From owner-freebsd-announce@FreeBSD.ORG Tue Jan 14 20:11:19 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8B4EF747; Tue, 14 Jan 2014 20:11:19 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 6E7801DFB; Tue, 14 Jan 2014 20:11:19 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EKBJIL082699; Tue, 14 Jan 2014 20:11:19 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0EKBJig082698; Tue, 14 Jan 2014 20:11:19 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 14 Jan 2014 20:11:19 GMT Message-Id: <201401142011.s0EKBJig082698@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:04.bind X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.17 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:11:19 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:04.bind Security Advisory The FreeBSD Project Topic: BIND remote denial of service vulnerability Category: contrib Module: bind Announced: 2014-01-14 Credits: ISC Affects: FreeBSD 8.x and FreeBSD 9.x Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE) 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE) 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) CVE Name: CVE-2014-0591 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. II. Problem Description Because of a defect in handling queries for NSEC3-signed zones, BIND can crash with an "INSIST" failure in name.c when processing queries possessing certain properties. This issue only affects authoritative nameservers with at least one NSEC3-signed zone. Recursive-only servers are not at risk. III. Impact An attacker who can send a specially crafted query could cause named(8) to crash, resulting in a denial of service. IV. Workaround No workaround is available, but systems not running authoritative DNS service with at least one NSEC3-signed zone using named(8) are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE] # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc # gpg --verify bind-release.patch.asc [FreeBSD 9.2-STABLE] # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch # fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc # gpg --verify bind-stable-9.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in . Restart the applicable daemons, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r260646 releng/8.3/ r260647 releng/8.4/ r260647 stable/9/ r260646 releng/9.1/ r260647 releng/9.2/ r260647 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG 9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5 fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm 067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq 7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO UWWemqWuz3lAZuORQ9KX =OQzQ -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Jan 14 20:11:16 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 7D18E461; Tue, 14 Jan 2014 20:11:16 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 5F74B1DF5; Tue, 14 Jan 2014 20:11:16 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EKBGau082661; Tue, 14 Jan 2014 20:11:16 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0EKBGS0082660; Tue, 14 Jan 2014 20:11:16 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 14 Jan 2014 20:11:16 GMT Message-Id: <201401142011.s0EKBGS0082660@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:03.openssl X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.17 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:11:16 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:03.openssl Security Advisory The FreeBSD Project Topic: OpenSSL multiple vulnerabilities Category: contrib Module: openssl Announced: 2014-01-14 Affects: FreeBSD 10.0 prior to 10.0-RC5 Corrected: 2014-01-07 20:04:41 UTC (stable/10, 10.0-PRERELEASE) 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC5) 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC4-p1) 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC3-p1) 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC2-p1) 2014-01-07 20:06:20 UTC (releng/10.0, 10.0-RC1-p1) CVE Name: CVE-2013-4353, CVE-2013-6449, CVE-2013-6450 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library. II. Problem Description A carefully crafted invalid TLS handshake could crash OpenSSL with a NULL pointer exception. [CVE-2013-4353] A flaw in DTLS handling can cause an application using OpenSSL and DTLS to crash. [CVE-2013-6450] A flaw in OpenSSL can cause an application using OpenSSL to crash when using TLS version 1.2. [CVE-2013-6449] III. Impact An attacker can send a specifically crafted packet that could cause an OpenSSL enabled application to crash, resulting in a Denial of Service. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch # fetch http://security.FreeBSD.org/patches/SA-14:03/openssl.patch.asc # gpg --verify openssl.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in . Restart all deamons using the library, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/10/ r260404 releng/10.0/ r260405 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS1ZTSAAoJEO1n7NZdz2rnHboP/Ryb4a9ENJ7J/S00E8V1YToh hihrCKssMl6GVltS4oeyAmAW+mDx3DZy+RmAEhgjyAX4gpAxcY/g665j5BMtWAtV LLJTI9D6ynO7+2y8CeD3W7tk28hNtBPWSV+cGi7USQMKijs6euPocgTU7TnAuF/e /jcDTn8Sx/Sq0d3ecTWFBOcPHiq5sm/3pW5B1RVxY9DL+zhQ7T/Rb6pgfp6trssM p8dklzoBReHqs1iPUC4RyhWXOoQoq5VX500b9SHh2X/7eBSq1ab76VF3x+9VOpjj VRxL9sdkmp+iaVfMHxms3vCLSDlmpgYpq5SftL3jgkequPCpU6NFQGFQKw2crdL0 NY7dDPjMuvDzzdG7BZtt1mjpRMMMGmZ7fK0myP0+a3YbXEEZeAGT6k07er/xkGCr uTWyPNM4g3Ulwkfnz60TbFrdMdiCJbRVC9xxOkGEALe882v0WWGPhx9IVbT3dGVw KGFOXM+IqF55JuaHQ0u/B4wrjBfgBSgOt90TDyMJ5rPjiKG9wyUWnn7QziAVJQ0M 0H/82/2cxNX5+efWNi7xhss2fs1zcU3kiyr135mqamgOQyPG8jFOF7RhdpeGfzVk ollQG+y1uwVTAWhmVb4MSaAuJw8ixVuap73Rbyug+MuKRLgR2jSxHFiBeiHLA1eG 1+DWJPX0+/zoNakLiw+r =YOCY -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Jan 14 20:11:08 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8B44F36C; Tue, 14 Jan 2014 20:11:08 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 6B9C21D9A; Tue, 14 Jan 2014 20:11:08 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EKB8ZH082593; Tue, 14 Jan 2014 20:11:08 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0EKB8Zw082592; Tue, 14 Jan 2014 20:11:08 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 14 Jan 2014 20:11:08 GMT Message-Id: <201401142011.s0EKB8Zw082592@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:01.bsnmpd X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.17 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:11:08 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:01.bsnmpd Security Advisory The FreeBSD Project Topic: bsnmpd remote denial of service vulnerability Category: contrib Module: bsnmp Announced: 2014-01-14 Credits: Dirk Meyer Affects: All supported versions of FreeBSD. Corrected: 2014-01-14 19:02:14 UTC (stable/10, 10.0-PRERELEASE) 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RELEASE) 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC5-p1) 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC4-p1) 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC3-p1) 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC2-p1) 2014-01-14 19:10:38 UTC (releng/10.0, 10.0-RC1-p1) 2014-01-14 19:17:20 UTC (stable/9, 9.2-STABLE) 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) 2014-01-14 19:17:20 UTC (stable/8, 8.4-STABLE) 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) CVE Name: CVE-2014-1452 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The bsnmpd is a simple and extensible SNMP daemon serves the Internet SNMP (Simple Network Management Protocol). II. Problem Description The bsnmpd(8) daemon is prone to a stack-based buffer-overflow when it has received a specifically crafted GETBULK PDU request. III. Impact This issue could be exploited to execute arbitrary code in the context of the service daemon, or crash the service daemon, causing a denial-of-service. IV. Workaround No workaround is available, but systems not running bsnmpd(8) are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch # fetch http://security.FreeBSD.org/patches/SA-14:01/bsnmpd.patch.asc # gpg --verify bsnmpd.