From owner-freebsd-announce@FreeBSD.ORG Wed Jan 6 22:54:18 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 981FA1065676; Wed, 6 Jan 2010 22:54:18 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6C50F8FC13; Wed, 6 Jan 2010 22:54:18 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id o06MsIf6088985; Wed, 6 Jan 2010 22:54:18 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id o06MsIo8088984; Wed, 6 Jan 2010 22:54:18 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Jan 2010 22:54:18 GMT Message-Id: <201001062254.o06MsIo8088984@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Errata Notices To: FreeBSD Errata Notices Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-10:01.freebsd X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-stable@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2010 22:54:18 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-EN-10:01.freebsd Errata Notice The FreeBSD Project Topic: Various FreeBSD 8.0-RELEASE improvements Category: core Module: kern Announced: 2010-01-06 Affects: FreeBSD 8.0-RELEASE. Corrected: 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2) For general information regarding FreeBSD Errata Notices and Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background Since FreeBSD 8.0 was released, several stability and performance problems have been identified. This Errata Notice describes several fixes judged to be of particular importance, but low risk, to users with specific workloads or using specific features that trigger these problems. Areas where problems are addressed include NFS, ZFS, Multicast networking, SCTP as well as the rename(2) syscall. II. Description * Slow NFS client reconnects when using TCP Under certain circumstances the NFS client can queue requests even though the remote server has initiated a connection shutdown. The deferred notice of the shutdown can cause slow reconnects against an NFS server that drops inactive connections. * Possible panics in ZFS Due to inadequate checks, attempts to modify a file on a read-only ZFS snapshot will lead to a 'dirtying snapshot' kernel panic. The system will also panic if ZFS is combined with a MAC policy supporting file system labeling (e.g., mac_biba(4) or mac_mls(4)). * Multicast regression and panic Multicast filtering may not pass incoming IGMP messages if the group has not been joined. User space routing daemons will therefore not see all IGMP control traffic. Further, the system will panic under certain circumstances in the IPv4 multicast forwarding path. * Panic when invalid SCTP message received during connection shutdown Receiving a specially crafted SCTP shutdown message with an invalid Transmission Sequence Number may cause the system to panic if there has been a valid association. * Panic caused by rename(2) If a path argument to the rename(2) syscall ends in '/.', insufficient checking will cause the system to panic. III. Solution Perform one of the following: 1) Upgrade your system to 8-STABLE, or to the RELENG_8_0 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 8.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/EN-10:01/nfsreconnect.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/nfsreconnect.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsvaccess.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsvaccess.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsmac.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/zfsmac.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/multicast.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/multicast.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/mcinit.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/mcinit.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/sctp.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/sctp.patch.asc # fetch http://security.FreeBSD.org/patches/EN-10:01/rename.patch # fetch http://security.FreeBSD.org/patches/EN-10:01/rename.patch.asc b) Apply the patches. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. IV. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - - ------------------------------------------------------------------------- RELENG_8_0 src/UPDATING 1.632.2.7.2.5 src/sys/conf/newvers.sh 1.83.2.6.2.5 src/sys/netinet/ip_mroute.c 1.155.2.1.2.2 src/sys/netinet/raw_ip.c 1.220.2.2.2.2 src/sys/netinet6/raw_ip6.c 1.111.2.1.2.2 src/sys/rpc/clnt_vc.c 1.8.2.2.2.2 src/sys/kern/vfs_lookup.c 1.132.2.1.2.2 src/sys/netinet/sctp_input.c 1.82.2.2.2.2 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_znode.c 1.24.2.2.2.1 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_vnops.c 1.46.2.7.2.1 src/sys/cddl/contrib/opensolaris/uts/common/sys/vnode.h 1.3.4.1.2.1 src/sys/cddl/compat/opensolaris/sys/vnode.h 1.12.2.2.2.2 - - ------------------------------------------------------------------------- Subversion: Branch/path Revision - - ------------------------------------------------------------------------- releng/8.0/ r201679 - - ------------------------------------------------------------------------- V. References The latest revision of this Errata Notice is available at http://security.FreeBSD.org/advisories/FreeBSD-EN-10:01.freebsd.