From owner-freebsd-announce@FreeBSD.ORG Mon Sep 15 18:01:51 2003
Message-ID: <009601c37bee$1a0da2c0$b1e23e80@infinite>
From: "Michael C. Wu"
Date: Mon, 15 Sep 2003 20:01:42 -0500
Subject: [FreeBSD-Announce] [AsiaBSDCon] Announcing the USENIX AsiaBSDCon and its Request for Papers
List-Id: Project Announcements [moderated]

Dear Recipients:

We are happy to announce that the USENIX AsiaBSDCon 2004 will take place at Academia Sinica, Taipei, Taiwan between March 13 2004 and March 15 2004. We would like to invite all who are interested in BSD and their applications (including but not limited to: bioinformatics, scientific computing, e-commerce, operating systems, etc.) to submit papers to the conference.

The RFP is at: http://www.asiabsdcon.org/cfp.shtml

I am happy to say that we have a great set of invited speakers who will discuss many topics of interest. They will speak at the beautiful activity center of Academia Sinica, the premier research institution of Taiwan. ( http://www.sinica.edu.tw )

Traveling to Taiwan is considered inexpensive at USD$400-800 during that time. With limited space, the conference hotel is approximately USD$25 per single room per night, with free wavelan access on campus. For those that wish to stay in downtown Taipei, we have arranged English-speaking hotels costing from USD$30~USD$100 with convenient subway transportation.

There will be no registration fee for people who register early. We also provide food during the conference at no cost to those who register within the early registration deadline. However, we welcome any donations to enable us to do more for the conference. All proceeds not used will be used either towards next year's conference or donated to independent BSD foundations.

Should we receive sufficient response, we will organize a touring trip of some parts of Taiwan before or after the conference. Hot springs, beautiful canyons, towering mountains, brilliant nightlife, and white sandy beaches are all part of Taiwan. (You can indicate your willingness to join such a trip as soon as the registration system opens.)

We look forward to a great conference with your participation.

Regards,
Michael C. Wu
Program Coordinator, USENIX AsiaBSDCon 2004

From owner-freebsd-announce@FreeBSD.ORG Tue Sep 16 11:17:05 2003
Date: Tue, 16 Sep 2003 11:17:01 -0700 (PDT)
Message-Id: <200309161817.h8GIH1rC072329@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_1
                openssh-portable port prior to openssh-portable-3.6.1p2_1
Corrected:      2003-09-16 16:24:02 UTC (RELENG_4)
                2003-09-16 16:27:57 UTC (RELENG_5_1)
                2003-09-16 17:34:32 UTC (RELENG_5_0)
                2003-09-16 16:24:02 UTC (RELENG_4_8)
                2003-09-16 16:45:16 UTC (RELENG_4_7)
                2003-09-16 17:44:15 UTC (RELENG_4_6)
                2003-09-16 17:45:23 UTC (RELENG_4_5)
                2003-09-16 17:46:02 UTC (RELENG_4_4)
                2003-09-16 17:46:37 UTC (RELENG_4_3)
                2003-09-16 12:43:09 UTC (ports/security/openssh)
                2003-09-16 12:43:10 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693
FreeBSD only:   NO

I.   Background

OpenSSH is a free version of the SSH protocol suite of network connectivity tools. OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. `ssh' is the client application, while `sshd' is the server.

II.  Problem Description

When a packet is received that is larger than the space remaining in the currently allocated buffer, OpenSSH's buffer management attempts to reallocate a larger buffer. During this process, the recorded size of the buffer is increased. The new size is then range checked. If the range check fails, then fatal() is called to cleanup and exit. In some cases, the cleanup code will attempt to zero and free the buffer that just had its recorded size (but not actual allocation) increased. As a result, memory outside of the allocated buffer will be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed to be exploitable for code execution on FreeBSD.

IV.  Workaround

Do one of the following:

1) Disable the base system sshd by executing the following command as root:

   # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf:

   sshd_enable="NO"

   AND

   Deinstall the openssh or openssh-portable ports if you have one of them installed.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or 4.7-RELEASE-p15, respectively).

2) FreeBSD systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.x and FreeBSD 5.x systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

[FreeBSD 4.3 through 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# (. /etc/rc.conf && ${sshd_program:-/usr/bin/sshd} ${sshd_flags})

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD base system and ports collection.

Branch                            Revision
  Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
  src/crypto/openssh/buffer.c     1.1.1.1.2.5
  src/crypto/openssh/version.h    1.1.1.1.2.11
RELENG_5_1
  src/UPDATING                    1.251.2.4
  src/crypto/openssh/buffer.c     1.1.1.6.4.1
  src/crypto/openssh/version.h    1.20.2.1
  src/sys/conf/newvers.sh         1.50.2.5
RELENG_5_0
  src/UPDATING                    1.229.2.18
  src/crypto/openssh/buffer.c     1.1.1.6.2.1
  src/crypto/openssh/version.h    1.18.2.1
  src/sys/conf/newvers.sh         1.48.2.13
RELENG_4_8
  src/UPDATING                    1.73.2.80.2.7
  src/crypto/openssh/buffer.c     1.1.1.1.2.4.4.1
  src/crypto/openssh/version.h    1.1.1.1.2.10.2.1
  src/sys/conf/newvers.sh         1.44.2.29.2.6
RELENG_4_7
  src/UPDATING                    1.73.2.74.2.18
  src/crypto/openssh/buffer.c     1.1.1.1.2.4.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.9.2.1
  src/sys/conf/newvers.sh         1.44.2.26.2.17
RELENG_4_6
  src/UPDATING                    1.73.2.68.2.46
  src/crypto/openssh/buffer.c     1.1.1.1.2.3.4.2
  src/crypto/openssh/version.h    1.1.1.1.2.8.2.2
  src/sys/conf/newvers.sh         1.44.2.23.2.35
RELENG_4_5
  src/UPDATING                    1.73.2.50.2.47
  src/crypto/openssh/buffer.c     1.1.1.1.2.3.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.7.2.2
  src/sys/conf/newvers.sh         1.44.2.20.2.31
RELENG_4_4
  src/UPDATING                    1.73.2.43.2.48
  src/crypto/openssh/buffer.c     1.1.1.1.2.2.4.1
  src/crypto/openssh/version.h    1.1.1.1.2.5.2.3
  src/sys/conf/newvers.sh         1.44.2.17.2.39
RELENG_4_3
  src/UPDATING                    1.73.2.28.2.35
  src/crypto/openssh/buffer.c     1.1.1.1.2.2.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.4.2.3
  src/sys/conf/newvers.sh         1.44.2.14.2.25
[Ports]
  ports/security/openssh-portable/Makefile                 1.73
  ports/security/openssh-portable/files/patch-buffer.c     1.1
  ports/security/openssh/Makefile                          1.120
  ports/security/openssh/files/patch-buffer.c              1.1
- -------------------------------------------------------------------------

Branch       Version string
- -------------------------------------------------------------------------
HEAD         OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4     OpenSSH_3.5p1 FreeBSD-20030916
RELENG_5_1   OpenSSH_3.6.1p1 FreeBSD-20030916
RELENG_4_8   OpenSSH_3.5p1 FreeBSD-20030916
RELENG_4_7   OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_6   OpenSSH_3.4p1 FreeBSD-20030916
RELENG_4_5   OpenSSH_2.9 FreeBSD localisations 20030916
RELENG_4_4   OpenSSH_2.3.0 FreeBSD localisations 20030916
RELENG_4_3   OpenSSH_2.3.0 green@FreeBSD.org 20030916
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the following command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the server.

To view the version string of the OpenSSH client, execute the following command:

% /usr/bin/ssh -V

VII. References

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2003-0693 to this issue.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/Z1MtFdaIBMps37IRApcyAKCIjophc4e8UGhAlTTiNCunVJSlfgCffMgQ
PW0VvEnS7MMUYyekHuz49ro=
=vcm1
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Wed Sep 17 15:38:00 2003
Date: Wed, 17 Sep 2003 15:37:56 -0700 (PDT)
Message-Id: <200309172237.h8HMbuvK078935@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:12.openssh [REVISED]
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:12                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          OpenSSH buffer management error

Category:       core, ports
Module:         openssh, ports_openssh, openssh-portable
Announced:      2003-09-16
Credits:        The OpenSSH Project
Affects:        All FreeBSD releases after 4.0-RELEASE
                FreeBSD 4-STABLE prior to the correction date
                openssh port prior to openssh-3.6.1_3
                openssh-portable port prior to openssh-portable-3.6.1p2_3
Corrected:      2003-09-17 16:24:02 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-17 14:46:58 UTC (RELENG_5_1, 5.1-RELEASE-p4)
                2003-09-17 14:50:14 UTC (RELENG_5_0, 5.0-RELEASE-p13)
                2003-09-17 14:51:09 UTC (RELENG_4_8, 4.8-RELEASE-p6)
                2003-09-17 14:51:37 UTC (RELENG_4_7, 4.7-RELEASE-p16)
                2003-09-17 14:52:08 UTC (RELENG_4_6, 4.6-RELEASE-p19)
                2003-09-17 14:52:42 UTC (RELENG_4_5, 4.5-RELEASE-p31)
                2003-09-17 14:57:32 UTC (RELENG_4_4, 4.4-RELEASE-p41)
                2003-09-17 14:58:56 UTC (RELENG_4_3, 4.3-RELEASE-p37)
                2003-09-17 16:07:48 UTC (ports/security/openssh)
                2003-09-17 16:07:48 UTC (ports/security/openssh-portable)
CVE:            CAN-2003-0693, CAN-2003-0695, CAN-2003-0682
FreeBSD only:   NO

0.   Revision History

v1.0  2003-09-16  Initial release
v1.1  2003-09-17  Typo in instructions for restarting sshd
                  Additional buffer management errors corrected

I.   Background

OpenSSH is a free version of the SSH protocol suite of network connectivity tools.
OpenSSH encrypts all traffic (including passwords) to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. Additionally, OpenSSH provides a myriad of secure tunneling capabilities, as well as a variety of authentication methods. `ssh' is the client application, while `sshd' is the server.

II.  Problem Description

Several operations within OpenSSH require dynamic memory allocation or reallocation. Examples are: the receipt of a packet larger than available space in a currently allocated buffer; creation of additional channels beyond the currently allocated maximum; and allocation of new sockets beyond the currently allocated maximum. Many of these operations can fail either due to `out of memory' or due to explicit checks for ridiculously sized requests. However, the failure occurs after the allocation size has already been updated, so that the bookkeeping data structures are in an inconsistent state (the recorded size is larger than the actual allocation). Furthermore, the detection of these failures causes OpenSSH to invoke several `fatal_cleanup' handlers, some of which may then attempt to use these inconsistent data structures. For example, a handler may zero and free a buffer in this state, and as a result memory outside of the allocated area will be overwritten with NUL bytes.

III. Impact

A remote attacker can cause OpenSSH to crash. The bug is not believed to be exploitable for code execution on FreeBSD.

IV.  Workaround

Do one of the following:

1) Disable the base system sshd by executing the following command as root:

   # kill `cat /var/run/sshd.pid`

   Be sure that sshd is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf:

   sshd_enable="NO"

   AND

   Deinstall the openssh or openssh-portable ports if you have one of them installed.

V.   Solution

Do one of the following:

[For OpenSSH included in the base system]

1) Upgrade your vulnerable system to 4-STABLE or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date (5.1-RELEASE-p3, 4.8-RELEASE-p5, or 4.7-RELEASE-p15, respectively).

2) FreeBSD systems prior to the correction date:

The following patches have been verified to apply to FreeBSD 4.x and FreeBSD 5.x systems prior to the correction date.

Download the appropriate patch and detached PGP signature from the following locations, and verify the signature using your PGP utility.

[FreeBSD 4.3 and 4.4]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer44.patch.asc

[FreeBSD 4.5]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer45.patch.asc

[FreeBSD 4.6 and later, FreeBSD 5.0 and later]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:12/buffer46.patch.asc

Execute the following commands as root:

# cd /usr/src
# patch < /path/to/sshd.patch
# cd /usr/src/secure/lib/libssh
# make depend && make all install
# cd /usr/src/secure/usr.sbin/sshd
# make depend && make all install
# cd /usr/src/secure/usr.bin/ssh
# make depend && make all install

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# /usr/sbin/sshd

[For the OpenSSH ports]

One of the following:

1) Upgrade your entire ports collection and rebuild the OpenSSH port.

2) Deinstall the old package and install a new package obtained from the following directory:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/security/

[other platforms]
Packages are not automatically generated for other platforms at this time due to lack of build resources.

3) Download a new port skeleton for the openssh or openssh-portable port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The portcheckout port is available in /usr/ports/devel/portcheckout or the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/Latest/portcheckout.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/Latest/portcheckout.tgz

Be sure to restart `sshd' after updating.

# kill `cat /var/run/sshd.pid`
# test -x /usr/local/etc/rc.d/sshd.sh && sh /usr/local/etc/rc.d/sshd.sh start

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in the FreeBSD base system and ports collection.

Branch                            Revision
  Path
- -------------------------------------------------------------------------
[Base system]
RELENG_4
  src/crypto/openssh/buffer.c     1.1.1.1.2.7
  src/crypto/openssh/channels.c   1.1.1.1.2.10
  src/crypto/openssh/deattack.c   1.1.1.1.2.5
  src/crypto/openssh/misc.c       1.1.1.1.2.3
  src/crypto/openssh/session.c    1.4.2.18
  src/crypto/openssh/ssh-agent.c  1.2.2.11
  src/crypto/openssh/version.h    1.1.1.1.2.12
RELENG_5_1
  src/UPDATING                    1.251.2.5
  src/crypto/openssh/buffer.c     1.1.1.6.4.2
  src/crypto/openssh/channels.c   1.15.2.1
  src/crypto/openssh/deattack.c   1.1.1.5.4.1
  src/crypto/openssh/misc.c       1.1.1.4.2.1
  src/crypto/openssh/session.c    1.40.2.1
  src/crypto/openssh/ssh-agent.c  1.18.2.1
  src/crypto/openssh/version.h    1.20.2.2
  src/sys/conf/newvers.sh         1.50.2.6
RELENG_5_0
  src/UPDATING                    1.229.2.19
  src/crypto/openssh/buffer.c     1.1.1.6.2.2
  src/crypto/openssh/channels.c   1.13.2.1
  src/crypto/openssh/deattack.c   1.1.1.5.2.1
  src/crypto/openssh/misc.c       1.1.1.3.2.1
  src/crypto/openssh/session.c    1.38.2.1
  src/crypto/openssh/ssh-agent.c  1.16.2.1
  src/crypto/openssh/version.h    1.18.2.2
  src/sys/conf/newvers.sh         1.48.2.14
RELENG_4_8
  src/UPDATING                    1.73.2.80.2.8
  src/crypto/openssh/buffer.c     1.1.1.1.2.4.4.2
  src/crypto/openssh/channels.c   1.1.1.1.2.8.2.1
  src/crypto/openssh/deattack.c   1.1.1.1.2.4.4.1
  src/crypto/openssh/misc.c       1.1.1.1.2.2.4.1
  src/crypto/openssh/session.c    1.4.2.17.2.1
  src/crypto/openssh/ssh-agent.c  1.2.2.10.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.10.2.2
  src/sys/conf/newvers.sh         1.44.2.29.2.7
RELENG_4_7
  src/UPDATING                    1.73.2.74.2.19
  src/crypto/openssh/buffer.c     1.1.1.1.2.4.2.2
  src/crypto/openssh/channels.c   1.1.1.1.2.7.2.1
  src/crypto/openssh/deattack.c   1.1.1.1.2.4.2.1
  src/crypto/openssh/misc.c       1.1.1.1.2.2.2.1
  src/crypto/openssh/session.c    1.4.2.16.2.1
  src/crypto/openssh/ssh-agent.c  1.2.2.8.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.9.2.2
  src/sys/conf/newvers.sh         1.44.2.26.2.18
RELENG_4_6
  src/UPDATING                    1.73.2.68.2.47
  src/crypto/openssh/buffer.c     1.1.1.1.2.3.4.3
  src/crypto/openssh/channels.c   1.1.1.1.2.6.2.2
  src/crypto/openssh/deattack.c   1.1.1.1.2.3.4.2
  src/crypto/openssh/misc.c       1.1.1.1.2.1.4.2
  src/crypto/openssh/session.c    1.4.2.12.2.2
  src/crypto/openssh/ssh-agent.c  1.2.2.7.4.2
  src/crypto/openssh/version.h    1.1.1.1.2.8.2.3
  src/sys/conf/newvers.sh         1.44.2.23.2.36
RELENG_4_5
  src/UPDATING                    1.73.2.50.2.48
  src/crypto/openssh/buffer.c     1.1.1.1.2.3.2.2
  src/crypto/openssh/channels.c   1.1.1.1.2.5.2.2
  src/crypto/openssh/deattack.c   1.1.1.1.2.3.2.1
  src/crypto/openssh/scp.c        1.1.1.1.2.4.2.1
  src/crypto/openssh/session.c    1.4.2.11.2.1
  src/crypto/openssh/ssh-agent.c  1.2.2.7.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.7.2.3
  src/sys/conf/newvers.sh         1.44.2.20.2.32
RELENG_4_4
  src/UPDATING                    1.73.2.43.2.49
  src/crypto/openssh/buffer.c     1.1.1.1.2.2.4.2
  src/crypto/openssh/channels.c   1.1.1.1.2.4.4.2
  src/crypto/openssh/deattack.c   1.1.1.1.2.2.4.1
  src/crypto/openssh/scp.c        1.1.1.1.2.3.4.1
  src/crypto/openssh/session.c    1.4.2.8.4.2
  src/crypto/openssh/ssh-agent.c  1.2.2.6.4.1
  src/crypto/openssh/version.h    1.1.1.1.2.5.2.4
  src/sys/conf/newvers.sh         1.44.2.17.2.40
RELENG_4_3
  src/UPDATING                    1.73.2.28.2.36
  src/crypto/openssh/buffer.c     1.1.1.1.2.2.2.2
  src/crypto/openssh/channels.c   1.1.1.1.2.4.2.2
  src/crypto/openssh/deattack.c   1.1.1.1.2.2.2.1
  src/crypto/openssh/scp.c        1.1.1.1.2.3.2.1
  src/crypto/openssh/session.c    1.4.2.8.2.2
  src/crypto/openssh/ssh-agent.c  1.2.2.6.2.1
  src/crypto/openssh/version.h    1.1.1.1.2.4.2.4
  src/sys/conf/newvers.sh         1.44.2.14.2.26
[Ports]
  ports/security/openssh-portable/Makefile                 1.75
  ports/security/openssh-portable/files/patch-buffer.c     1.2
  ports/security/openssh-portable/files/patch-deattack.c   1.1
  ports/security/openssh-portable/files/patch-misc.c       1.3
  ports/security/openssh-portable/files/patch-session.c    1.16
  ports/security/openssh-portable/files/patch-ssh-agent.c  1.1
  ports/security/openssh/Makefile                          1.122
  ports/security/openssh/files/patch-buffer.c              1.2
  ports/security/openssh/files/patch-deattack.c            1.1
  ports/security/openssh/files/patch-misc.c                1.3
  ports/security/openssh/files/patch-session.c             1.15
  ports/security/openssh/files/patch-ssh-agent.c           1.1
- -------------------------------------------------------------------------

Branch       Version string
- -------------------------------------------------------------------------
HEAD         OpenSSH_3.6.1p1 FreeBSD-20030917
RELENG_4     OpenSSH_3.5p1 FreeBSD-20030917
RELENG_5_1   OpenSSH_3.6.1p1 FreeBSD-20030917
RELENG_4_8   OpenSSH_3.5p1 FreeBSD-20030917
RELENG_4_7   OpenSSH_3.4p1 FreeBSD-20030917
RELENG_4_6   OpenSSH_3.4p1 FreeBSD-20030917
RELENG_4_5   OpenSSH_2.9 FreeBSD localisations 20030917
RELENG_4_4   OpenSSH_2.3.0 FreeBSD localisations 20030917
RELENG_4_3   OpenSSH_2.3.0 green@FreeBSD.org 20030917
- -------------------------------------------------------------------------

To view the version string of the OpenSSH server, execute the following command:

% /usr/sbin/sshd -\?

The version string is also displayed when a client connects to the server.

To view the version string of the OpenSSH client, execute the following command:

% /usr/bin/ssh -V

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/aKuVFdaIBMps37IRAj/nAJ9x7UQj1Mp0vTAZBHnjGsp/9LQLlQCfVybJ
AVHLwTVUmQXV9S2naBBX14I=
=JhlR
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Wed Sep 17 15:38:22 2003
Date: Wed, 17 Sep 2003 15:38:19 -0700 (PDT)
Message-Id: <200309172238.h8HMcJuT079015@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-03:13.sendmail
Reply-To: security-advisories@freebsd.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-03:13.sendmail                                   Security Advisory
                                                          The FreeBSD Project

Topic:          a third sendmail header parsing buffer overflow

Category:       contrib
Module:         contrib_sendmail
Announced:      2003-09-17
Credits:        Michal Zalewski
                Todd C. Miller
Affects:        All releases of FreeBSD
                FreeBSD 4-STABLE prior to the correction date
Corrected:      2003-09-17 15:18:20 UTC (RELENG_4, 4.9-PRERELEASE)
                2003-09-17 20:19:00 UTC (RELENG_5_1, 5.1-RELEASE-p5)
                2003-09-17 20:19:22 UTC (RELENG_5_0, 5.0-RELEASE-p14)
                2003-09-17 20:19:52 UTC (RELENG_4_8, 4.8-RELEASE-p7)
                2003-09-17 20:20:08 UTC (RELENG_4_7, 4.7-RELEASE-p17)
                2003-09-17 20:20:31 UTC (RELENG_4_6, 4.6-RELEASE-p20)
                2003-09-17 20:20:54 UTC (RELENG_4_5, 4.5-RELEASE-p32)
                2003-09-17 20:21:15 UTC (RELENG_4_4, 4.4-RELEASE-p42)
                2003-09-17 20:21:40 UTC (RELENG_4_3, 4.3-RELEASE-p38)
                2003-09-17 20:22:03 UTC (RELENG_3)
FreeBSD only:   NO

I.   Background

FreeBSD includes sendmail(8), a general purpose internetwork mail routing facility, as the default Mail Transfer Agent (MTA).

II.  Problem Description

A buffer overflow that may occur during header parsing was identified.

NOTE WELL: This issue is distinct from the issue described in `FreeBSD-SA-03:04.sendmail' and `FreeBSD-SA-03:07.sendmail', although the impact is very similar.

III. Impact

An attacker could create a specially crafted message that may cause sendmail to execute arbitrary code with the privileges of the user running sendmail, typically root. The malicious message might be handled (and the vulnerability triggered) by the initial sendmail MTA, by any relaying sendmail MTA, or by the delivering sendmail process.

IV.  Workaround

Disable sendmail by executing the following commands as root:

# sh /etc/rc.sendmail stop
# chmod 0 /usr/libexec/sendmail/sendmail

Be sure that sendmail is not restarted when the system is restarted by adding the following line to the end of /etc/rc.conf:

sendmail_enable="NO"
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"

V.   Solution

Do one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_1, RELENG_4_8, or RELENG_4_7 security branch dated after the correction date.

2) To patch your present system:

The following patch has been verified to apply to FreeBSD 5.1, 4.8, and 4.7 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-03:13/sendmail.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libsm
# make obj && make depend && make
# cd /usr/src/lib/libsmutil
# make obj && make depend && make
# cd /usr/src/usr.sbin/sendmail
# make obj && make depend && make && make install

c) Restart sendmail. Execute the following command as root.

# /bin/sh /etc/rc.sendmail restart

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.

Branch                                  Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.14
RELENG_5_1
  src/UPDATING                          1.251.2.6
  src/contrib/sendmail/src/parseaddr.c  1.1.1.17.2.1
  src/contrib/sendmail/src/version.c    1.1.1.19.2.1
  src/sys/conf/newvers.sh               1.50.2.7
RELENG_5_0
  src/UPDATING                          1.229.2.20
  src/contrib/sendmail/src/parseaddr.c  1.1.1.14.2.3
  src/contrib/sendmail/src/version.c    1.1.1.16.2.2
  src/sys/conf/newvers.sh               1.48.2.15
RELENG_4_8
  src/UPDATING                          1.73.2.80.2.9
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.12.2.2
  src/contrib/sendmail/src/version.c    1.1.1.3.2.14.2.2
  src/sys/conf/newvers.sh               1.44.2.29.2.8
RELENG_4_7
  src/UPDATING                          1.73.2.74.2.20
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.10.2.3
  src/contrib/sendmail/src/version.c    1.1.1.3.2.12.2.2
  src/sys/conf/newvers.sh               1.44.2.26.2.19
RELENG_4_6
  src/UPDATING                          1.73.2.68.2.48
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.8.2.3
  src/contrib/sendmail/src/version.c    1.1.1.3.2.9.2.2
  src/sys/conf/newvers.sh               1.44.2.23.2.37
RELENG_4_5
  src/UPDATING                          1.73.2.50.2.49
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.6.4.3
  src/contrib/sendmail/src/version.c    1.1.1.3.2.7.4.2
  src/sys/conf/newvers.sh               1.44.2.20.2.33
RELENG_4_4
  src/UPDATING                          1.73.2.43.2.50
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.6.2.3
  src/contrib/sendmail/src/version.c    1.1.1.3.2.7.2.2
  src/sys/conf/newvers.sh               1.44.2.17.2.41
RELENG_4_3
  src/UPDATING                          1.73.2.28.2.37
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.6.4.2.3
  src/contrib/sendmail/src/version.c    1.1.1.3.2.4.2.2
  src/sys/conf/newvers.sh               1.44.2.14.2.27
RELENG_3
  src/contrib/sendmail/src/parseaddr.c  1.1.1.2.2.3
  src/contrib/sendmail/src/version.c    1.1.1.2.2.3
- -------------------------------------------------------------------------

VII. References

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (FreeBSD)

iD8DBQE/aOHgFdaIBMps37IRAl09AKCVMKQCzC62EF7vZFnsZVoaGWpIMACfVGq0
0df1GogdqBVYUXzNBdHrwYA=
=4xqj
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Sat Sep 20 15:12:20 2003
From: "osdisc.com sales dept"
Organization: osdisc.com
To: sales@osdisc.com
Date: Sat, 20 Sep 2003 16:10:45 -0600
Message-Id: <200309201610.45506.sales@osdisc.com>
Subject: [FreeBSD-Announce] OSDisc.com donating 10% to FreeBSD Foundation

For those of you who would like to support FreeBSD but can't afford the more expensive official sets, OSDisc.com is selling it for $4.95. 10% of the profits will be donated to the FreeBSD Foundation.

http://www.osdisc.com/
http://www.osdisc.com/cgi-bin/view.cgi/donations.html
http://www.osdisc.com/cgi-bin/view.cgi/products/bsd/freebsd
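
Added example for section II (Problem Description) of FreeBSD-SA-03:12.openssh above: a small C model of the bookkeeping error, showing the flawed ordering (record the new size, then range check) beside the corrected ordering (check, reallocate, then record). It is not OpenSSH or FreeBSD source and not part of any archived message; the struct, the function names and the three size constants are assumptions, and the `real` field exists only so the mismatch can be measured without writing out of bounds.

```c
/* Added illustration, not OpenSSH or FreeBSD source.
 * All names and constants below are assumptions made for this model. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_INITIAL 4096u      /* assumed initial allocation */
#define BUF_SLACK   32768u     /* assumed headroom added on each grow */
#define BUF_MAX     0xa00000u  /* assumed ceiling enforced by the range check */

struct buffer {
    unsigned char *buf;  /* heap block */
    size_t alloc;        /* recorded size, trusted by the cleanup code */
    size_t real;         /* model only: size the heap block really has */
};

int buffer_init(struct buffer *b)
{
    b->buf = malloc(BUF_INITIAL);
    b->alloc = b->real = b->buf ? BUF_INITIAL : 0;
    return b->buf ? 0 : -1;
}

/* Flawed ordering from the advisory: the recorded size is increased first
 * and range checked afterwards. Returning -1 stands in for fatal(). */
int grow_vulnerable(struct buffer *b, size_t len)
{
    unsigned char *p;

    b->alloc += len + BUF_SLACK;      /* bookkeeping changed too early */
    if (b->alloc > BUF_MAX)
        return -1;                    /* alloc no longer matches the block */
    p = realloc(b->buf, b->alloc);
    if (p == NULL)
        return -1;                    /* same inconsistency on out of memory */
    b->buf = p;
    b->real = b->alloc;
    return 0;
}

/* Corrected ordering: compute the new size in a local, check it,
 * reallocate, and only then commit it to the structure. */
int grow_fixed(struct buffer *b, size_t len)
{
    size_t newlen;
    unsigned char *p;

    if (len > BUF_MAX)                /* also rules out size_t wrap-around */
        return -1;
    newlen = b->alloc + len + BUF_SLACK;
    if (newlen > BUF_MAX)
        return -1;
    p = realloc(b->buf, newlen);
    if (p == NULL)
        return -1;
    b->buf = p;
    b->alloc = b->real = newlen;
    return 0;
}

/* Bytes past the real block that a cleanup handler doing
 * memset(buf, 0, alloc) would overwrite with NUL bytes. */
size_t cleanup_overrun(const struct buffer *b)
{
    return b->alloc > b->real ? b->alloc - b->real : 0;
}

/* Cleanup for the model: zero only what is really allocated, then free.
 * Returns the overrun an unguarded handler would have caused. */
size_t buffer_free_model(struct buffer *b)
{
    size_t over = cleanup_overrun(b);

    if (b->buf != NULL)
        memset(b->buf, 0, b->real);
    free(b->buf);
    b->buf = NULL;
    b->alloc = b->real = 0;
    return over;
}

int main(void)
{
    struct buffer v, f;

    if (buffer_init(&v) != 0 || buffer_init(&f) != 0)
        return 1;
    grow_vulnerable(&v, BUF_MAX);     /* constructed oversized request */
    grow_fixed(&f, BUF_MAX);
    printf("vulnerable: alloc=%zu real=%zu overrun=%zu\n",
           v.alloc, v.real, cleanup_overrun(&v));
    printf("fixed:      alloc=%zu real=%zu overrun=%zu\n",
           f.alloc, f.real, cleanup_overrun(&f));
    buffer_free_model(&v);
    buffer_free_model(&f);
    return 0;
}
```

A nonzero overrun after a failed grow is the inconsistent state the revised advisory describes for buffers, channels and sockets alike; the corrected ordering leaves the recorded size untouched whenever the request is refused.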