From owner-freebsd-security-notifications Mon Mar 12 15:31:43 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id 4C60137B718; Mon, 12 Mar 2001 15:31:39 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2CNVdI26137;
    Mon, 12 Mar 2001 15:31:39 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:31:39 -0800 (PST)
Message-Id: <200103122331.f2CNVdI26137@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:23.icecast
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:23                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          icecast port contains remote vulnerability

Category:       ports
Module:         icecast
Announced:      2001-03-12
Credits:        |CyRaX|
Affects:        Ports collection prior to the correction date.
Corrected:      2001-03-10
Vendor status:  Unresponsive
FreeBSD only:   NO

I.   Background

icecast is a server for streaming MP3 audio.

II.  Problem Description

The icecast software, versions prior to 1.3.7_1, contains multiple
format string vulnerabilities, which allow a remote attacker to
execute arbitrary code as the user running icecast, usually the root
user. There are a number of other potential abuses of format strings
which may or may not pose security risks, but have not currently been
audited.

The icecast port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute arbitrary code on the local system
as the user running icecast, usually the root user.

If you have not chosen to install the icecast port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

Deinstall the icecast port/package, if you have installed it.

V.   Solution

Consider running the icecast software as a non-privileged user to
minimize the impact of further security vulnerabilities in this
software.

To upgrade icecast, choose one of the following options:

1) Upgrade your entire ports collection and rebuild the icecast port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/audio/icecast-1.3.7_1.tgz

NOTE: It may be several days before updated packages are available

[alpha]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/audio/icecast-1.3.7_1.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/audio/icecast-1.3.7_1.tgz

3) download a new port skeleton for the icecast port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above.
The portcheckout port is available in /usr/ports/devel/portcheckout or
the package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security-notifications" in the body of the message

From owner-freebsd-security-notifications Mon Mar 12 15:35: 0 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id F195437B72B; Mon, 12 Mar 2001 15:34:54 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2CNYsG26356;
    Mon, 12 Mar 2001 15:34:54 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:34:54 -0800 (PST)
Message-Id: <200103122334.f2CNYsG26356@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:26.interbase
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:26                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          interbase contains remote backdoor

Category:       ports
Module:         interbase
Announced:      2001-03-12
Credits:        Firebird project
Affects:        Ports collection prior to the correction date.
Corrected:      See below.
Vendor status:  No update released
FreeBSD only:   NO

I.   Background

Interbase is a SQL database server from Borland.

II.  Problem Description

The interbase software contains a remote backdoor account, which was
apparently introduced by the vendor in 1992. The interbase source
code has recently been released and is the basis for a derivative
project called firebird, who are credited with discovering the
vulnerability.

The backdoor account has full read and write access to databases
stored on the server, and also gives the ability to write to arbitrary
files on the server as the user running the interbase server (usually
user root). Remote attackers may connect to the database on TCP port
3050.

The interbase port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Remote users who can connect to the interbase database server can
obtain full access to all databases using a backdoor account built
into the server itself. This account cannot be disabled.

If you have not chosen to install the interbase port/package, then
your system is not vulnerable to this problem.

IV.  Workaround

1) Deinstall the interbase port/package, if you have installed it.

2) Use packet filters on your perimeter firewalls, or ipfw(8)/ipf(8)
on the interbase server to prevent connections from untrusted systems
to TCP port 3050 on the interbase server. Note that local users, or
arbitrary users on systems permitted to connect to the TCP port can
still access the backdoor account.

3) Migrate to the firebird database, which is an open-source
derivative of the interbase software which does not contain the
backdoor account.

V.   Solution

The FreeBSD port of interbase is not provided by Borland -- it is
provided in binary form from Rios Corporation -- and there does not
appear to be a patch available for the security vulnerability.
Therefore there is currently no complete solution to this security
vulnerability; see the previous section for possible workarounds.

From owner-freebsd-security-notifications Mon Mar 12 15:37:58 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id 5651F37B71C; Mon, 12 Mar 2001 15:37:53 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2CNbrV26867;
    Mon, 12 Mar 2001 15:37:53 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:37:53 -0800 (PST)
Message-Id: <200103122337.f2CNbrV26867@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Ports Security Advisory FreeBSD-SA-01:27.cfengine
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:27                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          cfengine port contains remote root vulnerability

Category:       ports
Module:         cfengine
Announced:      2001-03-12
Credits:        Pekka Savola
Affects:        Ports collection prior to the correction date.
Corrected:      2001-01-21
Vendor status:  Updated version released
FreeBSD only:   NO

I.   Background

cfengine is a system for automating the configuration and maintenance
of large networks.

II.  Problem Description

The cfengine port, versions prior to 1.6.1, contained several format
string vulnerabilities which allow a remote attacker to execute
arbitrary code on the local system as the user running cfengine,
usually user root.

The cfengine port is not installed by default, nor is it "part of
FreeBSD" as such: it is part of the FreeBSD ports collection, which
contains nearly 4700 third-party applications in a ready-to-install
format. The ports collections shipped with FreeBSD 3.5.1 and 4.2
contain this problem since it was discovered after the releases.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Arbitrary remote users can execute code on the local system as the
user running cfengine, usually user root.

If you have not chosen to install the cfengine port/package, then your
system is not vulnerable to this problem.

IV.  Workaround

One of the following:

1) Deinstall the cfengine port/package, if you have installed it.

2) Implement access controls on connections to the cfengine server,
either at the application level using the cfengine configuration file,
or by using network-level packet filtering on the local system using
ipfw(8)/ipf(8), or on the perimeter firewalls.

V.   Solution

One of the following:

1) Upgrade your entire ports collection and rebuild the cfengine port.

2) Deinstall the old package and install a new package dated after the
correction date, obtained from:

[i386]
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/sysutils/cfengine-1.6.3.tar.gz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/sysutils/cfengine-1.6.3.tar.gz

[alpha]
Packages are not automatically generated for the alpha architecture at
this time due to lack of build resources.

3) download a new port skeleton for the cfengine port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

4) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-4-stable/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/i386/packages-5-current/devel/portcheckout-2.0.tgz
ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/alpha/packages-5-current/devel/portcheckout-2.0.tgz

From owner-freebsd-security-notifications Mon Mar 12 15:44: 3 2001
Delivered-To:
    freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id 5F2B137B718; Mon, 12 Mar 2001 15:44:00 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2CNi0527614;
    Mon, 12 Mar 2001 15:44:00 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:44:00 -0800 (PST)
Message-Id: <200103122344.f2CNi0527614@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:28.timed
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:28                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          timed allows remote denial of service

Category:       core
Module:         timed
Announced:      2001-03-12
Credits:        Discovered during internal source code auditing
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2001-03-10 (FreeBSD 3.5-STABLE)
                2001-01-07 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

timed(8) is a server for the Time Synchronisation Protocol, for
synchronising the system clocks of multiple clients.

II.  Problem Description

Malformed packets sent to the timed daemon could cause it to crash,
thereby denying service to clients if timed is not run under a
watchdog process which causes it to automatically restart in the event
of a failure. The timed daemon is not run in this way in the default
invocation from /etc/rc.conf using the timed_enable variable.

The timed daemon is not enabled by default, and its use is not
recommended (FreeBSD includes ntpd(8), the network time protocol
daemon, which provides superior functionality).

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configured to run timed. It was corrected
prior to the forthcoming release of FreeBSD 4.3.

III. Impact

Remote users can cause the timed daemon to crash, denying service to
clients.

IV.  Workaround

Implement packet filtering at perimeter firewalls or on the local
machine using ipfw(8)/ipf(8) to prevent untrusted users from
connecting to the timed service. The timed daemon listens on UDP port
525 by default.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:28/timed.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
FreeBSD 3.5.1-RELEASE. It may or may not apply to older releases.

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/timed/timed
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart timed to cause the changes to take effect. If you
have started timed with non-standard options (e.g. by setting
timed_flags in /etc/rc.conf) then the below command will need to be
modified appropriately.

# killall -KILL timed
# /usr/sbin/timed

From owner-freebsd-security-notifications Mon Mar 12 15:48: 4 2001
Delivered-To: freebsd-security-notifications@freebsd.org
Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21])
    by hub.freebsd.org (Postfix) with ESMTP
    id C5E0237B721; Mon, 12 Mar 2001 15:47:59 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Received: (from kris@localhost)
    by freefall.freebsd.org (8.11.1/8.11.1) id f2CNlxT28110;
    Mon, 12 Mar 2001 15:47:59 -0800 (PST)
    (envelope-from security-advisories@FreeBSD.org)
Date: Mon, 12 Mar 2001 15:47:59 -0800 (PST)
Message-Id: <200103122347.f2CNlxT28110@freefall.freebsd.org>
X-Authentication-Warning: freefall.freebsd.org: kris set sender to security-advisories@FreeBSD.org using -f
From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Subject: FreeBSD Security Advisory FreeBSD-SA-01:29.rwhod
Sender: owner-freebsd-security-notifications@FreeBSD.ORG
Precedence: bulk
Reply-To: postmaster@freebsd.org
X-Loop: FreeBSD.org

=============================================================================
FreeBSD-SA-01:29                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          rwhod allows remote denial of service

Category:       core
Module:         rwhod
Announced:      2001-03-12
Credits:        Mark Huizer
Affects:        All released versions of FreeBSD 3.x, 4.x.
                FreeBSD 3.5-STABLE prior to the correction date.
                FreeBSD 4.2-STABLE prior to the correction date.
Corrected:      2000-12-23 (FreeBSD 3.5-STABLE)
                2000-12-22 (FreeBSD 4.2-STABLE)
FreeBSD only:   NO

I.   Background

rwhod(8) is a server which implements the rwho protocol, which
communicates information on system uptime and logged-in users between
machines on a network.

II.  Problem Description

Malformed packets sent to the rwhod daemon could cause it to crash,
thereby denying service to clients if rwhod is not run under a
watchdog process which causes it to automatically restart in the event
of a failure. The rwhod daemon is not run in this way in the default
invocation from /etc/rc.conf using the rwhod_enable variable.

All versions of FreeBSD 3.x and 4.x prior to the correction date
including 3.5.1-RELEASE and 4.2-RELEASE are vulnerable to this
problem, if they have been configured to run rwhod (this is not
enabled by default).

III. Impact

Remote users can cause the rwhod daemon to crash, denying service to
clients.

IV.  Workaround

Implement packet filtering at perimeter firewalls or on the local
machine using ipfw(8)/ipf(8) to prevent untrusted users from
connecting to the rwhod service. The rwhod daemon listens on UDP port
513 by default.

V.   Solution

Upgrade your vulnerable FreeBSD system to 3.5-STABLE or 4.2-STABLE
after the respective correction dates.

To patch your present system: download the relevant patch from the
below location, and execute the following commands as root:

# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-01:29/rwhod.patch.asc

This patch has been verified to apply to FreeBSD 4.2-RELEASE and
FreeBSD 3.5.1-RELEASE. It may or may not apply to older releases.

Verify the detached PGP signature using your PGP utility.

# cd /usr/src/usr.sbin/rwhod
# patch -p < /path/to/patch
# make depend && make all install

Kill and restart rwhod to cause the changes to take effect. If you
have started rwhod with non-standard options (e.g. by setting
rwhod_flags in /etc/rc.conf) then the below command will need to be
modified appropriately.

# killall -KILL rwhod
# /usr/sbin/rwhod
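
FreeBSD-SA-01:23 (icecast) and FreeBSD-SA-01:27 (cfengine) above both report format string vulnerabilities. The C below is an added illustration of that bug class, not code from icecast, cfengine or the advisories. It shows the unsafe call beside the constant-format fix, plus a scanner that flags conversion specifications in client-supplied strings. The function names and the sample inputs are hypothetical.

```c
/* Added illustration of the format string bug class; not code from icecast,
 * cfengine or FreeBSD. All function names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* VULNERABLE: the client-supplied string is used as the format itself, so
 * every conversion in it is interpreted against arguments that were never
 * passed. The pragmas only silence the warning compilers raise here. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
int log_request_vulnerable(char *out, size_t outlen, const char *client)
{
    return snprintf(out, outlen, client);
}
#pragma GCC diagnostic pop

/* FIXED: the format is a constant; client data is only ever an argument. */
int log_request_safe(char *out, size_t outlen, const char *client)
{
    return snprintf(out, outlen, "client said: %s", client);
}

/* Count printf conversion specifications in an untrusted string so that
 * suspicious input can be flagged. "%%" is a literal percent sign and is
 * not counted; *writes is set to 1 if a %n (memory write) is present. */
int count_conversions(const char *s, int *writes)
{
    int count = 0;

    *writes = 0;
    while (*s != '\0') {
        if (*s++ != '%')
            continue;
        if (*s == '%') {                 /* "%%": literal percent */
            s++;
            continue;
        }
        s += strspn(s, "-+ #0123456789.*$hlLqjzt"); /* flags/width/length */
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s) != NULL) {
            count++;
            if (*s == 'n')
                *writes = 1;
            s++;
        }
    }
    return count;
}

int main(void)
{
    char buf[128];
    int writes, n;
    const char *benign = "hello";          /* constructed sample input */
    const char *hostile = "%x %08x %n";    /* constructed sample input */

    log_request_vulnerable(buf, sizeof(buf), benign); /* benign input only */
    printf("vulnerable(benign): %s\n", buf);
    log_request_safe(buf, sizeof(buf), hostile);
    printf("safe(hostile):      %s\n", buf);
    n = count_conversions(hostile, &writes);
    printf("conversions in hostile input: %d (writes=%d)\n", n, writes);
    return 0;
}
```

Building without the pragmas and with -Wformat -Wformat-security makes GCC and Clang report the vulnerable call at compile time.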