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iD8DBQFLRRFQFdaIBMps37IRAuq9AJ9fq1708qfDgnyzuNRWnumiQhJD2gCcDqWd AyQA3ZdKXci6S8d9UauJFw4= =NwGp -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Jan 6 22:54:51 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 1D98E10656A6; Wed, 6 Jan 2010 22:54:51 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 0A2128FC0C; Wed, 6 Jan 2010 22:54:51 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id o06Msoni089041; Wed, 6 Jan 2010 22:54:50 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id o06Msord089040; Wed, 6 Jan 2010 22:54:50 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Jan 2010 22:54:50 GMT Message-Id: <201001062254.o06Msord089040@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:01.bind X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2010 22:54:51 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-10:01.bind Security Advisory The FreeBSD Project Topic: BIND named(8) cache poisoning with DNSSEC validation Category: contrib Module: bind Announced: 2010-01-06 Credits: Michael Sinatra Affects: All supported versions of FreeBSD. Corrected: 2009-12-11 01:23:58 UTC (RELENG_8, 8.0-STABLE) 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2) 2009-12-11 02:23:04 UTC (RELENG_7, 7.2-STABLE) 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6) 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10) 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE) 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9) 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15) CVE Name: CVE-2009-4022 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background BIND 9 is an implementation of the Domain Name System (DNS) protocols. The named(8) daemon is an Internet Domain Name Server. DNS Security Extensions (DNSSEC) provides data integrity, origin authentication and authenticated denial of existence to resolvers. II. Problem Description If a client requests DNSSEC records with the Checking Disabled (CD) flag set, BIND may cache the unvalidated responses. These responses may later be returned to another client that has not set the CD flag. III. Impact If a client can send such queries to a server, it can exploit this problem to mount a cache poisoning attack, seeding the cache with unvalidated information. IV. Workaround Disabling DNSSEC validation will prevent BIND from caching unvalidated records, but also prevent DNSSEC authentication of records. Systems not using DNSSEC validation are not affected. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1, 7.2, and 8.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 6.3] # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-63.patch.asc [FreeBSD 6.4] # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-64.patch.asc [FreeBSD 7.1] # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-71.patch.asc [FreeBSD 7.2] # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-72.patch.asc [FreeBSD 8.0] # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch # fetch http://security.FreeBSD.org/patches/SA-10:01/bind9-80.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/lib/bind # make obj && make depend && make && make install # cd /usr/src/usr.sbin/named # make obj && make depend && make && make install # /etc/rc.d/named restart NOTE WELL: Users running FreeBSD 6 and using DNSSEC are advised to get a more recent BIND version with more complete DNSSEC support. This can be done either by upgrading to FreeBSD 7.x or later, or installing BIND for the FreeBSD Ports Collection. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.4 src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.2 src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.11 src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.3 src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.6 src/contrib/bind9/bin/named/query.c 1.1.1.1.4.7 RELENG_6_4 src/UPDATING 1.416.2.40.2.13 src/sys/conf/newvers.sh 1.69.2.18.2.15 src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.3.2.1 src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.4.