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in . Restart the bsnmpd(8) daemons, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r260642 releng/8.3/ r260647 releng/8.4/ r260647 stable/9/ r260642 releng/9.1/ r260647 releng/9.2/ r260647 stable/10/ r260638 releng/10.0/ r260640 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS1ZS6AAoJEO1n7NZdz2rnDXwP/1iQmuO8VLjZoD3LMpiHyA/i YgwjX5x9XT2MyVrRmu+nHaCG3ZDC4/IV72/jCzV8udQJ1RF6Aswhuk6mXI7oatol OYF27JnRVAJQjAvXw3zMsp4hLv631TvgO1Az1vK7f1pX8bDC/eBTaiCH7I6QBYGS E4Fsi2MwOWIRyglTjlFSL8Wb2yQmzkKCx/EVFF/6mRC7l3a9pkHf5VKQtut1KYFu 5QF5cG5anur4daP4w45yWsl0qkRDO5mJdpD+S3NtzydluWzz/Dk/0laS5wB+LLzV cXC5/GR/acQhO+MvDIDT4Emra2OXzsheEahOJhLKHsBF8pHBi5IldkVwQmme76/g aR1gLSFJ5LYcpAgBQgeWKXXCAol5zNRCR8v8IBnV2+rYRSrIdl5lstgVmla++xJD +bC7PbTqcLlyFGrMEvd/mAvX1PVa9BVYtaxXA5QZq5EHP7nsKotcAk7/kouVfmao Gdxlt7YjRic6D/WqF8RFiQv9ezpbEnMQ1BwOCSUEJasXlyxJXYA6vva7tyM3OmyD c2I9JLeV8aCUgIf3s+HoGcZhz01kmu9REQ/OEDtiN8kX94WOzpectf8V5g+JnxRd HoOfcvrChohL4nla+3RvG1LJo5KD5N09yHnV2y3LjxTdKu9Hw4ATzFwmPmEUqUfG eF12aO4PVp42wYWNHtGe =xZTc -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Jan 14 20:11:12 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id F1CCA370; Tue, 14 Jan 2014 20:11:12 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id DBE411D9E; Tue, 14 Jan 2014 20:11:12 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EKBClI082627; Tue, 14 Jan 2014 20:11:12 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0EKBCXp082626; Tue, 14 Jan 2014 20:11:12 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 14 Jan 2014 20:11:12 GMT Message-Id: <201401142011.s0EKBCXp082626@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:02.ntpd X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.17 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:11:13 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:02.ntpd Security Advisory The FreeBSD Project Topic: ntpd distributed reflection Denial of Service vulnerability Category: contrib Module: ntpd Announced: 2014-01-14 Affects: All supported versions of FreeBSD. Corrected: 2014-01-14 19:04:33 UTC (stable/10, 10.0-PRERELEASE) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RELEASE) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC5-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC4-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC3-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC2-p1) 2014-01-14 19:12:40 UTC (releng/10.0, 10.0-RC1-p1) 2014-01-14 19:20:41 UTC (stable/9, 9.2-STABLE) 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) 2014-01-14 19:20:41 UTC (stable/8, 8.4-STABLE) 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) CVE Name: CVE-2013-5211 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description The ntpd(8) daemon supports a query 'monlist' which provides a history of recent NTP clients without any authentication. III. Impact An attacker can send 'monlist' queries and use that as an amplification of a reflection attack. IV. Workaround The administrator can implement one of the following possible workarounds to mitigate the attack: 1) Restrict access to ntpd(8). This can be done by adding the following lines to /etc/ntp.conf: restrict -4 default nomodify nopeer noquery notrap restrict -6 default nomodify nopeer noquery notrap restrict 127.0.0.1 restrict -6 ::1 restrict 127.127.1.0 And restart the ntpd(8) daemon. Time service is not affected and the administrator can still perform queries from local host. 2) Use IP based restrictions in ntpd(8) itself or in IP firewalls to restrict which systems can access ntpd(8). 3) Replace the base system ntpd(8) with net/ntp-devel (version 4.2.7p76 or newer) V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch # fetch http://security.FreeBSD.org/patches/SA-14:02/ntpd.patch.asc # gpg --verify ntpd.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch Recompile the operating system using buildworld and installworld as described in . Restart the ntpd(8) daemon, or reboot the system. 3) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install Note that the patch would disable monitoring features of ntpd(8) daemon by default. If the feature is desirable, the administrator can choose to enable it and firewall access to ntpd(8) service. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r260641 releng/8.3/ r260647 releng/8.4/ r260647 stable/9/ r260641 releng/9.1/ r260647 releng/9.2/ r260647 stable/10/ r260639 releng/10.0/ r260641 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS1ZTLAAoJEO1n7NZdz2rnn7YP/2DcBtR4LAlMLqa9t8WsFVrD zrfmitYv5xZ6TUGURfQ3mhF4Xv+vSaYt5AWphBjo/Um+dZLTrX3NXJyjLWenCFZ1 vUgoeT4czdh/sWXBO+BdahswttJ6uPO0ZPeW/TpczHMrfG++r6FZtcavYj1gWUPX rQUEh3IRT5MzzcdiIdQFOpi6OeOP7hem5pNOqYwjyy4L4wrgIUetaMpvqXgi2Wa+ R2vqQNpFAPxKkMkbohLEPRmEK9dXGXejQ7EHFK5jzxInyg32WGFPkJ46bLw3bEsB sIoh+sxQ3J9mxyaykhX6T7U7PUkzBaNSs62bQE5H8695E30obnZqtfon6qBP5UCT /kF1+42RIQIPJUFS22NXaUJVOkpd2zyVhwLxgCHg96PHwd1VAC0bnuB4CQt8lN2C vcOsFcq6CUpMuteURBeiETb0OGWTTT3gyX4T7N4kRKptvmEVUKxZPnmfJCwNHM2I TzM2HbHaBv9CMIy5X4iDQxLH3w3tSh+IHU6m9cN5rd6JDTa5DQEuRkhaeVbCGHRt EcSHvUCr+llacITA2rkm1/KPcP97nGgbbM2QbbUVZ/vkdEcImPfrBzrBbaoBzf5p FTplhJ/4bfF0/Kgt5GTNgQXqtIuEQOs+ljNu2HW+cAfX2Hizlo7jjfMxS0y7/fY2 hBdg8zuXs/rBI2LKUcP6 =7q6W -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Jan 14 20:11:51 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 13D4A620; Tue, 14 Jan 2014 20:11:51 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id E75711E4A; Tue, 14 Jan 2014 20:11:50 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EKBoGl082740; Tue, 14 Jan 2014 20:11:50 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0EKBoi7082738; Tue, 14 Jan 2014 20:11:50 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 14 Jan 2014 20:11:50 GMT Message-Id: <201401142011.s0EKBoi7082738@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Errata Notices To: FreeBSD Errata Notices Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:01.random X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.17 Reply-To: freebsd-stable@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:11:51 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-14:01.random Errata Notice The FreeBSD Project Topic: /dev/random should not make direct usage of hardware RNG Category: core Module: random Announced: 2014-01-14 Affects: All versions of FreeBSD prior to 10.0-BETA1 Corrected: 2014-01-14 19:27:42 UTC (stable/9, 9.2-STABLE) 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) 2014-01-14 19:27:42 UTC (stable/8, 8.4-STABLE) 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The random(4) and urandom(4) devices return an endless supply of pseudo-random bytes when read. Cryptographic algorithms often depend on the secrecy of these pseudo-random values for security. Yarrow is a secure pseudo-random number generator that combines entropy from several entropy sources, mitigating a possible attack when someone could predict the output when they are able to intercept one or more of the entropy sources II. Problem Description When a hardware RNG exists, the FreeBSD random(4) and urandom(4) devices would use their output directly. III. Impact Someone who has control over these hardware RNGs would be able to predicate the output from random(4) and urandom(4) devices and may be able to reveal unique keys that are used to encrypt data. IV. Workaround Disable the hardware RNGs by adding the following settings to /boot/loader.conf and reboot the system: hw.nehemiah_rng_enable=0 hw.ivy_rng_enable=0 V. Solution Hardware RNGs would be disabled by default with this errata notice. They can be re-enabled by setting the corresponding loader tunables to non-zero value. Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 9.2 and 8.4] # fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch # fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.2-8.4.patch.asc # gpg --verify random-9.2-8.4.patch.asc [FreeBSD 9.1] # fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch # fetch http://security.FreeBSD.org/patches/EN-14:01/random-9.1.patch.asc # gpg --verify random-9.1.patch.asc [FreeBSD 8.3] # fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch # fetch http://security.FreeBSD.org/patches/EN-14:01/random-8.3.patch.asc # gpg --verify random-8.3.