From owner-freebsd-security@FreeBSD.ORG Wed Jan 6 22:54:51 2010
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Wed, 6 Jan 2010 22:54:51 GMT
Message-Id: <201001062254.o06MspkT089047@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-10:01.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:01.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          BIND named(8) cache poisoning with DNSSEC validation

Category:       contrib
Module:         bind
Announced:      2010-01-06
Credits:        Michael Sinatra
Affects:        All supported versions of FreeBSD.
Corrected:      2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
                2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
                2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
                2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-4022

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II.  Problem Description

If a client requests DNSSEC records with the Checking Disabled (CD) flag
set, BIND may cache the unvalidated responses.  These responses may later
be returned to another client that has not set the CD flag.

III. Impact

If a client can send such queries to a server, it can exploit this
problem to mount a cache poisoning attack, seeding the cache with
unvalidated information.

IV.  Workaround

Disabling DNSSEC validation will prevent BIND from caching unvalidated
records, but also prevent DNSSEC authentication of records.  Systems not
using DNSSEC validation are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 6.3]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc

[FreeBSD 6.4]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc

[FreeBSD 7.1]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc

[FreeBSD 7.2]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch
# fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart

NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get
a more recent BIND version with more complete DNSSEC support.  This
can be done either by upgrading to FreeBSD 7.x or later, or by installing
BIND from the FreeBSD Ports Collection.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/bind9/lib/dns/rbtdb.c                            1.1.1.1.4.4
  src/contrib/bind9/lib/dns/include/dns/types.h                1.1.1.1.4.2
  src/contrib/bind9/lib/dns/resolver.c                        1.1.1.2.2.11
  src/contrib/bind9/lib/dns/masterdump.c                       1.1.1.1.4.3
  src/contrib/bind9/lib/dns/validator.c                        1.1.1.2.2.6
  src/contrib/bind9/bin/named/query.c                          1.1.1.1.4.7
RELENG_6_4
  src/UPDATING                                             1.416.2.40.2.13
  src/sys/conf/newvers.sh                                   1.69.2.18.2.15
  src/contrib/bind9/lib/dns/rbtdb.c                        1.1.1.1.4.3.2.1
  src/contrib/bind9/lib/dns/include/dns/types.h            1.1.1.1.4.1.4.1
  src/contrib/bind9/lib/dns/resolver.c                     1.1.1.2.2.9.2.1
  src/contrib/bind9/lib/dns/masterdump.c                   1.1.1.1.4.1.4.1
  src/contrib/bind9/lib/dns/validator.c                    1.1.1.2.2.4.2.1
  src/contrib/bind9/bin/named/query.c                      1.1.1.1.4.5.2.1
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.20
  src/sys/conf/newvers.sh                                   1.69.2.15.2.19
  src/contrib/bind9/lib/dns/rbtdb.c                        1.1.1.1.4.2.2.1
  src/contrib/bind9/lib/dns/include/dns/types.h            1.1.1.1.4.1.2.1
  src/contrib/bind9/lib/dns/resolver.c                     1.1.1.2.2.6.2.2
  src/contrib/bind9/lib/dns/masterdump.c                   1.1.1.1.4.1.2.1
  src/contrib/bind9/lib/dns/validator.c                    1.1.1.2.2.3.2.1
  src/contrib/bind9/bin/named/query.c                      1.1.1.1.4.4.2.1
RELENG_7
  src/contrib/bind9/lib/dns/rbtdb.c                            1.1.1.4.2.4
  src/contrib/bind9/lib/dns/include/dns/types.h                1.1.1.3.2.2
  src/contrib/bind9/lib/dns/resolver.c                         1.1.1.9.2.6
  src/contrib/bind9/lib/dns/masterdump.c                       1.1.1.3.2.3
  src/contrib/bind9/lib/dns/validator.c                        1.1.1.6.2.5
  src/contrib/bind9/bin/named/query.c                          1.1.1.6.2.4
RELENG_7_2
  src/UPDATING                                              1.507.2.23.2.9
  src/sys/conf/newvers.sh                                   1.72.2.11.2.10
  src/contrib/bind9/lib/dns/rbtdb.c                        1.1.1.4.2.2.2.1
  src/contrib/bind9/lib/dns/include/dns/types.h                1.1.1.3.8.1
  src/contrib/bind9/lib/dns/resolver.c                     1.1.1.9.2.4.2.1
  src/contrib/bind9/lib/dns/masterdump.c                   1.1.1.3.2.1.2.1
  src/contrib/bind9/lib/dns/validator.c                    1.1.1.6.2.3.2.1
  src/contrib/bind9/bin/named/query.c                      1.1.1.6.2.2.2.1
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.13
  src/sys/conf/newvers.sh                                    1.72.2.9.2.14
  src/contrib/bind9/lib/dns/rbtdb.c                        1.1.1.4.2.1.4.1
  src/contrib/bind9/lib/dns/include/dns/types.h                1.1.1.3.6.1
  src/contrib/bind9/lib/dns/resolver.c                     1.1.1.9.2.3.2.1
  src/contrib/bind9/lib/dns/masterdump.c                       1.1.1.3.6.1
  src/contrib/bind9/lib/dns/validator.c                    1.1.1.6.2.1.4.1
  src/contrib/bind9/bin/named/query.c                      1.1.1.6.2.1.4.1
RELENG_8
  src/contrib/bind9/lib/dns/rbtdb.c                                1.3.2.2
  src/contrib/bind9/lib/dns/include/dns/types.h                    1.2.2.2
  src/contrib/bind9/lib/dns/resolver.c                             1.6.2.2
  src/contrib/bind9/lib/dns/masterdump.c                           1.3.2.2
  src/contrib/bind9/lib/dns/validator.c                            1.4.2.2
  src/contrib/bind9/bin/named/query.c                              1.3.2.2
RELENG_8_0
  src/UPDATING                                               1.632.2.7.2.5
  src/sys/conf/newvers.sh                                     1.83.2.6.2.5
  src/contrib/bind9/lib/dns/rbtdb.c                                1.3.4.1
  src/contrib/bind9/lib/dns/include/dns/types.h                    1.2.4.1
  src/contrib/bind9/lib/dns/resolver.c                             1.6.4.1
  src/contrib/bind9/lib/dns/masterdump.c                           1.3.4.1
  src/contrib/bind9/lib/dns/validator.c                            1.4.4.1
  src/contrib/bind9/bin/named/query.c                              1.3.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r200394
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r200393
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r200383
releng/8.0/                                                       r201679
head/                                                             r199958
- -------------------------------------------------------------------------

VII. References

https://www.isc.org/node/504
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K
RUb5Kn+O1qc/FUzEQ12AmrA=
=Pfoo
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Jan 6 22:55:36 2010
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Wed, 6 Jan 2010 22:55:36 GMT
Message-Id: <201001062255.o06MtaOL089123@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-10:02.ntpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          ntpd mode 7 denial of service

Category:       contrib
Module:         ntpd
Announced:      2010-01-06
Affects:        All supported versions of FreeBSD.
Corrected:      2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
                2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
                2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
                2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
CVE Name:       CVE-2009-3563

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from a
source address not listed in either a 'restrict ... noquery' or a
'restrict ... ignore' section, it will log the event and send a mode 7
error response.

III. Impact

If an attacker can spoof such a packet from a source IP of an affected
ntpd to the same or a different affected ntpd, the host(s) will endlessly
send error responses to each other and log each event, consuming network
bandwidth, CPU and possibly disk space.

IV.  Workaround

Proper filtering of mode 7 NTP packets by a firewall can limit the
number of systems used to attack your resources.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
RELENG_6_3 security branch dated after the correction date.
2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.1, 7.2, and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
# fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
# /etc/rc.d/ntpd restart

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/ntp/ntpd/ntp_request.c                           1.1.1.4.8.2
RELENG_6_4
  src/UPDATING                                             1.416.2.40.2.13
  src/sys/conf/newvers.sh                                   1.69.2.18.2.15
  src/contrib/ntp/ntpd/ntp_request.c                       1.1.1.4.8.1.2.1
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.20
  src/sys/conf/newvers.sh                                   1.69.2.15.2.19
  src/contrib/ntp/ntpd/ntp_request.c                          1.1.1.4.20.1
RELENG_7
  src/contrib/ntp/ntpd/ntp_request.c                          1.1.1.4.18.2
RELENG_7_2
  src/UPDATING                                              1.507.2.23.2.9
  src/sys/conf/newvers.sh                                   1.72.2.11.2.10
  src/contrib/ntp/ntpd/ntp_request.c                      1.1.1.4.18.1.4.1
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.13
  src/sys/conf/newvers.sh                                    1.72.2.9.2.14
  src/contrib/ntp/ntpd/ntp_request.c                      1.1.1.4.18.1.2.1
RELENG_8
  src/contrib/ntp/ntpd/ntp_request.c                               1.2.2.1
RELENG_8_0
  src/UPDATING                                               1.632.2.7.2.5
  src/sys/conf/newvers.sh                                     1.83.2.6.2.5
  src/contrib/ntp/ntpd/ntp_request.c                               1.2.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r201679
releng/6.4/                                                       r201679
releng/6.3/                                                       r201679
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r201679
releng/8.0/                                                       r201679
head/                                                             r200576
- -------------------------------------------------------------------------

VII. References

http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
https://support.ntp.org/bugs/show_bug.cgi?id=1331
http://www.kb.cert.org/vuls/id/568372
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:02.ntpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRQ9gFdaIBMps37IRAuH1AJ9eOII8McK5332jhuBHEMxAUbWKNQCghYfs
y66+ElAr2uZrrXwerlVETPc=
=yJm1
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Wed Jan 6 22:55:56 2010
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Date: Wed, 6 Jan 2010 22:55:56 GMT
Message-Id: <201001062255.o06MtuSD089189@freefall.freebsd.org>
Subject: FreeBSD Security Advisory FreeBSD-SA-10:03.zfs
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-10:03.zfs                                        Security Advisory
                                                          The FreeBSD Project

Topic:          ZFS ZIL playback with insecure permissions

Category:       contrib
Module:         zfs
Announced:      2010-01-06
Credits:        Pawel Jakub Dawidek
Affects:        FreeBSD 7.0 and later.
Corrected:      2009-11-14 11:59:59 UTC (RELENG_8, 8.0-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
                2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
                2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
                2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ZFS is a file system originally developed by Sun Microsystems.  The ZFS
Intent Log ("ZIL") gathers write transactions together in memory and is
flushed to disk when synchronous semantics are required.  After a crash
or power failure, the log is examined and any uncommitted transactions
are replayed to preserve those synchronous semantics.

II.  Problem Description

When replaying a setattr transaction, the replay code would set the
attributes that the logged transaction did not touch to certain insecure
defaults.

III. Impact

A system crash or power failure would leave some files with their mode
set to 07777.  This could leak sensitive information or cause privilege
escalation.

IV.  Workaround

No workaround is available, but systems not using ZFS are not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the
correction date.
2) To patch your present system:

The following patches have been verified to apply to FreeBSD 7.1, 7.2,
and 8.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch.asc

[FreeBSD 8.0]
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch
# fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

3) Examine the system and look for affected files.  These files can be
identified with the following command:

# find / -perm -7777 -print0 | xargs -0 ls -ld

The system administrator will have to correct these problems if there
are any files with such permission modes.  For example:

# find / -perm -7777 -print0 | xargs -0 chmod u=rwx,go=

will reset the access mode bits so that the files are readable, writable
and executable by the owner only.  The system administrator should choose
the appropriate mode bits with care.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.6.2.3
RELENG_7_2
  src/UPDATING                                              1.507.2.23.2.9
  src/sys/conf/newvers.sh                                   1.72.2.11.2.10
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.6.2.1.4.1
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.13
  src/sys/conf/newvers.sh                                    1.72.2.9.2.14
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.6.2.1.2.1
RELENG_8
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.8.2.2
RELENG_8_0
  src/UPDATING                                               1.632.2.7.2.5
  src/sys/conf/newvers.sh                                     1.83.2.6.2.5
  src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c  1.8.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/7/                                                         r201679
releng/7.2/                                                       r201679
releng/7.1/                                                       r201679
stable/8/                                                         r199266
releng/8.0/                                                       r201679
head/                                                             r199157
- -------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-10:03.zfs.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (FreeBSD)

iD8DBQFLRRILFdaIBMps37IRAnI3AJ9ioK1Bbg++DpPYW/RX9wnujAeJxACff+Ph
oEIfaiJ5y/DoGhklcAJdXTU=
=JPje
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 00:37:41 2010
From: Harlan Stenn
Sender: Harlan.Stenn@pfcs.com
To: freebsd-security@freebsd.org
Cc: stenn@ntp.org
Date: Wed, 06 Jan 2010 19:18:20 -0500
Message-Id: <20100107001820.36C8128438@gwc.pfcs.com>
In-Reply-To: FreeBSD Security Advisories's (security-advisories@freebsd.org)
    message dated Wed, 06 Jan 2010 22:55:36.
    <201001062255.o06MtanW089116@freefall.freebsd.org>
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd

Not quite...

> II.  Problem Description
>
> If ntpd receives a mode 7 (MODE_PRIVATE) request or error response

it's a *malformed* mode 7 request, or an error response ...

Normal mode 7 requests have been (and are) handled just fine and are not
logged by default.

> from a source address not listed in either a 'restrict ... noquery'
> or a 'restrict ... ignore' section it will log the even and send

s/even/event/

> a mode 7 error response.

> IV.  Workaround
>
> Proper filtering of mode 7 NTP packets by a firewall can limit the
> number of systems used to attack your resources.

If you can find a firewall that will do this, please lemme know.  We
haven't found any.

Thanks...
H

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 08:35:47 2010
From: Uehata Keiji
To: freebsd-security@FreeBSD.org
Date: Thu, 07 Jan 2010 17:25:10 +0900
Message-Id: <20100107165933.96D1.1F47C451@firstserver.co.jp>
In-Reply-To: <201001062254.o06Msord089040@freefall.freebsd.org>
Subject: Re: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:01.bind

Thank you for your work.  This is Uehata from the Technology Group.

Yライト and おとくフリーセル were all uniformly configured with
"dnssec-enable no;", so there is no problem.

Also, from 9.3.0 on, dnssec-enable no appears to be the default value
even when it is not specified.

Best regards.

---------------------------------------
FirstServer Co., Ltd.
Operations Technology Department, Technology Group
Uehata Keiji
e-mail: uehata@firstserver.co.jp
TEL: 050-3160-0763 / 06-6261-3332 (main)
FAX: 06-6125-1733
URL: http://www.fsv.jp/ http://www.firstserver.co.jp/
Address: Nomura Real Estate Osaka Building 3F, 1-8-15 Azuchimachi,
Chuo-ku, Osaka 541-0052
---------------------------------------
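The cache behaviour SA-10:01 above describes, as an added Python example (not BIND or FreeBSD code): a resolver that caches an answer fetched for a CD query without recording that it was never validated, beside one that tracks validation state per entry and only hands unvalidated data back to CD clients. The zone key, the two records and the HMAC standing in for DNSSEC signatures are all constructed.

```python
"""Toy model of the cache-poisoning problem in FreeBSD-SA-10:01.bind
(CVE-2009-4022): an answer fetched for a query with the Checking Disabled
(CD) flag is cached without being DNSSEC-validated, then served to a later
client that did not set CD and so expects validated data.

Added example, not BIND or FreeBSD code.  DNSSEC is reduced to an HMAC over
the record under a constructed zone key, standing in for RRSIG/DNSKEY/DS.
"""
import hashlib
import hmac
from dataclasses import dataclass

ZONE_KEY = b"constructed-zone-key"  # stand-in for the zone's trust anchor


def rrsig(name, rrtype, rdata):
    """Stand-in for an RRSIG over one RRset."""
    msg = f"{name}|{rrtype}|{rdata}".encode()
    return hmac.new(ZONE_KEY, msg, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class RRset:
    name: str
    rrtype: str
    rdata: str
    sig: str


def validate(rr):
    """True if the RRset's signature verifies against the trust anchor."""
    return hmac.compare_digest(rr.sig, rrsig(rr.name, rr.rrtype, rr.rdata))


# Constructed answers: the genuine record, and a forgery whose signature
# cannot verify because only the zone key can produce a valid one.
GENUINE = RRset("www.example.", "A", "192.0.2.10",
                rrsig("www.example.", "A", "192.0.2.10"))
FORGED = RRset("www.example.", "A", "198.51.100.99", "00" * 32)


class VulnerableResolver:
    """One cache; an entry does not record whether it was ever validated."""

    def __init__(self, fetch):
        self.fetch = fetch  # callable(name, rrtype) -> RRset from upstream
        self.cache = {}

    def resolve(self, name, rrtype, cd=False):
        key = (name, rrtype)
        if key not in self.cache:
            rr = self.fetch(name, rrtype)
            if not cd and not validate(rr):
                return None  # SERVFAIL for a validating client
            self.cache[key] = rr  # with CD set, stored unvalidated ...
        return self.cache[key]  # ... and later served to anyone


class FixedResolver:
    """Each entry records its validation state; unvalidated entries are
    only ever returned to clients that themselves set CD."""

    def __init__(self, fetch):
        self.fetch = fetch
        self.cache = {}  # key -> (RRset, validated)

    def resolve(self, name, rrtype, cd=False):
        key = (name, rrtype)
        hit = self.cache.get(key)
        if hit is not None:
            rr, validated = hit
            if validated or cd:
                return rr
            if validate(rr):  # promote a pending entry once it verifies
                self.cache[key] = (rr, True)
                return rr
            del self.cache[key]  # bogus pending data is discarded
        rr = self.fetch(name, rrtype)
        ok = validate(rr)
        if not ok and not cd:
            return None
        self.cache[key] = (rr, ok)
        return rr


def poison_scenario(resolver_cls):
    """A CD query is answered from upstream with the forged record (the
    poison window); a normal client then asks for the same name after the
    window has closed.  Returns the rdata the normal client receives."""
    answers = {("www.example.", "A"): FORGED}
    resolver = resolver_cls(lambda n, t: answers[(n, t)])
    resolver.resolve("www.example.", "A", cd=True)
    answers[("www.example.", "A")] = GENUINE
    victim = resolver.resolve("www.example.", "A", cd=False)
    return victim.rdata if victim is not None else None


if __name__ == "__main__":
    for cls in (VulnerableResolver, FixedResolver):
        print(f"{cls.__name__}: non-CD client gets {poison_scenario(cls)}")
```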
References > > https://www.isc.org/node/504 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022 > > The latest revision of this advisory is available at > http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.10 (FreeBSD) > > iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K > RUb5Kn+O1qc/FUzEQ12AmrA= > =Pfoo > -----END PGP SIGNATURE----- > _______________________________________________ > freebsd-announce@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-announce > To unsubscribe, send any mail to "freebsd-announce-unsubscribe@freebsd.org" > From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 08:58:46 2010 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 4021E1065672 for ; Thu, 7 Jan 2010 08:58:46 +0000 (UTC) (envelope-from jhellenthal@gmail.com) Received: from mail-yx0-f172.google.com (mail-yx0-f172.google.com [209.85.210.172]) by mx1.freebsd.org (Postfix) with ESMTP id D18318FC25 for ; Thu, 7 Jan 2010 08:58:45 +0000 (UTC) Received: by yxe2 with SMTP id 2so3445117yxe.7 for ; Thu, 07 Jan 2010 00:58:41 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:sender:date:from:to:cc :subject:in-reply-to:message-id:references:user-agent :x-openpgp-key-id:x-openpgp-key-fingerprint:mime-version :content-type; bh=iN56U+z/Ze9iuOr1wg43p3KL7TWo9Erq7CgJfyceLKk=; b=Fyqw3Mo/yoN5SNurZNovffV4H+S2lC7p6OlAU+0Ka5+Ox5Uk/KGRzMatWY7ZPVXzsI vCCDlvGKxnDZuSCpcDtq1o82e/uGyfsYD54CIG2YncBNtkHR7s+pXDvrdcp44Dz03hwl FZl/ej7ZEM9iy8Yy8TvjY2fddYGhWoOjd8YCE= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=sender:date:from:to:cc:subject:in-reply-to:message-id:references :user-agent:x-openpgp-key-id:x-openpgp-key-fingerprint:mime-version :content-type; 
b=VG5J7LCpPYDFpRtMgiGPY2GzySiXy1vGEXt1BaJZlrARDxQcuFLnCPUJI6BVh8X/aZ nSy8gxcRGma2u8Fy6Z5SQyTjA/cBt2UT2vHGZLPwdVVY4lk3hOgHxNy4DgWTu/SZP9xa T1t7FAPthh91MiwLIO+OiJMK0Ym1ai5IVdUGU= Received: by 10.150.240.13 with SMTP id n13mr2494847ybh.227.1262854720643; Thu, 07 Jan 2010 00:58:40 -0800 (PST) Received: from centel.ttyphoid.local (ppp-21.170.dialinfree.com [209.172.21.170]) by mx.google.com with ESMTPS id 20sm20314390iwn.13.2010.01.07.00.58.30 (version=TLSv1/SSLv3 cipher=RC4-MD5); Thu, 07 Jan 2010 00:58:39 -0800 (PST) Sender: "J. Hellenthal" Date: Thu, 7 Jan 2010 03:58:20 -0500 From: jhell To: FreeBSD Security In-Reply-To: <201001062255.o06Mta8a089129@freefall.freebsd.org> Message-ID: References: <201001062255.o06Mta8a089129@freefall.freebsd.org> User-Agent: Alpine 2.00 (BSF 1167 2008-08-23) X-OpenPGP-Key-Id: 0x89D8547E X-OpenPGP-Key-Fingerprint: 85EF E26B 07BB 3777 76BE B12A 9057 8789 89D8 547E MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed Cc: FreeBSD Security Advisories Subject: Re: FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 07 Jan 2010 08:58:46 -0000 With the directions in this message you will receive the following error: make: don't know how to make /usr/obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop Should state (minimal) # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/ntp # make obj && make depend && make && make install # /etc/rc.d/ntpd restart Please note this for next time. This is the second time I have counted that this has been overlooked. 
On Wed, 6 Jan 2010 17:55, security-advisories@ wrote:

> ---------------------------- PGP Command Output ----------------------------
> gpg: Signature made Wed Jan 6 17:32:00 2010 EST using DSA key ID CA6CDFB2
> gpg: Good signature from "FreeBSD Security Officer "
> ----------- Begin PGP Signed Message Verified 2010-01-07 03:50:19 ----------
>
> =============================================================================
> FreeBSD-SA-10:02.ntpd                                       Security Advisory
>                                                           The FreeBSD Project
>
> Topic:          ntpd mode 7 denial of service
>
> Category:       contrib
> Module:         ntpd
> Announced:      2010-01-06
> Affects:        All supported versions of FreeBSD.
> Corrected:      2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE)
>                 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2)
>                 2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE)
>                 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6)
>                 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10)
>                 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE)
>                 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9)
>                 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15)
> CVE Name:       CVE-2009-3563
>
> For general information regarding FreeBSD Security Advisories,
> including descriptions of the fields above, security branches, and the
> following sections, please visit .
>
> I.   Background
>
> The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
> used to synchronize the time of a computer system to a reference time
> source.
>
> II.  Problem Description
>
> If ntpd receives a mode 7 (MODE_PRIVATE) request or error response
> from a source address not listed in either a 'restrict ... noquery'
> or a 'restrict ... ignore' section it will log the event and send
> a mode 7 error response.
>
> III. Impact
>
> If an attacker can spoof such a packet from a source IP of an affected
> ntpd to the same or a different affected ntpd, the host(s) will endlessly
> send error responses to each other and log each event, consuming network
> bandwidth, CPU and possibly disk space.
>
> IV.  Workaround
>
> Proper filtering of mode 7 NTP packets by a firewall can limit the
> number of systems used to attack your resources.
>
> V.   Solution
>
> Perform one of the following:
>
> 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE,
> or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or
> RELENG_6_3 security branch dated after the correction date.
>
> 2) To patch your present system:
>
> The following patches have been verified to apply to FreeBSD 6.3, 6.4,
> 7.1, 7.2, and 8.0 systems.
>
> a) Download the relevant patch from the location below, and verify the
> detached PGP signature using your PGP utility.
>
> # fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch
> # fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc
>
> b) Execute the following commands as root:
>
> # cd /usr/src
> # patch < /path/to/patch
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> # /etc/rc.d/ntpd restart
>
> VI.  Correction details
>
> The following list contains the revision numbers of each file that was
> corrected in FreeBSD.
>
> CVS:
>
> Branch                                                                Revision
>   Path
> -------------------------------------------------------------------------
> RELENG_6
>   src/contrib/ntp/ntpd/ntp_request.c                                1.1.1.4.8.2
> RELENG_6_4
>   src/UPDATING                                                      1.416.2.40.2.13
>   src/sys/conf/newvers.sh                                           1.69.2.18.2.15
>   src/contrib/ntp/ntpd/ntp_request.c                                1.1.1.4.8.1.2.1
> RELENG_6_3
>   src/UPDATING                                                      1.416.2.37.2.20
>   src/sys/conf/newvers.sh                                           1.69.2.15.2.19
>   src/contrib/ntp/ntpd/ntp_request.c                                1.1.1.4.20.1
> RELENG_7
>   src/contrib/ntp/ntpd/ntp_request.c                                1.1.1.4.18.2
> RELENG_7_2
>   src/UPDATING                                                      1.507.2.23.2.9
>   src/sys/conf/newvers.sh                                           1.72.2.11.2.10
>   src/contrib/ntp/ntpd/ntp_request.c                                1.1.1.4.18.1.4.1
> RELENG_7_1
>   src/UPDATING                                                      1.507.2.13.2.13
>   src/sys/conf/newvers.sh                                           1.72.2.9.2.14
>   src/contrib/ntp/ntpd/ntp_request.c                                1.1.1.4.18.1.2.1
> RELENG_8
>   src/contrib/ntp/ntpd/ntp_request.c                                1.2.2.1
> RELENG_8_0
>   src/UPDATING                                                      1.632.2.7.2.5
>   src/sys/conf/newvers.sh                                           1.83.2.6.2.5
>   src/contrib/ntp/ntpd/ntp_request.c                                1.2.4.1
> -------------------------------------------------------------------------
>
> Subversion:
>
> Branch/path                                                         Revision
> -------------------------------------------------------------------------
> stable/6/                                                           r201679
> releng/6.4/                                                         r201679
> releng/6.3/                                                         r201679
> stable/7/                                                           r201679
> releng/7.2/                                                         r201679
> releng/7.1/                                                         r201679
> stable/8/                                                           r201679
> releng/8.0/                                                         r201679
> head/                                                               r200576
> -------------------------------------------------------------------------
>
> VII. References
>
> http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode
> https://support.ntp.org/bugs/show_bug.cgi?id=1331
> http://www.kb.cert.org/vuls/id/568372
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563
>
> The latest revision of this advisory is available at
> http://security.FreeBSD.org/advisories/FreeBSD-SA-10:02.ntpd.asc
>
> ------------ End PGP Signed Message Verified 2010-01-07 03:50:19 -----------

-- 

 Thu Jan 7 03:50:18 2010
 jhell

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 17:11:34 2010
From: "Julian H. Stacey"
Organization: http://www.berklix.com BSD Unix Linux Consultancy, Munich Germany
To: Uehata Keiji
Cc: freebsd-security@freebsd.org
Date: Thu, 07 Jan 2010 18:10:45 +0100
Subject: Re: ANNOUNCE: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:01.bind
Message-Id: <201001071710.o07HAjJT056714@fire.js.berklix.net>
In-reply-to: Your message "Thu, 07 Jan 2010 17:25:10 +0900." <20100107165933.96D1.1F47C451@firstserver.co.jp>
User-agent: EXMH on FreeBSD http://www.berklix.com/free/

Hi,
Reference:
> From:		Uehata Keiji
> Date:		Thu, 07 Jan 2010 17:25:10 +0900
> Message-id:	<20100107165933.96D1.1F47C451@firstserver.co.jp>

Uehata Keiji wrote:
>
> お疲れ様です。上畑@技術Gです。
> [Thank you for your work. This is Uehata from the Technical Group.]

That displays in Japanese with EXMH 2.7.2. I can't read Japanese.

Cheers,
Julian
-- 
Julian Stacey: BSD Unix Linux C Sys Eng Consultants Munich http://berklix.com
Mail plain text not quoted-printable, HTML or Base64: http://asciiribbon.org

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 19:13:01 2010
From: Roland Smith
To: freebsd-security@freebsd.org
Date: Thu, 7 Jan 2010 19:53:06 +0100
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd
Message-ID: <20100107185306.GA2742@slackbox.xs4all.nl>
In-Reply-To: <201001062255.o06MtanW089116@freefall.freebsd.org>
References: <201001062255.o06MtanW089116@freefall.freebsd.org>
User-Agent: Mutt/1.5.20 (2009-06-14)

After updating the source to 8.0-RELEASE-p2 (according to /usr/src/UPDATING),
the build procedure for ntpd failed;

# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend && make && make install
don't know how to make /usr/obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop

So I changed the procedure as follows, to make it work;

# cd /usr/src/usr.sbin/ntp/ntpd
# make obj && make depend
# cd ../libparse/
# make obj && make depend && make
# cd ../libopts/
# make obj && make depend && make
# cd ../libntp/
# make obj && make depend && make
# cd ../ntpd
# make && make install
# /etc/rc.d/ntpd restart

I do not know what the cause of this problem is, but I suspect a Makefile
somewhere. If more people report this, maybe an errata notice should be
posted?

Hope this helps.
Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iEYEARECAAYFAktGLZIACgkQEnfvsMMhpyWgsgCgirwdp/lGKKfkcGEZ2oZcyYp5
kkIAn0Cg8wtaJ4HKMxDJtefIzZ/Kuxy0
=eFdt
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 19:42:39 2010
From: Roberto Nunnari
To: Roland Smith
Cc: freebsd-security@freebsd.org
Date: Thu, 07 Jan 2010 20:42:40 +0100
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd
Message-ID: <4B463930.5070008@supsi.ch>
In-Reply-To: <20100107185306.GA2742@slackbox.xs4all.nl>
References: <201001062255.o06MtanW089116@freefall.freebsd.org> <20100107185306.GA2742@slackbox.xs4all.nl>
User-Agent: Thunderbird 2.0.0.23 (Windows/20090812)

Roland Smith wrote:
> After updating the source to 8.0-RELEASE-p2 (according to /usr/src/UPDATING),
> the build procedure for ntpd failed;
>
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> don't know how to make /usr/obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop
>
> So I changed the procedure as follows, to make it work;
>
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend
> # cd ../libparse/
> # make obj && make depend && make
> # cd ../libopts/
> # make obj && make depend && make
> # cd ../libntp/
> # make obj && make depend && make
> # cd ../ntpd
> # make && make install
> # /etc/rc.d/ntpd restart
>
> I do not know what the cause of this problem is, but I suspect a Makefile
> somewhere. If more people report this, maybe an errata notice should be
> posted?
>
> Hope this helps.
>
> Roland

I may be wrong (please correct me if I'm wrong), but I believe the problem
comes from whether you have previously run 'make buildworld' and deleted (or
not) /usr/obj/*

If you have the results of a previous 'make buildworld' under /usr/obj/ then
the original post procedure works fine, while if you don't it will fail.
In that case, just cd .. and repeat the above steps.
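The mode 7 (MODE_PRIVATE) reply loop that the SA-10:02 advisory quoted earlier in this thread describes, worked through as an added example. This is not code from the advisory, from ntpd or from anyone on the list: it parses the NTP header byte to recognise mode 7 packets and their response bit, models the advisory's reply rule (log and answer with a mode 7 error unless the source is covered by 'restrict ... noquery' or 'restrict ... ignore'), simulates two daemons bouncing error responses under that rule, and runs a detector over a constructed capture. The "patched" rule (never answer a mode 7 packet that already carries the response bit) is this example's assumption about what the corrected ntp_request.c does, not something the advisory states; the addresses, the packets and the error code value are constructed for the example.

```python
"""Added example for FreeBSD-SA-10:02.ntpd (not code from the advisory or ntpd).
Parses mode 7 NTP headers, models the reply rule from the advisory, simulates
the error-response loop between two daemons, and detects that loop in traffic.
The 'patched' rule below is an assumption about the fix, not advisory text."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Tuple

MODE_PRIVATE = 7   # NTP mode 7: ntpd's private query/control mode
RESP_BIT = 0x80    # byte 0 of a mode 7 packet: R(response) M(more) version(3) mode(3)
ERR_REQ = 2        # representative mode 7 error code (constructed for this example)
IMPL_XNTPD = 3     # implementation number carried in byte 2 of ntpd's mode 7 packets


@dataclass(frozen=True)
class NtpHeader:
    version: int
    mode: int
    is_response: bool   # meaningful only for mode 7
    err_code: int       # top nibble of the err_nitems field; 0 unless a mode 7 error


def parse_ntp(payload: bytes) -> NtpHeader:
    """Decode just the fields needed to recognise mode 7 traffic in a UDP payload."""
    if len(payload) < 8:
        raise ValueError("too short for an NTP header")
    b0 = payload[0]
    mode = b0 & 0x07              # low 3 bits are the mode for every NTP packet type
    version = (b0 >> 3) & 0x07    # next 3 bits are the version
    if mode != MODE_PRIVATE:
        return NtpHeader(version, mode, False, 0)
    is_response = bool(b0 & RESP_BIT)
    err_code = payload[4] >> 4    # err_nitems is big-endian; error code is its top nibble
    return NtpHeader(version, mode, is_response, err_code)


def build_mode7(is_response: bool, err_code: int = 0, version: int = 2) -> bytes:
    """Construct a minimal 8-byte mode 7 header: a request, or an error response."""
    b0 = (RESP_BIT if is_response else 0) | (version << 3) | MODE_PRIVATE
    err_nitems = (err_code & 0x0F) << 12          # error code in the top nibble, no items
    return bytes([b0, 0, IMPL_XNTPD, 0]) + err_nitems.to_bytes(2, "big") + b"\x00\x00"


def should_reply(hdr: NtpHeader, restrict_flags: FrozenSet[str], patched: bool) -> bool:
    """Advisory's rule: a mode 7 request or error response from a source not
    restricted with noquery/ignore gets a logged mode 7 error response.
    The patched variant (assumed here) additionally never answers a response."""
    if hdr.mode != MODE_PRIVATE:
        return False
    if restrict_flags & {"ignore", "noquery"}:
        return False
    if patched and hdr.is_response:
        return False
    return True


def simulate_exchange(first_packet: bytes, restrict_a: FrozenSet[str],
                      restrict_b: FrozenSet[str], patched: bool,
                      max_rounds: int = 1000) -> int:
    """Deliver first_packet to daemon A as if it came from daemon B, then hand
    every error response to the other daemon.  Returns the number of error
    responses sent before a daemon declined to answer (max_rounds means a loop)."""
    sent = 0
    pkt = first_packet
    receiver = "A"
    while sent < max_rounds:
        flags = restrict_a if receiver == "A" else restrict_b
        if not should_reply(parse_ntp(pkt), flags, patched):
            break
        pkt = build_mode7(is_response=True, err_code=ERR_REQ)   # the logged error reply
        sent += 1
        receiver = "B" if receiver == "A" else "A"
    return sent


def find_mode7_loops(packets: Iterable[Tuple[str, str, bytes]],
                     local_ntpd: FrozenSet[str]) -> List[Tuple[str, str, int]]:
    """Detection: mode 7 error responses flowing between two of our own ntpd
    hosts are the signature of the advisory's ping-pong; return (src, dst, err)."""
    hits = []
    for src, dst, payload in packets:
        try:
            hdr = parse_ntp(payload)
        except ValueError:
            continue
        if (hdr.mode == MODE_PRIVATE and hdr.is_response and hdr.err_code
                and src in local_ntpd and dst in local_ntpd):
            hits.append((src, dst, hdr.err_code))
    return hits


# Constructed sample capture: two local servers bouncing errors, an ordinary
# v3 client (mode 3) query, and a plain mode 7 request that is not a loop.
LOCAL_NTPD = frozenset({"192.0.2.10", "192.0.2.20"})
SAMPLE_PACKETS = [
    ("192.0.2.10", "192.0.2.20", build_mode7(True, ERR_REQ)),
    ("192.0.2.20", "192.0.2.10", build_mode7(True, ERR_REQ)),
    ("203.0.113.5", "192.0.2.10", bytes([0x1B]) + bytes(47)),
    ("203.0.113.5", "192.0.2.10", build_mode7(False)),
]

if __name__ == "__main__":
    none = frozenset()
    print("unpatched, unrestricted:", simulate_exchange(build_mode7(False), none, none, False))
    print("patched, unrestricted:  ", simulate_exchange(build_mode7(False), none, none, True))
    print("unpatched, noquery on A:", simulate_exchange(build_mode7(False), frozenset({"noquery"}), none, False))
    print("loop hits:", find_mode7_loops(SAMPLE_PACKETS, LOCAL_NTPD))
```

Run stand-alone it shows the three outcomes the advisory implies: with neither daemon restricted the unpatched rule never terminates (the simulation stops at its cap), the patched rule sends exactly one error response, and 'restrict ... noquery' on the receiving daemon sends none. The detector is the defender's angle on the same packet layout: a burst of mode 7 error responses between two hosts you operate is the observable the advisory's impact section describes, and it is visible on the wire before the log volume becomes a problem.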
From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 20:09:10 2010
From: Miroslav Lachman <000.fbsd@quip.cz>
To: Roland Smith
Cc: freebsd-security@freebsd.org
Date: Thu, 07 Jan 2010 20:53:57 +0100
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd
Message-ID: <4B463BD5.5050703@quip.cz>
In-Reply-To: <20100107185306.GA2742@slackbox.xs4all.nl>
References: <201001062255.o06MtanW089116@freefall.freebsd.org> <20100107185306.GA2742@slackbox.xs4all.nl>
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.6) Gecko/20091206 SeaMonkey/2.0.1

Roland Smith wrote:
> After updating the source to 8.0-RELEASE-p2 (according to /usr/src/UPDATING),
> the build procedure for ntpd failed;
>
> # cd /usr/src/usr.sbin/ntp/ntpd
> # make obj && make depend && make && make install
> don't know how to make /usr/obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop

Try
cd /usr/src/usr.sbin/ntp
instead of
cd /usr/src/usr.sbin/ntp/ntpd

Miroslav Lachman

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 22:04:58 2010
From: Roland Smith
To: Miroslav Lachman <000.fbsd@quip.cz>
Date: Thu, 7 Jan 2010 23:04:56 +0100
Message-ID: <20100107220456.GA8413@slackbox.xs4all.nl>
In-Reply-To: <4B463BD5.5050703@quip.cz>
References: <201001062255.o06MtanW089116@freefall.freebsd.org> <20100107185306.GA2742@slackbox.xs4all.nl> <4B463BD5.5050703@quip.cz>
User-Agent: Mutt/1.5.20 (2009-06-14)
Cc: freebsd-security@freebsd.org
Subject: Re: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd

On Thu, Jan 07, 2010 at 08:53:57PM +0100, Miroslav Lachman wrote:
> Roland Smith wrote:
> > After updating the source to 8.0-RELEASE-p2 (according to /usr/src/UPDATING),
> > the build procedure for ntpd failed;
> >
> > # cd /usr/src/usr.sbin/ntp/ntpd
> > # make obj && make depend && make && make install
> > don't know how to make /usr/obj/usr/src/usr.sbin/ntp/ntpd/../libparse/libparse.a. Stop
>
> Try
> cd /usr/src/usr.sbin/ntp
> instead of
> cd /usr/src/usr.sbin/ntp/ntpd

Ah. I should have thought of that. :-/ That works fine, thanks!

Roland
-- 
R.F.Smith                                   http://www.xs4all.nl/~rsmith/
[plain text _non-HTML_ PGP/GnuPG encrypted/signed email much appreciated]
pgp: 1A2B 477F 9970 BA3C 2914 B7CE 1277 EFB0 C321 A725 (KeyID: C321A725)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (FreeBSD)

iEYEARECAAYFAktGWogACgkQEnfvsMMhpyW/iQCdHILEzIlCXsPMr/xpz/81UWT1
RVgAni75/ReeIgYVz7g3jEiXlbDp2y1m
=tsX/
-----END PGP SIGNATURE-----

From owner-freebsd-security@FreeBSD.ORG Thu Jan 7 22:07:04 2010
From: Garrett Wollman
To: freebsd-security@freebsd.org
Date: Thu, 7 Jan 2010 17:07:02 -0500
Subject: TLS renegotiation fix approved
Message-ID: <19270.23302.826607.888490@hergotha.csail.mit.edu>
X-Mailer: VM 7.17 under 21.4 (patch 22) "Instant Classic" XEmacs Lucid

The IESG today approved the publication of the fix for the SSL/TLS
renegotiation protocol bug as a Proposed Standard. We should expect to
see updates from all the major security libraries (OpenSSL, GnuTLS, and
NSS) fairly quickly as the developers have all been involved in the
process and have already implemented the draft version of the fix.

-GAWollman