Date: Fri, 21 Mar 2014 17:25:31 +0000 (UTC) From: Dru Lavigne <dru@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44311 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201403211725.s2LHPVtZ018228@svn.freebsd.org>
Author: dru Date: Fri Mar 21 17:25:31 2014 New Revision: 44311 URL: http://svnweb.freebsd.org/changeset/doc/44311 Log: Update example Security Advisory and its descriptions. Next commit will add to the introduction of this section. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 16:12:49 2014 (r44310) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 17:25:31 2014 (r44311) 
@@ -3183,66 +3183,178 @@ You are advised to update or deinstall t <sect2> <title>What Does an Advisory Look Like?</title> - <para>&os; security advisories use the format seen in this - example:</para> + <para>Here is an example of a &os; security advisory:</para> <programlisting>============================================================================= -FreeBSD-SA-XX:XX.UTIL Security Advisory +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA512 + +============================================================================= +FreeBSD-SA-14:04.bind Security Advisory The FreeBSD Project -Topic: denial of service due to some problem <co xml:id="co-topic"/> +Topic: BIND remote denial of service vulnerability -Category: core <co xml:id="co-category"/> -Module: sys <co xml:id="co-module"/> -Announced: 2003-09-23 <co xml:id="co-announce"/> -Credits: Person <co xml:id="co-credit"/> -Affects: All releases of &os; <co xml:id="co-affects"/> - &os; 4-STABLE prior to the correction date -Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE) - 2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6) - 2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15) - 2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8) - 2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18) - 2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21) - 2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33) - 2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43) - 2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39) <co xml:id="co-corrected"/> -<acronym>CVE</acronym> Name: CVE-XXXX-XXXX <co xml:id="co-cve"/> +Category: contrib +Module: bind +Announced: 2014-01-14 +Credits: ISC +Affects: FreeBSD 8.x and FreeBSD 9.x +Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE) + 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3) + 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10) + 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE) + 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7) + 2014-01-14 19:42:28 UTC 
(releng/8.3, 8.3-RELEASE-p14) +CVE Name: CVE-2014-0591 For general information regarding FreeBSD Security Advisories, including descriptions of the fields above, security branches, and the -following sections, please visit -http://www.FreeBSD.org/security/. +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. + +II. Problem Description + +Because of a defect in handling queries for NSEC3-signed zones, BIND can +crash with an "INSIST" failure in name.c when processing queries possessing +certain properties. This issue only affects authoritative nameservers with +at least one NSEC3-signed zone. Recursive-only servers are not at risk. + +III. Impact + +An attacker who can send a specially crafted query could cause named(8) +to crash, resulting in a denial of service. + +IV. Workaround + +No workaround is available, but systems not running authoritative DNS service +with at least one NSEC3-signed zone using named(8) are not vulnerable. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. -I. Background <co xml:id="co-backround"/> +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. +[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc +# gpg --verify bind-release.patch.asc -II. 
Problem Description <co xml:id="co-descript"/> +[FreeBSD 9.2-STABLE] +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch +# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc +# gpg --verify bind-stable-9.patch.asc +b) Execute the following commands as root: -III. Impact <co xml:id="co-impact"/> +# cd /usr/src +# patch < /path/to/patch +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. -IV. Workaround <co xml:id="co-workaround"/> +Restart the applicable daemons, or reboot the system. +3) To update your vulnerable system via a binary patch: -V. Solution <co xml:id="co-solution"/> +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: +# freebsd-update fetch +# freebsd-update install -VI. Correction details <co xml:id="co-details"/> +VI. Correction details +The following list contains the correction revision numbers for each +affected branch. -VII. References <co xml:id="co-ref"/></programlisting> +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r260646 +releng/8.3/ r260647 +releng/8.4/ r260647 +stable/9/ r260646 +releng/9.1/ r260647 +releng/9.2/ r260647 +- ------------------------------------------------------------------------- - <calloutlist> - <callout arearefs="co-topic"> - <para>The <literal>Topic</literal> field specifies the - problem. 
