Date: Sat, 27 Jul 2013 03:39:12 +0000 (UTC)
From: Xin LI <delphij@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r42453 - in head/share: security/advisories security/patches/SA-13:07 security/patches/SA-13:08 xml
Message-ID: <201307270339.r6R3dCbm099042@svn.freebsd.org>
Author: delphij
Date: Sat Jul 27 03:39:12 2013
New Revision: 42453
URL: http://svnweb.freebsd.org/changeset/doc/42453

Log:
  Add two latest advisories:

  Fix Denial of Service vulnerability in named(8). [13:07]

  Fix a bug that allows remote client to bypass the normal access checks when
  -network or -host restrictions are used at the same time with -mapall. [13:08]

Added:
  head/share/security/advisories/FreeBSD-SA-13:07.bind.asc (contents, props changed)
  head/share/security/advisories/FreeBSD-SA-13:08.nfsserver.asc (contents, props changed)
  head/share/security/patches/SA-13:07/
  head/share/security/patches/SA-13:07/bind.patch (contents, props changed)
  head/share/security/patches/SA-13:07/bind.patch.asc (contents, props changed)
  head/share/security/patches/SA-13:08/
  head/share/security/patches/SA-13:08/nfsserver.patch (contents, props changed)
  head/share/security/patches/SA-13:08/nfsserver.patch.asc (contents, props changed)
Modified:
  head/share/xml/advisories.xml

Added: head/share/security/advisories/FreeBSD-SA-13:07.bind.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:07.bind.asc Sat Jul 27 03:39:12 2013 (r42453) 
@@ -0,0 +1,121 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:07.bind Security Advisory + The FreeBSD Project + +Topic: BIND remote denial of service + +Category: contrib +Module: bind +Announced: 2013-07-26 +Credits: Maxim Shudrak and the HP Zero Day Initiative, ISC +Affects: FreeBSD 8.4-RELEASE and FreeBSD 9.x +Corrected: 2013-07-26 22:53:17 UTC (stable/8, 8.4-STABLE) + 2013-07-26 22:40:17 UTC (releng/8.4, 8.4-RELEASE-p2) + 2013-07-26 22:43:09 UTC (stable/9, 9.2-BETA2) + 2013-07-26 22:40:23 UTC (releng/9.1, 9.1-RELEASE-p5) +CVE Name: CVE-2013-4854 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +BIND 9 is an implementation of the Domain Name System (DNS) protocols. +The named(8) daemon is an Internet Domain Name Server. The libdns +library is a library of DNS protocol support functions. + +II. Problem Description + +Due to a software defect a specially crafted query which includes +malformed rdata, could cause named(8) to crash with an assertion +failure and rejecting the malformed query. This issue affects both +recursive and authoritative-only nameservers. + +III. Impact + +An attacker who can send a specially crafted query could cause named(8) +to crash, resulting in a denial of service. + +IV. Workaround + +No workaround is available, but systems not running the named(8) service +and not using the base system DNS utilities are not affected. + +V. Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. 
+ +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:07/bind.patch +# fetch http://security.FreeBSD.org/patches/SA-13:07/bind.patch.asc +# gpg --verify bind.patch.asc + +b) Execute the following commands as root: + +# cd /usr/src +# patch < /path/to/patch + +Recompile the operating system using buildworld and installworld as +described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>. + +Restart the named daemon, or reboot the system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r253696 +releng/8.4/ r253692 +stable/9/ r253695 +releng/9.1/ r253693 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing XXXXXX with the revision number, on a +machine with Subversion installed: + +# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing XXXXXX with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX> + +VII. 
References + +https://kb.isc.org/article/AA-01015 + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4854> + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:07.bind.asc +-----BEGIN PGP SIGNATURE----- + +iEYEARECAAYFAlHzPpMACgkQFdaIBMps37Jb2ACdFqaNTTBFiOCuz30MJ5s85UVd +MzoAn2ebCjqULwyEbJaeTlck87NPfQWR +=RFf2 +-----END PGP SIGNATURE----- Added: head/share/security/advisories/FreeBSD-SA-13:08.nfsserver.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/advisories/FreeBSD-SA-13:08.nfsserver.asc Sat Jul 27 03:39:12 2013 (r42453) 
@@ -0,0 +1,120 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +============================================================================= +FreeBSD-SA-13:08.nfsserver Security Advisory + The FreeBSD Project + +Topic: Incorrect privilege validation in the NFS server + +Category: core +Module: nfsserver +Announced: 2013-07-26 +Credits: Rick Macklem, Christopher Key, Tim Zingelman +Affects: FreeBSD 8.3, FreeBSD 9.0 and FreeBSD 9.1 +Corrected: 2012-12-28 14:06:49 UTC (stable/9, 9.2-BETA2) + 2013-07-26 22:40:23 UTC (releng/9.1, 9.1-RELEASE-p5) + 2013-01-06 01:11:45 UTC (stable/8, 8.3-STABLE) + 2013-07-26 22:40:29 UTC (releng/8.3, 8.3-RELEASE-p9) +CVE Name: CVE-2013-4851 + +For general information regarding FreeBSD Security Advisories, +including descriptions of the fields above, security branches, and the +following sections, please visit <URL:http://security.FreeBSD.org/>. + +I. Background + +The Network File System (NFS) allows a host to export some or all of its +file systems so that other hosts can access them over the network and mount +them as if they were on local disks. FreeBSD includes both server and client +implementations of NFS. + +II. Problem Description + +The kernel incorrectly uses client supplied credentials instead of the one +configured in exports(5) when filling out the anonymous credential for a +NFS export, when -network or -host restrictions are used at the same time. + +III. Impact + +The remote client may supply privileged credentials (e.g. the root user) +when accessing a file under the NFS share, which will bypass the normal +access checks. + +IV. Workaround + +Systems that do not provide the NFS service are not vulnerable. Systems that +do provide the NFS service are only vulnerable when -mapall or -maproot is +used in combination with network and/or host restrictions. + +V. 
Solution + +Perform one of the following: + +1) Upgrade your vulnerable system to a supported FreeBSD stable or +release / security branch (releng) dated after the correction date. + +2) To update your vulnerable system via a source code patch: + +The following patches have been verified to apply to the applicable +FreeBSD release branches. + +a) Download the relevant patch from the location below, and verify the +detached PGP signature using your PGP utility. + +# fetch http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch +# fetch http://security.FreeBSD.org/patches/SA-13:08/nfsserver.patch.asc +# gpg --verify nfsserver.patch.asc + +b) Apply the patch. + +# cd /usr/src +# patch < /path/to/patch + +c) Recompile your kernel as described in +<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the +system. + +3) To update your vulnerable system via a binary patch: + +Systems running a RELEASE version of FreeBSD on the i386 or amd64 +platforms can be updated via the freebsd-update(8) utility: + +# freebsd-update fetch +# freebsd-update install + +VI. Correction details + +The following list contains the correction revision numbers for each +affected branch. + +Branch/path Revision +- ------------------------------------------------------------------------- +stable/8/ r245086 +releng/8.3/ r253694 +stable/9/ r244772 +releng/9.1/ r253693 +- ------------------------------------------------------------------------- + +To see which files were modified by a particular revision, run the +following command, replacing XXXXXX with the revision number, on a +machine with Subversion installed: + +# svn diff -cXXXXXX --summarize svn://svn.freebsd.org/base + +Or visit the following URL, replacing XXXXXX with the revision number: + +<URL:http://svnweb.freebsd.org/base?view=revision&revision=XXXXXX> + +VII. 
References + +<URL:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4851> + +The latest revision of this advisory is available at +http://security.FreeBSD.org/advisories/FreeBSD-SA-13:08.nfsserver.asc +-----BEGIN PGP SIGNATURE----- + +iEYEARECAAYFAlHzPrkACgkQFdaIBMps37I9YACfSu4orRhgOhol8vacW9kF3ZGP +jtAAn0t2i14CMo1MT5MztI6RWX3hnUWZ +=xjf/ +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:07/bind.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:07/bind.patch Sat Jul 27 03:39:12 2013 (r42453) @@ -0,0 +1,13 @@ +Index: contrib/bind9/lib/dns/rdata/generic/keydata_65533.c +=================================================================== +--- contrib/bind9/lib/dns/rdata/generic/keydata_65533.c (revision 253461) ++++ contrib/bind9/lib/dns/rdata/generic/keydata_65533.c (working copy) +@@ -176,7 +176,7 @@ + UNUSED(options); + + isc_buffer_activeregion(source, &sr); +- if (sr.length < 4) ++ if (sr.length < 16) + return (ISC_R_UNEXPECTEDEND); + + isc_buffer_forward(source, sr.length); Added: head/share/security/patches/SA-13:07/bind.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:07/bind.patch.asc Sat Jul 27 03:39:12 2013 (r42453) @@ -0,0 +1,6 @@ +-----BEGIN PGP SIGNATURE----- + +iEYEABECAAYFAlHzPqUACgkQFdaIBMps37IIPgCgioXGAf1PRyZ0mSeCktSzxFeY +l+4An0YlRzZ8Xbt+CgxwIwyvGjLYpy9q +=tbCD +-----END PGP SIGNATURE----- Added: head/share/security/patches/SA-13:08/nfsserver.patch ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:08/nfsserver.patch Sat Jul 27 03:39:12 2013 (r42453) 
@@ -0,0 +1,13 @@ +Index: sys/kern/vfs_export.c +=================================================================== +--- sys/kern/vfs_export.c (revision 253367) ++++ sys/kern/vfs_export.c (working copy) +@@ -208,7 +208,7 @@ + np->netc_anon = crget(); + np->netc_anon->cr_uid = argp->ex_anon.cr_uid; + crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, +- np->netc_anon->cr_groups); ++ argp->ex_anon.cr_groups); + np->netc_anon->cr_prison = &prison0; + prison_hold(np->netc_anon->cr_prison); + np->netc_numsecflavors = argp->ex_numsecflavors; Added: head/share/security/patches/SA-13:08/nfsserver.patch.asc ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/share/security/patches/SA-13:08/nfsserver.patch.asc Sat Jul 27 03:39:12 2013 (r42453) @@ -0,0 +1,22 @@ +-----BEGIN PGP SIGNED MESSAGE----- +Hash: SHA1 + +Index: sys/kern/vfs_export.c +=================================================================== +- --- sys/kern/vfs_export.c (revision 253367) ++++ sys/kern/vfs_export.c (working copy) +@@ -208,7 +208,7 @@ + np->netc_anon = crget(); + np->netc_anon->cr_uid = argp->ex_anon.cr_uid; + crsetgroups(np->netc_anon, argp->ex_anon.cr_ngroups, +- - np->netc_anon->cr_groups); ++ argp->ex_anon.cr_groups); + np->netc_anon->cr_prison = &prison0; + prison_hold(np->netc_anon->cr_prison); + np->netc_numsecflavors = argp->ex_numsecflavors; +-----BEGIN PGP SIGNATURE----- + +iEYEARECAAYFAlHzPsQACgkQFdaIBMps37J36gCgglvXt5i1cg/+gvs4mHyJ+mrj +tesAn1Qli/x2FjqbQ++FPs8qF2Sc7Rxs +=kdhf +-----END PGP SIGNATURE----- Modified: head/share/xml/advisories.xml ============================================================================== --- head/share/xml/advisories.xml Sat Jul 27 00:02:23 2013 (r42452) +++ head/share/xml/advisories.xml Sat Jul 27 03:39:12 2013 (r42453) 
@@ -8,6 +8,23 @@ <name>2013</name> <month> + <name>7</name> + + <day> + <name>26</name> + + <advisory> + <name>FreeBSD-SA-13:07.bind</name> + </advisory> + + <advisory> + <name>FreeBSD-SA-13:08.nfsserver</name> + </advisory> + </day> + + </month> + + <month> <name>6</name> <day>
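Review bot: In FreeBSD-SA-13:07.bind.asc, section II, the clause "to crash with an assertion failure and rejecting the malformed query" does not parse, so a reader cannot tell whether named(8) crashes instead of rejecting the query or while rejecting it. Suggest rewording the sentence (for example "with an assertion failure while rejecting the malformed query", if that is the intended meaning) before the advisory is signed, since the text sits inside the PGP-signed body and any later wording fix needs a new signature.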
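Review bot: In FreeBSD-SA-13:08.nfsserver.asc, section II ends with "when -network or -host restrictions are used at the same time" and never says at the same time as what. The commit log names -mapall and section IV names "-mapall or -maproot", so the three statements of the trigger condition disagree. Suggest stating the option combination once in section II and making the log and the workaround match it, so an administrator can check an exports(5) file against a single rule.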
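Review bot: In bind.patch, the new bound "if (sr.length < 16)" in keydata_65533.c is a bare constant, and neither the hunk nor section II of the advisory says which fixed-size fields make up those 16 bytes. Suggest a short comment or named constant at the check that records the layout, and one sentence in the advisory tying "malformed rdata" to a record shorter than that minimum, so a reader can confirm that raising the limit from 4 to 16 covers everything read after this point.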
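Review bot: In nfsserver.patch, the corrected crsetgroups() call takes both its count and its source array from argp->ex_anon, and the visible context shows no bound on argp->ex_anon.cr_ngroups before it is used as the length of that copy. With the old source argument the group list from the export arguments was never read here, so this is the first place the pair is consumed together; suggest confirming where cr_ngroups is validated on the way in and saying so in the log or a comment next to the call.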
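Review bot: nfsserver.patch.asc is a clearsigned copy of the patch (it opens with "-----BEGIN PGP SIGNED MESSAGE-----" and embeds the diff), while bind.patch.asc in the same commit is a detached signature and step 2a of SA-13:08 tells users to "verify the detached PGP signature" with "gpg --verify nfsserver.patch.asc". As committed, that command checks the copy embedded in the .asc file, not the separately fetched nfsserver.patch that the user then applies with patch. Suggest regenerating the file as a detached signature over nfsserver.patch so that both advisories verify the file that is actually applied.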