From: FreeBSD Security Advisories
Date: Fri, 23 Dec 2011 15:36:33 GMT
Subject: FreeBSD Security Advisory FreeBSD-SA-11:06.bind

=============================================================================
FreeBSD-SA-11:06.bind                                       Security Advisory
                                                          The FreeBSD Project

Topic:          Remote packet Denial of Service against named(8) servers

Category:       contrib
Module:         bind
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-11-17 01:10:16 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-11-17 00:36:10 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-01 21:13:41 UTC (RELENG_9, 9.0-STABLE)
                2011-12-01 21:17:59 UTC (RELENG_9_0, 9.0-RC3)
                2011-11-16 23:41:13 UTC (ports tree)
CVE Name:       CVE-2011-4313

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II.  Problem Description

A remote attacker could cause the BIND resolver to cache an invalid
record, which could cause the BIND daemon to crash when that record
is being queried.

III. Impact

An attacker that is able to send a specifically crafted response to the
BIND daemon can cause it to crash, resulting in a denial of service.

Note that due to the nature of this vulnerability, the attacker does
not necessarily have to have query access to the victim server.  The
vulnerability can be triggered by tricking legitimate clients, for
instance spam filtering systems or an end user browser, which can be
made to issue the query on their behalf.

IV.  Workaround

No workaround is available, but systems not running the BIND resolving
name server are not affected.

Servers that are running in authoritative-only mode appear not to be
affected by this vulnerability.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3-RELEASE and 7.4-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind7.patch.asc

[FreeBSD 8.1-RELEASE and 8.2-RELEASE]
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:06/bind8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date.  The following versions and newer versions of BIND installed from
the Ports Collection already have the mitigation measure:

        bind96-9.6.3.1.ESV.R5.1
        bind97-9.7.4.1
        bind98-9.8.1.1

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                  Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/rbtdb.c     1.1.1.4.2.9
  src/contrib/bind9/bin/named/query.c   1.1.1.6.2.8
RELENG_7_4
  src/UPDATING                          1.507.2.36.2.7
  src/sys/conf/newvers.sh               1.72.2.18.2.10
  src/contrib/bind9/lib/dns/rbtdb.c     1.1.1.4.2.6.2.1
  src/contrib/bind9/bin/named/query.c   1.1.1.6.2.6.2.1
RELENG_7_3
  src/UPDATING                          1.507.2.34.2.11
  src/sys/conf/newvers.sh               1.72.2.16.2.13
  src/contrib/bind9/lib/dns/rbtdb.c     1.1.1.4.2.3.2.2
  src/contrib/bind9/bin/named/query.c   1.1.1.6.2.3.2.2
RELENG_8
  src/contrib/bind9/lib/dns/rbtdb.c     1.3.2.9
  src/contrib/bind9/bin/named/query.c   1.3.2.8
RELENG_8_2
  src/UPDATING                          1.632.2.19.2.7
  src/sys/conf/newvers.sh               1.83.2.12.2.10
  src/contrib/bind9/lib/dns/rbtdb.c     1.3.2.5.2.1
  src/contrib/bind9/bin/named/query.c   1.3.2.5.2.1
RELENG_8_1
  src/UPDATING                          1.632.2.14.2.10
  src/sys/conf/newvers.sh               1.83.2.10.2.11
  src/contrib/bind9/lib/dns/rbtdb.c     1.3.2.3.2.1
  src/contrib/bind9/bin/named/query.c   1.3.2.3.2.1
RELENG_9
  src/contrib/bind9/lib/dns/rbtdb.c     1.13.2.1
  src/contrib/bind9/bin/named/query.c   1.11.2.1
RELENG_9_0
  src/contrib/bind9/lib/dns/rbtdb.c     1.13.4.1
  src/contrib/bind9/bin/named/query.c   1.11.4.1
-------------------------------------------------------------------------

Subversion:

Branch/path                             Revision
-------------------------------------------------------------------------
stable/7/                               r227603
releng/7.4/                             r228843
releng/7.3/                             r228843
stable/8/                               r227599
releng/8.2/                             r228843
releng/8.1/                             r228843
stable/9/                               r228189
releng/9.0/                             r228190
-------------------------------------------------------------------------

VII. References

https://www.isc.org/software/bind/advisories/cve-2011-4313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4313

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:06.bind.asc

=============================================================================
FreeBSD-SA-11:07.chroot                                     Security Advisory
                                                          The FreeBSD Project

Topic:          Code execution via chrooted ftpd

Category:       core
Module:         libc
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

Chroot is an operation that changes the apparent root directory for the
current process and its children.  The chroot(2) system call is widely
used in many applications as a measure of limiting a process's access to
the file system, as part of implementing privilege separation.

The nsdispatch(3) API implementation has a feature to reload its
configuration on demand.  This feature may also load shared libraries
and run code provided by the library when requested by the configuration
file.

II.  Problem Description

The nsdispatch(3) API has no mechanism to alert it to whether it is
operating within a chroot environment in which the standard paths for
configuration files and shared libraries may be untrustworthy.

The FreeBSD ftpd(8) daemon can be configured to use chroot(2), and
also uses the nsdispatch(3) API.

III. Impact

If ftpd is configured to place a user in a chroot environment, then
an attacker who can log in as that user may be able to run arbitrary
code with elevated ("root") privileges.

IV.  Workaround

Don't use ftpd with the chroot option.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 7.3 and 7.4]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot7.patch.asc

[FreeBSD 8.1 and 8.2]
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch
# fetch http://security.FreeBSD.org/patches/SA-11:07/chroot8.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system as described in and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) This update adds a new API, __FreeBSD_libc_enter_restricted_mode()
to the C library, which completely disables loading of shared libraries
upon return.  Applications doing chroot(2) jails need to be updated
to call this API explicitly right after the chroot(2) operation as a
safety measure.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                  Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/include/unistd.h                  1.80.2.4
  src/lib/libc/include/libc_private.h   1.17.2.4
  src/lib/libc/Versions.def             1.3.2.3
  src/lib/libc/net/nsdispatch.c         1.14.2.3
  src/lib/libc/gen/Symbol.map           1.6.2.7
  src/lib/libc/gen/Makefile.inc         1.128.2.6
  src/lib/libc/gen/libc_dlopen.c        1.2.2.2
  src/libexec/ftpd/popen.c              1.26.10.2
  src/libexec/ftpd/ftpd.c               1.212.2.2
RELENG_7_4
  src/UPDATING                          1.507.2.36.2.7
  src/sys/conf/newvers.sh               1.72.2.18.2.10
  src/include/unistd.h                  1.80.2.3.4.2
  src/lib/libc/include/libc_private.h   1.17.2.3.4.2
  src/lib/libc/Versions.def             1.3.2.2.4.2
  src/lib/libc/net/nsdispatch.c         1.14.2.2.2.2
  src/lib/libc/gen/Symbol.map           1.6.2.6.4.2
  src/lib/libc/gen/Makefile.inc         1.128.2.5.4.2
  src/lib/libc/gen/libc_dlopen.c        1.2.4.2
  src/libexec/ftpd/popen.c              1.26.10.1.2.2
  src/libexec/ftpd/ftpd.c               1.212.2.1.6.2
RELENG_7_3
  src/UPDATING                          1.507.2.34.2.11
  src/sys/conf/newvers.sh               1.72.2.16.2.13
  src/include/unistd.h                  1.80.2.3.2.2
  src/lib/libc/include/libc_private.h   1.17.2.3.2.2
  src/lib/libc/Versions.def             1.3.2.2.2.2
  src/lib/libc/net/nsdispatch.c         1.14.2.1.6.2
  src/lib/libc/gen/Symbol.map           1.6.2.6.2.2
  src/lib/libc/gen/Makefile.inc         1.128.2.5.2.2
  src/lib/libc/gen/libc_dlopen.c        1.1.2.1
  src/libexec/ftpd/popen.c              1.26.24.2
  src/libexec/ftpd/ftpd.c               1.212.2.1.4.2
RELENG_8
  src/include/unistd.h                  1.95.2.2
  src/lib/libc/include/libc_private.h   1.20.2.3
  src/lib/libc/Versions.def             1.8.2.3
  src/lib/libc/net/nsdispatch.c         1.18.2.3
  src/lib/libc/gen/Symbol.map           1.21.2.6
  src/lib/libc/gen/Makefile.inc         1.144.2.7
  src/lib/libc/gen/libc_dlopen.c        1.1.4.2
  src/libexec/ftpd/popen.c              1.26.22.3
  src/libexec/ftpd/ftpd.c               1.214.2.3
RELENG_8_2
  src/UPDATING                          1.632.2.19.2.7
  src/sys/conf/newvers.sh               1.83.2.12.2.10
  src/include/unistd.h                  1.95.2.1.6.2
  src/lib/libc/include/libc_private.h   1.20.2.2.4.2
  src/lib/libc/Versions.def             1.8.2.2.4.2
  src/lib/libc/net/nsdispatch.c         1.18.2.2.2.2
  src/lib/libc/gen/Symbol.map           1.21.2.5.2.2
  src/lib/libc/gen/Makefile.inc         1.144.2.6.2.2
  src/lib/libc/gen/libc_dlopen.c        1.2.8.2
  src/libexec/ftpd/popen.c              1.26.22.2.4.2
  src/libexec/ftpd/ftpd.c               1.214.2.1.6.2
RELENG_8_1
  src/UPDATING                          1.632.2.14.2.10
  src/sys/conf/newvers.sh               1.83.2.10.2.11
  src/include/unistd.h                  1.95.2.1.4.2
  src/lib/libc/include/libc_private.h   1.20.2.2.2.2
  src/lib/libc/Versions.def             1.8.2.2.2.2
  src/lib/libc/net/nsdispatch.c         1.18.2.1.4.2
  src/lib/libc/gen/Symbol.map           1.21.2.3.2.2
  src/lib/libc/gen/Makefile.inc         1.144.2.4.2.2
  src/lib/libc/gen/libc_dlopen.c        1.2.10.2
  src/libexec/ftpd/popen.c              1.26.22.2.2.2
  src/libexec/ftpd/ftpd.c               1.214.2.1.4.2
RELENG_9
  src/include/unistd.h                  1.101.2.2
  src/lib/libc/include/libc_private.h   1.26.2.2
  src/lib/libc/Versions.def             1.9.2.2
  src/lib/libc/net/nsdispatch.c         1.19.2.2
  src/lib/libc/gen/Symbol.map           1.38.2.2
  src/lib/libc/gen/Makefile.inc         1.159.2.2
  src/lib/libc/gen/libc_dlopen.c        1.1.6.2
  src/lib/libc/iconv/citrus_module.c    1.1.2.2
  src/libexec/ftpd/popen.c              1.27.2.2
  src/libexec/ftpd/ftpd.c               1.220.2.2
RELENG_9_0
  src/include/unistd.h                  1.101.2.1.2.2
  src/lib/libc/include/libc_private.h   1.26.2.1.2.2
  src/lib/libc/Versions.def             1.9.2.1.2.2
  src/lib/libc/net/nsdispatch.c         1.19.2.1.2.2
  src/lib/libc/gen/Symbol.map           1.38.2.1.2.2
  src/lib/libc/gen/Makefile.inc         1.159.2.1.2.2
  src/lib/libc/gen/libc_dlopen.c        1.2.6.2
  src/lib/libc/iconv/citrus_module.c    1.1.2.1.2.2
  src/libexec/ftpd/popen.c              1.27.2.1.2.2
  src/libexec/ftpd/ftpd.c               1.220.2.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                             Revision
-------------------------------------------------------------------------
stable/7/                               r228843
releng/7.4/                             r228843
releng/7.3/                             r228843
stable/8/                               r228843
releng/8.2/                             r228843
releng/8.1/                             r228843
stable/9/                               r228843
releng/9.0/                             r228843
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:07.chroot.asc

=============================================================================
FreeBSD-SA-11:08.telnetd                                    Security Advisory
                                                          The FreeBSD Project

Topic:          telnetd code execution vulnerability

Category:       core
Module:         contrib
Announced:      2011-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-23 15:00:37 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-23 15:00:37 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-23 15:00:37 UTC (RELENG_9, 9.0-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_9_0, 9.0-RELEASE)
CVE Name:       CVE-2011-4862

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol.  It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead.  The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.

The TELNET protocol has a mechanism for encryption of the data stream
(but it is not cryptographically strong and should not be relied upon
in any security-critical applications).

II.  Problem Description

When an encryption key is supplied via the TELNET protocol, its length
is not validated before the key is copied into a fixed-size buffer.

III. Impact

An attacker who can connect to the telnetd daemon can execute arbitrary
code with the privileges of the daemon (which is usually the "root"
superuser).

IV.  Workaround

No workaround is available, but systems not running the telnet daemon
are not vulnerable.
Note that the telnet daemon is usually run via inetd, and consequently
will not show up in a process listing unless a connection is currently
active; to determine if it is enabled, run

$ ps ax | grep telnetd | grep -v grep
$ grep telnetd /etc/inetd.conf | grep -vE '^#'

If any output is produced, your system may be vulnerable.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2, and 8.1 systems.

a) Download the patch from the location below, and verify the detached
PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-11:08/telnetd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make && make install
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                                Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.2.24.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.24.1
RELENG_7_4
  src/UPDATING                                        1.507.2.36.2.7
  src/sys/conf/newvers.sh                             1.72.2.18.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.2.38.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.40.2
RELENG_7_3
  src/UPDATING                                        1.507.2.34.2.11
  src/sys/conf/newvers.sh                             1.72.2.16.2.13
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.2.36.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.38.2
RELENG_8
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.3.2.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.36.2
RELENG_8_2
  src/UPDATING                                        1.632.2.19.2.7
  src/sys/conf/newvers.sh                             1.83.2.12.2.10
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.3.8.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.36.1.6.2
RELENG_8_1
  src/UPDATING                                        1.632.2.14.2.10
  src/sys/conf/newvers.sh                             1.83.2.10.2.11
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.3.6.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.36.1.4.2
RELENG_9
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.3.10.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.42.2
RELENG_9_0
  src/crypto/heimdal/appl/telnet/libtelnet/encrypt.c  1.1.1.3.12.1
  src/contrib/telnet/libtelnet/encrypt.c              1.9.42.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                           Revision
-------------------------------------------------------------------------
stable/7/                                             r228843
releng/7.4/                                           r228843
releng/7.3/                                           r228843
stable/8/                                             r228843
releng/8.2/                                           r228843
releng/8.1/                                           r228843
stable/9/                                             r228843
releng/9.0/                                           r228843
-------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:08.telnetd.asc
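
The missing length check described in the Problem Description of FreeBSD-SA-11:08.telnetd, shown next to a bounded form. This is an added C example, not code from the telnetd sources or the FreeBSD patch; the structure, the function names and the 64-byte capacity are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed capacity for this example; the advisory does not give the real size. */
#define KEYID_MAX 64

/* Hypothetical key state: a fixed-size buffer followed by other fields. */
struct key_state {
    unsigned char keyid[KEYID_MAX];
    size_t        keylen;
    unsigned int  guard;   /* stands in for whatever lives after the buffer */
};

enum { KEYID_REJECTED = -1, KEYID_STORED = 0, KEYID_UNCHANGED = 1 };

/*
 * The pattern from the Problem Description: the peer-supplied length is
 * trusted, so any len > KEYID_MAX writes past keyid[]. Shown for contrast
 * only and never called here.
 */
void store_keyid_unchecked(struct key_state *ks, const unsigned char *id,
                           size_t len)
{
    ks->keylen = len;
    memcpy(ks->keyid, id, len);
}

/*
 * Bounded form: validate the length against the destination before any
 * write, and leave the existing key untouched when the input is rejected.
 */
int store_keyid_checked(struct key_state *ks, const unsigned char *id,
                        size_t len)
{
    if (ks == NULL || (id == NULL && len != 0))
        return KEYID_REJECTED;
    if (len > sizeof ks->keyid)
        return KEYID_REJECTED;
    if (len == ks->keylen && (len == 0 || memcmp(ks->keyid, id, len) == 0))
        return KEYID_UNCHANGED;
    memset(ks->keyid, 0, sizeof ks->keyid);   /* no stale bytes from a longer key */
    if (len != 0)
        memcpy(ks->keyid, id, len);
    ks->keylen = len;
    return KEYID_STORED;
}

int main(void)
{
    struct key_state ks;
    unsigned char ok[8] = {1, 2, 3, 4, 5, 6, 7, 8};   /* constructed input */
    unsigned char big[KEYID_MAX + 16];                /* constructed oversize input */

    memset(&ks, 0, sizeof ks);
    ks.guard = 0xA5A5A5A5u;
    memset(big, 0x41, sizeof big);

    printf("8-byte key:   %d\n", store_keyid_checked(&ks, ok, sizeof ok));
    printf("oversize key: %d\n", store_keyid_checked(&ks, big, sizeof big));
    printf("guard intact: %s\n", ks.guard == 0xA5A5A5A5u ? "yes" : "no");
    return 0;
}
```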

=============================================================================
FreeBSD-SA-11:09.pam_ssh                                    Security Advisory
                                                          The FreeBSD Project

Topic:          pam_ssh improperly grants access when user account has
                unencrypted SSH private keys

Category:       contrib
Module:         pam
Announced:      2011-12-23
Credits:        Guy Helmer, Dag-Erling Smorgrav
Affects:        All supported versions of FreeBSD.
Corrected:      2011-12-11 20:40:23 UTC (RELENG_7, 7.4-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9)
                2011-12-11 20:38:36 UTC (RELENG_8, 8.2-STABLE)
                2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5)
                2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7)
                2011-12-11 16:57:27 UTC (RELENG_9, 9.0-STABLE)
                2011-12-11 17:32:37 UTC (RELENG_9_0, 9.0-RELEASE)

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The PAM (Pluggable Authentication Modules) library provides a flexible
framework for user authentication and session setup / teardown.  It is
used not only in the base system, but also by a large number of
third-party applications.

Various authentication methods (UNIX, LDAP, Kerberos etc.) are
implemented in modules which are loaded and executed according to
predefined, named policies.  These policies are defined in
/etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or
/usr/local/etc/pam.d/.

The base system includes a module named pam_ssh which, if enabled,
allows users to authenticate themselves by typing in the passphrase of
one of the SSH private keys which are stored in encrypted form in
their .ssh directory.  Authentication is considered successful if at
least one of these keys could be decrypted using the provided
passphrase.

By default, the pam_ssh module rejects SSH private keys with no
passphrase.  A "nullok" option exists to allow these keys.

II.  Problem Description

The OpenSSL library call used to decrypt private keys ignores the
passphrase argument if the key is not encrypted.  Because the pam_ssh
module only checks whether the passphrase provided by the user is null,
users with unencrypted SSH private keys may successfully authenticate
themselves by providing a dummy passphrase.

III. Impact

If the pam_ssh module is enabled, attackers may be able to gain access
to user accounts which have unencrypted SSH private keys.

IV.  Workaround

No workaround is available, but systems that do not have the pam_ssh
module enabled are not vulnerable.  The pam_ssh module is not enabled in
any of the default policies provided in the base system.

The system administrator can use the following procedure to inspect all
PAM policy files to determine whether the pam_ssh module is enabled.
If the following command produces any output, the system may be
vulnerable:

# egrep -r '^[^#].*\<pam_ssh\>' /etc/pam.* /usr/local/etc/pam.*

The following command will disable the pam_ssh module in all PAM
policies present in the system:

# sed -i '' -e '/^[^#].*pam_ssh/s/^/#/' /etc/pam.conf /etc/pam.d/* \
    /usr/local/etc/pam.conf /usr/local/etc/pam.d/*

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch
# fetch http://security.FreeBSD.org/patches/SA-11:09/pam_ssh.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam/modules/pam_ssh
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries.  On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                      Revision
  Path
-------------------------------------------------------------------------
RELENG_7
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.44.2.2
RELENG_7_4
  src/UPDATING                              1.507.2.36.2.7
  src/sys/conf/newvers.sh                   1.72.2.18.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.44.2.1.8.2
RELENG_7_3
  src/UPDATING                              1.507.2.34.2.11
  src/sys/conf/newvers.sh                   1.72.2.16.2.13
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.44.2.1.6.2
RELENG_8
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.45.2.3
RELENG_8_2
  src/UPDATING                              1.632.2.19.2.7
  src/sys/conf/newvers.sh                   1.83.2.12.2.10
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.45.2.2.4.2
RELENG_8_1
  src/UPDATING                              1.632.2.14.2.10
  src/sys/conf/newvers.sh                   1.83.2.10.2.11
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.45.2.2.2.2
RELENG_9
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.47.2.2
RELENG_9_0
  src/lib/libpam/modules/pam_ssh/pam_ssh.c  1.47.2.1.2.2
-------------------------------------------------------------------------

Subversion:

Branch/path                                 Revision
-------------------------------------------------------------------------
stable/7/                                   r228421
releng/7.4/                                 r228843
releng/7.3/                                 r228843
stable/8/                                   r228420
releng/8.2/                                 r228843
releng/8.1/                                 r228843
stable/9/                                   r228410
releng/9.0/                                 r228414
-------------------------------------------------------------------------

VII. References

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:09.pam_ssh.asc
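
The authentication flaw in FreeBSD-SA-11:09.pam_ssh modelled as a small decision function, next to a corrected form. This is an added example, not pam_ssh or OpenSSL code: `load_key()` is a stand-in that reproduces the behaviour the advisory describes, the corrected logic is one possible fix and not necessarily the one in the patch, and the sample keys are constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for a private key file in a user's .ssh directory. */
struct sample_key {
    bool        encrypted;    /* false: stored without a passphrase */
    const char *passphrase;   /* only meaningful when encrypted */
};

/*
 * Stand-in for the key-loading call. It reproduces the behaviour the advisory
 * describes: the passphrase argument is ignored if the key is not encrypted.
 */
static bool load_key(const struct sample_key *k, const char *pass)
{
    if (!k->encrypted)
        return true;
    return strcmp(pass, k->passphrase) == 0;
}

/* Flawed check: only asks whether the typed passphrase is empty. */
static bool key_accepts_flawed(const struct sample_key *k, const char *pass,
                               bool nullok)
{
    if (*pass == '\0' && !nullok)
        return false;
    return load_key(k, pass);
}

/*
 * Corrected check: probe with an empty passphrase first to learn whether the
 * key itself is unprotected. Such a key counts only when nullok is set and
 * the user really typed nothing; otherwise the typed passphrase must open it.
 */
static bool key_accepts_fixed(const struct sample_key *k, const char *pass,
                              bool nullok)
{
    if (load_key(k, ""))
        return nullok && *pass == '\0';
    return load_key(k, pass);
}

typedef bool (*key_check)(const struct sample_key *, const char *, bool);

/* Authentication succeeds if at least one of the user's keys is accepted. */
static bool authenticate(const struct sample_key *keys, size_t n,
                         const char *pass, bool nullok, key_check check)
{
    size_t i;

    if (pass == NULL)
        pass = "";
    for (i = 0; i < n; i++)
        if (check(&keys[i], pass, nullok))
            return true;
    return false;
}

bool auth_flawed(const struct sample_key *keys, size_t n, const char *pass,
                 bool nullok)
{
    return authenticate(keys, n, pass, nullok, key_accepts_flawed);
}

bool auth_fixed(const struct sample_key *keys, size_t n, const char *pass,
                bool nullok)
{
    return authenticate(keys, n, pass, nullok, key_accepts_fixed);
}

/* Audit helper: how many of the keys open with no passphrase at all. */
size_t count_unprotected(const struct sample_key *keys, size_t n)
{
    size_t i, count = 0;

    for (i = 0; i < n; i++)
        if (load_key(&keys[i], ""))
            count++;
    return count;
}

int main(void)
{
    /* Constructed account: one encrypted key and one unencrypted key. */
    struct sample_key keys[2] = { { true, "correct horse" }, { false, NULL } };

    printf("flawed, dummy passphrase: %d\n", auth_flawed(keys, 2, "dummy", false));
    printf("fixed,  dummy passphrase: %d\n", auth_fixed(keys, 2, "dummy", false));
    printf("fixed,  real passphrase:  %d\n", auth_fixed(keys, 2, "correct horse", false));
    printf("unprotected keys: %zu\n", count_unprotected(keys, 2));
    return 0;
}
```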
\[moderated, low volume\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 23 Dec 2011 15:36:57 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-11:10.pam Security Advisory The FreeBSD Project Topic: pam_start() does not validate service names Category: contrib Module: pam Announced: 2011-12-23 Credits: Matthias Drochner Affects: All supported versions of FreeBSD. Corrected: 2011-12-13 13:03:11 UTC (RELENG_7, 7.4-STABLE) 2011-12-23 15:00:37 UTC (RELENG_7_4, 7.4-RELEASE-p5) 2011-12-23 15:00:37 UTC (RELENG_7_3, 7.3-RELEASE-p9) 2011-12-13 13:02:52 UTC (RELENG_8, 8.2-STABLE) 2011-12-23 15:00:37 UTC (RELENG_8_2, 8.2-RELEASE-p5) 2011-12-23 15:00:37 UTC (RELENG_8_1, 8.1-RELEASE-p7) 2011-12-13 12:59:39 UTC (RELENG_9, 9.0-STABLE) 2011-12-13 13:02:31 UTC (RELENG_9_0, 9.0-RELEASE) CVE Name: CVE-2011-4122 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The PAM (Pluggable Authentication Modules) library provides a flexible framework for user authentication and session setup / teardown. It is used not only in the base system, but also by a large number of third-party applications. Various authentication methods (UNIX, LDAP, Kerberos etc.) are implemented in modules which are loaded and executed according to predefined, named policies. These policies are defined in /etc/pam.conf, /etc/pam.d/, /usr/local/etc/pam.conf or /usr/local/etc/pam.d/. The PAM API is a de facto industry standard which has been implemented by several parties. FreeBSD uses the OpenPAM implementation. II. Problem Description Some third-party applications, including KDE's kcheckpass command, allow the user to specify the name of the policy on the command line. 
Since OpenPAM treats the policy name as a path relative to /etc/pam.d
or /usr/local/etc/pam.d, users who are permitted to run such an
application can craft their own policies and cause the application to
load and execute their own modules.

III. Impact

If an application that runs with root privileges allows the user to
specify the name of the PAM policy to load, users who are permitted to
run that application will be able to execute arbitrary code with root
privileges.

There are no vulnerable applications in the base system.

IV.  Workaround

No workaround is available, but systems without untrusted users are
not vulnerable.

Inspect any third-party setuid / setgid binaries which use the PAM
library and ascertain whether they allow the user to specify the
policy name, then either change the binary's permissions to prevent
its use or remove it altogether.

The following command will output a non-zero number if a dynamically
linked binary uses libpam:

# ldd /usr/local/bin/suspicious_binary | grep -c libpam

The following command will output a non-zero number if a statically
linked binary uses libpam:

# grep -acF "/etc/pam.d/" /usr/local/bin/suspicious_binary

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the
RELENG_8_2, RELENG_8_1, RELENG_7_4, or RELENG_7_3 security branch
dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4, 7.3,
8.2 and 8.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch
# fetch http://security.FreeBSD.org/patches/SA-11:10/pam.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libpam
# make obj && make depend && make && make install

NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 7.3-RELEASE, 8.2-RELEASE, or 8.1-RELEASE
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                          Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.7.20.2
RELENG_7_4
  src/UPDATING                                  1.507.2.36.2.7
  src/sys/conf/newvers.sh                       1.72.2.18.2.10
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.7.20.1.8.1
RELENG_7_3
  src/UPDATING                                  1.507.2.34.2.11
  src/sys/conf/newvers.sh                       1.72.2.16.2.13
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.7.20.1.6.1
RELENG_8
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.8.2.1
RELENG_8_2
  src/UPDATING                                  1.632.2.19.2.7
  src/sys/conf/newvers.sh                       1.83.2.12.2.10
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.8.8.1
RELENG_8_1
  src/UPDATING                                  1.632.2.14.2.10
  src/sys/conf/newvers.sh                       1.83.2.10.2.11
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.8.6.1
RELENG_9
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.8.10.1
RELENG_9_0
  src/contrib/openpam/lib/openpam_configure.c   1.1.1.8.12.1
- -------------------------------------------------------------------------

Subversion:

Branch/path                                     Revision
- -------------------------------------------------------------------------
stable/7/                                       r228467
releng/7.4/                                     r228843
releng/7.3/                                     r228843
stable/8/                                       r228466
releng/8.2/                                     r228843
releng/8.1/                                     r228843
stable/9/                                       r228464
releng/9.0/                                     r228465
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4122

The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-11:10.pam.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70nOoACgkQFdaIBMps37KEWgCgiD/7EymFrnFueD7yyLiI3hLV
lU4An2FUTQRJ0GakViobm9ejHdfmf2Vb
=9COS
-----END PGP SIGNATURE-----

From owner-freebsd-security-notifications@FreeBSD.ORG Fri Dec 23 15:50:54 2011
Message-ID: <4EF4A0A8.3000707@freebsd.org>
Date: Fri, 23 Dec 2011 07:39:20 -0800
From: FreeBSD Security Officer
Organization: FreeBSD Project
To: freebsd-announce@freebsd.org, freebsd-security-notifications@freebsd.org
Reply-To: security-officer@freebsd.org
Subject: Merry Christmas from the FreeBSD Security Team

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi all,

No, the Grinch didn't steal the FreeBSD security officer GPG key, and
your eyes aren't deceiving you: We really did just send out 5 security
advisories.

The timing, to put it bluntly, sucks. We normally aim to release
advisories on Wednesdays in order to maximize the number of system
administrators who will be at work already; and we try very hard to
avoid issuing advisories any time close to holidays for the same
reason. The start of the Christmas weekend -- in some parts of the
world it's already Saturday -- is absolutely not when we want to be
releasing security advisories.

Unfortunately my hand was forced: One of the issues
(FreeBSD-SA-11:08.telnetd) is a remote root vulnerability which is
being actively exploited in the wild; bugs really don't come any worse
than this. On the positive side, most people have moved past telnet
and on to SSH by now; but this is still not an issue we could postpone
until a more convenient time.

While I'm writing, a note to freebsd-update users:
FreeBSD-SA-11:07.chroot has a rather messy fix involving adding a new
interface to libc; this has the awkward side effect of causing the
sizes of some "symbols" (aka. functions) in libc to change, resulting
in cascading changes into many binaries. The long list of updated
files is irritating, but isn't a sign that anything in freebsd-update
went wrong.

- -- 
Colin Percival
Security Officer, FreeBSD | freebsd.org | The power to serve
Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.18 (FreeBSD)

iEYEARECAAYFAk70oKgACgkQFdaIBMps37IsdACgh01CeO+zVGe3o9dn2cLvhh70
ISoAoJCeLUAbJ+0ibyfbVM4fYxpiEfo0
=vt5I
-----END PGP SIGNATURE-----
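
Added example (not part of the advisories above and not a FreeBSD tool): the two checks from the FreeBSD-SA-11:10.pam workaround, wrapped in POSIX sh and run over every setuid / setgid file under a directory such as /usr/local. The function names pam_linkage and audit_pam_setid are assumptions made for this example; the output only narrows the list of binaries that still have to be inspected by hand for a user-supplied policy name.

```shell
#!/bin/sh
# Added example: wraps the two FreeBSD-SA-11:10.pam workaround checks.
# pam_linkage and audit_pam_setid are names made up for this example.
# Usage (as root): audit_pam_setid /usr/local

# pam_linkage FILE -> prints "dynamic", "static" or "no".
pam_linkage() {
    f=$1
    n=0
    # Advisory check 1: a dynamically linked binary lists libpam in ldd output.
    if command -v ldd >/dev/null 2>&1; then
        n=$(ldd "$f" 2>/dev/null | grep -c libpam || true)
    fi
    if [ "${n:-0}" -gt 0 ]; then
        echo dynamic
        return 0
    fi
    # Advisory check 2: a statically linked binary embeds the policy directory.
    n=$(grep -acF "/etc/pam.d/" "$f" 2>/dev/null || true)
    if [ "${n:-0}" -gt 0 ]; then
        echo static
    else
        echo no
    fi
}

# audit_pam_setid DIR -> one "KIND<TAB>PATH" line for each setuid or setgid
# regular file under DIR that appears to use libpam.
audit_pam_setid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null |
    while IFS= read -r bin; do
        kind=$(pam_linkage "$bin")
        if [ "$kind" != no ]; then
            printf '%s\t%s\n' "$kind" "$bin"
        fi
    done
}
```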