[Belansky]

И снова патч по безопасности. При генерации списка сетевых интерфейсов ядро пишет в часть буфера, не обнуляя ее. В результате предыдущее содержимое буфера может быть доступно процессу. Процесс пользователя может получить доступ к 12 байтам данных. Эта память может содержать такую информацию, как части кэша файла или буфера терминала (например, в буфере терминала может находится пароль пользователя).

[Belansky]

Очередной патч по безопасности.

[archy]

[1] FreeBSD-SA-05:08.kmem
[2] FreeBSD-SA-05:07.ldt
[3] FreeBSD-SA-05:06.iir

[Belansky]

Очередной патч по безопасности.

[mar]

Из freebsd-security-notifications@freebsd.org

Цитата:

============================================================================= Message: 1 FreeBSD-SA-05:10.tcpdump Security Advisory The FreeBSD Project Topic: Infinite loops in tcpdump protocol decoding Category: contrib Module: tcpdump Announced: 2005-06-09 Credits: "Vade 79", Simon L. Nielsen Affects: FreeBSD 5.3-RELEASE and FreeBSD 5.4-RELEASE Corrected: 2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE) 2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2) 2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16) CVE Name: CAN-2005-1267, CAN-2005-1278, CAN-2005-1279, CAN-2005-1280 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background The tcpdump utility is used to capture and examine network traffic. II. Problem Description Several tcpdump protocol decoders contain programming errors which can cause them to go into infinite loops. III. Impact An attacker can inject specially crafted packets into the network which, when processed by tcpdump, could lead to a denial-of-service. After the attack, tcpdump would no longer capture traffic, and would potentially use all available processor time. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 or RELENG_5_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.3 and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE.../tcpdump.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...dump.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/tcpdump/tcpdump # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/contrib/tcpdump/print-bgp.c 1.1.1.5.2.1 src/contrib/tcpdump/print-isoclns.c 1.12.2.1 src/contrib/tcpdump/print-ldp.c 1.1.1.1.2.1 src/contrib/tcpdump/print-rsvp.c 1.1.1.1.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.11 src/sys/conf/newvers.sh 1.62.2.18.2.7 src/contrib/tcpdump/print-bgp.c 1.1.1.5.6.1 src/contrib/tcpdump/print-isoclns.c 1.12.6.1 src/contrib/tcpdump/print-ldp.c 1.1.1.1.6.1 src/contrib/tcpdump/print-rsvp.c 1.1.1.1.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.19 src/sys/conf/newvers.sh 1.62.2.15.2.21 src/contrib/tcpdump/print-bgp.c 1.1.1.5.4.1 src/contrib/tcpdump/print-isoclns.c 1.12.4.1 src/contrib/tcpdump/print-ldp.c 1.1.1.1.4.1 src/contrib/tcpdump/print-rsvp.c 1.1.1.1.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1267 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1278 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1279 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1280 http://marc.theaimsgroup.com/?l=bugt...11454406222040 http://marc.theaimsgroup.com/?l=bugt...11454461300644 ============================================================================= Message: 2 FreeBSD-SA-05:11.gzip Security Advisory The FreeBSD Project Topic: gzip directory traversal and permission race vulnerabilities Category: contrib Module: gzip Announced: 2005-06-09 Credits: Ulf Harnhammar, Imran Ghory Affects: All FreeBSD releases Corrected: 2005-06-08 21:26:27 UTC (RELENG_5, 5.4-STABLE) 2005-06-08 21:27:44 UTC (RELENG_5_4, 5.4-RELEASE-p2) 2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16) 2005-06-08 21:29:53 UTC (RELENG_4, 4.11-STABLE) 2005-06-08 21:30:43 UTC (RELENG_4_11, 4.11-RELEASE-p10) 2005-06-08 21:31:16 UTC (RELENG_4_10, 4.10-RELEASE-p15) CVE Name: CAN-2005-0988, CAN-2005-1228 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background gzip is a file compression utility. II. Problem Description Two problems related to extraction of files exist in gzip: The first problem is that gzip does not properly sanitize filenames containing "/" when uncompressing files using the -N command line option. The second problem is that gzip does not set permissions on newly extracted files until after the file has been created and the file descriptor has been closed. III. Impact The first problem can allow an attacker to overwrite arbitrary local files when uncompressing a file using the -N command line option. The second problem can allow a local attacker to change the permissions of arbitrary local files, on the same partition as the one the user is uncompressing a file on, by removing the file the user is uncompressing and replacing it with a hardlink before the uncompress operation is finished. IV. Workaround Do not use the -N command line option on untrusted files and do not uncompress files in directories where untrusted users have write access. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:11/gzip.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...gzip.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/gnu/usr.bin/gzip # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path ------------------------------------------------------------------------- RELENG_4 src/gnu/usr.bin/gzip/gzip.c 1.10.2.1 RELENG_4_11 src/UPDATING 1.73.2.91.2.11 src/sys/conf/newvers.sh 1.44.2.39.2.14 src/gnu/usr.bin/gzip/gzip.c 1.10.26.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.16 src/sys/conf/newvers.sh 1.44.2.34.2.17 src/gnu/usr.bin/gzip/gzip.c 1.10.24.1 RELENG_5 src/gnu/usr.bin/gzip/gzip.c 1.11.2.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.11 src/sys/conf/newvers.sh 1.62.2.18.2.7 src/gnu/usr.bin/gzip/gzip.c 1.11.6.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.19 src/sys/conf/newvers.sh 1.62.2.15.2.21 src/gnu/usr.bin/gzip/gzip.c 1.11.4.1 ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0988 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1228 http://marc.theaimsgroup.com/?l=bugt...11271860708210 http://marc.theaimsgroup.com/?l=bugt...11402732406477