It provides an introduction to the security - advisory and notes the utility affected by the +To see which files were modified by a particular revision, run the +following command, replacing NNNNNN with the revision number, on a +machine with Subversion installed: + +# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing NNNNNN with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN> + +VII. References + +<URL:https://kb.isc.org/article/AA-01078> + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591> + +The latest revision of this advisory is available at +<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc> +-----BEGIN PGP SIGNATURE----- + +iQIcBAEBCgAGBQJS1ZTYAAoJEO1n7NZdz2rnOvQP/2/68/s9Cu35PmqNtSZVVxVG +ZSQP5EGWx/lramNf9566iKxOrLRMq/h3XWcC4goVd+gZFrvITJSVOWSa7ntDQ7TO +XcinfRZ/iyiJbs/Rg2wLHc/t5oVSyeouyccqODYFbOwOlk35JjOTMUG1YcX+Zasg +ax8RV+7Zt1QSBkMlOz/myBLXUjlTZ3Xg2FXVsfFQW5/g2CjuHpRSFx1bVNX6ysoG +9DT58EQcYxIS8WfkHRbbXKh9I1nSfZ7/Hky/kTafRdRMrjAgbqFgHkYTYsBZeav5 +fYWKGQRJulYfeZQ90yMTvlpF42DjCC3uJYamJnwDIu8OhS1WRBI8fQfr9DRzmRua +OK3BK9hUiScDZOJB6OqeVzUTfe7MAA4/UwrDtTYQ+PqAenv1PK8DZqwXyxA9ThHb +zKO3OwuKOVHJnKvpOcr+eNwo7jbnHlis0oBksj/mrq2P9m2ueF9gzCiq5Ri5Syag +Wssb1HUoMGwqU0roS8+pRpNC8YgsWpsttvUWSZ8u6Vj/FLeHpiV3mYXPVMaKRhVm +067BA2uj4Th1JKtGleox+Em0R7OFbCc/9aWC67wiqI6KRyit9pYiF3npph+7D5Eq +7zPsUdDd+qc+UTiLp3liCRp5w6484wWdhZO6wRtmUgxGjNkxFoNnX8CitzF8AaqO +UWWemqWuz3lAZuORQ9KX +=OQzQ +-----END PGP SIGNATURE-----</programlisting> + + <para>Every security advisory uses the following format:</para> + + <itemizedlist> + <listitem> + <para>Each security advisory is signed by the + <acronym>PGP</acronym> key of the Security Officer. 
The + public key for the Security Officer can be verified at + <xref linkend="pgpkeys"/>.</para> + </listitem> + + <listitem> + <para>The name of the security advisory always begins with + <literal>FreeBSD-SA-</literal> (for FreeBSD Security + Advisory), followed by the year in two digit format + (<literal>14:</literal>), followed by the advisory number + for that year (<literal>04.</literal>), followed by the + name of the affected application or subsystem + (<literal>bind</literal>). The advisory shown here is the + fourth advisory for 2014 and it affects + <application>BIND</application>.</para> + </listitem> + + <listitem> + <para>The <literal>Topic</literal> field summarizes the vulnerability.</para> - </callout> + </listitem> - <callout arearefs="co-category"> + <listitem> <para>The <literal>Category</literal> refers to the affected part of the system which may be one of <literal>core</literal>, <literal>contrib</literal>, or 
@@ -3250,113 +3362,95 @@ VII. References <co xml:id="co-ref"/></p category means that the vulnerability affects a core component of the &os; operating system. The <literal>contrib</literal> category means that the - vulnerability affects software contributed to the &os; - Project, such as <application>Sendmail</application>. + vulnerability affects software included with &os;, + such as <application>BIND</application>. The <literal>ports</literal> category indicates that the - vulnerability affects add on software available through + vulnerability affects software available through the Ports Collection.</para> - </callout> + </listitem> - <callout arearefs="co-module"> + <listitem> <para>The <literal>Module</literal> field refers to the component location. In this example, the - <literal>sys</literal> module is affected; therefore, this - vulnerability affects a component used within the - kernel.</para> - </callout> + <literal>bind</literal> module is affected; therefore, this + vulnerability affects an application installed with the + operating system.</para> + </listitem> - <callout arearefs="co-announce"> + <listitem> <para>The <literal>Announced</literal> field reflects the - date the security advisory was published, or announced - to the world. This means that the security team has + date the security advisory was published. This means + that the security team has verified that the problem exists and that a patch has been committed to the &os; source code repository.</para> - </callout> + </listitem> - <callout arearefs="co-credit"> + <listitem> <para>The <literal>Credits</literal> field gives credit to the individual or organization who noticed the vulnerability and reported it.</para> - </callout> + </listitem> - <callout arearefs="co-affects"> + <listitem> <para>The <literal>Affects</literal> field explains which - releases of &os; are affected by this vulnerability. 
