From owner-svn-ports-all@freebsd.org Thu Aug 11 21:27:29 2016 Return-Path: Delivered-To: svn-ports-all@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id DFE8CBB6829; Thu, 11 Aug 2016 21:27:29 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 9BBB414F0; Thu, 11 Aug 2016 21:27:29 +0000 (UTC) (envelope-from feld@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id u7BLRSJF091872; Thu, 11 Aug 2016 21:27:28 GMT (envelope-from feld@FreeBSD.org) Received: (from feld@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id u7BLRStX091871; Thu, 11 Aug 2016 21:27:28 GMT (envelope-from feld@FreeBSD.org) Message-Id: <201608112127.u7BLRStX091871@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: feld set sender to feld@FreeBSD.org using -f 
From: Mark Felder Date: Thu, 11 Aug 2016 21:27:28 +0000 (UTC) To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-head@freebsd.org Subject: svn commit: r420107 - head/security/vuxml X-SVN-Group: ports-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-ports-all@freebsd.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: SVN commit messages for the ports tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 11 Aug 2016 21:27:30 -0000 Author: feld Date: Thu Aug 11 21:27:28 2016 New Revision: 420107 URL: https://svnweb.freebsd.org/changeset/ports/420107 Log: Add missing FreeBSD SA entries from 2015 to vuxml Modified: head/security/vuxml/vuln.xml Modified: head/security/vuxml/vuln.xml ============================================================================== --- head/security/vuxml/vuln.xml Thu Aug 11 21:19:09 2016 (r420106) +++ head/security/vuxml/vuln.xml Thu Aug 11 21:27:28 2016 (r420107) @@ -58,6 +58,453 @@ Notes: * Do not forget port variants (linux-f10-libxml2, libxml2, etc.) --> + + FreeBSD -- rpcbind(8) remote denial of service [REVISED] + + + FreeBSD + 10.210.2_5 + 10.110.1_22 + 9.39.3_28 + + + + +

Problem Description:

+

In rpcbind(8), netbuf structures are copied directly, + which would result in two netbuf structures that reference + to one shared address buffer. When one of the two netbuf + structures is freed, access to the other netbuf structure + would result in an undefined result that may crash the + rpcbind(8) daemon.

+

Impact:

+

A remote attacker who can send specifically crafted + packets to the rpcbind(8) daemon can cause it to crash, + resulting in a denial of service condition.

+ +
+ + CVE-2015-7236 + FreeBSD-SA-15:24.rpcbind + + + 2015-09-29 + 2016-08-11 + +
+ + + FreeBSD -- Local privilege escalation in IRET handler + + + FreeBSD-kernel + 10.110.1_19 + 9.39.3_24 + + + + +

Problem Description:

+

If the kernel-mode IRET instruction generates an #SS or + #NP exception, but the exception handler does not properly + ensure that the right GS register base for kernel is reloaded, + the userland GS segment may be used in the context of the + kernel exception handler.

+

Impact:

+

By causing an IRET with #SS or #NP exceptions, a local + attacker can cause the kernel to use an arbitrary GS base, + which may allow escalated privileges or panic the system.

+ +
+ + CVE-2015-5675 + FreeBSD-SA-15:21.amd64 + + + 2015-08-25 + 2016-08-11 + +
+ + + FreeBSD -- Multiple integer overflows in expat (libbsdxml) XML parser + + + FreeBSD + 10.110.1_18 + 10.210.2_1 + 9.39.3_23 + + + + +

Problem Description:

+

Multiple integer overflows have been discovered in the + XML_GetBuffer() function in the expat library.

+

Impact:

+

The integer overflows may be exploited by using specifically + crafted XML data and lead to infinite loop, or a heap buffer + overflow, which results in a Denial of Service condition, + or enables remote attackers to execute arbitrary code.

+ +
+ + CVE-2015-1283 + FreeBSD-SA-15:20.expat + + + 2015-08-18 + 2016-08-11 + +
+ + + FreeBSD -- routed(8) remote denial of service vulnerability + + + FreeBSD + 10.110.1_17 + 9.39.3_22 + + + + +

Problem Description:

+

The input path in routed(8) will accept queries from any + source and attempt to answer them. However, the output path + assumes that the destination address for the response is + on a directly connected network.

+

Impact:

+

Upon receipt of a query from a source which is not on a + directly connected network, routed(8) will trigger an + assertion and terminate. The affected system's routing table + will no longer be updated. If the affected system is a + router, its routes will eventually expire from other routers' + routing tables, and its networks will no longer be reachable + unless they are also connected to another router.

+ +
+ + CVE-2015-5674 + FreeBSD-SA-15:19.routed + + + 2015-08-05 + 2016-08-11 + +
+ + + FreeBSD -- shell injection vulnerability in patch(1) + + + FreeBSD + 10.110.1_17 + + + + +

Problem Description:

+

Due to insufficient sanitization of the input patch + stream, it is possible for a patch file to cause patch(1) + to pass certain ed(1) scripts to the ed(1) editor, which + would run commands.

+

Impact:

+

This issue could be exploited to execute arbitrary + commands as the user invoking patch(1) against a specically + crafted patch file, which could be leveraged to obtain + elevated privileges.

+ +
+ + CVE-2015-1418 + FreeBSD-SA-15:18.bsdpatch + + + 2015-08-05 + 2016-08-11 + +
+ + + FreeBSD -- Resource exhaustion in TCP reassembly + + + FreeBSD-kernel + 10.110.1_16 + 9.39.3_21 + 8.48.4_35 + + + + +

Problem Description:

+

There is a mistake with the introduction of VNET, which + converted the global limit on the number of segments that + could belong to reassembly queues into a per-VNET limit. + Because mbufs are allocated from a global pool, in the + presence of a sufficient number of VNETs, the total number + of mbufs attached to reassembly queues can grow to the total + number of mbufs in the system, at which point all network + traffic would cease.

+

Impact:

+

An attacker who can establish concurrent TCP connections + across a sufficient number of VNETs and manipulate the + inbound packet streams such that the maximum number of mbufs + are enqueued on each reassembly queue can cause mbuf cluster + exhaustion on the target system, resulting in a Denial of + Service condition.

+

As the default per-VNET limit on the number of segments + that can belong to reassembly queues is 1/16 of the total + number of mbuf clusters in the system, only systems that + have 16 or more VNET instances are vulnerable.

+ +
+ + CVE-2015-1417 + FreeBSD-SA-15:15.tcp + + + 2015-07-28 + 2016-08-11 + +
+ + + FreeBSD -- shell injection vulnerability in patch(1) + + + FreeBSD + 10.110.1_16 + + + + +

Problem Description:

+

Due to insufficient sanitization of the input patch + stream, it is possible for a patch file to cause patch(1) + to run commands in addition to the desired SCCS or RCS + commands.

+

Impact:

+

This issue could be exploited to execute arbitrary + commands as the user invoking patch(1) against a specically + crafted patch file, which could be leveraged to obtain + elevated privileges.

+ +
+ + CVE-2015-1416 + FreeBSD-SA-15:14.bsdpatch + + + 2015-07-28 + 2016-08-11 + +
+ + + FreeBSD -- Resource exhaustion due to sessions stuck in LAST_ACK state + + + FreeBSD-kernel + 10.110.1_15 + 9.39.3_20 + 8.48.4_34 + + + + +

Problem Description:

+

TCP connections transitioning to the LAST_ACK state can + become permanently stuck due to mishandling of protocol + state in certain situations, which in turn can lead to + accumulated consumption and eventual exhaustion of system + resources, such as mbufs and sockets.

+

Impact:

+

An attacker who can repeatedly establish TCP connections + to a victim system (for instance, a Web server) could create + many TCP connections that are stuck in LAST_ACK state and + cause resource exhaustion, resulting in a denial of service + condition. This may also happen in normal operation where + no intentional attack is conducted, but an attacker who can + send specifically crafted packets can trigger this more + reliably.

+ +
+ + CVE-2015-5358 + FreeBSD-SA-15:13.tcp + + + 2015-07-21 + 2016-08-11 + +
+ + + FreeBSD -- Denial of Service with IPv6 Router Advertisements + + + FreeBSD-kernel + 10.110.1_9 + 9.39.3_13 + 8.48.4_27 + + + + +

Problem Description:

+

The Neighbor Discover Protocol allows a local router to + advertise a suggested Current Hop Limit value of a link, + which will replace Current Hop Limit on an interface connected + to the link on the FreeBSD system.

+

Impact:

+

When the Current Hop Limit (similar to IPv4's TTL) is + small, IPv6 packets may get dropped before they reached + their destinations.

+

By sending specifically crafted Router Advertisement + packets, an attacker on the local network can cause the + FreeBSD system to lose the ability to communicate with + another IPv6 node on a different network.

+ +
+ + CVE-2015-2923 + FreeBSD-SA-15:09.ipv6 + + + 2015-04-07 + 2016-08-11 + +
+ + + FreeBSD -- Insecure default GELI keyfile permissions + + + FreeBSD + 10.110.1_9 + + + + +

Problem Description:

+

The default permission set by bsdinstall(8) installer + when configuring full disk encrypted ZFS is too open.

+

Impact:

+

A local attacker may be able to get a copy of the geli(8) + provider's keyfile which is located at a fixed location.

+ +
+ + CVE-2015-1415 + FreeBSD-SA-15:08.bsdinstall + + + 2015-04-07 + 2016-08-11 + +
+ + + FreeBSD -- Integer overflow in IGMP protocol + + + FreeBSD-kernel + 10.110.1_9 + 9.39.3_13 + 8.48.4_27 + + + + +

Problem Description:

+

An integer overflow in computing the size of IGMPv3 data + buffer can result in a buffer which is too small for the + requested operation.

+

Impact:

+

An attacker who can send specifically crafted IGMP packets + could cause a denial of service situation by causing the + kernel to crash.

+ +
+ + CVE-2015-1414 + FreeBSD-SA-15:04.igmp + + + 2015-02-25 + 2016-08-11 + +
+ + + FreeBSD -- SCTP stream reset vulnerability + + + FreeBSD-kernel + 10.110.1_5 + 10.010.0_17 + 9.39.3_9 + 8.48.4_23 + + + + +

Problem Description:

+

The input validation of received SCTP RE_CONFIG chunks + is insufficient, and can result in a NULL pointer deference + later.

+

Impact:

+

A remote attacker who can send a malformed SCTP packet + to a FreeBSD system that serves SCTP can cause a kernel + panic, resulting in a Denial of Service.

+ +
+ + CVE-2014-8613 + FreeBSD-SA-15:03.sctp + + + 2015-01-27 + 2016-08-11 + +
+ + + FreeBSD -- SCTP SCTP_SS_VALUE kernel memory corruption and disclosure + + + FreeBSD-kernel + 10.110.1_5 + 10.010.0_17 + 9.39.3_9 + 8.48.4_23 + + + + +

Problem Description:

+

Due to insufficient validation of the SCTP stream ID, + which serves as an array index, a local unprivileged attacker + can read or write 16-bits of kernel memory.

+

Impact:

+

An unprivileged process can read or modify 16-bits of + memory which belongs to the kernel. This smay lead to + exposure of sensitive information or allow privilege + escalation.

+ +
+ + CVE-2014-8612 + FreeBSD-SA-15:02.kmem + + + 2015-01-27 + 2016-08-11 + +
+ FreeBSD -- Buffer overflow in stdio
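Review bot: Several of the body texts pasted from the advisories carry typos that will now be rendered verbatim by `pkg audit` and the vuxml web pages; worth fixing in the entries even though they are copied from the SAs. In both bsdpatch entries (FreeBSD-SA-15:14 and FreeBSD-SA-15:18) the Impact paragraph reads "against a specically crafted patch file" (should be "specifically"); in the SA-15:02.kmem entry "This smay lead to exposure" should be "This may lead to"; in the SA-15:03.sctp entry "NULL pointer deference" should be "dereference"; and the SA-15:09.ipv6 entry says "The Neighbor Discover Protocol" where the protocol is Neighbor Discovery, and "before they reached their destinations" should be "before they reach". A second, smaller point: the two bsdpatch entries use the identical topic "FreeBSD -- shell injection vulnerability in patch(1)", so a user seeing both in audit output cannot tell them apart without opening each one; consider differentiating the topics (for example by the ed(1) versus SCCS/RCS vector each entry describes, or by appending the SA number). Finally, the hunk header says 453 lines are added but the quoted patch in this message ends mid-entry at "FreeBSD -- Buffer overflow in stdio", so the remaining entries could not be checked here.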