From owner-freebsd-security@FreeBSD.ORG Wed Dec 17 15:32:49 2014 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CEAD622F for ; Wed, 17 Dec 2014 15:32:49 +0000 (UTC) Received: from smtp05.citynetwork.se (mail.citynetwork.se [IPv6:2a00:16d8:0:4::200]) (using TLSv1.1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 6F833DF2 for ; Wed, 17 Dec 2014 15:32:48 +0000 (UTC) Received: from localhost (smtp05.citynetwork.se [127.0.0.1]) by smtp05.citynetwork.se (Postfix) with ESMTP id 0AB6F8018EA for ; Wed, 17 Dec 2014 16:32:37 +0100 (CET) X-Virus-Scanned: amavisd-new at citynetwork.se Received: from smtp05.citynetwork.se ([127.0.0.1]) by localhost (smtp05.citynetwork.se [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ATTIgOXGSNXs for ; Wed, 17 Dec 2014 16:32:35 +0100 (CET) Received: from mba.lan (h-148-89.a328.priv.bahnhof.se [81.170.148.89]) (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) (Authenticated sender: pasi@kanalje.se) by smtp05.citynetwork.se (Postfix) with ESMTPSA id 5F2D5800806 for ; Wed, 17 Dec 2014 16:32:35 +0100 (CET) From: Pasi Koivisto Message-Id: <1C981B17-2014-446E-8DDB-266385C871A8@kanalje.se> Mime-Version: 1.0 (Mac OS X Mail 8.1 \(1993\)) Subject: Re: FreeBSD Security Advisory FreeBSD-SA-14:30.unbound Date: Wed, 17 Dec 2014 16:32:34 +0100 References: <20141217083643.F0027421F@nine.des.no> To: freebsd-security@freebsd.org In-Reply-To: <20141217083643.F0027421F@nine.des.no> X-Mailer: Apple Mail (2.1993) X-Mailman-Approved-At: Wed, 17 Dec 2014 16:06:47 +0000 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: quoted-printable X-Content-Filtered-By: Mailman/MimeDel 2.1.18-1 X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 17 Dec 2014 15:32:49 -0000 Hi, I am curios why the installer wants to delete "/". This is from when I ran the update: [root@seed ~]# freebsd-update fetch Looking up update.FreeBSD.org mirrors... none found. Fetching metadata signature for 10.1-RELEASE from update.FreeBSD.org... = done. Fetching metadata index... done. Fetching 2 metadata patches.. done. Applying metadata patches... done. Inspecting system... done. Preparing to download files... done. Fetching 5 patches... done. Applying patches... done. Fetching 10 files... done. The following files will be removed as part of updating to = 10.1-RELEASE-p2: / The following files will be updated as part of updating to = 10.1-RELEASE-p2: /bin/freebsd-version /usr/lib/private/libunbound.a /usr/lib/private/libunbound.so.5 /usr/lib/private/libunbound_p.a /usr/lib32/libc.a /usr/lib32/libc.so.7 /usr/lib32/libc_p.a /usr/lib32/libc_pic.a /usr/lib32/libmagic.a /usr/lib32/libmagic.so.4 /usr/lib32/libmagic_p.a /usr/lib32/private/libunbound.a /usr/lib32/private/libunbound.so.5 /usr/lib32/private/libunbound_p.a /usr/sbin/unbound [root@seed ~]# freebsd-update install Installing updates...rmdir: ///: Is a directory done. On a consequent reboot and running freebsd-update fetch again [root@seed ~]# freebsd-version=20 10.1-RELEASE-p2 [root@seed ~]# freebsd-update fetch Looking up update.FreeBSD.org mirrors... none found. Fetching metadata signature for 10.1-RELEASE from update.FreeBSD.org... = done. Fetching metadata index... done. Inspecting system... done. Preparing to download files... done. The following files will be removed as part of updating to = 10.1-RELEASE-p2: / [root@seed ~]#=20 > On 17 Dec 2014, at 09:36, FreeBSD Security Advisories = wrote: >=20 > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA512 >=20 > = =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D > FreeBSD-SA-14:30.unbound Security = Advisory > The FreeBSD = Project >=20 > Topic: unbound remote denial of service vulnerability >=20 > Category: contrib > Module: unbound > Announced: 2014-12-17 > Affects: FreeBSD 10.0-RELEASE and later > Credits: Florian Maury (ANSSI) > Corrected: 2014-12-17 06:58:00 UTC (stable/10, 10.1-STABLE) > 2014-12-17 06:59:47 UTC (releng/10.1, 10.1-RELEASE-p2) > 2014-12-17 06:59:47 UTC (releng/10.0, 10.0-RELEASE-p14) > CVE Name: CVE-2014-8602 >=20 > For general information regarding FreeBSD Security Advisories, > including