[guru] FreeBSD security updates
DATE: Tue, 03 Mar 2009 23:55:39 +0100
The FreeBSD kernel's netgraph and bluetooth support does not initialize
every field in the socket descriptor, which can even result in kernel code execution.
The FreeBSD ftpd and lukemftpd daemons contain a cross-site request forgery
flaw: commands that are too long are cut off at the maximum line length
and treated as additional commands.
Here too, OpenSSL's EVP_VerifyFinal() function was used incorrectly,
which resulted in faulty DSA and ECDSA key verification.
The TELNET protocol allows environment variables to be passed,
but setting some variables can be dangerous before the login
process has completed. FreeBSD's telnetd used to strip such
variables, but when the environment variable handling was reworked
the protection was nullified, so an old bug may affect systems
again.
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:13.protosw Security Advisory
The FreeBSD Project
Topic: netgraph / bluetooth privilege escalation
Category: core
Module: sys_kern
Announced: 2008-12-23
Credits: Christer Oberg
Affects: All FreeBSD releases
Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The FreeBSD kernel provides support for a variety of different types of
communications sockets, including IPv4, IPv6, ISDN, ATM, routing protocol,
link-layer, netgraph(4), and bluetooth sockets. As an early form of
object-oriented design, much of the functionality specific to different
types of sockets is abstracted via function pointers.
II. Problem Description
Some function pointers for netgraph and bluetooth sockets are not
properly initialized.
III. Impact
A local user can cause the FreeBSD kernel to execute arbitrary code.
This could be used by an attacker directly; or it could be used to gain
root privilege or to escape from a jail.
IV. Workaround
No workaround is available, but systems without local untrusted users
are not vulnerable. Furthermore, systems are not vulnerable if they
have neither the ng_socket nor ng_bluetooth kernel modules loaded or
compiled into the kernel.
Systems with the security.jail.socket_unixiproute_only sysctl set to
1 (the default) are only vulnerable if they have local untrusted users
outside of jails.
If the command
# kldstat -v | grep ng_
produces no output, the system is not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch dated after the
correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4,
and 7.0 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw6x.patch
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw6x.patch.asc
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw.patch
# fetch http://security.FreeBSD.org/patches/SA-08:13/protosw.patch.asc
b) Apply the patch.
# cd /usr/src
# patch < /path/to/patch
c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/sys/kern/uipc_domain.c 1.44.2.4
RELENG_6_4
src/UPDATING 1.416.2.40.2.4
src/sys/conf/newvers.sh 1.69.2.18.2.7
src/sys/kern/uipc_domain.c 1.44.2.3.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.12
src/sys/conf/newvers.sh 1.69.2.15.2.11
src/sys/kern/uipc_domain.c 1.44.2.3.4.1
RELENG_7
src/sys/kern/uipc_domain.c 1.51.2.2
RELENG_7_1
src/UPDATING 1.507.2.13.2.2
src/sys/kern/uipc_domain.c 1.51.2.1.2.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.11
src/sys/conf/newvers.sh 1.72.2.5.2.11
src/sys/kern/uipc_domain.c 1.51.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186405
releng/6.4/ r186405
releng/6.3/ r186405
stable/7/ r186405
releng/7.1/ r186405
releng/7.0/ r186405
- -------------------------------------------------------------------------
VII. References
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:13.protosw.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEARECAAYFAklQP9QACgkQFdaIBMps37KL2gCfRlQ7kTB24DYnDEGRUC+px4bX
214AoJJrJjaeS6ITyk73AL/OK+rNAM4u
=7qyU
-----END PGP SIGNATURE-----
--- End Message ---
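An added example, not part of the advisory or the FreeBSD patch: a user-space C model of the function-pointer dispatch described in FreeBSD-SA-08:13.protosw, with one defensive pattern in which registration fills every unset slot with a refusing default. The struct, the function names and the sample protocol are hypothetical.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified, hypothetical model of a per-protocol operations table:
 * the generic socket layer calls through these pointers. */
struct proto_ops {
    const char *name;
    int (*attach)(int so);
    int (*connect)(int so, const char *addr);
    int (*shutdown)(int so);
};

/* Defaults that refuse the request instead of leaving a slot unset. */
static int attach_notsupp(int so) { (void)so; return EOPNOTSUPP; }
static int connect_notsupp(int so, const char *addr)
{
    (void)so; (void)addr;
    return EOPNOTSUPP;
}
static int shutdown_notsupp(int so) { (void)so; return EOPNOTSUPP; }

/* Count the slots a protocol left unset (a registration-time audit). */
int proto_ops_count_unset(const struct proto_ops *ops)
{
    return (ops->attach == NULL) + (ops->connect == NULL) +
           (ops->shutdown == NULL);
}

/* Registration step: every unset slot gets a refusing default, so the
 * generic layer never calls through an uninitialized pointer. */
void proto_ops_register(struct proto_ops *ops)
{
    if (ops->attach == NULL)   ops->attach = attach_notsupp;
    if (ops->connect == NULL)  ops->connect = connect_notsupp;
    if (ops->shutdown == NULL) ops->shutdown = shutdown_notsupp;
}

/* Constructed sample protocol that implements attach only. */
static int demo_attach(int so) { (void)so; return 0; }
struct proto_ops demo_proto = { .name = "demo", .attach = demo_attach };

/* Generic-layer entry point: dispatches without knowing the protocol. */
int generic_shutdown(const struct proto_ops *ops, int so)
{
    return ops->shutdown(so);
}

int main(void)
{
    printf("%s: %d unset slot(s) before registration\n",
           demo_proto.name, proto_ops_count_unset(&demo_proto));
    proto_ops_register(&demo_proto);
    printf("shutdown -> %d (EOPNOTSUPP is %d)\n",
           generic_shutdown(&demo_proto, 3), EOPNOTSUPP);
    return 0;
}
```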
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-08:12.ftpd Security Advisory
The FreeBSD Project
Topic: Cross-site request forgery in ftpd(8)
Category: core
Module: ftpd
Announced: 2008-12-23
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2008-12-23 01:23:09 UTC (RELENG_7, 7.1-PRERELEASE)
2008-12-23 01:23:09 UTC (RELENG_7_1, 7.1-RC2)
2008-12-23 01:23:09 UTC (RELENG_7_0, 7.0-RELEASE-p7)
2008-12-23 01:23:09 UTC (RELENG_6, 6.4-STABLE)
2008-12-23 01:23:09 UTC (RELENG_6_4, 6.4-RELEASE-p1)
2008-12-23 01:23:09 UTC (RELENG_6_3, 6.3-RELEASE-p7)
CVE Name: CVE-2008-4247
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
ftpd(8) is a general-purpose implementation of File Transfer Protocol (FTP)
server that is shipped with the FreeBSD base system. It is not enabled
in default installations but can be enabled as either an inetd(8) server,
or a stand-alone server.
A cross-site request forgery attack is a type of malicious exploit that is
mainly targeted to a web browser, by tricking a user trusted by the site
into visiting a specially crafted URL, which in turn executes a command
which performs some privileged operations on behalf of the trusted user
on the victim site.
II. Problem Description
The ftpd(8) server splits long commands into several requests. This
may result in the server executing a command which is hidden inside
another very long command.
III. Impact
This could, with a specifically crafted command, be used in a
cross-site request forgery attack.
FreeBSD systems running ftpd(8) server could act as a point of privilege
escalation in an attack against users using web browser to access trusted
FTP sites.
IV. Workaround
No workaround is available, but systems not running FTP servers are
not vulnerable. Systems not running the FreeBSD ftp(8) server are not
affected, but users of other ftp daemons are advised to take care
since several other ftp daemons are known to have related bugs.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-08:12/ftpd.patch
# fetch http://security.FreeBSD.org/patches/SA-08:12/ftpd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/ftpd
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/libexec/ftpd/ftpcmd.y 1.64.2.3
src/libexec/ftpd/extern.h 1.19.14.1
src/libexec/ftpd/ftpd.c 1.206.2.4
RELENG_6_4
src/UPDATING 1.416.2.40.2.4
src/sys/conf/newvers.sh 1.69.2.18.2.7
src/libexec/ftpd/ftpcmd.y 1.64.2.2.4.2
src/libexec/ftpd/extern.h 1.19.30.2
src/libexec/ftpd/ftpd.c 1.206.2.3.4.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.12
src/sys/conf/newvers.sh 1.69.2.15.2.11
src/libexec/ftpd/ftpcmd.y 1.64.2.2.2.1
src/libexec/ftpd/extern.h 1.19.26.1
src/libexec/ftpd/ftpd.c 1.206.2.3.2.1
RELENG_7
src/libexec/ftpd/ftpcmd.y 1.66.2.1
src/libexec/ftpd/extern.h 1.19.24.1
src/libexec/ftpd/ftpd.c 1.212.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.2
src/libexec/ftpd/ftpcmd.y 1.66.6.2
src/libexec/ftpd/extern.h 1.19.32.2
src/libexec/ftpd/ftpd.c 1.212.6.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.11
src/sys/conf/newvers.sh 1.72.2.5.2.11
src/libexec/ftpd/ftpcmd.y 1.66.4.1
src/libexec/ftpd/extern.h 1.19.28.1
src/libexec/ftpd/ftpd.c 1.212.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186405
releng/6.4/ r186405
releng/6.3/ r186405
stable/7/ r186405
releng/7.1/ r186405
releng/7.0/ r186405
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4247
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-08:12.ftpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEARECAAYFAklQP8wACgkQFdaIBMps37ITvgCePP8oVI6cffvQu229Qg7eNshN
A0kAn3A6kjr+QovEwOVKNzjow1aCtU8K
=sDxD
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:01.lukemftpd Security Advisory
The FreeBSD Project
Topic: Cross-site request forgery in lukemftpd(8)
Category: core
Module: lukemftpd
Announced: 2009-01-07
Credits: Maksymilian Arciemowicz
Affects: All supported versions of FreeBSD.
Corrected: 2009-01-07 20:17:55 UTC (RELENG_7, 7.1-STABLE)
2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name: CVE-2008-4247
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
lukemftpd(8) is a general-purpose implementation of File Transfer Protocol
(FTP) server that is shipped with the FreeBSD base system. It is not enabled
in default installations but can be enabled as either an inetd(8) server,
or a stand-alone server.
A cross-site request forgery attack is a type of malicious exploit that is
mainly targeted to a web browser, by tricking a user trusted by the site
into visiting a specially crafted URL, which in turn executes a command
which performs some privileged operations on behalf of the trusted user
on the victim site.
II. Problem Description
The lukemftpd(8) server splits long commands into several requests. This
may result in the server executing a command which is hidden inside
another very long command.
III. Impact
This could, with a specifically crafted command, be used in a
cross-site request forgery attack.
FreeBSD systems running lukemftpd(8) server could act as a point of privilege
escalation in an attack against users using web browser to access trusted
FTP sites.
IV. Workaround
No workaround is available, but systems not running FTP servers are
not vulnerable. Systems not running the FreeBSD lukemftpd(8) server are not
affected, but users of other ftp daemons are advised to take care since
several other ftp daemons are known to have related bugs.
NOTE WELL: lukemftpd(8) is a different implementation of an FTP server
than ftpd(8).
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-09:01/lukemftpd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:01/lukemftpd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/libexec/lukemftpd
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.5.2.2
src/contrib/lukemftpd/src/extern.h 1.1.1.4.2.2
src/contrib/lukemftpd/src/ftpd.c 1.4.2.2
RELENG_6_4
src/UPDATING 1.416.2.40.2.5
src/sys/conf/newvers.sh 1.69.2.18.2.8
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.5.2.1.6.1
src/contrib/lukemftpd/src/extern.h 1.1.1.4.2.1.6.1
src/contrib/lukemftpd/src/ftpd.c 1.4.2.1.6.2
RELENG_6_3
src/UPDATING 1.416.2.37.2.13
src/sys/conf/newvers.sh 1.69.2.15.2.12
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.5.2.1.4.1
src/contrib/lukemftpd/src/extern.h 1.1.1.4.2.1.4.1
src/contrib/lukemftpd/src/ftpd.c 1.4.2.1.4.1
RELENG_7
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.6.2.1
src/contrib/lukemftpd/src/extern.h 1.1.1.5.2.1
src/contrib/lukemftpd/src/ftpd.c 1.5.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.4
src/sys/conf/newvers.sh 1.72.2.9.2.5
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.6.6.1
src/contrib/lukemftpd/src/extern.h 1.1.1.5.6.1
src/contrib/lukemftpd/src/ftpd.c 1.5.6.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.12
src/sys/conf/newvers.sh 1.72.2.5.2.12
src/contrib/lukemftpd/src/ftpcmd.y 1.1.1.6.4.1
src/contrib/lukemftpd/src/extern.h 1.1.1.5.4.1
src/contrib/lukemftpd/src/ftpd.c 1.5.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186872
releng/6.4/ r186872
releng/6.3/ r186872
stable/7/ r186872
releng/7.1/ r186872
releng/7.0/ r186872
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4247
http://security.freebsd.org/advisories/FreeBSD-SA-08:12.ftpd.asc
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:01.lukemftpd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFJZR5UFdaIBMps37IRApUJAKCEGZggeEjPC67j5Tmxl2fEDJ9sIQCfTAKn
vpOXC5jix3XiB7wxGKrvNJM=
=qPEc
-----END PGP SIGNATURE-----
--- End Message ---
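An added example, not code from ftpd(8), lukemftpd(8) or their patches: a C model of the command reader described in FreeBSD-SA-08:12.ftpd and FreeBSD-SA-09:01.lukemftpd, showing a reader that splits an over-long line next to one that consumes and rejects the whole line. The 16-byte buffer, the function names and the sample byte stream are constructed for the demonstration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF   16   /* constructed small limit so the sample stays short */
#define MAX_LINES 4

struct wire { const char *data; size_t len, pos; };
struct session {
    int dispatched, rejected;
    char lines[MAX_LINES][CMD_BUF];
};

/* Behaviour the advisories describe: stop at the buffer limit and leave the
 * rest of the line in the stream, where the next call reads it as a command.
 * Returns 1 for a line, 0 at end of input. */
static int read_cmd_splitting(struct wire *w, char *out, size_t outsz)
{
    size_t n = 0;
    if (w->pos >= w->len) return 0;
    while (w->pos < w->len && n + 1 < outsz) {
        char c = w->data[w->pos++];
        if (c == '\n') break;
        if (c != '\r') out[n++] = c;
    }
    out[n] = '\0';
    return 1;
}

/* Hardened reader: always consume through the newline; if the line did not
 * fit, report it so the caller rejects the whole line.
 * Returns 1 for a line, -1 for an over-long line, 0 at end of input. */
static int read_cmd_strict(struct wire *w, char *out, size_t outsz)
{
    size_t n = 0;
    int too_long = 0;
    if (w->pos >= w->len) return 0;
    while (w->pos < w->len) {
        char c = w->data[w->pos++];
        if (c == '\n') break;
        if (c == '\r') continue;
        if (n + 1 < outsz) out[n++] = c;
        else too_long = 1;
    }
    out[too_long ? 0 : n] = '\0';
    return too_long ? -1 : 1;
}

/* Feed a control-connection byte stream to one of the readers and record
 * which lines would reach the command parser. */
struct session run_session(const char *bytes, int strict)
{
    struct wire w = { bytes, strlen(bytes), 0 };
    struct session s;
    char buf[CMD_BUF];
    int rc;

    memset(&s, 0, sizeof s);
    while ((rc = strict ? read_cmd_strict(&w, buf, sizeof buf)
                        : read_cmd_splitting(&w, buf, sizeof buf)) != 0) {
        if (rc < 0) { s.rejected++; continue; }
        if (s.dispatched < MAX_LINES)
            strcpy(s.lines[s.dispatched], buf);
        s.dispatched++;
    }
    return s;
}

/* Constructed input: one 19-character line, then one normal command. */
const char SAMPLE[] = "RETR " "AAAAA" "AAAAA" "NOOP\r\n" "SYST\r\n";

int main(void)
{
    struct session a = run_session(SAMPLE, 0), b = run_session(SAMPLE, 1);
    printf("splitting reader: %d dispatched, second line \"%s\"\n",
           a.dispatched, a.lines[1]);
    printf("strict reader:    %d dispatched, %d rejected\n",
           b.dispatched, b.rejected);
    return 0;
}
```

With the splitting reader the tail of the long line reaches the parser as its own command; the strict reader hands the parser only the well-formed line.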
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:02.openssl Security Advisory
The FreeBSD Project
Topic: OpenSSL incorrectly checks for malformed signatures
Category: contrib
Module: openssl
Announced: 2009-01-07
Credits: Google Security Team
Affects: All FreeBSD releases
Corrected: 2009-01-07 21:03:41 UTC (RELENG_7, 7.1-STABLE)
2009-01-07 20:17:55 UTC (RELENG_7_1, 7.1-RELEASE-p1)
2009-01-07 20:17:55 UTC (RELENG_7_0, 7.0-RELEASE-p8)
2009-01-07 20:17:55 UTC (RELENG_6, 6.4-STABLE)
2009-01-07 20:17:55 UTC (RELENG_6_4, 6.4-RELEASE-p2)
2009-01-07 20:17:55 UTC (RELENG_6_3, 6.3-RELEASE-p8)
CVE Name: CVE-2008-5077
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
FreeBSD includes software from the OpenSSL Project. The OpenSSL Project is
a collaborative effort to develop a robust, commercial-grade, full-featured
Open Source toolkit implementing the Secure Sockets Layer (SSL v2/v3)
and Transport Layer Security (TLS v1) protocols as well as a full-strength
general purpose cryptography library.
II. Problem Description
The EVP_VerifyFinal() function from OpenSSL is used to determine if a
digital signature is valid. The SSL layer in OpenSSL uses
EVP_VerifyFinal(), which in several places checks the return value
incorrectly and treats verification errors as a good signature. This
is only a problem for DSA and ECDSA keys.
III. Impact
For applications using OpenSSL for SSL connections, an invalid SSL
certificate may be interpreted as valid. This could for example be
used by an attacker to perform a man-in-the-middle attack.
Other applications which use the OpenSSL EVP API may similarly be
affected.
IV. Workaround
For a server an RSA signed certificate may be used instead of DSA or
ECDSA based certificate.
Note that Mozilla Firefox does not use OpenSSL and thus is not
affected.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 7.x]
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl.patch.asc
[FreeBSD 6.x]
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch
# fetch http://security.FreeBSD.org/patches/SA-09:02/openssl6.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libssl
# make obj && make depend && make && make install
# cd /usr/src/secure/usr.bin/openssl
# make obj && make depend && make && make install
NOTE: On the amd64 platform, the above procedure will not update the
lib32 (i386 compatibility) libraries. On amd64 systems where the i386
compatibility libraries are used, the operating system should instead
be recompiled as described in
<URL:http://www.FreeBSD.org/handbook/makeworld.html>
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/crypto/openssl/apps/speed.c 1.13.2.1
src/crypto/openssl/apps/verify.c 1.1.1.5.12.1
src/crypto/openssl/apps/x509.c 1.1.1.10.2.1
src/crypto/openssl/apps/spkac.c 1.1.1.4.12.1
src/crypto/openssl/ssl/s2_srvr.c 1.12.2.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.2
src/crypto/openssl/ssl/s2_clnt.c 1.13.2.2
RELENG_6_4
src/UPDATING 1.416.2.40.2.5
src/sys/conf/newvers.sh 1.69.2.18.2.8
src/crypto/openssl/apps/speed.c 1.13.12.1
src/crypto/openssl/apps/verify.c 1.1.1.5.24.1
src/crypto/openssl/apps/x509.c 1.1.1.10.12.1
src/crypto/openssl/apps/spkac.c 1.1.1.4.24.1
src/crypto/openssl/ssl/s2_srvr.c 1.12.12.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.12.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1.6.1
src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1.6.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.13
src/sys/conf/newvers.sh 1.69.2.15.2.12
src/crypto/openssl/apps/speed.c 1.13.10.1
src/crypto/openssl/apps/verify.c 1.1.1.5.22.1
src/crypto/openssl/apps/x509.c 1.1.1.10.10.1
src/crypto/openssl/apps/spkac.c 1.1.1.4.22.1
src/crypto/openssl/ssl/s2_srvr.c 1.12.10.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.12.10.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.14.2.1.4.1
src/crypto/openssl/ssl/s2_clnt.c 1.13.2.1.4.1
RELENG_7
src/crypto/openssl/apps/speed.c 1.15.2.1
src/crypto/openssl/apps/verify.c 1.1.1.6.2.1
src/crypto/openssl/apps/x509.c 1.1.1.11.2.1
src/crypto/openssl/apps/spkac.c 1.1.1.5.2.1
src/crypto/openssl/ssl/s2_srvr.c 1.13.2.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.2.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.2.1
src/crypto/openssl/ssl/ssltest.c 1.1.1.10.2.1
src/crypto/openssl/ssl/s2_clnt.c 1.15.2.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.4
src/sys/conf/newvers.sh 1.72.2.9.2.5
src/crypto/openssl/apps/speed.c 1.15.6.1
src/crypto/openssl/apps/verify.c 1.1.1.6.6.1
src/crypto/openssl/apps/x509.c 1.1.1.11.6.1
src/crypto/openssl/apps/spkac.c 1.1.1.5.6.1
src/crypto/openssl/ssl/s2_srvr.c 1.13.6.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.6.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.6.1
src/crypto/openssl/ssl/ssltest.c 1.1.1.10.6.1
src/crypto/openssl/ssl/s2_clnt.c 1.15.6.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.12
src/sys/conf/newvers.sh 1.72.2.5.2.12
src/crypto/openssl/apps/speed.c 1.15.4.1
src/crypto/openssl/apps/verify.c 1.1.1.6.4.1
src/crypto/openssl/apps/x509.c 1.1.1.11.4.1
src/crypto/openssl/apps/spkac.c 1.1.1.5.4.1
src/crypto/openssl/ssl/s2_srvr.c 1.13.4.1
src/crypto/openssl/ssl/s3_clnt.c 1.1.1.14.4.1
src/crypto/openssl/ssl/s3_srvr.c 1.1.1.17.4.1
src/crypto/openssl/ssl/ssltest.c 1.1.1.10.4.1
src/crypto/openssl/ssl/s2_clnt.c 1.15.4.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r186873
releng/6.4/ r186872
releng/6.3/ r186872
stable/7/ r186872
releng/7.1/ r186872
releng/7.0/ r186872
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5077
http://www.openssl.org/news/secadv_20090107.txt
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFJZR5ZFdaIBMps37IRAofJAJ4lm2jGfsMo28c0W4zRkhZrKmttGwCgmdd9
IvNUwk47W24SwhQAGH5+Ggw=
=UHSl
-----END PGP SIGNATURE-----
--- End Message ---
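An added example, not OpenSSL or BIND code: a C model of the return-value mistake described in FreeBSD-SA-09:02.openssl, which FreeBSD-SA-09:04.bind reports for DSA_do_verify() as well. EVP_VerifyFinal() returns 1 for a correct signature, 0 for an incorrect one and -1 on error; toy_verify() is a hypothetical stand-in that keeps that convention, parses a DER SEQUENCE of two INTEGERs and compares them with constructed constants instead of doing DSA mathematics.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed "expected" values; comparing against them stands in for the
 * real DSA/ECDSA mathematics, which this model does not implement. */
static const unsigned char EXPECT_R[] = { 0x11, 0x22 };
static const unsigned char EXPECT_S[] = { 0x33, 0x44 };

/* Read one DER INTEGER with a short-form length.
 * Returns 0 on success, -1 if the encoding is malformed. */
static int der_int(const unsigned char **p, const unsigned char *end,
                   const unsigned char **val, size_t *len)
{
    if (end - *p < 2 || (*p)[0] != 0x02)
        return -1;
    *len = (*p)[1];
    if (*len == 0 || *len > 0x7f || (size_t)(end - *p) - 2 < *len)
        return -1;
    *val = *p + 2;
    *p += 2 + *len;
    return 0;
}

/* Toy verifier with the tri-state convention:
 *   1 = signature correct, 0 = signature incorrect, -1 = error. */
int toy_verify(const unsigned char *sig, size_t siglen)
{
    const unsigned char *p = sig, *end = sig + siglen, *r, *s;
    size_t rlen, slen;

    if (siglen < 2 || p[0] != 0x30 || p[1] > 0x7f ||
        (size_t)p[1] != siglen - 2)
        return -1;
    p += 2;
    if (der_int(&p, end, &r, &rlen) || der_int(&p, end, &s, &slen) ||
        p != end)
        return -1;
    if (rlen == sizeof EXPECT_R && slen == sizeof EXPECT_S &&
        memcmp(r, EXPECT_R, rlen) == 0 && memcmp(s, EXPECT_S, slen) == 0)
        return 1;
    return 0;
}

/* Pattern from the advisory: only 0 counts as failure, so the error
 * value -1 falls through and the signature is treated as good. */
int accept_boolean_check(const unsigned char *sig, size_t n)
{
    if (!toy_verify(sig, n))
        return 0;
    return 1;
}

/* Corrected pattern: anything other than 1 is a rejection. */
int accept_strict_check(const unsigned char *sig, size_t n)
{
    return toy_verify(sig, n) == 1;
}

/* Constructed samples: well-formed and matching, well-formed but wrong,
 * and malformed (second element carries tag 0x04 instead of INTEGER). */
const unsigned char SIG_GOOD[] =
    { 0x30, 0x08, 0x02, 0x02, 0x11, 0x22, 0x02, 0x02, 0x33, 0x44 };
const unsigned char SIG_WRONG[] =
    { 0x30, 0x08, 0x02, 0x02, 0x11, 0x22, 0x02, 0x02, 0x33, 0x45 };
const unsigned char SIG_MALFORMED[] =
    { 0x30, 0x08, 0x02, 0x02, 0x11, 0x22, 0x04, 0x02, 0x33, 0x44 };

int main(void)
{
    printf("malformed: verify=%d boolean-check accepts=%d strict accepts=%d\n",
           toy_verify(SIG_MALFORMED, sizeof SIG_MALFORMED),
           accept_boolean_check(SIG_MALFORMED, sizeof SIG_MALFORMED),
           accept_strict_check(SIG_MALFORMED, sizeof SIG_MALFORMED));
    return 0;
}
```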
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:04.bind Security Advisory
The FreeBSD Project
Topic: BIND DNSSEC incorrect checks for malformed signatures
Category: contrib
Module: bind
Announced: 2009-01-13
Credits: Google Security Team
Affects: All supported FreeBSD versions
Corrected: 2009-01-10 03:00:21 UTC (RELENG_7, 7.1-STABLE)
2009-01-13 21:19:27 UTC (RELENG_7_1, 7.1-RELEASE-p2)
2009-01-13 21:19:27 UTC (RELENG_7_0, 7.0-RELEASE-p9)
2009-01-10 04:30:27 UTC (RELENG_6, 6.4-STABLE)
2009-01-13 21:19:27 UTC (RELENG_6_4, 6.4-RELEASE-p3)
2009-01-13 21:19:27 UTC (RELENG_6_3, 6.3-RELEASE-p9)
CVE Name: CVE-2009-0025
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server. DNS Security
Extensions (DNSSEC) are additional protocol options that add
authentication as part of responses to DNS queries.
FreeBSD includes software from the OpenSSL Project. The OpenSSL
Project is a collaborative effort to develop a robust,
commercial-grade, full-featured Open Source toolkit implementing the
Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
protocols as well as a full-strength general purpose cryptography
library.
II. Problem Description
The DSA_do_verify() function from OpenSSL is used to determine if a
DSA digital signature is valid. When DNSSEC is used within BIND it
uses DSA_do_verify() to verify DSA signatures, but checks the function
return value incorrectly.
III. Impact
It is in theory possible to spoof a DNS reply even though DNSSEC
is set up to validate answers. This could be used by an attacker for
man-in-the-middle or other spoofing attacks.
IV. Workaround
Disable the DSA algorithm in named.conf. This will cause answers
from zones signed only with DSA to be treated as insecure. Add the
following to the options section of named.conf:
disable-algorithms . { DSA; };
NOTE WELL: If named(8) is not explicitly set to use DNSSEC the setup is
not vulnerable to the issue as described in this Security Advisory.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 6-STABLE, or 7-STABLE, or to the
RELENG_7_1, RELENG_7_0, RELENG_6_4, or RELENG_6_3 security branch
dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 6.3, 6.4,
7.0, and 7.1 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-09:04/bind.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install
# /etc/rc.d/named restart
c) Install and use a fixed version of BIND from the FreeBSD Ports
Collection.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_6
src/contrib/bind9/CHANGES 1.1.1.3.2.10
src/contrib/bind9/FAQ 1.1.1.2.2.5
src/contrib/bind9/FAQ.xml 1.1.1.1.2.5
src/contrib/bind9/README 1.1.1.2.2.6
src/contrib/bind9/aclocal.m4 1.1.4.1
src/contrib/bind9/bin/dig/dig.1 1.1.1.1.4.4
src/contrib/bind9/bin/dig/dig.c 1.1.1.2.2.4
src/contrib/bind9/bin/dig/dig.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dig/dig.html 1.1.1.1.4.4
src/contrib/bind9/bin/dig/dighost.c 1.1.1.2.2.5
src/contrib/bind9/bin/dig/host.1 1.1.1.1.4.4
src/contrib/bind9/bin/dig/host.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dig/host.html 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-keygen.8 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-keygen.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dnssec/dnssec-keygen.html 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-signzone.8 1.1.1.1.4.4
src/contrib/bind9/bin/dnssec/dnssec-signzone.c 1.1.1.2.2.4
src/contrib/bind9/bin/dnssec/dnssec-signzone.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/dnssec/dnssec-signzone.html 1.1.1.1.4.4
src/contrib/bind9/bin/named/client.c 1.1.1.2.2.7
src/contrib/bind9/bin/named/config.c 1.1.1.2.2.4
src/contrib/bind9/bin/named/controlconf.c 1.1.1.1.4.4
src/contrib/bind9/bin/named/include/named/globals.h 1.1.1.1.4.2
src/contrib/bind9/bin/named/interfacemgr.c 1.1.1.1.4.4
src/contrib/bind9/bin/named/lwresd.8 1.1.1.1.4.4
src/contrib/bind9/bin/named/lwresd.c 1.1.1.1.4.3
src/contrib/bind9/bin/named/lwresd.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/named/lwresd.html 1.1.1.1.4.4
src/contrib/bind9/bin/named/main.c 1.1.1.2.2.3
src/contrib/bind9/bin/named/named.8 1.1.1.1.4.4
src/contrib/bind9/bin/named/named.conf.5 1.1.1.2.2.4
src/contrib/bind9/bin/named/named.conf.docbook 1.1.1.2.2.5
src/contrib/bind9/bin/named/named.conf.html 1.1.1.2.2.4
src/contrib/bind9/bin/named/named.docbook 1.1.1.1.4.4
src/contrib/bind9/bin/named/named.html 1.1.1.1.4.4
src/contrib/bind9/bin/named/query.c 1.1.1.1.4.6
src/contrib/bind9/bin/named/server.c 1.1.1.2.2.6
src/contrib/bind9/bin/named/unix/include/named/os.h 1.1.1.2.2.2
src/contrib/bind9/bin/named/unix/os.c 1.1.1.2.2.4
src/contrib/bind9/bin/named/update.c 1.1.1.2.2.4
src/contrib/bind9/bin/nsupdate/Makefile.in 1.1.1.1.4.2
src/contrib/bind9/bin/nsupdate/nsupdate.1 1.1.4.1
src/contrib/bind9/bin/nsupdate/nsupdate.8 1.1.1.1.4.4
src/contrib/bind9/bin/nsupdate/nsupdate.docbook 1.1.1.1.4.3
src/contrib/bind9/bin/nsupdate/nsupdate.html 1.1.1.1.4.4
src/contrib/bind9/bin/rndc/rndc-confgen.c 1.1.1.2.2.1
src/contrib/bind9/bin/rndc/rndc.c 1.1.1.3.2.3
src/contrib/bind9/config.h.in 1.1.4.1
src/contrib/bind9/configure.in 1.1.1.2.2.6
src/contrib/bind9/lib/bind/aclocal.m4 1.1.1.2.2.2
src/contrib/bind9/lib/bind/api 1.1.1.2.2.4
src/contrib/bind9/lib/bind/bsd/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/bsd/strerror.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/bsd/strtoul.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/config.h.in 1.1.1.2.2.4
src/contrib/bind9/lib/bind/configure.in 1.1.1.2.2.5
src/contrib/bind9/lib/bind/dst/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/dst/dst_api.c 1.1.1.2.2.4
src/contrib/bind9/lib/bind/dst/hmac_link.c 1.1.1.1.4.4
src/contrib/bind9/lib/bind/dst/support.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/include/arpa/nameser.h 1.1.1.1.4.1
src/contrib/bind9/lib/bind/include/isc/assertions.h 1.1.1.1.4.1
src/contrib/bind9/lib/bind/include/isc/misc.h 1.1.1.1.4.1
src/contrib/bind9/lib/bind/include/resolv.h 1.1.1.1.4.2
src/contrib/bind9/lib/bind/inet/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/inet/inet_net_pton.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/irs/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/irs/dns_ho.c 1.1.1.1.4.4
src/contrib/bind9/lib/bind/irs/irp.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/isc/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/isc/assertions.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/isc/bitncmp.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/isc/ctl_clnt.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/isc/ctl_srvr.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/nameser/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/bind/port_after.h.in 1.1.1.2.2.4
src/contrib/bind9/lib/bind/resolv/Makefile.in 1.1.1.1.4.2
src/contrib/bind9/lib/bind/resolv/res_debug.c 1.1.1.1.4.2
src/contrib/bind9/lib/bind/resolv/res_mkquery.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind/resolv/res_query.c 1.1.1.1.4.1
src/contrib/bind9/lib/bind9/api 1.1.1.2.2.4
src/contrib/bind9/lib/bind9/check.c 1.1.1.2.2.4
src/contrib/bind9/lib/dns/adb.c 1.1.1.2.2.4
src/contrib/bind9/lib/dns/api 1.1.1.2.2.7
src/contrib/bind9/lib/dns/cache.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.1.4.6
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.1.4.5
src/contrib/bind9/lib/dns/journal.c 1.1.1.2.2.3
src/contrib/bind9/lib/dns/masterdump.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/message.c 1.1.1.1.4.5
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.1.4.3
src/contrib/bind9/lib/dns/rbt.c 1.1.1.2.2.3
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.c 1.1.1.1.4.1
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.h 1.1.1.1.4.1
src/contrib/bind9/lib/dns/rdata/generic/txt_16.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c 1.1.1.1.4.1
src/contrib/bind9/lib/dns/request.c 1.1.1.1.4.4
src/contrib/bind9/lib/dns/resolver.c 1.1.1.2.2.10
src/contrib/bind9/lib/dns/validator.c 1.1.1.2.2.5
src/contrib/bind9/lib/dns/view.c 1.1.1.1.4.2
src/contrib/bind9/lib/dns/xfrin.c 1.1.1.2.2.5
src/contrib/bind9/lib/isc/Makefile.in 1.1.1.1.4.1
src/contrib/bind9/lib/isc/api 1.1.1.2.2.5
src/contrib/bind9/lib/isc/assertions.c 1.1.1.1.4.1
src/contrib/bind9/lib/isc/include/isc/assertions.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/include/isc/mem.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/msgs.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/include/isc/platform.h.in 1.1.1.1.4.2
src/contrib/bind9/lib/isc/include/isc/portset.h 1.1.4.1
src/contrib/bind9/lib/isc/include/isc/resource.h 1.1.1.1.4.2
src/contrib/bind9/lib/isc/include/isc/socket.h 1.1.1.1.4.3
src/contrib/bind9/lib/isc/include/isc/timer.h 1.1.1.1.4.4
src/contrib/bind9/lib/isc/include/isc/types.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/mem.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/portset.c 1.1.4.1
src/contrib/bind9/lib/isc/print.c 1.1.1.1.4.2
src/contrib/bind9/lib/isc/pthreads/mutex.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/timer.c 1.1.1.1.4.5
src/contrib/bind9/lib/isc/unix/app.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/unix/include/isc/net.h 1.1.1.1.4.1
src/contrib/bind9/lib/isc/unix/net.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/unix/resource.c 1.1.1.1.4.3
src/contrib/bind9/lib/isc/unix/socket.c 1.1.1.2.2.5
src/contrib/bind9/lib/isc/unix/socket_p.h 1.1.1.1.4.2
src/contrib/bind9/lib/isc/unix/time.c 1.1.1.1.4.1
src/contrib/bind9/lib/isccfg/api 1.1.1.2.2.4
src/contrib/bind9/lib/isccfg/namedconf.c 1.1.1.2.2.5
src/contrib/bind9/version 1.1.1.3.2.10
RELENG_6_4
src/UPDATING 1.416.2.40.2.6
src/sys/conf/newvers.sh 1.69.2.18.2.9
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.1.4.2.4.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.1.4.2.2.1
RELENG_6_3
src/UPDATING 1.416.2.37.2.14
src/sys/conf/newvers.sh 1.69.2.15.2.13
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.1.4.2.2.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.1.4.1.2.1
RELENG_7
src/contrib/bind9/CHANGES 1.1.1.10.2.4
src/contrib/bind9/COPYRIGHT 1.1.1.4.2.3
src/contrib/bind9/FAQ 1.1.1.6.2.2
src/contrib/bind9/FAQ.xml 1.1.1.4.2.2
src/contrib/bind9/README 1.1.1.7.2.2
src/contrib/bind9/aclocal.m4 1.1.2.1
src/contrib/bind9/bin/check/check-tool.c 1.1.1.3.2.2
src/contrib/bind9/bin/check/named-checkconf.c 1.1.1.4.2.1
src/contrib/bind9/bin/check/named-checkzone.c 1.1.1.3.2.2
src/contrib/bind9/bin/dig/dig.1 1.1.1.4.2.2
src/contrib/bind9/bin/dig/dig.c 1.1.1.5.2.2
src/contrib/bind9/bin/dig/dig.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dig/dig.html 1.1.1.4.2.2
src/contrib/bind9/bin/dig/dighost.c 1.1.1.5.2.3
src/contrib/bind9/bin/dig/host.1 1.1.1.4.2.2
src/contrib/bind9/bin/dig/host.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dig/host.html 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-keygen.8 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-keygen.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dnssec/dnssec-keygen.html 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.8 1.1.1.4.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.c 1.1.1.5.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/dnssec/dnssec-signzone.html 1.1.1.4.2.2
src/contrib/bind9/bin/named/client.c 1.1.1.6.2.4
src/contrib/bind9/bin/named/config.c 1.1.1.4.2.3
src/contrib/bind9/bin/named/controlconf.c 1.1.1.3.2.2
src/contrib/bind9/bin/named/include/named/globals.h 1.1.1.3.2.1
src/contrib/bind9/bin/named/interfacemgr.c 1.1.1.3.2.2
src/contrib/bind9/bin/named/lwaddr.c 1.1.1.2.2.1
src/contrib/bind9/bin/named/lwdgnba.c 1.1.1.2.2.1
src/contrib/bind9/bin/named/lwdnoop.c 1.1.1.2.2.1
src/contrib/bind9/bin/named/lwresd.8 1.1.1.4.2.2
src/contrib/bind9/bin/named/lwresd.c 1.1.1.3.2.2
src/contrib/bind9/bin/named/lwresd.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/named/lwresd.html 1.1.1.4.2.2
src/contrib/bind9/bin/named/main.c 1.1.1.5.2.1
src/contrib/bind9/bin/named/named.8 1.1.1.4.2.2
src/contrib/bind9/bin/named/named.conf.5 1.1.1.5.2.2
src/contrib/bind9/bin/named/named.conf.docbook 1.1.1.5.2.3
src/contrib/bind9/bin/named/named.conf.html 1.1.1.5.2.2
src/contrib/bind9/bin/named/named.docbook 1.1.1.4.2.2
src/contrib/bind9/bin/named/named.html 1.1.1.4.2.2
src/contrib/bind9/bin/named/query.c 1.1.1.6.2.2
src/contrib/bind9/bin/named/server.c 1.1.1.6.2.4
src/contrib/bind9/bin/named/unix/include/named/os.h 1.1.1.3.2.1
src/contrib/bind9/bin/named/unix/os.c 1.1.1.5.2.1
src/contrib/bind9/bin/named/update.c 1.1.1.5.2.2
src/contrib/bind9/bin/nsupdate/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/bin/nsupdate/nsupdate.1 1.1.2.1
src/contrib/bind9/bin/nsupdate/nsupdate.8 1.1.1.4.2.2
src/contrib/bind9/bin/nsupdate/nsupdate.c 1.1.1.5.2.2
src/contrib/bind9/bin/nsupdate/nsupdate.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/nsupdate/nsupdate.html 1.1.1.4.2.2
src/contrib/bind9/bin/rndc/rndc-confgen.c 1.1.1.3.2.1
src/contrib/bind9/bin/rndc/rndc.8 1.1.1.4.2.2
src/contrib/bind9/bin/rndc/rndc.c 1.1.1.6.2.2
src/contrib/bind9/bin/rndc/rndc.docbook 1.1.1.3.2.2
src/contrib/bind9/bin/rndc/rndc.html 1.1.1.4.2.2
src/contrib/bind9/config.h.in 1.1.2.1
src/contrib/bind9/configure.in 1.1.1.6.2.3
src/contrib/bind9/lib/bind/aclocal.m4 1.1.1.2.10.2
src/contrib/bind9/lib/bind/api 1.1.1.5.2.2
src/contrib/bind9/lib/bind/bsd/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/bsd/strerror.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/bsd/strtoul.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/config.h.in 1.1.1.4.2.3
src/contrib/bind9/lib/bind/configure.in 1.1.1.5.2.3
src/contrib/bind9/lib/bind/dst/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/dst/dst_api.c 1.1.1.5.2.2
src/contrib/bind9/lib/bind/dst/hmac_link.c 1.1.1.4.2.2
src/contrib/bind9/lib/bind/dst/support.c 1.1.1.3.2.1
src/contrib/bind9/lib/bind/include/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/arpa/nameser.h 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/isc/assertions.h 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/isc/eventlib.h 1.1.1.3.2.1
src/contrib/bind9/lib/bind/include/isc/misc.h 1.1.1.2.2.1
src/contrib/bind9/lib/bind/include/isc/platform.h.in 1.2.2.1
src/contrib/bind9/lib/bind/include/netdb.h 1.1.1.4.2.1
src/contrib/bind9/lib/bind/include/resolv.h 1.1.1.3.2.1
src/contrib/bind9/lib/bind/inet/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/inet/inet_net_pton.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/inet/inet_network.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/irs/Makefile.in 1.1.1.3.2.1
src/contrib/bind9/lib/bind/irs/dns_ho.c 1.1.1.4.2.1
src/contrib/bind9/lib/bind/irs/getnetgrent.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/irs/getnetgrent_r.c 1.1.1.4.2.1
src/contrib/bind9/lib/bind/irs/irp.c 1.1.1.3.2.1
src/contrib/bind9/lib/bind/isc/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/assertions.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/bitncmp.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/ctl_clnt.c 1.1.1.2.2.2
src/contrib/bind9/lib/bind/isc/ctl_srvr.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/isc/logging.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/nameser/Makefile.in 1.1.1.2.2.1
src/contrib/bind9/lib/bind/port_after.h.in 1.1.1.4.2.1
src/contrib/bind9/lib/bind/port_before.h.in 1.1.1.4.2.2
src/contrib/bind9/lib/bind/resolv/Makefile.in 1.1.1.3.2.1
src/contrib/bind9/lib/bind/resolv/res_debug.c 1.1.1.3.2.1
src/contrib/bind9/lib/bind/resolv/res_mkquery.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/resolv/res_query.c 1.1.1.2.2.1
src/contrib/bind9/lib/bind/resolv/res_send.c 1.1.1.4.2.1
src/contrib/bind9/lib/bind9/api 1.1.1.5.2.2
src/contrib/bind9/lib/bind9/check.c 1.1.1.5.2.4
src/contrib/bind9/lib/dns/acache.c 1.1.1.1.2.1
src/contrib/bind9/lib/dns/adb.c 1.1.1.5.2.2
src/contrib/bind9/lib/dns/api 1.1.1.6.2.4
src/contrib/bind9/lib/dns/cache.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/dispatch.c 1.1.1.4.2.4
src/contrib/bind9/lib/dns/dst_parse.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/dst_parse.h 1.1.1.2.2.1
src/contrib/bind9/lib/dns/include/dns/dispatch.h 1.1.1.3.2.4
src/contrib/bind9/lib/dns/journal.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/master.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/masterdump.c 1.1.1.3.2.1
src/contrib/bind9/lib/dns/message.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.3.2.2
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/rbt.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/rbtdb.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/generic/nsec_47.h 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/generic/txt_16.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/in_1/apl_42.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/rdata/in_1/naptr_35.c 1.1.1.2.2.1
src/contrib/bind9/lib/dns/request.c 1.1.1.3.2.2
src/contrib/bind9/lib/dns/resolver.c 1.1.1.9.2.4
src/contrib/bind9/lib/dns/rootns.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/sdb.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/tkey.c 1.1.1.4.2.1
src/contrib/bind9/lib/dns/tsig.c 1.1.1.4.2.2
src/contrib/bind9/lib/dns/validator.c 1.1.1.6.2.2
src/contrib/bind9/lib/dns/view.c 1.1.1.2.2.2
src/contrib/bind9/lib/dns/xfrin.c 1.1.1.5.2.3
src/contrib/bind9/lib/dns/zone.c 1.1.1.5.2.2
src/contrib/bind9/lib/isc/Makefile.in 1.1.1.2.2.2
src/contrib/bind9/lib/isc/api 1.1.1.5.2.3
src/contrib/bind9/lib/isc/assertions.c 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/assertions.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/lex.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/mem.h 1.1.1.3.2.1
src/contrib/bind9/lib/isc/include/isc/msgs.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/include/isc/platform.h.in 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/portset.h 1.1.2.1
src/contrib/bind9/lib/isc/include/isc/resource.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/socket.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/include/isc/timer.h 1.1.1.3.2.2
src/contrib/bind9/lib/isc/include/isc/types.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/mem.c 1.1.1.3.2.2
src/contrib/bind9/lib/isc/portset.c 1.1.2.1
src/contrib/bind9/lib/isc/print.c 1.1.1.3.2.1
src/contrib/bind9/lib/isc/pthreads/mutex.c 1.1.1.3.2.1
src/contrib/bind9/lib/isc/timer.c 1.1.1.4.2.3
src/contrib/bind9/lib/isc/unix/app.c 1.1.1.2.2.2
src/contrib/bind9/lib/isc/unix/include/isc/net.h 1.1.1.2.2.1
src/contrib/bind9/lib/isc/unix/net.c 1.1.1.3.2.2
src/contrib/bind9/lib/isc/unix/resource.c 1.1.1.2.2.2
src/contrib/bind9/lib/isc/unix/socket.c 1.1.1.5.2.3
src/contrib/bind9/lib/isc/unix/socket_p.h 1.1.1.2.2.2
src/contrib/bind9/lib/isc/unix/time.c 1.1.1.2.2.1
src/contrib/bind9/lib/isccfg/api 1.1.1.4.2.3
src/contrib/bind9/lib/isccfg/namedconf.c 1.1.1.5.2.2
src/contrib/bind9/lib/lwres/api 1.1.1.5.2.2
src/contrib/bind9/make/rules.in 1.1.1.4.2.2
src/contrib/bind9/version 1.1.1.10.2.4
RELENG_7_1
src/UPDATING 1.507.2.13.2.5
src/sys/conf/newvers.sh 1.72.2.9.2.6
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.4.6.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.3.2.1.4.1
RELENG_7_0
src/UPDATING 1.507.2.3.2.13
src/sys/conf/newvers.sh 1.72.2.5.2.13
src/contrib/bind9/lib/dns/opensslrsa_link.c 1.1.1.4.4.1
src/contrib/bind9/lib/dns/openssldsa_link.c 1.1.1.3.2.1.2.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/6/ r187002
releng/6.4/ r187194
releng/6.3/ r187194
stable/7/ r186997
releng/7.1/ r187194
releng/7.0/ r187194
- -------------------------------------------------------------------------
VII. References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0025
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:02.openssl.asc
https://www.isc.org/node/373
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:04.bind.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iD8DBQFJbRUmFdaIBMps37IRAonEAJsFQFtZGTz6tXFc5TSRMLhB1hxb6QCeI0Pd
ZFPKsX8/XspOTzRWA1h3QPk=
=dpqG
-----END PGP SIGNATURE-----
--- End Message ---
--- Begin Message ---
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-09:05.telnetd Security Advisory
The FreeBSD Project
Topic: telnetd code execution vulnerability
Category: core
Module: contrib
Announced: 2009-02-16
Affects: FreeBSD 7.x
Corrected: 2009-02-16 21:56:17 UTC (RELENG_7, 7.1-STABLE)
           2009-02-16 21:56:17 UTC (RELENG_7_1, 7.1-RELEASE-p10)
           2009-02-16 21:56:17 UTC (RELENG_7_0, 7.0-RELEASE-p3)
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.
I. Background
The FreeBSD telnet daemon, telnetd(8), implements the server side of the
TELNET virtual terminal protocol. It has been disabled by default in
FreeBSD since August 2001, and due to the lack of cryptographic security
in the TELNET protocol, it is strongly recommended that the SSH protocol
be used instead. The FreeBSD telnet daemon can be enabled via the
/etc/inetd.conf configuration file and the inetd(8) daemon.
The TELNET protocol allows a connecting client to specify environment
variables which should be set in any created login session; this is used,
for example, to specify terminal settings.
II. Problem Description
In order to prevent environment variable based attacks, telnetd(8) "scrubs"
its environment; however, recent changes in FreeBSD's environment-handling
code rendered telnetd's scrubbing inoperative, thereby allowing potentially
harmful environment variables to be set.
III. Impact
An attacker who can place a specially-constructed file onto a target system
(either by legitimately logging into the system or by exploiting some other
service on the system) can execute arbitrary code with the privileges of
the user running the telnet daemon (usually root).
IV. Workaround
No workaround is available, but systems which are not running the telnet
daemon are not vulnerable.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 7-STABLE, or to the RELENG_7_1 or
RELENG_7_0 security branch dated after the correction date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 7.0 and 7.1
systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch
# fetch http://security.FreeBSD.org/patches/SA-09:05/telnetd.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/libtelnet
# make obj && make depend && make
# cd /usr/src/libexec/telnetd
# make obj && make depend && make && make install
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
CVS:
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_7
src/contrib/telnet/telnetd/sys_term.c 1.18.22.1
RELENG_7_1
src/UPDATING 1.507.2.13.2.6
src/sys/conf/newvers.sh 1.72.2.9.2.7
src/contrib/telnet/telnetd/sys_term.c 1.18.30.2
RELENG_7_0
src/UPDATING 1.507.2.3.2.14
src/sys/conf/newvers.sh 1.72.2.5.2.14
src/contrib/telnet/telnetd/sys_term.c 1.18.26.1
- -------------------------------------------------------------------------
Subversion:
Branch/path Revision
- -------------------------------------------------------------------------
stable/7/ r188699
releng/7.1/ r188699
releng/7.0/ r188699
- -------------------------------------------------------------------------
VII. References
http://lists.grok.org.uk/pipermail/full-disclosure/2009-February/067954.html
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-09:05.telnetd.asc
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (FreeBSD)
iEYEARECAAYFAkmZ4dwACgkQFdaIBMps37JI2gCfZsCqw/ev/qVKELwNiFxj8zra
aooAn0GU4wBW7jBulFhrSyXtKVlgs18B
=joA6
-----END PGP SIGNATURE-----
--- End Message ---
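The telnetd advisory above describes environment scrubbing that stopped taking effect after the environment-handling code changed. The following is an added example, not FreeBSD's telnetd code or the patch referenced in the advisory: it builds the child's environment explicitly from an allowlist, so the result does not depend on how libc stores the process environment. The allowlist contents, `sample_env` and `scrub_env` are hypothetical names and values chosen for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative allowlist of "NAME=" prefixes (an assumption for this example). */
static const char *const allowed[] = { "TERM=", "DISPLAY=", "LOGNAME=", "PRINTER=", NULL };

/* Constructed client-supplied environment, including a duplicate TERM. */
static char *sample_env[] = { "LD_PRELOAD=/tmp/x.so", "TERM=xterm", "DISPLAY=:0",
                              "TERM=other", "TERMINFO=/tmp/ti", NULL };

/*
 * Build a fresh envp holding only allowlisted entries of src. The first
 * occurrence of a name wins; later duplicates are dropped so the child cannot
 * see a different value than the one kept here. Entries alias src.
 * Returns a malloc'd NULL-terminated array, or NULL if allocation fails.
 */
char **scrub_env(char *const src[])
{
    size_t n = 0, kept = 0;
    while (src[n] != NULL)
        n++;
    char **out = calloc(n + 1, sizeof(*out));   /* zeroed, so NULL-terminated */
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < n; i++) {
        for (size_t a = 0; allowed[a] != NULL; a++) {
            size_t plen = strlen(allowed[a]);
            if (strncmp(src[i], allowed[a], plen) != 0)
                continue;                       /* prefix includes '=', so TERMINFO != TERM */
            size_t j = 0;
            while (j < kept && strncmp(out[j], allowed[a], plen) != 0)
                j++;
            if (j == kept)                      /* name not kept yet */
                out[kept++] = src[i];
            break;
        }
    }
    return out;
}

int main(void)
{
    char **clean = scrub_env(sample_env);       /* pass this array to execve() */
    for (size_t i = 0; clean != NULL && clean[i] != NULL; i++)
        puts(clean[i]);
    free(clean);
    return 0;
}
```

Because the scrubbed array is handed to the new process directly, a regression test can assert on its exact contents instead of trusting that an in-place edit of the process environment took effect.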