From owner-freebsd-announce@FreeBSD.ORG Mon Apr 29 15:10:13 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6EB1C71C for ; Mon, 29 Apr 2013 15:10:13 +0000 (UTC) (envelope-from carpeddiem@gmail.com) Received: from mail-oa0-f42.google.com (mail-oa0-f42.google.com [209.85.219.42]) by mx1.freebsd.org (Postfix) with ESMTP id 429E91ADB for ; Mon, 29 Apr 2013 15:10:12 +0000 (UTC) Received: by mail-oa0-f42.google.com with SMTP id i10so6209542oag.15 for ; Mon, 29 Apr 2013 08:10:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:x-received:sender:date:x-google-sender-auth:message-id :subject:from:to:content-type; bh=INrIh0N4hVv5hlnlAF9ySPkrll71Y41nJYbMKpQNkqQ=; b=WrvzFlOcUbkZPBk3WHpApGkYHtv7XvE0VXiLXkh6lkOSqIZihT/vyBaKcQAppXHXIc A4IUmovMBMabp/9gEq0QYrBpEmhVU9cxkk/eAIqkC5Lrz7ppfSbr0kiXIAUKG1GUiRW5 e+3WPfWxsbxIqjzuxflt7ljUtje9fjPrNWgvj+9Pp3W+L6lO+WXR53ofK0DLLdG2H6TI zfrTU+aJKrL/m5B7iy06kDfTbwd4GUfarMx3TOqiFa/dIVGVlq3pEUd6Gh7OWO7ZpZeF wm2RpfcZ6d9YOZH7xHEINqYQK4zbV3SUpbtlXQFFt2BgzEeUx1QxIjMweNNlxXGnDE+C QzeA== MIME-Version: 1.0 X-Received: by 10.182.112.202 with SMTP id is10mr27882338obb.8.1367248206335; Mon, 29 Apr 2013 08:10:06 -0700 (PDT) Sender: carpeddiem@gmail.com Received: by 10.60.76.229 with HTTP; Mon, 29 Apr 2013 08:10:06 -0700 (PDT) Date: Mon, 29 Apr 2013 11:10:06 -0400 X-Google-Sender-Auth: DPA_vmap5WTpzdRKFFZCB0YF2BM Message-ID: From: Ed Maste To: freebsd-announce@freebsd.org Content-Type: text/plain; charset=ISO-8859-1 X-Mailman-Approved-At: Mon, 29 Apr 2013 15:34:15 +0000 Subject: [FreeBSD-Announce] FreeBSD Foundation announces second technical staff member and iSCSI project X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Apr 2013 15:10:13 -0000 The FreeBSD Foundation is pleased to announce that Edward Tomasz Napierala has joined as its second member of technical staff. This is a continuation of the Foundation's plan to invest in staff in 2013. A FreeBSD committer since 2007, Edward previously completed a number of projects under Foundation grants, including safe device removal with mounted filesystems, growing mounted filesystems, and resource containers. Edward is currently implementing a native in-kernel iSCSI stack (both target and initiator) for this increasingly popular block storage protocol. "Although there are a number of iSCSI target implementations that support FreeBSD, the project lacks a high performance and reliable in-kernel target. As iSCSI gains favor, this stack will be a key element in maintaining FreeBSD's competitive position in enterprise and open-source deployments" said Justin T. Gibbs, president of the FreeBSD Foundation. The project is expected to be completed in October 2013. Another part of Edward's responsibilities will be assisting the FreeBSD Security Team in preparing security advisories and patches. Edward lives in Warsaw, Poland. From owner-freebsd-announce@FreeBSD.ORG Mon Apr 29 20:55:38 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 6C5B8187; Mon, 29 Apr 2013 20:55:38 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 4DA891EF1; Mon, 29 Apr 2013 20:55:38 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TKtcB3039953; Mon, 29 Apr 2013 20:55:38 GMT (envelope-from security-advisories@freebsd.org) Received: (from des@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r3TKtcrk039951; Mon, 29 Apr 2013 20:55:38 GMT (envelope-from security-advisories@freebsd.org) Date: Mon, 29 Apr 2013 20:55:38 GMT Message-Id: <201304292055.r3TKtcrk039951@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: des set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Apr 2013 20:55:38 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:05.nfsserver Security Advisory The FreeBSD Project Topic: Insufficient input validation in the NFS server Category: core Module: nfsserver Announced: 2013-04-29 Credits: Adam Nowacki Affects: All supported versions of FreeBSD. Corrected: 2013-04-29 20:15:43 UTC (stable/8, 8.4-PRERELEASE) 2013-04-29 20:15:47 UTC (releng/8.3, 8.3-RELEASE-p8) 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC1-p1) 2013-04-29 20:16:25 UTC (releng/8.4, 8.4-RC2-p1) 2013-04-29 20:15:55 UTC (stable/9, 9.1-STABLE) 2013-04-29 20:16:00 UTC (releng/9.1, 9.1-RELEASE-p3) CVE Name: CVE-2013-3266 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were on local disks. FreeBSD includes server and client implementations of NFS. FreeBSD 8.0 and onward has two NFS implementations: the original CSRG NFSv2 and NFSv3 implementation and a new implementation which also supports NFSv4. FreeBSD 9.0 and onward uses the new NFS implementation by default. II. Problem Description When processing READDIR requests, the NFS server does not check that it is