[mar]

Продолжение (опять bind)
=============================================================================
Message: 3
FreeBSD-SA-05:12.bind9 Security Advisory
The FreeBSD Project

Topic: BIND 9 DNSSEC remote denial of service vulnerability

Category: core
Module: bind9
Announced: 2005-06-09
Credits: Internet Systems Consortium
Affects: FreeBSD 5.3
Corrected: 2005-03-23 18:16:29 UTC (RELENG_5, 5.3-STABLE)
2005-06-08 21:29:15 UTC (RELENG_5_3, 5.3-RELEASE-p16)
CVE Name: CAN-2005-0034

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is the Internet domain name server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication and integrity to the DNS protocols.

DNSSEC is not enabled by default in any FreeBSD release. A system
administrator must take special action to enable DNSSEC.

II. Problem Description

A DNSSEC-related validator function in BIND 9.3.0 contains an
inappropriate internal consistency test. When this test is triggered,
named(8) will exit.

III. Impact

On systems with DNSSEC enabled, a remote attacker may be able to inject
a specially crafted packet that will cause the internal consistency test
to trigger, and named(8) to terminate. As a result, the name server
will no longer be available to service requests.

IV. Workaround

DNSSEC is not enabled by default, and the "dnssec-enable" directive is
not normally present. If DNSSEC has been enabled, disable it by
changing the "dnssec-enable" directive to "dnssec-enable no;" in the
named.conf(5) configuration file.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_3
security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 5.3
systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...12/bind9.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...ind9.patch.asc

b) Execute the following commands as root:

# cd /usr/src/
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
-------------------------------------------------------------------------
RELENG_5
src/contrib/bind9/lib/dns/validator.c 1.1.1.1.2.2
RELENG_5_3
src/UPDATING 1.342.2.13.2.19
src/sys/conf/newvers.sh 1.62.2.15.2.21
src/contrib/bind9/lib/dns/validator.c 1.1.1.1.2.1.2.1
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0034
http://www.kb.cert.org/vuls/id/938617
http://www.isc.org/index.pl?/sw/bind/bind-security.php
http://www.isc.org/index.pl?/sw/bind/bind9.php

[mar]

Цитата:

---------------------------------------------------------------------- Message: 1 Date: Wed, 29 Jun 2005 21:54:54 GMT From: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: FreeBSD Security Advisory FreeBSD-SA-05:13.ipfw To: FreeBSD Security Advisories <security-advisories@freebsd.org> Message-ID: <200506292154.j5TLssOf008150@freefall.freebsd.org> ============================================================================= FreeBSD-SA-05:13.ipfw Security Advisory The FreeBSD Project Topic: ipfw packet matching errors with address tables Category: core Module: netinet Announced: 2005-06-29 Credits: Max Laier Affects: FreeBSD 5.4-RELEASE Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) CVE Name: CAN-2005-2019 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background ipfw(8) is a system facility which allows IP packet filtering, redirecting, and traffic accounting. ipfw lookup tables are a way to specify many IP addresses which can be used for packet matching in an efficient manner. II. Problem Description The ipfw tables lookup code caches the result of the last query. The kernel may process multiple packets concurrently, performing several concurrent table lookups. Due to an insufficient locking, a cached result can become corrupted that could cause some addresses to be incorrectly matched against a lookup table. III. Impact When lookup tables are used with ipfw, packets may on very rare occasions incorrectly match a lookup table. This could result in a packet being treated contrary to the defined packet filtering ruleset. For example, a packet may be allowed to pass through when it should have been discarded. The problem can only occur on Symmetric Multi-Processor (SMP) systems, or on Uni Processor (UP) systems with the PREEMPTION kernel option enabled (not the default). IV. Workaround a) Do not use lookup tables. OR b) Disable concurrent processing of packets in the network stack by setting the "debug.mpsafenet=0" tunable: # echo "debug.mpsafenet=0" >> /boot/loader.conf V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 5-STABLE, or to the RELENG_5_4 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:13/ipfw.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...ipfw.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_5 src/sys/netinet/ip_fw2.c 1.70.2.14 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 src/sys/netinet/ip_fw2.c 1.70.2.10.2.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-2019 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:13.ipfw.asc

