From owner-svn-doc-all@FreeBSD.ORG Fri Mar 21 17:25:31 2014
Delivered-To: svn-doc-all@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
(No client certificate requested)
by hub.freebsd.org (Postfix) with ESMTPS id C4BA05EB;
Fri, 21 Mar 2014 17:25:31 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
(No client certificate requested)
by mx1.freebsd.org (Postfix) with ESMTPS id AFABD8BD;
Fri, 21 Mar 2014 17:25:31 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2LHPVvY018229;
Fri, 21 Mar 2014 17:25:31 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost)
by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2LHPVtZ018228;
Fri, 21 Mar 2014 17:25:31 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201403211725.s2LHPVtZ018228@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 21 Mar 2014 17:25:31 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org,
svn-doc-head@freebsd.org
Subject: svn commit: r44311 - head/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-all@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: "SVN commit messages for the entire doc trees \(except for "
user" , " projects" , and " translations"
\)"
X-List-Received-Date: Fri, 21 Mar 2014 17:25:31 -0000
Author: dru
Date: Fri Mar 21 17:25:31 2014
New Revision: 44311
URL: http://svnweb.freebsd.org/changeset/doc/44311
Log:
Update example Security Advisory and its descriptions.
Next commit will add to the introduction of this section.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 16:12:49 2014 (r44310)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 17:25:31 2014 (r44311)
@@ -3183,66 +3183,178 @@ You are advised to update or deinstall t
What Does an Advisory Look Like?
- &os; security advisories use the format seen in this
- example:
+ Here is an example of a &os; security advisory:=============================================================================
-FreeBSD-SA-XX:XX.UTIL Security Advisory
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA512
+
+=============================================================================
+FreeBSD-SA-14:04.bind Security Advisory
The FreeBSD Project
-Topic: denial of service due to some problem
+Topic: BIND remote denial of service vulnerability
-Category: core
-Module: sys
-Announced: 2003-09-23
-Credits: Person
-Affects: All releases of &os;
- &os; 4-STABLE prior to the correction date
-Corrected: 2003-09-23 16:42:59 UTC (RELENG_4, 4.9-PRERELEASE)
- 2003-09-23 20:08:42 UTC (RELENG_5_1, 5.1-RELEASE-p6)
- 2003-09-23 20:07:06 UTC (RELENG_5_0, 5.0-RELEASE-p15)
- 2003-09-23 16:44:58 UTC (RELENG_4_8, 4.8-RELEASE-p8)
- 2003-09-23 16:47:34 UTC (RELENG_4_7, 4.7-RELEASE-p18)
- 2003-09-23 16:49:46 UTC (RELENG_4_6, 4.6-RELEASE-p21)
- 2003-09-23 16:51:24 UTC (RELENG_4_5, 4.5-RELEASE-p33)
- 2003-09-23 16:52:45 UTC (RELENG_4_4, 4.4-RELEASE-p43)
- 2003-09-23 16:54:39 UTC (RELENG_4_3, 4.3-RELEASE-p39)
-CVE Name: CVE-XXXX-XXXX
+Category: contrib
+Module: bind
+Announced: 2014-01-14
+Credits: ISC
+Affects: FreeBSD 8.x and FreeBSD 9.x
+Corrected: 2014-01-14 19:38:37 UTC (stable/9, 9.2-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/9.2, 9.2-RELEASE-p3)
+ 2014-01-14 19:42:28 UTC (releng/9.1, 9.1-RELEASE-p10)
+ 2014-01-14 19:38:37 UTC (stable/8, 8.4-STABLE)
+ 2014-01-14 19:42:28 UTC (releng/8.4, 8.4-RELEASE-p7)
+ 2014-01-14 19:42:28 UTC (releng/8.3, 8.3-RELEASE-p14)
+CVE Name: CVE-2014-0591
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
-following sections, please visit
-http://www.FreeBSD.org/security/.
+following sections, please visit <URL:http://security.FreeBSD.org/>.
+
+I. Background
+
+BIND 9 is an implementation of the Domain Name System (DNS) protocols.
+The named(8) daemon is an Internet Domain Name Server.
+
+II. Problem Description
+
+Because of a defect in handling queries for NSEC3-signed zones, BIND can
+crash with an "INSIST" failure in name.c when processing queries possessing
+certain properties. This issue only affects authoritative nameservers with
+at least one NSEC3-signed zone. Recursive-only servers are not at risk.
+
+III. Impact
+
+An attacker who can send a specially crafted query could cause named(8)
+to crash, resulting in a denial of service.
+
+IV. Workaround
+
+No workaround is available, but systems not running authoritative DNS service
+with at least one NSEC3-signed zone using named(8) are not vulnerable.
+
+V. Solution
+
+Perform one of the following:
+
+1) Upgrade your vulnerable system to a supported FreeBSD stable or
+release / security branch (releng) dated after the correction date.
+
+2) To update your vulnerable system via a source code patch:
+
+The following patches have been verified to apply to the applicable
+FreeBSD release branches.
-I. Background
+a) Download the relevant patch from the location below, and verify the
+detached PGP signature using your PGP utility.
+[FreeBSD 8.3, 8.4, 9.1, 9.2-RELEASE and 8.4-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-release.patch.asc
+# gpg --verify bind-release.patch.asc
-II. Problem Description
+[FreeBSD 9.2-STABLE]
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch
+# fetch http://security.FreeBSD.org/patches/SA-14:04/bind-stable-9.patch.asc
+# gpg --verify bind-stable-9.patch.asc
+b) Execute the following commands as root:
-III. Impact
+# cd /usr/src
+# patch < /path/to/patch
+Recompile the operating system using buildworld and installworld as
+described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.
-IV. Workaround
+Restart the applicable daemons, or reboot the system.
+3) To update your vulnerable system via a binary patch:
-V. Solution
+Systems running a RELEASE version of FreeBSD on the i386 or amd64
+platforms can be updated via the freebsd-update(8) utility:
+# freebsd-update fetch
+# freebsd-update install
-VI. Correction details
+VI. Correction details
+The following list contains the correction revision numbers for each
+affected branch.
-VII. References
+Branch/path Revision
+- -------------------------------------------------------------------------
+stable/8/ r260646
+releng/8.3/ r260647
+releng/8.4/ r260647
+stable/9/ r260646
+releng/9.1/ r260647
+releng/9.2/ r260647
+- -------------------------------------------------------------------------
-
-
- The Topic field specifies the
- problem. It provides an introduction to the security
- advisory and notes the utility affected by the
+To see which files were modified by a particular revision, run the
+following command, replacing NNNNNN with the revision number, on a
+machine with Subversion installed:
+
+# svn diff -cNNNNNN --summarize svn://svn.freebsd.org/base
+
+Or visit the following URL, replacing NNNNNN with the revision number:
+
+<URL:http://svnweb.freebsd.org/base?view=revision&revision=NNNNNN>
+
+VII. References
+
+<URL:https://kb.isc.org/article/AA-01078>
+
+<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0591>
+
+The latest revision of this advisory is available at
+<URL:http://security.FreeBSD.org/advisories/FreeBSD-SA-14:04.bind.asc>
+-----BEGIN PGP SIGNATURE-----
+-----END PGP SIGNATURE-----
+
+ Every security advisory uses the following format:
+
+
+
+ Each security advisory is signed by the
+ PGP key of the Security Officer. The
+ public key for the Security Officer can be verified at
+ .
+
+
+
+ The name of the security advisory always begins with
+ FreeBSD-SA- (for FreeBSD Security
+ Advisory), followed by the year in two digit format
+ (14:), followed by the advisory number
+ for that year (04.), followed by the
+ name of the affected application or subsystem
+ (bind). The advisory shown here is the
+ fourth advisory for 2014 and it affects
+ BIND.
+
+
+
+ The Topic field summarizes the
vulnerability.
-
+
-
+ The Category refers to the
affected part of the system which may be one of
core, contrib, or
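Review bot: the new paragraph beginning "Each security advisory is signed by the PGP key of the Security Officer" tells the reader where the key is published but not what to do with it; since the example now opens with "-----BEGIN PGP SIGNED MESSAGE-----" and "Hash: SHA512", add one sentence saying that the reader should verify the advisory's clear-text signature against that key before acting on it, mirroring the "gpg --verify" step the advisory itself prescribes for the patch files under "V. Solution". Without that sentence the signature block in the example is shown but never explained.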
@@ -3250,113 +3362,95 @@ VII. References
contrib category means that the
- vulnerability affects software contributed to the &os;
- Project, such as Sendmail.
+ vulnerability affects software included with &os;,
+ such as BIND.
The ports category indicates that the
- vulnerability affects add on software available through
+ vulnerability affects software available through
the Ports Collection.
-
+
-
+ The Module field refers to the
component location. In this example, the
- sys module is affected; therefore, this
- vulnerability affects a component used within the
- kernel.
-
+ bind module is affected; therefore, this
+ vulnerability affects an application installed with the
+ operating system.
+
-
+ The Announced field reflects the
- date the security advisory was published, or announced
- to the world. This means that the security team has
+ date the security advisory was published. This means
+ that the security team has
verified that the problem exists and that a patch has
been committed to the &os; source code repository.
-
+
-
+ The Credits field gives credit to
the individual or organization who noticed the
vulnerability and reported it.
-
+
-
+ The Affects field explains which
- releases of &os; are affected by this vulnerability.
- For the kernel, a quick look over the output from
- &man.ident.1; on the affected files will help in
- determining the revision. For ports, the version number
- is listed after the port name in /var/db/pkg. If the
- system does not sync with the &os; Subversion repository
- and is not rebuilt daily, chances are that it is
- affected.
-
+ releases of &os; are affected by this vulnerability.
+
-
+ The Corrected field indicates the
- date, time, time offset, and release that was
+ date, time, time offset, and releases that were
corrected.
-
+
-
- Reserved for the identification information used to
- look up vulnerabilities in the Common Vulnerabilities
- and Exposures database.
-
-
-
- The Background field gives
- information about the affected utility. Most of the time
- this is why the utility exists in &os;, what it is used
- for, and a bit of information on how the utility came to
- be.
-
+
+ The CVE Name field lists the
+ advisory number, if one exists, in the public cve.mitre.org
+ security vulnerabilities database.
+
+
+
+ The Background field provides a
+ description of the affected module.
+
-
+ The Problem Description field
- explains the security hole in depth. This can include
- information on flawed code, or even how the utility
- could be maliciously used to open a security hole.
-
+ explains the vulnerability. This can include
+ information about the flawed code and how the utility
+ could be maliciously used.
+
-
+ The Impact field describes what
- type of impact the problem could have on a system. For
- example, this could be anything from a denial of service
- attack, to extra privileges available to users, or even
- giving the attacker superuser access.
-
-
-
- The Workaround field offers a
- workaround to system administrators who cannot
- upgrade the system due to time constraints, network
- availability, or other reasons. Security should not be
- taken lightly, and an affected system should either be
- patched or the workaround implemented.
-
+ type of impact the problem could have on a system.
+
+
+
+ The Workaround field indicates if
+ a workaround is available to system administrators who cannot
+ immediately patch the system .
+
-
- The Solution field offers
+
+ The Solution field provides the
instructions for patching the affected system. This is a
step by step tested and verified method for getting a
system patched and working securely.
-
+
-
+ The Correction Details field
- displays the Subversion branch or release name with the
- periods changed to underscore characters. It also shows
- the revision number of the affected files within each
- branch.
-
-
-
- The References field usually
- offers sources of other information. This can include
- web URLs, books, mailing lists, and
- newsgroups.
-
-
+ displays each affected Subversion branch with
+ the revision number that contains the corrected code.
+
+
+
+ The References field
+ offers sources of additional information regarding the
+ vulnerability.
+
+
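Review bot: the CVE Name paragraph ("lists the advisory number, if one exists, in the public cve.mitre.org security vulnerabilities database") is imprecise: a CVE identifier such as the CVE-2014-0591 shown in the example names the vulnerability, not the advisory, so "identifier of the vulnerability" would be the accurate wording. Two smaller points in the same hunk: the Workaround paragraph ends with a stray space before the period ("immediately patch the system ."), and the rewritten Affects paragraph drops the old hint on how to determine which release a system is running, so the reader is no longer told how to match their system against the Affects and Corrected lines; consider keeping a one-line pointer.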