Date: Thu, 2 Oct 2003 12:08:44 -0500
From: "Jacques A. Vidrine"
To: freebsd-security@FreeBSD.org
Message-ID: <20031002170844.GA66592@madman.celabo.org>
Subject: HEADS UP: upcoming security advisories

Hello Folks,

Just a status on upcoming advisories.

FreeBSD-SA-03:15.openssh
  This is in final review and should be released today. Fixes for
  this issue entered the tree on September 24. I apologize for the
  delay in getting this one out.

FreeBSD-SA-03:16.filedesc
  A reference counting bug was discovered that could lead to kernel
  memory disclosure or a system panic. Fixes for this issue were
  committed to -CURRENT, -STABLE, and the security branches earlier
  today. This bug was reported to us by Joost Pol of Pine Digital
  Security, and their advisory just went onto the web:

FreeBSD-SA-03:17.procfs
  Several similar bugs involving integer arithmetic underflows or
  overflows were identified, again by Joost Pol. These bugs could
  also lead to kernel memory disclosure or system panic. Fixes for
  this issue are in -CURRENT and -STABLE. The security branches will
  be addressed during the rest of the day.

FreeBSD-SA-03:18.openssl
  The issue reported at affects the version of OpenSSL included with
  previous versions of FreeBSD. The impact is limited to
  denial-of-service. Because of the relative severity of the above
  issues, this openssl issue will likely not be completely dealt with
  until tomorrow or even Saturday. The official fixed version,
  OpenSSL 0.9.7c, was imported into -CURRENT yesterday, and will be
  MFC'd to -STABLE today, but it will be a bit longer to backport
  fixes for the security branches.

Cheers,
--
Jacques Vidrine   . NTT/Verio SME      . FreeBSD UNIX       . Heimdal
nectar@celabo.org . jvidrine@verio.net . nectar@freebsd.org . nectar@kth.se