[mar]

Цитата:

essage: 2 Date: Wed, 29 Jun 2005 21:55:00 GMT From: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: FreeBSD Security Advisory FreeBSD-SA-05:14.bzip2 To: FreeBSD Security Advisories <security-advisories@freebsd.org> Message-ID: <200506292155.j5TLt0cj008194@freefall.freebsd.org> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-05:14.bzip2 Security Advisory The FreeBSD Project Topic: bzip2 denial of service and permission race vulnerabilities Category: contrib Module: contrib_bzip2 Announced: 2005-06-29 Credits: Imran Ghory, Chris Evans Affects: All FreeBSD releases Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) 2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17) 2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE) 2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11) 2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16) CVE Name: CAN-2005-0953, CAN-2005-1260 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background bzip2 is a block-sorting file compression utility. II. Problem Description Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions. III. Impact The first problem can cause bzip2 to extract a bzip2 archive to an infinitely large file. If bzip2 is used in automated processing of untrusted files this could be exploited by an attacker to create an denial-of-service situation by exhausting disk space or by consuming all available cpu time. The second problem can allow a local attacker to change the permissions of local files owned by the user executing bzip2 providing that they have write access to the directory in which the file is being extracted. IV. Workaround Do not uncompress bzip2 archives from untrusted sources and do not uncompress files in directories where untrusted users have write access. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...14/bzip2.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...zip2.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/libbz2 # make obj && make depend && make && make install # cd /usr/src/usr.bin/bzip2 # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 contrib/bzip2/bzip2.c 1.1.1.1.2.3 contrib/bzip2/bzlib.c 1.1.1.1.2.3 contrib/bzip2/compress.c 1.1.1.1.2.3 contrib/bzip2/decompress.c 1.1.1.1.2.3 contrib/bzip2/huffman.c 1.1.1.1.2.3 RELENG_4_11 src/UPDATING 1.73.2.91.2.12 src/sys/conf/newvers.sh 1.44.2.39.2.15 contrib/bzip2/bzip2.c 1.1.1.1.2.2.12.1 contrib/bzip2/bzlib.c 1.1.1.1.2.2.12.1 contrib/bzip2/compress.c 1.1.1.1.2.2.12.1 contrib/bzip2/decompress.c 1.1.1.1.2.2.12.1 contrib/bzip2/huffman.c 1.1.1.1.2.2.12.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.17 src/sys/conf/newvers.sh 1.44.2.34.2.18 contrib/bzip2/bzip2.c 1.1.1.1.2.2.10.1 contrib/bzip2/bzlib.c 1.1.1.1.2.2.10.1 contrib/bzip2/compress.c 1.1.1.1.2.2.10.1 contrib/bzip2/decompress.c 1.1.1.1.2.2.10.1 contrib/bzip2/huffman.c 1.1.1.1.2.2.10.1 RELENG_5 contrib/bzip2/bzip2.c 1.1.1.2.8.1 contrib/bzip2/bzlib.c 1.1.1.2.8.1 contrib/bzip2/compress.c 1.1.1.2.8.1 contrib/bzip2/decompress.c 1.1.1.2.8.1 contrib/bzip2/huffman.c 1.1.1.2.8.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 contrib/bzip2/bzip2.c 1.1.1.2.12.1 contrib/bzip2/bzlib.c 1.1.1.2.12.1 contrib/bzip2/compress.c 1.1.1.2.12.1 contrib/bzip2/decompress.c 1.1.1.2.12.1 contrib/bzip2/huffman.c 1.1.1.2.12.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.20 src/sys/conf/newvers.sh 1.62.2.15.2.22 contrib/bzip2/bzip2.c 1.1.1.2.10.1 contrib/bzip2/bzlib.c 1.1.1.2.10.1 contrib/bzip2/compress.c 1.1.1.2.10.1 contrib/bzip2/decompress.c 1.1.1.2.10.1 contrib/bzip2/huffman.c 1.1.1.2.10.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0953 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1260 http://marc.theaimsgroup.com/?l=bugt...11229375217633 http://scary.beasts.org/security/CESA-2005-002.txt The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:14.bzip.asc

