From: Deb Goodkin
To: freebsd-announce@freebsd.org
Date: Mon, 22 Dec 2014 14:55:06 -0700
Subject: [FreeBSD-Announce] FreeBSD Foundation 2014 Semi-Annual Newsletter!

Dear FreeBSD Community,

As 2014 comes to an end, we wanted to share with you what we did this year to support the FreeBSD Project and community. In our December Newsletter, https://www.freebsdfoundation.org/press/2014dec-newsletter.html, you'll get a summary of all the FreeBSD development work we've supported; highlights of all the conferences that we sponsored and attended; plans for the FreeBSD Journal in 2015; a great testimonial from a commercial user; and our Q1-Q3 financial reports. And, the insightful and always inspirational letter from our president and founder, Justin Gibbs.

We're also in the home stretch of our year-end fundraising drive. Thank you to everyone who helped us pass the halfway point towards our goal of expanding our donor base to 2000 community investors. It's because of your generosity that we're able to do all of the wonderful things you see in our latest newsletter. You can find more information on how your gifts directly impact the FreeBSD community in our Annual Appeal at http://freebsdfoundation.blogspot.com/2014/12/freebsd-foundation-2014-year-end.html. Please consider making a donation today, to help us continue and increase our support for the FreeBSD Project and community worldwide! Go here to make a donation: http://www.freebsdfoundation.org/donate/

Thank you for your continued support!
The FreeBSD Foundation

From: FreeBSD Security Advisories
To: FreeBSD Security Advisories
Reply-To: freebsd-security@freebsd.org
Date: Wed, 24 Dec 2014 00:33:09 +0100 (CET)
Subject: [FreeBSD-Announce] FreeBSD Security Advisory FreeBSD-SA-14:31.ntp

=============================================================================
FreeBSD-SA-14:31.ntp                                        Security Advisory
                                                          The FreeBSD Project

Topic:          Multiple vulnerabilities in NTP suite

Category:       contrib
Module:         ntp
Announced:      2014-12-23
Affects:        All supported versions of FreeBSD.
Corrected:      2014-14-22 19:07:16 UTC (stable/10, 10.1-STABLE)
                2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
                2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
                2014-14-22 19:08:09 UTC (stable/9, 9.3-STABLE)
                2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
                2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
                2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
                2014-14-22 19:08:09 UTC (stable/8, 8.4-STABLE)
                2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)
CVE Name:       CVE-2014-9293, CVE-2014-9294, CVE-2014-9295, CVE-2014-9296

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit .

I.   Background

The ntpd(8) daemon is an implementation of the Network Time Protocol (NTP)
used to synchronize the time of a computer system to a reference time
source.

II.  Problem Description

When no authentication key is set in the configuration file, ntpd(8) would
generate a random key that uses a non-linear additive feedback random
number generator seeded with very few bits of entropy. [CVE-2014-9293]

The ntp-keygen(8) utility is also affected by a similar issue.
[CVE-2014-9294]

When Autokey Authentication is enabled, for example if ntp.conf(5) contains
a 'crypto pw' directive, a remote attacker can send a carefully crafted
packet that can overflow a stack buffer. [CVE-2014-9295]

In ntp_proto.c, the receive() function is missing a return statement in
the case when an error is detected. [CVE-2014-9296]

III. Impact

The NTP protocol uses keys to implement authentication. The weak seeding of
the pseudo-random number generator makes it easier for an attacker to
brute-force keys, and thus to broadcast incorrect time stamps or masquerade
as another time server. [CVE-2014-9293, CVE-2014-9294]

An attacker may be able to utilize the buffer overflow to crash the ntpd(8)
daemon or potentially run arbitrary code with the privileges of the ntpd(8)
process, which is typically root. [CVE-2014-9295]

IV.  Workaround

No workaround is available, but systems not running ntpd(8) are not
affected.

Because the issue may lead to remote root compromise, the FreeBSD Security
Team recommends that system administrators firewall the NTP ports, namely
tcp/123 and udp/123, when it is not clear that all systems have been
patched or have ntpd(8) stopped.

V.   Solution

NOTE WELL: It is advisable to regenerate all keys used for NTP
authentication, if configured.

Perform one of the following:

1) Upgrade your vulnerable system to a supported FreeBSD stable or
release / security branch (releng) dated after the correction date.

2) To update your vulnerable system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch
# fetch https://security.FreeBSD.org/patches/SA-14:31/ntp.patch.asc
# gpg --verify ntp.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

c) Recompile the operating system using buildworld and installworld as
described in .

Restart the ntpd(8) daemons, or reboot the system.

VI.  Correction details

The following list contains the correction revision numbers for each
affected branch.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r276073
releng/8.4/                                                       r276154
stable/9/                                                         r276073
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276072
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this advisory is available at
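An added shell example, not part of the advisory above, that audits an ntp.conf(5) for the two configuration conditions the advisory ties to its CVEs (an Autokey 'crypto' directive for CVE-2014-9295, and whether a 'keys' directive is set, relevant to CVE-2014-9293/9294) and prints the interim pf rule for tcp/123 and udp/123 from section IV. The sample configuration, the function names and the $ext_if macro are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the advisory): audit an ntp.conf(5) for the
# conditions SA-14:31.ntp describes and print the interim firewall rule.

# Constructed sample configuration used for the demonstration run below.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
server 0.freebsd.pool.ntp.org iburst
server 1.freebsd.pool.ntp.org iburst
# Autokey (public-key) authentication, the code path of CVE-2014-9295:
crypto pw example-passphrase
restrict default kod nomodify notrap nopeer noquery
EOF

# Print active directives only: comments and blank lines are dropped so a
# commented-out "crypto" line does not count as enabled.
ntp_directives() {
    sed -e 's/#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# Autokey is in use when any "crypto" directive (e.g. "crypto pw") is active.
ntp_autokey_enabled() {
    ntp_directives "$1" | grep -Eq '^[[:space:]]*crypto([[:space:]]|$)'
}

# Symmetric-key authentication is configured through a "keys" directive.
ntp_symmetric_keys_configured() {
    ntp_directives "$1" | grep -Eq '^[[:space:]]*keys[[:space:]]'
}

# Map the configuration onto the advisory's findings.
ntp_sa1431_report() {
    if ntp_autokey_enabled "$1"; then
        echo "autokey: enabled; CVE-2014-9295 (remote stack overflow) applies until patched"
    else
        echo "autokey: disabled"
    fi
    if ntp_symmetric_keys_configured "$1"; then
        echo "keys: configured; regenerate them after patching (CVE-2014-9293/9294)"
    else
        echo "keys: none; ntpd generated its own weakly seeded key, patch and restart"
    fi
}

# Interim workaround from section IV as a pf.conf fragment. $ext_if is a
# placeholder macro for the externally facing interface.
ntp_pf_workaround() {
    echo 'block in quick on $ext_if proto { tcp udp } from any to any port 123'
}

ntp_sa1431_report "$SAMPLE_CONF"
ntp_pf_workaround
```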
From: FreeBSD Errata Notices
To: FreeBSD Errata Notices
Reply-To: freebsd-stable@freebsd.org
Date: Wed, 24 Dec 2014 00:33:32 +0100 (CET)
Subject: [FreeBSD-Announce] FreeBSD Errata Notice FreeBSD-EN-14:13.freebsd-update

=============================================================================
FreeBSD-EN-14:13.freebsd-update                                 Errata Notice
                                                          The FreeBSD Project

Topic:          freebsd-update attempts to remove the root directory

Category:       base
Module:         freebsd-update
Announced:      2014-12-23
Credits:        Colin Percival
Affects:        All supported versions of FreeBSD.
Corrected:      2014-12-23 22:56:01 UTC (releng/10.1, 10.1-RELEASE-p3)
                2014-12-23 22:55:14 UTC (releng/10.0, 10.0-RELEASE-p15)
                2014-12-22 22:11:39 UTC (stable/10, 10.0-STABLE)
                2014-12-22 22:11:50 UTC (stable/9, 9.3-STABLE)
                2014-12-23 22:54:25 UTC (releng/9.3, 9.3-RELEASE-p7)
                2014-12-23 22:53:44 UTC (releng/9.2, 9.2-RELEASE-p17)
                2014-12-23 22:53:03 UTC (releng/9.1, 9.1-RELEASE-p24)
                2014-12-22 22:11:45 UTC (stable/8, 8.4-STABLE)
                2014-12-23 22:52:22 UTC (releng/8.4, 8.4-RELEASE-p21)

For general information regarding FreeBSD Errata Notices and Security
Advisories, including descriptions of the fields above, security branches,
and the following sections, please visit .

I.   Background

The freebsd-update(8) utility is used to apply binary patches to FreeBSD
systems installed from official release images, as an alternative to
rebuilding from source.

A freebsd-update(8) build server generates the signed update packages,
consisting of an index of files and directories with checksums before the
update, a set of binary patches, and an index of files and directories
with checksums after the update. The client downloads the indexes,
verifies the signatures and checksums, then downloads and applies the
required patches.

The freebsd-update(8) utility views the system as a set of components:
"world", "kernel" and "src". The "world" component is divided into four
subcomponents: "base", "doc", "lib32" and "games". These components and
subcomponents correspond to six of the seven system components offered
during installation (the seventh being ports, which is handled by the
portsnap utility).

II.  Problem Description

1) The default configuration for freebsd-update(8) has all six components
enabled. Components which are not installed should be disabled in the
configuration file. Failing to do so is normally harmless, as the
freebsd-update(8) client will ignore instructions to patch files that do
not exist on the system. However, if an update adds a file, it will be
installed even if it belongs to a component which was not previously
installed.

Due to human error, the world/lib32 component, containing 32-bit
compatibility libraries for 64-bit systems, was left out of the
freebsd-update(8) server's baseline for FreeBSD 10.1-RELEASE. As a result,
the freebsd-update(8) client removed these libraries when upgrading a
system from an earlier release. The 32-bit libraries were re-added as part
of the first set of updates released after the mistake was discovered.

2) Under certain circumstances, it is possible for the freebsd-update(8)
build server to generate an update package requiring the client to both
remove and create the same directory. The client will normally detect this
situation and ignore the conflicting instructions.

Due to insufficient input normalization, if the directory being both
removed and created is the root directory, the freebsd-update(8) client
will fail to recognize that both instructions refer to the same directory.
It will then attempt and fail to 'rmdir /', producing an error message.

III. Impact

The first issue will cause freebsd-update(8) to install 32-bit libraries on
10.1 systems where they were intentionally left out during installation but
/etc/freebsd-update.conf was not edited to reflect this.

The second issue, which is triggered by the addition of lib32, will result
in a harmless but disconcerting error message when installing updates.

IV.  Workaround

The first issue is strictly speaking a configuration error. To address it,
update /etc/freebsd-update.conf to reflect the set of components that are
installed on the system. Specifically, replace "world" on the Components
line with "world/base", and add "world/doc" and/or "world/games" if those
components were selected during installation.

The second issue is harmless and can safely be ignored. A workaround has
been put in place on the freebsd-update(8) build server so the error will
not occur while installing the update that corrects it.

Systems which are updated from source rather than using freebsd-update(8)
are not affected.

V.   Solution

Perform one of the following:

1) Upgrade your system to a supported FreeBSD stable or release / security
branch (releng) dated after the correction date.

2) To update your system via a binary patch:

Systems running a RELEASE version of FreeBSD on the i386 or amd64
platforms can be updated via the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

3) To update your present system via a source code patch:

The following patches have been verified to apply to the applicable
FreeBSD release branches.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch https://security.FreeBSD.org/patches/EN-14:13/freebsd-update.patch
# fetch https://security.FreeBSD.org/patches/EN-14:13/freebsd-update.patch.asc
# gpg --verify freebsd-update.patch.asc

b) Apply the patch. Execute the following commands as root:

# cd /usr/src
# patch < /path/to/freebsd-update.patch

c) Rebuild and reinstall the freebsd-update(8) client:

# cd /usr/src/usr.sbin/freebsd-update
# make && make install

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch/path                                                      Revision
-------------------------------------------------------------------------
stable/8/                                                         r276089
releng/8.4/                                                       r276154
stable/9/                                                         r276090
releng/9.1/                                                       r276155
releng/9.2/                                                       r276156
releng/9.3/                                                       r276157
stable/10/                                                        r276088
releng/10.0/                                                      r276158
releng/10.1/                                                      r276159
-------------------------------------------------------------------------

To see which files were modified by a particular revision, run the
following command, replacing NNNNNN with the revision number, on a
machine with Subversion installed:

# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base

Or visit the following URL, replacing NNNNNN with the revision number:

VII. References

The latest revision of this Errata Notice is available at
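Two small shell illustrations of this Errata Notice, added here and not freebsd-update(8)'s own code: rewriting the Components line of a freebsd-update.conf as section IV describes, and a directory-path normaliser with a remove/create conflict check of the kind section II.2 says mishandled the root directory. The "remove <dir>" / "create <dir>" input format, the sample lines and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example (not freebsd-update(8)'s own code) illustrating EN-14:13.

# Workaround for issue 1: narrow "world" on the Components line to the
# subcomponents that are actually installed. $1 = path to a
# freebsd-update.conf, $2 = replacement, e.g. "world/base world/doc".
fix_components_line() {
    awk -v subs="$2" '
        $1 == "Components" {
            out = "Components"
            for (i = 2; i <= NF; i++) out = out " " ($i == "world" ? subs : $i)
            print out; next
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Normalise a directory path: collapse runs of slashes, then drop a trailing
# slash. The second expression requires a character before the slash, so the
# root directory stays "/" instead of being reduced to the empty string, the
# special case a remove/create comparison must get right.
normalize_path() {
    printf '%s\n' "$1" | sed -e 's,//*,/,g' -e 's,\(.\)/$,\1,'
}

# Read "remove <dir>" / "create <dir>" lines (a constructed format standing
# in for the index comparison the client performs) and print directories
# that are both removed and created, i.e. the conflicts to be ignored.
find_remove_create_conflicts() {
    while read -r op dir; do
        printf '%s %s\n' "$op" "$(normalize_path "$dir")"
    done | sort -u | awk '
        $1 == "remove" { r[$2] = 1 }
        $1 == "create" { c[$2] = 1 }
        END { for (d in r) if (d in c) print d }' | sort
}

# Constructed sample: / is both removed and created, /usr/lib32 is written
# with and without a trailing slash, /usr/games is only removed.
SAMPLE_OPS='remove /
create /
remove /usr/lib32/
create /usr/lib32
remove /usr/games'

printf '%s\n' "$SAMPLE_OPS" | find_remove_create_conflicts
```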