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.9.2.1 src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.4.1 src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.4.2.1 src/contrib/bind9/bin/named/query.c 1.1.1.1.4.5.2.1 RELENG_6_3 src/UPDATING 1.416.2.37.2.20 src/sys/conf/newvers.sh 1.69.2.15.2.19 src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.1.4.2.2.1 src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.1.4.1.2.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.6.2.2 src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.1.2.1 src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.3.2.1 src/contrib/bind9/bin/named/query.c 1.1.1.1.4.4.2.1 RELENG_7 src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.4 src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.2.2 src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.6 src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.3 src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.5 src/contrib/bind9/bin/named/query.c 1.1.1.6.2.4 RELENG_7_2 src/UPDATING 1.507.2.23.2.9 src/sys/conf/newvers.sh 1.72.2.11.2.10 src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.2.2.1 src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.8.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.4.2.1 src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.1.2.1 src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.3.2.1 src/contrib/bind9/bin/named/query.c 1.1.1.6.2.2.2.1 RELENG_7_1 src/UPDATING 1.507.2.13.2.13 src/sys/conf/newvers.sh 1.72.2.9.2.14 src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.1.4.1 src/contrib/bind9/lib/dns/include/dns/types.h 1.1.1.3.6.1 src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.3.2.1 src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.6.1 src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.1.4.1 src/contrib/bind9/bin/named/query.c 1.1.1.6.2.1.4.1 RELENG_8 src/contrib/bind9/lib/dns/rbtdb.c 1.3.2.2 src/contrib/bind9/lib/dns/include/dns/types.h 1.2.2.2 src/contrib/bind9/lib/dns/resolver.c 1.6.2.2 src/contrib/bind9/lib/dns/masterdump.c 1.3.2.2 src/contrib/bind9/lib/dns/validator.c 1.4.2.2 src/contrib/bind9/bin/named/query.c 1.3.2.2 RELENG_8_0 src/UPDATING 1.632.2.7.2.5 src/sys/conf/newvers.sh 1.83.2.6.2.5 src/contrib/bind9/lib/dns/rbtdb.c 1.3.4.1 src/contrib/bind9/lib/dns/include/dns/types.h 1.2.4.1 src/contrib/bind9/lib/dns/resolver.c 1.6.4.1 src/contrib/bind9/lib/dns/masterdump.c 1.3.4.1 src/contrib/bind9/lib/dns/validator.c 1.4.4.1 src/contrib/bind9/bin/named/query.c 1.3.4.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/6/ r200394 releng/6.4/ r201679 releng/6.3/ r201679 stable/7/ r200393 releng/7.2/ r201679 releng/7.1/ r201679 stable/8/ r200383 releng/8.0/ r201679 head/ r199958 - ------------------------------------------------------------------------- VII. References https://www.isc.org/node/504 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4022 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-10:01.bind.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iD8DBQFLRQ9dFdaIBMps37IRAip+AJ0S55AYqLsrwrLLMo8Qi6fGxoH7EQCfU/6K RUb5Kn+O1qc/FUzEQ12AmrA= =Pfoo -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Jan 6 22:55:36 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8160010657C6; Wed, 6 Jan 2010 22:55:36 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 6EBAD8FC1D; Wed, 6 Jan 2010 22:55:36 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id o06MtamA089117; Wed, 6 Jan 2010 22:55:36 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id o06MtanW089116; Wed, 6 Jan 2010 22:55:36 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Jan 2010 22:55:36 GMT Message-Id: <201001062255.o06MtanW089116@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:02.ntpd X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2010 22:55:36 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-10:02.ntpd Security Advisory The FreeBSD Project Topic: ntpd mode 7 denial of service Category: contrib Module: ntpd Announced: 2010-01-06 Affects: All supported versions of FreeBSD. Corrected: 2010-01-06 21:45:30 UTC (RELENG_8, 8.0-STABLE) 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2) 2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE) 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6) 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10) 2010-01-06 21:45:30 UTC (RELENG_6, 6.4-STABLE) 2010-01-06 21:45:30 UTC (RELENG_6_4, 6.4-RELEASE-p9) 2010-01-06 21:45:30 UTC (RELENG_6_3, 6.3-RELEASE-p15) CVE Name: CVE-2009-3563 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP) used to synchronize the time of a computer system to a reference time source. II. Problem Description If ntpd receives a mode 7 (MODE_PRIVATE) request or error response from a source address not listed in either a 'restrict ... noquery' or a 'restrict ... ignore' section it will log the even and send a mode 7 error response. III. Impact If an attacker can spoof such a packet from a source IP of an affected ntpd to the same or a different affected ntpd, the host(s) will endlessly send error responses to each other and log each event, consuming network bandwidth, CPU and possibly disk space. IV. Workaround Proper filtering of mode 7 NTP packets by a firewall can limit the number of systems used to attack your resources. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 6-STABLE, 7-STABLE or 8-STABLE, or to the RELENG_8_0, RELENG_7_2, RELENG_7_1, RELENG_6_4, or RELENG_6_3 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 6.3, 6.4, 7.1, 7.2, and 8.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. # fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch # fetch http://security.FreeBSD.org/patches/SA-10:02/ntpd.patch.asc b) Execute the following commands as root: # cd /usr/src # patch < /path/to/patch # cd /usr/src/usr.sbin/ntp/ntpd # make obj && make depend && make && make install # /etc/rc.d/ntpd restart VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_6 src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.8.2 RELENG_6_4 src/UPDATING 1.416.2.40.2.13 src/sys/conf/newvers.sh 1.69.2.18.2.15 src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.8.1.2.1 RELENG_6_3 src/UPDATING 1.416.2.37.2.20 src/sys/conf/newvers.sh 1.69.2.15.2.19 src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.20.1 RELENG_7 src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.18.2 RELENG_7_2 src/UPDATING 1.507.2.23.2.9 src/sys/conf/newvers.sh 1.72.2.11.2.10 src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.18.1.4.1 RELENG_7_1 src/UPDATING 1.507.2.13.2.13 src/sys/conf/newvers.sh 1.72.2.9.2.14 src/contrib/ntp/ntpd/ntp_request.c 1.1.1.4.18.1.2.1 RELENG_8 src/contrib/ntp/ntpd/ntp_request.c 1.2.2.1 RELENG_8_0 src/UPDATING 1.632.2.7.2.5 src/sys/conf/newvers.sh 1.83.2.6.2.5 src/contrib/ntp/ntpd/ntp_request.c 1.2.4.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/6/ r201679 releng/6.4/ r201679 releng/6.3/ r201679 stable/7/ r201679 releng/7.2/ r201679 releng/7.1/ r201679 stable/8/ r201679 releng/8.0/ r201679 head/ r200576 - ------------------------------------------------------------------------- VII. References http://support.ntp.org/bin/view/Main/SecurityNotice#DoS_attack_from_certain_NTP_mode https://support.ntp.org/bugs/show_bug.cgi?id=1331 http://www.kb.cert.org/vuls/id/568372 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3563 The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-10:02.ntpd.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iD8DBQFLRQ9gFdaIBMps37IRAuH1AJ9eOII8McK5332jhuBHEMxAUbWKNQCghYfs y66+ElAr2uZrrXwerlVETPc= =yJm1 -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Wed Jan 6 22:55:56 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id A8BCD1065A82; Wed, 6 Jan 2010 22:55:56 +0000 (UTC) (envelope-from security-advisories@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 962CD8FC15; Wed, 6 Jan 2010 22:55:56 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id o06MtuD3089183; Wed, 6 Jan 2010 22:55:56 GMT (envelope-from security-advisories@freebsd.org) Received: (from simon@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id o06MtuDW089182; Wed, 6 Jan 2010 22:55:56 GMT (envelope-from security-advisories@freebsd.org) Date: Wed, 6 Jan 2010 22:55:56 GMT Message-Id: <201001062255.o06MtuDW089182@freefall.freebsd.org> X-Authentication-Warning: freefall.freebsd.org: simon set sender to security-advisories@freebsd.org using -f From: FreeBSD Security Advisories To: FreeBSD Security Advisories Precedence: bulk Cc: Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-10:03.zfs X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Reply-To: freebsd-security@freebsd.org List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 06 Jan 2010 22:55:56 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-10:03.zfs Security Advisory The FreeBSD Project Topic: ZFS ZIL playback with insecure permissions Category: contrib Module: zfs Announced: 2010-01-06 Credits: Pawel Jakub Dawidek Affects: FreeBSD 7.0 and later. Corrected: 2009-11-14 11:59:59 UTC (RELENG_8, 8.0-STABLE) 2010-01-06 21:45:30 UTC (RELENG_8_0, 8.0-RELEASE-p2) 2010-01-06 21:45:30 UTC (RELENG_7, 7.2-STABLE) 2010-01-06 21:45:30 UTC (RELENG_7_2, 7.2-RELEASE-p6) 2010-01-06 21:45:30 UTC (RELENG_7_1, 7.1-RELEASE-p10) For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the following sections, please visit . I. Background