From owner-freebsd-announce Mon Jan 29 12:35:53 2001
Delivered-To: freebsd-announce@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 6F88237B6A4; Mon, 29 Jan 2001 12:35:14 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129203514.6F88237B6A4@hub.freebsd.org>
Date: Mon, 29 Jan 2001 12:35:14 -0800 (PST)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:11                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          inetd ident server allows remote users to partially
                read arbitrary wheel-accessible files

Category:       core
Module:         inetd
Announced:      2001-01-29
Credits:        Discovered during internal auditing
Affects:        FreeBSD 3.x (all releases)
                FreeBSD 4.x (all releases)
Corrected:      2000-11-25 (FreeBSD 4.2-STABLE)
                2001-01-26 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

I.   Background

The inetd ident server is an implementation of the RFC1413
identification server which returns the local username of the user
connecting to a remote service.

II.  Problem Description

During internal auditing, the internal ident server in inetd was found
to incorrectly set group privileges according to the user. Due to
ident using root's group permissions, users may read the first 16
(excluding initial whitespace) bytes of wheel-accessible files.

All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

III. Impact

Users can read the first 16 bytes of wheel-accessible files.

To determine which may be potentially read, execute the following
command as root:

# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default. If you have
not enabled the ident portion of inetd, you are not vulnerable.

IV.  Workaround

Disable the internal ident server, if enabled: comment out all lines
beginning with "auth" in /etc/inetd.conf, then restart inetd by
sending it a SIGHUP:

# killall -HUP inetd

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the correction date.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.2 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

[FreeBSD 3.5.1 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

This is the moderated mailing list freebsd-announce.
The list contains announcements of new FreeBSD capabilities,
important events and project milestones.
See also the FreeBSD Web pages at http://www.freebsd.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-announce" in the body of the message

From owner-freebsd-announce Mon Jan 29 12:51:43 2001
Delivered-To: freebsd-announce@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id B149137B69D; Mon, 29 Jan 2001 12:51:06 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:12.periodic
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129205106.B149137B69D@hub.freebsd.org>
Date: Mon, 29 Jan 2001 12:51:06 -0800 (PST)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:12                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          periodic uses insecure temporary files

Category:       core
Module:         periodic
Announced:      2001-01-29
Credits:        dynamo
Affects:        FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE,
                and 4.1.1-STABLE prior to the correction date.
                No FreeBSD 3.x versions are affected.
Corrected:      2000-11-11
FreeBSD only:   Yes

I.   Background

periodic is a program to run periodic system functions.

II.  Problem Description

A vulnerability was inadvertently introduced into periodic that caused
temporary files with insecure file names to be used in the system's
temporary directory. This may allow a malicious local user to cause
arbitrary files on the system to be corrupted.

By default, periodic is normally called by cron for daily, weekly, and
monthly maintenance. Because these scripts run as root, an attacker
may potentially corrupt any file on the system.

FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE
prior to the correction date are vulnerable. The problem was corrected
prior to the release of FreeBSD 4.2.

III. Impact

Malicious local users can cause arbitrary files on the system to be
corrupted.

IV.  Workaround

Do not allow periodic to be used in untrusted multi-user environments.

Disable the normal periodic system maintenance scripts by either
commenting-out or removing the periodic entries in /etc/crontab.

V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date.

2) Affected FreeBSD 4.x systems prior to the correction date:

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc

Execute the following commands as root:

# cd /usr/src/usr.sbin/periodic
# patch -p < /path/to/patch
# make depend && make all install

From owner-freebsd-announce Mon Jan 29 13: 6:58 2001
Delivered-To: freebsd-announce@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 30FE737B402; Mon, 29 Jan 2001 13:06:12 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:12.periodic [REVISED]
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129210612.30FE737B402@hub.freebsd.org>
Date: Mon, 29 Jan 2001 13:06:12 -0800 (PST)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:12                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          periodic uses insecure temporary files [REVISED]

Category:       core
Module:         periodic
Announced:      2001-01-29
Revised:        2001-01-29
Credits:        David Lary
Affects:        FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE,
                and 4.1.1-STABLE prior to the correction date.
                No FreeBSD 3.x versions are affected.
Corrected:      2000-11-11
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-29  Initial release
v1.1  2001-01-29  Correctly credit original problem reporter

I.   Background

periodic is a program to run periodic system functions.

II.  Problem Description

A vulnerability was inadvertently introduced into periodic that caused
temporary files with insecure file names to be used in the system's
temporary directory. This may allow a malicious local user to cause
arbitrary files on the system to be corrupted.

By default, periodic is normally called by cron for daily, weekly, and
monthly maintenance. Because these scripts run as root, an attacker
may potentially corrupt any file on the system.

FreeBSD 4.1-STABLE after 2000-09-20, 4.1.1-RELEASE, and 4.1.1-STABLE
prior to the correction date are vulnerable. The problem was corrected
prior to the release of FreeBSD 4.2.

III. Impact

Malicious local users can cause arbitrary files on the system to be
corrupted.

IV.  Workaround

Do not allow periodic to be used in untrusted multi-user environments.

Disable the normal periodic system maintenance scripts by either
commenting-out or removing the periodic entries in /etc/crontab.

V.   Solution

One of the following:

1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE after the
correction date.

2) Affected FreeBSD 4.x systems prior to the correction date:

Download the patch and the detached PGP signature from the following
locations, and verify the signature using your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-01:12/periodic.patch.asc

Execute the following commands as root:

# cd /usr/src/usr.sbin/periodic
# patch -p < /path/to/patch
# make depend && make all install

From owner-freebsd-announce Mon Jan 29 13: 7:38 2001
Delivered-To: freebsd-announce@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 015E137B698; Mon, 29 Jan 2001 13:06:31 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:11.inetd [REVISED]
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129210631.015E137B698@hub.freebsd.org>
Date: Mon, 29 Jan 2001 13:06:31 -0800 (PST)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:11                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          inetd ident server allows remote users to partially
                read arbitrary wheel-accessible files [REVISED]

Category:       core
Module:         inetd
Announced:      2001-01-29
Revised:        2001-01-29
Credits:        dynamo
Affects:        FreeBSD 3.x (all releases)
                FreeBSD 4.x (all releases)
Corrected:      2000-11-25 (FreeBSD 4.2-STABLE)
                2001-01-26 (FreeBSD 3.5-STABLE)
FreeBSD only:   Yes

0.   Revision History

v1.0  2001-01-29  Initial release
v1.1  2001-01-29  Correctly credit original problem reporter

I.   Background

The inetd ident server is an implementation of the RFC1413
identification server which returns the local username of the user
connecting to a remote service.

II.  Problem Description

During internal auditing, the internal ident server in inetd was found
to incorrectly set group privileges according to the user. Due to
ident using root's group permissions, users may read the first 16
(excluding initial whitespace) bytes of wheel-accessible files.

All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.2 are vulnerable.

III. Impact

Users can read the first 16 bytes of wheel-accessible files.

To determine which may be potentially read, execute the following
command as root:

# find / -group wheel \( -perm -40 -a \! -perm +4 \) -ls

The inetd internal ident server is not enabled by default. If you have
not enabled the ident portion of inetd, you are not vulnerable.

IV.  Workaround

Disable the internal ident server, if enabled: comment out all lines
beginning with "auth" in /etc/inetd.conf, then restart inetd by
sending it a SIGHUP:

# killall -HUP inetd

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the correction date.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.2 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-4.2.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

[FreeBSD 3.5.1 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:11/inetd-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/inetd
# patch -p < /path/to/patch
# make depend && make all install
# killall -HUP inetd

From owner-freebsd-announce Mon Jan 29 13:20: 6 2001
Delivered-To: freebsd-announce@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 5B75F37B699; Mon, 29 Jan 2001 13:19:19 -0800 (PST)
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:13.sort
Reply-To: security-advisories@freebsd.org
Message-Id: <20010129211919.5B75F37B699@hub.freebsd.org>
Date: Mon, 29 Jan 2001 13:19:19 -0800 (PST)
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:13                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          sort uses insecure temporary files

Category:       core
Module:         sort
Announced:      2001-01-29
Credits:        Discovered during internal auditing
Affects:        FreeBSD 3.x (all releases), FreeBSD 4.x (all releases
                prior to 4.2), FreeBSD 3.5-STABLE prior to the
                correction date.
Corrected:      2000-11-11 (FreeBSD 4.1.1-STABLE)
                2001-01-01 (FreeBSD 3.5-STABLE)
FreeBSD only:   NO

I.   Background

sort(1) is a program to sort lines of text. It is externally
maintained, contributed software which is included in FreeBSD by
default.

II.  Problem Description

During internal auditing, sort(1) was found to use easily predictable
temporary file names. It does create these temporary files correctly
such that they cannot be "subverted" by a symlink attack, but the
program will abort if the temporary filename chosen is already in use.
This allows an attacker to cause the sort(1) command to abort, which
may have a cascade effect on other scripts which make use of it (such
as system management and reporting scripts). For example, it may be
possible to use this failure mode to hide the reporting of malicious
system activity which would otherwise be detected by a management
script.

All released versions of FreeBSD prior to the correction date
including FreeBSD 3.5.1 and FreeBSD 4.1.1 are vulnerable. The problem
was corrected prior to the release of FreeBSD 4.2.

III. Impact

Attackers can cause the operation of sort(1) to fail, possibly
disrupting aspects of system operation.

IV.  Workaround

None appropriate.

V.   Solution

One of the following:

Upgrade the vulnerable FreeBSD system to FreeBSD 3.5-STABLE,
4.2-RELEASE, or 4.2-STABLE after the correction date.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

[FreeBSD 4.1.1 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-4.1.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install

[FreeBSD 3.5.1 base system]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:13/sort-3.5.1.patch.asc

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/gnu/usr.bin/sort
# patch -p < /path/to/patch
# make depend && make all install
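
The temporary-file behaviour described in FreeBSD-SA-01:12 (periodic) and FreeBSD-SA-01:13 (sort), as an added example that is not part of either advisory or of the FreeBSD patches. It compares a predictable name opened without O_EXCL, the same name opened with O_EXCL (a planted symlink is not followed, but creation fails with EEXIST, the sort(1) failure mode), and mkstemp(3). The scratch directory, file names and helper names are constructed for the illustration.

```c
/* Added example, not FreeBSD code; all names and paths are constructed. */
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700 /* mkdtemp(), mkstemp(), symlink() */
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Style 1 (unsafe): predictable name, no O_EXCL. open() follows a symlink
 * already sitting at that name and truncates the file it points to. */
static int open_predictable_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Style 2 (the sort(1) case): predictable name with O_EXCL. Nothing found at
 * the name is followed, but open() fails with EEXIST and the caller aborts. */
static int open_predictable_excl(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* Style 3 (hardened): mkstemp() replaces the trailing XXXXXX with random
 * characters and creates the file exclusively, retrying on a collision. */
static int open_unpredictable(char *tmpl)
{
    return mkstemp(tmpl);
}

static long size_of(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 ? (long)st.st_size : -1L;
}

/* Create the 10-byte file that stands in for a file worth protecting. */
static int make_target(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    ssize_t n = write(fd, "important\n", 10);
    close(fd);
    return n == 10 ? 0 : -1;
}

struct tmp_demo {
    int excl_errno;              /* errno from style 2                   */
    int excl_target_intact;      /* target untouched after style 2       */
    int mkstemp_ok;              /* style 3 returned a usable descriptor */
    int mkstemp_target_intact;   /* target untouched after style 3       */
    int unsafe_truncated_target; /* style 1 emptied the target           */
};

/* Run the three styles in a private scratch directory in which the
 * guessable name is already taken by a symlink to the target. */
int run_tmp_demo(struct tmp_demo *out)
{
    char dir[] = "/tmp/tmpdemo.XXXXXX";
    char target[64], taken[64], tmpl[64];
    int fd;

    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(taken, sizeof taken, "%s/job.12345", dir); /* name.<pid> style */
    snprintf(tmpl, sizeof tmpl, "%s/job.XXXXXX", dir);
    if (make_target(target) != 0 || symlink(target, taken) != 0)
        return -1;

    errno = 0;
    fd = open_predictable_excl(taken);
    out->excl_errno = fd < 0 ? errno : 0;
    if (fd >= 0) close(fd);
    out->excl_target_intact = size_of(target) == 10;

    fd = open_unpredictable(tmpl);
    out->mkstemp_ok = fd >= 0;
    if (fd >= 0) { close(fd); unlink(tmpl); }
    out->mkstemp_target_intact = size_of(target) == 10;

    fd = open_predictable_unsafe(taken);
    if (fd >= 0) close(fd);
    out->unsafe_truncated_target = size_of(target) == 0;

    unlink(taken); unlink(target); rmdir(dir);
    return 0;
}

int main(void)
{
    struct tmp_demo r;
    if (run_tmp_demo(&r) != 0) return 1;
    printf("O_EXCL got EEXIST: %d, mkstemp ok: %d, unsafe open truncated: %d\n",
           r.excl_errno == EEXIST, r.mkstemp_ok, r.unsafe_truncated_target);
    return 0;
}
```
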

From owner-freebsd-announce Tue Jan 30 1:10:33 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7327637B4EC; Tue, 30 Jan 2001 01:09:52 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f0U99qv87528; Tue, 30 Jan 2001 01:09:52 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:09:52 -0800 (PST)
Message-Id: <200101300909.f0U99qv87528@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:07.xfree86
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:07                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          Multiple XFree86 3.3.6 vulnerabilities

Category:       ports
Module:         XFree86-3.3.6, XFree86-aoutlibs
Announced:      2001-01-23
Credits:        Chris Evans
                Michal Zalewski
Affects:        Ports collection prior to the correction date.
Corrected:      2000-10-24 (XFree86-3.3.6)
Vendor status:  Fixed in XFree86 4.0.1, no patches released by vendor.
FreeBSD only:   NO

I.   Background

XFree86 is a popular X server. It exists in three versions in the
FreeBSD ports collection: 3.3.6 and 4.0.2, as well as a.out libraries
based on XFree86 3.3.3.

II.  Problem Description

The XFree86-3.3.6 port, versions prior to 3.3.6_1, has multiple
vulnerabilities that may allow local or remote users to cause a denial
of service attack against a vulnerable X server. Additionally, local
users may be able to obtain elevated privileges under certain
circumstances.

X server DoS:
  Remote users can, by sending a malformed packet to port 6000 TCP,
  cause the victim's X server to freeze for several minutes. During
  the freeze, the mouse does not move and the screen does not update
  in any way. In addition, the keyboard is unresponsive, including
  console-switch and kill-server key combinations. Non-X processes,
  such as remote command-line logins and non-X applications, are
  unaffected by the freeze.

Xlib holes:
  Due to various coding flaws in libX11, privileged (setuid/setgid)
  programs linked against libX11 may allow local users to obtain
  elevated privileges.

libICE DoS:
  Due to inadequate bounds checking in libICE, a denial of service
  exists with any application using libICE to listen on a network
  port for network services.

The XFree86-aoutlibs port contains the XFree86 libraries from the
3.3.3 release of XFree86, in a.out format suitable for use with
applications in the legacy a.out binary format, most notably being the
FreeBSD native version of Netscape. It is unknown whether Netscape is
vulnerable to the problems described in this advisory, but it is
believed that the only potential vulnerability is the libICE
denial-of-service condition described above.

The XFree86 and XFree86-aoutlibs ports are not installed by default
(although XFree86 is available as an installation option in the
FreeBSD installer), nor are they "part of FreeBSD" as such: they are
part of the FreeBSD ports collection, which contains almost 4500
third-party applications in a ready-to-install format. The ports
collections shipped with FreeBSD 3.5.1 and 4.1.1 contain these
problems since they were discovered after the releases, but the
XFree86 problem was corrected prior to the release of FreeBSD 4.2. At
the time of advisory release, the XFree86-aoutlibs port has not been
corrected.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local or remote users may cause a denial of service attack against an
X server or certain X applications. Local users may obtain elevated
privileges with certain X applications.

If you have not chosen to install the XFree86 3.3.6 port/package or
the XFree86-aoutlibs port/package, or you are running XFree86 4.0.1 or
later, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the XFree86-3.3.6 and XFree86-aoutlibs ports/packages, if
you have installed them.

Note that any statically linked binaries which make use of the
vulnerable XFree86 routines may still be vulnerable to the problems
after deinstallation of the port/package. However due to the
difficulty of developing a reliable scanning utility for such binaries
no such utility is provided.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the XFree86-3.3.6
port.

2) Deinstall the old package and install an XFree86-4.0.2 package
obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/x11/XFree86-4.0.2_5.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/x11/XFree86-4.0.2_5.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

NOTE: XFree86-3.3.6 packages are no longer made available, only the
newer XFree86-4.0.2 packages.

Note also that the XFree86-aoutlibs port has not yet been fixed: there
is currently no solution to the problem other than removing the
port/package and recompiling any dependent software to use ELF
libraries, or switching to an ELF-based version of the software, if
available (e.g. the BSD/OS or Linux versions of Netscape, as an
alternative to the FreeBSD native version). The potential impact of
the vulnerabilities to the local environment may be deemed not
sufficiently great to warrant this approach, however.

3) Download a new port skeleton for the XFree86-3.3.6 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-announce Tue Jan 30 1:25:44 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 5CAA937B4F8; Tue, 30 Jan 2001 01:25:01 -0800 (PST)
Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f0U9P1C89113; Tue, 30 Jan 2001 01:25:01 -0800 (PST) (envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:25:01 -0800 (PST)
Message-Id: <200101300925.f0U9P1C89113@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:14.micq
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:14                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          micq remote buffer overflow vulnerability

Category:       ports
Module:         micq
Announced:      2001-01-29
Credits:        recidjvo@pkcrew.org
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-24
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

micq is a text-based ICQ client.

II.  Problem Description

The micq port, versions prior to 0.4.6.1, contains a remote
vulnerability: due to a buffer overflow, a malicious remote user
sending specially-crafted packets may be able to execute arbitrary
code on the local system with the privileges of the micq process. To
accomplish this, the attacker must be able to sniff the packets
between the micq client and ICQ server in order to gain the session
key to cause the client to accept the malicious packets.

The micq port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
over 4500 third-party applications in a ready-to-install format. The
ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this
problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Malicious remote users may cause arbitrary code to be executed with
the privileges of the micq process.

If you have not chosen to install the micq port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the micq port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the micq port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/micq-0.4.6.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/micq-0.4.6.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/micq-0.4.6.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) Download a new port skeleton for the micq port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz
See also the FreeBSD Web pages at http://www.freebsd.org To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-announce" in the body of the message From owner-freebsd-announce Tue Jan 30 1:26:35 2001 Delivered-To: freebsd-announce@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 505AD37B4E0; Tue, 30 Jan 2001 01:25:26 -0800 (PST) Received: (from kris@localhost) by freefall.freebsd.org (8.11.1/8.11.1) id f0U9POS89150; Tue, 30 Jan 2001 01:25:24 -0800 (PST) (envelope-from security-advisories@FreeBSD.org) Date: Tue, 30 Jan 2001 01:25:24 -0800 (PST) Message-Id: <200101300925.f0U9POS89150@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:15.tinyproxy Reply-To: security-advisories@FreeBSD.org Sender: owner-freebsd-announce@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org -----BEGIN PGP SIGNED MESSAGE----- ============================================================================= FreeBSD-SA-01:15 Security Advisory FreeBSD, Inc. Topic: tinyproxy contains remote vulnerabilities Category: ports Module: tinyproxy Announced: 2001-01-29 Credits: |CyRaX| Affects: Ports collection prior to the correction date. Corrected: 2001-01-22 Vendor status: Updated version released FreeBSD only: NO I. Background tinyproxy is a lightweight http proxy. II. Problem Description The tinyproxy port, versions prior to 1.3.3a, contains remote vulnerabilities: due to a heap overflow, malicious remote users can cause a denial-of-service by crashing the proxy. Additionally, the attacker may potentially cause arbitrary code to be executed as the user running tinyproxy. 
The tinyproxy port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Malicious remote users may cause a denial-of-service and potentially cause arbitrary code to be executed.

If you have not chosen to install the tinyproxy port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the tinyproxy port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the tinyproxy port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/www/tinyproxy-1.3.3a.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/www/tinyproxy-1.3.3a.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the tinyproxy port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXgJ1UuHi5z0oilAQHo6wQAj3xyGIyobs/grdxqowjFMcpE86ZxuguC
/FzN9pNGbj2/tRv+5XWALJs4dl5mfqNruxeNlFy7uNZAoLztRd5DxuPa/KLJBh3R
NYUFjCBzBbjMDZzSOQSpRWwMrs8o/y5qWgAEdVQXqTmXPrKKnbiIBpAYRX/9pzGW
s199naiw8yM=
=M4Q1
-----END PGP SIGNATURE-----
From owner-freebsd-announce Tue Jan 30 1:27:53 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 0FDBA37B69E;
    Tue, 30 Jan 2001 01:25:43 -0800 (PST)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f0U9Phr89218;
    Tue, 30 Jan 2001 01:25:43 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:25:43 -0800 (PST)
Message-Id: <200101300925.f0U9Phr89218@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:16.mysql
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:16                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          mysql may allow remote users to gain increased privileges

Category:       ports
Module:         mysql322-server/mysql323-server
Announced:      2001-01-29
Credits:        Nicolas GREGOIRE
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-19
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

mysql is a high-performance database server.

II.  Problem Description

The mysql323-server port, versions prior to 3.23.22, and all mysql322-server ports contain remote vulnerabilities. Due to a buffer overflow, a malicious remote user can cause a denial-of-service by crashing the database.
Additionally, the attacker may be able to gain the privileges of the mysqld user, allowing access to all databases and the ability to leverage other local attacks as the mysqld user. In order to accomplish this, the attacker must have a valid mysql account.

The mysql322-server and mysql323-server ports are not installed by default, nor are they "part of FreeBSD" as such: they are part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Malicious remote mysql users may cause a denial-of-service and potentially gain access as the mysqld user, allowing access to all databases on the mysql server and the ability to leverage other local attacks as the mysqld user.

If you have not chosen to install the mysql322-server or mysql323-server ports/packages, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the mysql322-server or mysql323-server port/package, if you have installed it.

V.   Solution

Note: the mysql322-server port has been removed since mysql 3.23 is now the stable mysql branch. People using older mysql322-server ports/packages are urged to update to the mysql323-server port/package.

One of the following:

1) Upgrade your entire ports collection and rebuild the mysql323-server port.
2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/databases/mysql-3.23.32.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/databases/mysql-3.23.32.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the mysql323-server port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXg81UuHi5z0oilAQEIKgP/fLnAPAIJt33PQl6NYnBzivsjX0/w0TGW
MVkX3OAz14EZYGEajJJfCf2QboqvDYMMuoYNQS3MF8eTmSNQxpzDpRzFyU8zeiUj
UnAzKWk+4vjTRkM8BcQHuXfsuzh/H1KjENjo+gbCrmXitLWjuFSS9l/U91tWeyMM
sQevoqqqXQE=
=8xko
-----END PGP SIGNATURE-----
From owner-freebsd-announce Tue Jan 30 1:28:30 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id B93E437B4EC;
    Tue, 30 Jan 2001 01:26:13 -0800 (PST)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f0U9QD589290;
    Tue, 30 Jan 2001 01:26:13 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Tue, 30 Jan 2001 01:26:13 -0800 (PST)
Message-Id: <200101300926.f0U9QD589290@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory: FreeBSD-SA-01:17.exmh2
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:17                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          exmh symlink vulnerability

Category:       ports
Module:         exmh2
Announced:      2001-01-29
Credits:        Stanley G. Bubrouski
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-22
Vendor status:  Updated version released
FreeBSD only:   No

I.   Background

exmh is a tcl/tk based interface to the mh mail user agent.

II.  Problem Description

The exmh2 port, versions prior to 2.3.1, contains a local vulnerability: at startup, if exmh detects a problem in its code or configuration an error dialog appears giving the user an option to fill in a bug report and email it to the maintainer. If the user agrees to mail the maintainer a file named /tmp/exmhErrorMsg is created.
If the file exists and is a symlink, it will follow the link, allowing local files writable by the user to be overwritten.

The exmh2 port is not installed by default, nor is it "part of FreeBSD" as such: it is part of the FreeBSD ports collection, which contains over 4500 third-party applications in a ready-to-install format. The ports collections shipped with FreeBSD 3.5.1 and 4.2 contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party applications, although an effort is underway to provide a security audit of the most security-critical ports.

III. Impact

Malicious local users may cause arbitrary files writable by the user running exmh to be overwritten, in certain restricted situations.

If you have not chosen to install the exmh2 port/package, then your system is not vulnerable to this problem.

IV.  Workaround

Deinstall the exmh2 port/package, if you have installed it.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the exmh2 port.

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/mail/exmh-2.3.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/mail/exmh-2.3.1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/mail/exmh-2.3.1.tgz

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the exmh2 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOnXiAVUuHi5z0oilAQFN1QP/Y8TNT5P86VCujRk704GXV9Lxw4W6+lgZ
s6wmSPnm8BmO/MZo4RZ+snZToo9lZWEbgU490LU7sUjy8ehMiP6F2OpViuFT76ug
INFou7NHIAmMre2iFzyy6pcsLttX0emc02qUiEPDCLXrgF0BvhbqC3myXsbUzrpJ
srN7OD3Y8l4=
=1966
-----END PGP SIGNATURE-----
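
The symlink problem described in FreeBSD-SA-01:17, as an added shell example that is not part of the advisory and is not exmh's own code: a fixed file name in a shared directory beside a mktemp-based replacement. The function names and the scratch directory are constructed for the example; only the file name exmhErrorMsg comes from the advisory.

```shell
#!/bin/sh
# Added example (not exmh code): fixed-name temp file vs. mktemp.

# Vulnerable pattern: a predictable name in a shared directory. The
# redirection opens the path with O_CREAT|O_TRUNC, which follows an
# existing symlink and truncates whatever it points to.
write_report_unsafe() {    # $1 = directory, $2 = report text
    printf '%s\n' "$2" > "$1/exmhErrorMsg"
}

# Hardened pattern: mktemp creates a new file exclusively under an
# unpredictable name, so a pre-existing link is never opened.
write_report_safe() {      # $1 = directory, $2 = report text
    report=$(mktemp "$1/exmhErrorMsg.XXXXXX") || return 1
    printf '%s\n' "$2" > "$report"
    printf '%s\n' "$report"    # tell the caller which file was created
}

# Run both writers in a private scratch directory in which exmhErrorMsg
# already exists as a symlink to a file the user can write (constructed
# setup). Prints the state of that file after each writer, in order.
symlink_demo() {
    scratch=$(mktemp -d) || return 1
    result=
    for writer in write_report_unsafe write_report_safe; do
        printf 'important data\n' > "$scratch/victim"
        ln -sf "$scratch/victim" "$scratch/exmhErrorMsg"
        "$writer" "$scratch" 'bug report body' > /dev/null
        if [ "$(cat "$scratch/victim")" = 'important data' ]; then
            result="$result intact"
        else
            result="$result overwritten"
        fi
    done
    rm -rf "$scratch"
    echo "${result# }"
}

symlink_demo
```
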
From owner-freebsd-announce Wed Jan 31 13:24:13 2001
Delivered-To: freebsd-announce@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP id 8E7D837B6A1;
    Wed, 31 Jan 2001 13:23:21 -0800 (PST)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f0VLNL134920;
    Wed, 31 Jan 2001 13:23:21 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Wed, 31 Jan 2001 13:23:21 -0800 (PST)
Message-Id: <200101312123.f0VLNL134920@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory: FreeBSD-SA-01:18.bind
Reply-To: security-advisories@FreeBSD.org
Sender: owner-freebsd-announce@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-01:18                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          BIND remotely exploitable buffer overflow

Category:       core, ports
Module:         bind
Announced:      2001-01-31
Credits:        COVERT Labs
                Claudio Musmarra
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
                Ports collection prior to the correction date.
Corrected:      2001-01-30 (FreeBSD 3.5-STABLE)
                2001-01-29 (FreeBSD 4.2-STABLE)
                2001-01-29 (Ports collection)
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

BIND is an implementation of the Domain Name Service (DNS) protocols.

II.  Problem Description

An overflowable buffer related to the processing of transaction signatures (TSIG) exists in all versions of BIND prior to 8.2.3-RELEASE.
The vulnerability is exploitable regardless of configuration options and affects both recursive and non-recursive DNS servers.

Additional vulnerabilities allow the leaking of environment variables and the contents of the program stack. These vulnerabilities may assist the ability of attackers to exploit the primary vulnerability described above, and may provide additional information about the state or configuration of the system.

All previous versions of BIND 8, such as the beta versions included in FreeBSD 4.x prior to the correction date (designated the version number BIND 8.2.3-T<#>B) are vulnerable to this problem. Systems running versions of BIND 9.x (available in the FreeBSD ports collection) are unaffected.

Further information about the vulnerabilities is contained in the CERT advisory located at:

http://www.cert.org/advisories/CA-2001-02.html

Note that this advisory also describes vulnerabilities in the BIND 4.x software, which is not included in any recent version of FreeBSD.

All versions of FreeBSD 3.x and 4.x prior to the correction date including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this problem, if they have been configured to run named (this is not enabled by default). In addition, the bind8 port in the ports collection (versions prior to 8.2.3) is also vulnerable.

To check whether a DNS server is running a vulnerable version of BIND, perform the following command as any user:

% dig @serverip version.bind. CHAOS TXT

The following segment of output indicates a non-vulnerable server running BIND 8.2.3-RELEASE:

...
;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"
...

III. Impact

Malicious remote users can cause arbitrary code to be executed as the user running the named daemon. This is often the root user, although FreeBSD provides built-in support for the execution of named as an unprivileged 'bind' user, which greatly limits the scope of the vulnerability should a successful penetration take place.

IV.  Workaround

There is no known practical workaround to prevent the vulnerability from being exploited, short of upgrading the software. A partial workaround to limit the impact of the vulnerability should it be exploited is to run named as an unprivileged user.

Add the following line to /etc/rc.conf:

named_flags="-u bind -g bind"    # Flags for named

Add the following line to your /etc/namedb/named.conf file, in the "options" section:

pid-file "/var/named/named.pid";

See the named.conf(5) manual page for more details about configuring named.

Perform the following commands as root:

Create a directory writable by the bind user where named can store its pid file:

# mkdir /var/named
# chown bind:bind /var/named

Shut down the DNS server:

# ndc stop

Restart it using the non-privileged user and group:

# ndc -p /var/named/named.pid start -u bind -g bind

Note that when not running as the root user, named will lose the ability to re-bind to interfaces which change address, or which are added to the system after named has been started. If such an event takes place, named will need to be stopped and restarted in order to re-bind to the interface(s). See the ndc(8) manual page for more information about how to do this.

Use of the -t option to named will also increase security when run as a non-privileged user by confining the named process to a chroot environment and thereby partially limiting the access it has to the rest of the system. Configuration of these options is beyond the scope of the advisory. The following website contains information which may be useful to administrators wishing to perform this step:

http://www.losurs.org/docs/howto/Chroot-BIND.html

Note that this tutorial does not specifically relate to FreeBSD, and the information contained therein may need to be modified for FreeBSD systems.
Note that such a penetration of the unprivileged bind user may still allow the attacker to take advantage of a local security vulnerability or misconfiguration to further increase privileges. Therefore this should only be considered a temporary workaround while preparations can be made to upgrade permanently.

It is recommended that all affected users upgrade their systems immediately as described in the following section.

V.   Solution

Note that BIND 8.2.3-RELEASE is more strict about invalid zone file syntax than older versions. DNS zones which contain errors may need to be corrected before the new version can be run.

[Base system]

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE after the respective correction dates.

A binary tarball containing the updated BIND files may be released in a few days, but is being held back for quality assurance reasons. In the meantime an unofficial tarball is available from the following location. Users are advised that the following tarball has not been tested on a production system, and those wishing to perform an upgrade without upgrading the entire OS are advised to use the bind8 port as described below.

http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc

To fetch and install it, perform the following actions as root:

# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz
# fetch http://www.freebsd.org/~kris/bind-8.2.3-4.x.tgz.asc

Verify the detached PGP signature using your PGP utility.

# cd /
# tar xvfz /path/to/bind-8.2.3-4.x.tgz

Stop and restart the named process as shown:

# ndc restart

See the note in the previous section about how to restart ndc as a non-privileged user if it has been configured to run that way.

[Ports collection]

If you have chosen to install BIND from the ports collection and are using it instead of the version in the base system, perform one of the following steps:

1) Update your entire ports collection and rebuild the bind8 port.
If you are installing the port for the first time, be sure to edit the named_program variable in /etc/rc.conf to point to the installed location of the named executable.

The bind8 port can be configured to install itself in /usr and read configuration data from /etc so that it is drop-in compatible with the system version of BIND. Install the port as follows:

# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
  DESTRUN=/var/run all install clean

If you install the BIND port over the top of the system version in this way, be sure to add the following line to /etc/make.conf to prevent the future rebuilding of the system version during 'make world':

NO_BIND= true    # do not build BIND

2) Deinstall the old package and install a new package dated after the correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/net/bind-8.2.3.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/net/bind-8.2.3.tgz

NOTE: It may be several days before updated packages are available.

[alpha]
Packages are not automatically generated for the alpha architecture at this time due to lack of build resources.

3) download a new port skeleton for the bind8 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-3-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.4 (FreeBSD)
Comment: For info see http://www.gnupg.org

iQCVAwUBOniArlUuHi5z0oilAQGE+AQAiwizuORMqyzOw21QFyap2Z7lv7BkYuiC
9zZ97X3WR+i8AujTfIrhwK1UdO6KFbp5Rjc54f3XHtaMotoRcp3x24xADpGQDP4s
Xyw267ZoV7ZYuG6VcAgBzq9pqiCnU9rqRQy2aRn/8iCvcl/G5249B3DuMMtLiMw+
Iuz0OOxWeLM=
=hanM
-----END PGP SIGNATURE-----
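
The version check from section II of FreeBSD-SA-01:18, as an added shell example that is not part of the advisory: it pulls the version.bind TXT string out of saved dig output and classifies it against the ranges the advisory states. The function names, the sample dig output and the sample version strings are constructed; treating any 8.2.3 string not marked -REL as a pre-release is this example's assumption, and because the string is whatever the server chooses to report, anything unrecognised is classed as unknown rather than safe.

```shell
#!/bin/sh
# Added example: classify a version.bind answer per FreeBSD-SA-01:18.

# Print the quoted TXT string of the VERSION.BIND answer read from stdin.
bind_txt_version() {
    awk 'toupper($1) == "VERSION.BIND." && match($0, /"[^"]*"/) {
             print substr($0, RSTART + 1, RLENGTH - 2); exit
         }'
}

# Map a version string to: fixed | vulnerable | unaffected | unknown.
bind_status() {
    ver=$1
    case $ver in
        9.*) echo unaffected; return 0 ;;     # advisory: BIND 9.x unaffected
        8.[0-9]*) ;;                          # BIND 8: compare below
        *) echo unknown; return 0 ;;          # 4.x, hidden or custom strings
    esac
    num=${ver%%-*}                            # "8.2.3" from "8.2.3-REL"
    suffix=${ver#"$num"}                      # "-REL", "-T6B", or empty
    case $num in *[!0-9.]*) echo unknown; return 0 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $num
    IFS=$old_ifs
    minor=${2:-0}; patch=${3:-0}
    if [ "$minor" -lt 2 ] || { [ "$minor" -eq 2 ] && [ "$patch" -lt 3 ]; }; then
        echo vulnerable                       # prior to 8.2.3
    elif [ "$minor" -eq 2 ] && [ "$patch" -eq 3 ]; then
        case $suffix in
            -REL*) echo fixed ;;              # 8.2.3-RELEASE
            *) echo vulnerable ;;             # 8.2.3-T<#>B betas (assumption:
        esac                                  # any non-REL 8.2.3 is pre-release)
    else
        echo fixed                            # later than 8.2.3
    fi
}

# Read dig output on stdin and print the status of the server it describes.
bind_status_from_dig() {
    found=$(bind_txt_version)
    [ -n "$found" ] || { echo unknown; return 0; }
    bind_status "$found"
}

# Constructed sample of `dig @serverip version.bind. CHAOS TXT` output.
sample_dig_output() {
    cat <<'EOF'
;; QUESTION SECTION:
;version.bind.                  CH      TXT

;; ANSWER SECTION:
VERSION.BIND.           0S CHAOS TXT    "8.2.3-REL"
EOF
}

sample_dig_output | bind_status_from_dig
```
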