From owner-freebsd-announce@FreeBSD.ORG Sun Nov 2 20:02:24 2014 Return-Path: Delivered-To: announce@FreeBSD.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id C5FF31C6 for ; Sun, 2 Nov 2014 20:02:24 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id AED3ED50 for ; Sun, 2 Nov 2014 20:02:24 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id sA2K2O6B066857 for ; Sun, 2 Nov 2014 20:02:24 GMT (envelope-from bdrewery@freefall.freebsd.org) Received: (from bdrewery@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id sA2K2OkL066851 for announce@FreeBSD.org; Sun, 2 Nov 2014 20:02:24 GMT (envelope-from bdrewery) Received: (qmail 5280 invoked from network); 2 Nov 2014 14:02:20 -0600 Received: from unknown (HELO blah) (freebsd@shatow.net@129.253.54.225) by sweb.xzibition.com with ESMTPA; 2 Nov 2014 14:02:20 -0600 Message-ID: <54568DA2.6030309@FreeBSD.org> Date: Sun, 02 Nov 2014 14:01:38 -0600 From: Bryan Drewery Organization: FreeBSD User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:31.0) Gecko/20100101 Thunderbird/31.2.0 MIME-Version: 1.0 To: freebsd-ports@FreeBSD.org Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Sun, 02 Nov 2014 20:07:21 +0000 Subject: [FreeBSD-Announce] SSP now default for ports/packages, ssp/new_xorg repository EOL X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 02 Nov 2014 20:02:24 -0000 Ports and Package users, Ports now have SSP enabled by default. The package repository will now build SSP by default as well. SSP is "Stack Smashing Protection" and can be read about at https://en.wikipedia.org/wiki/Buffer_overflow_protection. This only applies to the head (/latest) packages, not the Quarterly branch packages. This applies to the ports checkout that portsnap uses. WITHOUT_SSP can be defined in make.conf to not use this feature. SSP will be used to build ports (with -fstack-protector) on all amd64 releases and i386 releases which are 10.0 or newer. The "ssp" repository and "new_xorg" repositories will no longer be updated after 11/15 as they are no longer needed as both are default for ports now. Please update your repository configurations to now only track the /latest repository. This is the default from /etc/pkg/FreeBSD.conf. Remove any overrides from /usr/local/etc/pkg/repos/ for the "ssp" or "new_xorg" repositories. Regards, Bryan Drewery on behalf of portmgr From owner-freebsd-announce@FreeBSD.ORG Wed Nov 5 00:42:34 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 23844E82; Wed, 5 Nov 2014 00:42:34 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id BB492BD8; Wed, 5 Nov 2014 00:42:33 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 6C4DDAF7A; Wed, 5 Nov 2014 00:42:32 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 902AE10E5; Wed, 5 Nov 2014 01:42:31 +0100 (CET) From: FreeBSD Errata Notices To: FreeBSD Errata Notices Reply-To: freebsd-stable@freebsd.org Precedence: bulk Message-Id: <20141105004231.902AE10E5@nine.des.no> Date: Wed, 5 Nov 2014 01:42:31 +0100 (CET) Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:12.zfs X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 00:42:34 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-EN-14:12.zfs Errata Notice The FreeBSD Project Topic: NFSv4 and ZFS cache consistency issue Category: contrib Module: zfs Announced: 2011-11-04 Credits: Bart Hsiao, Marcelo Araujo, Kevin Buhr Affects: All supported versions of FreeBSD. Corrected: 2014-10-07 06:00:09 UTC (stable/10, 10.0-STABLE) 2014-10-15 06:31:08 UTC (releng/10.1, 10.1-RC2) 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) 2014-10-07 06:00:32 UTC (stable/9, 9.3-STABLE) 2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5) 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) 2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE) 2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The Network File System (NFS) allows a host to export some or all of its file systems that can be any kind of file systems such like UFS, ZFS etcetera, so that