ZFS is a file-system originally developed by Sun Microsystems. The ZFS Intent Log ("ZIL") is a mechanism that gathers together in memory transactions of writes, and is flushed onto disk when synchronous semantics is necessary. In the event of crash or power failure, the log is examined and the uncommitted transaction would be replayed to maintain the synchronous semantics. II. Problem Description When replaying setattr transaction, the replay code would set the attributes with certain insecure defaults, when the logged transaction did not touch these attributes. III. Impact A system crash or power fail would leave some file with mode set to 07777. This could leak sensitive information or cause privilege escalation. IV. Workaround No workaround is available, but systems not using ZFS are not vulnerable. V. Solution Perform one of the following: 1) Upgrade your vulnerable system to 7-STABLE or 8-STABLE, or to the RELENG_8_0, RELENG_7_2, or RELENG_7_1 security branch dated after the correction date. 2) To patch your present system: The following patches have been verified to apply to FreeBSD 7.1, 7.2, and 8.0 systems. a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility. [FreeBSD 7.x] # fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch # fetch http://security.FreeBSD.org/patches/SA-10:03/zfs712.patch.asc [FreeBSD 8.0] # fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch # fetch http://security.FreeBSD.org/patches/SA-10:03/zfs.patch.asc b) Apply the patch. # cd /usr/src # patch < /path/to/patch c) Recompile your kernel as described in and reboot the system. 3) Examine the system and look for affected files. These files can be identified with the following command: # find / -perm -7777 -print0 | xargs -0 ls -ld The system administrator will have to correct these problems if there is any files with such permission modes. For example: # find / -perm -7777 -print0 | xargs -0 chmod u=rwx,go= Will reset access mode bits to be readable, writable and executable by the owner only. The system administrator should determine the appropriate mode bits wisely. VI. Correction details The following list contains the revision numbers of each file that was corrected in FreeBSD. CVS: Branch Revision Path - ------------------------------------------------------------------------- RELENG_7 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.6.2.3 RELENG_7_2 src/UPDATING 1.507.2.23.2.9 src/sys/conf/newvers.sh 1.72.2.11.2.10 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.6.2.1.4.1 RELENG_7_1 src/UPDATING 1.507.2.13.2.13 src/sys/conf/newvers.sh 1.72.2.9.2.14 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.6.2.1.2.1 RELENG_8 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.8.2.2 RELENG_8_0 src/UPDATING 1.632.2.7.2.5 src/sys/conf/newvers.sh 1.83.2.6.2.5 src/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_replay.c 1.8.4.1 - ------------------------------------------------------------------------- Subversion: Branch/path Revision - ------------------------------------------------------------------------- stable/7/ r201679 releng/7.2/ r201679 releng/7.1/ r201679 stable/8/ r199266 releng/8.0/ r201679 head/ r199157 - ------------------------------------------------------------------------- VII. References The latest revision of this advisory is available at http://security.FreeBSD.org/advisories/FreeBSD-SA-10:03.zfs.asc -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (FreeBSD) iD8DBQFLRRILFdaIBMps37IRAnI3AJ9ioK1Bbg++DpPYW/RX9wnujAeJxACff+Ph oEIfaiJ5y/DoGhklcAJdXTU= =JPje -----END PGP SIGNATURE----- From owner-freebsd-announce@FreeBSD.ORG Fri Jan 8 14:17:58 2010 Return-Path: Delivered-To: announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7EDC41065670 for ; Fri, 8 Jan 2010 14:17:58 +0000 (UTC) (envelope-from michal.gladecki@software.com.pl) Received: from mail-fx0-f227.google.com (mail-fx0-f227.google.com [209.85.220.227]) by mx1.freebsd.org (Postfix) with ESMTP id 1054D8FC12 for ; Fri, 8 Jan 2010 14:17:57 +0000 (UTC) Received: by fxm27 with SMTP id 27so4703182fxm.3 for ; Fri, 08 Jan 2010 06:17:51 -0800 (PST) Received: by 10.223.74.144 with SMTP id u16mr4171653faj.21.1262958955970; Fri, 08 Jan 2010 05:55:55 -0800 (PST) Received: from ?10.10.20.106? (ns.software.com.pl [62.111.243.82]) by mx.google.com with ESMTPS id 16sm8250438fxm.8.2010.01.08.05.55.55 (version=SSLv3 cipher=RC4-MD5); Fri, 08 Jan 2010 05:55:55 -0800 (PST) Message-ID: <4B4739C8.3060702@software.com.pl> Date: Fri, 08 Jan 2010 14:57:28 +0100 From: Michal Gladecki User-Agent: Thunderbird 2.0.0.19 (X11/20090105) MIME-Version: 1.0 To: announce@FreeBSD.org Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Fri, 