From owner-freebsd-announce@FreeBSD.ORG Sun May 8 05:18:28 2005
Date: Sun, 8 May 2005 05:18:27 GMT
Message-Id: <200505080518.j485IRp7011476@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:06.iir [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:06.iir                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Incorrect permissions on /dev/iir

Category:       core
Module:         sys_dev
Announced:      2005-05-06
Credits:        Christian S.J. Peron
                Andre Guibert de Bruet
Affects:        All FreeBSD 4.x releases since 4.6-RELEASE
                All FreeBSD 5.x releases prior to 5.4-RELEASE
Corrected:      2005-05-06 02:33:46 UTC (RELENG_5, 5.4-STABLE)
                2005-05-06 02:34:18 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-06 02:34:01 UTC (RELENG_5_3, 5.3-RELEASE-p11)
                2005-05-06 02:32:54 UTC (RELENG_4, 4.11-STABLE)
                2005-05-06 02:33:28 UTC (RELENG_4_11, 4.11-RELEASE-p5)
                2005-05-06 02:33:12 UTC (RELENG_4_10, 4.10-RELEASE-p10)
CVE Name:       CAN-2005-1399

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-05-06  Initial release.
v1.1  2005-05-07  Updated credits to include Andre Guibert de Bruet, who
                  was inadvertently omitted from the original advisory.

I.   Background

The iir(4) driver provides support for the Intel Integrated RAID
controllers and ICP Vortex RAID controllers.

II.  Problem Description

The default permissions on the /dev/iir device node allow unprivileged
local users to open the device and execute ioctl calls.

III. Impact

Unprivileged local users can send commands to the hardware supported by
the iir(4) driver, allowing destruction of data and possible disclosure
of data.

IV.  Workaround

Systems without hardware supported by the iir(4) driver are not affected
by this issue. On systems which are affected, as a workaround, the
permissions on /dev/iir can be changed manually. As root, execute the
following command:

# chmod 0600 /dev/iir*

On 5.x, the following commands are also needed to ensure that the
correct permissions are used after rebooting.

# echo 'perm iir* 0600' >> /etc/devfs.conf
# echo 'devfs_enable="YES"' >> /etc/rc.conf

If the administrator has created additional device nodes, or mounted
additional instances of devfs(5) elsewhere in the file system name
space, attention should be paid to ensure that either the iir device
node is not visible in those name spaces, or is similarly protected.
V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:06/iir.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch
  Path                              Revision
- -------------------------------------------------------------------------
RELENG_4
  src/sys/dev/iir/iir_ctrl.c        1.2.2.5
RELENG_4_11
  src/UPDATING                      1.73.2.91.2.6
  src/sys/conf/newvers.sh           1.44.2.39.2.9
  src/sys/dev/iir/iir_ctrl.c        1.2.2.4.12.1
RELENG_4_10
  src/UPDATING                      1.73.2.90.2.11
  src/sys/conf/newvers.sh           1.44.2.34.2.12
  src/sys/dev/iir/iir_ctrl.c        1.2.2.4.10.1
RELENG_5
  src/sys/dev/iir/iir_ctrl.c        1.15.2.2
RELENG_5_4
  src/UPDATING                      1.342.2.24.2.5
  src/sys/dev/iir/iir_ctrl.c        1.15.2.1.2.1
RELENG_5_3
  src/UPDATING                      1.342.2.13.2.14
  src/sys/conf/newvers.sh           1.62.2.15.2.16
  src/sys/dev/iir/iir_ctrl.c        1.15.4.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:06.iir.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCfEXyFdaIBMps37IRAu6WAJ9qBjsIfH7GGPRiHsvXwlkuau5kswCfXhan
YhoUBZ4gHuIXJFM1gOEAyVk=
=zRAR
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Sun May 8 22:28:33 2005
Date: Sun, 8 May 2005 22:28:33 GMT
Message-Id: <200505082228.j48MSXdo067415@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:08.kmem [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:08.kmem                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Local kernel memory disclosure

Category:       core
Module:         sys
Announced:      2005-05-06
Credits:        Christian S.J. Peron
                Uwe Doering
Affects:        All FreeBSD releases prior to 5.4-RELEASE
Corrected:      2005-05-08 10:19:37 UTC (RELENG_5, 5.4-STABLE)
                2005-05-07 03:58:26 UTC (RELENG_5_4, 5.4-RELEASE)
                2005-05-08 10:23:52 UTC (RELENG_5_3, 5.3-RELEASE-p14)
                2005-05-08 10:26:42 UTC (RELENG_4, 4.11-STABLE)
                2005-05-08 10:29:54 UTC (RELENG_4_11, 4.11-RELEASE-p8)
                2005-05-08 10:35:56 UTC (RELENG_4_10, 4.10-RELEASE-p13)
CVE Name:       CAN-2005-1406

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-05-06  Initial release.
v1.1  2005-05-07  Updated patch to include related issues reported by
                  Uwe Doering.

I.   Background

In many parts of the FreeBSD kernel, names (of mount points, devices,
files, etc.) are manipulated as NULL-terminated strings, but are provided
to applications within fixed-length buffers.

II.  Problem Description

In several places, variable-length strings were copied into fixed-length
buffers without zeroing the unused portion of the buffer.

III. Impact

The previous contents of part of the fixed-length buffers will be
disclosed to applications. Such memory might contain sensitive
information, such as portions of the file cache or terminal buffers.
This information might be directly useful, or it might be leveraged to
obtain elevated privileges in some way. For example, a terminal buffer
might include a user-entered password.

IV.  Workaround

No workaround is available.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
and 5.3 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem4x.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5x.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:08/kmem5x.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch
  Path                              Revision
- -------------------------------------------------------------------------
RELENG_4
  src/sys/kern/uipc_usrreq.c        1.54.2.11
  src/sys/kern/vfs_subr.c           1.249.2.32
  src/sys/net/if_mib.c              1.8.2.3
  src/sys/netinet/ip_divert.c       1.42.2.8
  src/sys/netinet/raw_ip.c          1.64.2.20
  src/sys/netinet/tcp_subr.c        1.73.2.34
  src/sys/netinet/udp_usrreq.c      1.64.2.20
RELENG_4_11
  src/UPDATING                      1.72.2.91.2.9
  src/sys/conf/newvers.sh           1.44.2.39.2.12
  src/sys/kern/uipc_usrreq.c        1.54.2.10.8.1
  src/sys/kern/vfs_subr.c           1.249.2.31.6.1
  src/sys/net/if_mib.c              1.8.2.2.2.1
  src/sys/netinet/ip_divert.c       1.42.2.7.2.1
  src/sys/netinet/raw_ip.c          1.64.2.19.2.1
  src/sys/netinet/tcp_subr.c        1.73.2.33.4.1
  src/sys/netinet/udp_usrreq.c      1.64.2.19.6.1
RELENG_4_10
  src/UPDATING                      1.73.2.90.2.14
  src/sys/conf/newvers.sh           1.44.2.34.2.15
  src/sys/kern/uipc_usrreq.c        1.54.2.10.6.1
  src/sys/kern/vfs_subr.c           1.249.2.31.4.1
  src/sys/net/if_mib.c              1.8.2.1.16.2
  src/sys/netinet/ip_divert.c       1.42.2.6.6.1
  src/sys/netinet/raw_ip.c          1.64.2.18.4.1
  src/sys/netinet/tcp_subr.c        1.73.2.33.2.1
  src/sys/netinet/udp_usrreq.c      1.64.2.19.4.1
RELENG_5
  src/sys/kern/subr_bus.c           1.156.2.7
  src/sys/kern/uipc_usrreq.c        1.138.2.14
  src/sys/kern/vfs_subr.c           1.522.2.5
  src/sys/net/if_mib.c              1.13.4.2
  src/sys/netinet/ip_divert.c       1.98.2.3
  src/sys/netinet/raw_ip.c          1.142.2.5
  src/sys/netinet/tcp_subr.c        1.201.2.18
  src/sys/netinet/udp_usrreq.c      1.162.2.8
RELENG_5_4
  src/UPDATING                      1.342.2.24.2.9
  src/sys/kern/subr_bus.c           1.156.2.5.2.1
  src/sys/kern/uipc_usrreq.c        1.138.2.13.2.1
  src/sys/kern/vfs_subr.c           1.522.2.4.2.1
  src/sys/net/if_mib.c              1.13.4.1.2.1
  src/sys/netinet/ip_divert.c       1.98.2.2.2.1
  src/sys/netinet/raw_ip.c          1.142.2.4.2.1
  src/sys/netinet/tcp_subr.c        1.201.2.15.2.1
  src/sys/netinet/udp_usrreq.c      1.162.2.7.2.1
RELENG_5_3
  src/UPDATING                      1.342.2.13.2.17
  src/sys/conf/newvers.sh           1.62.2.15.2.19
  src/sys/kern/subr_bus.c           1.156.2.2.2.1
  src/sys/kern/uipc_usrreq.c        1.138.2.2.2.2
  src/sys/kern/vfs_subr.c           1.522.2.1.2.1
  src/sys/net/if_mib.c              1.13.6.1
  src/sys/netinet/ip_divert.c       1.98.4.1
  src/sys/netinet/raw_ip.c          1.142.2.2.2.1
  src/sys/netinet/tcp_subr.c        1.201.2.1.2.2
  src/sys/netinet/udp_usrreq.c      1.162.2.3.2.1
- -------------------------------------------------------------------------

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:08.kmem.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCfe9TFdaIBMps37IRAoANAJ9SvXgbD8c2Pw4akOWba95PklG1NgCeOPce
Ib7DiBQuu7LR2ZG70BP+eKQ=
=8wrv
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Mon May 9 21:02:00 2005
Date: Mon, 9 May 2005 17:01:58 -0400
From: Ken Smith
To: freebsd-announce@freebsd.org
Message-ID: <20050509210158.GA9844@bloom.cse.buffalo.edu>
Subject: [FreeBSD-Announce] FreeBSD 5.4-RELEASE is now available

The Release Engineering Team is happy to announce the availability of
FreeBSD 5.4-RELEASE, the latest release of the FreeBSD Stable
development branch. Since FreeBSD 5.3-RELEASE in November 2004 we have
made many improvements in functionality, stability, performance, and
device driver support for some hardware, as well as dealt with known
security issues and made many bugfixes.

For a complete list of new features, known problems, and late-breaking
news, please see the release notes and errata list, available here:

  http://www.FreeBSD.org/releases/5.4R/relnotes.html
  http://www.FreeBSD.org/releases/5.4R/errata.html

FreeBSD 5.4 will become an "Errata Branch". In addition to Security
fixes other well-tested fixes to basic functionality will be committed
to the RELENG_5.4 branch after the release. Both Security Advisories
and Errata Notices are announced on the freebsd-announce@freebsd.org
mailing list.

It is expected there will be at least one more release from the RELENG_5
branch, most likely two. The current plans are for the RELENG_6 branch
to be created within the next few months, and an initial 6.0-RELEASE
will be made a few months afterwards. There will be a 5.5-RELEASE
following a few months after the 6.0-RELEASE.

For more information about FreeBSD release engineering activities,
please see:

  http://www.FreeBSD.org/releng/

Dedication
----------

The FreeBSD 5.4 Release is dedicated to the memory of Cameron Grant.
Cameron was an active FreeBSD Developer and principal architect of the
sound driver subsystem despite his physical handicap. His is a superb
example of human spirit dominating over adversity. Cameron was an
inspiration to those who met him; he will be fondly remembered and
sorely missed.

Availability
------------

FreeBSD 5.4-RELEASE supports the i386, amd64, ia64, pc98, sparc64, and
alpha architectures and can be installed directly over the net, using
bootable media, or copied to a local NFS/FTP server. Distributions for
all architectures except alpha are available now. The distribution for
alpha should become available within the next day or two.

Please continue to support the FreeBSD Project by purchasing media from
one of our supporting vendors. The following companies will be offering
FreeBSD 5.4 based products:

  FreeBSD Mall, Inc.        http://www.freebsdmall.com/
  Daemonnews, Inc.          http://www.bsdmall.com/freebsd1.html

If you can not afford FreeBSD on media, are impatient, or just want to
use it for evangelism purposes, then by all means download the ISO
images. We can not promise that all the mirror sites will carry the
larger ISO images. At the time of this announcement they are available
from the following sites. MD5 checksums for the release images are
included at the bottom of this message.

Bittorrent
----------

As with the 5.3 release we are experimenting with Bittorrent. A
collection of trackers for the release ISO images is available at

  http://people.freebsd.org/~kensmith/5.4-torrent/

FTP
---

At the time of this announcement the following FTP sites have
FreeBSD 5.4-RELEASE available.

  ftp://ftp.FreeBSD.org/pub/FreeBSD/
  ftp://ftp2.FreeBSD.org/pub/FreeBSD/
  ftp://ftp3.FreeBSD.org/pub/FreeBSD/
  ftp://ftp5.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.at.FreeBSD.org/pub/FreeBSD/
  ftp://ftp2.ch.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.cz.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.ee.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.es.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.fi.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.fr.FreeBSD.org/pub/FreeBSD/
  ftp://ftp2.ie.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.is.FreeBSD.org/pub/FreeBSD/
  ftp://ftp5.pl.FreeBSD.org/pub/FreeBSD/
  ftp://ftp3.ru.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.se.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.si.FreeBSD.org/pub/FreeBSD/
  ftp://ftp2.tw.FreeBSD.org/pub/FreeBSD/
  ftp://ftp.uk.FreeBSD.org/pub/FreeBSD/
  ftp://ftp2.us.FreeBSD.org/pub/FreeBSD/
  ftp://ftp5.us.FreeBSD.org/pub/FreeBSD/

FreeBSD is also available via anonymous FTP from mirror sites in the
following countries and territories: Argentina, Australia, Austria,
Brazil, Canada, China, Croatia, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hong Kong, Hungary, Iceland,
Indonesia, Ireland, Italy, Japan, Korea, Lithuania, Netherlands,
New Zealand, Norway, Poland, Portugal, Romania, Russia, Saudi Arabia,
Singapore, Slovak Republic, Slovenia, South Africa, Spain, Sweden,
Switzerland, Taiwan, Turkey, Ukraine, United Kingdom, and the United
States.

Before trying the central FTP site, please check your regional
mirror(s) first by going to:

  ftp://ftp..FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites and the current list of all
active mirror sites can be found at:

  http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD, please see Chapter 2 of The
FreeBSD Handbook. It provides a complete installation walk-through for
users new to FreeBSD, and can be found online at:

  http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html

Acknowledgments
---------------

The FreeBSD Developers deserve the most thanks. Without their efforts
FreeBSD would not exist.

Many companies donated equipment, network access, or man-hours to
finance the release engineering activities for FreeBSD 5.4 including
The FreeBSD Mall, Hewlett Packard, Yahoo!, Sentex Communications, and
NTT/Verio.

The release engineering team for 5.4-RELEASE includes:

  Scott Long           Release Engineering
  Robert Watson        Release Engineering, Security
  John Baldwin         Release Engineering
  Ken Smith            Release Engineering, amd64, i386, sparc64
                       Release Building, Mirror Site Coordination
  Hiroki Sato          Release Engineering, Documentation
  Doug White           Release Engineering
  Murray Stokely       Release Engineering, Documentation
  Wilko Bulte          Alpha Release Building
  Marcel Moolenaar     ia64 Release Building
  Takahashi Yoshihiro  pc98 Release Building
  Kris Kennaway        Package Building
  Joe Marcus Clarke    Package Building
  Jacques A. Vidrine   Security Officer
  Paul Saab            Bittorrent Coordination

CD Image Checksums
------------------

-ken

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (FreeBSD)

iD8DBQFCf8/D/G14VSmup/YRAjBdAJ9b0k7UTRNk1o+HjFHhDEaNPuqpNwCgh3Gl
jvSWO24jgyS89JC0QFNBitI=
=rDZp
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Fri May 13 00:38:35 2005
Date: Fri, 13 May 2005 00:38:35 GMT
Message-Id: <200505130038.j4D0cZhc085972@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:09.htt

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:09.htt                                        Security Advisory
                                                          The FreeBSD Project

Topic:          information disclosure when using HTT

Category:       core
Module:         sys
Announced:      2005-05-13
Revised:        2005-05-13
Credits:        Colin Percival
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
                2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
                2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
                2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE Name:       CAN-2005-0109

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

"Hyper-Threading Technology" is the name used for the implementation of
simultaneous multithreading on Intel Pentium 4, Mobile Pentium 4, and
Xeon processors.

II.  Problem Description

A security flaw involving operating systems running on Hyper-Threading
Technology processors has been reported. Complete details are not
available at the time of this writing. However, a workaround has been
issued. It is expected that more details will be available tomorrow, at
which time a revised version of this advisory will be published.

III. Impact

Information may be disclosed to local users, allowing in many cases for
privilege escalation.

IV.  Workaround

Systems not using processors with Hyper-Threading support are not
affected by this issue. On systems which are affected, the security
flaw can be eliminated by setting the "machdep.hlt_logical_cpus"
tunable:

# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf

The system must be rebooted in order for tunables to take effect.

Use of this workaround is not recommended on "dual-core" systems, as
this workaround will also disable one of the processor cores.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc

[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

NOTE: For users that are certain that their environment is not affected
by this vulnerability, such as single-user systems, Hyper-Threading
Technology may be re-enabled by setting the tunable
"machdep.hyperthreading_allowed".

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch
  Path                              Revision
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/i386/mp_machdep.c    1.115.2.23
  src/sys/i386/include/cpufunc.h    1.96.2.4
RELENG_4_11
  src/UPDATING                      1.73.2.91.2.10
  src/sys/conf/newvers.sh           1.44.2.39.2.13
  src/sys/i386/i386/mp_machdep.c    1.115.2.22.2.1
  src/sys/i386/include/cpufunc.h    1.96.2.3.12.1
RELENG_4_10
  src/UPDATING                      1.73.2.90.2.15
  src/sys/conf/newvers.sh           1.44.2.34.2.16
  src/sys/i386/i386/mp_machdep.c    1.115.2.20.2.1
  src/sys/i386/include/cpufunc.h    1.96.2.3.10.1
RELENG_5
  src/sys/amd64/amd64/mp_machdep.c  1.242.2.11
  src/sys/amd64/include/cpufunc.h   1.145.2.1
  src/sys/i386/i386/mp_machdep.c    1.235.2.10
  src/sys/i386/include/cpufunc.h    1.142.2.1
RELENG_5_4
  src/UPDATING                      1.342.2.24.2.10
  src/sys/amd64/amd64/mp_machdep.c  1.242.2.7.2.4
  src/sys/amd64/include/cpufunc.h   1.145.6.1
  src/sys/conf/newvers.sh           1.62.2.18.2.6
  src/sys/i386/i386/mp_machdep.c    1.235.2.6.2.3
  src/sys/i386/include/cpufunc.h    1.142.6.1
RELENG_5_3
  src/UPDATING                      1.342.2.13.2.18
  src/sys/amd64/amd64/mp_machdep.c  1.242.2.2.2.2
  src/sys/amd64/include/cpufunc.h   1.145.4.1
  src/sys/conf/newvers.sh           1.62.2.15.2.20
  src/sys/i386/i386/mp_machdep.c    1.235.2.3.2.2
  src/sys/i386/include/cpufunc.h    1.142.4.1
- -------------------------------------------------------------------------

VII. References

http://www.daemonology.net/hyperthreading-considered-harmful/

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc

-----BEGIN PGP SIGNATURE-----

iD8DBQFCg/RTFdaIBMps37IRAsPSAJ4tjVMklYy1N4QOWlDyVEAORkz+hACgmwMB
vDnIfC+nobvQbb6onu7XkBc=
=Yawq
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Fri May 13 15:25:01 2005
Date: Fri, 13 May 2005 15:25:00 GMT
Message-Id: <200505131525.j4DFP0pR029309@freefall.freebsd.org>
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-05:09.htt [REVISED]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-05:09.htt                                        Security Advisory
                                                          The FreeBSD Project

Topic:          information disclosure when using HTT

Category:       core
Module:         sys
Announced:      2005-05-13
Revised:        2005-05-13
Credits:        Colin Percival
Affects:        All FreeBSD/i386 and FreeBSD/amd64 releases.
Corrected:      2005-05-13 00:13:00 UTC (RELENG_5, 5.4-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_5_4, 5.4-RELEASE-p1)
                2005-05-13 00:13:00 UTC (RELENG_5_3, 5.3-RELEASE-p15)
                2005-05-13 00:13:00 UTC (RELENG_4, 4.11-STABLE)
                2005-05-13 00:13:00 UTC (RELENG_4_11, 4.11-RELEASE-p9)
                2005-05-13 00:13:00 UTC (RELENG_4_10, 4.10-RELEASE-p14)
CVE Name:       CAN-2005-0109

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

0.   Revision History

v1.0  2005-05-13  Initial release.
v1.1  2005-05-13  Additional details.

I.   Background

Sharing the execution resources of a superscalar processor between
multiple execution threads is referred to as "simultaneous
multithreading". "Hyper-Threading Technology" or HTT is the name used
for the implementation of simultaneous multithreading on Intel Pentium
4, Mobile Pentium 4, and Xeon processors. HTT involves sharing certain
CPU resources between multiple threads, including memory caches.
FreeBSD supports HTT when using a kernel compiled with the SMP option.

II.  Problem Description

When running on processors supporting Hyper-Threading Technology, it is
possible for a malicious thread to monitor the execution of another
thread.

NOTE: Similar problems may exist in other simultaneous multithreading
implementations, or even some systems in the absence of simultaneous
multithreading. However, current research has only demonstrated this
flaw in Hyper-Threading Technology, where shared memory caches are
used.

III. Impact

Information may be disclosed to local users, allowing in many cases for
privilege escalation.
For example, on a multi-user system, it may be possible to steal
cryptographic keys used in applications such as OpenSSH or SSL-enabled
web servers.

IV.  Workaround

Systems not using processors with Hyper-Threading Technology support
are not affected by this issue. On systems which are affected, the
security flaw can be eliminated by setting the
"machdep.hlt_logical_cpus" tunable:

# echo "machdep.hlt_logical_cpus=1" >> /boot/loader.conf

The system must be rebooted in order for tunables to take effect.

Use of this workaround is not recommended on "dual-core" systems, as
this workaround will also disable one of the processor cores.

V.   Solution

Disable Hyper-Threading Technology on processors that support it.

NOTE: It is expected that future work in cryptographic libraries and
operating system schedulers may remedy this problem for many or most
users, without necessitating the disabling of Hyper-Threading
Technology. Future advisories will address individual cases.

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the
RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch
dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.10, 4.11,
5.3, and 5.4 systems.

a) Download the relevant patch from the location below and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.10]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt410.patch.asc

[FreeBSD 4.11]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt411.patch.asc

[FreeBSD 5.x]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-05:09/htt5.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

NOTE: For users that are certain that their environment is not affected
by this vulnerability, such as single-user systems, Hyper-Threading
Technology may be re-enabled by setting the tunable
"machdep.hyperthreading_allowed".

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch
  Path                              Revision
- -------------------------------------------------------------------------
RELENG_4
  src/sys/i386/i386/mp_machdep.c    1.115.2.23
  src/sys/i386/include/cpufunc.h    1.96.2.4
RELENG_4_11
  src/UPDATING                      1.73.2.91.2.10
  src/sys/conf/newvers.sh           1.44.2.39.2.13
  src/sys/i386/i386/mp_machdep.c    1.115.2.22.2.1
  src/sys/i386/include/cpufunc.h    1.96.2.3.12.1
RELENG_4_10
  src/UPDATING                      1.73.2.90.2.15
  src/sys/conf/newvers.sh           1.44.2.34.2.16
  src/sys/i386/i386/mp_machdep.c    1.115.2.20.2.1
  src/sys/i386/include/cpufunc.h    1.96.2.3.10.1
RELENG_5
  src/sys/amd64/amd64/mp_machdep.c  1.242.2.11
  src/sys/amd64/include/cpufunc.h   1.145.2.1
  src/sys/i386/i386/mp_machdep.c    1.235.2.10
  src/sys/i386/include/cpufunc.h    1.142.2.1
RELENG_5_4
  src/UPDATING                      1.342.2.24.2.10
  src/sys/amd64/amd64/mp_machdep.c  1.242.2.7.2.4
  src/sys/amd64/include/cpufunc.h   1.145.6.1
  src/sys/conf/newvers.sh           1.62.2.18.2.6
  src/sys/i386/i386/mp_machdep.c    1.235.2.6.2.3
  src/sys/i386/include/cpufunc.h    1.142.6.1
RELENG_5_3
  src/UPDATING                      1.342.2.13.2.18
  src/sys/amd64/amd64/mp_machdep.c  1.242.2.2.2.2
  src/sys/amd64/include/cpufunc.h   1.145.4.1
  src/sys/conf/newvers.sh           1.62.2.15.2.20
  src/sys/i386/i386/mp_machdep.c    1.235.2.3.2.2
  src/sys/i386/include/cpufunc.h    1.142.4.1
- -------------------------------------------------------------------------

VII. References

http://www.daemonology.net/hyperthreading-considered-harmful/

The latest revision of this advisory is available at
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-05:09.htt.asc

-----BEGIN PGP SIGNATURE-----

iD8DBQFChJA4FdaIBMps37IRAo8nAJ9w7xtIF0atnxiKDhFOpBXEZQDtZQCghWdM
qc5lGST7l+iJEYN/7zTNUPY=
=WqEa
-----END PGP SIGNATURE-----
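
Added example, not part of any message above and not FreeBSD source: the bug class described in FreeBSD-SA-05:08.kmem (a variable-length string copied into a fixed-length buffer whose unused portion is not zeroed), shown beside the corrected pattern. The struct, the function names, the recycled buffer standing in for kernel memory and its stale contents are all constructed for illustration.

```c
/* Added illustration of the bug class in FreeBSD-SA-05:08.kmem.
 * Not FreeBSD source: struct, functions and data are constructed. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 32

/* Hypothetical fixed-length record returned to applications. */
struct name_rec {
    char name[NAME_LEN];
};

/* Stand-in for a recycled kernel buffer (stack slot, allocator chunk). */
static struct name_rec scratch;

/* Constructed "previous contents" of that buffer: 32 non-zero bytes. */
static const char STALE[] = "pw=constructed-secret-0123456789";

/* Flawed pattern: only the string and its terminator are written. */
static void fill_unsafe(struct name_rec *r, const char *src)
{
    size_t n = strlen(src);

    if (n >= NAME_LEN)
        n = NAME_LEN - 1;
    memcpy(r->name, src, n);
    r->name[n] = '\0';
}

/* Corrected pattern: zero the whole fixed-length buffer, then copy. */
static void fill_zeroed(struct name_rec *r, const char *src)
{
    memset(r, 0, sizeof(*r));
    fill_unsafe(r, src);
}

/* Count non-zero bytes that follow the first NUL terminator. */
static size_t stale_bytes(const unsigned char *buf, size_t len)
{
    size_t i = 0, count = 0;

    while (i < len && buf[i] != 0)
        i++;
    for (; i < len; i++)
        if (buf[i] != 0)
            count++;
    return count;
}

/*
 * Reuse the dirty buffer, fill it with `name`, and hand the whole record
 * to the caller the way a copy of sizeof(struct) bytes to an application
 * would. Returns how many leftover bytes reached the application buffer.
 */
size_t run_case(int zeroed, const char *name, unsigned char out[NAME_LEN])
{
    memcpy(scratch.name, STALE, NAME_LEN);   /* earlier use of the memory */
    if (zeroed)
        fill_zeroed(&scratch, name);
    else
        fill_unsafe(&scratch, name);
    memcpy(out, &scratch, sizeof(scratch));  /* full-length copy to app */
    return stale_bytes(out, NAME_LEN);
}

int main(void)
{
    unsigned char out[NAME_LEN];
    size_t leaked;

    leaked = run_case(0, "da0", out);
    printf("unzeroed: %zu stale bytes follow \"%s\"\n", leaked,
        (const char *)out);
    leaked = run_case(1, "da0", out);
    printf("zeroed:   %zu stale bytes follow \"%s\"\n", leaked,
        (const char *)out);
    return 0;
}
```

The application sees a correctly terminated name in both cases; only an inspection of the bytes past the terminator shows the difference, which is why this class of leak is easy to miss in review.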