other hosts can access them over the network and mount them as if they were on local disks. II. Problem Description In a configuration where two or more clients mount a ZFS file system over NFSv4 from a FreeBSD server, if client1 caches a directory listing and a file in the directory is renamed on client2, then client1 can end up in a state where the cached but incorrect directory contents persists indefinitely and is never updated. III. Impact When client2 renames a file or directory, client1 does not receive the changed attributes and never does a READDIR to get the updated contents. This could result in a client that has incorrect information about the actual content of the mounted file system. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your present system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch # fetch http://security.FreeBSD.org/patches/EN-14:12/zfs.patch.asc # gpg --verify zfs.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/zfs.patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r274108 releng/8.4/ r274111 stable/9/ r272677 releng/9.1/ r274112 releng/9.2/ r274113 releng/9.3/ r274114 stable/10/ r272676 releng/10.0/ r274110 releng/10.1/ r273122 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-14:12.zfs.asc -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUWWUOAAoJEO1n7NZdz2rn9KsQAIw7xhRYGUQ+SwIl6E8Tzodd bx/VkTLOgcDrGSNqREzkgNeTtWXOXRwibZpBVXl8sglf+WPtZsnGcCALze9CiS14 boesjajpl7znqJ8zDpIU3qMdFsEOB5Ky3KDTQgCMEygAJrOxASGv6TCOT/3e1hRr Ez0+32dnqooxNRJjHA0t+t+gBszFFLV1PbstpaCOOAsZpmNMtJGbhsydF/aKcK17 dcNaOKjMPB4SDGMx+dcZqS8bToEXfe0lwOGiEDAavVCyMx5zyie2bGfUWEI2bpu5 1VcOtnMxpKlgJdEOIbFI0RXdj4CujLbfwNBnDGLELcCZsPtoWJQZHDmDXK5pkEof 6aOHqqmZrFsI9V81ymVbQYYSHF67ZeRZB3CotC8trQn+tnxK1l0s6KF0FzSHQigU y1Q1vErOKuzPEcrD7sp7xTS3VAQ1a7/uGY6KcTSrJu7xwrJe8KRNvufokgnzU3D4 X/O/L7TxvjTmTu1T2882mMIrtpALf/tjGwW32ksUnXo6RiwByvaalO9ObEBPYzGQ C9xG3ggfqhyHDlw21VhCjZF5hQ7xUnBKHjT60LbGMB5llaN1DUN6HRT9rCbeN4gP 5eJalL2x1NLT1XVCBYlq1IhE6vTcnTdVVcGRBJQbPnfqivrDzBfIFzhy/4tc1J7K IkJAwk+aThuF3j3xnt+z =lQAP -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Nov 5 00:43:22 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id CD385130; Wed, 5 Nov 2014 00:43:22 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 6F85AC22; Wed, 5 Nov 2014 00:43:22 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id C7389AF81; Wed, 5 Nov 2014 00:43:21 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id A430E10EA; Wed, 5 Nov 2014 01:43:20 +0100 (CET) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20141105004320.A430E10EA@nine.des.no> Date: Wed, 5 Nov 2014 01:43:20 +0100 (CET) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:24.sshd X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 00:43:22 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:24.sshd Security Advisory The FreeBSD Project Topic: Denial of service attack against sshd(8) Category: contrib Module: openssh Announced: 2014-11-04 Credits: Affects: FreeBSD 9.1, 9.2 and 10.0. Corrected: 2014-05-04 07:28:26 UTC (stable/10, 10.0-STABLE) 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) 2014-05-04 07:57:20 UTC (stable/9, 9.2-STABLE) 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) CVE Name: CVE-2014-8475 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The sshd(8) daemon is the server side of OpenSSH. Heimdal is an implementation of Kerberos 5, which provides authentication and single sign-on capability for many network services, including OpenSSH. II. Problem Description Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time. Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree. III. Impact An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections. An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process. IV. Workaround Possible workarounds include rebuilding sshd with Kerberos support disabled or installing the security/openssh-portable package from the FreeBSD ports tree or an official package repository. Systems that do not run an OpenSSH server are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch # fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch.asc # gpg --verify sshd.