in fact operating on a directory node. An attacker can use a specially modified NFS client to submit a READDIR request on a file, causing the underlying filesystem to interpret that file as a directory. III. Impact The exact consequences of an attack depend on the amount of input validation in the underlying filesystem: - If the file resides on a UFS filesystem on a little-endian server, an attacker can cause random heap corruption with completely unpredictable consequences. - If the file resides on a ZFS filesystem, an attacker can write arbitrary data on the stack. It is believed, but has not been confirmed, that this can be exploited to run arbitrary code in kernel context. Other filesystems may also be vulnerable. IV. Workaround Systems that do not provide NFS service are not vulnerable. Neither are systems that do but use the old NFS implementation, which is the default in FreeBSD 8.x. To determine which implementation an NFS server is running, run the following command: # kldstat -v | grep -cw nfsd This will print 1 if the system is running the new NFS implementation, and 0 otherwise. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch # fetch http://security.FreeBSD.org/patches/SA-03:15/nfsserver.patch.asc # gpg --verify nfsserver.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r250058 releng/8.3/ r250059 releng/8.4/ r250062 stable/9/ r250060 releng/9.1/ r250061 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAlF+18oACgkQFdaIBMps37J1PACgm+zcbGd6xF1hkpvFVJbbwR0Q 9PoAnivbP1R0qXFyTlF/t3+sUYcxBtfQ =polM -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Mon Apr 29 21:56:50 2013 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 64F72FEF; Mon, 29 Apr 2013 21:56:50 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) by mx1.freebsd.org (Postfix) with ESMTP id 4873A15BE; Mon, 29 Apr 2013 21:56:50 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TLunbU052339; Mon, 29 Apr 2013 21:56:49 GMT (envelope-from security-advisories@freebsd.org) Received: (from des@localhost) by freefall.freebsd.org (8.14.6/8.14.6/Submit) id r3TLunPJ052337; Mon, 29 Apr 2013 21:56:49 GMT (envelope-from security-advisories@freebsd.org) Date: Mon, 29 Apr 2013 21:56:49 GMT Message-Id: <201304292156.r3TLunPJ052337@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: des set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:05.nfsserver [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Apr 2013 21:56:50 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-13:05.nfsserver Security Advisory The FreeBSD Project Topic: Insufficient input validation in the NFS server Category: core Module: nfsserver Announced: 2013-04-29 Revised: 2013-04-29 Credits: Adam Nowacki Affects: All supported versions of FreeBSD. Corrected: 2013-04-29 21:10:49 UTC (stable/8, 8.4-PRERELEASE) 2013-04-29 21:10:53 UTC (releng/8.3, 8.3-RELEASE-p8) 2013-04-29 21:11:31 UTC (releng/8.4, 8.4-RC1-p1) 2013-04-29 21:11:31 UTC (releng/8.4, 8.4-RC2-p1) 2013-04-29 21:11:01 UTC (stable/9, 9.1-STABLE) 2013-04-29 21:11:05 UTC (releng/9.1, 9.1-RELEASE-p3) CVE Name: CVE-2013-3266 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2013-04-29 Initial release. v1.1 2013-04-29 Corrected patch URL. Additional workaround information. I. Background The Network File System (NFS) allows a host to export some or all of its file systems so that other hosts can access them over the network and mount them as if they were on local disks. FreeBSD includes server and client implementations of NFS. FreeBSD 8.0 and onward has two NFS implementations: the original CSRG NFSv2 and NFSv3 implementation and a new implementation which also supports NFSv4. FreeBSD 9.0 and onward uses the new NFS implementation by default. II. Problem Description When processing READDIR requests, the NFS server does not check that it is in fact operating on a directory node. An attacker can use a specially modified NFS client to submit a READDIR request on a file, causing the underlying filesystem to interpret that file as a directory. III. Impact The exact consequences of an attack depend on the amount of input validation in the underlying filesystem: - If the file resides on a UFS filesystem on a little-endian server, an attacker can cause random heap corruption with completely unpredictable consequences. - If the file resides on a ZFS filesystem, an attacker can write arbitrary data on the stack. It is believed, but has not been confirmed, that this can be exploited to run arbitrary code in kernel context. Other filesystems may also be vulnerable. IV. Workaround Systems that do not provide NFS service are not vulnerable. Neither are systems that do but use the old NFS