descriptions of the fields above, security branches, and the > following sections, please visit . >=20 > I. Background >=20 > Unbound is a validating, recursive, and caching DNS resolver. >=20 > II. Problem Description >=20 > By causing queries to be made against a maliciously-constructed zone = or > against a malicious DNS server, an attacker who is able to cause > specific queries to be sent to a nameserver can trick unbound(8) = resolver > into following an endless series of delegations, which consumes a lot = of > resources. >=20 > III. Impact >=20 > Unbound will spend a lot of resources on this query, and this will = impact > unbound's CPU and network resources. Unbound may therefore lose some > ability or timelines for the service of customer queries (a denial of > service). Unbound will continue to respond normally for cached = queries. >=20 > IV. Workaround >=20 > No workaround is available, but hosts not running unbound(8) are not > vulnerable. >=20 > V. Solution >=20 > Perform one of the following: >=20 > 1) Upgrade your vulnerable system to a supported FreeBSD stable or > release / security branch (releng) dated after the correction date. >=20 > 2) To update your vulnerable system via a binary patch: >=20 > Systems running a RELEASE version of FreeBSD on the i386 or amd64 > platforms can be updated via the freebsd-update(8) utility: >=20 > # freebsd-update fetch > # freebsd-update install >=20 > 3) To update your vulnerable system via a source code patch: >=20 > The following patches have been verified to apply to the applicable > FreeBSD release branches. >=20 > a) Download the relevant patch from the location below, and verify the > detached PGP signature using your PGP utility. >=20 > [FreeBSD 10.x] > # fetch https://security.FreeBSD.org/patches/SA-14:30/unbound.patch > # fetch = https://security.FreeBSD.org/patches/SA-14:30/unbound.patch.asc > # gpg --verify unbound.patch.asc >=20 > b) Apply the patch. Execute the following commands as root: >=20 > # cd /usr/src > # patch < /path/to/patch >=20 > c) Recompile the operating system using buildworld and installworld as > described in . >=20 > Restart the unbound(8) daemons, or reboot the system. >=20 > VI. Correction details >=20 > The following list contains the correction revision numbers for each > affected branch. >=20 > Branch/path = Revision > - = ------------------------------------------------------------------------- > stable/10/ = r275853 > releng/10.0/ = r275854 > releng/10.1/ = r275854 > - = ------------------------------------------------------------------------- >=20 > To see which files were modified by a particular revision, run the > following command, replacing NNNNNN with the revision number, on a > machine with Subversion installed: >=20 > # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base >=20 > Or visit the following URL, replacing NNNNNN with the revision number: >=20 > >=20 > VII. References >=20 > >=20 > >=20 > The latest revision of this advisory is available at > = = > -----BEGIN PGP SIGNATURE----- >=20 > iQIcBAEBCgAGBQJUkTg1AAoJEO1n7NZdz2rn+iUP/3RP0KKn8B2SnSpSLbXws/eY > GEOTYEsZJpGTtCyIg5eKmJ/AU7dKiD34da2uaL41Lt4hWa/Icyk13CtV6cK9TfN4 > oSrrgDCbqErrFh74lhQX3v3bYHNMhZRVnaM9tHXHmpa9NAKhyTP+eyo+Ss7iK/am > lVBW2xPv92OKyjo0Onp5h3o5QT6DHpPgW91f9He4GygYfShMXtOb+VhGpllxwbeM > aS59yPkhGJLVhxQn2QtFpj67QxS5GIhK6iccwrRKo8Okij2mlRfR4fuD5Ol4L9TK > sZKMGtgESPLGmfW1Pj/BRobyCWcs+cYLchZkxbomQBcH7ybpOMW+SqTB0FkZcscU > ODMzvum2VZuSl5fAlu3F6V0/k+8cFiE4B/Xyioqa8aRsfYNfWjoETmfE7ld+zXqX > 8cPizwGYdsuO4g6mNS0HFuuexkJem9qviRfnQUQ/EJQPNfXB33GYBoFquE0mvFUO > WN5QiietSnNp4/TF+BjXlaeo/PtO+Q8xIdqgdSzouslx95a4j3N127k8Yoz55Nx+ > 3mEeqvZRf5/7ieIgyHti/v/xKZOyGCs6NwlZ6xN+0kanNqMDfjpKnfzTJnnSTbj6 > z6FCzXn986EqL8kpJisKZEJfntvZu4ft/KUo4qzZAtuNgnoUGFYXv5DfQrM75ZJ/ > 9PFQzCA+8snPiCyUhAaC > =3Dfkvr > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-security-notifications@freebsd.org mailing list > = http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications > To unsubscribe, send any mail to = "freebsd-security-notifications-unsubscribe@freebsd.org"