From owner-freebsd-announce@FreeBSD.ORG Mon Jan 5 04:40:20 2009
From: Ken Smith <kensmith@FreeBSD.org>
To: freebsd-announce@freebsd.org
Date: Sun, 4 Jan 2009 23:29:51 -0500
Message-ID: <20090105042951.GA9039@myers.cse.buffalo.edu>
Subject: [FreeBSD-Announce] FreeBSD 7.1-RELEASE Available

The FreeBSD Release Engineering Team is pleased to announce the availability of FreeBSD 7.1-RELEASE. This is the second release from the 7-STABLE branch which improves on the functionality of FreeBSD 7.0 and introduces some new features.
Some of the highlights:

- The ULE scheduler is now the default in GENERIC kernels for amd64 and i386 architectures. The ULE scheduler significantly improves performance on multicore systems for many workloads.
- Support for using DTrace inside the kernel has been imported from OpenSolaris. DTrace is a comprehensive dynamic tracing framework.
- A new and much-improved NFS Lock Manager (NLM) client.
- Boot loader changes allow, among other things, booting from USB devices and booting from GPT-labeled devices.
- The cpuset(2) system call and cpuset(1) command have been added, providing an API for thread to CPU binding and CPU resource grouping and assignment.
- KDE updated to 3.5.10, GNOME updated to 2.22.3.
- DVD-sized media for the amd64 and i386 architectures.

For a complete list of new features and known problems, please see the online release notes and errata list, available at:

  http://www.FreeBSD.org/releases/7.1R/relnotes.html
  http://www.FreeBSD.org/releases/7.1R/errata.html

For more information about FreeBSD release engineering activities, please see:

  http://www.FreeBSD.org/releng/

Availability
------------

FreeBSD 7.1-RELEASE is now available for the amd64, i386, ia64, pc98, powerpc, and sparc64 architectures.

FreeBSD 7.1 can be installed from bootable ISO images or over the network; the required files can be downloaded via FTP or BitTorrent as described in the sections below. While some of the smaller FTP mirrors may not carry all architectures, they will all generally contain the more common ones, such as i386 and amd64. MD5 and SHA256 hashes for the release ISO images are included at the bottom of this message.

The purpose of the ISO images provided as part of the release is as follows:

dvd1: Contains everything necessary to install the base FreeBSD operating system, a collection of pre-built packages, the documentation, and supports booting into a "livefs" based rescue mode. This should be all you need if you can burn and use DVD-sized media.
disc1, disc2, disc3, livefs, docs: disc1 contains the base FreeBSD system and a few pre-built packages. disc2 and disc3 contain more pre-built packages. Those three can be burned to CDROM sized media and should be all you need to do a normal installation. livefs contains support for entering into a "livefs" based rescue mode but you need disc1 to do the initial boot first. docs contains the documentation.

bootonly: This supports booting a machine using the CDROM drive but does not contain the support for installing FreeBSD from the CD itself; you would need to perform a network based install (e.g. from an FTP server) after booting from the CD.

FreeBSD 7.1-RELEASE can also be purchased on CD-ROM or DVD from several vendors. One of the vendors that will be offering FreeBSD 7.1-based products is:

  FreeBSD Mall, Inc.
  http://www.freebsdmall.com/

BitTorrent
----------

7.1-RELEASE ISOs are available via BitTorrent. A collection of torrent files to download the images is available at:

  http://torrents.freebsd.org:8080/

FTP
---

At the time of this announcement the following FTP sites have FreeBSD 7.1-RELEASE available.
  ftp://ftp.freebsd.org/pub/FreeBSD/
  ftp://ftp3.freebsd.org/pub/FreeBSD/
  ftp://ftp7.freebsd.org/pub/FreeBSD/
  ftp://ftp10.freebsd.org/pub/FreeBSD/
  ftp://ftp12.freebsd.org/pub/FreeBSD/
  ftp://ftp.at.freebsd.org/pub/FreeBSD/
  ftp://ftp.au.freebsd.org/pub/FreeBSD/
  ftp://ftp.cz.freebsd.org/pub/FreeBSD/
  ftp://ftp.dk.freebsd.org/pub/FreeBSD/
  ftp://ftp.fr.freebsd.org/pub/FreeBSD/
  ftp://ftp2.ie.freebsd.org/pub/FreeBSD/
  ftp://ftp2.ru.freebsd.org/pub/FreeBSD/
  ftp://ftp.se.freebsd.org/pub/FreeBSD/
  ftp://ftp.si.freebsd.org/pub/FreeBSD/
  ftp://ftp.tw.freebsd.org/pub/FreeBSD/
  ftp://ftp2.uk.freebsd.org/pub/FreeBSD/
  ftp://ftp3.us.freebsd.org/pub/FreeBSD/
  ftp://ftp7.us.freebsd.org/pub/FreeBSD/
  ftp://ftp10.us.freebsd.org/pub/FreeBSD/
  ftp://ftp11.us.freebsd.org/pub/FreeBSD/

However before trying these sites please check your regional mirror(s) first by going to:

  ftp://ftp.<yourdomain>.FreeBSD.org/pub/FreeBSD

Any additional mirror sites will be labeled ftp2, ftp3 and so on.

More information about FreeBSD mirror sites can be found at:

  http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html

For instructions on installing FreeBSD, please see Chapter 2 of The FreeBSD Handbook. It provides a complete installation walk-through for users new to FreeBSD, and can be found online at:

  http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/install.html

Updating Existing Systems
-------------------------

NOTE: If updating from a 7.0 or earlier system, due to a change in the vendor's drivers certain Intel NICs will now come up as igb(4) instead of em(4). We normally try to avoid changes like that in stable branches but the vendor felt it necessary in order to support the new adapters. See the UPDATING entry dated 20080811 for details. There are only 3 PCI IDs that should have their name changed from em(4) to igb(4): 0x10A78086, 0x10A98086, and 0x10D68086.
You should be able to determine if your card will change names by running the command "pciconf -l", and for the line representing your NIC (should be named em on older systems, e.g. em0 or em1, etc) check the fourth column. If that says "chip=0x10a78086" (or one of the other two IDs given above) you will have the adapter's name change.

Updates from Source
-------------------

The procedure for doing a source code based update is described in the FreeBSD Handbook:

  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/synching.html
  http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

The branch tag to use for updating the source is RELENG_7_1.

FreeBSD Update
--------------

The freebsd-update(8) utility supports binary upgrades of i386 and amd64 systems running earlier FreeBSD releases. Systems running 7.0-RELEASE, 7.1-BETA, 7.1-BETA2, 7.1-RC1, or 7.1-RC2 can upgrade as follows:

  # freebsd-update upgrade -r 7.1-RELEASE

During this process, FreeBSD Update may ask the user to help by merging some configuration files or by confirming that the automatically performed merging was done correctly.

  # freebsd-update install

The system must be rebooted with the newly installed kernel before continuing.

  # shutdown -r now

After rebooting, freebsd-update needs to be run again to install the new userland components, and the system needs to be rebooted again:

  # freebsd-update install
  # shutdown -r now

Users of Intel network interfaces which are changing their name from "em" to "igb" should make necessary changes to configuration files BEFORE running freebsd-update, since otherwise the network interface will not be configured appropriately after rebooting for the first time.
Users of earlier FreeBSD releases (FreeBSD 6.x) can also use freebsd-update to upgrade to FreeBSD 7.1, but will be prompted to rebuild all third-party applications (e.g., anything installed from the ports tree) after the second invocation of "freebsd-update install", in order to handle differences in the system libraries between FreeBSD 6.x and FreeBSD 7.x. For more information, see:

  http://www.daemonology.net/blog/2007-11-11-freebsd-major-version-upgrade.html

Support
-------

The FreeBSD Security Team currently plans to support FreeBSD 7.1 until January 31st 2011. For more information on the Security Team and their support of the various FreeBSD branches see:

  http://www.freebsd.org/security/

Acknowledgments
---------------

Many companies donated equipment, network access, or man-hours to support the release engineering activities for FreeBSD 7.1 including The FreeBSD Foundation, FreeBSD Systems, Hewlett-Packard, Yahoo!, Network Appliances, and Sentex Communications.

The release engineering team for 7.1-RELEASE includes:

  Ken Smith            Release Engineering, amd64, i386, sparc64 Release Building, Mirror Site Coordination
  Robert Watson        Release Engineering, Security
  Konstantin Belousov  Release Engineering
  Marc Fonvieille      Release Engineering, Documentation
  Maxime Henrion       Release Engineering
  Bruce A. Mah         Release Engineering, Documentation
  George Neville-Neil  Release Engineering
  Hiroki Sato          Release Engineering, Documentation
  Murray Stokely       Release Engineering
  Marcel Moolenaar     ia64, powerpc Release Building
  Takahashi Yoshihiro  PC98 Release Building
  Kris Kennaway        Package Building
  Joe Marcus Clarke    Package Building
  Erwin Lansing        Package Building
  Mark Linimon         Package Building
  Pav Lucistnik        Package Building
  Colin Percival       Security Officer
  Peter Wemm           Bittorrent Coordination

Trademark
---------

FreeBSD is a registered trademark of The FreeBSD Foundation.
ISO Image Checksums
-------------------

MD5 (7.1-RELEASE-amd64-bootonly.iso) = f127de85eb1f3a945b56ef750fa610ae
MD5 (7.1-RELEASE-amd64-disc1.iso) = ac88bfa3359aea242450d74c20347bde
MD5 (7.1-RELEASE-amd64-disc2.iso) = 918d89e3ee330f5bd13535bc82def802
MD5 (7.1-RELEASE-amd64-disc3.iso) = d01747e4de48acb052f827d723ef9672
MD5 (7.1-RELEASE-amd64-docs.iso) = 4558db657d0b021849c2b1a802e1bea4
MD5 (7.1-RELEASE-amd64-dvd1.iso) = df1a3604d4f99b7cf3511d42d33c550a
MD5 (7.1-RELEASE-amd64-livefs.iso) = 83dd8e10ff27f8799c66bd4bd26ac5b3
MD5 (7.1-RELEASE-i386-bootonly.iso) = 6988cd1662a03e5465cb38b1100a28eb
MD5 (7.1-RELEASE-i386-disc1.iso) = ebdea2ebae35597bed323047cd70bcf2
MD5 (7.1-RELEASE-i386-disc2.iso) = e20444a71dd709d92f3340323e58535c
MD5 (7.1-RELEASE-i386-disc3.iso) = e64fab3db2917e1ba15bc72ab2af35f6
MD5 (7.1-RELEASE-i386-docs.iso) = e04e8dc0261fc947efb699faf8852eb8
MD5 (7.1-RELEASE-i386-dvd1.iso) = bbb47ab60bda55270ddd9ff4f73b9dc8
MD5 (7.1-RELEASE-i386-livefs.iso) = 148b2aae58b4a9e27970ff77b5dd6f08
MD5 (7.1-RELEASE-ia64-bootonly.iso) = 43c55b764bcc0b6c7ec07037cdca12a7
MD5 (7.1-RELEASE-ia64-disc1.iso) = 47ffbdbdf8b258c6b1018e3a75b3cab3
MD5 (7.1-RELEASE-ia64-disc2.iso) = e603d24d1c8e21dbc8e85e4bf30f0482
MD5 (7.1-RELEASE-ia64-disc3.iso) = ef356f4e4efc7258899a9ead3fa834ea
MD5 (7.1-RELEASE-ia64-docs.iso) = 7dba36505623251068e7fc1f06099634
MD5 (7.1-RELEASE-ia64-livefs.iso) = d3f6f2d47b1bd2b46cb7db7180215385
MD5 (7.1-RELEASE-pc98-bootonly.iso) = c46d9eed8fb421f294ffd6a6770dbd46
MD5 (7.1-RELEASE-pc98-disc1.iso) = 90d8d8c24d8a14c166428df037addc68
MD5 (7.1-RELEASE-pc98-livefs.iso) = 4c578bfe71d3dd7c2de4ba490fae04ee
MD5 (7.1-RELEASE-powerpc-bootonly.iso) = c7f8b40c7b7194f4b40776b86864e257
MD5 (7.1-RELEASE-powerpc-disc1.iso) = 228c53863c604298f66a86f0a1fd4f88
MD5 (7.1-RELEASE-powerpc-disc2.iso) = a1d8c054fdfa420ac1965ca0795f6693
MD5 (7.1-RELEASE-powerpc-disc3.iso) = 24aa15c263cebf28e1d2f66f7c6b9215
MD5 (7.1-RELEASE-powerpc-docs.iso) = 3073516ccd548a979794ea0aaba7b732
MD5 (7.1-RELEASE-sparc64-bootonly.iso) = 0fd076346a8d6d49601f4aaa2148edb1
MD5 (7.1-RELEASE-sparc64-disc1.iso) = 715680a781ed8649271430c10f7907db
MD5 (7.1-RELEASE-sparc64-disc2.iso) = 7179853c118549dbe780f94e74e90ddf
MD5 (7.1-RELEASE-sparc64-disc3.iso) = f640b3a800c18020279158f444cf1643
MD5 (7.1-RELEASE-sparc64-docs.iso) = 94d5661906826735b0a4264197a5f4b4

SHA256 (7.1-RELEASE-amd64-bootonly.iso) = a633924d756812eb6916d0e9cc2821c20935daaf76eb741319bcabd246a2d4ab
SHA256 (7.1-RELEASE-amd64-disc1.iso) = 4f7deebbd5e3211d144c6e630b808e918fcbb901ff4689b64087ed4c2d6e781d
SHA256 (7.1-RELEASE-amd64-disc2.iso) = 2236148b61b896d62086889bc6fedaf36a24dbf327c1d1f30f79a6c1ff677b8d
SHA256 (7.1-RELEASE-amd64-disc3.iso) = 19035ad37eae028bf27b060ea10ecff7a9cc9feae10f951d63907b6be852c458
SHA256 (7.1-RELEASE-amd64-docs.iso) = ac17871f20b9438ce27ec6598c2441c8ad58f19b5696cacddc332976c2e24a4c
SHA256 (7.1-RELEASE-amd64-dvd1.iso) = 1c148191e8c01191011d5fde4688aaa567a166838ed9722d1ae73451c4ef2b7d
SHA256 (7.1-RELEASE-amd64-livefs.iso) = 1a30fca92c806b2f58c569c894bec221e7e2aad9c2937e6c09cd8e340bfb0903
SHA256 (7.1-RELEASE-i386-bootonly.iso) = ad848e85c0a8e83fc5c26fad4f370eb6c34d2e3154966cd460788f56f734085c
SHA256 (7.1-RELEASE-i386-disc1.iso) = 58e588c26d06b84d8c3c01d8507b2ffe2e237b167f72604c82d34011dc850a46
SHA256 (7.1-RELEASE-i386-disc2.iso) = 6d0476f77e3a17863eddf59eadb41ecb52c4399614442a0df39f97c8e4c74b2e
SHA256 (7.1-RELEASE-i386-disc3.iso) = b58d19c5bcb88e5651dce06ccf55bd9a309efaec2b2fe47a9277343a8f6646fe
SHA256 (7.1-RELEASE-i386-docs.iso) = 521e45641f4e50168a74ea315720d13844e8a1220f28656302aca8281261ac5b
SHA256 (7.1-RELEASE-i386-dvd1.iso) = 303be4ce844f0cb18aa38a41988dc5fba960427dbcc69263410308176cb5875f
SHA256 (7.1-RELEASE-i386-livefs.iso) = db1609e72ad3f979b3f6d954ac2811588cc99c460c57e3035835cb604447dc0d
SHA256 (7.1-RELEASE-ia64-bootonly.iso) = 059c82e3e4b535730795a52b939d3085c7cd891a37570a3567e47dee6a345787
SHA256 (7.1-RELEASE-ia64-disc1.iso) = e97ad79b9f21e3554e47bd125a25dea5adac112608bbcba8c60d45aebc0b1837
SHA256 (7.1-RELEASE-ia64-disc2.iso) = f1c91524eebe8d1933057669ad7ce1343f18aecbad092d1402652e6c0d69f7a9
SHA256 (7.1-RELEASE-ia64-disc3.iso) = ed838b4c4801d6244f33cdd02abcca4c208b0dd2d89c6f0446a1913d95662096
SHA256 (7.1-RELEASE-ia64-docs.iso) = dd7c1dc8fe4968bd32b2fef42b21460211bef5284ecf9be53490de595f4b6a8b
SHA256 (7.1-RELEASE-ia64-livefs.iso) = 81a8cad96e8540e32a9197d4dcba587b1266a8d56ff75db3755381471793e90f
SHA256 (7.1-RELEASE-pc98-bootonly.iso) = 8b4038d22b59464e7df7cc1273a1929bdf89be77bc8fecfa88faf4d81db049c9
SHA256 (7.1-RELEASE-pc98-disc1.iso) = 43eae1bc95cc307f0b228cd8388c94cfad0db1402650e5b31262c8a2040ead7a
SHA256 (7.1-RELEASE-pc98-livefs.iso) = ba4e744629fb5a7f40e288b15a39dc971c3a5108a38e9952ec00fd951292f677
SHA256 (7.1-RELEASE-powerpc-bootonly.iso) = e1c0e47b3aa66604853e9a27ccad381d1abb3b6dbe49fc7a773ba91720dd5862
SHA256 (7.1-RELEASE-powerpc-disc1.iso) = e672b975d10502677076014804d486c406e79cd7724353f76abc68b55dd5972e
SHA256 (7.1-RELEASE-powerpc-disc2.iso) = 9f6aff26f127a229cdae1e73c4eb25d6d51b595380110bb99f9882b88c0a2a20
SHA256 (7.1-RELEASE-powerpc-disc3.iso) = 0c0c3a012fad489b425d35e4df539f23be4c26cc46a950f5699b84da4a37bdb2
SHA256 (7.1-RELEASE-powerpc-docs.iso) = 4fc75610e7bed8c05e474053266b4a8cce40c039707e39970ca2cf78ff99dee9
SHA256 (7.1-RELEASE-sparc64-bootonly.iso) = d8259fa546988201cb629ce606a10f8928e7b93a6e317e4078abbe6804bd5068
SHA256 (7.1-RELEASE-sparc64-disc1.iso) = 020030fff08be2a2e99dfa057096a27305c762ad5aebc4b880de84587dd3ef1a
SHA256 (7.1-RELEASE-sparc64-disc2.iso) = 0d287b855a94317332d0dada8ac6ba2e216200f76551e463e94af30dc14cebdc
SHA256 (7.1-RELEASE-sparc64-disc3.iso) = 246c73be0f35fcdc7437b346a796c6224a9de887325cdc99f3008fd961c47edb
SHA256 (7.1-RELEASE-sparc64-docs.iso) = 30e298e8d36cdabcf6b48eea5d5fb784351c44f8cb97df29695037d9513843cc
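The Updating Existing Systems section of this announcement tells administrators to inspect the "chip=" column of "pciconf -l" for the three PCI IDs whose driver name changes from em(4) to igb(4). The following is an added example (editor's code, not code from the announcement or from FreeBSD) that automates that check in C: it parses pciconf-style lines, matches the three IDs case-insensitively, and reports every em interface that will come back as igb after the upgrade. The sample pciconf output is constructed for the example; only the three chip IDs come from the announcement, and the function names are the example's own.

```c
/*
 * Added example, not part of the FreeBSD 7.1 announcement: find em(4)
 * interfaces that will be renamed to igb(4), using the three PCI IDs the
 * announcement lists, by parsing "pciconf -l" style output.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* The three PCI chip IDs from the announcement, as pciconf -l prints them. */
static const char *const renamed_chips[] = {
    "0x10a78086", "0x10a98086", "0x10d68086"
};
#define CHIP_ID_LEN 10          /* strlen("0x10a78086") */

/* Case-insensitive comparison of a fixed-length hex token. */
static int hex_token_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/*
 * Returns 1 if one "pciconf -l" line belongs to an em(4) interface whose
 * chip ID is one of the three renamed IDs, 0 otherwise. When it matches
 * and name is non-NULL, the interface name (e.g. "em0") is copied there.
 */
int em_will_become_igb(const char *line, char *name, size_t namelen)
{
    /* The line starts with driver name and unit, e.g. "em0@pci0:2:0:0:". */
    const char *at = strchr(line, '@');
    if (at == NULL || strncmp(line, "em", 2) != 0 || !isdigit((unsigned char)line[2]))
        return 0;

    const char *chip = strstr(line, "chip=");
    if (chip == NULL)
        return 0;
    chip += strlen("chip=");
    if (strlen(chip) < CHIP_ID_LEN)
        return 0;

    for (size_t i = 0; i < sizeof(renamed_chips) / sizeof(renamed_chips[0]); i++) {
        if (!hex_token_eq(chip, renamed_chips[i], CHIP_ID_LEN))
            continue;
        if (name != NULL && namelen > 0) {
            size_t len = (size_t)(at - line);
            if (len >= namelen)
                len = namelen - 1;
            memcpy(name, line, len);
            name[len] = '\0';
        }
        return 1;
    }
    return 0;
}

/*
 * Walks a buffer holding the complete "pciconf -l" output, one device per
 * line, prints each interface that will be renamed and returns their count.
 */
int count_renamed_interfaces(const char *pciconf_output)
{
    int count = 0;
    const char *p = pciconf_output;
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p) : strlen(p);
        char line[256];
        if (len >= sizeof(line))
            len = sizeof(line) - 1;
        memcpy(line, p, len);
        line[len] = '\0';

        char name[16];
        if (em_will_become_igb(line, name, sizeof(name))) {
            printf("%s will come up as igb after the upgrade; update rc.conf first\n", name);
            count++;
        }
        p = nl != NULL ? nl + 1 : p + strlen(p);
    }
    return count;
}

/* Constructed sample in "pciconf -l" format; not captured from a real host. */
static const char sample_pciconf[] =
    "em0@pci0:2:0:0:\tclass=0x020000 card=0x10a78086 chip=0x10a78086 rev=0x02 hdr=0x00\n"
    "em1@pci0:3:0:0:\tclass=0x020000 card=0x10968086 chip=0x10968086 rev=0x01 hdr=0x00\n"
    "bge0@pci0:4:0:0:\tclass=0x020000 card=0x165914e4 chip=0x165914e4 rev=0x11 hdr=0x00\n";

int main(void)
{
    int n = count_renamed_interfaces(sample_pciconf);
    printf("%d interface(s) will be renamed\n", n);
    return 0;
}
```

On a real host the input would be the output of "pciconf -l" piped into this program; the point of the check is that any ifconfig_em* lines in rc.conf for a matching device must be renamed to ifconfig_igb* before the first reboot of the upgrade, as the announcement says.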
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (FreeBSD)

iD8DBQFJYYy+/G14VSmup/YRAn7TAJ0eis+oHl/MavHu/xo3wyv4IfGOlwCfZCiC
9eZH7a8eUYz/yvZCBcuf2vo=
=dL+c
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Wed Jan 7 21:36:20 2009
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Wed, 7 Jan 2009 21:36:20 GMT
Message-Id: <200901072136.n07LaKBR049694@freefall.freebsd.org>
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-09:01.lukemftpd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:01.lukemftpd                                  Security Advisory
                                                          The FreeBSD Project

Topic:          Cross-site request forgery in lukemftpd(8)

Category:       core
Module:         lukemftpd
Announced:      2009-01-07
Credits:        Maksymilian Arciemowicz
Affects:        All supported versions of FreeBSD.
Corrected:      2009-01-07 20:17:55 UTC (RELENG_7, 7.1-STABLE)
                2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
                2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
                2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
                2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
                2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name:       CVE-2008-4247

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://security.FreeBSD.org/.

I.   Background

lukemftpd(8) is a general-purpose implementation of File Transfer Protocol (FTP) server that is shipped with the FreeBSD base system. It is not enabled in default installations but can be enabled as either an inetd(8) server, or a stand-alone server.

A cross-site request forgery attack is a type of malicious exploit that is mainly targeted to a web browser, by tricking a user trusted by the site into visiting a specially crafted URL, which in turn executes a command which performs some privileged operations on behalf of the trusted user on the victim site.

II.  Problem Description

The lukemftpd(8) server splits long commands into several requests. This may result in the server executing a command which is hidden inside another very long command.

III. Impact

This could, with a specifically crafted command, be used in a cross-site request forgery attack. FreeBSD systems running lukemftpd(8) server could act as a point of privilege escalation in an attack against users using web browser to access trusted FTP sites.

IV.  Workaround

No workaround is available, but systems not running FTP servers are not vulnerable.
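Section II above describes the bug only as "splits long commands into several requests". The block below is an added illustration by the editor, not lukemftpd's own code and not the patch referenced in section V: a toy FTP command reader with a fixed-size buffer. read_cmd_split() stops when the buffer is full and returns what it has, so the tail of an over-long line is handed out as a fresh command on the next call, which is the behaviour that lets a command hidden inside one long line run. read_cmd_strict() instead drains the whole over-long line and reports an error. The buffer size, the reader API, the in-memory stream and the attack input are all assumptions made for the example.

```c
/*
 * Added example, not lukemftpd's code: how a "truncate and keep reading"
 * command reader turns one over-long line into two commands, and the
 * "drain and reject" reader that does not.
 */
#include <stdio.h>
#include <string.h>

#define CMD_BUF 64   /* assumed command buffer size; small so the example stays short */

/* In-memory stand-in for the FTP control connection. */
struct ctl_stream {
    const char *data;
    size_t pos;
};

static int stream_getc(struct ctl_stream *s)
{
    if (s->data[s->pos] == '\0')
        return EOF;
    return (unsigned char)s->data[s->pos++];
}

/*
 * Vulnerable reader: stops either at the newline or when the buffer is full
 * and returns whatever it has. Bytes of an over-long line that did not fit
 * stay in the stream and are handed out as a separate "command" next time.
 * Returns 1 when a command was read, 0 at end of input.
 */
int read_cmd_split(struct ctl_stream *s, char *cmd)
{
    size_t n = 0, start = s->pos;
    int c;
    while (n < CMD_BUF - 1 && (c = stream_getc(s)) != EOF && c != '\n') {
        if (c != '\r')
            cmd[n++] = (char)c;
    }
    cmd[n] = '\0';
    return s->pos != start;
}

/*
 * Fixed reader: an over-long line is drained up to its newline and reported
 * with -1 so the caller can reply "500 Line too long"; no part of it is
 * ever parsed as a command. Returns 1 for a command, -1 for a discarded
 * line, 0 at end of input.
 */
int read_cmd_strict(struct ctl_stream *s, char *cmd)
{
    size_t n = 0, start = s->pos;
    int c;
    while ((c = stream_getc(s)) != EOF && c != '\n') {
        if (c == '\r')
            continue;
        if (n == CMD_BUF - 1) {
            /* Discard the rest of the line, including anything hidden in it. */
            while ((c = stream_getc(s)) != EOF && c != '\n')
                ;
            cmd[0] = '\0';
            return -1;
        }
        cmd[n++] = (char)c;
    }
    cmd[n] = '\0';
    return s->pos != start;
}

/*
 * Feeds a whole control stream through one reader, the way a command loop
 * would, and reports whether a CWD command ever reached the dispatcher.
 */
int session_executes_cwd(int (*reader)(struct ctl_stream *, char *), const char *input)
{
    struct ctl_stream s = { input, 0 };
    char cmd[CMD_BUF];
    int rc, saw_cwd = 0;
    while ((rc = reader(&s, cmd)) != 0) {
        if (rc < 0) {
            puts("500 Line too long");
            continue;
        }
        printf("dispatch: %.24s%s\n", cmd, strlen(cmd) > 24 ? "..." : "");
        if (strncmp(cmd, "CWD", 3) == 0)
            saw_cwd = 1;
    }
    return saw_cwd;
}

/*
 * Constructed attack input: the RETR argument is padded so the line fills
 * the buffer exactly, and a CWD is appended on the same line (a browser-sent
 * URL cannot contain a newline). Returns the number of bytes written.
 */
size_t build_attack_input(char *out, size_t outlen)
{
    const size_t pad = CMD_BUF - 1 - strlen("RETR ");
    const char *tail = "CWD /pub/hidden\r\nQUIT\r\n";
    if (outlen < strlen("RETR ") + pad + strlen(tail) + 1)
        return 0;
    size_t n = 0;
    memcpy(out + n, "RETR ", 5);               n += 5;
    memset(out + n, 'A', pad);                 n += pad;
    memcpy(out + n, tail, strlen(tail) + 1);   /* includes the terminating NUL */
    n += strlen(tail);
    return n;
}

int main(void)
{
    char attack[256];
    build_attack_input(attack, sizeof attack);
    printf("vulnerable reader executed CWD: %d\n", session_executes_cwd(read_cmd_split, attack));
    printf("strict reader executed CWD:     %d\n", session_executes_cwd(read_cmd_strict, attack));
    return 0;
}
```

The split reader dispatches "RETR AAAA..." and then "CWD /pub/hidden" as two commands from a single line; the strict reader answers 500 once and only ever sees QUIT. The same discipline (reject, then resynchronise on the real line terminator) applies to any line-oriented protocol parser with a bounded buffer.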
Systems not running the FreeBSD lukemftpd(8) server are not affected, but users of other ftp daemons are advised to take care since several other ftp daemons are known to have related bugs.

NOTE WELL: lukemftpd(8) is a different implementation of an FTP server than ftpd(8).

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-09:01/lukemftpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:01/lukemftpd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/lukemftpd
# make obj && make depend && make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/contrib/lukemftpd/src/ftpcmd.y                           1.1.1.5.2.2
  src/contrib/lukemftpd/src/extern.h                           1.1.1.4.2.2
  src/contrib/lukemftpd/src/ftpd.c                                 1.4.2.2
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.5
  src/sys/conf/newvers.sh                                    1.69.2.18.2.8
  src/contrib/lukemftpd/src/ftpcmd.y                       1.1.1.5.2.1.6.1
  src/contrib/lukemftpd/src/extern.h                       1.1.1.4.2.1.6.1
  src/contrib/lukemftpd/src/ftpd.c                             1.4.2.1.6.2
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.13
  src/sys/conf/newvers.sh                                   1.69.2.15.2.12
  src/contrib/lukemftpd/src/ftpcmd.y                       1.1.1.5.2.1.4.1
  src/contrib/lukemftpd/src/extern.h                       1.1.1.4.2.1.4.1
  src/contrib/lukemftpd/src/ftpd.c                             1.4.2.1.4.1
RELENG_7
  src/contrib/lukemftpd/src/ftpcmd.y                           1.1.1.6.2.1
  src/contrib/lukemftpd/src/extern.h                           1.1.1.5.2.1
  src/contrib/lukemftpd/src/ftpd.c                                 1.5.2.1
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.4
  src/sys/conf/newvers.sh                                     1.72.2.9.2.5
  src/contrib/lukemftpd/src/ftpcmd.y                           1.1.1.6.6.1
  src/contrib/lukemftpd/src/extern.h                           1.1.1.5.6.1
  src/contrib/lukemftpd/src/ftpd.c                                 1.5.6.2
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.12
  src/sys/conf/newvers.sh                                    1.72.2.5.2.12
  src/contrib/lukemftpd/src/ftpcmd.y                           1.1.1.6.4.1
  src/contrib/lukemftpd/src/extern.h                           1.1.1.5.4.1
  src/contrib/lukemftpd/src/ftpd.c                                 1.5.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r186872
releng/6.4/                                                       r186872
releng/6.3/                                                       r186872
stable/7/                                                         r186872
releng/7.1/                                                       r186872
releng/7.0/                                                       r186872
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4247
http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFJZR5UFdaIBMps37IRApUJAKCEGZggeEjPC67j5Tmxl2fEDJ9sIQCfTAKn
vpOXC5jix3XiB7wxGKrvNJM=
=qPEc
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Wed Jan 7 21:37:18 2009
From: FreeBSD Security Advisories <security-advisories@freebsd.org>
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Wed, 7 Jan 2009 21:37:17 GMT
Message-Id: <200901072137.n07LbHco049772@freefall.freebsd.org>
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-09:02.openssl
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-09:02.openssl                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSL incorrectly checks for malformed signatures

Category:       contrib
Module:         openssl
Announced:      2009-01-07
Credits:        Google Security Team
Affects:        All FreeBSD releases
Corrected:      2009-01-07 21:03:41 UTC (RELENG_7, 7.1-STABLE)
                2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
                2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
                2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
                2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
                2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name:       CVE-2008-5077

For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit http://security.FreeBSD.org/.

I.   Background

FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is a collaborative effort to develop a robust, commercial-grade, full-featured Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1) protocols as well as a full-strength general purpose cryptography library.

II.  Problem Description

The EVP_VerifyFinal() function from OpenSSL is used to determine if a digital signature is valid. The SSL layer in OpenSSL uses EVP_VerifyFinal(), which in several places checks the return value incorrectly and treats verification errors as a good signature. This is only a problem for DSA and ECDSA keys.

III. Impact

For applications using OpenSSL for SSL connections, an invalid SSL certificate may be interpreted as valid. This could for example be used by an attacker to perform a man-in-the-middle attack. Other applications which use the OpenSSL EVP API may similarly be affected.

IV.  Workaround

For a server an RSA signed certificate may be used instead of DSA or ECDSA based certificate.
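Section II above says the SSL layer "checks the return value incorrectly and treats verification errors as a good signature". EVP_VerifyFinal() has a three-way contract: 1 for a good signature, 0 for a signature that does not verify, and a negative value when the signature cannot be processed at all (for DSA and ECDSA, typically because the DER-encoded signature is malformed). A call site that tests the result with "!" treats -1 as success. The block below is an added illustration by the editor, not OpenSSL's or FreeBSD's code: mock_verify_final() is a stand-in that reproduces only that return contract and does no cryptography, and the two caller functions show the vulnerable check beside the corrected one. The signature byte strings are constructed for the example.

```c
/*
 * Added example, not OpenSSL's code: why a "!" test on EVP_VerifyFinal()'s
 * return value accepts malformed signatures, and the "<= 0" test that does
 * not. The mock below only imitates the 1 / 0 / -1 contract.
 */
#include <stdio.h>
#include <string.h>

/* The one signature the mock accepts as genuine (constructed: a minimal
 * DER SEQUENCE of two INTEGERs, the shape of a DSA/ECDSA signature). */
static const unsigned char good_sig[] = { 0x30, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x07 };

/* Stand-in for EVP_VerifyFinal: 1 = valid, 0 = invalid, -1 = error. */
int mock_verify_final(const unsigned char *sig, size_t siglen)
{
    /* Malformed: not a DER SEQUENCE, or declared length disagrees with siglen. */
    if (siglen < 2 || sig[0] != 0x30 || (size_t)sig[1] + 2 != siglen)
        return -1;
    if (siglen == sizeof(good_sig) && memcmp(sig, good_sig, siglen) == 0)
        return 1;
    return 0;   /* well-formed but does not verify */
}

/* Vulnerable pattern: every non-zero return, including -1, counts as success. */
int server_key_accepted_vulnerable(const unsigned char *sig, size_t siglen)
{
    if (!mock_verify_final(sig, siglen)) {
        return 0;           /* "bad signature" branch: taken only for 0 */
    }
    return 1;               /* -1 lands here, so a malformed signature is accepted */
}

/* Corrected pattern: only an explicit 1 is success; 0 and negatives both fail. */
int server_key_accepted_fixed(const unsigned char *sig, size_t siglen)
{
    if (mock_verify_final(sig, siglen) <= 0) {
        return 0;
    }
    return 1;
}

/* Constructed inputs: wrong outer tag (error path), and a well-formed but
 * wrong signature (clean failure path). */
static const unsigned char malformed_sig[] = { 0x31, 0x06, 0x02, 0x01, 0x2a, 0x02, 0x01, 0x07 };
static const unsigned char wrong_sig[]     = { 0x30, 0x06, 0x02, 0x01, 0x2b, 0x02, 0x01, 0x07 };

int main(void)
{
    printf("malformed signature: vulnerable check accepts=%d, fixed check accepts=%d\n",
           server_key_accepted_vulnerable(malformed_sig, sizeof malformed_sig),
           server_key_accepted_fixed(malformed_sig, sizeof malformed_sig));
    printf("wrong signature:     vulnerable check accepts=%d, fixed check accepts=%d\n",
           server_key_accepted_vulnerable(wrong_sig, sizeof wrong_sig),
           server_key_accepted_fixed(wrong_sig, sizeof wrong_sig));
    return 0;
}
```

Note that the well-formed wrong signature is rejected by both checks; the bug is only reachable through the error return, which is why a signature that is garbage rather than merely wrong is what an attacker would send. Any API with a tri-state or error-returning verify call needs the same "== 1" or "<= 0" discipline rather than a truthiness test.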
Note that Mozilla Firefox does not use OpenSSL and thus is not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.0, and 7.1 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch.asc

[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the lib32 (i386 compatibility) libraries. On amd64 systems where the i386 compatibility libraries are used, the operating system should instead be recompiled as described in http://www.FreeBSD.org/doc/en_US.ISO8859-1/books/handbook/makeworld.html

VI.  Correction details

The following list contains the revision numbers of each file that was corrected in FreeBSD.
CVS:

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_6
  src/crypto/openssl/apps/speed.c                                 1.13.2.1
  src/crypto/openssl/apps/verify.c                            1.1.1.5.12.1
  src/crypto/openssl/apps/x509.c                              1.1.1.10.2.1
  src/crypto/openssl/apps/spkac.c                             1.1.1.4.12.1
  src/crypto/openssl/ssl/s2_srvr.c                                1.12.2.1
  src/crypto/openssl/ssl/s3_clnt.c                            1.1.1.12.2.1
  src/crypto/openssl/ssl/s3_srvr.c                            1.1.1.14.2.2
  src/crypto/openssl/ssl/s2_clnt.c                                1.13.2.2
RELENG_6_4
  src/UPDATING                                              1.416.2.40.2.5
  src/sys/conf/newvers.sh                                    1.69.2.18.2.8
  src/crypto/openssl/apps/speed.c                                1.13.12.1
  src/crypto/openssl/apps/verify.c                            1.1.1.5.24.1
  src/crypto/openssl/apps/x509.c                             1.1.1.10.12.1
  src/crypto/openssl/apps/spkac.c                             1.1.1.4.24.1
  src/crypto/openssl/ssl/s2_srvr.c                               1.12.12.1
  src/crypto/openssl/ssl/s3_clnt.c                           1.1.1.12.12.1
  src/crypto/openssl/ssl/s3_srvr.c                        1.1.1.14.2.1.6.1
  src/crypto/openssl/ssl/s2_clnt.c                            1.13.2.1.6.1
RELENG_6_3
  src/UPDATING                                             1.416.2.37.2.13
  src/sys/conf/newvers.sh                                   1.69.2.15.2.12
  src/crypto/openssl/apps/speed.c                                1.13.10.1
  src/crypto/openssl/apps/verify.c                            1.1.1.5.22.1
  src/crypto/openssl/apps/x509.c                             1.1.1.10.10.1
  src/crypto/openssl/apps/spkac.c                             1.1.1.4.22.1
  src/crypto/openssl/ssl/s2_srvr.c                               1.12.10.1
  src/crypto/openssl/ssl/s3_clnt.c                           1.1.1.12.10.1
  src/crypto/openssl/ssl/s3_srvr.c                        1.1.1.14.2.1.4.1
  src/crypto/openssl/ssl/s2_clnt.c                            1.13.2.1.4.1
RELENG_7
  src/crypto/openssl/apps/speed.c                                 1.15.2.1
  src/crypto/openssl/apps/verify.c                             1.1.1.6.2.1
  src/crypto/openssl/apps/x509.c                              1.1.1.11.2.1
  src/crypto/openssl/apps/spkac.c                              1.1.1.5.2.1
  src/crypto/openssl/ssl/s2_srvr.c                                1.13.2.1
  src/crypto/openssl/ssl/s3_clnt.c                            1.1.1.14.2.1
  src/crypto/openssl/ssl/s3_srvr.c                            1.1.1.17.2.1
  src/crypto/openssl/ssl/ssltest.c                            1.1.1.10.2.1
  src/crypto/openssl/ssl/s2_clnt.c                                1.15.2.1
RELENG_7_1
  src/UPDATING                                              1.507.2.13.2.4
  src/sys/conf/newvers.sh                                     1.72.2.9.2.5
  src/crypto/openssl/apps/speed.c                                 1.15.6.1
  src/crypto/openssl/apps/verify.c                             1.1.1.6.6.1
  src/crypto/openssl/apps/x509.c                              1.1.1.11.6.1
  src/crypto/openssl/apps/spkac.c                              1.1.1.5.6.1
  src/crypto/openssl/ssl/s2_srvr.c                                1.13.6.1
  src/crypto/openssl/ssl/s3_clnt.c                            1.1.1.14.6.1
  src/crypto/openssl/ssl/s3_srvr.c                            1.1.1.17.6.1
  src/crypto/openssl/ssl/ssltest.c                            1.1.1.10.6.1
  src/crypto/openssl/ssl/s2_clnt.c                                1.15.6.1
RELENG_7_0
  src/UPDATING                                              1.507.2.3.2.12
  src/sys/conf/newvers.sh                                    1.72.2.5.2.12
  src/crypto/openssl/apps/speed.c                                 1.15.4.1
  src/crypto/openssl/apps/verify.c                             1.1.1.6.4.1
  src/crypto/openssl/apps/x509.c                              1.1.1.11.4.1
  src/crypto/openssl/apps/spkac.c                              1.1.1.5.4.1
  src/crypto/openssl/ssl/s2_srvr.c                                1.13.4.1
  src/crypto/openssl/ssl/s3_clnt.c                            1.1.1.14.4.1
  src/crypto/openssl/ssl/s3_srvr.c                            1.1.1.17.4.1
  src/crypto/openssl/ssl/ssltest.c                            1.1.1.10.4.1
  src/crypto/openssl/ssl/s2_clnt.c                                1.15.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                                      Revision
- -------------------------------------------------------------------------
stable/6/                                                         r186873
releng/6.4/                                                       r186872
releng/6.3/                                                       r186872
stable/7/                                                         r186872
releng/7.1/                                                       r186872
releng/7.0/                                                       r186872
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://www.openssl.org/news/secadv_20090107.txt

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)

iD8DBQFJZR5ZFdaIBMps37IRAofJAJ4lm2jGfsMo28c0W4zRkhZrKmttGwCgmdd9
IvNUwk47W24SwhQAGH5+Ggw=
=UHSl
-----END PGP SIGNATURE-----

From owner-freebsd-announce@FreeBSD.ORG Fri Jan 9 21:51:36 2009
From: Deb Goodkin <deb@freebsdfoundation.org>
To: freebsd-announce@FreeBSD.org
Date: Fri, 09 Jan 2009 14:13:42 -0700
Message-ID: <4967BE06.4070500@freebsdfoundation.org>
Subject: [FreeBSD-Announce] Thank You FreeBSD Community!
Dear FreeBSD Community,

The FreeBSD Foundation would like to thank everyone for your donations in 2008. We are extremely grateful to everyone who dug deep in their pockets, during these hard times, to help us get very close to our goal. We raised $282,481 towards our goal of $300,000.

With the downturn in the economy, we were very concerned about getting close to our goal. By the end of November, we had only raised $190,000. We sent out a plea for donations and we received 173 donations in December! This year we had 450 donors, compared to 374 last year. We were impressed with all the donations received from developers and other volunteers who already put in countless hours supporting the project.

We will be posting our 2009 budget soon, so you can see how we plan to spend the funds.

Sincerely,
The FreeBSD Foundation