implementation, which is the default in FreeBSD 8.x. To determine which implementation an NFS server is running, run the following command: # kldstat -v | grep -cw nfsd This will print 1 if the system is running the new NFS implementation, and 0 otherwise. To switch to the old NFS implementation: 1) Append the following lines to /etc/rc.conf: nfsv4_server_enable="no" oldnfs_server_enable="yes" 2) If the NFS server is compiled into the kernel (which is the case for the stock GENERIC kernel), replace the NFSD option with the NFSSERVER option, then recompile your kernel as described in . If the NFS server is not compiled into the kernel, the correct module will be loaded at boot time. 3) Finally, reboot the system. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-13:05/nfsserver.patch # fetch http://security.FreeBSD.org/patches/SA-13:05/nfsserver.patch.asc # gpg --verify nfsserver.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r250068 releng/8.3/ r250069 releng/8.4/ r250073 stable/9/ r250070 releng/9.1/ r250071 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3266 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-13:05.nfsserver.asc -----BEGIN PGP SIGNATURE----- iEYEARECAAYFAlF+7BUACgkQFdaIBMps37I3LACeIFS/wiaA6eDn9F8ByZ6V8CH4 GT4AoIrhX24l+LHxpvtHoaDmKOoBpva5 =bbRm -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Thu May 2 13:05:24 2013 Return-Path: Delivered-To: freebsd-announce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id BFDAD6AE for ; Thu, 2 May 2013 13:05:24 +0000 (UTC) (envelope-from gavin@FreeBSD.org) Received: from mail-gw13.york.ac.uk (mail-gw13.york.ac.uk [144.32.129.163]) by mx1.freebsd.org (Postfix) with ESMTP id 0675D1ABD for ; Thu, 2 May 2013 13:05:23 +0000 (UTC) Received: from buffy-128.york.ac.uk ([144.32.128.160]:63085 helo=buffy.york.ac.uk) by mail-gw13.york.ac.uk with esmtps (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1UXtCG-0005Ym-SA for freebsd-announce@FreeBSD.org; Thu, 02 May 2013 14:05:16 +0100 Received: from [127.0.0.1] (localhost [127.0.0.1]) by buffy.york.ac.uk (8.14.6/8.14.6) with ESMTP id r42D5GXZ042880 for ; Thu, 2 May 2013 14:05:16 +0100 (BST) (envelope-from gavin@FreeBSD.org) From: Gavin Atkinson To: freebsd-announce@FreeBSD.org Content-Type: multipart/signed; micalg="pgp-sha1"; protocol="application/pgp-signature"; boundary="=-wnhEN64r5qZ16HqcXbZ3" Date: Thu, 02 May 2013 14:05:16 +0100 Message-ID: <1367499916.35821.7.camel@buffy.york.ac.uk> Mime-Version: 1.0 X-Mailer: Evolution 2.32.1 FreeBSD GNOME Team Port X-Mailman-Approved-At: Thu, 02 May 2013 16:00:22 +0000 Subject: [FreeBSD-Announce] Google Summer of Code 2013 X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list Reply-To: freebsd-hackers@FreeBSD.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 May 2013 13:05:24 -0000 --=-wnhEN64r5qZ16HqcXbZ3 Content-Type: text/plain; charset="ASCII" Content-Transfer-Encoding: quoted-printable Hi all, A reminder: The deadline for applications is 19:00 UTC Friday May 3rd (tomorrow). FreeBSD is pleased to announce that once again we have been selected to participate in the Google Summer of Code program. This gives University students the opportunity to earn a $5000 USD stipend in exchange for working on Open Source software over their Summer break. Students have around 12 weeks to work on their project, and will be mentored by existing FreeBSD committers. Participating organisations will earn $500 USD per student mentored. Over the past eight years we have hosted over 150 successful projects, and look forward to continuing this trend. FreeBSD's organisation page may be found at http://www.google-melange.com/gsoc/org/google/gsoc2013/freebsd and a list of possible project ideas may be found at https://wiki.freebsd.org/IdeasPage . Please note that projects do not have to come from the ideas list, and indeed students are encouraged to produce their own project ideas - the majority of past projects have been thought up by the particpants themselves. We are encouraging discussion of projects on the freebsd-hackers mailing list and the #freebsd-soc IRC channel on EFNet. Students are also encouraged to visit http://www.google-melange.com/ to view more details of the program, including eligibility requirements, and a list of other participating organisations. If you have administrative questions you can contact the FreeBSD GSoC administration team at soc-admins@FreeBSD.org. Thanks, Gavin --=-wnhEN64r5qZ16HqcXbZ3 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (FreeBSD) iEYEABECAAYFAlGCZIwACgkQk13vRKCTJivhkwCfbAN6GgSDMOrl/lKG9D7EXcL1 wuUAn1ib9ufvZXvkgNkb0IaZPE2Dm8+/ =9A8J -----END PGP SIGNATURE----- --=-wnhEN64r5qZ16HqcXbZ3--