From owner-freebsd-announce@FreeBSD.ORG Tue Dec 23 01:39:23 2008
Date: Tue, 23 Dec 2008 01:39:23 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:13.protosw

=============================================================================
FreeBSD-SA-08:13.protosw                                    Security Advisory
                                                          The FreeBSD Project

Topic:          netgraph / bluetooth privilege escalation

Category:       core
Module:         sys_kern
Announced:      2008-12-23
Credits:        Christer Oberg
Affects:        All FreeBSD releases
Corrected:      2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
                2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
                2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
                2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
                2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The FreeBSD kernel provides support for a variety of different types of
communications sockets, including IPv4, IPv6, ISDN, ATM, routing protocol,
link-layer, netgraph(4), and bluetooth sockets. As an early form of
object-oriented design, much of the functionality specific to different
types of sockets is abstracted via function pointers.

II.  Problem Description

Some function pointers for netgraph and bluetooth sockets are not
properly initialized.

III. Impact

A local user can cause the FreeBSD kernel to execute arbitrary code.
This could be used by an attacker directly; or it could be used to gain
root privilege or to escape from a jail.

IV.  Workaround

No workaround is available, but systems without local untrusted users
are not vulnerable. Furthermore, systems are not vulnerable if they have
neither the ng_socket nor ng_bluetooth kernel modules loaded or compiled
into the kernel.

Systems with the security.jail.socket_unixiproute_only sysctl set to 1
(the default) are only vulnerable if they have local untrusted users
outside of jails.

If the command

# kldstat -v | grep ng_

produces no output, the system is not vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated after the
correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
and 7.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw6x.patch.asc

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw.patch
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in and reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/sys/kern/uipc_domain.c                                     1.44.2.4
RELENG_6_4
  src/UPDATING                                             1.416.2.40.2.4
  src/sys/conf/newvers.sh                                   1.69.2.18.2.7
  src/sys/kern/uipc_domain.c                                 1.44.2.3.6.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.12
  src/sys/conf/newvers.sh                                  1.69.2.15.2.11
  src/sys/kern/uipc_domain.c                                 1.44.2.3.4.1
RELENG_7
  src/sys/kern/uipc_domain.c                                     1.51.2.2
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.2
  src/sys/kern/uipc_domain.c                                 1.51.2.1.2.2
RELENG_7_0
  src/UPDATING                                             1.507.2.3.2.11
  src/sys/conf/newvers.sh                                   1.72.2.5.2.11
  src/sys/kern/uipc_domain.c                                     1.51.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6/                                                         r186405
releng/6.4/                                                       r186405
releng/6.3/                                                       r186405
stable/7/                                                         r186405
releng/7.1/                                                       r186405
releng/7.0/                                                       r186405
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:13.protosw.asc

From owner-freebsd-announce@FreeBSD.ORG Tue Dec 23 01:39:29 2008
Date: Tue, 23 Dec 2008 01:39:29 GMT
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-08:12.ftpd

=============================================================================
FreeBSD-SA-08:12.ftpd                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Cross-site request forgery in ftpd(8)

Category:       core
Module:         ftpd
Announced:      2008-12-23
Credits:        Maksymilian Arciemowicz
Affects:        All supported versions of FreeBSD.
Corrected:      2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
                2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
                2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
                2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
                2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
                2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)
CVE Name:       CVE-2008-4247

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

ftpd(8) is a general-purpose implementation of a File Transfer Protocol
(FTP) server that is shipped with the FreeBSD base system. It is not
enabled in default installations but can be enabled as either an inetd(8)
server, or a stand-alone server.

A cross-site request forgery attack is a type of malicious exploit that is
mainly targeted to a web browser, by tricking a user trusted by the site
into visiting a specially crafted URL, which in turn executes a command
which performs some privileged operations on behalf of the trusted user on
the victim site.

II.  Problem Description

The ftpd(8) server splits long commands into several requests. This may
result in the server executing a command which is hidden inside another
very long command.

III. Impact

This could, with a specifically crafted command, be used in a cross-site
request forgery attack.

FreeBSD systems running the ftpd(8) server could act as a point of
privilege escalation in an attack against users using a web browser to
access trusted FTP sites.

IV.  Workaround

No workaround is available, but systems not running FTP servers are not
vulnerable.

Systems not running the FreeBSD ftp(8) server are not affected, but users
of other ftp daemons are advised to take care since several other ftp
daemons are known to have related bugs.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated
after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-08:12/ftpd.patch
# fetch http://security.FreeBSD.org/patches/SA-08:12/ftpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/ftpd
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                           Revision
  Path
-------------------------------------------------------------------------
RELENG_6
  src/libexec/ftpd/ftpcmd.y                                      1.64.2.3
  src/libexec/ftpd/extern.h                                     1.19.14.1
  src/libexec/ftpd/ftpd.c                                       1.206.2.4
RELENG_6_4
  src/UPDATING                                             1.416.2.40.2.4
  src/sys/conf/newvers.sh                                   1.69.2.18.2.7
  src/libexec/ftpd/ftpcmd.y                                  1.64.2.2.4.2
  src/libexec/ftpd/extern.h                                     1.19.30.2
  src/libexec/ftpd/ftpd.c                                   1.206.2.3.4.2
RELENG_6_3
  src/UPDATING                                            1.416.2.37.2.12
  src/sys/conf/newvers.sh                                  1.69.2.15.2.11
  src/libexec/ftpd/ftpcmd.y                                  1.64.2.2.2.1
  src/libexec/ftpd/extern.h                                     1.19.26.1
  src/libexec/ftpd/ftpd.c                                   1.206.2.3.2.1
RELENG_7
  src/libexec/ftpd/ftpcmd.y                                      1.66.2.1
  src/libexec/ftpd/extern.h                                     1.19.24.1
  src/libexec/ftpd/ftpd.c                                       1.212.2.1
RELENG_7_1
  src/UPDATING                                             1.507.2.13.2.2
  src/libexec/ftpd/ftpcmd.y                                      1.66.6.2
  src/libexec/ftpd/extern.h                                     1.19.32.2
  src/libexec/ftpd/ftpd.c                                       1.212.6.2
RELENG_7_0
  src/UPDATING                                             1.507.2.3.2.11
  src/sys/conf/newvers.sh                                   1.72.2.5.2.11
  src/libexec/ftpd/ftpcmd.y                                      1.66.4.1
  src/libexec/ftpd/extern.h                                     1.19.28.1
  src/libexec/ftpd/ftpd.c                                       1.212.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/6/                                                         r186405
releng/6.4/                                                       r186405
releng/6.3/                                                       r186405
stable/7/                                                         r186405
releng/7.1/                                                       r186405
releng/7.0/                                                       r186405
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4247

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc

From owner-freebsd-announce@FreeBSD.ORG Wed Dec 24 01:49:52 2008
Date: Tue, 23 Dec 2008 18:49:34 -0700
From: Deb Goodkin
To: freebsd-announce@freebsd.org
Subject: [FreeBSD-Announce] The FreeBSD Foundation End-of-Year Newsletter

Dear FreeBSD Community,

I am pleased to announce the publication of The FreeBSD Foundation's
End-of-Year Newsletter. Go to
http://www.freebsdfoundation.org/press/2008Dec-newsletter.shtml to find
out how we have supported the FreeBSD Project and community this year.

Thank You,

Deb Goodkin
The FreeBSD Foundation
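
Added example for FreeBSD-SA-08:13.protosw above (not the FreeBSD patch and not kernel source): a user-space model of the function-pointer abstraction that advisory describes, showing one common hardening pattern in which every slot a protocol leaves unset is pointed at a "not supported" stub when the protocol is registered. The names struct proto_ops, op_notsupp, proto_ops_init and demo_ops are hypothetical.

```c
/* Added illustration: a user-space model, not FreeBSD kernel source.
 * struct proto_ops, op_notsupp and proto_ops_init are hypothetical names. */
#include <errno.h>
#include <stddef.h>

struct sock;                      /* opaque in this model */

/* Per-protocol operations reached through function pointers. */
struct proto_ops {
    int (*op_connect)(struct sock *);
    int (*op_listen)(struct sock *);
    int (*op_shutdown)(struct sock *);
};

/* Safe default for any operation a protocol does not implement. */
static int op_notsupp(struct sock *so) { (void)so; return EOPNOTSUPP; }

/* Run once when a protocol is registered: every slot left NULL is pointed
 * at the stub. Returns how many slots had to be filled. */
int proto_ops_init(struct proto_ops *ops)
{
    int filled = 0;
#define DEFAULT(slot) \
    do { if (ops->slot == NULL) { ops->slot = op_notsupp; filled++; } } while (0)
    DEFAULT(op_connect);
    DEFAULT(op_listen);
    DEFAULT(op_shutdown);
#undef DEFAULT
    return filled;
}

/* Dispatchers call through the table without a NULL check; that is only
 * safe because registration guarantees every slot is populated. */
int sock_connect(const struct proto_ops *ops, struct sock *so) { return ops->op_connect(so); }
int sock_listen(const struct proto_ops *ops, struct sock *so) { return ops->op_listen(so); }

/* Constructed protocol that implements connect only; the designated
 * initializer leaves op_listen and op_shutdown as NULL. */
static int demo_connect(struct sock *so) { (void)so; return 0; }
struct proto_ops demo_ops = { .op_connect = demo_connect };

int main(void)
{
    proto_ops_init(&demo_ops);
    return sock_listen(&demo_ops, NULL) == EOPNOTSUPP ? 0 : 1;
}
```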
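
Added example for FreeBSD-SA-08:12.ftpd above (not the FreeBSD patch and not ftpd source): a reader that hands each buffer-sized chunk of a long line to the command matcher, beside a reader that rejects an overlong line and discards it through its newline. CMD_MAX, the function names and the sample input are constructed for this illustration.

```c
/* Added illustration, not ftpd source; CMD_MAX is small on purpose. */
#include <stdio.h>
#include <string.h>
#define CMD_MAX 32

/* Constructed input: an overlong line with a command-like tail, then QUIT. */
FILE *sample_input(void) {
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs("NOOP ", f);
    for (int i = 0; i < CMD_MAX - 1 - 5; i++) fputc('x', f);
    fputs("DELE notes.txt\r\nQUIT\r\n", f);
    rewind(f);
    return f;
}

/* Splitting reader: every fgets() chunk is matched as if it were a request. */
int count_split(FILE *in, const char *verb) {
    char buf[CMD_MAX];
    int hits = 0;
    while (fgets(buf, sizeof buf, in) != NULL)
        if (strncmp(buf, verb, strlen(verb)) == 0) hits++;
    return hits;
}

/* 1 = complete line, 0 = end of input, -1 = overlong/unterminated line, drained. */
int read_command(FILE *in, char *buf, size_t len) {
    int c;
    if (fgets(buf, (int)len, in) == NULL) return 0;
    if (strchr(buf, '\n') != NULL) return 1;
    while ((c = fgetc(in)) != EOF && c != '\n') { }
    return -1;
}

/* Hardened loop: only complete lines reach the verb match. */
int count_hardened(FILE *in, const char *verb) {
    char buf[CMD_MAX];
    int r, hits = 0;
    while ((r = read_command(in, buf, sizeof buf)) != 0)
        if (r == 1 && strncmp(buf, verb, strlen(verb)) == 0) hits++;
    return hits;
}
int main(void) {
    FILE *f = sample_input();
    if (f == NULL) return 1;
    int split = count_split(f, "DELE");
    rewind(f);
    printf("split=%d hardened=%d\n", split, count_hardened(f, "DELE"));
    return 0;
}
```

A server built on the second reader would answer the -1 case with an error reply and carry on with the next line.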