From: Gleb Smirnoff
Date: Thu, 14 Jan 2016 18:05:15 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r48016 - head/share/security/advisories

Author: glebius (src committer)
Date: Thu Jan 14 18:05:15 2016
New Revision: 48016
URL: https://svnweb.freebsd.org/changeset/doc/48016

Log:
  Fix the snmpd.config file name throughout the advisory.

  Submitted by: Wout Decré
  Submitted by: Andrei

Modified:
  head/share/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc

Modified: head/share/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc ============================================================================== --- head/share/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc Thu Jan 14 17:50:53 2016 (r48015) +++ head/share/security/advisories/FreeBSD-SA-16:06.bsnmpd.asc Thu Jan 14 18:05:15 2016 (r48016) @@ -5,7 +5,7 @@ Hash: SHA512 FreeBSD-SA-16:06.bsnmpd Security Advisory The FreeBSD Project -Topic: Insecure default bsnmpd.conf permissions +Topic: Insecure default snmpd.config permissions Category: contrib Module: bsnmpd @@ -32,8 +32,8 @@ implements all other MIBs through loadab II. Problem Description The SNMP protocol supports an authentication model called USM, which relies -on a shared secret. The default permission of the bsnmpd configuration file, -/etc/bsnmpd.conf, is weak and does not provide adequate protection against +on a shared secret. The default permission of the snmpd.configiguration file, +/etc/snmpd.config, is weak and does not provide adequate protection against local unprivileged users. III. Impact 
@@ -49,7 +49,7 @@ authentication model are not vulnerable. V. Solution This vulnerability can be fixed by modifying the permission on -/etc/bsnmpd.conf to owner root:wheel and permission 0600. +/etc/snmpd.config to owner root:wheel and permission 0600. The patch is provided mainly for third party vendors who deploy FreeBSD and provide a safe default. The patch itself DOES NOT fix the permissions @@ -60,7 +60,7 @@ The patch can be applied by performing o 1) Upgrade your vulnerable system to a supported FreeBSD stable or release / security branch (releng) dated after the correction date. -The system administrator should change the permission on /etc/bsnmpd.conf +The system administrator should change the permission on /etc/snmpd.config to root:wheel and 0600. 2) To update your vulnerable system via a binary patch: @@ -71,7 +71,7 @@ platforms can be updated via the freebsd # freebsd-update fetch # freebsd-update install -The system administrator should change the permission on /etc/bsnmpd.conf +The system administrator should change the permission on /etc/snmpd.config to root:wheel and 0600. 3) To update your vulnerable system via a source code patch: 
@@ -126,17 +126,17 @@ The latest revision of this advisory is -----BEGIN PGP SIGNATURE----- -iQIcBAEBCgAGBQJWl2j4AAoJEO1n7NZdz2rnkaQP/3K9kqYY1YoHQ++uzFPnfuZQ -mkGPJ0frGG46pTL806QJidky6D0LP0zNCzhtU45ZlFMguJ3B3QYp/62Cw61dBG22 -x0uEkvI2F2F39IPA/clspyUHg3Y1RYgTpJrxey0JLrK0yxelyI8vMwB4tCB2eEDW -ZGVU6rvFQcWJOWHABXVYcc+4Yy5ucudp0QbJsVHAKLtF7MLuntVlUj+x4Nncog5k -kmGt6W7tzFn2gNsWcmntmG/LWyPkPURWhYfIj3fgcRrpMTVIDFX5PTgQyJR7DwOM -/beIoQxxKBUwTW1ZRgvcCqFBu7DKSCMABoHgpqLj1gdeiJ1LaO4dErtWXvdBEAAP -+XLi5OkRG3OKzIAIRnkz/SrkAUoRkzHEK1dI0coyw7AdXXjDBWtX+n9lzRXs7hqT -LC3riK/Km9OYVn3+T7tCWnvKN45f+FnD8zxZDE+33Jv9wI8X+CCs9GjJdoJ0HDSd -b6rg8E4gGPzfwFxSNXZQKfDSSuVBECIp3av1gp6hN3qZNOX/sadMsxro8VVGFLPg -81rC+JfKNTeVtxF8oJi9eg3FQ/eupxQv4RvC2c37R7LcErAU1KKxZyNrwv6xDEMx -QVnx74o+luxXSirLxq276pfBQJdMjxYzWCj6E8ztcAZenz3M4WNiRFlt7hdq/3YO -bDBdQPe4eYSHHSGyGcz/ -=LDPU +iQIcBAEBCgAGBQJWl+LcAAoJEO1n7NZdz2rnZgcQANXfhZ5c/0sRlLmSGtvvCOvC +Zw7OEFrFuEgDL4RmjsJznQ6CJ7CO/4rF6+oaDRpCaJCfo2r92mpk3N+q907L9yZD +JR6dXajZugrq5cXnn3n5zMKiWQJnA5hQ9xz4dxRIsVwGcDKNmPDH37nmL7iv0E1n +AkTLoUTXqwYZvUm+K3uDXA/i/ML8lQ7ERRdY2+4cufo2pGD6TfzNuxYMOzQldS29 +4ikv30TTdSMhKxjYS+qMkeFKvwr2UGwERO/eGhoBwqwXV0MAsKDgX4ahfgu7VQln +Qs+2VaRk9PYPYS6DuOaUc+rCJ1SxmZ5/vK7ULt4zvxNT0r+sp0wvxYsDcQP2JDL5 +iY+O0gvDi4ob0Y+30YaLwoM7L7yW+Lzgv+QgT344T2iDOu3ZEZK/n4gEkD+HYNkJ +/mU/frCbBbcil8AhyiBO/shjATPfRWSGJUpkYpDDnzR1fhojRJlrkl8WOprjHtYw +OntSUQ1tXsYUJ0iNyhYDNlfI8abjOw/jAqeFBFjFa6FvA/pml+jyWGsscl7evrwQ +uIzJo7yHwcqxa7pqSAdiPRVE3hnzeR0yZtOHBpOvR/veHdoXfYhn1QZCIy6hbuSy +gN3vPm+vow5Ls46i0JVNzXRdGWiIVyfHt9axoQOef5zvbsLm9qgGECrTBHjbow2I +fQ7dKyaCpR1ORJ0NLH61 +=hOZk -----END PGP SIGNATURE-----
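
Review bot: in the @@ -32,8 +32,8 @@ hunk the added line reads "The default permission of the snmpd.configiguration file,", which is not a word and looks like the file-name substitution matching the phrase "bsnmpd configuration" as well as the path. The removed line said "the bsnmpd configuration file", naming the daemon rather than the file, so that phrase should stay as it was and only /etc/bsnmpd.conf on the following line should become /etc/snmpd.config. Since the signature block in the @@ -126,17 +126,17 @@ hunk is replaced along with the text, correcting this line means the advisory has to be signed again.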
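
Review bot: in the @@ -60,7 +60,7 @@ hunk (and the same sentence in @@ -71,7 +71,7 @@) the instruction "change the permission on /etc/snmpd.config to root:wheel and 0600" folds ownership and mode into the single word "permission". The Solution paragraph in the @@ -49,7 +49,7 @@ hunk already words this more precisely as "to owner root:wheel and permission 0600"; since these lines are being touched anyway, using that wording in both places would keep the advisory consistent and leave no doubt that two separate changes are required, which matters here because the context notes that the patch itself DOES NOT fix the permissions.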