[mar]

Цитата:

: 2 Date: Wed, 29 Jun 2005 21:55:00 GMT From: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: FreeBSD Security Advisory FreeBSD-SA-05:14.bzip2 To: FreeBSD Security Advisories <security-advisories@freebsd.org> Message-ID: <200506292155.j5TLt0cj008194@freefall.freebsd.org> ============================================================================= FreeBSD-SA-05:14.bzip2 Security Advisory The FreeBSD Project Topic: bzip2 denial of service and permission race vulnerabilities Category: contrib Module: contrib_bzip2 Announced: 2005-06-29 Credits: Imran Ghory, Chris Evans Affects: All FreeBSD releases Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) 2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17) 2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE) 2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11) 2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16) CVE Name: CAN-2005-0953, CAN-2005-1260 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background bzip2 is a block-sorting file compression utility. II. Problem Description Two problems have been discovered relating to the extraction of bzip2-compressed files. First, a carefully constructed invalid bzip2 archive can cause bzip2 to enter an infinite loop. Second, when creating a new file, bzip2 closes the file before setting its permissions. III. Impact The first problem can cause bzip2 to extract a bzip2 archive to an infinitely large file. If bzip2 is used in automated processing of untrusted files this could be exploited by an attacker to create an denial-of-service situation by exhausting disk space or by consuming all available cpu time. The second problem can allow a local attacker to change the permissions of local files owned by the user executing bzip2 providing that they have write access to the directory in which the file is being extracted. IV. Workaround Do not uncompress bzip2 archives from untrusted sources and do not uncompress files in directories where untrusted users have write access. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...14/bzip2.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...zip2.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/libbz2 # make obj && make depend && make && make install # cd /usr/src/usr.bin/bzip2 # make obj && make depend && make && make install VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 contrib/bzip2/bzip2.c 1.1.1.1.2.3 contrib/bzip2/bzlib.c 1.1.1.1.2.3 contrib/bzip2/compress.c 1.1.1.1.2.3 contrib/bzip2/decompress.c 1.1.1.1.2.3 contrib/bzip2/huffman.c 1.1.1.1.2.3 RELENG_4_11 src/UPDATING 1.73.2.91.2.12 src/sys/conf/newvers.sh 1.44.2.39.2.15 contrib/bzip2/bzip2.c 1.1.1.1.2.2.12.1 contrib/bzip2/bzlib.c 1.1.1.1.2.2.12.1 contrib/bzip2/compress.c 1.1.1.1.2.2.12.1 contrib/bzip2/decompress.c 1.1.1.1.2.2.12.1 contrib/bzip2/huffman.c 1.1.1.1.2.2.12.1 RELENG_4_10 src/UPDATING 1.73.2.90.2.17 src/sys/conf/newvers.sh 1.44.2.34.2.18 contrib/bzip2/bzip2.c 1.1.1.1.2.2.10.1 contrib/bzip2/bzlib.c 1.1.1.1.2.2.10.1 contrib/bzip2/compress.c 1.1.1.1.2.2.10.1 contrib/bzip2/decompress.c 1.1.1.1.2.2.10.1 contrib/bzip2/huffman.c 1.1.1.1.2.2.10.1 RELENG_5 contrib/bzip2/bzip2.c 1.1.1.2.8.1 contrib/bzip2/bzlib.c 1.1.1.2.8.1 contrib/bzip2/compress.c 1.1.1.2.8.1 contrib/bzip2/decompress.c 1.1.1.2.8.1 contrib/bzip2/huffman.c 1.1.1.2.8.1 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 contrib/bzip2/bzip2.c 1.1.1.2.12.1 contrib/bzip2/bzlib.c 1.1.1.2.12.1 contrib/bzip2/compress.c 1.1.1.2.12.1 contrib/bzip2/decompress.c 1.1.1.2.12.1 contrib/bzip2/huffman.c 1.1.1.2.12.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.20 src/sys/conf/newvers.sh 1.62.2.15.2.22 contrib/bzip2/bzip2.c 1.1.1.2.10.1 contrib/bzip2/bzlib.c 1.1.1.2.10.1 contrib/bzip2/compress.c 1.1.1.2.10.1 contrib/bzip2/decompress.c 1.1.1.2.10.1 contrib/bzip2/huffman.c 1.1.1.2.10.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0953 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-1260 http://marc.theaimsgroup.com/?l=bugt...11229375217633 http://scary.beasts.org/security/CESA-2005-002.txt The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CE...05:14.bzip.asc

