not be delivered, by causing the sendmail process
which handles queued messages to crash.  Note that this will not stop new
messages from entering the queue (either from local processes, or incoming
via SMTP).

IV.  Workaround

No workaround is available, but systems which do not receive e...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:08.ppp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Buffer overflow in ppp(4)

Category:       core
Module:         sys_net
Announced:      2006-08-23
Credits:        Martin Husemann, Pavel Cahyna
Affects:        All FreeBSD releases.
Corrected:      2006-08-23 22:01:44 UTC (RELENG_6, 6.1-STABLE)
                2006-08-23 22:02:25 UTC (RELENG_6_1, 6.1-RELEASE-p4)
                2006-08-23 22:02:52 UTC (RELENG_6_0, 6.0-RELEASE-p10)
                2006-08-23 22:03:55 UTC (RELENG_5, 5.5-STABLE)
                2006-08-23 22:04:28 UTC (RELENG_5_5, 5.5-RELEASE-p3)
                2006-08-23 22:04:58 UTC (RELENG_5_4, 5.4-RELEASE-p17)
                2006-08-23 22:05:49 UTC (RELENG_5_3, 5.3-RELEASE-p32)
                2006-08-23 22:06:08 UTC (RELENG_4, 4.11-STABLE)
                2006-08-23 22:06:40 UTC (RELENG_4_11, 4.11-RELEASE-p20)
CVE Name:       CVE-2006-4304

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://security.freebsd.org/>.

I.   Background

The ppp(4) driver implements the Point-to-Point Protocol for using serial
lines (e.g., modems) as network interfaces.

II.  Problem Description

While processing Link Control Protocol (LCP) configuration options received
from the remote host, ppp(4) fails to correctly validate option lengths.
This may result in data being read or written beyond the allocated kernel
memory buffer.

III. Impact

An attacker able to send LCP packets, including the remote end of a ppp(4)
connection, can cause the FreeBSD kernel to panic.  Such an attacker may
also be able to obtain sensitive information or gain elevated privileges.

IV.  Workaround

No workaroun...
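The ppp(4) problem above is an option-length validation failure in a type/length/data walk. The C below is an added example, not ppp(4) or FreeBSD kernel code, of a bounds-checked parser for LCP configuration options (the RFC 1661 layout, where the length byte counts the two header bytes); it shows the three checks whose absence lets a peer-chosen length read or write outside the buffer. The struct, the function names and the sample packets are constructed for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example (not ppp(4) code): bounds-checked LCP option parsing. */
#define LCP_OPT_DATA_MAX 16

struct lcp_opt {
    uint8_t type;
    uint8_t len;                      /* length as carried on the wire, header included */
    uint8_t data[LCP_OPT_DATA_MAX];
};

/*
 * Parse the options in buf[0..buflen).  Returns the number parsed into
 * out, or -1 when any option header is inconsistent with the bytes that
 * are actually present.  Each rejected case is one an unchecked walker
 * gets wrong: a length below 2 never advances (or steps backwards), a
 * length past the packet end reads beyond the buffer, and a payload
 * larger than the destination overruns the copy.
 */
int lcp_parse_options(const uint8_t *buf, size_t buflen,
                      struct lcp_opt *out, size_t maxopts)
{
    size_t off = 0, n = 0;

    while (off < buflen) {
        uint8_t type, len;
        size_t dlen;

        if (buflen - off < 2)           /* truncated header */
            return -1;
        type = buf[off];
        len = buf[off + 1];
        if (len < 2)                     /* would never advance */
            return -1;
        if (len > buflen - off)          /* claims more bytes than the packet holds */
            return -1;
        dlen = len - 2;
        if (dlen > LCP_OPT_DATA_MAX)     /* would overrun the copy below */
            return -1;
        if (n == maxopts)                /* caller's array is full: refuse, do not drop */
            return -1;
        out[n].type = type;
        out[n].len = len;
        memset(out[n].data, 0, sizeof out[n].data);
        memcpy(out[n].data, buf + off + 2, dlen);
        n++;
        off += len;
    }
    return (int)n;
}

/* Constructed sample option lists (the part of a Configure-Request that
 * follows the LCP header). */
const uint8_t lcp_good[] = {
    0x01, 0x04, 0x05, 0xdc,                  /* MRU = 1500 */
    0x05, 0x06, 0xde, 0xad, 0xbe, 0xef,      /* Magic-Number */
};
const uint8_t lcp_zero_len[]  = { 0x01, 0x00, 0x05, 0xdc };        /* length 0 */
const uint8_t lcp_overlong[]  = { 0x05, 0x10, 0xde, 0xad };        /* says 16, has 4 */
const uint8_t lcp_truncated[] = { 0x01, 0x04, 0x05, 0xdc, 0x03 };  /* lone trailing type byte */

struct lcp_opt lcp_parsed[4];
```

Every rejection returns before any byte is copied, so a malformed list leaves the output array untouched; the real driver can then drop the packet or answer with Configure-Reject rather than act on half-parsed options.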
To: FreeBSD Security Advisories <security-advisories@...>
Date: Monday, January 14, 2008 - 7:09 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08:01.pty                                        Security Advisory
                                                          The FreeBSD Project

Topic:          pty snooping

Category:       core
Module:         libc_stdlib / libutil
Announced:      2008-01-14
Credits:        John Baldwin
Affects:        FreeBSD 5.0 and later.
Corrected:      2008-01-14 22:57:45 UTC (RELENG_7, 7.0-PRERELEASE)
                2008-01-14 22:55:54 UTC (RELENG_7_0, 7.0-RC2)
                2008-01-14 22:56:05 UTC (RELENG_6, 6.3-PRERELEASE)
                2008-01-14 22:56:18 UTC (RELENG_6_3, 6.3-RELEASE)
                2008-01-14 22:56:44 UTC (RELENG_6_2, 6.2-RELEASE-p10)
                2008-01-14 22:56:56 UTC (RELENG_6_1, 6.1-RELEASE-p22)
                2008-01-14 22:57:06 UTC (RELENG_5, 5.5-STABLE)
                2008-01-14 22:57:19 UTC (RELENG_5_5, 5.5-RELEASE-p18)
CVE Name:       CVE-2008-0216, CVE-2008-0217

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

pt_chown is a setuid root support utility used by grantpt(3) to change
ownership of a tty.

openpty(3) is a support function in libutil which is used to obtain a
pseudo-terminal.

script(1) is a utility which makes a typescript of everything printed
on a terminal.

II.  Problem Description

Two issues exist in the FreeBSD pty handling.

If openpty(3) is called as non-root user the newly created
pseudo-terminal is world readable and writeable.  While this is
documented to be the case, script(1) still uses openpty(3) and
script(1) may be used by non-root users [CVE-2008-0217].

The ptsname(3) function incorrectly extracts two characters from the
name of a device node in /dev without verifying that it's actually
opera...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-06:24.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Infinite loop in corrupt archives handling in libarchive(3)

Category:       core
Module:         libarchive
Announced:      2006-11-08
Credits:        Rink Springer
Affects:        FreeBSD 6-STABLE after 2006-09-05 05:23:51 UTC
Corrected:      2006-11-08 14:05:40 UTC (RELENG_6, 6.2-RC1)
CVE Name:       CVE-2006-5680

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The libarchive library provides a flexible interface for reading and
writing streaming archive files such as tar and cpio, and has been the
basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.

II.  Problem Description

If the end of an archive is reached while attempting to "skip" past a
region of an archive, libarchive will enter an infinite loop wherein it
repeatedly attempts (and fails) to read further data.

III. Impact

An attacker able to cause a system to extract (via "tar -x" or another
application which uses libarchive) or list the contents (via "tar -t" or
another libarchive-using application) of an archive provided by the
attacker can cause libarchive to enter an infinite loop and use all
available CPU time.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to affected systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utili...
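The "skip" loop described in section II of the advisory above, shown as an added illustration written for this page rather than libarchive's own code. It runs a bounded skip routine over a constructed in-memory reader (`read_cb`, `mem_source`, `skip_bytes` and `skip_outcome` are this example's names, not libarchive's). The point is the short-read check: a reader that returns 0 at end of input must make the loop stop and report a truncated archive instead of calling the reader again, which is exactly the retry-forever behaviour the advisory describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed reader abstraction for this example (not the libarchive API).
 * A reader fills buf with up to len bytes and returns the count read,
 * 0 at end of input, or -1 on error. */
typedef ssize_t (*read_cb)(void *ctx, void *buf, size_t len);

struct mem_source {
    const unsigned char *data;
    size_t len;
    size_t pos;
};

static ssize_t mem_read(void *ctx, void *buf, size_t len)
{
    struct mem_source *s = ctx;
    size_t avail = s->len - s->pos;
    size_t n = len < avail ? len : avail;

    memcpy(buf, s->data + s->pos, n);
    s->pos += n;
    return (ssize_t)n;          /* 0 once the input is exhausted */
}

/* Skip `want` bytes by reading and discarding them.
 * Returns bytes skipped, -1 on a read error, or -2 if the input ends
 * before the request is satisfied.  The n == 0 branch is the point: a
 * loop that only tests "skipped < want" never terminates on an archive
 * that ends early, because every further read returns 0 again. */
static ssize_t skip_bytes(read_cb rd, void *ctx, size_t want)
{
    unsigned char scratch[64];
    size_t skipped = 0;

    while (skipped < want) {
        size_t chunk = want - skipped;
        ssize_t n;

        if (chunk > sizeof scratch)
            chunk = sizeof scratch;
        n = rd(ctx, scratch, chunk);
        if (n < 0)
            return -1;          /* read error: give up */
        if (n == 0)
            return -2;          /* premature end of archive: report, don't retry */
        skipped += (size_t)n;
    }
    return (ssize_t)skipped;
}

/* Demo driver over an in-memory "archive" (constructed input): perform two
 * skips in sequence and return the result of the second, or the first
 * failure code if the first skip already ran off the end. */
static long skip_outcome(const char *data, size_t len, size_t first, size_t second)
{
    struct mem_source src = { (const unsigned char *)data, len, 0 };
    ssize_t a = skip_bytes(mem_read, &src, first);

    if (a < 0)
        return (long)a;
    return (long)skip_bytes(mem_read, &src, second);
}

int main(void)
{
    printf("skip 4 then 6 of 10: %ld\n", skip_outcome("0123456789", 10, 4, 6));
    printf("skip 4 then 20 of 10: %ld\n", skip_outcome("0123456789", 10, 4, 20));
    return 0;
}
```

A caller that gets -2 back should abort the extraction or listing with an error; the advisory's impact (all available CPU time consumed) comes from treating a zero-byte read as something to try again.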
To: FreeBSD Security Advisories <security-advisories@...>
Date: Monday, November 24, 2008 - 1:47 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-08.11.arc4random                                 Security Advisory
                                                          The FreeBSD Project

Topic:          arc4random(9) predictable sequence vulnerability

Category:       core
Module:         sys
Announced:      2008-11-24
Credits:        Robert Woolley, Mark Murray, Maxim Dounin, Ruslan Ermilov
Affects:        All supported versions of FreeBSD.
Corrected:      2008-11-24 17:39:39 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-11-24 17:39:39 UTC (RELENG_7_0, 7.0-RELEASE-p6)
                2008-11-24 17:39:39 UTC (RELENG_6, 6.4-STABLE)
                2008-11-24 17:39:39 UTC (RELENG_6_4, 6.4-RELEASE)
                2008-11-24 17:39:39 UTC (RELENG_6_3, 6.3-RELEASE-p6)
CVE Name:       CVE-2008-5162

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

arc4random(9) is a generic-purpose random number generator based on the
key stream generator of the RC4 cipher.  It is expected to be
cryptographically strong, and used throughout the FreeBSD kernel for a
variety of purposes, some of which rely on its cryptographic strength.
arc4random(9) is periodically reseeded with entropy from the FreeBSD
kernel's Yarrow random number generator, which gathers entropy from a
variety of sources including hardware interrupts.  During the boot
process, additional entropy is provided to the Yarrow random number
generator from userland, helping to ensure that adequate entropy is
present for cryptographic purposes.

II.  Problem Description
 
When the arc4random(9) random number generator is initialized, there may
be inadequate entropy to meet the needs of kernel systems which rely on
arc4random(9); and it may take up to 5 minutes...

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:01.jail                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Jail rc.d script privilege escalation

Category:       core
Module:         etc_rc.d
Announced:      2007-01-11
Credits:        Dirk Engling
Affects:        All FreeBSD releases since 5.3
Corrected:      2007-01-11 18:16:58 UTC (RELENG_6, 6.2-STABLE)
                2007-01-11 18:17:24 UTC (RELENG_6_2, 6.2-RELEASE)
                2007-01-11 18:18:08 UTC (RELENG_6_1, 6.1-RELEASE-p12)
                2007-01-11 18:18:35 UTC (RELENG_6_0, 6.0-RELEASE-p17)
                2007-01-11 18:18:57 UTC (RELENG_5, 5.5-STABLE)
                2007-01-11 18:19:33 UTC (RELENG_5_5, 5.5-RELEASE-p10)
CVE Name:       CVE-2007-0166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The jail(2) system call allows a system administrator to lock a process
and all of its descendants inside an environment with a very limited
ability to affect the system outside that environment, even for
processes with superuser privileges.  It is an extension of, but
far more powerful than, the traditional UNIX chroot(2) system call.

The host's jail rc.d(8) script can be used to start and stop jails
automatically on system boot/shutdown.

II.  Problem Description

In multiple situations the host's jail rc.d(8) script does not check if
a path inside the jail file system structure is a symbolic link before
using the path.  In particular this is the case when writing the
output from the jail start-up to /var/log/console.log and when
mounting and unmounting file systems inside the jail directory
structure.

III. Impact

Due to the lack of hand...
To: FreeBSD Security Advisories <security-advisories@...>
Date: Thursday, April 26, 2007 - 7:49 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:03.ipv6                                       Security Advisory
                                                          The FreeBSD Project

Topic:          IPv6 Routing Header 0 is dangerous

Category:       core
Module:         ipv6
Announced:      2007-04-26
Credits:        Philippe Biondi, Arnaud Ebalard, Jun-ichiro itojun Hagino
Affects:        All FreeBSD releases.
Corrected:      2007-04-24 11:42:42 UTC (RELENG_6, 6.2-STABLE)
                2007-04-26 23:42:23 UTC (RELENG_6_2, 6.2-RELEASE-p4)
                2007-04-26 23:41:59 UTC (RELENG_6_1, 6.1-RELEASE-p16)
                2007-04-24 11:44:23 UTC (RELENG_5, 5.5-STABLE)
                2007-04-26 23:41:27 UTC (RELENG_5_5, 5.5-RELEASE-p12)
CVE Name:       CVE-2007-2242

I.   Background

IPv6 provides a routing header option which allows a packet sender to
indicate how the packet should be routed, overriding the routing knowledge
present in a network.  This functionality is roughly equivalent to the
"source routing" option in IPv4.  All nodes in an IPv6 network -- both
routers and hosts -- are required by RFC 2640 to process such headers.

II.  Problem Description

There is no mechanism for preventing IPv6 routing headers from being used
to route packets over the same link(s) many times.

III. Impact

An attacker can "amplify" a denial of service attack against a link between
two vulnerable hosts; that is, by sending a small volume of traffic the
attacker can consume a much larger amount of bandwidth between the two
vulnerable hosts.

An attacker can use vulnerable hosts to "concentrate" a denial of service
attack against a victim host or network; that is, a set of packets sent
over a period of 30 seconds or more could be constructed such that they
all arrive at the victim within a period of 1 second or less.

Other attacks may also be possible.

IV.  Workaround

No ...
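A detection routine for the header discussed in the advisory above, added here as an example and not part of the advisory or of FreeBSD's source. It walks the IPv6 extension-header chain of a raw packet and reports whether a Routing Header of type 0 with Segments Left greater than zero is present, which is what a packet filter or IDS needs to know before forwarding or alerting. The sample packet bytes and the function names (`ipv6_has_active_rh0`, `build_packet`, `check_sample`) are constructed for this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV6_HDR_LEN 40
#define NH_HOPOPTS   0    /* Hop-by-Hop Options */
#define NH_ROUTING   43   /* Routing Header */
#define NH_FRAGMENT  44   /* Fragment Header (fixed 8 bytes) */
#define NH_NONE      59   /* No Next Header */
#define NH_DSTOPTS   60   /* Destination Options */

/* Walk the extension-header chain of one IPv6 packet.
 * Returns 1 if a Type 0 Routing Header with Segments Left > 0 is present
 * (the packet would still be source-routed), 0 if not, and -1 if the
 * packet is malformed or truncated (a filter should treat -1 as a drop). */
static int ipv6_has_active_rh0(const uint8_t *pkt, size_t len)
{
    uint8_t nh;
    size_t off = IPV6_HDR_LEN;
    int hops;

    if (len < IPV6_HDR_LEN || (pkt[0] >> 4) != 6)
        return -1;
    nh = pkt[6];                         /* Next Header of the base header */

    for (hops = 0; hops < 16; hops++) {  /* bound the walk: never loop forever */
        size_t ext_len;

        switch (nh) {
        case NH_HOPOPTS:
        case NH_DSTOPTS:
        case NH_ROUTING:
            if (off + 2 > len)
                return -1;
            /* Hdr Ext Len counts 8-octet units not including the first 8 */
            ext_len = ((size_t)pkt[off + 1] + 1) * 8;
            if (off + ext_len > len)
                return -1;               /* header claims more bytes than exist */
            if (nh == NH_ROUTING && pkt[off + 2] == 0 && pkt[off + 3] > 0)
                return 1;                /* RH0 with segments still to visit */
            nh = pkt[off];
            off += ext_len;
            break;
        case NH_FRAGMENT:
            if (off + 8 > len)
                return -1;
            nh = pkt[off];
            off += 8;
            break;
        default:
            return 0;                    /* upper-layer protocol reached */
        }
    }
    return -1;                           /* absurdly long chain */
}

/* Build a constructed sample packet, ::1 -> ::1, either carrying a Type 0
 * Routing Header with one intermediate address or a bare TCP header. */
static size_t build_packet(uint8_t *out, size_t cap, int with_rh0)
{
    size_t off = IPV6_HDR_LEN;

    memset(out, 0, cap);
    out[0] = 0x60;                       /* version 6 */
    out[7] = 64;                         /* hop limit */
    out[23] = 1;                         /* src ::1 */
    out[39] = 1;                         /* dst ::1 */
    if (with_rh0) {
        out[6] = NH_ROUTING;
        out[5] = 24;                     /* payload length: 8 + one 16-byte address */
        out[off + 0] = NH_NONE;          /* nothing follows the routing header */
        out[off + 1] = 2;                /* ext len 2 -> 24 bytes total */
        out[off + 2] = 0;                /* routing type 0 */
        out[off + 3] = 1;                /* segments left */
        off += 24;
    } else {
        out[6] = 6;                      /* TCP */
        out[5] = 20;
        off += 20;                       /* zeroed minimal TCP header */
    }
    return off;
}

/* Run the check over a sample packet; `keep` < 0 means the whole packet,
 * otherwise the capture is cut to `keep` bytes to exercise the bounds checks. */
static int check_sample(int with_rh0, long keep)
{
    uint8_t pkt[80];
    size_t n = build_packet(pkt, sizeof pkt, with_rh0);

    if (keep >= 0 && (size_t)keep < n)
        n = (size_t)keep;
    return ipv6_has_active_rh0(pkt, n);
}

int main(void)
{
    printf("rh0 packet: %d\n", check_sample(1, -1));
    printf("tcp packet: %d\n", check_sample(0, -1));
    printf("truncated:  %d\n", check_sample(1, 48));
    return 0;
}
```

The walk is bounded and every header length is checked against the captured length before it is trusted, so a crafted chain cannot make the detector itself misbehave; a routing header whose Segments Left is already zero is reported as inactive because no further source-routed hops remain.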
To: FreeBSD Security Advisories <security-advisories@...>
Date: Wednesday, May 23, 2007 - 12:19 pm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:04.file                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Heap overflow in file(1)

Category:       contrib
Module:         file
Announced:      2007-05-23
Affects:        All FreeBSD releases.
Corrected:      2007-05-23 16:12:51 UTC (RELENG_6, 6.2-STABLE)
                2007-05-23 16:13:07 UTC (RELENG_6_2, 6.2-RELEASE-p5)
                2007-05-23 16:13:20 UTC (RELENG_6_1, 6.1-RELEASE-p17)
                2007-05-23 16:12:10 UTC (RELENG_5, 5.5-STABLE)
                2007-05-23 16:12:35 UTC (RELENG_5_5, 5.5-RELEASE-p13)
CVE Name:       CVE-2007-1536

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The file(1) utility attempts to classify file system objects based on
filesystem, magic number and language tests.

The libmagic(3) library provides most of the functionality of file(1)
and may be used by other applications.

II.  Problem Description

When writing data into a buffer in the file_printf function, the length
of the unused portion of the buffer is not correctly tracked, resulting
in a buffer overflow when processing certain files.

III. Impact

An attacker who can cause file(1) to be run on a maliciously constructed
input can cause file(1) to crash.  It may be possible for such an attacker
to execute arbitrary code with the privileges of the user running file(1).

The above also applies to any other applications using the libmagic(3)
library.

IV.  Workaround

No workaround is available, but systems where file(1) and other
libmagic(3)-using applications are never run on untrusted input are not
vulnerable.

V.   Solution

Perform one of the...
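The buffer-tracking problem named in section II of the advisory above, illustrated with an added example that is not file(1)'s code (the `outbuf` type, `outbuf_printf` and `outbuf_demo` are constructed for this page). Each append recomputes the remaining space from the current fill level and compares vsnprintf's return value against it, because that return value is the length the text would have had, not the number of bytes stored; subtracting it from a running "remaining" counter is one common way the unused portion of a buffer ends up mis-tracked, so the example never does that and records truncation instead.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed for this example: a small output buffer that tracks its own
 * fill level.  Not file(1)'s file_printf; the capacity is kept tiny so the
 * truncation path is easy to exercise. */
struct outbuf {
    char   data[32];
    size_t used;        /* bytes stored, excluding the terminating NUL */
    int    truncated;   /* set once an append did not fit */
};

static void outbuf_init(struct outbuf *b)
{
    b->used = 0;
    b->truncated = 0;
    b->data[0] = '\0';
}

/* Append formatted text.  Returns bytes actually stored, or -1 on a
 * formatting error.  The remaining space is recomputed from `used` on
 * every call, and vsnprintf's return value (the length the text would
 * have had) is compared against that space rather than subtracted from
 * a running counter, so the bookkeeping can never go stale or wrap. */
static int outbuf_printf(struct outbuf *b, const char *fmt, ...)
{
    size_t remaining = sizeof b->data - b->used;   /* >= 1: room for NUL */
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(b->data + b->used, remaining, fmt, ap);
    va_end(ap);
    if (n < 0)
        return -1;
    if ((size_t)n >= remaining) {
        /* vsnprintf stored remaining - 1 chars and wrote the NUL */
        b->used = sizeof b->data - 1;
        b->truncated = 1;
        return (int)(remaining - 1);
    }
    b->used += (size_t)n;
    return n;
}

/* Demo driver: append three strings.  Returns the final length, -1 if any
 * append was truncated, or -2 if the tracked length disagrees with the
 * actual string (which would mean the bookkeeping is broken). */
static int outbuf_demo(const char *a, const char *b, const char *c)
{
    struct outbuf buf;

    outbuf_init(&buf);
    outbuf_printf(&buf, "%s", a);
    outbuf_printf(&buf, "%s", b);
    outbuf_printf(&buf, "%s", c);
    if (strlen(buf.data) != buf.used)
        return -2;
    return buf.truncated ? -1 : (int)buf.used;
}

int main(void)
{
    printf("%d\n", outbuf_demo("ELF ", "64-bit ", "LSB executable"));
    printf("%d\n", outbuf_demo("0123456789abcdef", "0123456789abcdef", "x"));
    return 0;
}
```

Whatever the input, `data` stays NUL-terminated and `used` never exceeds the capacity minus one, which is the invariant a classifier like file(1) needs when it builds its description string from attacker-chosen file contents.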
To: FreeBSD Security Advisories <security-advisories@...>
Date: Thursday, July 12, 2007 - 11:09 am

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-07:05.libarchive                                 Security Advisory
                                                          The FreeBSD Project

Topic:          Errors handling corrupt tar files in libarchive(3)

Category:       core
Module:         libarchive
Announced:      2007-07-12
Credits:        CPNI, CERT-FI, Tim Kientzle, Colin Percival
Affects:        FreeBSD 5.3 and later.
Corrected:      2007-07-12 15:00:44 UTC (RELENG_6, 6.2-STABLE)
                2007-07-12 15:01:14 UTC (RELENG_6_2, 6.2-RELEASE-p6)
                2007-07-12 15:01:32 UTC (RELENG_6_1, 6.1-RELEASE-p18)
                2007-07-12 15:01:42 UTC (RELENG_5, 5.5-STABLE)
                2007-07-12 15:01:56 UTC (RELENG_5_5, 5.5-RELEASE-p14)
CVE Name:       CVE-2007-3641, CVE-2007-3644, CVE-2007-3645

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I.   Background

The libarchive library provides a flexible interface for reading and
writing streaming archive files such as tar and cpio, and has been the
basis for FreeBSD's implementation of the tar(1) utility since FreeBSD 5.3.

II.  Problem Description

Several problems have been found in the code used to parse the tar and
pax interchange formats.  These include entering an infinite loop if an
archive prematurely ends within a pax extension header or if certain
types of corruption occur in pax extension headers [CVE-2007-3644];
dereferencing a NULL pointer if an archive prematurely ends within a
tar header immediately following a pax extension header or if certain
other types of corruption occur in pax extension headers [CVE-2007-3645];
and miscomputing the length of a buffer resulting in a buffer overflow
if yet another type of corruption occurs in a pax ext...