Date:      Thu, 11 Aug 2016 21:27:28 +0000 (UTC)
From:      Mark Felder <feld@FreeBSD.org>
To:        ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org
Subject:   svn commit: r420107 - head/security/vuxml
Message-ID:  <201608112127.u7BLRStX091871@repo.freebsd.org>

Author: feld
Date: Thu Aug 11 21:27:28 2016
New Revision: 420107
URL: https://svnweb.freebsd.org/changeset/ports/420107

Log:
  Add missing FreeBSD SA entries from 2015 to vuxml

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Thu Aug 11 21:19:09 2016	(r420106)
+++ head/security/vuxml/vuln.xml	Thu Aug 11 21:27:28 2016	(r420107)
@@ -58,6 +58,453 @@ Notes:
   * Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">;
+  <vuln vid="0e5d6969-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- rpcbind(8) remote denial of service [REVISED]</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.2</ge><lt>10.2_5</lt></range>
+	<range><ge>10.1</ge><lt>10.1_22</lt></range>
+	<range><ge>9.3</ge><lt>9.3_28</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>In rpcbind(8), netbuf structures are copied directly,
+	which would result in two netbuf structures that reference
+	to one shared address buffer. When one of the two netbuf
+	structures is freed, access to the other netbuf structure
+	would result in an undefined result that may crash the
+	rpcbind(8) daemon.</p>
+	<h1>Impact:</h1>
+	<p>A remote attacker who can send specifically crafted
+	packets to the rpcbind(8) daemon can cause it to crash,
+	resulting in a denial of service condition.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-7236</cvename>
+      <freebsdsa>FreeBSD-SA-15:24.rpcbind</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-09-29</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0dfa5dde-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Local privilege escalation in IRET handler</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_19</lt></range>
+	<range><ge>9.3</ge><lt>9.3_24</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>If the kernel-mode IRET instruction generates an #SS or
+	#NP exception, but the exception handler does not properly
+	ensure that the right GS register base for kernel is reloaded,
+	the userland GS segment may be used in the context of the
+	kernel exception handler.</p>
+	<h1>Impact:</h1>
+	<p>By causing an IRET with #SS or #NP exceptions, a local
+	attacker can cause the kernel to use an arbitrary GS base,
+	which may allow escalated privileges or panic the system.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-5675</cvename>
+      <freebsdsa>FreeBSD-SA-15:21.amd64</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-08-25</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0da8a68e-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.1</ge><lt>10.1_18</lt></range>
+	<range><ge>10.2</ge><lt>10.2_1</lt></range>
+	<range><ge>9.3</ge><lt>9.3_23</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>Multiple integer overflows have been discovered in the
+	XML_GetBuffer() function in the expat library.</p>
+	<h1>Impact:</h1>
+	<p>The integer overflows may be exploited by using specifically
+	crafted XML data and lead to infinite loop, or a heap buffer
+	overflow, which results in a Denial of Service condition,
+	or enables remote attackers to execute arbitrary code.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-1283</cvename>
+      <freebsdsa>FreeBSD-SA-15:20.expat</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-08-18</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0d584493-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- routed(8) remote denial of service vulnerability</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.1</ge><lt>10.1_17</lt></range>
+	<range><ge>9.3</ge><lt>9.3_22</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The input path in routed(8) will accept queries from any
+	source and attempt to answer them. However, the output path
+	assumes that the destination address for the response is
+	on a directly connected network.</p>
+	<h1>Impact:</h1>
+	<p>Upon receipt of a query from a source which is not on a
+	directly connected network, routed(8) will trigger an
+	assertion and terminate. The affected system's routing table
+	will no longer be updated. If the affected system is a
+	router, its routes will eventually expire from other routers'
+	routing tables, and its networks will no longer be reachable
+	unless they are also connected to another router.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-5674</cvename>
+      <freebsdsa>FreeBSD-SA-15:19.routed</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-08-05</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0d090952-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.1</ge><lt>10.1_17</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>Due to insufficient sanitization of the input patch
+	stream, it is possible for a patch file to cause patch(1)
+	to pass certain ed(1) scripts to the ed(1) editor, which
+	would run commands.</p>
+	<h1>Impact:</h1>
+	<p>This issue could be exploited to execute arbitrary
+	commands as the user invoking patch(1) against a specically
+	crafted patch file, which could be leveraged to obtain
+	elevated privileges.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-1418</cvename>
+      <freebsdsa>FreeBSD-SA-15:18.bsdpatch</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-08-05</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0cb9d5bb-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Resource exhaustion in TCP reassembly</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_16</lt></range>
+	<range><ge>9.3</ge><lt>9.3_21</lt></range>
+	<range><ge>8.4</ge><lt>8.4_35</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>There is a mistake with the introduction of VNET, which
+	converted the global limit on the number of segments that
+	could belong to reassembly queues into a per-VNET limit.
+	Because mbufs are allocated from a global pool, in the
+	presence of a sufficient number of VNETs, the total number
+	of mbufs attached to reassembly queues can grow to the total
+	number of mbufs in the system, at which point all network
+	traffic would cease.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can establish concurrent TCP connections
+	across a sufficient number of VNETs and manipulate the
+	inbound packet streams such that the maximum number of mbufs
+	are enqueued on each reassembly queue can cause mbuf cluster
+	exhaustion on the target system, resulting in a Denial of
+	Service condition.</p>
+	<p>As the default per-VNET limit on the number of segments
+	that can belong to reassembly queues is 1/16 of the total
+	number of mbuf clusters in the system, only systems that
+	have 16 or more VNET instances are vulnerable.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-1417</cvename>
+      <freebsdsa>FreeBSD-SA-15:15.tcp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-07-28</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0c6759dd-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.1</ge><lt>10.1_16</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>Due to insufficient sanitization of the input patch
+	stream, it is possible for a patch file to cause patch(1)
+	to run commands in addition to the desired SCCS or RCS
+	commands.</p>
+	<h1>Impact:</h1>
+	<p>This issue could be exploited to execute arbitrary
+	commands as the user invoking patch(1) against a specically
+	crafted patch file, which could be leveraged to obtain
+	elevated privileges.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-1416</cvename>
+      <freebsdsa>FreeBSD-SA-15:14.bsdpatch</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-07-28</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0c064c43-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_15</lt></range>
+	<range><ge>9.3</ge><lt>9.3_20</lt></range>
+	<range><ge>8.4</ge><lt>8.4_34</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>TCP connections transitioning to the LAST_ACK state can
+	become permanently stuck due to mishandling of protocol
+	state in certain situations, which in turn can lead to
+	accumulated consumption and eventual exhaustion of system
+	resources, such as mbufs and sockets.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can repeatedly establish TCP connections
+	to a victim system (for instance, a Web server) could create
+	many TCP connections that are stuck in LAST_ACK state and
+	cause resource exhaustion, resulting in a denial of service
+	condition. This may also happen in normal operation where
+	no intentional attack is conducted, but an attacker who can
+	send specifically crafted packets can trigger this more
+	reliably.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-5358</cvename>
+      <freebsdsa>FreeBSD-SA-15:13.tcp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-07-21</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0bb55a18-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Denial of Service with IPv6 Router Advertisements</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_9</lt></range>
+	<range><ge>9.3</ge><lt>9.3_13</lt></range>
+	<range><ge>8.4</ge><lt>8.4_27</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The Neighbor Discover Protocol allows a local router to
+	advertise a suggested Current Hop Limit value of a link,
+	which will replace Current Hop Limit on an interface connected
+	to the link on the FreeBSD system.</p>
+	<h1>Impact:</h1>
+	<p>When the Current Hop Limit (similar to IPv4's TTL) is
+	small, IPv6 packets may get dropped before they reached
+	their destinations.</p>
+	<p>By sending specifically crafted Router Advertisement
+	packets, an attacker on the local network can cause the
+	FreeBSD system to lose the ability to communicate with
+	another IPv6 node on a different network.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-2923</cvename>
+      <freebsdsa>FreeBSD-SA-15:09.ipv6</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-04-07</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0b65f297-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Insecure default GELI keyfile permissions</topic>
+    <affects>
+      <package>
+	<name>FreeBSD</name>
+	<range><ge>10.1</ge><lt>10.1_9</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The default permission set by bsdinstall(8) installer
+	when configuring full disk encrypted ZFS is too open.</p>
+	<h1>Impact:</h1>
+	<p>A local attacker may be able to get a copy of the geli(8)
+	provider's keyfile which is located at a fixed location.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-1415</cvename>
+      <freebsdsa>FreeBSD-SA-15:08.bsdinstall</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-04-07</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0afe8b29-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- Integer overflow in IGMP protocol</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_9</lt></range>
+	<range><ge>9.3</ge><lt>9.3_13</lt></range>
+	<range><ge>8.4</ge><lt>8.4_27</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>An integer overflow in computing the size of IGMPv3 data
+	buffer can result in a buffer which is too small for the
+	requested operation.</p>
+	<h1>Impact:</h1>
+	<p>An attacker who can send specifically crafted IGMP packets
+	could cause a denial of service situation by causing the
+	kernel to crash.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2015-1414</cvename>
+      <freebsdsa>FreeBSD-SA-15:04.igmp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-02-25</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0aad3ce5-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- SCTP stream reset vulnerability</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_5</lt></range>
+	<range><ge>10.0</ge><lt>10.0_17</lt></range>
+	<range><ge>9.3</ge><lt>9.3_9</lt></range>
+	<range><ge>8.4</ge><lt>8.4_23</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>The input validation of received SCTP RE_CONFIG chunks
+	is insufficient, and can result in a NULL pointer deference
+	later.</p>
+	<h1>Impact:</h1>
+	<p>A remote attacker who can send a malformed SCTP packet
+	to a FreeBSD system that serves SCTP can cause a kernel
+	panic, resulting in a Denial of Service.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-8613</cvename>
+      <freebsdsa>FreeBSD-SA-15:03.sctp</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-01-27</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
+  <vuln vid="0a5cf6d8-600a-11e6-a6c3-14dae9d210b8">
+    <topic>FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure</topic>
+    <affects>
+      <package>
+	<name>FreeBSD-kernel</name>
+	<range><ge>10.1</ge><lt>10.1_5</lt></range>
+	<range><ge>10.0</ge><lt>10.0_17</lt></range>
+	<range><ge>9.3</ge><lt>9.3_9</lt></range>
+	<range><ge>8.4</ge><lt>8.4_23</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">;
+	<h1>Problem Description:</h1>
+	<p>Due to insufficient validation of the SCTP stream ID,
+	which serves as an array index, a local unprivileged attacker
+	can read or write 16-bits of kernel memory.</p>
+	<h1>Impact:</h1>
+	<p>An unprivileged process can read or modify 16-bits of
+	memory which belongs to the kernel. This smay lead to
+	exposure of sensitive information or allow privilege
+	escalation.</p>
+      </body>
+    </description>
+    <references>
+      <cvename>CVE-2014-8612</cvename>
+      <freebsdsa>FreeBSD-SA-15:02.kmem</freebsdsa>
+    </references>
+    <dates>
+      <discovery>2015-01-27</discovery>
+      <entry>2016-08-11</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="74ded00e-6007-11e6-a6c3-14dae9d210b8">
     <topic>FreeBSD -- Buffer overflow in stdio</topic>
     <affects>
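Review bot: the two patch(1) entries (vids 0d090952-… and 0c6759dd-…) carry the identical topic `<topic>FreeBSD -- shell injection vulnerability in patch(1)</topic>`, so `pkg audit` and the vuxml web index will show two indistinguishable hits for SA-15:14 and SA-15:18; suggest qualifying each topic from its own description, e.g. "… in patch(1) via SCCS/RCS commands" for the SA-15:14 entry and "… in patch(1) via ed(1) scripts" for the SA-15:18 entry. Several description bodies carry spelling errors that will be published verbatim: "specically crafted" (both patch(1) Impact paragraphs), "NULL pointer deference" (SA-15:03 entry), "This smay lead" (SA-15:02 entry) and "Neighbor Discover Protocol" (SA-15:09 entry, should be "Neighbor Discovery Protocol"). In the expat entry (SA-15:20) the `<range>` for 10.1 is listed before 10.2, unlike the descending order every other entry in this hunk uses; reorder for consistency. The IRET entry (SA-15:21, discovery 2015-08-25) lists only 10.1 and 9.3 ranges, while the expat entry dated a week earlier already includes a 10.2 range; please confirm against the advisory whether a `<range><ge>10.2</ge><lt>10.2_N</lt></range>` line is missing there. Entry dates are all 2016-08-11 with no `<modified>` element, which is correct for first-time additions of old advisories.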