08 Jan 2010 14:21:29 +0000 Cc: Subject: [FreeBSD-Announce] BSD Magazine goes free! X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jan 2010 14:17:58 -0000 Hello everyone! We are happy to announce that BSD Magazine is transforming into a free monthly online publication. The online version of BSD Magazine will stay in the same quality and form. It will look like the BSD magazine one is familiar and comfortable with. Please sign up to our newsletter at www.bsdmag.org and get every issue straight to your inbox. Also, you can now download any of the previous issues from our website. The first online issue -- 2/2010 -- is coming out in February. Please spread the word about BSD Magazine. Best regards, Michal Gladecki, Editor-in-Chief of BSD Magazine From owner-freebsd-announce@FreeBSD.ORG Fri Jan 8 17:38:08 2010 Return-Path: Delivered-To: freebsd-announce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 8E4691065670 for ; Fri, 8 Jan 2010 17:38:08 +0000 (UTC) (envelope-from deb@freebsd.org) Received: from aslan.scsiguy.com (ns1.scsiguy.com [70.89.174.89]) by mx1.freebsd.org (Postfix) with ESMTP id 3E2068FC14 for ; Fri, 8 Jan 2010 17:38:08 +0000 (UTC) Received: from [192.168.16.102] (c-71-196-155-13.hsd1.co.comcast.net [71.196.155.13]) (authenticated bits=0) by aslan.scsiguy.com (8.14.3/8.14.3) with ESMTP id o08Hc6di046857 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO) for ; Fri, 8 Jan 2010 10:38:07 -0700 (MST) (envelope-from deb@freebsd.org) Message-ID: <4B476D60.5000901@freebsd.org> Date: Fri, 08 Jan 2010 10:37:36 -0700 From: Deb Goodkin User-Agent: Thunderbird 2.0.0.23 (Windows/20090812) MIME-Version: 1.0 To: freebsd-announce@freebsd.org Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit X-Mailman-Approved-At: Fri, 08 Jan 2010 17:46:59 +0000 Subject: [FreeBSD-Announce] Accepting Travel Grant Applications for AsiaBSDCon 2010 X-BeenThere: freebsd-announce@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Project Announcements \[moderated\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 08 Jan 2010 17:38:08 -0000 Calling all FreeBSD developers needing assistance with travel expenses to AsiaBSDCon 2010. The FreeBSD Foundation will be providing a limited number of travel grants to individuals requesting assistance. Please fill out and submit the Travel Grant Request Application at http://www.freebsdfoundation.org/documents/TravelRequestForm.pdf by January 29, 2010 to apply for this grant. How it works: This program is open to FreeBSD developers of all sorts (kernel hackers, documentation authors, bugbusters, system administrators, etc). In some cases we are also able to fund non-developers, such as active community members and FreeBSD advocates. (1) You request funding based on a realistic and economical estimate of travel costs (economy airfare, trainfare, ...), accommodations (conference hotel and sharing a room), and registration or tutorial fees. If there are other sponsors willing to cover costs, such as your employer or the conference, we prefer you talk to them first, as our budget is limited. We are happy to split costs with you or another sponsor, such as just covering airfare or board. If you are a speaker at the conference, we expect the conference to cover your travel costs, and will most likely not approve your direct request to us. (2) We review your application and if approved, authorize you to seek reimbursement up to a limit. We consider several factors, including our overall and per-event budgets, and (quite importantly) the benefit to the community by funding your travel. Most rejected applications are rejected because of an over-all limit on travel budget for the event or year, due to unrealistic or uneconomical costing, or because there is an unclear or unconvincing argument that funding the applicant will directly benefit the FreeBSD Project. Please take these points into consideration when writing your application. (3) We reimburse costs based on actuals (receipts), and by check or bank transfer. And, we do not cover your costs if you end up having to cancel your trip. We require you to submit a report on your trip, which we may show to current or potential sponsors, and may include in our semi-annual newsletter. There's some flexibility in the mechanism, so talk to us if something about the model doesn't quite work for you or if you have any questions. The travel grant program is one of the most effective ways we can spend money to help support the FreeBSD Project, as it helps developers get together in the same place at the same time, and helps advertise and advocate FreeBSD in the larger community. Thank You, The FreeBSD Foundation