[mar]

Цитата:

Message: 3 Date: Wed, 29 Jun 2005 21:55:05 GMT From: FreeBSD Security Advisories <security-advisories@freebsd.org> Subject: FreeBSD Security Advisory FreeBSD-SA-05:15.tcp To: FreeBSD Security Advisories <security-advisories@freebsd.org> Message-ID: <200506292155.j5TLt5ig008238@freefall.freebsd.org> ============================================================================= FreeBSD-SA-05:15.tcp Security Advisory The FreeBSD Project Topic: TCP connection stall denial of service Category: core Module: inet Announced: 2005-06-29 Credits: Noritoshi Demizu Affects: All FreeBSD releases. Corrected: 2005-06-29 21:38:48 UTC (RELENG_5, 5.4-STABLE) 2005-06-29 21:41:03 UTC (RELENG_5_4, 5.4-RELEASE-p3) 2005-06-29 21:42:33 UTC (RELENG_5_3, 5.3-RELEASE-p17) 2005-06-29 21:43:42 UTC (RELENG_4, 4.11-STABLE) 2005-06-29 21:45:14 UTC (RELENG_4_11, 4.11-RELEASE-p11) 2005-06-29 21:46:15 UTC (RELENG_4_10, 4.10-RELEASE-p16) CVE Name: CAN-2005-0356, CAN-2005-2068 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit <URL:http://www.freebsd.org/security/>. I. Background The Transmission Control Protocol (TCP) of the TCP/IP protocol suite provides a connection-oriented, reliable, sequence-preserving data stream service. TCP timestamps are used to measure Round-Trip Time and in the Protect Against Wrapped Sequences (PAWS) algorithm. TCP packets with the SYN flag set are used during setup of new TCP connections. II. Problem Description Two problems have been discovered in the FreeBSD TCP stack. First, when a TCP packets containing a timestamp is received, inadequate checking of sequence numbers is performed, allowing an attacker to artificially increase the internal "recent" timestamp for a connection. Second, a TCP packet with the SYN flag set is accepted for established connections, allowing an attacker to overwrite certain TCP options. III. Impact Using either of the two problems an attacker with knowledge of the local and remote IP and port numbers associated with a connection can cause a denial of service situation by stalling the TCP connection. The stalled TCP connection my be closed after some time by the other host. IV. Workaround In some cases it may be possible to defend against these attacks by blocking the attack packets using a firewall. Packets used to effect either of these attacks would have spoofed source IP addresses. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 4-STABLE or 5-STABLE, or to the RELENG_5_4, RELENG_5_3, RELENG_4_11, or RELENG_4_10 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 4.10, 4.11, 5.3, and 5.4 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 4.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...:15/tcp4.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...tcp4.patch.asc [FreeBSD 5.x] # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE...5:15/tcp.patch # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CE.../tcp.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in <URL:http://www.freebsd.org/handbook/kernelconfig.html> and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch Revision Path - ------------------------------------------------------------------------- RELENG_4 src/sys/netinet/tcp_input.c 1.107.2.44 RELENG_4_11 src/UPDATING 1.73.2.91.2.12 src/sys/conf/newvers.sh 1.44.2.39.2.15 src/sys/netinet/tcp_input.c 1.107.2.41.4.3 RELENG_4_10 src/UPDATING 1.73.2.90.2.17 src/sys/conf/newvers.sh 1.44.2.34.2.18 src/sys/netinet/tcp_input.c 1.107.2.41.2.1 RELENG_5 src/sys/netinet/tcp_input.c 1.252.2.16 RELENG_5_4 src/UPDATING 1.342.2.24.2.12 src/sys/conf/newvers.sh 1.62.2.18.2.8 src/sys/netinet/tcp_input.c 1.252.2.14.2.1 RELENG_5_3 src/UPDATING 1.342.2.13.2.20 src/sys/conf/newvers.sh 1.62.2.15.2.22 src/sys/netinet/tcp_input.c 1.252.4.1 - ------------------------------------------------------------------------- VII. References http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-0356 http://cve.mitre.org/cgi-bin/cvename...=CAN-2005-2068 http://www.kb.cert.org/vuls/id/637934 The latest revision of this advisory is available at ftp://ftp.freebsd.org/pub/FreeBSD/CE...-05:15.tcp.asc