From owner-freebsd-announce@FreeBSD.ORG Mon Nov 18 15:56:17 2013
From: Deb Goodkin
To: freebsd-announce@freebsd.org
Date: Mon, 18 Nov 2013 08:58:28 -0700
Subject: [FreeBSD-Announce] Faces of FreeBSD - Colin Percival

Dear FreeBSD Community,

Thank you for the tremendous amount of support you've given us over this past week! We've received 145 donations, totaling $5,000+, towards our goal of raising $1,000,000 for 2013. Plus, we're receiving pledges from larger companies.

We are excited to share our first Faces of FreeBSD story for 2013. This is a chance for us to spotlight different people who contribute to FreeBSD in various ways. Let us introduce you to Colin Percival. His company is a Silver Donor this year.

http://freebsdfoundation.blogspot.com/2013/11/faces-of-freebsd-colin-percival.html

Please consider making a donation to help us continue and increase our support of the FreeBSD Project and community worldwide! To make a donation go to:

http://www.freebsdfoundation.org/donate/

Thank You,
The FreeBSD Foundation

From owner-freebsd-announce@FreeBSD.ORG Tue Nov 19 10:21:30 2013
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Tue, 19 Nov 2013 11:21:30 +0100 (CET)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-13:14.openssh
=============================================================================
FreeBSD-SA-13:14.openssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          OpenSSH AES-GCM memory corruption vulnerability

Category:       contrib
Module:         openssh
Announced:      2013-11-19
Affects:        FreeBSD 10.0-BETA
Corrected:      2013-11-19 09:35:20 UTC (stable/10, 10.0-STABLE)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA3-p1)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA2-p1)
                2013-11-19 09:35:20 UTC (stable/10, 10.0-BETA1-p2)
CVE Name:       CVE-2013-4548

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

OpenSSH is an implementation of the SSH protocol suite, providing an
encrypted and authenticated transport for a variety of services,
including remote shell access.

AES-GCM (Galois/Counter Mode) is a mode of operation for the AES block
cipher that combines the counter mode of encryption with the Galois mode
of authentication, which can offer throughput rates for state of the art,
high speed communication channels.

OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.

II.  Problem Description

A memory corruption vulnerability exists in the post-authentication sshd
process when an AES-GCM cipher (aes128-gcm@openssh.com or
aes256-gcm@openssh.com) is selected during key exchange.

III. Impact

If exploited, this vulnerability might permit code execution with the
privileges of the authenticated user, thereby allowing a malicious user
with valid credentials to bypass shell or command restrictions placed on
their account.

IV.  Workaround

Disable AES-GCM in the server configuration.
This can be accomplished by adding the following /etc/sshd_config option,
which will disable AES-GCM while leaving other ciphers active:

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc

Systems not running the OpenSSH server daemon (sshd) are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

    # fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch
    # fetch http://security.FreeBSD.org/patches/SA-13:14/openssh.patch.asc
    # gpg --verify openssh.patch.asc

b) Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in .

Restart the sshd daemon, or reboot the system.

3) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

    # freebsd-update fetch
    # freebsd-update install

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/10/                                                        r258335
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

    # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
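As an added example, not part of the advisory or of OpenSSH itself, the following Python check lets an administrator confirm that a copy of sshd_config really takes both GCM ciphers out of negotiation after applying the workaround above. It assumes that an sshd of that era with no Ciphers directive falls back to a built-in default list that includes AES-GCM (as OpenSSH 6.2 and 6.3 did); the sample configurations are constructed, not taken from any host.

```python
"""Added example (not from FreeBSD-SA-13:14.openssh): does an sshd_config
still let the server negotiate aes128-gcm@openssh.com / aes256-gcm@openssh.com?
Assumption: with no 'Ciphers' directive, the built-in default cipher list
of the OpenSSH 6.2/6.3 servers of that era includes both GCM ciphers.
"""
import re

GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}

# Constructed sample configs (not real files from any host).
SAMPLE_FIXED = """\
# sshd_config with the advisory's workaround applied
Port 22
#Ciphers aes128-gcm@openssh.com,aes128-ctr
  ciphers aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc
Ciphers aes256-gcm@openssh.com
"""
SAMPLE_DEFAULT = "Port 22\nPermitRootLogin no\n"   # no Ciphers directive at all

def configured_ciphers(config_text):
    """Return the cipher list of the first effective 'Ciphers' directive, or
    None if the file sets none.  sshd treats keywords case-insensitively,
    accepts 'Keyword value' or 'Keyword=value', skips lines whose first
    non-blank character is '#', and honours only the first occurrence of
    a keyword (so the trailing duplicate in SAMPLE_FIXED is ignored)."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(?i)^ciphers(?:\s*=\s*|\s+)(\S+)", line)
        if m:
            return [c for c in m.group(1).split(",") if c]
    return None

def gcm_enabled(config_text):
    """True if the server could still negotiate an AES-GCM cipher."""
    ciphers = configured_ciphers(config_text)
    if ciphers is None:
        return True          # built-in default list, assumed to include GCM
    return any(c in GCM_CIPHERS for c in ciphers)

def verdict(config_text):
    """One-line summary suitable for a configuration compliance check."""
    source = "built-in default" if configured_ciphers(config_text) is None \
        else "Ciphers directive"
    state = "ENABLED (workaround not applied)" if gcm_enabled(config_text) \
        else "disabled"
    return "AES-GCM %s via %s" % (state, source)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_FIXED
    print(verdict(text))
```

Run it with the path to a copy of sshd_config as its only argument; with no argument it evaluates the constructed sample.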