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r260644 releng/8.3/ r260647 releng/8.4/ r260647 stable/9/ r260644 releng/9.1/ r260647 releng/9.2/ r260647 - ------------------------------------------------------------------------- VII. References The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-14:01.random.asc -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS1ZSoAAoJEO1n7NZdz2rnZcgP/3ITOg59t4PmOg2vUrlMsf35 jVDZojqeu+XgDepYi37HJVB6pHSWusYoI59YP6O2N1n15W34Bp91Vcthofyr+jgx 7Guz+DXOqZy1yxGMSGkAl0hIrksszqp5kAADy4f1NMkFmvc2+8dXW1xmxYpDHrkG d/alEeK0LuFgWXYnnrea3x/aWqEVVR+/YhCbk8FTD01Q4zqtfacIDfNL+gLf4Mhx gNO1HSHmvS4GEF1gawtHzY4i6rGX9e4LgxKSEKSMUXfl1WUfnD5f62z9FB1UN1Js EfVniP2ZN2ojAzoVWfiX5WDhpMA/KZpdTSLF+zOM1/Tr+7+N7WTYftL6nHy/HSj8 LmsIZnSE4F7F2hFlZu7PPwGzaIj/rYk5tRzw3nTIoIwVoLbvbevzCrl0rIocq2CK Sm5WV2qvMuWB+ZK2ZuzCIxAj6/fuLbUIBHmHd2VFfxWXcSwoK/cW3pFPMDyHKtJJ ccocT7kXeHHtnSqzvSN1j1XFZsWdojbYU7HSU8QmiilG3ESvgrzZAKh7V+hC/aF/ TE0Xhaip8X/sOt1NnjHGs8XzA3w7wUukssz2V7gRdarSS7c/+mU23pajLknQ4eiB l3g8z/iX4jPuL8e0sn9GUCXVtTZIXWGl9hSilWeYk6tEihhlf/gVhY6ldCwSoZjr U6gPf7bQn/NzE7wSUaQD =viar -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Tue Jan 14 20:11:54 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id B03F26B9; Tue, 14 Jan 2014 20:11:54 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 91F2B1E55; Tue, 14 Jan 2014 20:11:54 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.7/8.14.7) with ESMTP id s0EKBs7x082753; Tue, 14 Jan 2014 20:11:54 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.7/8.14.7/Submit) id s0EKBsPE082752; Tue, 14 Jan 2014 20:11:54 GMT (envelope-from security-advisories@freebsd.org) Date: Tue, 14 Jan 2014 20:11:54 GMT Message-Id: <201401142011.s0EKBsPE082752@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Errata Notices To: FreeBSD Errata Notices Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:02.mmap X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.17 Reply-To: freebsd-stable@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 14 Jan 2014 20:11:54 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-14:02.mmap Errata Notice The FreeBSD Project Topic: mmap should not coalesce stack entry Category: core Module: kernel Announced: 2014-01-14 Credits: Konstantin Belousov Affects: All supported versions of FreeBSD. Corrected: 2013-12-30 08:57:54 UTC (stable/10, 10.0-PRERELEASE) 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC4) 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC3-p1) 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC2-p1) 2013-12-31 08:02:34 UTC (releng/10.0, 10.0-RC1-p1) 2013-12-30 09:04:06 UTC (stable/9, 9.2-STABLE) 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) 2014-01-14 19:33:28 UTC (stable/8, 8.4-STABLE) 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The FreeBSD virtual memory system allows growing stack by mapping anonymous memory region on top of a stack via mmap(2) system call with MAP_STACK bit enabled in flags parameter. II. Problem Description The FreeBSD virtual memory system tries to coalesce adjacent memory regions into one single object when possible. When growing the stack via mmap(2), it will also try to coalesce the newly allocated memory into the existing object. This would result in a failed assertion later in vm_map_stack(), which expects that a new object is returned. III. Impact The system will panic when this happens. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch # fetch http://security.FreeBSD.org/patches/EN-14:02/mmap.patch.asc # gpg --verify mmap.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r260645 releng/8.3/ r260647 releng/8.4/ r260647 stable/9/ r260082 releng/9.1/ r260647 releng/9.2/ r260647 stable/10/ r260081 releng/10.0/ r260122 - ------------------------------------------------------------------------- VII. References The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-14:02.mmap.asc -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJS1ZSuAAoJEO1n7NZdz2rnsPoQAIFs/URebviZjkMpYJBTahwe Lr50uJSZIlW2nMvi+urLJAB15fJm/WHDdHqp6+WHh5jjCozb45CoIxDFnP5UB4q8 oclsQtKrt4R1dBDEa3RZQoJEm6DIk1YhfAfUtJMhDpROlvWCbBMzZWJbVQec5j3E iyhY1FIl/BD4KWFw/hDhJX5j4HQWA/oZDagx5WZFMsFapq5rOXkC/fq3YHkTJBeW 7YEvAyTuZoj9zBVJ28cEYr7+ULtJMphBdTEzAhFZSEegsM+qyMafTf2c54MdtWR0 pSgoh9i+cSXj444e4eeqLp6LwapW5YGIrKpAmBUwTECBg5F5915i2h8ddCnmJJSM 4Wq7bXJU6PGzFXTDUsAw9HB2HcCMU2EvVNhtM3wp7dSzojLpvrgEoRZKwanu32r1 cuN/awHUGA1fzoUkxMygzT5B44IX+9gyT8lJ4N+PfKGnSO00WY41XkLheDmpgf2b euDrzTSwbupEp70lT45CW6DUlqPXpw0Fn5vyNYBvoaAXineqyvwMkQ6YZwoNmfiU xv2zjY40RkOR8EJKi8L1moBQsfh/i6rtVQhDIHmAU/1VaYBE4zVXS5BYAlUaUJgw 3rc5ho+F2BB+YV+HeaWszjW+NVhiIswpccw4Js7O2HQUA9M2KEq2+DXRtNdEa8/j miG/hWqsuoWjAcrQKjKw =rOvi -----END PGP SIGNATURE-----