- For the kernel, a quick look over the output from - &man.ident.1; on the affected files will help in - determining the revision. For ports, the version number - is listed after the port name in <filename>/var/db/pkg</filename>. If the - system does not sync with the &os; Subversion repository - and is not rebuilt daily, chances are that it is - affected.</para> - </callout> + releases of &os; are affected by this vulnerability.</para> + </listitem> - <callout arearefs="co-corrected"> + <listitem> <para>The <literal>Corrected</literal> field indicates the - date, time, time offset, and release that was + date, time, time offset, and releases that were corrected.</para> - </callout> + </listitem> - <callout arearefs="co-cve"> - <para>Reserved for the identification information used to - look up vulnerabilities in the <link xlink:href="http://cve.mitre.org">Common Vulnerabilities - and Exposures</link> database.</para> - </callout> - - <callout arearefs="co-backround"> - <para>The <literal>Background</literal> field gives - information about the affected utility. Most of the time - this is why the utility exists in &os;, what it is used - for, and a bit of information on how the utility came to - be.</para> - </callout> + <listitem> + <para>The <literal>CVE Name</literal> field lists the + advisory number, if one exists, in the public <link + xlink:href="http://cve.mitre.org">cve.mitre.org</link> + security vulnerabilities database.</para> + </listitem> + + <listitem> + <para>The <literal>Background</literal> field provides a + description of the affected module.</para> + </listitem> - <callout arearefs="co-descript"> + <listitem> <para>The <literal>Problem Description</literal> field - explains the security hole in depth. This can include - information on flawed code, or even how the utility - could be maliciously used to open a security hole.</para> - </callout> + explains the vulnerability. 
This can include + information about the flawed code and how the utility + could be maliciously used.</para> + </listitem> - <callout arearefs="co-impact"> + <listitem> <para>The <literal>Impact</literal> field describes what - type of impact the problem could have on a system. For - example, this could be anything from a denial of service - attack, to extra privileges available to users, or even - giving the attacker superuser access.</para> - </callout> - - <callout arearefs="co-workaround"> - <para>The <literal>Workaround</literal> field offers a - workaround to system administrators who cannot - upgrade the system due to time constraints, network - availability, or other reasons. Security should not be - taken lightly, and an affected system should either be - patched or the workaround implemented.</para> - </callout> + type of impact the problem could have on a system.</para> + </listitem> + + <listitem> + <para>The <literal>Workaround</literal> field indicates if + a workaround is available to system administrators who cannot + immediately patch the system .</para> + </listitem> - <callout arearefs="co-solution"> - <para>The <literal>Solution</literal> field offers + <listitem> + <para>The <literal>Solution</literal> field provides the instructions for patching the affected system. This is a step by step tested and verified method for getting a system patched and working securely.</para> - </callout> + </listitem> - <callout arearefs="co-details"> + <listitem> <para>The <literal>Correction Details</literal> field - displays the Subversion branch or release name with the - periods changed to underscore characters. It also shows - the revision number of the affected files within each - branch.</para> - </callout> - - <callout arearefs="co-ref"> - <para>The <literal>References</literal> field usually - offers sources of other information. 
This can include - web <acronym>URL</acronym>s, books, mailing lists, and - newsgroups.</para> - </callout> - </calloutlist> + displays each affected Subversion branch with + the revision number that contains the corrected code.</para> + </listitem> + + <listitem> + <para>The <literal>References</literal> field + offers sources of additional information regarding the + vulnerability.</para> + </listitem> + </itemizedlist> </sect2> </sect1>