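FreeBSD 9.1-RELEASE Released

FreeBSD 9.1-RELEASE has been released. It is the second release from the 9-STABLE branch. Notable new features and improvements include:

- A new Intel GPU driver with GEM/KMS support for the latest generation of Intel GPUs
- netmap(4), a fast user-space I/O framework
- ZFS improvements from Illumos
- CAM Target Layer, for emulating disks and storage controller devices
- Optional C++11 support, including LLVM libc++ and libcxxrt
- Jail support for devfs, nullfs and zfs mounts, and for a configuration file
- POSIX 2008 extended locale support, including compatibility with the Darwin extensions
- oce(4), a driver for Emulex OneConnect 10Gbit Ethernet cards
- sfxge(4), a driver for 10Gb Ethernet cards based on the Solarflare SFC9000 controller
- Improvements to the Xen paravirtualized Ethernet driver (netback)
- hpt27xx(4), a driver for HighPoint RocketRAID 27xx SAS 6Gb/s HBAs
- Improvements to the GEOM multipath class
- The GEOM raid class is enabled by default; it replaces ataraid(8) and supports more software RAID formats
- Kernel support for the AVX FPU extension
- Several additions to IPv6 hardware offload support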

FreeBSD-SA-12:08.linux

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:08.linux Security Advisory
The FreeBSD Project

Topic: Linux compatibility layer input validation error

Category: core
Module: kernel
Announced: 2012-11-22
Credits: Mateusz Guzik
Affects: All supported versions of FreeBSD.
Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
           2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
           2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
           2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
           2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
           2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4576

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

FreeBSD is binary-compatible with the Linux operating system through a
loadable kernel module/optional kernel component.

II. Problem Description

A programming error in the handling of some Linux system calls may
result in memory locations being accessed without proper validation.

III. Impact

It is possible for a local attacker to overwrite portions of kernel
memory, which may result in a privilege escalation or cause a system
panic.

IV. Workaround

No workaround is available, but systems not using the Linux binary
compatibility layer are not vulnerable.

The following command can be used to test if the Linux binary
compatibility layer is loaded:

# kldstat -m linuxelf

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_9_0, or RELENG_9_1 security
branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 9.0, and 9.1 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch
# fetch http://security.FreeBSD.org/patches/SA-12:08/linux.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1,
9.1-RC2, or 9.1-RC3 on the i386 or amd64 platforms can be updated via
the freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path      Revision
- -------------------------------------------------------------------------
stable/7/        r243418
releng/7.4/      r243417
stable/8/        r243417
releng/8.3/      r243417
stable/9/        r243417
releng/9.0/      r243417
releng/9.1/      r243417
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4576
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:08.linux.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iEYEARECAAYFAlCutVoACgkQFdaIBMps37JA4QCfZ/wp/ysDIJd1VwF525PzimTt
BUwAoJdU6pddJeJCsHfZ8812cAsrsLqP
=KVp4
-----END PGP SIGNATURE-----

FreeBSD-SA-12:07.hostapd

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:07.hostapd Security Advisory
The FreeBSD Project

Topic: Insufficient message length validation for EAP-TLS messages

Category: contrib
Module: wpa
Announced: 2012-11-22
Credits: Timo Warns, Jouni Malinen
Affects: FreeBSD 8.0 and later.
Corrected: 2012-11-22 22:52:15 UTC (RELENG_8, 8.3-STABLE)
           2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
           2012-11-22 22:52:15 UTC (RELENG_9, 9.1-PRERELEASE)
           2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4445

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The hostapd utility is an authenticator for IEEE 802.11 networks. It
provides full support for WPA/IEEE 802.11i and can also act as an IEEE
802.1X Authenticator with a suitable backend Authentication Server
(typically FreeRADIUS).

EAP-TLS is the original, standard wireless LAN EAP authentication
protocol defined in RFC 5216. It uses PKI to secure communication to a
RADIUS authentication server or another type of authentication server.

II. Problem Description

The internal authentication server of hostapd does not sufficiently
validate the message length field of EAP-TLS messages.

III. Impact

A remote attacker could cause the hostapd daemon to abort by sending
specially crafted EAP-TLS messages, resulting in a Denial of Service.

IV. Workaround

No workaround is available, but systems not running hostapd are not
vulnerable.

Note that for FreeBSD 8.x systems, the EAP-TLS authentication method
is not enabled by default. Systems running FreeBSD 8.x are only
affected when hostapd is built with -DEAP_SERVER and as such, binary
installations from the official release are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 8-STABLE or 9-STABLE, or to
the RELENG_8_3, or RELENG_9_0 security branch dated after the
correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 8.3
and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 8.x]
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd-8.patch.asc

[FreeBSD 9.x]
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch
# fetch http://security.FreeBSD.org/patches/SA-12:07/hostapd.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

3) To update your vulnerable system via a binary patch:

Systems running 8.3-RELEASE, 9.0-RELEASE, 9.1-RC1, 9.1-RC2, or 9.1-RC3
on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path      Revision
- -------------------------------------------------------------------------
stable/8/        r<revision>
releng/8.3/      r<revision>
stable/9/        r<revision>
releng/9.0/      r<revision>
releng/9.1/      r<revision>
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4445
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.hostapd.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iEYEARECAAYFAlCutVYACgkQFdaIBMps37IiwACfb85bpNnyzDRhlDnQiQ4lc6rC
MFsAoJ0KXKPu6focwcOGgwuQLhHjTpMx
=wijQ
-----END PGP SIGNATURE-----
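
The kind of check that section II of FreeBSD-SA-12:07 calls insufficient, as an added example (this is not hostapd's code and not the FreeBSD patch): a reassembler for EAP-TLS fragments, laid out per RFC 5216, that rejects any packet whose length fields disagree with the bytes actually received. The `MAX_TLS_MSG` cap, the function names and the sample packets are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_TYPE_TLS 13      /* EAP method type for EAP-TLS (RFC 5216) */
#define FLAG_L       0x80    /* TLS Message Length field is present */
#define FLAG_M       0x40    /* more fragments follow */
#define MAX_TLS_MSG  65536u  /* assumed local cap, not a value from the advisory */

enum { FRAG_REJECT = -1, FRAG_MORE = 0, FRAG_DONE = 1 };

struct reasm {               /* reassembly state for one TLS message */
    uint8_t  buf[MAX_TLS_MSG];
    uint32_t total;          /* declared total length of the message */
    uint32_t used;           /* bytes collected so far, always <= total */
};

/* Validate one EAP-TLS packet and append its TLS data to r. The caller resets
 * r after FRAG_DONE or FRAG_REJECT. Empty ACK packets are not fed in here. */
static int eap_tls_feed(struct reasm *r, const uint8_t *pkt, size_t pkt_len)
{
    /* Layout: code(1) id(1) length(2, big endian) type(1) flags(1) ... */
    if (pkt_len < 6)
        return FRAG_REJECT;
    size_t eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < 6 || eap_len > pkt_len || pkt[4] != EAP_TYPE_TLS)
        return FRAG_REJECT;
    uint8_t flags = pkt[5];
    const uint8_t *data = pkt + 6;
    size_t data_len = eap_len - 6;

    if (flags & FLAG_L) {
        if (data_len < 4)
            return FRAG_REJECT;             /* L set but the field is cut off */
        uint32_t declared = ((uint32_t)data[0] << 24) | ((uint32_t)data[1] << 16) |
                            ((uint32_t)data[2] << 8) | data[3];
        data += 4;
        data_len -= 4;
        if (r->used == 0) {
            if (declared == 0 || declared > MAX_TLS_MSG)
                return FRAG_REJECT;         /* empty or oversized claim */
            r->total = declared;
        } else if (declared != r->total) {
            return FRAG_REJECT;             /* total changed mid-message */
        }
    } else if (r->used == 0) {
        /* A first packet without L must be one complete message. */
        if ((flags & FLAG_M) || data_len > MAX_TLS_MSG)
            return FRAG_REJECT;
        r->total = (uint32_t)data_len;
    }

    /* Never copy more than the declared total still leaves room for. */
    if (data_len == 0 || data_len > r->total - r->used)
        return FRAG_REJECT;
    memcpy(r->buf + r->used, data, data_len);
    r->used += (uint32_t)data_len;

    if (flags & FLAG_M)
        return r->used < r->total ? FRAG_MORE : FRAG_REJECT;
    return r->used == r->total ? FRAG_DONE : FRAG_REJECT;
}

/* Constructed sample packets (built for this example, not captured traffic). */
static const uint8_t PKT_OK[]    = {2, 1, 0, 14, 13, FLAG_L, 0, 0, 0, 4, 0x16, 3, 1, 0};
static const uint8_t PKT_SHORT[] = {2, 1, 0, 14, 13, FLAG_L, 0, 0, 0, 2, 0x16, 3, 1, 0};
static const uint8_t PKT_FRAG1[] = {2, 1, 0, 14, 13, FLAG_L | FLAG_M, 0, 0, 0, 6, 1, 2, 3, 4};
static const uint8_t PKT_FRAG2[] = {2, 2, 0, 8, 13, 0, 5, 6};

/* Feed packet a, then b if a asked for more, into a fresh state. */
int feed_sequence(const uint8_t *a, size_t alen, const uint8_t *b, size_t blen)
{
    static struct reasm state;              /* static: 64 KiB buffer */
    state.total = state.used = 0;
    int st = eap_tls_feed(&state, a, alen);
    if (st == FRAG_MORE && b != NULL)
        st = eap_tls_feed(&state, b, blen);
    return st;
}

int main(void)
{
    printf("%d %d %d\n", feed_sequence(PKT_OK, sizeof PKT_OK, NULL, 0),
           feed_sequence(PKT_SHORT, sizeof PKT_SHORT, NULL, 0),
           feed_sequence(PKT_FRAG1, sizeof PKT_FRAG1, PKT_FRAG2, sizeof PKT_FRAG2));
    return 0;
}
```

`PKT_SHORT` declares a 2-byte message but carries 4 bytes of data, so it is rejected before anything is copied.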

FreeBSD-SA-12:06.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:06.bind Security Advisory
The FreeBSD Project

Topic: Multiple Denial of Service vulnerabilities with named(8)

Category: contrib
Module: bind
Announced: 2012-11-22
Affects: All supported versions of FreeBSD before 9.1-RC2.
Corrected: 2012-11-22 23:15:38 UTC (RELENG_7, 7.4-STABLE)
           2012-11-22 22:52:15 UTC (RELENG_7_4, 7.4-RELEASE-p11)
           2012-10-11 13:25:09 UTC (RELENG_8, 8.3-STABLE)
           2012-11-22 22:52:15 UTC (RELENG_8_3, 8.3-RELEASE-p5)
           2012-10-10 19:50:15 UTC (RELENG_9, 9.1-PRERELEASE)
           2012-11-22 22:52:15 UTC (RELENG_9_0, 9.0-RELEASE-p5)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC1-p1)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC2-p1)
           2012-11-22 22:52:15 UTC (RELENG_9_1, 9.1-RC3-p1)
CVE Name: CVE-2012-4244, CVE-2012-5166

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

II. Problem Description

The BIND daemon would crash when a query is made on a resource record
with RDATA that exceeds 65535 bytes.

The BIND daemon would lock up when a query is made on specific
combinations of RDATA.

III. Impact

A remote attacker can query a resolving name server to retrieve a record
whose RDATA is known to be larger than 65535 bytes, thereby causing the
resolving server to crash via an assertion failure in named.

An attacker who is in a position to add a record with RDATA larger than
65535 bytes to an authoritative name server can cause that server to
crash by later querying for that record.

The attacker can also cause the server to lock up with specific
combinations of RDATA.

IV. Workaround

No workaround is available, but systems not running the BIND name
server are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, or RELENG_9_0 security branch dated
after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:06/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch

Recompile the operating system using buildworld and installworld as
described in <URL:http://www.FreeBSD.org/handbook/makeworld.html>.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 9.0-RELEASE, or 9.1-RC1 on
the i386 or amd64 platforms can be updated via the freebsd-update(8)
utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.4
bind97-9.7.6.4
bind98-9.8.3.4
bind99-9.9.1.4

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Subversion:

Branch/path      Revision
- -------------------------------------------------------------------------
stable/7/        r243418
releng/7.4/      r243417
stable/8/        r241443
releng/8.3/      r243417
stable/9/        r241415
releng/9.0/      r243417
releng/9.1/      r243417
- -------------------------------------------------------------------------

VII. References

https://kb.isc.org/article/AA-00778
https://kb.isc.org/article/AA-00801
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4244
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5166
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:06.bind.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iEYEARECAAYFAlCutVIACgkQFdaIBMps37JhPQCfcwCHE7CxzBnrMdszdFYODgQs
1+kAn316Rx2d0Ecig5JHUR3broq5Hpog
=EklC
-----END PGP SIGNATURE-----

A simple HTTP proxy server on FreeBSD: installation notes (Squid)

1. Update the ports tree
# csup -L 2 -h cvsup.freebsdchina.org /usr/share/examples/cvsup/ports-supfile

2. Install Squid
# cd /usr/ports/www/squid
# make install clean

3. Generate the password file
# htpasswd -c /usr/local/etc/squid/password username
Enter the password twice to create the password file.

4. Configure
# vi /usr/local/etc/squid/squid.conf

http_port 3128
cache_dir null /var/squid/cache/
cache_access_log /var/squid/logs/access.log
cache_log /var/squid/logs/cache.log
cache_store_log /var/squid/logs/store.log

acl all src 0.0.0.0/0

auth_param basic program /usr/local/libexec/squid/ncsa_auth /usr/local/etc/squid/password
auth_param basic children 5
auth_param basic credentialsttl 2 hours
auth_param basic realm bsdart.org
acl auth_user proxy_auth REQUIRED
http_access allow auth_user

5. Create the cache directories
# /usr/local/sbin/squid -z

6. Start the service
# vi /etc/rc.conf

squid_enable="YES"

# /usr/local/etc/rc.d/squid start

Original link: http://dinggd.com/2012/11/freebsd%E4%B8%8B%E7%AE%80%E6%98%93http%E4%BB%A3%E7%90%86%E6%9C%8D%E5%8A%A1%E5%99%A8%E5%AE%89%E8%A3%85%E7%AC%94%E8%AE%B0squid/

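Reading RSS in Emacs

Subscribing to and reading RSS in Google Reader is already convenient, so why go to the thankless trouble of doing the same thing in Emacs? As an apex beast, I hold "no profit, no early rising" to be a truth.

One important reason is reading English news: looking up words with sdcv is more convenient, a key chord and it is done. Of course, you could also install a pirated copy of Kingsoft PowerWord on Windows and click around with the mouse. FreeBSD's commoners take pleasure in tinkering and self-torture, and the "keyboard party" and the "mouse gang" feud tirelessly within the FreeBSD tribe. In truth, it is all passing clouds. Heh...

Emacs-w3m

Some people like to use Gnus, which ships with Emacs23, for RSS subscriptions. Gnus is certainly powerful, but newsticker is simpler.

Because newsticker provides only titles and links, we use Emacs-w3m. w3m is an excellent text-mode web browser, developed in Japan, that can be called from within Emacs. FreeBSD provides a port of Emacs-w3m. Below are screenshots of w3m and Emacs-w3m respectively. It is a text browser, so the rendering is naturally limited. Images can be displayed in Emacs, but I think that defeats the point; you might as well use Opera.

If the terminal uses UTF-8 encoding, opening Chinese web pages in w3m may leave parts of the page displayed as garbled characters. In that case press o, go to Charset Settings, and turn off the option Automatic charset detect when loading.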

Some describe Emacs as "an operating system disguised as an editor". Either way, Emacs is powerful.

Subscribing to RSS with newsticker

Below are my RSS subscriptions: the Washington Post and the RSS feeds of a few journals.

;;;;;;;;;;;;;;;;;;;;;;;;;;;
;;; emacs-w3m reads RSS ;;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;

;; Feeds shown by newsticker: (name url) pairs.
(setq newsticker-url-list
      '(("Washington Post" "http://feeds.washingtonpost.com/rss/world")
        ("ScienceDaily" "http://www.sciencedaily.com/rss")
        ("PAMI" "http://csdl.computer.org/rss/tpami.xml")
        ("Knowledge Mining" "http://csdl.computer.org/rss/tkde.xml")
        ("Learning Technologies" "http://csdl.computer.org/rss/tlt.xml")))
;; Render the HTML of each item with w3m.
(autoload 'w3m-region "w3m" nil t)
(setq newsticker-html-renderer 'w3m-region)

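Looking up English words with sdcv from Emacs

sdcv is the command-line version of stardict. The configuration below draws on material found online and was covered in an earlier post. At the risk of redundancy, here it is again.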

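;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Look up a word with sdcv, the command-line interface of      ;;
;; stardict.                                                    ;;
;; If a region is selected, look up the region's contents;      ;;
;; otherwise look up the word at the cursor.                    ;;
;; Key chord: C-c d                                             ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
(global-set-key (kbd "C-c d") 'SearchStardict)
(defun SearchStardict ()
  "Look up the active region, or the word at point, with sdcv."
  (interactive)
  (let ((begin (point-min))
        (end (point-max)))
    (if mark-active
        (setq begin (region-beginning)
              end (region-end))
      (save-excursion
        (backward-word)
        (mark-word)
        (setq begin (region-beginning)
              end (region-end))))
    (message "%s"
             (shell-command-to-string
              ;; The text comes from feed content, so quote it: the shell
              ;; must see it as one argument, never as shell syntax.
              (concat "sdcv -n -u XDICT英汉辞典 "
                      (shell-quote-argument
                       (buffer-substring-no-properties begin end)))))))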
Screenshots

In Emacs, type M-x newsticker-show-news to read the subscribed RSS news. Words are easy to look up, and the words you have looked up are saved in ~/.sdcv_history. News files are stored in ~/.emacs.d/newsticker.

Original link: https://wiki.freebsdchina.org/doc/r/rss

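An introduction to kqueue

This article covers my understanding of kqueue from my first contact with it up to now. It had been sitting in my mempad; recently some friends had questions about kqueue, so I am posting it.

First, a few concepts need a brief explanation: struct kevent, kevent() and kqueue.

struct kevent is the basic event structure that kevent() operates on.
kevent() is a system call, while kqueue is an event queue (kernel queue) inside the FreeBSD kernel.
kevent() is the user interface to kqueue: the user-space interface for adding events to, and deleting events from, a kqueue.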

// ==========================================================

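The rest of this article focuses on struct kevent and kevent(), the structure and the API that developers must understand.

1. Main members of struct kevent

ident     – the descriptor that identifies the event: a socket fd, a file fd, or a signal
filter    – the type of event: read: EVFILT_READ, write: EVFILT_WRITE, signal: EVFILT_SIGNAL
flags     – the behaviour of the event, that is, the operation on the kqueue:
            add to the kqueue: EV_ADD; delete from the kqueue: EV_DELETE; these two are the main actions
            one-shot event: EV_ONESHOT, OR-ed into flags; when it is set, the event is deleted from the kqueue after kevent() returns it
            update event: EV_CLEAR, OR-ed into flags; the manual explains that after the event has been delivered to the user, its state is reset. It can be used for something like epoll's ET mode, and also where a descriptor sometimes reports errors.
            other: EOF: EV_EOF; error: EV_ERROR (returned values)
fflags    –
data      –
udata     – user-defined data

2. The parameters of kevent()

kq        – the unique descriptor returned by kqueue(); it identifies one kernel queue
changes   – the set of events to be modified in the kqueue. This parameter is how kevent() operates on the events currently in the kqueue, for example deleting an event that is already there or adding a new one; in other words, kevent() modifies the kqueue through this parameter
nchanges  – the number of events to modify
events    – kevent() stores the events it returns in events
nevents   – kevent() needs to know how large that storage is; == 0: kevent() returns immediately
timeout   – timeout control; = NULL: kevent() waits until an event of interest occurs; != NULL: kevent() waits for the specified time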
// ==========================================================

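A few points need to be noted:

1) With EV_ADD|EV_ONESHOT or EV_DELETE|EV_ONESHOT, the event is deleted from the kqueue after kevent() returns;

2) When the event type is EVFILT_SIGNAL, the data member of struct kevent returns how many times the signal has occurred;

3) If nevents == 0, kevent() returns immediately and ignores the timeout; this is a way to simply register events.

Original link: http://ray.bsdart.org/archives/304.raymond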
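
The three notes above as one C program, added here as an illustration and not taken from the original article. The function names `kq_oneshot_demo` and `kq_signal_count` and the `HAVE_KQUEUE` macro are this example's own; it is written for FreeBSD and other systems that provide kqueue, and both functions return -1 elsewhere.

```c
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || \
    defined(__DragonFly__) || defined(__APPLE__)
#define HAVE_KQUEUE 1
#include <sys/types.h>
#include <sys/event.h>
#include <sys/time.h>
#include <unistd.h>
#else
#define HAVE_KQUEUE 0    /* no kqueue on this platform: the demos return -1 */
#endif

/* Notes 1 and 3. Returns 1 if the kernel behaved as the notes say,
 * 0 if it did not (or setup failed), -1 where kqueue is unavailable. */
int kq_oneshot_demo(void)
{
#if HAVE_KQUEUE
    int fds[2], kq, reg, first, second, first_ok;
    struct kevent chg, ev;
    struct timespec zero = {0, 0}, one_sec = {1, 0};

    if (pipe(fds) == -1)
        return 0;
    if ((kq = kqueue()) == -1) {
        close(fds[0]);
        close(fds[1]);
        return 0;
    }
    /* Registration only: changes/nchanges carry the edit and nevents == 0,
     * so kevent() returns at once even though timeout is NULL (note 3). */
    EV_SET(&chg, fds[0], EVFILT_READ, EV_ADD | EV_ONESHOT, 0, 0, NULL);
    reg = kevent(kq, &chg, 1, NULL, 0, NULL);
    if (write(fds[1], "x", 1) != 1)
        reg = -1;
    /* One event comes back; for EVFILT_READ on a pipe, data = readable bytes. */
    first = kevent(kq, NULL, 0, &ev, 1, &one_sec);
    first_ok = first == 1 && ev.ident == (uintptr_t)fds[0] && ev.data == 1;
    /* The byte is still unread, but EV_ONESHOT removed the event (note 1). */
    second = kevent(kq, NULL, 0, &ev, 1, &zero);

    close(kq);
    close(fds[0]);
    close(fds[1]);
    return reg == 0 && first_ok && second == 0;
#else
    return -1;
#endif
}

/* Note 2: with EVFILT_SIGNAL, data counts the deliveries since the last kevent(). */
long kq_signal_count(void)
{
#if HAVE_KQUEUE
    struct kevent chg, ev;
    struct timespec one_sec = {1, 0};
    long count = 0;
    int kq = kqueue();

    if (kq == -1)
        return 0;
    signal(SIGUSR1, SIG_IGN);            /* kqueue still records ignored signals */
    EV_SET(&chg, SIGUSR1, EVFILT_SIGNAL, EV_ADD, 0, 0, NULL);
    if (kevent(kq, &chg, 1, NULL, 0, NULL) == 0) {
        for (int i = 0; i < 3; i++)
            raise(SIGUSR1);
        if (kevent(kq, NULL, 0, &ev, 1, &one_sec) == 1)
            count = (long)ev.data;       /* three raises, one event, data == 3 */
    }
    close(kq);
    return count;
#else
    return -1;
#endif
}

int main(void)
{
    printf("oneshot behaves as described: %d\n", kq_oneshot_demo());
    printf("SIGUSR1 deliveries counted:   %ld\n", kq_signal_count());
    return 0;
}
```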

FreeBSD-SA-12:05.bind

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:05.bind Security Advisory
The FreeBSD Project

Topic: named(8) DNSSEC validation Denial of Service

Category: contrib
Module: bind
Announced: 2012-08-06
Credits: Einar Lonn of IIS.se
Affects: All supported versions of FreeBSD
Corrected: 2012-08-06 21:33:11 UTC (RELENG_7, 7.4-STABLE)
           2012-08-06 21:33:11 UTC (RELENG_7_4, 7.4-RELEASE-p10)
           2012-07-24 19:04:35 UTC (RELENG_8, 8.3-STABLE)
           2012-08-06 21:33:11 UTC (RELENG_8_3, 8.3-RELEASE-p4)
           2012-08-06 21:33:11 UTC (RELENG_8_2, 8.2-RELEASE-p10)
           2012-08-06 21:33:11 UTC (RELENG_8_1, 8.1-RELEASE-p13)
           2012-07-24 22:32:03 UTC (RELENG_9, 9.1-PRERELEASE)
           2012-08-06 21:33:11 UTC (RELENG_9_0, 9.0-RELEASE-p4)
CVE Name: CVE-2012-3817

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

BIND 9 is an implementation of the Domain Name System (DNS) protocols.
The named(8) daemon is an Internet Domain Name Server.

DNS Security Extensions (DNSSEC) provides data integrity, origin
authentication and authenticated denial of existence to resolvers.

II. Problem Description

BIND 9 stores a cache of query names that are known to be failing due
to misconfigured name servers or a broken chain of trust. Under high
query loads, when DNSSEC validation is active, it is possible for a
condition to arise in which data from this cache of failing queries
could be used before it was fully initialized, triggering an assertion
failure.

III. Impact

A remote attacker that is able to generate high volume of DNSSEC
validation enabled queries can trigger the assertion failure that causes
it to crash, resulting in a denial of service.

IV. Workaround

No workaround is available, but systems not running the BIND resolving
name server with dnssec-validation enabled are not affected.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch
# fetch http://security.FreeBSD.org/patches/SA-12:05/bind.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/lib/bind/dns
# make obj && make depend && make && make install
# cd /usr/src/usr.sbin/named
# make obj && make depend && make && make install

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

4) Install and run BIND from the Ports Collection after the correction
date. The following versions and newer versions of BIND installed from
the Ports Collection are not affected by this vulnerability:

bind96-9.6.3.1.ESV.R7.2
bind97-9.7.6.2
bind98-9.8.3.2
bind99-9.9.1.2

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                                  Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/contrib/bind9/lib/dns/resolver.c  1.1.1.9.2.11
RELENG_7_4
  src/UPDATING                          1.507.2.36.2.12
  src/sys/conf/newvers.sh               1.72.2.18.2.15
  src/contrib/bind9/lib/dns/resolver.c  1.1.1.9.2.8.2.1
RELENG_8
  src/contrib/bind9/CHANGES             1.9.2.15
  src/contrib/bind9/lib/dns/resolver.c  1.3.2.6
  src/contrib/bind9/lib/dns/zone.c      1.6.2.10
  src/contrib/bind9/lib/isc/random.c    1.2.2.4
  src/contrib/bind9/version             1.9.2.15
RELENG_8_3
  src/UPDATING                          1.632.2.26.2.6
  src/sys/conf/newvers.sh               1.83.2.15.2.8
  src/contrib/bind9/lib/dns/resolver.c  1.6.2.7.2.1
RELENG_8_2
  src/UPDATING                          1.632.2.19.2.12
  src/sys/conf/newvers.sh               1.83.2.12.2.15
  src/contrib/bind9/lib/dns/resolver.c  1.6.2.4.2.1
RELENG_8_1
  src/UPDATING                          1.632.2.14.2.16
  src/sys/conf/newvers.sh               1.83.2.10.2.17
  src/contrib/bind9/lib/dns/resolver.c  1.6.2.3.2.1
RELENG_9
  src/contrib/bind9/CHANGES             1.21.2.5
  src/contrib/bind9/lib/dns/resolver.c  1.15.2.3
  src/contrib/bind9/lib/dns/zone.c      1.7.2.3
  src/contrib/bind9/version             1.21.2.5
RELENG_9_0
  src/UPDATING                          1.702.2.4.2.6
  src/sys/conf/newvers.sh               1.95.2.4.2.8
  src/contrib/bind9/lib/dns/resolver.c  1.15.4.1
- -------------------------------------------------------------------------

Subversion:

Branch/path      Revision
- -------------------------------------------------------------------------
stable/7/        r239108
releng/7.4/      r239108
stable/8/        r238749
releng/8.3/      r239108
releng/8.2/      r239108
releng/8.1/      r239108
stable/9/        r238756
releng/9.0/      r239108
- -------------------------------------------------------------------------

VII. References

https://kb.isc.org/article/AA-00729
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3817
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:05.bind.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9

iEYEARECAAYFAlAgP6kACgkQFdaIBMps37KLuQCfdF1xHFsD5vgeWKeTfPo1z0UG
XN8AnRZQy5itaoFPFALXoDy3ZnZ5qA1t
=hvTi
-----END PGP SIGNATURE-----

FreeBSD-SA-12:04.sysret

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-12:04.sysret Security Advisory
The FreeBSD Project

Topic: Privilege escalation when returning from kernel

Category: core
Module: sys_amd64
Announced: 2012-06-12
Credits: Rafal Wojtczuk, John Baldwin
Affects: All supported versions of FreeBSD
Corrected: 2012-06-12 12:10:10 UTC (RELENG_7, 7.4-STABLE)
           2012-06-12 12:10:10 UTC (RELENG_7_4, 7.4-RELEASE-p9)
           2012-06-12 12:10:10 UTC (RELENG_8, 8.3-STABLE)
           2012-06-12 12:10:10 UTC (RELENG_8_3, 8.3-RELEASE-p3)
           2012-06-12 12:10:10 UTC (RELENG_8_2, 8.2-RELEASE-p9)
           2012-06-12 12:10:10 UTC (RELENG_8_1, 8.1-RELEASE-p11)
           2012-06-12 12:10:10 UTC (RELENG_9, 9.0-STABLE)
           2012-06-12 12:10:10 UTC (RELENG_9_0, 9.0-RELEASE-p3)
CVE Name: CVE-2012-0217

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit <URL:http://security.FreeBSD.org/>.

I. Background

The FreeBSD operating system implements a rings model of security, where
privileged operations are done in the kernel, and most applications
request access to these operations by making a system call, which puts
the CPU into the required privilege level and passes control to the
kernel.

II. Problem Description

FreeBSD/amd64 runs on CPUs from different vendors. Due to varying
behaviour of CPUs in 64 bit mode a sanity check of the kernel may be
insufficient when returning from a system call.

III. Impact

Successful exploitation of the problem can lead to local kernel privilege
escalation, kernel data corruption and/or crash.

To exploit this vulnerability, an attacker must be able to run code with user
privileges on the target system.

IV. Workaround

No workaround is available.

However FreeBSD/amd64 running on AMD CPUs is not vulnerable to this
particular problem.

Systems with 64 bit capable CPUs, but running the 32 bit FreeBSD/i386
kernel are not vulnerable, nor are systems running on different
processor architectures.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 7-STABLE, 8-STABLE, or 9-STABLE,
or to the RELENG_7_4, RELENG_8_3, RELENG_8_2, RELENG_8_1, or RELENG_9_0
security branch dated after the correction date.

2) To update your vulnerable system via a source code patch:

The following patches have been verified to apply to FreeBSD 7.4,
8.3, 8.2, 8.1 and 9.0 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch
# fetch http://security.FreeBSD.org/patches/SA-12:04/sysret.patch.asc

b) Apply the patch.

# cd /usr/src
# patch < /path/to/patch

c) Recompile your kernel as described in
<URL:http://www.FreeBSD.org/handbook/kernelconfig.html> and reboot the
system.

3) To update your vulnerable system via a binary patch:

Systems running 7.4-RELEASE, 8.3-RELEASE, 8.2-RELEASE, 8.1-RELEASE,
or 9.0-RELEASE on the i386 or amd64 platforms can be updated via the
freebsd-update(8) utility:

# freebsd-update fetch
# freebsd-update install

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

CVS:

Branch                        Revision
  Path
- -------------------------------------------------------------------------
RELENG_7
  src/sys/amd64/amd64/trap.c  1.319.2.14
RELENG_7_4
  src/UPDATING                1.507.2.36.2.11
  src/sys/conf/newvers.sh     1.72.2.18.2.14
  src/sys/amd64/amd64/trap.c  1.319.2.12.2.2
RELENG_8
  src/sys/amd64/amd64/trap.c  1.332.2.24
RELENG_8_3
  src/UPDATING                1.632.2.26.2.5
  src/sys/conf/newvers.sh     1.83.2.15.2.7
  src/sys/amd64/amd64/trap.c  1.332.2.21.2.2
RELENG_8_2
  src/UPDATING                1.632.2.19.2.11
  src/sys/conf/newvers.sh     1.83.2.12.2.14
  src/sys/amd64/amd64/trap.c  1.332.2.14.2.2
RELENG_8_1
  src/UPDATING                1.632.2.14.2.14
  src/sys/conf/newvers.sh     1.83.2.10.2.15
  src/sys/amd64/amd64/trap.c  1.332.2.10.2.2
RELENG_9
  src/sys/amd64/amd64/trap.c  1.357.2.9
RELENG_9_0
  src/UPDATING                1.702.2.4.2.5
  src/sys/conf/newvers.sh     1.95.2.4.2.7
  src/sys/amd64/amd64/trap.c  1.357.2.2.2.3
- -------------------------------------------------------------------------

Subversion:

Branch/path      Revision
- -------------------------------------------------------------------------
stable/7/        r236953
releng/7.4/      r236953
stable/8/        r236953
releng/8.3/      r236953
releng/8.2/      r236953
releng/8.1/      r236953
stable/9/        r236953
releng/9.0/      r236953
- -------------------------------------------------------------------------

VII. References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0217
The latest revision of this advisory is available at
http://security.FreeBSD.org/advisories/FreeBSD-SA-12:04.sysret.asc

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (FreeBSD)

iEYEARECAAYFAk/XQGgACgkQFdaIBMps37KCsACdEvLcb0JhWKmVlvq5SuKzuW1Q
fhsAnRVLFoGa2WGnRpfQrLYCjL9gs8Rd
=RvZd
-----END PGP SIGNATURE-----