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch c) Recompile sshd. Execute the following commands as root: # cd /usr/src/secure/usr.sbin/sshd # make && make install 4) Restart the affected service To restart the affected service after updating the system, either reboot the system or execute the following command as root: # service sshd restart VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r265314 releng/9.1/ r274112 releng/9.2/ r274113 stable/10/ r265313 releng/10.0/ r274110 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUWWlZAAoJEO1n7NZdz2rn4UEP/0VdM6uSHWyQSOzO+kuDxRfT wru9+yjCB4NJtFzvBLe8eeiUDiTqJaTfrAGbbr9l5qkRXvTaUzWyaHyraLN4nK51 /ouxKzxxrqf0YDpYQPIUwCVmkoLn/+0T3U7sB78bx5WH4W1XoKKWIkChCyZpVvBI vw6A5Ep4+U6mTGXE2D04WQISkKXYqzCuW0rJBnm0xDj9xUprgZJ7tTSx/ewAiA/L FV37riqb8OII8lThV7g0s0F0JWDUf+AznG/S7amior0jMMSExdafifcvHEUZNs72 4cYh66p/GxeImU2Tm3VDRlfoAv86kUFwIevwD4oj5wXa7aBMdUwPITyQJ0We68gj 3kMBpJaZAJ7DpwYuCu7/RF7K4Irt3mSJJipS3IvI2LteHCakZBIUlbrPJrcfMl4P VJQU3v4HLH5XZskuR5UEJ755DT+7ZMd7tFl0iWFVsutwjf/bn2u0rtfdcpOerAub 0gYGzPcC9dzBM5OHZdo1wwmZu56jRpddmQ/nc94Wsmm7Nw2ibd9YZpU88LCqR7xa jsW+F/+napKvsBXqAHTlmJ87oJUSruYS+K/dKbGvCDIjBTjsNu3HqMNS5g4vG+GR MazlN8Vrg6zVx11ESzFiIJBAgLLNfRgXNFNSPY3NMuMYiS7q0QwGkQlWBb5bmiB8 FlP/B/8bn/171n5RfarG =mry5 -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Nov 5 00:43:39 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 9C6CA5C0; Wed, 5 Nov 2014 00:43:39 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 43BDBC41; Wed, 5 Nov 2014 00:43:38 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 2D1E6AF85; Wed, 5 Nov 2014 00:43:38 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 1218310F6; Wed, 5 Nov 2014 01:43:37 +0100 (CET) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20141105004337.1218310F6@nine.des.no> Date: Wed, 5 Nov 2014 01:43:37 +0100 (CET) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:25.setlogin X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 00:43:39 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:25.setlogin Security Advisory The FreeBSD Project Topic: Kernel stack disclosure in setlogin(2) / getlogin(2) Category: core Module: kernel Announced: 2014-11-04 Credits: Mateusz Guzik Affects: All supported versions of FreeBSD. Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE) 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1) 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1) 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3) 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) 2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE) 2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5) 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) 2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE) 2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19) CVE Name: CVE-2014-8476 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The setlogin(2) system call sets the login name of the user associated with the current session. The getlogin(2) routine returns the login name of the user associated with the current session, as previously set by setlogin(2). II. Problem Description When setlogin(2) is called while setting up a new login session, the login name is copied into an uninitialized stack buffer, which is then copied into a buffer of the same size in the session structure. The getlogin(2) system call returns the entire buffer rather than just the portion occupied by the login name associated with the session. III. Impact An unprivileged user can access this memory by calling getlogin(2) and reading beyond the terminating NUL character of the resulting string. Up to 16 (FreeBSD 8) or 32 (FreeBSD 9 and 10) bytes of kernel memory may be leaked in this manner for each invocation of setlogin(2). This memory may contain sensitive information, such as portions of the file cache or terminal buffers, which an attacker might leverage to obtain elevated privileges. IV. Workaround No workaround is available. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 9.1] # fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch # fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin-91.patch.asc # gpg --verify setlogin-91.patch.asc [All other versions] # fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch # fetch http://security.FreeBSD.org/patches/SA-14:25/setlogin.patch.asc # gpg --verify setlogin.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r274108 releng/8.4/ r274111 stable/9/ r274109 releng/9.1/ r274112 releng/9.2/ r274113 releng/9.3/ r274114 stable/10/ r274107 releng/10.0/ r274110 releng/10.1/ r274115 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnI0IP/RlwFhOJgr9CHdKg5SYsruSQ LG6z0ufgUETIkeXP1KGm6oYz0X8hpU2Q+MIE5urrPbGYL4Ouo/1oCiwGkBPh4xM/ L2Z/qIBxmfG/NaRK8PnGSXzlCc02XGnqf9Y6CJN1sIkwrptop02y9sgaLsqLy7K6 s/YvQ1fe5FT6TV9Nr9l6OwKkVAYa1Ba+JUnklVBWA2eZkLa6YOUlY25w9alqTMVQ Z4oaLHCnGradKdaKKk0NOOYv0ZGHjkp/Lwd9ja8wyW0K+R1aef9Z5tWloVWQBeJ8 gzxeA/JpfRtb0lYj2GIpny6znP/lzkEve42No6xDdmUr4Wp0b5hN2qGgwwgEFSIo 2kFVwMkRlK1JsD0U+VK8AxP4neJFECw3t0zWTUr3BMnxoOEG6O1nIU0T6Ru8/K0b aIc/G8TiOxOaXHuiWJhR1p9cblGlz7HnFSAmM6vN0O4DBcX7xwr/ndDl/6npvkmt biB+hXZK0Ega8X9LsZ5injDo0FZ4XNIyEOy4/QOeJW4kJQv0Oh14cYSU6cM/yfaU tJ7M6WYnFS8G+0e03auM1XVeu2oxyR0ry1IC7xS4O9N4m+8nE7DlRU8okhQRXiFB iCmzO1XmOTK0zygtS34bDaOuey3U0yFG4O5wMKrAkMeQ9jPogyt99ZzIk3L3UPqZ xcWRhKahyz9umrzsssOL =xiWR -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Nov 5 00:43:47 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 8D5A897E; Wed, 5 Nov 2014 00:43:47 +0000 (UTC) Received: from smtp.des.no (smtp.des.no [194.63.250.102]) by mx1.freebsd.org (Postfix) with ESMTP id 1EAE4C55; Wed, 5 Nov 2014 00:43:47 +0000 (UTC) Received: from nine.des.no (smtp.des.no [194.63.250.102]) by smtp-int.des.no (Postfix) with ESMTP id 73121AF89; Wed, 5 Nov 2014 00:43:46 +0000 (UTC) Received: by nine.des.no (Postfix, from userid 1001) id 500071101; Wed, 5 Nov 2014 01:43:45 +0100 (CET) From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Message-Id: <20141105004345.500071101@nine.des.no> Date: Wed, 5 Nov 2014 01:43:45 +0100 (CET) Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:26.ftp X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 05 Nov 2014 00:43:47 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:26.ftp Security Advisory The FreeBSD Project Topic: Remote command execution in ftp(1) Category: core Module: ftp Announced: 2014-11-04 Credits: Jared McNeill, Alistair Crooks Affects: All supported versions of FreeBSD. Corrected: 2014-11-04 23:29:57 UTC (stable/10, 10.1-PRERELEASE) 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC4-p1) 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC3-p1) 2014-11-04 23:34:46 UTC (releng/10.1, 10.1-RC2-p3) 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) 2014-11-04 23:30:47 UTC (stable/9, 9.3-STABLE) 2014-11-04 23:33:46 UTC (releng/9.3, 9.3-RELEASE-p5) 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) 2014-11-04 23:30:23 UTC (stable/8, 8.4-STABLE) 2014-11-04 23:32:15 UTC (releng/8.4, 8.4-RELEASE-p19) CVE Name: CVE-2014-8517 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ftp(1) userland utility is an interactive FTP client. It can also be used non-interactively, by providing a URL on the command line. In this mode, it supports HTTP in addition to FTP. II. Problem Description A malicious HTTP server could cause ftp(1) to execute arbitrary commands. III. Impact When operating on HTTP URIs, the ftp(1) client follows HTTP redirects, and uses the part of the path after the last '/' from the last resource it accesses as the output filename if '-o' is not specified. If the output file name provided by the server begins with a pipe ('|'), the output is passed to popen(3), which might be used to execute arbitrary commands on the ftp(1) client machine. IV. Workaround No workaround is available. Users are encouraged to replace ftp(1) in non-interactive use by either fetch(1) or a third-party client such as curl or wget. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 8] # fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch # fetch http://security.FreeBSD.org/patches/SA-14:26/ftp-8.patch.asc # gpg --verify ftp-8.patch.asc [All other versions] # fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch # fetch http://security.FreeBSD.org/patches/SA-14:26/ftp.patch.asc # gpg --verify ftp.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/patch c) Recompile ftp. Execute the following commands as root: # cd /usr/src/usr.bin/ftp # make && make install VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/8/ r274108 releng/8.4/ r274111 stable/9/ r274109 releng/9.1/ r274112 releng/9.2/ r274113 releng/9.3/ r274114 stable/10/ r274107 releng/10.0/ r274110 releng/10.1/ r274115 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUWWUQAAoJEO1n7NZdz2rnhUwP+wQKrgKs6lRk6Yl4UtRyEwyG BHGkA62oaQbehuccahjQgIcLTk3Vp3AalXtSQpdyWJktHiYrFwBnheW/IrhJ6bMS dpJv3yqqQtSED9sADf+GAvxV6TG9bknq/RDxXKpsQ/MocYbiVxz/3nDOMz9CB7ep saDttvGHW7RUmNoKL70pgItGapiVuBzMF01PCZ2SmFiJHYi7BoiJwm72Y1NLU8YE TkiX2ZAoTVMN5/R3DW38HyVCyeY2tMTHSdQXRSYjwzJ0gEbBPWMPQyB1SAa8dtk5 j54KFNOBoaXMjd3USqFgo0fduU3rGZp5PwITTx5Rx5Ixtz2vHddyOISV0RcjA0cq TWDwBGlKET7qZ1j7nHTgy4U4wMTWFbkjjqEY+RHYywaAmy8ACDmEUci8d3fWKWVY d4y8RCvBrlnFVjmNiNcBc5XFXxY0Ra3BQ8C/VE0k0ZFuzmFUCi+DJZDR2Gtl0R9Q 1hAdj+yOJo46ylHPiSyoBZmsRZccV1a81phOPe0mPR84BvzNvBsdI+EFIJWi+5bw bjuSM8YCOHrlGkqh9h9+BizvLfJFpjUSglwzPmOfRpTv59XJpc6D1Hia+uICTEfd lSiJgDZ6enozY7QVoiO7G/ycyQCVe7Ehwywx/dpWXVpva85tn4Xl2khBCiPNbBBo xnPjqxmwGK+4uegsO6CY =QT3h -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Thu Nov 6 23:48:57 2014 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 4F85A58F; Thu, 6 Nov 2014 23:48:57 +0000 (UTC) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:1900:2254:206c::16:87]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 3ADDA74; Thu, 6 Nov 2014 23:48:57 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.9/8.14.9) with ESMTP id sA6NmvQw073488; Thu, 6 Nov 2014 23:48:57 GMT (envelope-from security-advisories@freebsd.org) Received: (from delphij@localhost) by freefall.freebsd.org (8.14.9/8.14.9/Submit) id sA6NmvvK073486; Thu, 6 Nov 2014 23:48:57 GMT (envelope-from security-advisories@freebsd.org) Date: Thu, 6 Nov 2014 23:48:57 GMT Message-Id: <201411062348.sA6NmvvK073486@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: delphij set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Reply-To: freebsd-security@freebsd.org Precedence: bulk Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:24.sshd [REVISED] X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.18-1 List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 06 Nov 2014 23:48:57 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 ============================================================================= FreeBSD-SA-14:24.sshd Security Advisory The FreeBSD Project Topic: Denial of service attack against sshd(8) Category: contrib Module: openssh Announced: 2014-11-04 Credits: Konstantin Belousov Affects: FreeBSD 9.1, 9.2 and 10.0. Corrected: 2014-05-04 07:28:26 UTC (stable/10, 10.0-STABLE) 2014-11-04 23:31:17 UTC (releng/10.0, 10.0-RELEASE-p12) 2014-05-04 07:57:20 UTC (stable/9, 9.2-STABLE) 2014-11-04 23:33:17 UTC (releng/9.2, 9.2-RELEASE-p15) 2014-11-04 23:32:45 UTC (releng/9.1, 9.1-RELEASE-p22) CVE Name: CVE-2014-8475 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . 0. Revision History v1.0 2014-11-04 Initial release. v1.1 2014-11-06 Corrected "Credits" which was forgotten in the initial release, and corrected manual patch steps in "Solution" section. I. Background OpenSSH is an implementation of the SSH protocol suite, providing an encrypted and authenticated transport for a variety of services, including remote shell access. The sshd(8) daemon is the server side of OpenSSH. Heimdal is an implementation of Kerberos 5, which provides authentication and single sign-on capability for many network services, including OpenSSH. II. Problem Description Although OpenSSH is not multithreaded, when OpenSSH is compiled with Kerberos support, the Heimdal libraries bring in the POSIX thread library as a dependency. Due to incorrect library ordering while linking sshd(8), symbols in the C library which are shadowed by the POSIX thread library may not be resolved correctly at run time. Note that this problem is specific to the FreeBSD build system and does not affect other operating systems or the version of OpenSSH available from the FreeBSD ports tree. III. Impact An incorrectly linked sshd(8) child process may deadlock while handling an incoming connection. The connection may then time out or be interrupted by the client, leaving the deadlocked sshd(8) child process behind. Eventually, the sshd(8) parent process stops accepting new connections. An attacker may take advantage of this by repeatedly connecting and then dropping the connection after having begun, but not completed, the authentication process. IV. Workaround Possible workarounds include rebuilding sshd with Kerberos support disabled or installing the security/openssh-portable package from the FreeBSD ports tree or an official package repository. Systems that do not run an OpenSSH server are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. 2) To update your vulnerable system via a binary patch: Systems running a RELEASE version of FreeBSD on the i386 or amd64 platforms can be updated via the freebsd-update(8) utility: # freebsd-update fetch # freebsd-update install 3) To update your vulnerable system via a source code patch: The following patches have been verified to apply to the applicable FreeBSD release branches. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch # fetch http://security.FreeBSD.org/patches/SA-14:24/sshd.patch.asc # gpg --verify sshd.patch.asc b) Apply the patch. Execute the following commands as root: # cd /usr/src # patch < /path/to/sshd.patch c) Recompile sshd. Execute the following commands as root: # cd /usr/src/secure/usr.sbin/sshd # make clean # make obj && make depend && make && make install 4) Restart the affected service To restart the affected service after updating the system, either reboot the system or execute the following command as root: # service sshd restart VI. Correction details The following list contains the correction revision numbers for each affected branch. Branch/path Revision - ------------------------------------------------------------------------- stable/9/ r265314 releng/9.1/ r274112 releng/9.2/ r274113 stable/10/ r265313 releng/10.0/ r274110 - ------------------------------------------------------------------------- To see which files were modified by a particular revision, run the following command, replacing NNNNNN with the revision number, on a machine with Subversion installed: # svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base Or visit the following URL, replacing NNNNNN with the revision number: VII. References The latest revision of this advisory is available at -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUXASgAAoJEO1n7NZdz2rnWyAQALEtSzPI5tZFRI79lLO3c3yM 6i7l6eqI7xUgh22M3w7oEDGEB/g51BJC+5haM9+CfrHrXDKMF1L3vQ29SUT3tNd/ abFaG2DZW9EbmG0pTsJco+looPOSIwWuAthGQAEkAU2073iX2ldo7MUcUzhTHu8d 0lIIoruefY92e4datwhlJT+6LLnCphPX1vRlo8N9hZrB/LO5+e/1c6wSK4lgIxEc mMdoXx/heCtPiwL+O7iTqa2j4VzZDGy+v4jaFYIkI/WFvsYm+X+xzUxRiJIY+8o7 3LMtUSHXv+hlV8DVCjtbDevJt+h42K1CgL22vkgMvzyRMF8vM+Fk8Kvvfd3GL9d6 ZJGv1cNZarRwfbE5pB+4JaXHgFMj4lihmoJdKqgxYglMbrdtHZM4pzZ2xX0GlsPD Hf4f1r+DugPc43s7lU9zus75NaVh/DZnFEHCTV7qIo0DD4Ia+T5lZnyfjNvbY7W+ q3Yz+bn3Uq9VdWW1WRpvaFItRuVbJGhGSpcVWl+QJHg9+plnZ0RQMmalkIgP6LBd nhq5rWQlbwc3pM2RMefr29Yl3oCc5Ox/AUnV/DD+bEkFa61mlldtm2cRq3X6yaMW sXRJ22DDHP10aMzlq0MkIQcbrgycAnoj6WEGBinv+lqh8SxHTkNi3pRI1w5lSh+k 075uI0Ka6HINuYqtRUaI =C6El -----END PGP SIGNATURE-----